### 2013 Cisco Annual Security Report

## Living in today’s “any-to-any” world

Cybercriminals are taking advantage of the rapidly expanding attack surface found in today’s “any-to-any” world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The Cisco® 2013 Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posture for the future. The report combines expert research with security intelligence aggregated from across Cisco, focusing on data collected during the 2012 calendar year.

## Contents

- The Nexus of Devices, Clouds, and Applications (page 6)
- Endpoint Proliferation (page 12)
- Services Reside in Many Clouds (page 18)
- Blending of Business and Personal Use: Millennials and the Workplace (page 22)
- Big Data: A Big Deal for Today’s Enterprises (page 28)
- State of the Exploit: Danger Lurks in Surprising Places (page 32)
- Evolutionary Threats: New Methods, Same Exploits (page 50)
- Spam the Ever Present (page 58)
- Security Outlook 2013 (page 70)
- About Cisco Security Intelligence Operations (page 74)

# The Nexus of Devices, Clouds, and Applications

##### The any-to-any world and the Internet of Everything mark an evolution in connectivity and collaboration that is unfolding rapidly. It’s the nexus of devices, clouds, and applications.

While this evolution is not unexpected, today’s enterprises may be unprepared for the reality of navigating an “any-to-any” world—at least, from a security perspective.

“The crux of the any-to-any issue is this: We’re quickly reaching the point where it is increasingly less likely that a user is going to access a business through an enterprise network,” says Chris Young, Senior Vice President of the Security and Government Group at Cisco. “More and more, it’s about any device in any location coming over any instantiation of the network. Internet-enabled devices—smartphones, tablets, and more—are trying to connect to applications that could be running anywhere, including in a public software-as-a-service (SaaS) cloud, in a private cloud, or in a hybrid cloud.”

At the same time, another evolution is under way—a steady movement toward the formation of the “Internet of Everything.” This is the intelligent connection of:

- People: Social networks, population centers, digital entities
- Processes: Systems, business processes
- Data: World Wide Web, information
- Things: Physical world, devices and objects

The Internet of Everything builds on an “Internet of Things”[1] foundation by adding network intelligence that allows convergence, orchestration, and visibility across previously disparate systems. Connections in the Internet of Everything aren’t just about mobile devices or laptops and desktops, but also the rapidly growing number of machine-to-machine (M2M) connections coming online each day. These “things” are often objects we take for granted or rely on each day, and don’t traditionally think of as being connected—such as a home heating system, a wind turbine, or a car.

The Internet of Everything is a future state, to be sure, but is not so distant when the any-to-any issue is considered. And while it, too, will create security challenges for enterprises, it will bring new opportunities as well. “Amazing things will happen and be created as the Internet of Everything grows,” says Nancy Cam-Winget, Distinguished Engineer, Cisco. “The growth and convergence of people, processes, data, and things on the Internet will make networked connections more relevant and valuable than ever before. Ultimately, the Internet of Everything will create new capabilities, richer experiences, and unprecedented economic opportunities for countries, businesses, and individuals.”

###### How the Cloud Complicates Security

The challenge of securing a wide range of applications, devices, and users—whether in an “any-to-any” or Internet of Everything context—is made tougher by the popularity of the cloud as a means of managing enterprise systems. According to data compiled by Cisco, global data center traffic is expected to quadruple over the next five years, and the fastest-growing component is cloud data. By 2016, global cloud traffic will make up nearly two-thirds of total data center traffic.

Piecemeal security solutions, such as applying firewalls to a changeable network edge, don’t secure data that is now constantly in motion among devices, networks, and clouds. Even among data centers—which now house organizations’ “crown jewels” (big data)—virtualization is becoming more the rule than the exception. Addressing the security challenges presented by virtualization and the cloud requires rethinking security postures to reflect this new paradigm: perimeter-based controls and old models of access and containment need to be changed to secure the new business model.

###### Connected Workers and Data Privacy

Another complicating factor in the any-to-any equation is young, mobile workers. This group believes they should be able to do business wherever they happen to be and on whatever devices they have at hand. Featured in this year’s _2013 Cisco Annual Security Report_ are findings from the _2012 Cisco Connected World Technology Report_, which build on research conducted in 2011 about the changing attitudes that college students and young professionals around the globe have toward work, technology, and security. The latest study shines even more light on these workers’ attitudes toward security, with a special focus on privacy and how much or how often a company can intrude on an employee’s desire to freely roam the Internet while at work. The 2012 study also examines whether online privacy is still something that all users actively worry about.

###### Data Analysis and Global Security Trends

The _2013 Cisco Annual Security Report_ includes in-depth analysis of web malware and spam trends, based on research conducted by Cisco. While many who operate in the “shadow economy” have centered their efforts in recent years on developing increasingly sophisticated techniques, Cisco’s research makes clear that cybercriminals are often turning to well-known and basic methods to compromise users.

The rise in distributed denial of service (DDoS) attacks over the past year is just one example of the trend toward “what’s old is new again” in cybercrime. For several years, DDoS attacks—which can paralyze Internet service providers (ISPs) and disrupt traffic to and from targeted websites—have been low on the list of IT security priorities for many enterprises. However, recent campaigns against a number of high-profile companies—including U.S. financial institutions[2]—serve as a reminder that any cybersecurity threat has the potential to create significant disruption, and even irreparable damage, if an organization is not prepared for it. Therefore, when creating their business continuity management plans, enterprises would be wise to consider how they would respond to and recover from a disruptive cyber event—whether that event takes the form of a DDoS attack directed at the company; a critical, Internet-enabled manufacturing facility suddenly going offline; an advanced multistage attack by the criminal underground; or something else never before seen.

“While the IT security discussion has suffered more than its fair share of alarmism over the years, we are seeing some disturbing changes in the threat environment facing governments, companies, and societies,” says John N. Stewart, Senior Vice President and Chief Security Officer at Cisco. “Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world.”

# Endpoint Proliferation

##### The “any-to-any” evolution already involves billions of Internet-connected devices; in 2012, the number of these devices globally grew to more than 9 billion.[3]

Considering that less than 1 percent of things in the physical world are connected today, there remains vast potential to “connect the unconnected.”[4] It is projected that, on an Internet with an estimated 50 billion “things” connected to it, the number of connections will reach 13,311,666,640,184,600 by the year 2020. Adding just one more Internet-connected “thing” (50 billion + 1) will increase the number of connections by another 50 billion.[5]

As for the “things” that will eventually comprise the “everything,” they will range from smartphones to home heating systems to wind turbines to cars. Dave Evans, Cisco’s Chief Futurist with the Internet Business Solutions Group, explains the concept of endpoint proliferation like this: “When your car becomes connected to the Internet of Everything in the near future, it will simply increase the number of things on the Internet by one. Now, think about the numerous other elements to which your car could be connected—other cars, stoplights, your home, service personnel, weather reports, warning signs, and even the road itself.”[6]

In the Internet of Everything, connections are what matter most. The types of connections, not the number, are what create value between people, processes, data, and things. And eventually, the number of connections will dwarf the number of things.[7] The explosion of new connections already becoming part of the Internet of Everything is driven primarily by the development of more and more IP-enabled devices, but also by the increase in global broadband availability and the advent of IPv6.

Figure 1: The Internet of Everything. The Internet of Everything is the intelligent connection of people, processes, data, and things; the diagram links People, Process, Data, and Things through People-to-People (P2P), People-to-Machine (P2M), and Machine-to-Machine (M2M) connections across Home, Mobile, and Business settings.

The security risks posed by the Internet of Everything are not just related to the any-to-any endpoint proliferation that is bringing us closer, day by day, to an even more highly connected world, but also the opportunity for malicious actors to utilize even more inroads to compromise users, networks, and data. The new connections themselves create risk because they will generate even more data in motion that needs to be protected in real time—including the ballooning volumes of big data that enterprises will continue to collect, store, and analyze.

“The Internet of Everything is quickly taking shape, so the security professional needs to think about how to shift their focus from simply securing endpoints and the network perimeter,” says Chris Young. “There will be too many devices, too many connections, and too many content types and applications—and the number will only keep growing. In this new landscape, the network itself becomes part of the security paradigm that allows enterprises to extend policy and control over different environments.”

###### Cisco BYOD Update

Endpoint proliferation is a phenomenon Cisco knows well within its own organization of 70,000 employees worldwide. Since formalizing its bring-your-own-device (BYOD) practice two years ago, the company has witnessed a 79 percent growth rate in the number of mobile devices in use in the organization.

Figure 2: Cisco Mobile Device Deployment. Mobile devices in use at Cisco by platform, measured in December 2010, December 2011, and December 2012.
The _Cisco 2011 Annual Security Report_[8] first examined Cisco’s unfolding BYOD journey, which is part of the organization’s ongoing and broader transition toward becoming a “virtual enterprise.” By the time Cisco reaches the last stage of its planned journey, which will take several years, the company will be increasingly location- and service-independent—and enterprise data still will be secure.[9]

In 2012, Cisco added about 11,000 smartphones and tablet computers companywide—or about 1,000 new Internet-enabled devices per month. “At the end of 2012, there were nearly 60,000 smartphones and tablets in use in the organization—including just under 14,000 iPads—and all of them were Bring Your Own (BYO),” says Brett Belding, Senior Manager overseeing Cisco IT Mobility Services. “Mobile at Cisco is now BYO, period.”

The device type that’s seen the biggest increase in use at Cisco is the Apple iPad. “It’s fascinating to think that three years ago, this product didn’t even exist,” says Belding. “Now, there are more than 14,000 iPads being used at Cisco every day by our employees for a variety of activities—both personal- and work-related. And employees are using iPads in addition to their smartphones.”

As for smartphones, the number of Apple iPhones in use at Cisco has almost tripled in two years’ time to nearly 28,600. RIM BlackBerry, Google Android, and Microsoft Windows devices are also included in the BYOD program at Cisco. Employees who want access to corporate data on a personal device accept security controls in exchange. For example, users who want to check their email and calendar on their device are required to take Cisco’s security profile, which enforces remote wipe, encryption, and a passphrase.

Social support has been a key component of the BYOD program at Cisco from the start. “We rely heavily on [the enterprise collaboration platform] WebEx Social as our BYOD support platform, and it’s paid huge dividends,” says Belding. “We have more devices supported than ever before and, at the same time, we’ve had the fewest number of support cases. Our goal is that someday an employee can simply bring in any device and self-provision using the Cisco Identity Services Engine (ISE) and set up our core WebEx collaboration tools, including Meeting Center, Jabber, and WebEx Social.”

The next step for BYOD at Cisco, according to Belding, is to further improve security by increasing visibility and control over all user activity and devices, on both the physical network and virtual infrastructure, while improving the user experience. “Caring about the user experience is a core consumerization of IT trend,” says Belding. “We’re trying to apply this concept to our organization. We have to. I think what we’re seeing now is an ‘IT-ization’ of users. We’re beyond the point of them asking, ‘Can I use this device at work?’ Now they’re saying, ‘I understand you need to keep the enterprise secure, but don’t interfere with my user experience.’”

# Services Reside in Many Clouds

##### Global data center traffic is on the rise.
According to the Cisco Global Cloud Index, global data center traffic is expected to quadruple over the next five years and will grow at a compound annual growth rate (CAGR) of 31 percent between 2011 and 2016.[10]

Of this tremendous growth, the fastest-growing component is cloud data. Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016. In fact, global cloud traffic will make up nearly two-thirds of total data center traffic by 2016.[11]

This explosion in cloud traffic raises questions about the ability of enterprises to manage this information. In the cloud, the lines of control are blurred: Can an organization place safety nets around its cloud data when it doesn’t own and operate the data center? How can even basic security tools such as firewalls and antivirus software be applied when the network edge cannot be defined?

No matter how many security questions are raised, it’s clear more and more enterprises are embracing the benefits of clouds—and those that have are not likely to return to the private data center model. While the opportunities of the cloud for organizations are many—including cost savings, greater workforce collaboration, productivity, and a reduced carbon footprint—the possible security risks that enterprises face as a result of moving business data and processes to the cloud include:

###### Hypervisors

The hypervisor is the software that creates and runs virtual machines. If it is compromised, an attacker gains the same ease of management and access over every guest that virtualization gives the operator, so a single break-in can turn into mass hacking or data compromise across multiple servers. A rogue hypervisor (taken control of by “hyperjacking”) can take complete control of a server.[12]

###### “Decoupling” of virtualized applications

Because virtualized applications are decoupled from the physical resources they use, it becomes more difficult for enterprises to apply traditional security approaches. IT providers seek to minimize cost with a very elastic offering in which they can move resources as needed; the security group, by contrast, wants to collocate services of like security posture and keep them apart from others that may be less secure.

###### Lowered cost of entry

Virtualization has lowered the cost of entry to provide services like a virtual private server (VPS). Compared to older hardware-based data center models, we are seeing growth in quick, cheap, and easily available infrastructure for criminal activities. For instance, there are many VPS services available for instant sale (with the ability to purchase using Bitcoin or other hard-to-trace payment types) that are targeted to the criminal underground. Virtualization has made infrastructure much cheaper and easier to provide—with little to no policing of activities.

“Virtualization and cloud computing create problems just like those of BYOD, but turned on their head,” says Joe Epstein, former Chief Executive Officer of Virtuata, a company acquired by Cisco in 2012 that provides capabilities for securing virtual machine-level information in data centers and cloud environments. “High-value applications and high-value data are now moving around the data center. And the notion of virtual workloads makes enterprises uncomfortable. In the virtual environment, how do you know you can trust what you’re running? The answer is that you haven’t been able to so far—and that uncertainty has been a key barrier to cloud adoption.”

The answer to these growing cloud and virtualization challenges is adaptive and responsive security. In this case, security must be a programmable element seamlessly integrated into the underlying data center fabric, according to Epstein. In addition, security needs to be built in at the design phase, instead of being bolted on post-implementation.

But Epstein notes that it is becoming increasingly difficult for enterprises to ignore virtualization and the cloud. “The world is going to share everything,” he says. “Everything will be virtualized; everything will be shared. It will not make sense to continue running only private data centers; hybrid clouds are where IT is heading.”

# Blending of Business and Personal Use

#### Millennials and the Workplace

##### Modern workers—particularly young “Millennials”—want the freedom to browse the web not only when and how they want to, but also with the devices they choose. However, they don’t want these freedoms impinged upon by their employers, a situation that can spell tension for security professionals.

According to the _2012 Cisco Connected World Technology Report_ study, two-thirds of respondents believe employers should not track employees’ online activities on company-issued devices. In short, they do not think employers have any business monitoring such behavior. Only about one-third (34 percent) of workers surveyed say they don’t mind if employers track their online behavior. Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity. Findings for the latest Connected World study also show that Millennials have strong feelings about employers tracking the online activity of workers—even those who report they work at organizations where such tracking does not occur.

Compounding the challenges for security professionals, there appears to be a disconnect between what employees think they can do with their company-issued devices and what policies IT actually dictates about personal usage. Four out of 10 respondents say they are supposed to use company-issued devices for work activity only, while a quarter say they are allowed to use company devices for non-work activity. However, 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity—although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work. (You can find information about Cisco’s approach to these BYOD challenges on page 16.)

###### Privacy and Millennials

According to the _2012 Cisco Connected World Technology Report_, Millennials have accepted the fact that, thanks to the Internet, personal privacy may be a thing of the past. Ninety-one percent of young consumers surveyed say that the age of privacy is over and believe they can’t control the privacy of their information, with one-third of respondents reporting they are not worried about the data that is stored and captured about them.

In general, Millennials also believe their online identity is different from their offline identity. Forty-five percent say these identities are often different depending on the activity in question, while 36 percent believe these identities are completely different. Only 8 percent believe these identities are the same.

Young consumers also have high expectations that websites will keep their information private, often feeling more comfortable sharing data with large social media or community sites given the cloak of anonymity the crowd provides. Forty-six percent say they expect certain websites to keep their information secure, while 17 percent say they trust most websites to keep their information private. However, 29 percent say that not only do they not trust websites to keep their information private, they also are very concerned about security and identity theft. Compare this to the idea of sharing data with an employer who has the context about who they are and what they do.

“Millennials are now entering the workplace and bringing with them new working practices and attitudes to information and the associated security thereof. They believe in the demise of privacy—that it’s simply defunct in practice, and it’s in this paradigm that organizations must operate—a concept that will be alarming to the older generation in the workplace,” says Adam Philpott, Director, EMEAR Security Sales, Cisco. “Organizations can, however, look to provide information security education to their employees to alert them to the risks and provide guidance on how best to share information and leverage the crowd online tools within the realms of data security.”

###### Why Enterprises Need to Raise Awareness of Social Media Disinformation

**by Jean Gordon Kocienda**, Global Threat Analyst, Cisco

Social media has been a boon for many enterprises; the ability to connect directly with customers and other audiences via Twitter and Facebook has helped many organizations build brand awareness via online social interaction. The flip side of this lightning-fast direct communication is that social media can allow inaccurate or misleading information to spread like wildfire. It isn’t hard to imagine a scenario in which a terrorist coordinates on-the-ground attacks by using misleading tweets with the intent to clog roads or phone lines, or to send people into the path of danger.

One example: India’s government blocked hundreds of websites and curbed texts[13] this summer in an attempt to restore calm in the north-eastern part of the country after photographs and text messages were posted. The rumors prompted thousands of panicked migrant workers to flood train and bus stations.

Similar social media disinformation campaigns have affected market prices as well. A hijacked Reuters Twitter feed reported that the Free Syrian Army had collapsed in Aleppo. A few days later, a Twitter feed was compromised, and a purported top Russian diplomat tweeted that Syrian President Bashar Al-Assad was dead. Before these accounts could be discredited, oil prices on international markets spiked.[14]

Security professionals need to be alert to such fast-moving and potentially damaging social media posts, especially if they are directed at the enterprise itself—and quick action is needed to defend networks from malware, alert employees to a bogus phishing attempt, re-route a shipment, or advise employees regarding safety.
The last thing security executives want to do is alert managers to a breaking story that turns out to be a hoax. The first safeguard against falling for fabricated stories is to confirm the story across multiple sources. At one time, journalists did this job for us, so that by the time we read or heard the news, it was vetted. These days, many journalists are getting their stories from the same Twitter feeds that we are, and if several of us fall for the same story, we can easily mistake re-tweets for story confirmation. For fast-breaking news requiring quick action, your best bet may be to use the old-fashioned “sniff test.” If the story seems far-fetched, think twice before repeating or citing it.[15]

# Big Data

#### A Big Deal for Today’s Enterprises

##### The business world is abuzz about “big data”—and the potential for analytics “gold” that can be mined from the vast volumes of information that enterprises generate, collect, and store.

The _2012 Cisco Connected World Technology Report_ examined the impact of the big-data trend on enterprises—and more specifically, their IT teams. According to the study’s findings, about three-quarters (74 percent) of organizations globally are already collecting and storing data, and management is using analysis of big data to make business decisions. Additionally, seven in 10 IT respondents reported that big data will be a strategic priority for their company and IT team in the year ahead.

As mobility, cloud, virtualization, endpoint proliferation, and other networking trends evolve or emerge, they will pave the way for even more big data and analytics opportunities for businesses. But there are security concerns about big data. The 2012 Connected World study’s findings show that a third of respondents (32 percent) believe big data complicates security requirements and protection of data and networks because there is so much data and too many ways of accessing it. In short, big data increases the vectors and angles that enterprise security teams—and security solutions—must cover.

Korea (45 percent), Germany (42 percent), the United States (40 percent), and Mexico (40 percent) had the highest percentages of IT respondents who believe big data complicates security. To help ensure security, the majority of IT respondents—more than two-thirds (68 percent)—believe the entire IT team should participate in strategizing and leading big data efforts within their companies. Gavin Reid, Director of Threat Research for Cisco Security Intelligence Operations, says “Big data doesn’t complicate security—it makes it possible. At Cisco we collect and store 2.6 trillion records every day—that forms the platform from which we can start incident detection and control.”

Three out of five IT respondents to the _2012 Connected World Report_ believe big data can help countries and their economies become more competitive in the global marketplace.

As for solutions that are designed to help enterprises both better manage and unlock the value of their big data, there are barriers to adoption. Respondents pointed to lack of budget, lack of time to study big data, lack of appropriate solutions, lack of IT staff, and lack of IT expertise. The fact that almost one in four respondents globally (23 percent) said lack of expertise and personnel was an inhibitor to their enterprise’s ability to use big data effectively indicates a need for more professionals entering the job market to be trained in this area.

The cloud is a factor in big data success, as well, according to 50 percent of IT respondents to the 2012 Connected World study. They believe their organizations need to work through cloud plans and deployments to make big data a worthwhile venture. This sentiment was prominent in China (78 percent) and India (76 percent), where more than three out of four respondents believed there was a dependency on cloud before big data could truly take off. As a result, in some cases, the study indicates cloud adoption will impact the rate of adoption—and benefits—of big-data efforts.

More than half of overall IT respondents also confirmed that big-data discussions within their companies are not fruitful yet. That is not surprising considering the market is just now trying to understand how to harness their big data, analyze it, and use it strategically. In some countries, however, big-data discussions are resulting in meaningful decisions on strategy, direction, and solutions. China (82 percent), Mexico (67 percent), India (63 percent), and Argentina (57 percent) lead in this regard, with well over half of the respondents from these countries claiming that big-data discussions in their organizations are well under way—and leading to solid actions and results.

# State of the Exploit

#### Danger Lurks in Surprising Places

##### Many security professionals—and certainly a large community of online users—hold preconceived ideas about where people are most likely to stumble across dangerous web malware.

The general belief is that sites that promote criminal activity—such as sites selling illegal pharmaceuticals or counterfeit luxury goods—are most likely to host malware. Our data shows that this notion is outdated: in today’s threat landscape, web malware encounters are typically not the by-product of “bad” sites.

“Web malware encounters occur everywhere people visit on the Internet—including the most legitimate of websites that they visit frequently, even for business purposes,” says Mary Landesman, Senior Security Researcher with Cisco. “Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. [Malware is] often hidden in plain sight through exploit-laden online ads that are distributed to legitimate websites, or hackers targeting the user community on the common sites they use most.”

In addition, malware-infected websites are prevalent across many countries and regions—not just in one or two countries, dispelling the notion that some countries’ websites are more likely to host malicious content than others. “The web is the most formidable malware delivery mechanism we’ve seen to date, outpacing even the most prolific
Dangers are often hidden in Of course, this isn’t the result of plain sight through exploit-laden business sites that are designed to online ads. be malicious.” The dangers, however, ----- worm or virus in its ability to reach— encounters, fell dramatically to Figure 3: Risk by Company Size and infect—a mass audience silently sixth position in 2012. Denmark and Up to 2.5 times more risk of encountering web malware for large organizations. and effectively,” says Landesman. Sweden now hold the third and fourth “Enterprises need protection, even if spots, respectively. The United States they block common ‘bad’ sites, with retains the top ranking in 2012, as it additional granularity in inspection did in 2011, with 33 percent of all web Number of Employees and analysis.” malware encounters occurring via websites hosted in the United States. ###### 250 or less Malware Encounters Changes in geographical location ###### by Company Size between 2011 and 2012 likely reflect ###### 251–500 The largest enterprises (25,000+ both changes in detection and user employees) have more than 2.5 habits. For example, “malvertising,” ###### 501–1000 times the risk of encountering web or malware delivered via online ads, malware than smaller companies. played a more significant role in This increased risk may be a reflection ###### 1001–2500 web malware encounters in 2012 that larger companies possess more than in 2011. It is worth repeating high-value intellectual property and that web malware encounters most ###### 2501–5000 thus are more frequently targeted. frequently occur via normal browsing of legitimate websites that may have ###### 5001–10,000 While smaller companies have fewer been compromised or are unwittingly web malware encounters per user, it’s serving malicious advertising. important to note that all companies— ###### 10,001–25,000 Malicious advertising can impact any regardless of size—face significant website, regardless of the site’s origin. 
risk of web malware encounters. ###### Above 25,000 Every organization should focus on Overall, the geographical data for the fundamentals of securing its 2012 demonstrates that the web is an network and intellectual property. equal-opportunity infector—contrary to the perceptions that only one or two ###### All companies—regardless of size—face significant risk of web malware Malware Encounters countries are responsible for hosting encounters. Every organization should focus on the fundamentals of by Country web malware or that any one country is safer than another. Just as the ###### securing its network and intellectual property. Cisco’s research shows significant dynamic content delivery of Web 2.0 change in the global landscape for enables the monetization of websites web malware encounters by country across the globe, it can also facilitate in 2012. China, which was second the global delivery of web malware. on the list in 2011 for web malware ----- |1 33.14% United States|United Kingdom 4 3 1.95% 7 10 Ireland 9 5 2 9.79% Russia 2.27% 8 Netherlands 6 6.11% Germany 5.65% China 2.63% Turkey Overall, the geographical data for 2012 demonstrates that the web is| |---|---| Figure 4: Web Malware Encounters by Country One-third of all web malware encounters resulted from domains hosted in the United States. GAIN FROM 2011 DECLINE FROM 2011 9.55% 9.27% ###### 4.07% Denmark Sweden United Kingdom 4 **7** **3** ###### 1.95% 10 **9** ###### Ireland 5 1 2 9.79% Russia 2.27% 8 Netherlands 6 6.11% Germany 5.65% China 2.63% Turkey 33.14% United States Overall, the geographical data for 2012 demonstrates that the web is an equal-opportunity infector—contrary to the perceptions that only one or two countries are responsible for hosting web malware or that any one country is safer than another. 
-----

Of course, there is a distinct difference between where a web malware encounter occurs and where the malware is actually hosted. In malvertising, for example, the encounter typically occurs when visiting a reputable, legitimate website that happens to carry third-party advertising. However, the actual malware intended for delivery is hosted on a completely different domain. Since Cisco’s data is based on where the encounter occurred, it has no bearing on actual malware origin. For instance, increased popularity of social media and entertainment sites in Denmark and Sweden, coupled with malvertising risks, is largely responsible for increased encounters from sites hosted in those regions but is not indicative of actual malware origin.

###### Top Web Malware Types in 2012

Android malware grew substantially faster than any other form of web-delivered malware, an important trend given that Android is reported to hold the majority of mobile device market share worldwide. It is important to note that mobile malware encounters comprised only 0.5 percent of all web malware encounters in 2012, with Android taking over 95 percent of all these web malware encounters. In addition, 2012 saw the emergence of the first documented Android botnet in the wild, indicating that mobile malware developments in 2013 bear watching.

While some experts are claiming Android is the “biggest threat” or should be a primary focus for enterprise security teams in 2013—the actual data shows otherwise. As noted above, mobile web malware in general makes up less than 1 percent of total encounters—far from the “doomsday” scenario many are detailing. The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels. If users choose to go outside official mobile app stores, they should ensure, before downloading an app, that they know and trust the app’s author and can validate that the code has not been tampered with.

Looking at the wider landscape for web malware, it is not surprising that malicious scripts and iFrames comprised 83 percent of encounters in 2012. While this is relatively consistent with previous years, it’s a finding worthy of reflection. These types of attacks often represent malicious code on “trusted” webpages that users may visit every day—meaning an attacker is able to compromise users without even raising their suspicion.

Exploits take the second spot, with 10 percent of the total number of web malware encounters last year. However, these figures are largely a result of where the block occurred versus actual concentration of exploits on the web. For example, the 83 percent of malicious scripts and hidden iFrames are blocks that occur at an earlier stage, prior to any exploit rendering; hence, they may artificially decrease the number of exploits observed.

Rounding out the top five are infostealers, with 3.5 percent of the total web malware encounters in 2012, downloaders (1.1 percent), and worms (0.8 percent). Once again, these numbers are a reflection of where the block occurs, generally at the point in which the malicious script or iFrame is first encountered. As a result, these numbers are not reflective of the actual number of infostealers, downloaders, or worms being distributed via the web.

Figure 5: Top Web Malware Types. Android malware encounters grew 2577 percent over 2012, though mobile malware only makes up a small percentage of total web malware encounters. (Android growth panel: January–December 2012, 2577%.)

| Web malware type | Share of 2012 encounters |
|---|---|
| Malscript/iframe | 83.4% |
| Exploit | 9.8% |
| Infostealing | 3.4% |
| Downloader | 1.1% |
| Worm | 0.89% |
| Virus | 0.48% |
| Mobile | 0.42% |
| Scareware | 0.16% |
| Ransomware | 0.058% |
| Malware/Hack Kit | 0.057% |

-----

###### Top Malware Content Types

Malware creators constantly seek to maximize their return on investment (ROI) by finding ways to reach the largest population of potential victims with the least effort, and they often take advantage of cross-platform technologies when possible. Toward these ends, exploit toolkits generally deliver exploits in a specific order; once a successful exploit has been delivered, no further exploits are attempted. The high concentration of Java exploits—87 percent of total web exploits—shows that these vulnerabilities are attempted prior to other types of exploits and also demonstrates that attackers are finding success with Java exploits.

Additionally, with over 3 billion devices running Java,[16] the technology represents a clear way for hackers to scale their attacks across multiple platforms. Two other cross-platform technologies—PDF and Flash—took the second and third spots in Cisco’s analysis of the top content types for malware distribution. Though Active X is still being exploited, Cisco researchers have seen a consistently low use of the technology as a vehicle for malware. However, as noted earlier regarding Java, lower numbers of certain types of exploits are largely a reflection of the order in which exploits are attempted.

In examining media content, Cisco data reveals almost twice as much image-based malware than non-Flash video. However, this is due, in part, to the way browsers handle declared content types, and attackers’ efforts to manipulate these controls by declaring erroneous content types. In addition, malware command-and-control systems often distribute server information via comments hidden in ordinary image files.

Exploits remain a significant cause of infection via the web, and their continued presence underscores the need for vendors to adopt security best practices in their product life cycles. Organizations should focus on security as part of the product design and development process, with timely vulnerability disclosures, and prompt/regular patch cycles. Organizations and users also need to be made aware of the security risks associated with using products that are no longer supported by vendors. It is also critical for organizations to maintain a core vulnerability management process and for users to keep their hardware and software up to date.

Figure 6: Top Malware Content Types for 2012. Java exploits comprised 87 percent of total web exploits. (Panels: Monthly Major Content Types—Application, Text, Image, Video, Audio, Message—and Exploit Content Types—Java, PDF, Flash, ActiveX—by month, January–December.) Total major content types: Application 65.05%, Text 33.81%, Image 1.09%, Video 0.05%, Audio 0.01%, Message 0.00%.

-----

###### Top Site Category

As Cisco data shows, the notion that malware infections most commonly result from “risky” sites such as counterfeit software is a misconception. Cisco’s analysis indicates that the vast majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most—and think are safe.

Holding the second spot on the list are online advertisements, comprising 16 percent of total web malware encounters. Syndicated advertising is a common means of monetizing websites, so a single malicious ad distributed in this manner can have a dramatic, adverse impact.

Looking further down the list of site categories through which malware encounters occurred, business and industry sites—which include everything from corporate sites to human resources to freight services—are in third place. Online gaming is in fourth place, followed by web hosting sites and search engines in fifth and sixth places, respectively. The top 20 website categories are absent of sites typically thought of as malicious. There is a healthy mix of popular and legitimate site types such as online shopping (#8), news (#13), and SaaS/business-to-business applications (#16).

Figure 7: Top Site Category. Online shopping sites are 21 times more likely to deliver malicious content than counterfeit software sites.

| Site category | Share of 2012 web malware encounters |
|---|---|
| Dynamic Content & CDN | 18.30% |
| Advertisements | 16.81% |
| Business & Industry | 8.15% |
| Games | 6.51% |
| Web Hosting | 4.98% |
| Search Engines & Portals | 4.53% |
| Computers & Internet | 3.57% |
| Shopping | 3.57% |
| Travel | 3.00% |
| Online Communities | 2.66% |
| Entertainment | 2.57% |
| Online Storage & Backup | 2.27% |
| News | 2.18% |
| Sports & Recreations | 2.10% |
| File Transfer Services | 1.50% |
| SaaS & B2B | 1.40% |
| Web-Based Email | 1.37% |
| Education | 1.17% |
| Transportation | 1.11% |
| Health & Nutrition | 0.97% |

Note: The “Dynamic Content” category is at the top of Cisco’s list of top locations for the likelihood of malware infections. This category includes content-delivery systems such as web statistics, site analytics, and other non-advertising-related third-party content.

-----

###### Popular Applications by Hits

Cybercriminals have paid close attention to modern browsing habits to expose the largest possible population to web malware. Changes in how people spend their time online are expanding the surface for cybercriminals to launch exploits. Organizations of all sizes are embracing social media and online video; most major brands have a presence on Facebook and Twitter, and many are integrating social media into their actual products. As these web destinations draw massive audiences and are accepted into enterprise settings, more opportunities to deliver malware are also created.

According to data from Cisco Application Visibility and Control (AVC), the vast majority (91 percent) of web requests were split among search engines (36 percent); online video sites (22 percent); advertising networks (13 percent); and social networks (20 percent).

If the data on the top websites visited across the Internet is correlated with the most dangerous category of website, the very same places online users have the most exposure to malware, such as search engines, are among the top areas that drive web malware encounters. This correlation shows once again that malware creators are focused on maximizing their ROI—and therefore, they will center their efforts on the places where the number of users and ease of exposure are greatest. Where the online users are, malware creators will follow, taking advantage of trusted websites through direct compromise or third-party distribution networks.

Figure 8: Popular Applications by Hits. Social media and online video change how employees spend their time at work—and expose new vulnerabilities. (Search Engine 36%; Online Video 22%; Social Network 20%; Ads 13%; Other 9%.)

-----

###### When Gothic Horror Gives Birth to Malware

**by Kevin W. Hamlen**, Associate Professor, Computer Science Department, The University of Texas at Dallas

_Malware camouflage is an emerging threat that security professionals may increasingly face._ While most malware already uses simple mutation or obfuscation to diversify and make itself harder to reverse-engineer, self-camouflaging malware is even stealthier, blending in with the specific software already present on each system it infects. This can elude defenses that look for software anomalies like runtime unpacking or encrypted code, which often expose more conventional malware.

The latest self-camouflaging malware technology—appropriately dubbed Frankenstein[17]—is a product of our research this year in the Cyber Security Research and Education Center at The University of Texas at Dallas. Like the fictional mad scientist in Mary Shelley’s 1818 horror novel, “Frankenstein malware” creates mutants by stealing body parts (i.e., code) from other software it encounters and stitches the code together to create unique variants of itself. Each Frankenstein mutant is therefore composed entirely of non-anomalous, benign-looking software; performs no suspicious runtime unpacking or encryption; and has access to an ever-expanding pool of code transformations learned from the many programs it encounters.

Under the hood, Frankenstein brings its creations to life using an array of techniques drawn from compiler theory and program analysis. Victim binaries are first scanned for short byte sequences that decode to potentially useful instruction sequences, called gadgets. A small abstract interpreter next infers the possible semantic effects of each gadget discovered. Backtracking search is then applied to discover gadget sequences that, when executed in order, have the effect of implementing the malware payload’s malicious behavior. Each such discovered sequence is finally assembled to form a fresh mutant. In practice, Frankenstein discovers over 2,000 gadgets per second, accumulating over 100,000 from just two or three victim binaries in under five seconds. With such a large gadget pool at their disposal, the resulting mutants rarely share any common instruction sequences; each therefore looks unique.

In general, our research suggests that next-generation malware may increasingly eschew simple mutations based on encryption and packing in favor of advanced metamorphic binary obfuscations like those used by Frankenstein. Such obfuscations are feasible to implement, support rapid propagation, and are effective for concealing malware from the static analysis phases of most malware detection engines. To counter this trend, defenders will need to deploy some of the same technologies used to develop Frankenstein, including static analyses based on semantic, rather than syntactic, feature extraction, and semantic signatures derived from machine learning[18] rather than purely manual analysis.

_This article reports research supported in part by National Science Foundation (NSF) award #1054629 and U.S. Air Force Office of Scientific Research (AFOSR) award FA9550-10-1-0088. Any opinions, findings, conclusions, or recommendations expressed are those of the author and do not necessarily reflect those of the NSF or AFOSR._

17 Vishwath Mohan and Kevin W. Hamlen. “Frankenstein: Stitching Malware from Benign Binaries.” In _Proceedings of the USENIX Workshop on Offensive Technologies (WOOT)_, pp. 77-84, August 2012.

18 Mohammad M. Masud, Tahseen M. Al-Khateeb, Kevin W. Hamlen, Jing Gao, Latifur Khan, Jiawei Han, and Bhavani Thuraisingham. “Cloud-based” Malware Detection for Evolving Data Streams. _ACM Transactions on Management Information Systems (TMIS)_ 2(3), October 2011.

-----

###### 2012 Vulnerability and Threat Analysis

The Vulnerability and Threat Categories chart shows a significant increase in threat totals—in 2012, threats increased 19.8 percent over 2011. This sharp increase in threats is placing a serious strain on the ability of organizations to keep vulnerability management systems updated and patched—especially given the shift to virtual environments.

Organizations are also attempting to address the increasing use of third-party and open-source software included in their products and in their environments. “Just one vulnerability in third-party or open-source solutions can impact a broad range of systems across the environment, which makes it very difficult to identify and patch or update all those systems,” says Jeff Shipley, Manager of Cisco Security Research and Operations.

As for the types of threats, the largest group is resource management threats; this generally includes denial of service vulnerabilities, input validation threats such as SQL injection and cross-site scripting errors, and buffer overflows that result in denial of service. The preponderance of similar threats from previous years, combined with the sharp increase in threats, indicates that the security industry needs to become better equipped at detecting and handling these vulnerabilities.

The Cisco IntelliShield Alert Urgency Ratings reflect the level of threat activity related to specific vulnerabilities. The substantial increase in Level 3 urgency ratings indicates that more vulnerabilities are actually being exploited. This is likely due to the increase in publicly released exploits either by researchers or test tools, and the incorporation of those exploits into attack toolkits. These two factors are allowing more exploits to be available and used across the board by hackers and criminal groups.

The Cisco IntelliShield Alert Severity Ratings reflect the impact level of successful vulnerability exploits. The severity ratings also show a noticeable increase in Level 3 threats—for the same reasons indicated above relating to the ready availability of exploit tools.

Figure 10: Vulnerability and Threat Categories. Monthly alert numbers (Total, Reamp, New, and year-to-date Total) for 2010, 2011, and 2012.

| Month | 2010 Total | 2010 Reamp | 2010 New | 2010 YTD | 2011 Total | 2011 Reamp | 2011 New | 2011 YTD | 2012 Total | 2012 Reamp | 2012 New | 2012 YTD |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| January | 417 | 259 | 158 | 417 | 403 | 237 | 166 | 403 | 552 | 344 | 208 | 552 |
| February | 430 | 253 | 177 | 847 | 400 | 176 | 224 | 803 | 551 | 317 | 234 | 1103 |
| March | 518 | 324 | 194 | 1364 | 501 | 276 | 225 | 1304 | 487 | 238 | 249 | 1590 |
| April | 375 | 167 | 208 | 1740 | 475 | 229 | 246 | 1779 | 524 | 306 | 218 | 2114 |
| May | 322 | 174 | 148 | 2062 | 404 | 185 | 219 | 2183 | 586 | 343 | 243 | 2700 |
| June | 534 | 294 | 240 | 2596 | 472 | 221 | 251 | 2655 | 647 | 389 | 258 | 3347 |
| July | 422 | 210 | 212 | 3018 | 453 | 213 | 240 | 3108 | 514 | 277 | 237 | 3861 |
| August | 541 | 286 | 255 | 3559 | 474 | 226 | 248 | 3582 | 591 | 306 | 285 | 4452 |
| September | 357 | 167 | 190 | 3916 | 441 | 234 | 207 | 4023 | 572 | 330 | 242 | 5024 |
| October | 418 | 191 | 227 | 4334 | 558 | 314 | 244 | 4581 | 517 | 280 | 237 | 5541 |
| November | 476 | 252 | 224 | 4810 | 357 | 195 | 162 | 4938 | 375 | 175 | 200 | 5916 |
| December | 400 | 203 | 197 | 5210 | 363 | 178 | 185 | 5301 | 376 | 183 | 193 | 6292 |
| Year total | 5210 | 2780 | 2430 | | 5301 | 2684 | 2617 | | 6292 | 3488 | 2804 | |
5000 4000 3000 2000 Figure 9: Urgency and Severity Ratings 1000 0 2010 2011 2012 J F M A M J J A S O N D Rating Rating Urgency ≥3 Severity ≥3 Urgency ≥4 Severity ≥4 “Just one vulnerability in third-party or open-source solutions can impact ###### a broad range of systems across the environment, which makes it very Urgency ≥5 Severity ≥5 difficult to identify and patch or update all those systems.” Jeff Shipley, Manager, Cisco Security Research and Operations 0 10 20 30 40 50 60 0 500 1000 1500 2000 ----- ##### Anything goes when it comes to cyber exploits today—as long as the method selected will get the job done. This is not to say that actors in the and even nation states will be the # Evolutionary shadow economy do not remain perpetrators”[19] of these attacks in the committed to creating ever-more future, working both collaboratively sophisticated tools and techniques to and independently. compromise users, infect networks, and steal sensitive data, among many “We are seeing a trend in DDoS, with # Threats other goals. In 2012, however, there attackers adding additional context was a trend toward reaching back about their target site to make the to “oldies but goodies” to find new outage more significant,” says ways to create disruption or evade Gavin Reid, Director of Threat enterprise security protections. Research for Cisco Security #### New Methods, Intelligence Operations, “Instead of DDoS attacks are a primary example— doing a SYN flood, the DDoS now several major U.S. financial institutions attempts to manipulate a specific #### Same Exploits were the high-profile targets of two application in the organization— major and related campaigns launched potentially causing a cascading set by foreign hacktivist groups in the of damage if it fails.” last six months of 2012 (for detailed analysis, see the 2012 Distributed Denial of Service Trends section). 
Some security experts warn that these In 2012 there was a trend events are just the beginning and that toward reaching back to “oldies “hacktivists, organized crime rings, ###### but goodies” to find new ways to create disruption or evade enterprise security protections. ----- Another trend in the cybercrime Amplification and Reflection Attacks ###### “Even against a sophisticated—but community revolves around the DNS amplification and reflection attacks[20] utilize domain name system (DNS) open recursive ###### average—adversary, the current “democratization” of threats. We are resolvers or DNS authoritative servers to increase the volume of attack traffic sent to a ###### ‘state of the art’ in network increasingly seeing that the tools victim. By spoofing[21] DNS request messages, these attacks conceal the true source of security is often significantly and techniques—and intelligence the attack and send DNS queries that return DNS response messages 1000 to 10,000 outmatched.” about how to exploit vulnerabilities— percent larger than the DNS request message. These types of attack profiles are commonly observed during DDoS[22] attacks. are being “broadly shared” in the Gregory Neal Akers, Senior Vice President for the Advanced Security Initiatives Group shadow economy today. “Tradecraft Organizations are inadvertently participating in these attacks by leaving open recursive at Cisco capabilities have evolved a great deal,” resolvers out on the Internet. They can detect the attacks using various tools[23] and flow telemetry[24] technologies and can help prevent them by securing[25] their DNS server or Akers says. “We’re now seeing more rate-limiting[26] DNS response messages. specialization and more collaboration among malicious actors. 
It’s a threat While enterprises may believe they assembly line: Someone develops a are adequately protected against the 2012 Distributed Denial of Service Trends bug, someone else writes the malware, DDoS threat, more than likely their another person designs the social The following analysis is derived from the Arbor Networks ATLAS repository, which consists network could not defend against the of global data gathered from a number of sources, from 240 ISPs, monitoring peak traffic of engineering component, and so on.” type of high-volume and relentless 37.8 Tbps.[27] DDoS attacks witnessed in 2012. Creating potent threats that will Attack Sizes Continue to Trend Upward “Even against a sophisticated—but help them gain access to the large Overall, there has been an increase in the average size of attacks over the past year. There average—adversary, the current ‘state volumes of high-value assets coming was a 27 percent increase in throughput of attacks (1.23 Gbps in 2011 to 1.57 Gbps in 2012) and a 15 percent increase in the packets per second used in attacks (1.33 Mpps in 2011 to of the art’ in network security is across the network is one reason that 1.54 Mpps in 2012). often significantly outmatched,” says cybercriminals are combining their Gregory Neal Akers, Senior Vice expertise more often. But like any real- Attack Demographics The top three monitored attack sources, after removing 41 percent of sources for which President for the Advanced Security world organization that outsources there is no attribution due to data anonymization, are China (17.8 percent), South Korea Initiatives Group at Cisco. tasks, efficiency and cost savings (12.7 percent), and the United States (8.0 percent). are among the primary drivers for Largest Attacks the “build-a-threat” approach in the The largest monitored attack was measured at 100.84 Gbps and lasted approximately 20 cybercrime community. The “freelance minutes (source of attack is unknown due to data anonymization). 
-----

###### Weaponization of Modern Evasion Techniques

Cybercriminals are constantly evolving new techniques to bypass security devices. Cisco researchers watch vigilantly for new techniques and the “weaponization” of well-known techniques.

Cisco Security Research and Operations runs several malware labs to observe malicious traffic in the wild. Malware is intentionally released in the lab to ensure security devices are effective; computers are also left intentionally vulnerable and exposed to the Internet.

During one such test, Cisco Intrusion Prevention System (IPS) technology detected a well-known Microsoft Remote Procedure Call (MSRPC) attack. Careful analysis determined that the attack was utilizing a previously unseen malware evasion tactic in an attempt to bypass security devices.[28] The evasion sent several bind context IDs inside the initial bind request. This type of attack can evade protections unless the IPS monitors and determines which of the IDs were successful.

Figure 11: Live Intrusion Prevention System (IPS) Evasions (packet decode of the bind request; the listing ends after the first two of the 18 context items)

```
Transmission Control Protocol, Src Port: 32883 (32883), Dst
DCE RPC Bind, Fragment: Single, FragLen: 820, Call: 0
    Version: 5
    Version (minor): 0
    Packet type: Bind (11)
    Packet Flags: 0x03
    Data Representation: 10000000
    Frag Length: 820
    Auth Length: 0
    Call ID: 0
    Max Xmit Frag: 5840
    Max Recv Frag: 5840
    Assoc Group: 0x00000000
    Num Ctx Items: 18
    Context ID: 0
        Num Trans Itms: 1
        Interface UUID: c681d4c7-7f36-33aa-6cb8-535560c3f0e9
    Context ID: 1
        Num Trans Items: 1
        Interface UUID: 2ec29c7e-6d49-5e67-9d6f-4c4a37a87355
```
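The check the last sentence describes, as an added example that is not code from the report or from Cisco IPS: an IPS-side tracker that parses a DCE/RPC bind, records every context it offers, keeps only those the bind_ack accepted, and attributes later requests against that accepted set. The two interface UUIDs come from Figure 11; the DECOY and TARGET UUIDs, the alert threshold and all PDU bytes are constructed.

```python
# Added example, not code from the Cisco report: the per-connection bookkeeping
# an IPS needs so that a bind carrying many presentation contexts cannot hide
# which interface a later request really targets. The two UUIDs below are the
# ones shown in Figure 11; the others and every PDU byte here are constructed.
import struct
import uuid

NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax
BIND, BIND_ACK, REQUEST = 11, 12, 0                         # DCE/RPC PDU types
FIGURE11_UUIDS = [uuid.UUID("c681d4c7-7f36-33aa-6cb8-535560c3f0e9"),
                  uuid.UUID("2ec29c7e-6d49-5e67-9d6f-4c4a37a87355")]
DECOY = uuid.UUID("00000000-0000-0000-0000-0000000000aa")   # constructed placeholder
TARGET = uuid.UUID("00000000-0000-0000-0000-0000000000bb")  # constructed placeholder


def _hdr(ptype, body_len, call_id=0):
    # 16-byte header: vers 5.0, ptype, flags 0x03 (first+last), little-endian DREP
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + body_len, 0, call_id)


def build_bind(contexts):
    """Constructed bind PDU; contexts is a list of (context_id, interface_uuid),
    each offered with one transfer syntax (NDR v2), which is why Figure 11's
    820-byte bind works out to 28 + 18 * 44 bytes."""
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(contexts), 0, 0)
    for ctx_id, iface in contexts:
        body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
        body += NDR.bytes_le + struct.pack("<I", 2)
    return _hdr(BIND, len(body)) + body


def build_bind_ack(results):
    """Constructed bind_ack; results[i] is the verdict for the i-th offered
    context (0 = acceptance, 2 = provider rejection)."""
    sec_addr = b"135\x00"
    body = struct.pack("<HHIH", 5840, 5840, 0x1234, len(sec_addr)) + sec_addr
    body += b"\x00" * (-(16 + len(body)) % 4)              # pad to 4-byte boundary
    body += struct.pack("<BBH", len(results), 0, 0)
    for r in results:
        body += struct.pack("<HH", r, 0) + NDR.bytes_le + struct.pack("<I", 2)
    return _hdr(BIND_ACK, len(body)) + body


def build_request(ctx_id, opnum, stub=b""):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub   # alloc_hint, ctx, opnum
    return _hdr(REQUEST, len(body)) + body


class BindTracker:
    """State an IPS keeps per TCP connection to attribute requests correctly."""
    MANY_CONTEXTS = 4   # constructed threshold; the bind in Figure 11 carried 18

    def __init__(self):
        self.offered = []    # [(context_id, interface)] in bind order
        self.accepted = {}   # context_id -> interface, filled from the bind_ack
        self.alerts = []

    def on_bind(self, pdu):
        n_ctx = pdu[24]                                    # n_context_elem
        off, self.offered = 28, []
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
            self.offered.append((ctx_id, uuid.UUID(bytes_le=pdu[off + 4:off + 20])))
            off += 24 + 20 * n_ts                          # abstract syntax + transfer syntaxes
        if n_ctx >= self.MANY_CONTEXTS:
            self.alerts.append(f"bind with {n_ctx} contexts")

    def on_bind_ack(self, pdu):
        addr_len = struct.unpack_from("<H", pdu, 24)[0]    # secondary address length
        off = 26 + addr_len
        off += -off % 4                                    # result list is 4-byte aligned
        n_results, off = pdu[off], off + 4
        for i in range(n_results):
            result = struct.unpack_from("<H", pdu, off)[0]
            off += 24                                      # result, reason, transfer syntax
            if result == 0 and i < len(self.offered):
                ctx_id, iface = self.offered[i]
                self.accepted[ctx_id] = iface

    def resolve_request(self, pdu):
        """(interface or None, opnum) for a request. A context that was offered
        but never accepted resolves to None, not to the decoy interface; skipping
        this step is exactly what the evasion counts on."""
        ctx_id, opnum = struct.unpack_from("<HH", pdu, 20)
        return self.accepted.get(ctx_id), opnum


def demo():
    """One connection: a bind offering four contexts, a bind_ack accepting only
    context 3, then requests on context 0 (never accepted) and context 3."""
    t = BindTracker()
    t.on_bind(build_bind([(0, FIGURE11_UUIDS[0]), (1, FIGURE11_UUIDS[1]),
                          (2, DECOY), (3, TARGET)]))
    t.on_bind_ack(build_bind_ack([2, 2, 2, 0]))
    return t.resolve_request(build_request(0, 7)), t.resolve_request(build_request(3, 7)), t.alerts
```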
-----

###### CASE STUDY: Operation Ababil

During September and October 2012, Cisco and Arbor Networks monitored a targeted and very serious DDoS attack campaign known as “Operation Ababil,” which was aimed at U.S.-based financial institutions. The DDoS attacks were premeditated, focused, advertised before the fact, and executed to the letter. Attackers were able to render several major financial sites unavailable to legitimate customers for a period of minutes—and in the most severe instances, hours. Over the course of the events, several groups claimed responsibility for the attacks; at least one group purported to be protesting copyright and intellectual property legislation in the United States. Others broadcast their involvement as a response to a YouTube video offensive to some Muslims.

From a cybersecurity standpoint, Operation Ababil is notable because it took advantage of common web applications and hosting servers that are as popular as they are vulnerable. The other obvious and uncommon factor used in this series of attacks was that simultaneous attacks, at high bandwidth, were launched against multiple companies in the same industry (financial). As is often seen in the security industry, what’s old is new again.

On September 18, 2012, “Cyber Fighters of Izz ad-Din al-Qassam” posted on Pastebin[29] beseeching Muslims to target major financial institutions and commodities trading platforms. The threats and specific targets were put up for the world to see and continued for four consecutive weeks. Each week, new threats with new targets were followed up by actions at the appointed times and dates. By the fifth week, the group stopped naming targets but made it clear that campaigns would continue. As promised, the campaigns renewed in earnest in December 2012, once again targeting multiple large U.S. financial organizations. Phase 2 of Operation Ababil was also announced on Pastebin.[30]

Instead of infected machines, a variety of PHP web applications, including the Joomla Content Management System, served as the primary bots in the campaign. Additionally, many WordPress sites, often using the out-of-date TimThumb plug-in, were being compromised around the same time. The attackers often went after unmaintained servers hosting these applications and uploaded PHP webshells to deploy further attack tools. The concept of “command and control” did not apply in the usual manner, however; the attackers connected to the tools directly or through intermediate servers, scripts, and proxies. During the cyber events in September and October 2012, a wide array of files and PHP-based tools were used, not just the widely reported “tsoknoproblembro” (aka “Brobot”). The second round of activity also utilized updated attack tools such as Brobot v2.

Operation Ababil deployed a combination of tools with vectors crossing application-layer attacks on HTTP, HTTPS, and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP, and other IP protocols. Cisco’s analysis showed that the majority of packets were sent to TCP/UDP port 53 (DNS) or 80 (HTTP). While traffic on UDP port 53 and TCP ports 53 and 80 represents normally valid traffic, packets destined for UDP port 80 represent an anomaly not commonly used by applications. A detailed report of the patterns and payloads of the Operation Ababil campaign can be found in Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions.[31]

###### Lessons Learned

While they are a critical part of any network security portfolio, IPS and firewall devices rely on stateful traffic inspection. Application-layer techniques used in the Operation Ababil campaign easily overwhelmed those state tables and, in several cases, caused them to fail. Intelligent DDoS mitigation technology was the only effective countermeasure.

Managed security services and ISPs have their limits. In a typical DDoS attack, the prevailing wisdom says to deal with volumetric attacks in the network. Application-layer campaigns, which are deployed closer to the victim, should be addressed at the data center or on the “customer edge.” Because multiple organizations were targeted concurrently, network scrubbing centers were strained.

It is critical to keep hardware and software current on DDoS mitigation appliances. Older deployments are not always able to deal with newer threats. It is also important to have the right capacity in the right locations. Being able to mitigate a large attack is useless if traffic cannot be channeled to the location where the technology has been deployed.

While cloud or network DDoS mitigation typically has much higher bandwidth capacity, on-premise solutions provide better reaction time against, control of, and visibility into the attacks. Combining the two makes for a more complete solution.

In conjunction with cloud and network DDoS technologies, and as part of the collateral produced for the Operation Ababil events, Cisco has outlined detection and mitigation techniques in the Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions Applied Mitigation Bulletin.[32] These techniques include the use of Transit Access Control List (tACL) filtering, NetFlow data analysis, and unicast Reverse Path Forwarding (uRPF). In addition, there are a number of best practices that should be regularly reviewed, tested, and implemented that will greatly help enterprises to prepare for and react to network events. A library of these best practices can be found by referencing the Cisco SIO Tactical Resources[33] and Service Provider Security Best Practices.[34]

-----

# Spam the Ever Present

##### Spam volumes are continuing to decline worldwide, according to Cisco’s research, but spam remains a go-to tool for many cybercriminals, who view it as an efficient and expedient way to expose users to malware and facilitate a wide range of scams.

However, despite the perception that malware is typically deployed through spam email attachments, Cisco’s research shows that very few spammers today rely on this method; instead, they turn to malicious links within the email as a far more efficient distribution mechanism.

Spam is also less “scattershot” than in the past, with many spammers preferring to target specific groups of users with the hope of generating higher returns. Name-brand pharmaceuticals, luxury watch brands, and events such as tax season top the list of things that spammers promote most in their campaigns. Over time, spammers have learned that the quickest way to attract clicks and purchases—and to generate a profit—is to leverage spoofed brands and take advantage of current events that have the attention of large groups of users.

###### Global Spam Trends

Since the large-scale botnet takedowns of 2010, high-volume spam isn’t as effective as it once was, and spammers have learned and changed their tactics. There is a clear evolution toward smaller, more targeted campaigns based on world events and particular subsets of users.
High-volume spam is also more likely to be noticed by mail providers and shut down before its purpose can be fulfilled.

-----

Figure 12: Global Spam Trends. Global spam volumes are down 18 percent, with most spammers keeping bankers’ hours on weekends.

| Measure | Value |
|---|---|
| Global spam volume, 2011 to 2012 | 18% decline |
| Tuesday and Wednesday (middle of the week) | 10% gain |
| Saturday and Sunday (weekends) | 25% decline |

Figure 13: Spam Origination. India retains the spam crown, and the United States skyrockets into second position.

| Country | Share of spam originated, 2012 |
|---|---|
| India | 12.3% |
| United States | 11.38% |
| Korea | 4.60% |
| China | 4.19% |
| Vietnam | 4.00% |
| Russia | 3.88% |
| Saudi Arabia | 3.60% |
| Brazil | 3.60% |
| Taiwan | 2.94% |
| Poland | 2.72% |

Spam language (share of spam messages): English 79%, Russian 5%, Catalan 3%, Japanese 3%, Danish 2%, German 1%, French 1%, Romanian 1%, Spanish 1%, Chinese 1%.

-----

In 2012, there were several examples of spammers using news about world events—and even human tragedy—to take advantage of users. During Superstorm Sandy, for example, Cisco researchers identified a massive “pump and dump” stock scam based around a spam campaign. Using a pre-existing email message that urged people to invest in a penny stock focused on natural resource exploration, the spammers began attaching sensational headlines about Superstorm Sandy. An unusual aspect of this campaign is that the spammers utilized unique IP addresses to send a batch of spam—and have not activated those addresses since.

In 2011, overall global spam volumes were down 18 percent. This is far from the dramatic drop in volume seen in 2010 following the botnet takedowns, but the continued downward trend is a positive development nonetheless.

Spammers continue their focus on minimizing effort while maximizing impact. According to Cisco’s research, spam volumes fall by 25 percent on weekends, when users are often away from their email. Spam volumes rise to the highest levels on Tuesday and Wednesday—an average of 10 percent higher than on other weekdays. This heightened activity in the middle of the week and lower volumes on the weekend allow spammers to live “normal lives.” It also gives them time to spend crafting tailored campaigns based on world events early in the week that will help them to generate a higher response rate to their campaigns.

###### Spam Origination

In the world of spam, some countries remain the same while others dramatically change their rankings. In 2012, India retains the top spot as a source of spam worldwide, with the United States moving up from sixth in 2011 to second in 2012. Rounding out the top five spam-originating countries are Korea (third), China (fourth) and Vietnam (fifth).

Overall, the majority of spammers focus their efforts on creating spam messages that feature the languages spoken by the largest audiences who use email on a regular basis. According to Cisco’s research, the top language for spam messages in 2012 was English, followed by Russian, Catalan, Japanese, and Danish. Of note, there are gaps between where spam is being sent from and the languages that are being used in the spam message; for example, while India was the number one spam-originating country in 2012, local dialects did not break the top 10 in terms of languages used in spam sent from India. The same was true for Korea, Vietnam, and China.

-----

###### Email Attachments

Spam has long been thought of as a delivery mechanism for malware, especially when an attachment is involved. But Cisco’s recent research on the use of email attachments in spam campaigns shows that this perception may be a myth.

Only 3 percent of total spam has an attachment, versus 25 percent of valid email. And in the rare cases when a spam message does include an attachment, it is an average of 18 percent larger than a typical attachment that would be included in valid email. As a result, these attachments tend to stand out.

Figure 14: Email Attachments. Only 3 percent of spam has an attachment versus 25 percent of valid email, but spam attachments are 18 percent larger.

In modern email, links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services (often dubious). Once there, users’ personal information is collected, often without their knowledge, or they are compromised in some other way.

As the “Spoofed Brands” analysis that appears later in this section reveals, a majority of spam comes from groups who seek to sell a very specific group of name-brand goods—from luxury watches to pharmaceuticals—that are, in most cases, fake.

###### IPv6 Spam

While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure.

However, while overall email volumes are growing at a rapid clip, this is not the case with IPv6 spam. This suggests that spammers are hedging against the time and expense to migrate to the new Internet standard. There is no driving need for spammers—and little to no material benefit—to cause such a shift at present. As IPv4 addresses are exhausted and mobile devices and M2M communication drive explosive growth in IPv6, expect spammers to upgrade their infrastructure and accelerate their efforts.

Figure 15: IPv6 Spam. While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure. IPv6 email growth: 862%; IPv6 spam growth: 171% (June through December).

-----

###### Spoofed Brands

With spoofed-brands spam email, spammers use organizations and products to send their messages in hopes that online users click on a link or make a purchase. The majority of spoofed brands are prescription drugs, such as anti-anxiety medication and painkillers. In addition, luxury watch brands form a constant layer of “noise” that retains consistency across the entire year.

Cisco’s analysis shows that spammers are also skilled at tying their campaigns to news events. From January to March 2012, Cisco data shows a spike in spam relating to Windows software, which coincided with the release of the Windows 8 operating system. From February to April 2012, during the U.S. tax season, analysis shows a precipitous increase in tax software spam.

From January to March 2012, and then again from September to December 2012—the beginning and the end of the year—spam relating to professional networks made grand entrances, perhaps because spammers know that people often begin job searches during these times of the year.

From September to November 2012, spammers ran a series of campaigns posing as cellular companies, coinciding with the release of the iPhone 5.

The bottom line: Spammers are in it for the money, and over the years, they have learned that the quickest way to attract clicks and purchases is by offering pharmaceuticals and luxury goods and by tailoring their attacks toward events to which much of the world is paying attention.

Figure 16: Spoofed Brands. Spammers target pharmaceuticals, luxury watches, and tax season. Brand categories tracked across January through December 2012: Prescription Drugs, Luxury Watches, Credit Card, Business Reviews, Professional Network, Electronic Money Transfer, Accounting Software, Social Network, Professional Associations, Airline, Mail, Weight Loss, Government Organization, Windows Software, Cellular Company, Online Classifieds, Taxes, Human Growth Hormone, News, Electronic Payment Services, Greeting Cards, Luxury Cars, Payroll Services. Annotated events: Windows 8 consumer preview released; accounting software spam during U.S. tax season; cellular-related spam coinciding with the iPhone 5 release; spam related to professional social networks.
-----

###### Vulnerability Management: A Vendor Has to Do More Than Enumerate Ambivalently[35]

How a vendor discloses its product security issues is the most visible aspect of their vulnerability management practices. At Cisco, Security Advisories[36] are researched and published by the Product Security Incident Response Team (PSIRT), a group of senior security experts who understand that protection of Cisco customers and of the corporation must go hand in hand.

“Security Advisories announce our most severe product security issues and are generally the first public evidence of a Cisco product vulnerability,” says Russell Smoak, Senior Director of Cisco Security Research and Operations. “As such, it’s critical that they be an effective communications vehicle that helps customers make informed decisions and manage their risk. Combined with the advanced mitigation techniques[37] we provide for our customers to leverage the capabilities in their existing Cisco gear, we are able to provide as many details as possible to respond quickly and confidently.”

Vulnerability management, however, starts much earlier in the lifecycle of a vulnerability and can extend beyond initial disclosure. “Continuous improvement in vulnerability management practices is imperative to keeping pace with the changing security environment as a result of evolving threats as well as new products and technologies,” says Smoak. In other words, a vendor that fails to evolve with threat technologies—and that does not disclose threats—risks falling behind.

For example, innovation of internal vulnerability management tools at Cisco has taken place in the area of bundled third-party software. Third-party software is any code included in a vendor’s product that was not written by the vendor itself; this typically includes commercial third-party or open-source software. Cisco takes advantage of custom-built tooling that uses vulnerability data from Cisco IntelliShield[38] to notify the product development teams when a security issue that originates in third-party software may impact a Cisco product. This tool, called the Cisco Internal Alert Manager, has greatly increased the ability to manage security issues that originate in non-Cisco code.

Improvement of security disclosure practices should be ongoing as well. In early 2013, Cisco will begin using a new document type—the Cisco Security Notice—to disclose low-to-medium-severity product security issues. Cisco Security Notices will improve the efficacy of communication around security issues not deemed severe enough to warrant a Cisco Security Advisory. These documents will be available publicly and indexed by a Common Vulnerabilities and Exposures (CVE) identifier to improve visibility.

To further enhance how to best digest the ongoing reporting of security issues, vendors (including Cisco) have begun to include the Common Vulnerability Reporting Framework (CVRF)[39] and Open Vulnerability Assessment Language (OVAL)[40] formats in their disclosures. These emerging standards help end users evaluate vulnerabilities across multiple platforms and technologies with confidence—and the standards are able to scale due to the benefits of a machine-readable format.

Smoak says, “Ensuring that our customers have the tools that they need to properly evaluate threats to their networks helps reduce risk and allows them to prioritize tasks required to secure their infrastructures.”

In the year ahead, for additional updates and in-depth analysis on security trends, and for information about the latest enterprise security-related publications from Cisco, visit the Cisco Security Reports website: http://www.cisco.com/go/securityreport
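The machine-readable formats above only pay off if something consumes them. As an added example that is not from the report or from Cisco, the block below parses a constructed CVRF 1.1 advisory (placeholder advisory id, CVE ids and product names) and triages its vulnerabilities against a set of deployed product identifiers by CVSS base score; the element and namespace names follow the CVRF 1.1 schema.

```python
# Added example, not code from the Cisco report: consuming a machine-readable
# CVRF 1.1 advisory so that triage is driven by the CVE ids, CVSS scores and
# product statuses in the document rather than by reading prose. The advisory
# below is a constructed sample (placeholder ids and product names); element and
# namespace names follow the CVRF 1.1 schema.
import xml.etree.ElementTree as ET

NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Vendor Security Advisory (constructed)</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking>
    <Identification><ID>vendor-sa-0000-example</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2013-01-15T00:00:00</InitialReleaseDate>
    <CurrentReleaseDate>2013-01-15T00:00:00</CurrentReleaseDate>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:Branch Type="Vendor" Name="Example Vendor">
      <prod:FullProductName ProductID="P-ROUTER-OS-12">Router OS 12.0</prod:FullProductName>
      <prod:FullProductName ProductID="P-ROUTER-OS-15">Router OS 15.0</prod:FullProductName>
      <prod:FullProductName ProductID="P-MGMT-2">Management Console 2.0</prod:FullProductName>
    </prod:Branch>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Crafted packet causes reload (constructed)</vuln:Title>
    <vuln:CVE>CVE-0000-00001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>P-ROUTER-OS-12</vuln:ProductID>
        <vuln:ProductID>P-ROUTER-OS-15</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Known Not Affected">
        <vuln:ProductID>P-MGMT-2</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>7.8</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Information leak in web console (constructed)</vuln:Title>
    <vuln:CVE>CVE-0000-00002</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-MGMT-2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>4.3</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_cvrf(xml_text):
    """Return (advisory_id, products, vulns): products maps ProductID to a name,
    vulns is a list of dicts with the CVE id, CVSS base score and the set of
    ProductIDs the vendor marks 'Known Affected'."""
    root = ET.fromstring(xml_text)
    advisory_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
                                namespaces=NS)
    products = {p.get("ProductID"): p.text
                for p in root.iterfind(".//prod:FullProductName", NS)}
    vulns = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        affected = {pid.text
                    for st in v.iterfind("vuln:ProductStatuses/vuln:Status", NS)
                    if st.get("Type") == "Known Affected"
                    for pid in st.iterfind("vuln:ProductID", NS)}
        score_text = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore",
                                namespaces=NS)
        vulns.append({"cve": v.findtext("vuln:CVE", namespaces=NS),
                      "score": float(score_text) if score_text else None,
                      "affected": affected})
    return advisory_id, products, vulns


def triage(xml_text, deployed, min_score=7.0):
    """Split the advisory's vulnerabilities into (urgent, backlog) lists of
    (cve, score, [names of deployed products hit]), highest score first.
    `deployed` is the set of ProductIDs from your own inventory; entries that
    touch nothing you run are dropped, entries below min_score are kept as
    backlog so they are tracked without being escalated."""
    _, products, vulns = parse_cvrf(xml_text)
    hits = []
    for v in vulns:
        exposed = sorted(products[p] for p in v["affected"] & deployed)
        if exposed:
            hits.append((v["cve"], v["score"], exposed))
    hits.sort(key=lambda h: -(h[1] or 0))
    urgent = [h for h in hits if (h[1] or 0) >= min_score]
    backlog = [h for h in hits if (h[1] or 0) < min_score]
    return urgent, backlog
```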
http://www.cisco.com/go/securityreport Cisco takes advantage of custom-built tooling that uses vulnerability data from Cisco IntelliShield[38] to notify the product development teams when a security issue that originates For ongoing insight from Cisco’s experts on a wide range of security topics, in third-party software may impact a Cisco product. This tool, called the Cisco Internal visit the Cisco Security Blog. Alert Manager, has greatly increased the ability to manage security issues that originate blogs.cisco.com/security in non-Cisco code. ###### A vendor that fails to evolve with threat technologies—and that does not disclose threats—risks falling behind. ----- ##### The threat landscape of today is not a problem caused by uneducated users visiting malicious sites or is it solved by blocking known “bad” locations on the web. # Security This report has demonstrated how cybercriminals take advantage of the attackers have become increasingly fact that every private or public sector more sophisticated, going after the enterprise has its own IT security sites, tools, and applications that program,” says John Stewart. “Yes, we # Outlook 2013 are least likely to be suspected, and go to conferences and stay in touch users visit most frequently. Modern with each other, but we really need to threats are capable of infecting mass move from individualized IT security audiences silently and effectively, not to one based on real-time intelligence discriminating by industry, business, sharing and collective response.” size or country. Cybercriminals are taking advantage of the rapidly Building a better security infrastructure expanding attack surface found in doesn’t mean creating a more today’s “any-to-any” world, where complex architecture—in fact, quite individuals are using any device to the opposite. It’s about making the access their business network. 
infrastructure and the elements within As critical national infrastructure, businesses, and global financial ###### Modern threats are capable of markets continue their move to ###### infecting mass audiences silently cloud-based services and mobile ###### and effectively, not discriminating connectivity, an integrated, layered ###### by industry, business size, or approach to security is needed to ###### country. protect the burgeoning Internet of Everything. “Hackers and ----- it work together, with more intelligence and timely security decisions. As to detect and mitigate threats. With attackers become more sophisticated, the rapid adoption of BYOD, the reality enterprises must design security of multiple devices per user, and capabilities into the network from the growth of cloud-based services, the beginning, with solutions that bring era of managing security capabilities together threat intelligence, security on each endpoint is over. “We must policy, and enforceable controls across take a holistic approach to security all touch points on the network. that ensures we are monitoring threats across all vectors, from email to web As the attackers become more to users themselves,” says Michael sophisticated so, too, must the tools Covington, Product Manager for Cisco used to thwart their efforts. With the SIO. “Threat intelligence needs to be network providing a common fabric elevated above individual platforms in for communication across platforms, order to gain a network perspective.” it will also serve as a means to protect the devices, services, and users that As threats increasingly target users routinely use it to exchange sensitive and organizations across multiple content. 
The network of tomorrow is vectors, businesses need to collect, an intelligent one that must provide store, and process all security- better security through a collaborative relevant network activity to better framework than previously possible understand the scope and extent through the sum of its individual of attacks. This level of analysis can components. then be augmented with the context of network activity to make accurate ###### The network of tomorrow is an intelligent one that must provide better security through a collaborative framework than previously possible through the sum of its individual components. ----- ##### It has become an increasing challenge to manage and secure today’s distributed and agile networks. Online criminals continue to exploit Cisco SIO aggregates data from # About Cisco users’ trust in consumer applications across threat vectors and analyzes and devices, increasing the risk it using both automated algorithms to organizations and employees. and manual processing in an effort to Traditional security, which relies on understand how the threats propagate. the layering of products and the use SIO then categorizes threats and # Security of multiple filters, is not enough to creates rules using more than 200 defend against the latest generation parameters. Security researchers also of malware, which spreads quickly, analyze information about security has global targets, and uses multiple events that have the potential for vectors to propagate. widespread impact on networks, # Intelligence applications, and devices. Rules are Cisco stays ahead of the latest threats dynamically delivered to deployed using real-time threat intelligence from Cisco security devices every three Cisco Security Intelligence Operations to five minutes. (SIO). 
Cisco SIO is the world’s largest # Operations cloud-based security ecosystem, in which more than 75 terabits of live data feeds from deployed Cisco email, Cisco SIO is the world’s largest web, firewall, and IPS solutions are cloud-based security ecosystem, analyzed each day. in which more than 75 terabits ###### of live data feeds from deployed Cisco email, web, firewall, and IPS solutions are analyzed each day. ----- The Cisco SIO team also sources, including Cisco email, web, Cisco Security IntelliShield Alert Manager Service publishes security best practice firewall, and intrusion prevention Cisco Security IntelliShield Alert Manager Service provides a comprehensive, cost-effective recommendations and tactical system (IPS) security solutions; solution for delivering the vendor-neutral security intelligence organizations need to identify, guidance for thwarting threats. these platforms sit on the front lines prevent, and mitigate IT attacks. This customizable, web-based threat and vulnerability Cisco is committed to providing protecting customer networks from alert service allows security staff to access timely, accurate, and credible information about complete security solutions that are malicious content and intruders. In threats and vulnerabilities that may affect their environments. IntelliShield Alert Manager allows organizations to spend less effort researching threats and vulnerabilities, and focus integrated, timely, comprehensive, and addition to these on-premise customer more on a proactive approach to security. effective—enabling holistic security protection mechanisms, Cisco also for organizations worldwide. With collects data from a worldwide Cisco offers a free 90-day trial of the Cisco Security IntelliShield Alert Manager Service. By registering for this trial, you will have full access to the service, including tools and threat Cisco, organizations can save time deployment of sensors that perform and vulnerability alerts. 
researching threats and vulnerabilities functions such as trapping spam and and focus more on taking a proactive crawling the web to actively seek out To learn more about Cisco Security IntelliShield Alert Manager Services, visit: https://intellishield.cisco.com/security/alertmanager/trialdo?dispatch=4. approach to security. new instances of malware. For early-warning intelligence, threat Using these tools and the data they and vulnerability analysis, and proven collect, Cisco’s massive network Cisco mitigation solutions, please visit: footprint gives SIO systems and http://www.cisco.com/security. researchers insight into a tremendous ###### For More Information sampling of both legitimate and ###### Methodology malicious activities on the Internet. Cisco Security Intelligence Operations www.cisco.com/security Cisco Security Products www.cisco.com/go/security No security vendor has total visibility The analysis presented in this report into all malicious encounters. The data Cisco Security Blog Cisco Corporate Security is based on data that was gathered [blogs.cisco.com/security](http://blogs.cisco.com/security) Programs Organization presented in this report is Cisco’s from a variety of anonymized global www.cisco.com/go/cspo perspective on the current state of Cisco Remote Management Services the threat landscape and represents www.cisco.com/en/US/products/ ps6192/serv_category_home our best attempt to normalize data ###### Cisco collects data from a and reflect global trends and patterns worldwide deployment of based on the data available at sensors that perform functions the time. such as trapping spam and crawling the web to actively seek out new instances of malware. ----- 1 “The Internet of Things,” by Michael Chui, Markus Löffler, and Roger Roberts, McKinsey Quarterly, 20 “Maliciously Abusing Implementation Flaws in DNS,” DNS Best Practices, Network Protections, and Attack March 2010: http://www.mckinseyquarterly.com/The_Internet_of_Things_2538. 
All contents are Copyright © 2011–2013 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco’s trademarks can be found at www.cisco.com/go/trademarks. Third party