4. CRIMEWARE
[Figure: timeline chart "Damage caused by Cybercrime", 2001 to 2010, tracing the evolution to cybercrime: vulnerabilities, worm outbreaks, spam / mass mailers, spyware, intelligent botnets, web threats; 2011+: targeted attacks, mobile attacks]
5. Trustwave 2013 Global Security Report: Average time from initial breach to detection was 210 days, more than 35 days longer than in 2011.
6. Malware / Bot / APT Behavior Comparison Table
(columns: APT | Bot | Malware)
Distribution: With organized planning | Mass distribution over regions | Mass distribution over regions
Services interruption: No | No | Yes
Attack Pattern: Targeted (only a few groups/organizations) | Not targeted (large area spread-out) | Not targeted (large area spread-out)
Target Audience: Particular organization/company | Individual credentials, including online banking account information | Random
Frequency of attacks: Many times | Once | Once
Weapon: Zero-day exploit; drop embedded RAT; dropper or backdoor | Multiple exploits, all in one | By malware design
Detection Rate: Lower than 10% within one month | Around 86% within one month | Around 99% within one month
7. Some Documented Advanced Persistent Threat Campaigns (Real-world Examples)
• LURID – threat actors launched around 300 campaigns targeting different industries in different countries
• Luckycat – threat actors used diverse infrastructure (from throwaway free hosting to dedicated VPSs)
• Taidoor – threat actors primarily targeted government organizations located in Taiwan
• IXESHE – threat actors used compromised computers inside the network to evade network detection
13. Let's simulate a Water Pressure Control station
• In a small city in the US with 8000 citizens
• It has to look like a real system
• And by "accident" the system has a link to the Internet
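The honeypot pattern the slide describes, written out as an added example (this is not the deck's own code): a fake control station that looks live, accepts any command, changes nothing real, and records every interaction for the defenders. The line-oriented command protocol, the register names (PRESSURE, SETPOINT, PUMP), the starting readings and the listening port 5020 are all assumptions made for the example; a production honeypot would mimic a real ICS protocol such as Modbus instead.

```python
"""Toy ICS honeypot: a fake water-pressure control station (added example).

Everything here is constructed for illustration: the command protocol, the
register names and the plausible-looking readings are assumptions, not a
real controller's interface. The honeypot changes no physical process; it
only answers convincingly and logs who asked for what.
"""
import socketserver
import time
from dataclasses import dataclass, field


@dataclass
class StationState:
    pressure_kpa: float = 410.0   # constructed "live" reading
    setpoint_kpa: float = 400.0
    pump_on: bool = True


@dataclass
class Honeypot:
    state: StationState = field(default_factory=StationState)
    log: list = field(default_factory=list)

    def tick(self, seconds: float = 1.0) -> float:
        """Drift the reading toward the setpoint so repeated reads look alive."""
        s = self.state
        target = s.setpoint_kpa if s.pump_on else 0.0
        s.pressure_kpa += (target - s.pressure_kpa) * min(1.0, 0.1 * seconds)
        return round(s.pressure_kpa, 1)

    def handle(self, line: str, peer: str = "unknown") -> str:
        """Parse one command, record it, and answer like a real station would."""
        parts = line.strip().upper().split()
        entry = {"ts": time.time(), "peer": peer, "cmd": line.strip(), "write": False}
        self.log.append(entry)
        if not parts:
            return "ERR EMPTY"
        if parts[0] == "READ" and len(parts) == 2:
            if parts[1] == "PRESSURE":
                return f"OK PRESSURE {self.tick():.1f}"
            if parts[1] == "SETPOINT":
                return f"OK SETPOINT {self.state.setpoint_kpa:.1f}"
            if parts[1] == "PUMP":
                return "OK PUMP ON" if self.state.pump_on else "OK PUMP OFF"
        elif parts[0] == "SET" and len(parts) == 3 and parts[1] == "SETPOINT":
            entry["write"] = True          # write attempts are the alert-worthy events
            try:
                self.state.setpoint_kpa = float(parts[2])
            except ValueError:
                return "ERR VALUE"
            return "OK"
        elif parts[0] == "PUMP" and len(parts) == 2 and parts[1] in ("ON", "OFF"):
            entry["write"] = True
            self.state.pump_on = parts[1] == "ON"
            return "OK"
        return "ERR UNKNOWN"

    def write_attempts(self) -> list:
        """Commands that tried to change the (fake) process; these deserve an alert."""
        return [e for e in self.log if e["write"]]


class _Handler(socketserver.StreamRequestHandler):
    """Serve the honeypot over TCP; one fake station is shared by all peers."""

    def handle(self):
        for raw in self.rfile:
            reply = self.server.pot.handle(raw.decode("ascii", "replace"),
                                           self.client_address[0])
            self.wfile.write((reply + "\n").encode())


if __name__ == "__main__":
    # Port 5020 is an assumption (unprivileged); bind only where you intend to be probed.
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 5020), _Handler)
    srv.pot = Honeypot()
    srv.serve_forever()
```

Reads answer with drifting but believable values, so a scanner sees a "real" process; every write (SET SETPOINT, PUMP ON/OFF) is flagged in the log, which is the signal the defenders care about: nobody has a legitimate reason to write to a station that is only on the Internet by "accident".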
28. Overflow attack to CAN bus
• All the ECUs turned into fail-safe mode.
• Engine fan and headlamp kept working.
• Meter (e.g. speed) needle keeps wobbling.
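A CAN overflow works because arbitration always lets the lowest ID win, so one node spamming a high-priority ID starves every other ECU of the frames it expects, which is why they drop into fail-safe mode. The defender's counterpart is bus-load monitoring. Below is an added example (not from the deck) that learns per-window frame counts and the set of known IDs from a quiet period and then flags windows with a load spike, an unseen ID, or one ID dominating the bus. The CAN IDs, their periods, the flood spacing and the thresholds are constructed for the example; a real deployment learns the baseline from a known-good capture of the specific vehicle.

```python
"""CAN bus flood detection over a constructed frame log (added example).

Timestamps are integer microseconds so window boundaries are exact. The
traffic profile below is invented for illustration, not a real vehicle's.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts_us: int     # timestamp in microseconds
    can_id: int    # 11-bit arbitration ID; lower wins arbitration
    dlc: int       # payload length, 0..8


# Constructed traffic profile: arbitration ID -> period in microseconds.
PERIODIC = {0x0C0: 10_000, 0x1A0: 20_000, 0x2F0: 50_000, 0x4E0: 100_000}


def constructed_log(flood: bool, duration_us: int = 2_000_000) -> list:
    """Two seconds of periodic traffic; optionally a flood in the second half."""
    frames = [Frame(t, cid, 8)
              for cid, period in PERIODIC.items()
              for t in range(0, duration_us, period)]
    if flood:
        # Highest-priority ID sent back to back (200 us apart, a plausible
        # frame time at 500 kbit/s); legitimate traffic would be starved.
        frames += [Frame(t, 0x000, 8) for t in range(duration_us // 2, duration_us, 200)]
    frames.sort(key=lambda f: (f.ts_us, f.can_id))
    return frames


def windows(frames, width_us):
    """Group frames into fixed windows; returns [(window_index, frames)] in order."""
    buckets = defaultdict(list)
    for f in frames:
        buckets[f.ts_us // width_us].append(f)
    return [(k, buckets[k]) for k in sorted(buckets)]


def learn_baseline(frames, learn_us, width_us):
    """Max frames per window and the set of IDs seen during the learning period."""
    learn = [(k, w) for k, w in windows(frames, width_us) if k < learn_us // width_us]
    max_frames = max(len(w) for _, w in learn)
    known_ids = {f.can_id for _, w in learn for f in w}
    return max_frames, known_ids


def detect(frames, width_us=100_000, learn_us=1_000_000,
           load_factor=2.0, dominance=0.8):
    """Return (window_start_us, reason, detail) alerts for windows after the learning period."""
    max_frames, known_ids = learn_baseline(frames, learn_us, width_us)
    alerts = []
    for k, w in windows(frames, width_us):
        if k < learn_us // width_us:
            continue
        start_us = k * width_us
        by_id = Counter(f.can_id for f in w)
        top_id, top_n = by_id.most_common(1)[0]
        if len(w) > load_factor * max_frames:
            alerts.append((start_us, "load_spike",
                           f"{len(w)} frames, baseline max {max_frames}"))
        for cid in sorted(set(by_id) - known_ids):
            alerts.append((start_us, "unknown_id", f"0x{cid:03X}"))
        if top_n / len(w) > dominance:
            alerts.append((start_us, "id_dominance",
                           f"0x{top_id:03X} sent {top_n}/{len(w)} frames"))
    return alerts


if __name__ == "__main__":
    for start_us, reason, detail in detect(constructed_log(flood=True)):
        print(f"t={start_us / 1e6:.1f}s {reason}: {detail}")
```

The dominance threshold is set above the quiet-traffic share of the busiest legitimate ID (10 of 18 frames per window here), so the clean log produces no alerts; the flooded windows trip all three checks at once, and the unknown-ID check alone is enough to catch a flood that uses an ID the bus never carries.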