
Cybersecurity Landscape

LECTURE

IBM Skills Academy / © 2020 IBM Corporation.


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
ABOUT THIS COURSE
IBM SKILLS ACADEMY

CYBERSECURITY PRACTITIONERS COURSE


< JOURNEY >

Cybersecurity Landscape – Lecture
Cyber Resilience – Lecture
  ⇢ Lab – Monitoring Global Security
Network Security – Lecture
  ⇢ Lab – Network Security Tools
Mobile & IoT Security – Lecture
  ⇢ Lab – Endpoint Security Practices
Application Security – Lecture
Data Security – Lecture
  ⇢ Lab – Web Banking Data Breach Scenario
Cloud Security – Lecture
  ⇢ Lab – Scan And Investigate Vulnerabilities
Security Intelligence – Lecture
  ⇢ Lab – Using IBM QRadar
Threat Intelligence – Lecture
  ⇢ Lab – Investigating User Behavior
  ⇢ Lab – Analyzing Threats with Intel
Security Operations Center – Lecture



LECTURE
CYBERSECURITY LANDSCAPE

OBJECTIVES

• Understand the current impact of cybersecurity threats
• Research global cybersecurity trends in different geographies
• Familiarize with the taxonomy of cyber attacks
• Explore the enterprise cybersecurity domains

LECTURE
CYBERSECURITY LANDSCAPE

1. Cybersecurity in the World Today
2. Cyber Threats Taxonomy
3. Cybersecurity Domains
4. Summary

CYBERSECURITY IN THE WORLD TODAY

Real-world impact

What lessons can we learn from the devastating NotPetya cyberattack? CBS This Morning, Aug 22nd 2018. Watch the video at www.youtube.com/watch?v=jwW3tDcsf6g

Newsworthy attacks (2016-2018)

Slide timeline labels: Global – Scale – Impact

– Aug 2016: Shadow Brokers
– Sep 2016: Cloudbleed
– Oct 2016: Dyn DDoS attack
– Mar 2017: WikiLeaks CIA Vault 7
– May 2017: Macron campaign hack
– May 2017: WannaCry
– June 2017: NotPetya
– June 2017: 198 million US voter records exposed
– July 2017: Verizon
– Sep 2017: Deloitte
– Sep 2017: Equifax breach of 143M records
– Jan 2018: Spectre and Meltdown


Weeks and weeks of downtime caused in just one hour

– Merck: +100 days
– FedEx: 84 days
– Mondelez: 36 days
– Mærsk: 23 days
– Reckitt: 14 days
– Saint-Gobain: 13 days

Source: Wavestone


Cybersecurity is a universal challenge

By 2020, there will be…

– 20.8 billion “things” to secure
– 5 billion personal data records stolen
– $8 trillion lost to cybercrime

…while security pressures continue to grow

– COMPLIANCE MANDATES: GDPR fines can cost billions for large global companies
– SKILLS SHORTAGE: By 2022, there will be 1.8 million unfulfilled cybersecurity jobs
– TOO MANY TOOLS: Organizations are using too many tools from too many vendors


Financial Sector: Cyber Threats Global Impact

Ransomware attacks cost companies more than $10 billion globally in 2017.

Figure 1. The most prevalent financial malware families globally:
Zeus 28%, Neverquest 17%, Gozi 16%, Dridex 11%, Ramnit 9%, GozNym 7%, Tinba 6%, Gootkit 3%, Qadars 2%, Rovnix 1%

Redirection attacks are considered an advanced modus operandi because they bypass bank security measures, hijacking victims before they ever reach the bank’s site and redirecting them to a malicious website. These attacks can therefore be very effective in tricking bank customers and elevating online banking fraud success rates.

Source: The IBM X-Force researchers, who monitor almost three hundred million protected endpoints across the globe, have been seeing some shifts in the usual undercurrents of the cybercrime arena. Those developments are the subject of this report.


Underground cybercrime economy thrives on cryptocurrency

Netherlands: Twice in one month, customer account data such as contact information and International Bank Account Numbers were leaked.*

Republic of Korea: A Bitcoin exchange filed for bankruptcy after being robbed twice in eight months, first for BTC4,000 and later for an undisclosed amount totaling 17% of its assets.†

Republic of Korea: Compromise of an exchange employee’s computer at a Bitcoin exchange resulted in theft of customer emails and information, and more than USD1 million in Bitcoin.‡

US: On launch of the cryptocurrency, attackers flooded a Bitcoin project website with 10+ million requests per minute, disrupting users.§

Slovenia: A single wallet at a Bitcoin exchange suffered a theft of BTC4,700 (~USD70 million at the time), amid speculation it was an inside job.**

US: Criminals stole 126 million Verge coins from customer accounts at a cryptocurrency wallet application service.††

Israel: During the initial coin offering, attackers tricked investors into sending funds to the attackers’ wallet rather than the company’s wallet.‡‡

US: A cryptocurrency platform was robbed during its initial coin offering by attackers who replaced an Ethereum wallet address with their own address.§§

Hong Kong: A widely used Bitcoin exchange was disrupted by distributed-denial-of-service attacks that lasted several weeks.***

Hong Kong: A cryptocurrency startup allowing users to trade digital tokens reported USD31 million was transferred from its vault to an unauthorized recipient.†††

* Raimund Bumblauskas, “Dutch Bitcoin Broker Litebit suffers second data breach in six weeks,” HackedPress, 18 September 2017.
† “Bitcoin exchange Youbit shuts after second hack attack,” BBC News, 19 December 2017.
‡ Raimund Bumblauskas, “Bithumb, Korean cryptocurrency exchange, hacked, $1 million stolen,” HackedPress, 05 July 2017.
§ Rachel Rose O’Leary, “Bitcoin Gold Website Down Following DDoS Attack,” Coindesk, 24 October 2017.
** Abhimanyu Ghoshal, “Bitcoin exchange NiceHash robbed of $64 million from its wallet,” TNW, 06 December 2017.
†† India Ashok, “CoinPouch hack: Over $655,000 worth of Verge cryptocurrency was stolen by hackers,” International Business Times, 25 November 2017.
‡‡ Jeremy Nation, “Enigma Token Offering Eclipsed By Hacking Incident,” ETHNews, 21 August 2017.
§§ Mohit Kumar, “Hacker Uses A Simple Trick to Steal $7 Million Worth of Ethereum Within 3 Minutes,” The Hacker News, 17 July 2017.
*** Tomáš Foltýn, “Cryptocurrency exchange Bitfinex plagued by DDoS Attacks,” WeLiveSecurity, 06 December 2017.
††† Justina Lee, “Even a $31 Million Hack Couldn’t Keep Bitcoin Down,” Bloomberg Technology, 21 November 2017.


USA & UK: Countries most targeted by banking Trojans

Most active financial malware families in the UK (Source: IBM Trusteer, 2016):
Neverquest 48%, Kronos 16%, Gootkit 8%, Tinba 8%, Gozi 5%, Dridex 4%, Zeus 3%, Ramnit 3%, URLZone 2%, Shifu 2%, GozNym 1%

Most active financial malware families in the US (Source: IBM Trusteer, 2016):
Gozi 21%, GozNym 20%, Neverquest 17%, Zeus varieties 9%, Dridex 9%, Tinba 8%, Gootkit 7%, Kronos 6%, Ramnit 2%, URLZone 1%, Trickbot <1%

These geographies suffer intense attention from cybercrime groups of all grades.

Aside from targeting banking services, the attackers target the employer accounts of popular job recruitment sites, cable TV providers, and tax filing software.

Job sites are typically targeted when cybercrime gangs are looking to recruit money mules, typically targeting job seekers in the US and UK.

Loss to cyber crime: United Kingdom 27 billion¹; United States of America 100 billion¹

1. Center for Strategic and International Studies (CSIS) report


Germany: Emergence of two sophisticated cybercrime gangs

1) GozNym banking malware, a hybrid Trojan, began targeting banks in Germany in August 2016 with redirection attacks on 13 banks and their local subsidiaries, in the German language. The gang used its malware to launch vast ransomware campaigns that resulted in millions of infected endpoints around the globe.

GozNym timeline:
– Apr-2016: GozNym emerges, attacks US banks
– Apr-2016: GozNym launches redirection attacks in Poland
– Jun-2016: GozNym launches redirection attacks in the US
– Aug-2016: GozNym launches redirection attacks in Germany

2) TrickBot’s server-side web injection method is uncommon in today’s malware.

German companies lost an average of $7.5 million in each attack.

$61.4 billion cybercrime potential losses in 2 years. Germany is the largest national economy in Europe and the fourth largest economy by GDP in the world.


Canada: Target of trojans and cyber gang-operated attacks

Historically, Canada escaped the high-attack activity typical in the United States, until 2016, when TrickBot started to be used in major redirection attacks on Canadian banks.

Each malware has a different approach to the Canadian financial sector. Some target the national banks, others target credit unions.

In terms of attack volume, the top five Trojans regularly featuring Canadian bank targets are:
1. Gozi v2
2. Ramnit
3. Qadars
4. TrickBot
5. Zeus Sphinx
6. Dire

ATTACK FEATURES
• Mob-style cybercrime gangs
• Keep elaborate crews on their payroll
• Maintaining a large number of foot soldiers
• Malware operators frequently release new configurations

X-Force researchers believe that Qadars is privately-owned code operated by a closed cyber-gang that targets Western countries.


Australia and New Zealand: 4th major geography attacked

Banks in Australia and neighboring New Zealand are often targets of the same attacks and attackers.

Key trojan attacks:
1. Ramnit
2. Gozi
3. Dridex
4. TrickBot

By 2018 Gozi ranks 1st on the global financial malware chart. Its campaigns are the second most prolific in Australia. Typically Australian banks are targeted alongside others, mostly in the UK and US.

Dridex is known for diverse target lists, and its recent Australian infection campaigns were launched alongside campaigns in the UK, France and Ireland.

Dridex takes an interest in credit unions and deploys click-shot attacks on those banks in Australia. In such attacks, click shots are taken every time the infected user taps the left mouse button on a link inside the bank’s website. Used in place of the heavier video-grabbing modules, the tactic allows attackers to familiarize themselves with a legitimate flow of events on the bank’s site.


Japan: Organized cybercrime proliferates

The Shifu Trojan emerged in 2016 in Japan, attacking 14 Japanese banks. It was the first large-scale adoption of a trojan in the Japanese language, used by Yakuza and other organized crime organizations, ending Japan’s many years of cyberwarfare isolation due to the scarcity of attack tools in Japanese.

The most active financial malware in Japan, per attack volume, includes:
1. Gozi
2. URLZone
3. Rovnix
4. Shifu

ATTACK FEATURES
• Well-crafted Japanese-language email spam
• Hefty configuration files full of web injections
• Video grabbing: the attacker has the malware record a video of the desktop activity
• Customized to attack banks in Japan
• Malware adaptation
• Web injections for social engineering
• Money mule recruitment
• Cash-out and laundering of stolen funds


Brazil: Fraud and technical sophistication changes the game

Cybercrime in Brazil is beyond doubt one of the country’s greatest challenges; unlike elsewhere in the world, most attacks there are the work of local criminals. They adapt world-class tools to the Portuguese language and sell them on forums.

A new fraud attempt every 16.9 seconds in Brazil.¹ There are about 4,700 attempts per day.²

Brazil is already the second-largest generator of cybercrime in the world. The U.K. saw a 25 percent increase in online fraud in 2015, as reported by The Guardian. Brazil saw a 40% rise in online banking fraud.

Key attacks:
1. TeamXRat
2. Zeus Panda
3. Zeus Sphinx
4. FlockiBot

Members of TeamXRat,³ a hacking crew based in Brazil, created their own ransomware variant that they spread to local companies and hospitals after taking control over their servers and networks via RDP (Remote Desktop Protocol) brute-force attacks.

1. Convergência Digital 2. Brasil Econômico 3. Softpedia News


Asia: Malware attacks

Asia, which has seen previous interest from malware like Dyre and Dridex, continued to attract organized cybercrime groups in 2016. Two of the most prominent threats relevant to Asian countries are Dridex and TrickBot.

Dridex: Dridex has been targeting banks in Asia since 2015, mostly going after the credentials of business and corporate banking users. The locales most frequently featured in configurations: Singapore, Thailand, Hong Kong, China, Vietnam and Indonesia.

TrickBot: TrickBot’s appearance in Asia in the fourth quarter of 2016 was not very surprising, given its established resemblance to Dyre. If the two are indeed connected, target lists are among the first things they would share. TrickBot’s configurations include redirection attacks on corporate banking in Singapore, Malaysia and India.


UAE: Rising interest in the Gulf

Another geography increasingly present in Trojan configurations is the United Arab Emirates (UAE).

Organized gangs like the Dridex and the TrickBot crews are including more UAE banks on their target lists, as did Dyre before them.

Key reasons:
The UAE resembles Singapore in a sense: it is a global center of business, and its population is considered to have above average wealth. Also, businesses and individuals in the region tend to operate in both English and their local languages, allowing malware operators to employ their existing English-language attack tools.

The UAE emirates most often targeted by organized malware gangs are Dubai and Abu Dhabi.
Other targeted countries in the surrounding regions are Saudi Arabia, Qatar, Kuwait and Egypt.

LECTURE
CYBERSECURITY LANDSCAPE

1. Cybersecurity in the World Today
2. Cyber Threats Taxonomy
3. Cybersecurity Domains
4. Summary

CYBER THREATS TAXONOMY

WHAT – IS A CYBER THREAT?

Cyber threats are deliberate exploitations of computer systems and networks using malicious software (malware) to compromise data or disable operations. Cyber attacks enable cyber-crimes like information theft, fraud and ransomware schemes.


WHY – DO THEY ATTACK?

1. Military: countries and nation-states attacking targets for offensive and defensive reasons
   – Potential targets: power grids, battlefield systems, military bases, government organizations
   – Example: Stuxnet (ca 2011), believed to have been a joint American-Israeli operation targeted at the Iranian nuclear program

2. Civil / private sector: “classic” Internet sabotage targeting enterprises, individuals
   – Targets include the Internet backbone, web servers, databases, PCs, network devices
   – Motivations include money, acquisition of trade secrets (cyber espionage), revenge
   – Attacks can be highly targeted to specific organizations (Home Depot, Sony) or widespread (phishing, ransomware)

3. Hacktivism: politically motivated; involves cyber sabotage and subversion to promote an agenda

4. Bragging rights: amateurs looking to make a name for themselves
   – Examples: website defacement, discovery of previously unknown vulnerabilities

5. Legitimate research: ‘White Hat’ organizations and individuals seeking to defeat ‘Black Hats’
   – Examples: X-Force, ethical hackers, anti-malware vendors, penetration testing, invasive vulnerability scanners


HOW – DO THEY ATTACK?

Physical Access

Incidents where the attacker acquires access to a physical system; this could include anything from phones, computers or servers to ATMs, elevators, cars, airplanes, CCTV, homes, and health monitors.

Attack types: Physical access, Brute force, Misconfig., Malvertising, Watering Hole, Phishing, SQLi, DDoS, Malware, Undisclosed


Attack types

Brute Force

Use of trial and error to obtain a username and password for a valid account on an application to access sensitive data such as credit card numbers.

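Brute force is a volume attack, so the defender's counterpart is counting: how many failed logins does one source produce against one account inside a short window, and did a success follow the run? The block below is an added example, not code from the IBM course; it runs a sliding-window detector over a few constructed authentication log lines. The log format (`<timestamp> <FAIL|OK> user=<name> ip=<addr>`), the threshold of 5 failures and the 10-minute window are assumptions chosen to resemble a typical web-application login log.

```python
"""Brute-force login detection over constructed auth log lines.

Added example for the 'Brute Force' attack type; not code from the IBM
course. The log format, threshold and window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one burst against 'alice' from a single address that
# ends in a successful login, and three slow failures against 'bob'.
SAMPLE_LOG = """\
2020-03-01T10:00:01 FAIL user=alice ip=203.0.113.7
2020-03-01T10:00:02 FAIL user=alice ip=203.0.113.7
2020-03-01T10:00:03 FAIL user=alice ip=203.0.113.7
2020-03-01T10:00:04 FAIL user=alice ip=203.0.113.7
2020-03-01T10:00:05 FAIL user=alice ip=203.0.113.7
2020-03-01T10:00:06 OK   user=alice ip=203.0.113.7
2020-03-01T10:05:00 FAIL user=bob   ip=198.51.100.9
2020-03-01T10:20:00 FAIL user=bob   ip=198.51.100.9
2020-03-01T10:35:00 FAIL user=bob   ip=198.51.100.9
"""

THRESHOLD = 5                    # failures inside the window that raise an alert
WINDOW = timedelta(minutes=10)   # sliding window length


def parse_line(line):
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per (ip, user) pair that exceeds the threshold.

    Each alert records the first and last failure of the run and whether a
    successful login followed it, which is the case an analyst must treat as
    a probable account compromise rather than a failed attempt.
    """
    fails = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}                  # (ip, user) -> alert dict, in detection order
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, ip = parse_line(raw)
        key = (ip, user)
        if result == "FAIL":
            q = fails[key]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"ip": ip, "user": user, "first": q[0],
                               "last": ts, "success_after": False}
        elif result == "OK" and key in alerts:
            # A success after an alerted burst is the high-priority signal.
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run as a script, the detector reports a single alert for `alice` from `203.0.113.7` with `success_after` set, and nothing for `bob`, whose three failures are spread 15 minutes apart and never accumulate inside the window. In production the same logic sits behind an account-lockout or step-up-authentication decision, and the window and threshold are tuned per application.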


Attack types

Misconfiguration or human error

Incidents where attackers gain access to vulnerable systems, left exposed by inexperienced administrators or users (e.g., default factory settings).

2 billion records exposed: a 424% rise in records compromised as a result of these types of incidents in 2017 compared with the previous year.

Misconfigured cloud servers, networked backup incidents, BYOD and other improperly configured systems.



Attack types

Malvertising

Using sophisticated tools to conceal malware within objects or images in advertising network ads, getting into the user’s computer even if they don’t click on the ad.



Attack types

Watering Hole

A cyber attack in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.



Attack types

Phishing

Tricking a user into providing protected information or downloading malware, typically using email that appears to be from a trusted or reputable source.



Attack types

SQL Injection

The attack inserts SQL commands through client applications, allowing the hacker to read and modify sensitive data and execute database administration operations.

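The definition above says the attacker "inserts SQL commands"; what makes that possible is an application that builds the statement text out of user input. The block below is an added example, not code from the IBM course: it puts a query built by string concatenation beside the same query written with a bound parameter, against an in-memory SQLite table of constructed customer rows, so the difference in what each returns for an ordinary name versus an injected value can be observed directly. The table layout, sample rows and the test input are assumptions made for the example.

```python
"""SQL injection: vulnerable query construction beside the parameterized form.

Added example for the 'SQL Injection' attack type; not code from the IBM
course. The customers table and its rows are constructed for illustration.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a small constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Defective pattern: the user value is spliced into the SQL text itself,
    so quote characters in the value change the statement's structure."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the statement is fixed and the value is bound to a
    placeholder, so the database treats it as data no matter what it contains."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A classic tautology payload, used here only to show the two lookups diverge.
INJECTED_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal name and with the injected value."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_injected": lookup_vulnerable(conn, INJECTED_INPUT),
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_injected": lookup_parameterized(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

With the concatenated query the injected value rewrites the `WHERE` clause into a condition that is always true and every customer row comes back; with the bound parameter the same string is compared literally against the `name` column and matches nothing. Input filtering is not a substitute for parameterization: the hardened form holds regardless of which characters the value contains, which is why it is the primary mitigation for this attack type.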


Attack types

Denial of Service (DDoS)

These attacks overload online networks and systems with massive traffic, consuming resources and bandwidth and eventually shutting down their online capabilities.



Attack types

Malware

It’s the chief weapon of a cyber attack: malicious software programmed to attack a target computer. It can block access, steal data, make systems inoperable and even physically destroy them.

Includes:
• Viruses
• Worms
• Trojans
• Ransomware
• Adware
• Spyware, bots
• Bugs
• Rootkits



WOW – Sampling of security incidents by attack type

[Figure: sampling of security incidents by attack type, time and impact, 2015 through 2017. Columns: 2015, 2016, 2017. Rows (attack types): Physical access, Brute force, Misconfig., Malvertising, Watering Hole, Phishing, SQLi, DDoS, Malware, Undisclosed.]

Size of circle estimates relative impact of incident in terms of cost to business, based on publicly disclosed information regarding leaked records and financial losses.
Cover Image: Sampling of security incidents by attack type, time and impact, 2015 through 2017.

LECTURE
CYBERSECURITY LANDSCAPE

1. Cybersecurity in the World Today
2. Cyber Threats Taxonomy
3. Cybersecurity Domains
4. Summary

CYBERSECURITY DOMAINS

As of September 2018, cybersecurity has been recognized by Secretary Nielsen as the #1 threat against the United States.

While dealing with trillions of cyberattacks every day, C-level decision-makers can unite under the banner of cyber resilience to address critical challenges like offering faster cyber incident recovery and finding ways to remain in business with the understanding that the attackers are already in—now what?

Anyck Turgeon, Global Cyber-Resiliency & Security Evangelist


Why are cyber attacks significant?

• The cost to businesses from cyber attacks and their consequences, such as data breaches, is devastating.
• According to the 2018 Cost of a Data Breach Study by Ponemon Institute, the average total cost of a data breach is $3.86 million.¹

Cyber attacks also:
• Damage brands and reputations
• Erode and even decimate customer loyalty
• Result in loss of intellectual property
• Put companies out of business
• Invite regulatory penalties
• Impair security for governments and states
• Increase potential for future attacks

1. 2018 Cost of a Data Breach Study: Global Overview, Ponemon Institute, July 2018


The real change has to come from the defenders’ side

• Year-by-year shifts in the cybercrime arena do not necessarily mean that much is changing in the way online fraud works or the tools cybercrime gangs are using to work it.

• The cybercriminal lifecycle has to be shortened to render it less and less lucrative over time. The faster we react to cybercrime findings and share them across the entire community, the less time each malware variant will have to realize successful fraud attacks.

• With increased vigilance, stronger detection and quicker reaction times, criminal operations can become much less financially viable for attackers.

• Fraudsters will be forced to abandon the field for lack of profit.

Defenders who respond quickly to attacks are the key to shortening the cybercrime lifecycle.


Traditional security practices are unsustainable

– 85 security tools from 45 vendors
– 1.5 MILLION unfilled security positions by 2020
– 68 PERCENT of CEOs are reluctant to share incident information externally


Imagine if you could…

PROTECT against tomorrow’s risks, today


How do I get started when all I see is chaos?

(Slide shows a word cloud of security capabilities:)
Threat sharing, Virtual patching, Indicators of compromise, Network visibility, Incident response, Data access control, Data monitoring, Sandboxing, Content security, Application security management, Access management, IP reputation, Log/flow/data analysis, Antivirus, Firewalls, Criminal detection, Incident and threat management, Entitlements and roles, Privileged identity management, Malware protection, Fraud protection, Endpoint patching and management, Transaction protection, Vulnerability management, Workload protection, Application scanning, Identity management, Cloud access security broker, Device management, Anomaly detection


Why does a security immune system make sense now?

When it comes to cybersecurity threats:

– No one is immune: no business, no government, no individual.
– The question has moved from “if you’re attacked” to “how quickly you can respond.”
– The traditional defense strategy is to add another tool to a fragmented and disjointed IT environment.


Integrated security immune system

– Security in a more organized fashion, structured around domains.
– Security intelligence in the middle to make sense of threats using logs, data, flows, packets.
– Different layers of defense start working together, sending the important info to block threats.
– Integrated: collaboration across companies and competitors, to understand global threats and data, and adapt to new threats.

(Diagram: Security Immune System with SECURITY INTELLIGENCE at the center, surrounded by the domains IoT, MOBILE APPS, CLOUD, NETWORK, DATA, THREAT INTEL, IDENTITY & ACCESS and ADVANCED FRAUD.)


Network Security

Serving as first line of defense for governments and organizations. Networks support the global economy and communications infrastructure on which our society relies today.

Targets
• The most common entry point for every cyber attack
• From individuals on mobile devices and IoT on unprotected WiFi
• To complex mega server farms supporting our internet backbone

Attacks
• DDoS, Misconfiguration, Physical Access

(Diagram: Security Immune System)


Mobile & IoT Security

Protecting the entry point for billions of users and things connected globally. There we store our personal data and sense the events happening in real time in the world we live in.

Targets
• Organizations – that rely on sensor data to drive logistics and operations
• People – consumers and their personal data
• Things – planes, elevators, cars, homes

Attacks
• Physical access, Misconfiguration, Malvertising, Malware, Phishing

(Diagram: Security Immune System)

IBM Skills Academy / © 2020 IBM Corporation


42 IBM Security Course materials may not be reproduced in whole or in part without the prior written permission of IBM
C Y B E R S E C U R I T Y D O M A I N S

Application Security

Ensuring safe use and operation of all applications (mobile, web, backend).

Applications control all the access points to data and the transactions required to interact with different systems.

Targets
• Involving the most sophisticated types of attacks
• Organizations using websites that provide online services
• Development teams creating in-company applications

Attacks
• Malware, SQLi, Watering Hole, Misconfiguration

[Figure: Security Immune System diagram]
C Y B E R S E C U R I T Y D O M A I N S

Data Security, Identity, Access and Fraud

Protecting the access and usage of data, the most valuable digital asset today.

Data contains confidential information that could be sold, or leveraged as intelligence to commit crimes and financial fraud.

Targets
• Large organizations that store valuable information: financial institutions, hospitals, government agencies
• Social media giants that store vast amounts of customer personal data

Attacks
• Misconfigurations, Phishing, Ransomworms

[Figure: Security Immune System diagram]
C Y B E R S E C U R I T Y D O M A I N S

Cloud Security

Cloud safety mechanisms integrate network, applications, data and access.

Cloud environments help organizations simplify and automate the integration between networks, endpoints, applications and data, establish identity validation and access gateways, and provide powerful management and visualization tools.

Targets
• Unskilled IT teams starting their cloud adoption journey
• Companies hosting valuable data in the cloud

Attacks
• Misconfiguration, Ransomware, Malware

[Figure: Security Immune System diagram]
C Y B E R S E C U R I T Y D O M A I N S

Security Intelligence with A.I.

Using analytics and A.I. to respond in real time to attacks, finding patterns in thousands of concurrent incidents.

Identifying high-risk threats in near real time. Detecting vulnerabilities, managing risks and identifying high-priority incidents among billions of data points. Gaining full visibility into network, application and user activity.

Targets
• Government and corporate multinational organizations challenged to interpret billions of events each day to uncover attacks

Tools
• SIEM – Security Information and Event Management

[Figure: Security Immune System diagram]
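To make concrete what a SIEM does with events from several layers of the Security Immune System (identity & access, application, threat intel), here is an added Python example that is not part of the IBM course material: it correlates constructed events per source address and ranks the result by risk. The risk weights, the burst window, the action names and the threat-intel entry are all assumptions made for the illustration.

```python
from collections import defaultdict

# Assumed risk weights: one signal alone is noise; several signals from
# different defense layers inside a short window add up to an incident.
WEIGHTS = {"failed_login_burst": 40, "login_after_burst": 30,
           "sensitive_app_action": 20, "threat_intel_match": 30}
SENSITIVE_ACTIONS = {"export_customers", "change_admin_role"}
INTEL_BAD_IPS = {"203.0.113.7"}   # constructed feed entry (documentation range)
BURST_FAILURES, WINDOW = 5, 300   # 5 failed logins within 300 seconds

def correlate(events, threshold=70):
    """events: (ts, layer, src_ip, action, user) tuples in any order.
    Returns [(src_ip, score, signals)] at or above threshold, highest first."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):   # oldest first, per source
        by_src[ev[2]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        signals, burst_end = [], None
        fails = [ts for ts, layer, _, act, _ in evs
                 if layer == "identity" and act == "login_failed"]
        for i in range(len(fails) - BURST_FAILURES + 1):   # sliding window
            if fails[i + BURST_FAILURES - 1] - fails[i] <= WINDOW:
                burst_end = fails[i + BURST_FAILURES - 1]
                signals.append("failed_login_burst")
                break
        if burst_end is not None:           # what happened right after the burst?
            later = [(l, a) for ts, l, _, a, _ in evs
                     if burst_end < ts <= burst_end + WINDOW]
            if ("identity", "login_success") in later:
                signals.append("login_after_burst")
            if any(l == "application" and a in SENSITIVE_ACTIONS for l, a in later):
                signals.append("sensitive_app_action")
        if src in INTEL_BAD_IPS:            # threat intel layer enriches the score
            signals.append("threat_intel_match")
        score = sum(WEIGHTS[s] for s in signals)
        if score >= threshold:
            incidents.append((src, score, signals))
    return sorted(incidents, key=lambda inc: -inc[1])

# Constructed sample events from three layers (documentation-range addresses).
SAMPLE = [(100 + i, "identity", "203.0.113.7", "login_failed", "alice") for i in range(6)]
SAMPLE += [(110, "identity", "203.0.113.7", "login_success", "alice"),
           (120, "application", "203.0.113.7", "export_customers", "alice"),
           (200, "identity", "198.51.100.20", "login_failed", "bob"),   # one typo
           (205, "identity", "198.51.100.20", "login_success", "bob"),
           (210, "application", "198.51.100.20", "view_dashboard", "bob")]
SAMPLE += [(300 + 400 * i, "identity", "192.0.2.9", "login_failed", "carol") for i in range(6)]
```

Running `correlate(SAMPLE)` flags only 203.0.113.7 (score 120): the slow failures from 192.0.2.9 never fit the window and bob's single typo followed by a normal login scores zero.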

C Y B E R S E C U R I T Y D O M A I N S

Threat Hunting

Focuses on cybercrime detection, hunting and investigation.

The act of proactively and aggressively identifying, intercepting, tracking, investigating and eliminating cyber adversaries as early as possible in the Cyber Kill Chain. The earlier you locate and track your adversaries' Tactics, Techniques and Procedures (TTPs), the less impact these adversaries will have on your business.

Targets
• Every industry is impacted by cybercrime, which affects everything that we do in our lives today, so it is everyone's responsibility to be part of the solution.

Tools
• Threat intelligence, human analysts, threat analytics, visualization and prediction tools

[Figure: Security Immune System diagram - Threat Hunting, Identity & Access, Advanced Fraud]
LECTURE
CYBERSECURITY LANDSCAPE

1. Cybersecurity in the World Today


2. Cyber Threats Taxonomy
3. Cybersecurity Domains
4. Summary
S U M M A R Y A N D R E S O U R C E S

Summary

• Global financial crime is the biggest motivation for cybercriminals and their organizations to attack companies around the world.

• Cyber attacks enable cyber-crimes like information theft, fraud and ransomware schemes.

• Malware is malicious software. It's the chief weapon of a cyber attack and includes viruses, worms, trojans, ransomware, adware, spyware, bots, bugs and rootkits.

• The real change has to come from the defenders' side. The cybercriminal lifecycle has to be shortened to render it less and less lucrative over time.

• Organizations need an integrated approach to protect from cyber attacks that goes beyond the boundaries of their enterprise into the extended ecosystem.
Product and Service names are the property of their respective owners
The information contained in this document has not been submitted to any formal IBM test and is distributed on an "as is" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.

© Copyright International Business Machines Corporation 2020.

This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM Global University Programs