The Next Cyber War Geo-Political Events And Cyber Attacks. Werner Thalmeier Director Security Solutions EMEA & CALA

Transcription

1 The Next Cyber War Geo-Political Events And Cyber Attacks Werner Thalmeier Director Security Solutions EMEA & CALA

2

3 3 Almost Every Geo Political Event Triggers a Cyber Attack

4 Geo-Political Events Followed by Cyber Attack Feb/July USA Operation Ababil Targeting financial institutions April 2015 Belgium Belgian Media Group DDoS attack pro ISIS sympathizers November now Ukraine & Baltic Countries Operation Opindependence April 2015 Mexico DDoS Attack on Media after State Masscre August 2014 Brazil FIFA Worldcup January 2015 France Anonymous against Islamic Hackers - OPISIS March 2015 Israel Anonymous attacks OPIsrael 2014 Irak and Syria Anonymous declars war on ISIS 4

5 Crime Hacktivism Espionage War C.H.E.W.: Motivation, Capability & Intent By Richard Clark Money And more money Large number of groups Skills from basic to advanced Present in virtually every country on earth Protest Revenge Large number of groups Groups tend to have basic skills with a few standout individuals with advanced skills motivating a potential larger set of follower Acquiring Secrets For national security For economic benefit Growing number of countries with capability Larger array of supported or tolerated groups Motivation is to destroy, degrade, or deny Politics by other means Growing number of countries with capability Non-state actors my move here as well 5

6 January 7 th Attack on Charlie Hebdo Cyber Attacks As Consecquence Of Recent Terror Attacks January 15 th Anynomous #OpCharlieHebdo launched an operation called "We intend to take revenge in their name, we are going to survey your activities on the net, and we are going to shut down your accounts on all social networks." Twitter Account was created, asked followers to report Twitter accounts of suspected terrorists A crowd sourced list shared by the group has collected more than 100 accounts to target via Twitter Anonymous was able to find few major targets including few pro jihadist websites and social media accounts supporting ISIS 6

7 AnonGhost: Islamic hackers called AnonGhost have launched a digital Jihad against France and Anonymous Cyber Attacks As Consecquence Of Recent Terror Attacks AnonGhost has brought down a number of French websites, replacing the pages with a manifesto and a series of disturbing images The front pages of the official municipality websites have been covered with the Jihadist militant group's black flag, play Arabic-language music and feature the message: "The Islamic State Stay Inchallah, Free Palestine, Death to France, Death to Charlie." In fact 19,000+ Websites counting for a major portion of the French cyber space, while most of these websites were defaced with Anti Charlie Hebdo messages, few were brought down using DDoS attack 7

8 Operation Ababil Battlefield: Cause: U.S. Commercial Banks Elimination of the Film Innocence of Muslims Battle: Phase 4 of major multi-phase campaign Operation Ababil that commenced during the week of July 22 nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others. Attackers: Result: Cyber Fighters of Izz ad-din al-qassam Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks. 8

9 Massive TCP and UDP flood attacks: Targeting both Web servers and DNS servers. Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. Source appears to be Brobot botnet. DNS amplification attacks: Attacker sends queries to a DNS server with a spoofed address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target. Operation Ababil HTTP flood attacks: Cause web server resource starvation due to overwhelming number of page downloads. 9 Encrypted attacks: SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x more CPU in order to process the encrypted attack traffic.

10

11 Information Security Fundament availability 11 C.I.A.

12 Change from 2013 Who Is On The Spot

13 Volumetric Floods Network Scans SYN Floods Low & Slow HTTP Floods SSL Floods Application Misuse Brute Force SQL Injection Cross Site Scripting Multi-Vulnerability Attack Campaigns % % % 15% 10% 5% Internet Internet Pipe Firewall IPS/IDS Load Balancer (ADC) Server SQL Server 13

14 Multi-Vector Attacks Are The Norm In 2014, almost every attack campaign was composed of multiple attack vectors. Attackers would rather keep the target busy by launching one attack at a time, rather than firing the entire arsenal at once. You may be successful at blocking four or five attack vectors, but it only takes one for the damage to be done. 14

15 Attack Vectors Application: 49% Network: 51% 15

16 The Rise of the Continuous Attack 40% In 2014, 19% of attacks were considered to be 35% constant. 30% % 20% 15% 10% 5% Less than an hour 1 hour 1 day 1 day 1 week Over a week Constant 16

17 Public Cloud: Perimeter Erosion Cloud-Based Infrastructure Enterprise Datacenter On-premises attack mitigation tools are ineffective against attacks targeting application in the cloud. 17

18 B o t n e t Cloud protection limitations Low & Slow attacks SSL encrypted attacks E n t e r p r i s e Volumetric attacks C l o u d S c r u b b i n g 18

19 Problem: Multiple Sources, Single IP Enterprise Datacenter Sources are behind NAT CDN Enterprise Internal Network Carrier Grade NAT 19

20 Rise of the Botnets - IoT Individual Servers Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity Botnets Stealthy malicious software installed mostly on personal computers without the owner s consent; controlled by a single entity trough indirect channels (IRC, HTTP) Examples: Agobot, DirtJumper, Zemra Voluntary Botnets Many users, at times as part of a Hacktivist group, willingly share their personal computers. Using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC Thingbots New Smart, Server-based internet connected Botnets appliances that are Powerful, coopted by well hackers to orchestrated form a botnet attacks, of using networked a geographically things. The spread devices server are typically infrastructure. highly vulnerable Few to attacking compromise. servers The generate sheer the scale same of the impact number as of hundreds devices poses of clients. a major new risk Present Present Present 20

21 Volumetric Attack DNS Amplification Most frequently used attack vector Amplification affect Regular DNS replies - a normal reply is 3-4 times larger than the request Researched replies can reach up to 10 times the original request Crafted replies attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes) - amplification factor of up to 100 times 21

22 Low and Slow Attack - R.U.D.Y. Exploits a design weakness that became public in Nov 2010 A slow rate attack tool that can cause DoS with a relatively low amount of traffic generated Instead of sending the entire HTTP Post request at once, it sends one byte every 10 seconds making the connection last forever. It does it in parallel again and again over numerous connections until the server s resources are exhausted. 22

23 Minutes to Compromise. Months to Discover. Seconds Minutes Hours Days Weeks Months Initial Attack to Initial Compromise 10% 75% 12% 2% 0% 1% Initial Compromise to Data Exfiltration 8% 38% 14% 25% 8% 8% Initial Compromise to Discovery 0% 0% 2% 13% 29% 56% 23

24 DDoS To Rent Current prices on the Russian underground market: Hacking corporate mailbox: $500 Winlocker ransomware: $10-$20 Unintelligent exploit bundle: $25 Intelligent exploit bundle: $10-$3,000 Basic crypter (for inserting rogue code into benign file): $10-$30 SOCKS bot (to get around firewalls): $100 Hiring a DDoS attack: $30-$70 / day, $1,200 / month Botnet: $200 for 2,000 bots DDoS Botnet: $700 ZeuS source code: $200-$250 Windows rootkit (for installing malicious drivers): $292 Hacking Facebook or Twitter account: $130 Hacking Gmail account: $162 spam: $10 per one million s scam (using customer database): $50-$500 per one million s 24

25 25 DDoS and Blackmail

26 New Vectors, Dangerous Commonality Cyber-attacks are split evenly between the network and application levels UDP attacks increased from 7% in 2013 to 16% in 2014 due to increase reflective attacks. Web attacks remain the single most common attack vector. 1 in every 4 web-based attacks are HTTPS. 19% of organizations reported attacks on a daily basis Reflective attacks represent 2014 s single largest DDoS headache Hackers trying every protocol to use for their next big reflective attack Larger concern with the rise in the popularity of volumetric attacks 26

27 Hacktivism Move To Campaign-APT Oriented Complex: More than seven different attack vectors at once Blending: Both network and application attacks Targeteering: Select the most appropriate target, attack tools Resourcing: Advertise, invite, coerce anyone capable Testing: Perform short proof-firing prior to the attack Timeline: Establish the most painful time period for his victim 27

28

29 Attack Detection Attack Detection Cyber Attack Cyber Attack Defense Defense Attack Attack Mitigation Quality of Detection Quality Of (QD) Detection Time to Detection Time To (TD) Detection Quality of Mitigation (QM) Quality Of Mitigation Technical Coverage Detection Algorithms Reporting & Correlation Triaged Response Options Over / Under Mitigating Proper Mitigation Location Local / Premise Technical Coverage Detection Algorithms Reporting & Correlation Triaged Response Options Over/Under Mitigation Mitigation Location Local / Premise Time To to Mitigation (TM) Mitigation Cloud Cloud Business Partner 29 Business Partner

30 Understand The Real Behaviour Behavior-based traffic analysis Rather than Superficial rate-based analysis 30

31 Attack Degree Axis The Use of Intelligence Attack Area Suspicious Area Normal Area 31

32 First Line Of Defense Protecting the Application Server Front End against Attacks on the Application Layer Web Attacks Application Misuse Connection Floods Brute Force Directory Traversals Injections Scraping & API Misuse 32

33 Second Line Of Defense Protecting the Perimeter against Encrpyted and Non-volumetric Attacks Envelope Attacks Device Overload Directed Attacks - Exploits Intrusions Mis-Configurations Localized Volume Attacks Low & Slow Attacks SSL Floods 33

34 Protecting against Volumetric Attacks in the Cloud Network DDoS SYN Floods HTTP Floods Third Line Of Defense 34

35 Layered Lines Of Defense Requires An Integrated Hybrid Solution HTTP Floods SSL Floods Large volume network flood attacks Network Scan Syn Floods Low & Slow DoS attacks (e.g.sockstress) App Misuse Brute Force Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server Volumetric attacks Network & Stateful attacks Application attacks Cloud DDoS protection DoS protection Behavioral analysis SSL protection WAF IPS 35

36 Are You On Risk? Don t assume that you re not a target. Protecting your data is not the same as protecting your business. Comprehensive information security requires data protection, system integrity and operational availability. You don t control all of your critical business systems. Understand your vulnerabilities in the distributed, outsourced world. The perimeter is dead. Protect your virtual perimeter. You can t defend against attacks you can t detect. Deploy networked attack sensors wherever your business runs. Know your limitations. Choose the right partner with the expertise to help you fight 36

37 What Can You Do? Be mindful of the C.H.E.W. threats Cybercrime, Hacktivism, Espionage and Cyber War Both detection and mitigation are important - success hinges on the quality of both Timing is everything provide solutions which ensure the shortest time to mitigate Use multiple layers a hybrid solution that integrates on-premise detection and mitigation with cloud-based protection - to block volumetric attacks Choose a solution with the widest coverage to protect from multi-vector attacks SSL attacks remain a major threat SSLbased DoS/DDoS mitigation solution deployments must not affect legitimate traffic performance A single point of contact is crucial when under attack - it will help to divert internet traffic and deploy mitigation solutions 37

38 Thank You Security.Radware.com Radware 2015