Pushed to the Limit! Network and Application Security Threat Landscape January 2018

Size: px

Start display at page:

Download "Pushed to the Limit! Network and Application Security Threat Landscape January 2018"

Dwain Parks
6 years ago
Views:

1 Pushed to the Limit! Network and Application Security Threat Landscape January 2018

2 2 Agenda Global Trends Changes in the Attack Vector Landscape Business Concerns What s Around the Corner? Example Attacks in Adriatics Summary and Predictions

3 Radware Annual Security Reports SOURCE #1 Radware Industry

Employees 48% North America 6% 25% Central / Europe South

& Services Financial Services Govt & Civil Service Healthcare

22% 100-499 17% SOURCE #2 ERT Threat Research Center 2017

Team of security experts for fast mitigation experts under

3 3 Radware Annual Security Reports SOURCE #1 Radware Industry Survey 1,250 Retail and Ecommerce Education Number of Employees 48% North America 6% 25% Central / Europe South America 4% 18% Africa & APAC Middle-East Technology Products & Services Financial Services Govt & Civil Service Healthcare 10, % 3,000-9,999 13% 1,000-2,999 5% % <100 22% % SOURCE #2 ERT Threat Research Center 2017 real-life attack data, security alerts and threat research Team of security experts for fast mitigation experts under attack WannaCry OpIcarus XMR Squad Mirai botnet BrickerBot OpKillingBay CodeFork group

4 4 Global Trends

5 5 Global Trends in Threats & Attacks Bots Data IoTs Cyber-security BTC challenge protection integration value and defense is the top complicates systems, pushed cybercrime business to generating the security concern climb limit fictitious to management new heights demand

6 Slovenia Trends: Shift Towards Application Layer 3% 27% 1% Attack Vectors 22% 6% 41% SYN HTTP DNS UDP NTP 17% 13% 1% Attack Category 47% 22% Anomalies Network DDoS Apolication DDoS (DNS) Intrusions

6 6 Slovenia Trends: Shift Towards Application Layer 3% 27% 1% Attack Vectors 22% 6% 41% SYN HTTP DNS UDP NTP 17% 13% 1% Attack Category 47% 22% Anomalies Network DDoS Apolication DDoS (DNS) Intrusions SYN Flood TCP Handshake Violation Network Volume Attack Duration Attacks: Volume & Non Volume 37% 63% Average Duration Less than 1 min (Burst) Steady Flood (more than 1 hour) Large Increase Application Attacks

7 7 Cryptocurrency Prosperity Drives Cybercrime Ransom is the motivation behind 50% of the attacks Incidence has grown by 40% Yearover-Year One in eight organizations suffered a DDoS Extortion Ransom is the top concern of security professionals in % 50% 40% 30% 20% 10% 0% Ransom as Motivation Tripled 50% 41% 25% 16%

prepared for GDPR 26% See data protection as

8 8 Protecting Sensitive Data is the #1 Concern 45% Have suffered a data breach 30% Of customers will ask for compensation, leave, Or file a suit following a data breach 28% Name data theft as the #1 security challenge 72% Are not fully prepared for GDPR 26% See data protection as the top concern in % Intend to invest more in data protection in 2018

9 IoT Security an Orphan Child No agreement on who is

report suffering an IoT botnet attack in 2017 Management

3% Business Organization Manufacturer Private Consumer

Yes, 17% No, 52% Requiring more headcount High rate of

difficulty in security management 9% 9% 15% 18% 47% Who is

Have you experienced DDoS attacks by an IoT botnet?

9 9 IoT Security an Orphan Child No agreement on who is accountable for securing IoT devices 1 in 6 organizations report suffering an IoT botnet attack in 2017 Management Complexity the greatest concern of IoT integration Other 3% Business Organization Manufacturer Private Consumer Service Provider 21% 11% 34% 35% Don't know/not sure, 31% Yes, 17% No, 52% Requiring more headcount High rate of false alarms Malware propagation DDoS attacks More difficulty in security management 9% 9% 15% 18% 47% Who is accountable for risks posed by IoT devices as hubs? Have you experienced DDoS attacks by an IoT botnet? 0% 20% 40% 60% 80% 100% What is your greatest fear when integrating IoT devices into your network?

10 10 The Rise of the Botnets - Is Your Data in Good Hands? For some organizations, bots represent more than 75% of their total traffic 79% organizations cannot distinguish between good bots and bad ones What can bots do? 1. DDoS attacks 2. Web scraping - steal data and intellectual property 3. Manipulate pricing 4. Hold inventory

11 11 APIs the Next Weak Link API security is often overlooked data transferred is not subject to inspection or validation Common API vulnerabilities 80% Access violations Protocol attacks 60% 51% 60% 52% Invalidated redirects 40% Parameter manipulations Irregular JSON/XML expressions 20% 0% Don t analyze API vulnerabilities prior to integration Share and consume sensitive data via APIs Don't inspect data transferred via APIs

12 12 Changes in the Attack Vector Landscape

13 13 DDoS Attacks: Shift Towards Application Layer Application attacks become the preferred DDoS vector Network attacks declined significantly HTTP/S and TCP-SYN Floods are causing the most damage 1 in every 5 attacks exceed 1Gbps 50% 40% 30% 20% 10% 37% 28% 33% 23% 7% 35% 23% 18% 12% 10% 4% + 10% DDoS Attacks 0% HTTP HTTPS DNS SMTP VOIP TCP SYN flood Application UDP ICMP TCP-Other IPv6 Other Network

14 Slovenia Top Attacks: Shift Towards Application Layer TOP

1500 1000 500 0 NTP Reflection UDP Flood SYN Flood 1 TOP PPS Rate

5 0 NTP Reflection UDP Flood SYN Flood Network 0 200 400 600 800 1000

14 14 Slovenia Top Attacks: Shift Towards Application Layer TOP Volumetric Attacks (Mbps) TOP Attacks per Application NTP Reflection UDP Flood SYN Flood 1 TOP PPS Rate Attacks (Millions) NTP Reflection UDP Flood SYN Flood Network Junk HTTPS NTP HTTP DNS SSH/TELNET 0 (Zero) Application Large Increase Application Attacks

15 15 DNS Attack Vectors % suffered a DoS attack against their DNS server Brute Force attack and Basic Query Floods are the most common vectors 60% 50% 40% 49% 42% 34% 30% 20% 26% 20% 10% 0% Brute Force Basic Query Flood Recursive Flood Reflective Amplification Attack Cache Poisoning Which of these attack vectors did you experience?

16 Emerging DDoS Attack Vectors Concerned with in 2018

16 16 Emerging DDoS Attack Vectors Concerned with in % Experienced in % 70% 60% 57% 50% 10% 40% 30% 20% 10% 0% 15% 7% Permanent Denial of Service (PDoS) 31% SSL-Based Attacks 13% 16% IoT Botnets 42% Burst Attacks

17 17 Bot Attacks Web scraping is the main plague Two of five report bot traffic exceeds 75% 44% still can t distinguish between bots and a flash mob 60% Web Scraping Impact 56% 50% 40% 30% 32% 45% 39% 20% 10% 0% Inventory depleted (e.g., sold out within minutes) Inventory held (customers cannot complete purchase) Website copied (screen-captured or content) Intellectual Property stolen (such as pricing)

18 Krebs 09/20 OVH 09/21 Mirai source leaked 09/30 10/19 Hajime 10/21 DYN 10/29 IRCTelnet (new Aidra) 11/23 400k+ Mirai botnet for rent by BestBuy 11/27 DT, TalkTalk, Post Office UK TR069 Exploit

18 18 Krebs 09/20 OVH 09/21 Mirai source leaked 09/30 10/19 Hajime 10/21 DYN 10/29 IRCTelnet (new Aidra) 11/23 400k+ Mirai botnet for rent by BestBuy 11/27 DT, TalkTalk, Post Office UK TR069 Exploit 12/21 Leet botnet: 650Gbps/150Mpps DDoS attack 08/2016 Mirai 08/2016 Rakos 01/30 Linux.Proxy.10 02/22 Mirai turns to Windows 02/22 BestBuy arrested in UK 2015 Moose 2014 MrBlack 2014 TheMoon 2014 Bashlite 2012 Aidra 03/13 Imeij 04/07 Amnesia 04/10 BrickerBot 05/09 Persirai 08/30 WireX 09/14 RouteX 09/26 Linux.ProxyM 10/23 Reaper 11/23 Satori 12/13 Mirai authors plead guilty 01/17 Satori continues 01/25 Masuta 02/03 ADB.miner 02/08 JenX 02/15 DoubleDoor 02/21 OMG 2016 Oct

50% from 2016 Servers are compromised the

40% growth in complete outages over mere

(Saturation) 17% Firewall 6% 4% Load 35%

19 19 Failure Points in the Data Center Internet Pipe Saturation incidence grew 50% from 2016 Servers are compromised the most - as they keep the lucrative data 40% growth in complete outages over mere service degradation 37% Internet Pipe (Saturation) 17% Firewall 6% 4% Load 35% The 1% SQL Server Server Balancer Under (ADC) Attack IPS/IDS Internet Pipe Firewall IPS/IDS Load Balancer/ADC Server Under Attack SQL Server

20 Vertical Highlights 40% Of retailers report bot traffic above 75% of total 42% Of education institutes actually fear availability issues, over data theft or reputation loss 31% Of service

20 20 Vertical Highlights 40% Of retailers report bot traffic above 75% of total 42% Of education institutes actually fear availability issues, over data theft or reputation loss 31% Of service providers intend to invest in DDoS mitigation in % Of government and public sector organizations suffer attacks daily 73% Of healthcare s express low to medium confidence in securing patient records 44% Of financials do not track the dark web after a data security breach

21 21 Business Concerns of Cyber-Attacks

22 22 Biggest Business Concern When Attacked Data loss followed by reputation loss were the biggest concerns Fewer were concerned with revenue loss this year Data Leakage/ information loss 28% Availability / SLA Degradation 23% Reputation loss 17% Revenue loss 13% Customer / partner loss Productivity loss 10% 10% 0% 5% 10% 15% 20% 25% 30% What is your concern if faced with a cyber-attack?

23 23 Cost of a Cyber-Attack 1. 78% of organizations make no cyber-attack cost analysis 120% 100% 2. Those who do provide a higher than double estimation 80% 60% 40% 56% 3. Most believe attacks cost less than $100K USD. 20% 0% 41% 16% 9% 11% 4% 2% 2% 20% 11% 10% 5% 4% 4% 5% Yes No

24 24 Security Measures Following Attacks In general, customers are not holding organizations responsible for cyber-attacks Customers filing lawsuits following data breaches or DDoS downtime are more common in APAC DDoS downtime 13% 5% 12% 70% Customers asking for compensation Lawsuits Data breach 9% 10% 11% 70% Customers leaving Malware contamination and propogation 9% 7% 9% 75% 0% 20% 40% 60% 80% 100% Has any of your customers taken measures because of an attack against your organization?

25 25 Multiple Touchpoints = Higher Risk Organizations do not take all the necessary measures when their application services communicate with 3rd party services 80% 70% 60% 50% 40% 30% 72% 50% 42% 32% 47% do not use encryption 20% 10% 0% Username/ password Payment details Personally identifiable information User behavior / preferences / analytics Which data types do you share with 3 rd parties?

26 26 Application Security Concerns Most organizations feel they can handle the OWASP top 10 pretty well. They fear: 1. Application layer DDoS 2. Encrypted / SSL-based attacks 3. API manipulations 4. Data breach Layer 7 DDoS Encrypted web attacks (SSL/TLS-based) API manipulations Data security breach Brute force Cross-site scripting Web Scraping SQL injection Cross-site request forgery Which attacks against applications are most difficult to prevent, detect and contain? 15% 13% 13% 13% 25% 44% 48% 57% 62% 0% 10% 20% 30% 40% 50% 60% 70%

have an incident response plan in place 68% Are not confident in their security posture 36%

27 27 Additional Gaps in Preparedness 30% Will hire hackers to work in their security team 41% Of security professionals trust the employees in their organizations 33% Of organizations do not have an incident response plan in place 68% Are not confident in their security posture 36% Limited understanding of blockchain mechanism 25% Report an application exploit attempt every week

28 28 What s Around the Corner?

29 29 Biggest Threats in 2018 Ransom and data theft are seen as the two biggest threats in the coming year Ransom Data Theft Application vulnerabilities 22% 26% 26% IoT Botnets 13% Permanent Denial of Service 8% API Integration Other 3% 2% 0% 10% 20% 30% 40% 50% Which of the following attacks against applications and/or web servers are most difficult to prevent, detect and contain?

30 30 Projected investments in 2018 The most popular investment areas are guarding sensitive data, endpoint protection, and SIEM/analytics. MY 2018 INVESTMENT WILL BE IN In-house expertise and application infrastructure, 28% Endpoint and Malware Protection, 26% Security Management & Analytics, 20% Data Leakage Prevention, 16% DDoS Protection, 10%

31 31 Adopting Artificial Intelligence / Machine Learning 20% already rely on Machine Learning/AI based protections Better Security - #1 motivation for exploring AI solutions Better security 63% Already rely on, 20% Simpler manageability 27% Filling in the skill gap 27% Neither, 52% Plan to integrate, 28% Gaining a competitive advantage Cost reduction 25% 25% Other 8% 0% 20% 40% 60% 80% 100%

32 32 Examples of Risk to Financial Institutions such as in Adriatic Region

33 33 Ransom Ransom Denial of Service (RDoS) Objective: Cryptocurrencies Threatens use of latest techniques Increase in extortions Decrease in attacks South Korea Banks $315,000 USD 5Gbps sample attack Result of Nayana Ransomware extortion

34 Local Heists Jackpotting ATMs 2010 Barnaby Jack @ BlackHat Vector 1: Remote attack Vector 2: Key + USB Malware Tennessee - 2014 18 months spree Over $400,000

34 34 Local Heists Jackpotting ATMs 2010 Barnaby BlackHat Vector 1: Remote attack Vector 2: Key + USB Malware Tennessee months spree Over $400,000 Keypad attack Romainia Machines in one day 3.8 Million Slopes (860,000 Euros) Raiffeisen Bank o o o Spear-phising Malicious payload Gained access of ATM s

injection fraudulent messages Transfers to attacker controlled

35 35 Digital Heist SWIFT Society for Worldwide Interbank Financial Telecommunication Authenticated money moving messages Attacker injection fraudulent messages Transfers to attacker controlled accounts Central Bank of Bangladesh $81 Million USD $1 Billion USD attempt Fandation

36 36 Summary and Predictions

37 Looking ahead to 2018 Build your protection strategy.

Weaponized Artificial Intelligence Bots and automated attack tools can mimic

APIs are a double-edged sword APIs connect all platforms and services together.

Attack via Proxies Attackers target 3 rd parties who accommodate a variety of

37 37 Looking ahead to 2018 Build your protection strategy. Develop an incident response plan. Weaponized Artificial Intelligence Bots and automated attack tools can mimic human behavior. Can they mimic human learning? APIs are a double-edged sword APIs connect all platforms and services together. Businesses must audit APIs prior to integration. Attack via Proxies Attackers target 3 rd parties who accommodate a variety of businesses CDNs, applications, analytics services or download sites Automated Social Engineering Bots already collect and analyze personal data. Next step is to add a component that deceives and infects the victim

38 Stay Focused. Be Prepared. Build your protection strategy. Develop an incident response plan.

Manageability, flexibility and scalability are key for a seamless security experience Versatile

Evaluate before integrating 3rd party services Fight fire with fire AI based solutions to mitigate

Understand who is a bot and who isn t to optimize your resources and maximize your security Hope for

38 38 Stay Focused. Be Prepared. Build your protection strategy. Develop an incident response plan. Consolidate and automate Elastic, unified systems against multiple threats. Manageability, flexibility and scalability are key for a seamless security experience Versatile application protection Cross platform API and Application security protect your data assets. Evaluate before integrating 3rd party services Fight fire with fire AI based solutions to mitigate advanced cyber-weapons. Understand who is a bot and who isn t to optimize your resources and maximize your security Hope for the best, Prepare for the worst Reduce Cyber-Attacks Business Impact by getting ready Study new technologies, have an ER plan, patch systems on time, get a hybrid DDoS mitigation solution, hire hackers for clever forensics, rely on experts

Pushed to the Limit! Network and Application Security Threat Landscape Lior Zamir Technical Account Manager

Pushed to the Limit! Network and Application Security Threat Landscape 2017-8 Lior Zamir Technical Account Manager January 2018 2 About Radware 3 About Radware Market Leader in Application Availability