Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can't See
Louis Scialabba, Carrier Solutions Marketing
November 16, 2015
Topics
What's New in Cybersecurity
An Attack Mitigation Network Architecture
  o Building a Better Mousetrap
  o Reference Use Cases
  o A Case Study
  o Summary
Security Report Update: What's Trending?
o The Rise of the Continuous Attack
o Application Attacks on the Rise
o No One is Immune - Unexpected Targets
o Hybrid Solutions are Gaining Ground
o Internet Pipe: 2014's #1 Failure Point
o Cloud, IoT & SDN are Changing the Rules of the Game
o Reflective Attacks: the Largest DDoS Headache
o Losing Sleep in the C-suite
Motivations Behind Attacks Are Changing
Cyber Crime: financial gain is the primary motive
Hacktivism: driven by ideological differences
Espionage: gaining information for political, financial or competitive leverage
War: damage/destroy centers of power, military or non-military
No One is Immune: Unexpected Targets
o Threats in new industries, organizational sizes and technology deployments
o Healthcare and Education: unexpected targets now at risk
o Gaming, Hosting and ISP companies: increased likelihood
o Financial Services: the only industry to have a reduced risk
[Chart: 2014 change from 2013, by industry]
Why Should You Care?
1 minute OUTAGE: ~$11,000 loss per server*
Annual cost of ~$5,780,000 per server*
Today more than ever, TIME IS MONEY
* Representing lost revenues from an SLA breach, based on 99.9% availability
Did You Know?
o Attacks evenly split across network and application layers
o Web-based attacks remain the single most common attack vector; 1 in every 4 are HTTPS
o Increased reflective attacks cause UDP attacks to increase: from 7% in 2013 to 16% in 2014
o Reflective attacks represent 2014's single largest DDoS headache
[Pie chart: 2014 attack vectors, Application 49% vs. Network 51%; segments: Web (HTTP/HTTPS), DNS, SMTP, VoIP 1%, IPv6 1%, TCP-SYN Flood, TCP-Other, UDP 16%, ICMP]
Carrier Threats Lurking in the Shadows
Multi-Vector Attacks
Attack vectors: Large volume network flood attacks, Network Scan, SYN Floods, HTTP Floods, SSL Floods, Brute Force, App Misuse, Low & Slow DoS attacks (e.g. sockstress), SQL Injections, XSS, CSRF
Targets along the path: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server
Protections: Cloud DDoS protection, DoS protection, Behavioral analysis, IPS, WAF, SSL protection
Attack Mitigation Architecture
Attack Mitigation Pillars: Collection, Detection, Mitigation, Operation
How Can You Protect From Something You Don't See?
Radware detection coverage (vs. Non-Radware):
o Source IP-agnostic detection
o Encapsulated attacks
o Encrypted SSL-based attacks
o Beyond HTTP (SMTP, FTP, SQL)
o OpenFlow-based Detection
Multilayer Detection is Critical! (application attacks and network attacks)
Radware Mitigation Elements
o DefensePro: real-time attack mitigation device providing layer 4-7 multi-attack coverage
o DefenseFlow: network-wide attack detection and cyber command and control
o AppWall: Web Application Firewall (WAF) providing full coverage of OWASP top-10 threats
Robust Data Collection
o Radware Virtual & Physical Appliances (L3-4-7 Collection)
o 3rd Party Detection Devices (NetFlow, SIEM, ...)
o NetFlow
o Radware Flow Collector
o Command & Control
o CheckPoint DDoS Protector
o SDN Enabled Devices (OpenFlow / OpenDaylight)
o Cisco FirePower 9300
Multi-source collection ensuring 100% attack coverage
Behavior-Based vs. Rate-Based Detection
Non-Radware: Rate-Based Detection
Radware: Behavior-Based Detection, to prevent service-level impact on legitimate traffic
Rate-Invariant Behavioral Analysis
[Charts: for a Flash Crowd and for an RST Flood Attack, Rate Analysis (0-100%) alongside TCP Flag Distribution Analysis (SYN, SYN-ACK, ACK, Data, RST, FIN-ACK)]
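As an added illustration (not Radware's code or algorithm), the Python sketch below shows why the flag-distribution view separates a flash crowd from an RST flood where a pure rate view cannot: both windows exceed the baseline rate, but only the flood changes the TCP flag mix. The baseline and window counts are constructed sample data, and the rate factor and shape threshold are assumed tuning values.

```python
"""Rate-invariant behavioral analysis (added illustration, not Radware code):
the TCP flag mix of a traffic window is compared with a learned baseline,
separately from its packet rate. All counts below are constructed sample data."""
from collections import Counter

FLAGS = ("SYN", "SYN-ACK", "ACK", "Data", "RST", "FIN-ACK")

# Constructed baseline: one 10-second window of normal traffic (1000 pps).
BASELINE_WINDOW = Counter({"SYN": 1000, "SYN-ACK": 1000, "ACK": 3500,
                           "Data": 3000, "RST": 300, "FIN-ACK": 1200})
BASELINE_PPS = sum(BASELINE_WINDOW.values()) / 10

# Constructed observations, each a 10-second window of per-flag packet counts.
QUIET_WINDOW = Counter(BASELINE_WINDOW)                       # same as baseline
FLASH_CROWD_WINDOW = Counter({f: n * 6 for f, n in BASELINE_WINDOW.items()})
RST_FLOOD_WINDOW = Counter(BASELINE_WINDOW) + Counter({"RST": 40000})

def flag_distribution(counts):
    """Per-flag fractions of the window's packets (sum to 1, or all 0)."""
    total = sum(counts.get(f, 0) for f in FLAGS)
    return {f: (counts.get(f, 0) / total if total else 0.0) for f in FLAGS}

def distribution_distance(observed, baseline):
    """Total variation distance between two flag distributions, in [0, 1]."""
    return 0.5 * sum(abs(observed[f] - baseline[f]) for f in FLAGS)

def dominant_deviation(counts, baseline=BASELINE_WINDOW):
    """Flag whose share grew most against the baseline (a signature hint)."""
    obs, base = flag_distribution(counts), flag_distribution(baseline)
    return max(FLAGS, key=lambda f: obs[f] - base[f])

def classify_window(counts, window_seconds, baseline=BASELINE_WINDOW,
                    baseline_pps=BASELINE_PPS, rate_factor=3.0,
                    shape_threshold=0.15, min_packets=100):
    """'attack' when the flag mix departs from baseline (at any rate),
    'flash crowd' when only the rate is high, otherwise 'normal'.
    rate_factor / shape_threshold are assumed tuning values."""
    total = sum(counts.get(f, 0) for f in FLAGS)
    if total < min_packets:            # too few packets for a stable shape
        return "normal"
    shape = distribution_distance(flag_distribution(counts),
                                  flag_distribution(baseline))
    high_rate = total / window_seconds > rate_factor * baseline_pps
    if shape > shape_threshold:
        return "attack"
    return "flash crowd" if high_rate else "normal"

if __name__ == "__main__":
    for name, win in (("quiet", QUIET_WINDOW), ("flash crowd", FLASH_CROWD_WINDOW),
                      ("RST flood", RST_FLOOD_WINDOW)):
        print(f"{name:12s} -> {classify_window(win, 10)} "
              f"(dominant flag: {dominant_deviation(win)})")
```

A rate-only threshold would block the flash crowd window along with the flood; the dominant flag of the flood window is what a multi-parameter signature would build on.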
Beyond Primitive Source IP Blocking
Non-Radware: Source IP Address Only (X.X.X.X)
Radware: Signature with multiple parameters
Smart traffic blocking based on a Real-Time Signature incorporating multiple parameters, compared to primitive source IP address blocking
Shortest Time to Mitigate via Synchronized Operation
Non-Radware, Non-Synchronized Operation: Attack Detection, then Attack Mitigation; signature regenerated from scratch by the Mitigation Device
Radware, Synchronized Operation: Attack Detection, then Attack Mitigation; signature is synched to the Mitigation Device
Radware synchronized operation = real-time mitigation engagement. Non-synchronized operation = up to 28 minutes delay.
Real-Time Signature Generation vs. Manual
Non-Radware, Manual Signature Generation: 30 MINUTES
Radware, Real-Time Signature Generation: 18 SECONDS
Manual signature creation can take up to 30 minutes. Radware Real-Time Signature is generated in up to 18 seconds.
Automatic vs. Labor-Intensive Operation
Non-Radware: Manual Signature Generation, Manual Attack Blocking
Radware: Real-Time Signature Generation, Automatic Attack Blocking
Manual SOC analysis is required for every attack, causing high investment in HR
Complete & Automatic Attack Lifecycle Management
o Attack termination
o New service provisioning
o Traffic diversion
o Automatic mitigation activation
Lower TCO; less dependency on HR
Cyber Attack Protection In Action
Use Case 1: 3rd Party NetFlow-Based Attack Detection
Components: Internet, Service Provider Network, Protected Objects, 3rd Party NetFlow-based Attack Detector, Scrubbing Center (DefensePro), DefenseFlow
o Attack detection by the NetFlow Attack Detector
o DefenseFlow configures DefensePro with traffic baselines and diversion information
o DefenseFlow diverts traffic for attack cleansing
Use Case 2: Radware NetFlow-Based Attack Detection
Components: Internet, Service Provider Network, Protected Objects, Radware Flow Collector, Scrubbing Center (DefensePro), DefenseFlow
o DefenseFlow detects the attack (behavioral analysis)
o DefenseFlow exports attack baselines and diversion information to DefensePro
o DefenseFlow diverts the traffic for attack cleansing
Use Case 3: OpenFlow-Based Attack Detection
Components: Internet, Service Provider Network, Protected Objects, SDN Controller, Scrubbing Center (DefensePro), DefenseFlow
o DefenseFlow detects the attack (behavioral analysis)
o DefenseFlow configures DefensePro with attack information and traffic diversion
o DefenseFlow diverts suspicious traffic for attack cleansing
Use Case 4: Layer-7 Attack Detection
Components: Internet, Service Provider Network, Protected Objects, Scrubbing Center (DefensePro), DefensePro, DefenseFlow
o DefensePro detects the Application Layer (L7) attack and syncs the attack baseline to DefenseFlow
o DefenseFlow configures DefensePro with attack information and traffic diversion
o DefenseFlow diverts suspicious traffic for attack cleansing
o Radware WAF and SSL Inspection can also be utilized for advanced web-tier protection
Summary of Use Cases
Case | Attack Detection          | Traffic Redirection | Attack Mitigation
1    | NetFlow Attack Detector   | BGP Redirection     | DefensePro
2    | NetFlow Telemetry         | BGP Redirection     | DefensePro
3    | OpenFlow (SDN) Telemetry  | SDN Redirection     | DefensePro
4    | DefensePro                | BGP Redirection     | DefensePro
A Case Study
Case Study #1 - Boston Children's Hospital
About Boston Children's Hospital
o 25,000 inpatients each year and 557,000 visits
o Ranked nationally in 10 pediatric specialties
o 200+ specialized clinical programs
o Clinical operations dependent upon networked data and devices
o Shared ISP services across a network of 7 other healthcare providers
Why Attack a Hospital?
o Early 2014, custody dispute related to a 15-year-old in BCH's care
o Turned over to Massachusetts protective services
o Group claiming affiliation with Anonymous began threatening BCH
A Look Inside the Attack
Attack Vectors Involved and Identified
Targets along the path: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server
Infrastructure: UDP Fragmented Flood, DNS Reflection, UDP Flood (PPS)
State: TCP Out Of State Flood, UDP Scan, Zero Payload attacks, Zero sequence number attacks, Invalid ACK number attacks, ICMP Flood
Application: Slowloris, SQL-Injection, XSS, Worm infection - Mydoom, SIPVicious - Scanning tool, Web-etc/passwd-Dir-Traversal
BCH Attack Analysis Summary
Duration
o Total duration of the attack was over a month
o Radware solution was deployed after the attack started
Multi Vector
o Total of 15 different attack vectors in the same attack campaign
o As many as 6 different vectors were observed simultaneously
o Mixture of web attacks and DDoS attacks - common in Hacktivism related events
Mitigation
o Proactive planning - didn't assume they weren't a target
o Identified impacted assets and processes
o Enlisted outside, expert support
Learnings
o Anyone may be a target!
o An integrated solution is required
o Prepare a response plan