Cyber War Chronicles: Stories from the Virtual Trenches. Ron Winward, Security Evangelist, Radware, Inc. March 17, 2016
Agenda
- Background on the Radware report
- Key cyber-attack trends for 2015-2016
- Case studies: a look at two attacks
Background on the Radware Report
- 5th installment of Radware's Global Application & Network Security Report
- Firsthand and statistical research coupled with front-line experience
- Identifies trends that can help educate the security community
- Provides a comprehensive review of 2015 cyber-attacks
- Covers both business and technical perspectives
- Gives best-practice advice for organizations to consider when planning for 2016
Methodology & Sources
More Than Just Another Survey: In-Depth Technical Chapters
- Dynamic IP addresses: attack tactics and protections
- Distinguishing bots from legitimate users, good from bad
- Hacktivists: in-depth TTP review
- Seven predictions for 2016
Key Cyber-Security Trends for 2015-2016
Key Findings
- No One Immune, Few Prepared
- Shifts in Motives and Impact
- Growing Need for Security Automation
Key Findings: No One Immune, Few Prepared
- Over 90% experienced attacks in 2015
- Ring of Fire
- Increased attacks on Education and Hosting
- Are you ready? Preparedness for cyber-attacks varies
- Protection gaps identified across the board
Over 90% Experienced Attacks in 2015
Q: What type of attack have you experienced?
- DDoS: 51%
- Phishing: 50%
- Worm and virus damage: 47%
- Unauthorized access: 34%
- Criminal SPAM, fraud, advanced persistent threat, theft of proprietary information/intellectual capital, corporate/geo-political sabotage: each between 7% and 29%
- None of the above: about one in ten
Half of organizations experienced DDoS and phishing attacks, and almost half had worm and virus damage. One in ten have not experienced any of the attacks listed.
Increased Attacks on Education and Hosting
Compared to 2014, most verticals stayed the same; Education and Hosting became more likely targets.
- Education: a growing number of "help me DDoS my school" requests
- Hosting: motivations vary. Some attackers target the hosting company's end customers, others target the hosting companies themselves.
Are You Ready? Preparedness for Cyber-Attacks Varies
Q: In your opinion, how prepared is your organization to safeguard itself from the following cyber-attacks?
(Columns: Extremely well prepared / Very well prepared / Somewhat prepared / Not very prepared / Not prepared at all)
- Unauthorized access: 17% / 47% / 29% / 6% / 2%
- Worm and virus damage: 15% / 48% / 32% / 4% / 1%
- Criminal SPAM: 15% / 44% / 33% / 7% / 2%
- Corporate/geo-political sabotage: 8% / 29% / 39% / 20% / 4%
- DDoS, phishing, fraud, theft of proprietary information/intellectual capital and advanced persistent threat are also charted; their per-category percentages are not reproduced here.
Takeaways:
- 3 out of 5 respondents feel extremely or very well prepared to safeguard against unauthorized access and worm and virus damage.
- 3 out of 5 respondents are only somewhat or not very prepared against APT and information theft.
- For DDoS, the results split evenly between those who are prepared and those who are not.
Protection Gaps Across the Board
Q: Where, if at all, do you think you have a weakness against DDoS attacks?
- A true protection gap exists for most organizations today
- Weaknesses are spread fairly evenly among all attack types, with roughly one in five respondents citing each
- Volumetric and HTTPS/SSL protection lead the gap, cited by roughly a quarter to a third of respondents
Key Findings: Shifts in Motives and Impact
- Slowness still the main impact of cyber-attacks
- DDoS remains the biggest threat of all cyber-attack categories
- Increase in ransom as a motive for cyber-attacks
- Tangible concerns expand
Increase in Ransom as a Motive for Cyber-attacks
Q: Which of the following motives are behind any cyber-attacks your organization experienced? (2014 vs. 2015)
- The motivation behind cyber-attacks is still largely unknown: about two-thirds of respondents (69% and 66%) could not attribute a motive
- One-third cited political/hacktivism in both years (34%)
- Ransom grew from 16% to 25%, an increase of more than 50%
- About a quarter referenced competition or angry users
DDoS Continues to Lead as Biggest Threat
Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?
DDoS attacks and unauthorized access are the attack types respondents expect to cause their organizations the most harm.
Slowness: Still the Main Impact
Q: What are the three biggest cyber-attacks you have suffered: affected system?
- Slowness: 46%
- No impact: 37%
- Outage: 16%
The main impact on systems was slowness. Outage was the result in only 16% of cases, and about a third saw no impact on systems at all. The numbers are consistent with past years.
DDoS Failure Points within the Network
- Security products are now the cause of 36% of downtime
- Internet pipe saturation remains the single greatest failure point
- Stateful firewalls jumped from 15% to 26%
- In the remaining third of cases, the attack took down the targeted web or SQL servers themselves
Coordinated Technology for Multi-Vector Attacks
Attack vectors: low & slow DoS attacks (e.g. Sockstress), large-volume network flood attacks, network scans, SYN floods, HTTP floods, SSL floods, brute force, application misuse.
Components under attack: Internet pipe, firewall, IPS/IDS, load balancer/ADC, the server under attack, SQL server.
Protection layers: cloud DDoS protection, DoS protection, behavioral analysis, IPS, WAF, SSL protection.
Each layer covers what the one before it cannot: cloud scrubbing stops pipe saturation upstream; on-premise DoS protection, behavioral analysis and IPS handle floods aimed at the firewall and servers; WAF and SSL protection cover application-layer and encrypted attacks.
Key Findings: Growing Need for Security Automation
- Today's existing solutions are frequently multi-vendor and manual
- Burst attacks on the rise
- Adoption of hybrid solutions continues to grow
- Beyond the network: similar frequency for network and application attacks
Existing Solutions: Multiple and Manual
Q: What degree of manual tuning or configuration does your current solution require?
- Low degree: 17%
- Medium degree: 58%
- High degree: 24%
Over 80% of solutions require a medium to high degree of manual tuning; fewer than 20% require a low degree and can be considered mostly automatic. Almost all respondents (91%) use multiple solutions; only 6% use a single solution against cyber-attacks.
Burst Attacks on the Rise
Q: What are the three biggest cyber-attacks you have suffered: duration? (2015)
- 1 hour or less: 57%
- 1 hour to 1 day: 36%
- 1 day to 1 week: 4%
- Over a week: 2%
- Constantly: 1%
More than half of the three biggest attacks experienced lasted one hour or less, a significant increase from 27% in 2014 and another indication of increasingly automated attacks.
Adoption of Hybrid Solutions Continues to Grow
- Currently using a hybrid solution: 21% in 2014, 41% in 2015 (double)
- Planning to adopt a hybrid solution: 17% in 2014, 44% in 2015
Significant increase in both current and planned adoption of hybrid solutions.
* Hybrid solutions combine an on-premise DDoS solution with any cloud-based solution (always-on cloud-based service, on-demand cloud-based service, CDN solution, or ISP-based/clean-link service).
Similar Frequency for Network and Application Attacks
Chart: share of respondents experiencing network attacks and application attacks daily/weekly/monthly, rarely/never, or don't know, by year. Around 40% of respondents report daily, weekly or monthly attacks of each kind; the frequency is similar for network and application attacks.
Case Studies
ProtonMail Ransom Attack Case
- Swiss-based encrypted email service provider
- In November 2015, experienced back-to-back attacks that began with a ransom demand
- Over the course of 7-10 days, experienced multiple attack vectors at high volume
- Radware deployed its emergency service a few days into the campaign and was able to mitigate the attacks
ProtonMail Attack Timeline (described in the report as the largest and most extensive cyber-attack in Switzerland)
- Nov 3, 2015: ProtonMail receives a ransom email from "The Armada Collective", followed by a DDoS attack that takes the service offline for 15 minutes.
- Nov 4, 2015: The next DDoS attack hits in the morning and by the afternoon exceeds 100 Gbps, directly attacking the datacenter and ISP infrastructure. Under pressure, ProtonMail decides to pay the ransom, but attacks continue from a second source.
- Nov 5-7, 2015: ProtonMail continues to suffer ongoing high-volume, complex attacks from a second, unknown source.
- Nov 8, 2015: Radware's Emergency Response Team implements its attack mitigation solution to protect ProtonMail; service is restored shortly after.
- Nov 9-15, 2015: Attacks continue, peaking at 30-50 Gbps, and are mitigated successfully by Radware.
ProtonMail Attack: A Look Inside Persistent Denial of Service Attacks
Chart: ProtonMail attack volume mitigated by Radware, by vector (scale 0-60).
- Network vectors: UDP flood, DNS reflection, TCP RST flood, NTP reflection, TCP SYN, SSDP, TCP out-of-state, SYN-ACK, ICMP
- Application vectors: HTTP/S SYN flood
Evolution of Attack Vectors by Day
- Nov 8: UDP flood, SYN flood, NTP reflection, DNS reflection, SYN-ACK flood, TCP urgent, TCP zero-seq, chargen reflection
- Nov 9: UDP flood, reflective DNS, TCP RST flood, ICMP flood, SYN flood (HTTPS), SYN flood (HTTP)
- Nov 10: UDP flood, SSDP and NTP reflection, ICMP flood, TCP SYN flood, TCP out-of-state flood
- Nov 11: UDP flood, SSL, TCP out-of-state, UDP fragmented, NTP reflection, DNS reflection, SYN-ACK flood, minor ICMP flood/RST flood, SYN flood
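The day-by-day vector list above, together with the layered diagram on the "Coordinated Technology for Multi-Vector Attacks" slide, describes what a mitigation layer has to tell apart on the wire. As an added example that is not Radware code or part of the original deck, the Python below labels constructed packet records with those vectors; the Pkt record, the reflector port table, the state tracking and the 20-SYN threshold are assumptions for illustration. It also handles two cases a practitioner has to get right: a DNS answer to our own query looks exactly like DNS reflection by source port alone, and a spoofed SYN flood never repeats a source address, so half-open handshakes must be counted per destination port rather than per source.

```python
"""Label packet records with the DDoS vectors seen in the ProtonMail campaign
(DNS/NTP/SSDP/chargen reflection, UDP flood, SYN flood, SYN-ACK and RST floods,
TCP out-of-state, ICMP flood). Added example, not Radware code: the Pkt record,
the state tables and the thresholds are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

# UDP services abused as reflectors. The *source* port of the inbound packet is
# the service port, because the reflector answers a request spoofed with the
# victim's address.
REFLECTORS = {53: "DNS reflection", 123: "NTP reflection",
              1900: "SSDP reflection", 19: "chargen reflection"}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp", "udp" or "icmp"
    flags: str = ""   # TCP flags as letters: "S", "SA", "A", "PA", "RA", ...
    size: int = 64


def classify(pkts, protected, syn_threshold=20):
    """Return a Counter {vector: packets} for traffic aimed at `protected`.
    Packets our own hosts send are remembered so that answers to lookups or
    connections we initiated are not mislabelled as reflection or out-of-state.
    SYNs are judged per destination port after the pass: a pile of half-open
    handshakes is a SYN flood even when every source address differs."""
    expected = set()     # 4-tuples we sent; a genuine reply reverses the tuple
    pending = set()      # inbound SYNs with no completing ACK yet
    established = set()  # inbound handshakes that completed
    labels = Counter()
    for p in pkts:
        if p.src in protected:
            if p.proto == "udp" or (p.proto == "tcp" and p.flags == "S"):
                expected.add((p.src, p.sport, p.dst, p.dport))
            continue
        if p.dst not in protected:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        is_reply = (p.dst, p.dport, p.src, p.sport) in expected
        if p.proto == "icmp":
            labels["ICMP flood"] += 1
        elif p.proto == "udp":
            if is_reply:
                labels["legit UDP"] += 1  # answer to our own DNS/NTP query
            else:
                labels[REFLECTORS.get(p.sport, "UDP flood")] += 1
        elif p.proto == "tcp":
            if p.flags == "S":
                pending.add(key)
            elif "R" in p.flags:
                if key in established or is_reply:
                    labels["legit TCP"] += 1
                else:
                    labels["RST flood (out-of-state)"] += 1
            elif p.flags == "SA":
                if is_reply:
                    labels["legit TCP"] += 1
                else:
                    labels["SYN-ACK flood (out-of-state)"] += 1
            elif "A" in p.flags:
                if key in pending:            # third packet of the handshake
                    pending.discard(key)
                    established.add(key)
                    labels["legit TCP"] += 2  # the SYN and this ACK
                elif key in established or is_reply:
                    labels["legit TCP"] += 1
                else:                         # ACK/PSH-ACK with no handshake
                    labels["TCP out-of-state"] += 1
            else:
                labels["TCP out-of-state"] += 1
    # Half-open handshakes per destination port decide flood vs. stragglers.
    half_open = Counter((dst, dport) for _, _, dst, dport in pending)
    for n in half_open.values():
        labels["SYN flood" if n >= syn_threshold else "TCP half-open"] += n
    return labels


V = "203.0.113.10"          # the protected host (constructed)
PROTECTED = {V}


def sample_traffic():
    """Constructed packets, not a real capture, covering each vector."""
    pkts = [Pkt("198.51.100.5", 40000, V, 443, "tcp", "S"),       # real client
            Pkt("198.51.100.5", 40000, V, 443, "tcp", "A"),
            Pkt("198.51.100.5", 40000, V, 443, "tcp", "PA", 512),
            Pkt(V, 5353, "192.0.2.53", 53, "udp"),                 # our DNS query
            Pkt("192.0.2.53", 53, V, 5353, "udp", size=200)]       # its answer
    pkts += [Pkt(f"192.0.2.{i}", 123, V, 33000 + i, "udp", size=468) for i in range(30)]
    pkts += [Pkt("198.51.100.200", 53, V, 9999, "udp", size=3000) for _ in range(10)]
    pkts += [Pkt(f"100.64.{i}.1", 1024 + i, V, 443, "tcp", "S") for i in range(40)]
    pkts += [Pkt(f"192.0.2.{100 + i}", 80, V, 44444, "tcp", "SA") for i in range(15)]
    pkts += [Pkt("198.51.100.77", 80, V, 50000 + i, "tcp", "RA") for i in range(12)]
    pkts += [Pkt(f"198.51.100.{10 + i}", 0, V, 0, "icmp") for i in range(5)]
    return pkts


if __name__ == "__main__":
    for vector, n in classify(sample_traffic(), PROTECTED).most_common():
        print(f"{n:4d}  {vector}")
```

The per-destination-port count at the end is the piece that matters for the Nov 8-11 SYN and SYN-ACK floods: per-source counters never trip when every packet carries a fresh spoofed address, while the victim's own half-open queue fills up regardless. The reverse-tuple check is what keeps a rule such as "drop UDP from source port 53" from also dropping the resolver answers the protected host needs.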
Leading US Airline Fingerprinting Case
- Major US airline
- Sophisticated attacks: bad bots programmed to scrape specific flights, routes and classes of tickets
- Bots acting as faux buyers continuously created, but never completed, reservations on those tickets, so the airline was unable to sell the seats to real customers
- Dynamic source-IP attacks meant per-IP security protection could not differentiate between good and bad bots
- The airline chose Radware's WAF with fingerprinting technology to block the dynamic-IP attack
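Why a per-IP limit cannot see this attack, and what keying the same limit on a client fingerprint changes, as an added Python example that is not Radware's WAF or its fingerprinting algorithm: the request record, the attributes hashed into the fingerprint (User-Agent, Accept-Language, request header order and a stand-in for a hash of the TLS ClientHello), the constructed sample traffic and the limit of 10 abandoned reservations in 5 minutes are all assumptions for illustration.

```python
"""Rate-limit abandoned reservations per client fingerprint rather than per
source IP, so a bot rotating addresses is still counted as one client.
Added example, not Radware's WAF: the request record, the fingerprint fields
and the thresholds are assumptions for illustration."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ip: str
    ua: str
    accept_lang: str
    header_order: tuple   # request headers in the order the client sent them
    tls: str              # stand-in for a hash of the TLS ClientHello (JA3-style)
    action: str           # "start" or "complete" a reservation
    ts: float             # seconds


def fingerprint(r):
    """Hash of attributes a scripted client rarely rotates along with its IP.
    The User-Agent alone is not enough: a bot can copy a browser's UA string,
    but header order and TLS parameters come from its own HTTP/TLS stack."""
    material = "|".join((r.ua, r.accept_lang, ",".join(r.header_order), r.tls))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def abandoned_by(reqs, key, window=300, limit=10):
    """Group requests from the last `window` seconds by key(request) and
    return {group: abandoned} for groups whose started-but-not-completed
    reservations exceed `limit`."""
    now = max(r.ts for r in reqs)
    starts, completes = defaultdict(int), defaultdict(int)
    for r in reqs:
        if now - r.ts > window:
            continue
        if r.action == "start":
            starts[key(r)] += 1
        elif r.action == "complete":
            completes[key(r)] += 1
    return {k: starts[k] - completes[k] for k in starts
            if starts[k] - completes[k] > limit}


# Constructed sample traffic. The bot copies a real Chrome UA string, but its
# header order and TLS stack differ from the browser's.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36")
LANG = "en-US,en;q=0.8"
BROWSER_ORDER = ("Host", "Connection", "Accept", "User-Agent",
                 "Accept-Encoding", "Accept-Language", "Cookie")
BOT_ORDER = ("User-Agent", "Host", "Accept", "Accept-Language")
BROWSER_TLS = "ja3:bb4c15a5b5e1e1c5"   # constructed stand-ins, not real hashes
BOT_TLS = "ja3:3f1a9e4c1d2b5a70"


def sample_requests():
    reqs = []
    # bot: 60 reservation starts, each from a fresh address, none completed
    for i in range(60):
        reqs.append(Request(f"100.64.0.{i}", CHROME_UA, LANG, BOT_ORDER,
                            BOT_TLS, "start", 100 + 3 * i))
    # three humans on the same browser build: each starts and completes a booking
    for j, ip in enumerate(("198.51.100.7", "198.51.100.8", "203.0.113.44")):
        reqs.append(Request(ip, CHROME_UA, LANG, BROWSER_ORDER, BROWSER_TLS,
                            "start", 50 + 40 * j))
        reqs.append(Request(ip, CHROME_UA, LANG, BROWSER_ORDER, BROWSER_TLS,
                            "complete", 70 + 40 * j))
    # one human abandons a booking: shared browser fingerprint stays under the limit
    reqs.append(Request("198.51.100.7", CHROME_UA, LANG, BROWSER_ORDER,
                        BROWSER_TLS, "start", 280))
    return reqs


def offenders():
    """Per-IP counting sees nothing; per-fingerprint counting flags the bot."""
    reqs = sample_requests()
    return abandoned_by(reqs, lambda r: r.ip), abandoned_by(reqs, fingerprint)


if __name__ == "__main__":
    by_ip, by_fp = offenders()
    print("per IP:", by_ip)            # {}
    print("per fingerprint:", by_fp)   # one fingerprint with 60 abandoned
```

Two design points carry over to a real deployment. The limit has to sit above what a population of genuinely identical browsers produces, because many human users share one fingerprint; the three humans in the sample share a fingerprint and still stay under it, since the counted event is the abusive behaviour (start without completion), not mere presence. And the fingerprint must include attributes the bot's stack sets for it (header order, TLS parameters), because a copied User-Agent string is the easiest thing for the bot operator to change.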
Looking Ahead
Summary: What Can You Do?
Preparedness is key. Multi-layered solutions are a must. Services are important.
- Bet on automation. It has become necessary to fight automated threats with automation technology.
- Cover the blind spot. Choose a solution with the widest coverage to protect from multi-vector attacks.
- Multi-layered solution. Look for a single-vendor, hybrid solution that protects networks and applications against a wide range of attacks and includes DoS protection, behavioral analysis, IPS, encrypted-attack protection and a web application firewall (WAF).
- Protect from encrypted attacks. SSL-based DDoS mitigation deployments must not degrade the performance of legitimate traffic.
- Services. A single point of contact is crucial when under attack; it helps divert internet traffic and deploy mitigation solutions quickly.