Combating Cyberattacks Through Network Agility and Automation
Sagi Brody, Chief Technology Officer (@webairsagi)

Leverage new technologies to:
1) Improve traditional DDoS monitoring & mitigation
2) Enhance disaster & ransomware recovery orchestration
3) Provide end-to-end service assurance for Hybrid IT

DDoS & Cyberattack - 2017 FUD
- 2017 global ransomware damage exceeds $5B, up from $325M in 2015
- 35% increase in # of attacks per target, Q1 to Q3 2017*
- 55% increase in attacks >10Gbps*
- 20+ reflection vectors with 600x1 amplification (CLDAP newest)
- EternalRed/SambaCry *nix server exploit
- Reaper sleeper botnet: 9 exploits in D-Link, Linksys (Mirai 2.0)
- DDoS being used as a distraction for other cyberattacks
*Corero DDoS Trends Report 2017

Ransom DDoS (RDoS)
Sample extortion note:

"We are Armada Collective. If you haven heard for us, use Google. Recently, we have launched some of the largest DDoS attacks in history. Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time)

We will start DDoS-ing your network if you don't pay 20 Bitcoins @ 14sJhJTVzQBAhZ4a8o2BCb1LufxoZ7UpAT by Monday.

Right now we will start small 30 minutes UDP attack on your site's IP: xx.xx.xx.xx. It will not be hard, just to prove that we are for real Armada Collective. Check your logs.

If you don't pay by Friday, massive attack will start, price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack. In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. Prevent it all with just 20 BTC @ 14sJhJTVzQBAhZ4a8o2BCb1LufxoZ7UpAT

Do not reply, we will not read. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US! And nobody will ever know you cooperated."

"I don't need to worry about DDoS attacks..."
Internet-exposed assets:
- Volumetric attacks. Solution: mitigation services via BGP/GRE, DNS, proxy
- Application attacks. Solution: proxy service, appliance/WAF, FW+service, app-specific
Private assets:
- Outbound attacks via endpoint malware infection
- Large amount of response traffic
- Affects all industries, commonly seen at schools

Traditional DDoS Mitigation
- Internet connectivity required to communicate with DDoS partner
- Announcement-based services will not withstand large volumetric attacks automatically
- Alternatives require physical connectivity in-region
Leveraging Interconnection Fabrics
Fabric-empowered Mitigation
Abstracting DDoS Services & Providers
Why Segment DDoS Monitoring?
- Monitoring vs mitigation are two distinct tasks
- Integrate once
- Use multiple mitigation partners
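To make the "integrate once, use multiple mitigation partners" split concrete, here is an added example (not code from the deck or from Webair) in which detection is one function and mitigation is a provider-neutral adapter. The flow samples, partner names, capacities and the 5 Gbps threshold are constructed assumptions; the CLDAP/NTP source ports are the reflection vectors the deck alludes to.

```python
"""Segmented DDoS handling: detection is one component, mitigation another,
behind a provider-neutral interface. Constructed example, not Webair code."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sFlow-style samples: (dst_ip, protocol, src_port, rate_mbps).
FLOWS = [
    ("203.0.113.10", "udp", 389, 9000),   # CLDAP-sourced reflection traffic
    ("203.0.113.10", "udp", 123, 3000),   # NTP-sourced reflection traffic
    ("203.0.113.10", "tcp", 443, 200),    # legitimate HTTPS
    ("203.0.113.20", "tcp", 443, 500),
]
# UDP source ports associated with well-known reflection/amplification vectors.
REFLECTION_PORTS = {389: "cldap", 123: "ntp", 53: "dns", 19: "chargen", 11211: "memcached"}

@dataclass
class Alert:
    target: str
    gbps: float
    vectors: list = field(default_factory=list)

def detect(flows, threshold_gbps=5.0):
    """Monitoring task: per-target rate plus the reflection vectors seen."""
    rate = defaultdict(int)
    vectors = defaultdict(set)
    for dst, proto, sport, mbps in flows:
        rate[dst] += mbps
        if proto == "udp" and sport in REFLECTION_PORTS:
            vectors[dst].add(REFLECTION_PORTS[sport])
    return [Alert(dst, round(mbps / 1000, 3), sorted(vectors[dst]))
            for dst, mbps in rate.items() if mbps / 1000 >= threshold_gbps]

class MitigationProvider:
    """Adapter for one partner; real code would call that partner's API."""
    def __init__(self, name, methods, capacity_gbps):
        self.name, self.methods, self.capacity_gbps = name, set(methods), capacity_gbps
    def divert(self, prefix):
        return f"{self.name}:{prefix}"   # stand-in for the announcement/diversion call

def mitigate(alert, providers, prefix):
    """Mitigation task: first announcement-capable partner with enough capacity."""
    for p in providers:
        if "bgp" in p.methods and p.capacity_gbps >= alert.gbps:
            return p.divert(prefix)
    return None   # nothing suitable: escalate rather than divert blindly
```

Because `mitigate` only knows the adapter interface, a new partner is one more `MitigationProvider` entry and the monitoring side is untouched.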
Ransomware: Proactive solutions are not enough
- Proactive: threat monitoring & mitigation
- Reactive: disaster recovery & IT resiliency orchestration
- Together: full cyber & business continuity protection

Disaster-Recovery-as-an-entry-point
- Recovery infrastructure is often ignored until needed
- DR site security not on par with production
- MSSP monitoring at recovery site?
- Asset, vulnerability, penetration testing of DR site?
- Forcing a DR failover event can expose new attack vectors

Full Security Accountability
- MSSP full accountability
- Consistent security & technology
Reference architecture:
- Replica of production @DR
- SIEM @DR
- DRaaS API
Free usage of DR for enhanced security:
- Replica for DLP, asset & vulnerability scanning, penetration testing
- Reduce production vulnerability exposure time
- Reduce time to remediation

Proper Ransomware Recovery
- Application-specific failover & failback
- Is it easier than paying off the ransom?
- DRaaS and RRaaS are not about replicating data, they are about the network.

DR Network Automation & Exposure
Traditional methods:
- MPLS, VPN, cross connects
- Internal & external route injection (iBGP/eBGP, static)
- DNS
- Double-NAT
- L2 stretch... more dirtiness
Security implications:
- All security-related change control must be matched at DR (ACLs, ...)
- DR site must be considered a standalone branch office
- DR site requires feature parity to support security platforms
- A solid/proper security & DR scenario may require major changes to production (re-IP)

DR Networking & Security: A better way
Using Software-Defined Perimeter (SDP) tools for DRaaS automation, e.g. AppGate, ScaleFT
- Enforces zero-trust security models across the organization
- Abstracts security control from network architecture
- Policy-based, global security
- Provides a software-defined controller for automation

DR Networking & Security: A better way
SDP for disaster recovery:
- Policy-based failover & failback between production/DR
- No traditional network changes required to fail over/back
- Network team not required for proper DR configuration
- Security guaranteed to be the same at DR site
Requirements:
- Organization must utilize the SDP software
- DRaaS provider/infrastructure must support it
1+1 = 3
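The two slides above make one argument: change control must be matched at DR, and an SDP controller can gate failover on that parity instead of on network changes. The following is an added example (not AppGate, ScaleFT or Webair code) of such a gate: compare the production and DR rule sets for an application, refuse to move the application until they match, and reconcile DR from production when they do not. Site names, application names and rules are constructed assumptions.

```python
"""Policy parity gate for SDP-driven DR failover. Constructed example, not
AppGate/ScaleFT or Webair code; site names, apps and rules are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Rule:
    app: str       # application the rule protects
    src: str       # source user group or CIDR
    port: int
    action: str    # "allow" or "deny"

# Constructed per-site policy sets, as an SDP controller would hold them.
PRODUCTION = {
    Rule("erp", "finance-users", 443, "allow"),
    Rule("erp", "any", 22, "deny"),
    Rule("crm", "sales-users", 443, "allow"),
}
DR_SITE = {
    Rule("erp", "finance-users", 443, "allow"),
    Rule("erp", "any", 22, "deny"),
    Rule("crm", "any", 443, "allow"),   # drift: broader than production
}

def policy_drift(prod, dr, app):
    """Rules for `app` missing at DR and rules present only at DR."""
    p = {r for r in prod if r.app == app}
    d = {r for r in dr if r.app == app}
    return sorted(p - d), sorted(d - p)

def failover(app, prod, dr):
    """Site `app` should be served from, plus any drift that blocked the move."""
    missing, extra = policy_drift(prod, dr, app)
    if missing or extra:
        return "production", {"missing_at_dr": missing, "extra_at_dr": extra}
    return "dr", {}

def reconcile(prod, dr, app):
    """Match change control: replace DR's rules for `app` with production's."""
    return {r for r in dr if r.app != app} | {r for r in prod if r.app == app}
```

The same comparison run on a schedule, rather than only at failover time, is how the "DR site security not on par with production" gap from the earlier slide gets caught before an incident.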
DR Networking & Security: Fabric
Fabric for disaster recovery:
- Automated capacity increases to recovery site via API
- Follows your infrastructure
- Easy traffic segmentation: replication traffic via multiple VXCs
- Dangerous L2 stretch only enabled at recovery time (L2 overlap)
- Part of IT resilience orchestration
Future Production Environments: Hybrid IT
Hybrid IT: New Disruption Opportunities
- Non-traditional prod/DR
- Production in SaaS
- Internet connectivity more important
- Hyperscale on-ramp
- IoT phone-home to SaaS
- Hosted voice & SIP
- 3rd parties being attacked
- Cohesive security policies

Direct Access Cloud
- Cloud infrastructure privately connected to customer environments
- Cloud infrastructure which is local, low-latency, data-sovereign
- Predictable performance
- Utilize organization's existing security policies and devices
- Air-gapped cloud infrastructure
- Single point of accountability
- Single network & security integration
- Workloads' best interest at heart
Who will own management, monitoring, securing and scaling of Hybrid IT in the future?

THANK YOU
Sagi Brody, Chief Technology Officer (@webairsagi)