2011 Global Application & Network Security Report Emergency Response Team (ERT)
Oct 19, 2014
AGENDA
The ERT Report
Attack Motivation & Targets
The Multi Vector Attack Campaign
ERT Visibility Into Attacks
Radware’s ERT helps customers when they are under attack
• “Free” access to network architecture & configurations
• Unique visibility into how an attack actually looks
• Visibility into traffic distribution
• Resource status of the network and the application components
• Measurement of the impact of attacks and of the network’s points of weakness
• Lab research (botnet lab)
ERT Sees Attacks in Real-time on a Daily Basis
The ERT Annual Report
The Report is Based on Two Sources
• Survey sent to a wide variety of internet organizations in order to get responses that were vendor neutral and as objective as possible
• Analysis of about 40 selected cases that were handled by Radware’s ERT
To download the full report, please visit: http://www.radware.com/2011globalsecurityreport
Attackers Change in Motivation & Techniques
[Timeline chart: attack risk over time, 2001 to 2011, in three phases]
Vandalism and Publicity (“Worms”): CodeRed 2001; Nimda (installed Trojan) 2001; Slammer (attacking SQL sites) 2003; Blaster 2003
Financially Motivated (botnets): Agobot (DoS botnet); Storm (botnet) 2007; Srizbi (botnet) 2007; Rustock (botnet) 2007; Kracken (botnet) 2009; IMDDOS (botnet) 2010
Blending Motives / “Hacktivism” (DDoS): Republican website DoS 2004; Estonia’s web sites DoS 2007; Georgia web sites DoS 2008; Google / Twitter attacks 2009; July 2009 cyber attacks on US & Korea; Operation Payback Dec 2010; Wordpress.com DDoS Mar 2011; Codero DDoS Mar 2011; Netbot DDoS Mar 2011; Operation Payback II Mar 2011; LulzSec (Sony, CIA, FBI, Peru, Chile)
Attacker’s Motivation (Survey)
• Mainly for political reasons
• Uses the power of masses of layman users who were not even fully aware of what the tools they downloaded were doing
• In 2011: trend toward more sophisticated attack campaigns that are also generated by the “inner circle” …
Attacker’s Motivation (Survey)
Attack Sophistication in 2011
• The attacks became more complex, with attackers using as many as five different attack vectors in a single “attack campaign”
• Blending both network and application attacks in a single attack campaign
• Vote on a target, select the most appropriate attack tools, advertise the campaign, invite anyone capable…
• Attackers schedule the attack for the time period that is most painful for the victim
• Perform a short “proof-firing” prior to the attack
• Tend not to rely only on volunteer participants, but on the inner circle
Multi Vector Attack Campaign
Layers targeted: Network, Server, Application, Business
• Volumetric network level
• Application level, encrypted
• Low & Slow
• Directed application DoS
• Intrusions
• Web attacks (injections, XSS, …)
Network Vulnerability Points (Survey Results)
Stateful Devices
The Server Isn’t Necessarily the 1st to Fail
Attackers also seem to understand that availability-based threats are more likely to impact the firewall than the server.
When You Don’t Protect the Firewall
• A leading online travel agency was hit by a massive HTTP page flood
• More than 4,000 attackers pounded this site for three days with the aim of overloading the site…
Actions:
1st – User-Agent filter on the web servers … partial DoS
2nd – Attack mitigation device in front of the servers … partial DoS
3rd – Attack mitigation device in front of the firewall – 100% availability
Firewall Resources Status
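The failure order this case describes (the stateful firewall’s connection table fills up before the web server’s worker pool does, so a mitigation device only restores full availability when it sits in front of the firewall) can be checked with a small capacity model. The Python simulation below is an added example and is not code or data from the Radware report; every rate, state-table size, idle timeout and worker-pool size in it is an assumed value, and the placements "behind_firewall" and "in_front_of_firewall" stand for the 2nd and 3rd actions above.

```python
"""Added example: a capacity model showing why a stateful firewall can fail before the
web server behind it, and how mitigation placement changes the outcome. Not from the
Radware report; every rate, capacity and timeout below is an assumed value."""
from collections import deque


def simulate(placement, seconds=120, attack_rate=3000, legit_rate=200, drop_rate=0.99,
             fw_capacity=100_000, fw_hold_s=60, server_workers=2000, server_hold_s=0.5):
    """Second-by-second model of an HTTP page flood.

    placement: "none", "behind_firewall" (mitigation in front of the servers) or
    "in_front_of_firewall". The mitigation device drops drop_rate of the attack
    connections that reach it. Each connection admitted by the firewall holds a
    state-table entry for fw_hold_s seconds; each request the server accepts holds
    a worker for server_hold_s seconds.
    """
    assert placement in ("none", "behind_firewall", "in_front_of_firewall")
    window = deque()               # connections admitted per second, oldest first
    fw_entries = 0.0               # live state-table entries
    fw_saturated_at = server_saturated_at = None
    legit_sent = legit_ok = 0.0
    server_cap_per_s = server_workers / server_hold_s   # Little's law: workers / hold time

    for t in range(seconds):
        if len(window) == fw_hold_s:                  # entries time out after fw_hold_s
            fw_entries -= window.popleft()
        attack = attack_rate
        if placement == "in_front_of_firewall":
            attack *= 1 - drop_rate                   # scrubbed before any state is created
        fw_in = attack + legit_rate
        free = max(0.0, fw_capacity - fw_entries)
        admitted = min(fw_in, free)
        if admitted < fw_in and fw_saturated_at is None:
            fw_saturated_at = t                       # new flows, legit ones included, are dropped
        share = admitted / fw_in if fw_in else 1.0
        legit_adm, attack_adm = legit_rate * share, attack * share
        window.append(admitted)
        fw_entries += admitted
        if placement == "behind_firewall":
            attack_adm *= 1 - drop_rate               # too late: the firewall already holds state
        server_in = legit_adm + attack_adm
        served = min(server_in, server_cap_per_s)
        if served < server_in and server_saturated_at is None:
            server_saturated_at = t
        legit_sent += legit_rate
        legit_ok += legit_adm * (served / server_in if server_in else 1.0)

    return {"fw_saturated_at": fw_saturated_at,
            "server_saturated_at": server_saturated_at,
            "legit_success": legit_ok / legit_sent}


if __name__ == "__main__":
    for p in ("none", "behind_firewall", "in_front_of_firewall"):
        r = simulate(p)
        print(f"{p:22s} firewall full at t={r['fw_saturated_at']}  "
              f"server full at t={r['server_saturated_at']}  "
              f"legit success={r['legit_success']:.0%}")
```

With the assumed numbers the firewall, which keeps an entry for every flow for the whole idle timeout, fills its table about half a minute into the flood while the server, which holds a worker only for the half second a request takes, never saturates; moving the mitigation device in front of the servers changes nothing at the firewall, and only the in-front-of-firewall placement keeps legitimate users at 100%.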
Low and Slow Tools & Trends
• “Low & Slow” attacks are gaining attention!
• Tools such as Slowloris and Sockstress have been able to exploit design weaknesses at a very low rate
• R.U.D.Y. – a new tool that can attack any website
Low and Slow Tools & Trends
THC-SSL-DoS
• This tool allows a single computer to knock web servers offline by targeting a well-known weakness in secure sockets layer implementations
• An “asymmetric attack”: a single client request can cause the server to invest up to 15 times more resources
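Both slides describe connection patterns a defender can look for in reverse-proxy or load-balancer connection telemetry: many long-open connections from one client that never finish a request and trickle bytes in (the low and slow case), and connections that perform far more TLS handshakes than a normal session would (the asymmetric SSL case, where each handshake costs the server much more than the client). The Python below is an added example, not a tool or data from the report; the record fields, the thresholds and the sample snapshot are constructed assumptions.

```python
"""Added example: flagging low-and-slow HTTP and TLS-handshake abuse in connection
telemetry. Not from the Radware report; field names, thresholds and the sample
records below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str           # client IP
    duration_s: float     # seconds the connection has been open
    bytes_in: int         # request bytes received so far
    request_done: bool    # a complete HTTP request has been parsed
    tls_handshakes: int   # full handshakes plus renegotiations on this connection


# Thresholds (assumed; tune to the server's normal traffic).
SLOW_MIN_DURATION_S = 30.0    # a request header should not take this long to arrive
SLOW_MAX_BYTES_PER_S = 50.0   # below this rate the client is dribbling bytes
SLOW_CONNS_PER_CLIENT = 10    # many parallel slow connections from one client
MAX_TLS_HANDSHAKES = 5        # a normal session needs one, maybe a few


def is_slow_conn(c: Conn) -> bool:
    """Open a long time, no complete request yet, and bytes arriving very slowly."""
    if c.request_done or c.duration_s < SLOW_MIN_DURATION_S:
        return False
    return c.bytes_in / c.duration_s < SLOW_MAX_BYTES_PER_S


def is_tls_abuse(c: Conn) -> bool:
    """Far more handshakes than a session needs: the asymmetric CPU cost lands on the server."""
    return c.tls_handshakes > MAX_TLS_HANDSHAKES


def analyse(conns):
    """Return (clients holding many slow connections, clients abusing TLS handshakes,
    share of all connections currently held by slow, incomplete requests)."""
    slow_by_client = defaultdict(int)
    tls_clients = set()
    slow_total = 0
    for c in conns:
        if is_slow_conn(c):
            slow_by_client[c.client] += 1
            slow_total += 1
        if is_tls_abuse(c):
            tls_clients.add(c.client)
    slow_clients = {ip for ip, n in slow_by_client.items() if n >= SLOW_CONNS_PER_CLIENT}
    pool_share = slow_total / len(conns) if conns else 0.0
    return slow_clients, tls_clients, pool_share


def sample_conns():
    """Constructed telemetry snapshot (not real traffic)."""
    conns = [Conn(f"192.0.2.{i}", 2.0, 800, True, 1) for i in range(1, 6)]      # normal browsers
    conns.append(Conn("192.0.2.50", 45.0, 3000, False, 1))                       # slow mobile link, ~66 B/s: not flagged
    conns += [Conn("203.0.113.7", 120.0, 600, False, 1) for _ in range(40)]      # 5 B/s, headers never finish
    conns += [Conn("198.51.100.9", 10.0, 5000, True, 200) for _ in range(2)]     # handshake loop
    return conns


if __name__ == "__main__":
    slow, tls, share = analyse(sample_conns())
    print("slow clients:", slow)
    print("tls handshake abuse:", tls)
    print(f"connection pool held by incomplete slow requests: {share:.0%}")
```

The per-client count matters as much as the per-connection rate: one slow connection is a bad link, dozens from the same address that all stall before the request completes is the pattern that exhausts a worker pool. The pool-share figure is the number to alert on, since it is what the server actually feels.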
Attack Impact – The “Size Doesn’t Matter”
[Chart: impact level (Low to High) by attack category versus attack “size”; categories shown: HTTP “floods” (application-based), UDP (brute force), TCP connection (connection-based); examples plotted: HTTP flood, DNS flood, TCP connection]
Real Case Attack Campaign
Multi Vector Attack Campaign – Advanced Tools
• In the post-LOIC period, Anonymous no longer depends on mass user participation for its attacks, in order to protect its supporters from the legal actions that several countries are already enforcing
• To compensate for the LOIC, Anonymous is focusing on its inner-circle hacking activities, which include the development of tools such as #refref that rely on exploiting software vulnerabilities rather than brute force attacks… acting as an advanced persistent threat (APT)…
Recommendations
• Be Prepared for DoS / DDoS Attacks
• Be Wary of Complimentary DoS/DDoS Protection
• Collect information about attacks such as type, size and frequency; use the right measure
• Position Your DoS/DDoS Mitigation Solution Properly
• Ensure Your DoS/DDoS Mitigation Solution Encompasses Many Technologies
• Have a Consolidated or “Context Aware” View into Enterprise Security
• Invest in Education and Develop Good Internal Security Policies
Thank You
www.radware.com