© Radware, Inc. 2014
The Art of Cyber War
Strategies in a rapidly evolving theatre
July 2014
Aug 19, 2015
The Art of War is an ancient Chinese military treatise attributed to Sun Tzu,
a high-ranking military general, strategist and tactician. It is commonly
known to be the definitive work on military strategy and tactics, and for the
last two thousand years has remained the most important military
dissertation in Asia. It has had an influence on Eastern and Western military
thinking, business tactics, legal strategy and beyond. Leaders as diverse as
Mao Zedong and General Douglas MacArthur have drawn inspiration from
the work.
Many of its conclusions remain valid today in the cyber warfare era.
Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
Attack Vectors: Increasing Complexity
Individual Servers (1998 - 2002): Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity

Botnets (1998 - Present): Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra

Voluntary Botnets (2010 - Present): Many users, at times as part of a Hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC

New Server-based Botnets (2012): Powerful, well orchestrated attacks, using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.
不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill
Current prices on the Russian underground market:
Hacking corporate mailbox: $500
Winlocker ransomware: $10-$20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70 / day, $1,200 / month
Botnet: $200 for 2,000 bots
DDoS Botnet: $700
ZeuS source code: $200-$250
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email scam (using customer database): $50-$500 per one million emails
Attack Length: Increasing Duration
[Chart: attack sophistication plotted by year, 2010 to 2013]
2010: Attack target: Visa, MasterCard; Duration: 3 Days; 4 Attack Vectors
2011: Attack target: HKEX; Duration: 3 Days; 5 Attack Vectors
2012: Attack target: Vatican; Duration: 20 Days; More than 7 Attack vectors
2013: Attack target: US Banks; Duration: 7 Months; Multiple attack vectors
故善战者,立于不败之地 The good fighters of old first put themselves beyond the possibility of defeat
知彼知己,百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles
Notable DDoS Attacks in the Last 12 Months
行軍: Colombia
Battlefield: Colombian Government On-line Services
Cause: Colombian Independence
Battle: A large scale cyber attack held on July 20th - Colombian Independence Day - against 30 Colombian government websites.
Result: Most web sites were either defaced or shut down completely for the entire day of the attack.
Attackers: Colombian Hackers
• A known hacker collective group suspected of being responsible for several other cyber attacks in Colombia during 2012-13. The group was supported by sympathizers and used Twitter to communicate.
Motivation: Ideological
• Anti-government stance claiming to stand for “freedom, justice and peace.” Mantra: “We are Colombian Hackers, to serve the people.”
Web application attacks:
• Directory traversal – web application attack to get access to
password files that can be later cracked offline.
• Brute force attacks on the pcAnywhere service – guessing the passwords of weakly protected accounts gives attackers remote access to victim servers.
• SQL Injection attacks – web application attacks to gain remote
server access.
• Web application vulnerability scanning
• Application attacks: we have mainly seen HTTP Flood attacks
Network DDoS attacks:
• SYN floods, UDP floods, ICMP floods
• Anomalous traffic (invalid TCP flags, source port zero, invalid
L3/L4 header)
• TCP port scans
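The anomalous-traffic indicators listed above (invalid TCP flags, source port zero, invalid L3/L4 header) can be checked directly on raw packet headers. The following Python is an added example, not part of the Radware deck; the packets it inspects are constructed inline, and the set of flag combinations it treats as invalid is this example's own choice.

```python
"""Check raw IPv4/TCP headers for the anomalous-traffic indicators listed above."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def check_packet(pkt: bytes) -> list:
    """Return anomaly labels found in one IPv4 packet (empty list = clean)."""
    issues = []
    if len(pkt) < 20:
        return ["truncated L3 header"]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        issues.append("bad IP version")
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        issues.append("invalid L3 header length")
        return issues                      # L4 offset is unreliable; stop here
    if pkt[9] != 6:                        # protocol field: only TCP is checked below
        return issues
    l4 = pkt[ihl:]
    if len(l4) < 20:
        return issues + ["truncated L4 header"]
    sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
    data_off, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    if sport == 0:
        issues.append("source port zero")
    if data_off < 20 or data_off > len(l4):
        issues.append("invalid L4 header length")
    if flags == 0:
        issues.append("null flags")
    elif flags & SYN and flags & (FIN | RST):
        issues.append("SYN combined with FIN/RST")
    elif flags & FIN and not flags & ACK:
        issues.append("FIN without ACK")
    return issues

def build_packet(sport, dport, flags, ihl_words=5, data_off_words=5, total_len=None):
    """Constructed sample packet: minimal IPv4 header plus a TCP header, no payload."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (data_off_words << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp
```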
行軍: Operation Ababil
Battlefield: U.S. Commercial Banks
Cause: Elimination of the Film “Innocence of Muslims”
Battle: Phase 4 of major multi-phase campaign – Operation Ababil –
that commenced during the week of July 22nd. Primary targets
included: Bank of America, Chase Bank, PNC, Union Bank,
BB&T, US Bank, Fifth Third Bank, Citibank and others.
Result: Major US financial institutions impacted by intensive and
protracted Distributed Denial of Service attacks.
Attackers: Cyber Fighters of Izz ad-Din al-Qassam
• Purported Iranian state sponsored hacktivist collective said to be acting to defend Islam
Motivation: Religious Fundamentalism
• “Well, misters! The break's over and it's now time to pay off.
After a chance given to banks to rest awhile, now the Cyber Fighters of
Izz ad-Din al-Qassam will once again take hold of their destiny.
As we have said earlier, the Operation Ababil is performed because of
widespread and organized offends to Islamic spirituals and holy issues,
especially the great prophet of Islam(PBUH) and if the offended film is
eliminated from the Internet, the related attacks also will be stopped.
While the films exist, no one should expect this operation be fully
stopped.
The new phase will be a bit different and you'll feel this in the coming
days.
Mrt. Izz ad-Din al-Qassam Cyber Fighters”
HTTP flood attacks:
• Cause web server resource starvation due to overwhelming number of page downloads.
Encrypted attacks:
• SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x
more CPU in order to process the encrypted attack traffic.
Massive TCP and UDP flood attacks:
• Targeting both Web servers and DNS servers. Radware Emergency Response
Team tracked and mitigated attacks of up to 25Gbps against one of its
customers. Source appears to be Brobot botnet.
DNS amplification attacks:
• Attacker sends queries to a DNS server with a spoofed address that
identifies the target under attack. Large replies from the DNS servers,
usually so big that they need to be split over several packets, flood
the target.
[Chart: Event Correlation: Iranian Linked Cyber Attacks, 2010 through mid-2013; groups tracked: Parastoo, Iranian Cyber Army, al Qassam Cyber Fighters; event counts shown: 22 Events, 1 Event. Source: Analysis Intelligence]
Challenge & Response Escalations:
• Automatic Challenge mechanisms are employed by the Radware Attack
Mitigation System to discriminate between legitimate traffic and
attack tools
• Phase 4 attackers implemented advanced mechanisms that emulated
normal web browser users in order to circumvent mitigation tools
• Necessitated the implementation of increasingly sophisticated
challenge mechanisms that could not be supported by attack tools
Script     | 302 Redirect Challenge | JS Challenge | Special Challenge
Kamikaze   | Pass                   | Not pass     | Not pass
Kamina     | Pass                   | Not pass     | Not pass
Terminator | Pass                   | Pass         | Not pass
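One way to implement the first rung of the escalation, the 302 redirect challenge, is to redirect the first request to a URL carrying a short-lived token bound to the client address, and admit only clients that come back with it intact. This is an added example, not Radware's implementation; the parameter names (chl, ts), TOKEN_TTL and the single-node signing key are this example's own assumptions. A script that never follows the redirect is stopped here; one that does (as all three tools in the table did) has to be met with the next challenge.

```python
"""Model of a 302-redirect challenge with a signed, client-bound, short-lived token.
Hypothetical example; parameter names (chl, ts) and TOKEN_TTL are this example's own."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL = 30                       # seconds a challenge token stays valid
_SECRET = secrets.token_bytes(32)    # per-process signing key (assumption: single node)

def _sign(client_ip: str, path: str, issued: int) -> str:
    """HMAC over client address, requested path and issue time; binds the token to all three."""
    msg = f"{client_ip}|{path}|{issued}".encode()
    return hmac.new(_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def issue_challenge(client_ip: str, path: str, now: int) -> str:
    """Location header value for the 302 response: same path, plus token and timestamp."""
    return f"{path}?{urlencode({'chl': _sign(client_ip, path, now), 'ts': now})}"

def verify_challenge(client_ip: str, url: str, now: int) -> bool:
    """True only for a fresh token minted for this client and this path."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        token, issued = qs["chl"][0], int(qs["ts"][0])
    except (KeyError, IndexError, ValueError):
        return False
    if not 0 <= now - issued <= TOKEN_TTL:       # expired or clock-skewed token
        return False
    return hmac.compare_digest(token, _sign(client_ip, parts.path, issued))

def handle_request(client_ip: str, url: str, now: int):
    """Front door: 302 with a challenge, or 200 from the origin once it is answered."""
    if verify_challenge(client_ip, url, now):
        return 200, "origin"
    return 302, issue_challenge(client_ip, urlsplit(url).path, now)

def simulate_client(client_ip: str, url: str, follows_redirects: bool, now: int) -> int:
    """Final status a client sees; a tool that ignores Location never reaches the origin."""
    status, location = handle_request(client_ip, url, now)
    if status == 302 and follows_redirects:
        status, _ = handle_request(client_ip, location, now + 1)
    return status
```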
行軍: Spamhaus
Battlefield: Spamhaus
Cause: Corporate Ideological Differences
Battle: A nine-day assault that resulted in the largest recorded volumetric Distributed Denial of Service attack, peaking at over 300Gbps.
Result: Spamhaus actually went down, but claimed to have withstood the attack, and then only with assistance from companies such as CloudFlare and Google. Given the scale of the attack and the techniques used, concerns were expressed that the very fabric of the internet could be compromised.
Attackers: CyberBunker?
• Provider of anonymous secure hosting services
Motivation: Retaliation against Spamhaus
• CyberBunker, a provider of secure and anonymous hosting services,
was blacklisted by Spamhaus, a non-profit anti-spamming
organization that advises ISPs. It was claimed that CyberBunker
was a 'rogue' host and a haven for cybercrime and spam
organizations. Spamhaus alleged that Cyberbunker, with the aid of
"criminal gangs" from Eastern Europe and Russia, launched a DDoS
attack against Spamhaus for “abusing its influence.”
Attack Method:
• The attack started as a 10-80Gbps volumetric attack on layer 3 that was initially contained successfully; it peaked at 75Gbps on March 20.
• During March 24-25 the attack grew to 100Gbps, peaking at 309Gbps.
• No botnet was in use. Attackers were using servers on networks that allow IP spoofing in conjunction with open DNS resolvers.
• Misconfigured DNS resolvers – with no response rate limiting – allow the attack to be amplified by a factor of 50!
• Nearly 25% of the networks are configured to allow spoofing instead of employing BCP38…
• There are over 28 Million open resolvers in operation…
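To make the amplification figures concrete (the DNS amplification description under Operation Ababil and the factor-of-50 point here), the following added Python example, not from the deck, models a resolver reflecting spoofed queries with and without a per-source response rate limit. The limiter is a simplified token-count model in the spirit of BIND RRL; the sizes, addresses and rate are constructed.

```python
"""Why an open resolver without response rate limiting amplifies a spoofed flood,
and how a per-source rate limit bounds it. Added illustration; figures are constructed."""
from collections import defaultdict
from ipaddress import ip_network

def amplification_factor(query_len: int, response_len: int) -> float:
    """Bandwidth amplification: bytes reflected at the victim per byte the attacker sends."""
    return response_len / query_len

class ResponseRateLimiter:
    """Simplified token-count limiter in the spirit of BIND RRL: identical answers toward
    one /24 are capped at `per_second`; excess answers are dropped (no SLIP/truncation)."""
    def __init__(self, per_second: int):
        self.per_second = per_second
        self.sent = defaultdict(int)          # (prefix, qname, second) -> answers sent

    def allow(self, src_ip: str, qname: str, now: int) -> bool:
        prefix = str(ip_network(f"{src_ip}/24", strict=False))
        key = (prefix, qname, now)
        if self.sent[key] >= self.per_second:
            return False
        self.sent[key] += 1
        return True

def reflect(queries, rrl=None):
    """Simulate a resolver answering spoofed queries. Each query is
    (spoofed source ip, qname, query bytes, response bytes, second).
    Returns (bytes received by resolver, bytes sent toward the spoofed source)."""
    bytes_in = bytes_out = 0
    for src, qname, qlen, rlen, second in queries:
        bytes_in += qlen
        if rrl is None or rrl.allow(src, qname, second):
            bytes_out += rlen
    return bytes_in, bytes_out

def effective_factor(queries, rrl=None) -> float:
    """Observed amplification after the resolver's policy is applied."""
    bytes_in, bytes_out = reflect(queries, rrl)
    return bytes_out / bytes_in

# Constructed flood: 500 queries in one second, all spoofed to the victim 198.51.100.7,
# each a 64-byte query whose answer is 3200 bytes (factor 50, the figure cited above).
FLOOD = [("198.51.100.7", "example.", 64, 3200, 0) for _ in range(500)]
```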
行軍: New York Times
Battlefield: New York Times
Cause: Syrian Conflict
Battle: NYTimes Domain Name Server attack.
Result: New York Times website taken offline for almost 2 hours as the domain was redirected to Syrian Electronic Army servers.
Attackers: Syrian Electronic Army
• Hackers aligned with Syrian President Bashar Assad. Mainly targets
political opposition groups and western websites, including news
organizations and human rights groups.
Attacks: Spear Phishing & Directed DNS Attacks
• Phishing attacks on Melbourne IT, the New York Times DNS registrar.
• SEA hacked the NYT account and redirected the domain to its servers.
[Diagram: attack impact along the traffic path (Internet Pipe, Firewall, IPS/IDS, Load Balancer (ADC), Server, SQL Server), with percentage breakdowns per component]
不可胜在己 Being unconquerable lies with yourself
DoS Defense Component               | Vulnerability Exploitation | Network Flood  | Infrastructure Exhaustion | Target Exhaustion
Network Devices                     | No                         | No             | Some                      | Some
Over-Provisioning                   | No                         | Yes, bandwidth | Yes, infrastructure       | Yes, server & app.
Firewall & Network Equipment        | No                         | No             | Some                      | Some
NIPS or WAF Security Appliances     | Yes                        | No             | No, part of problem       | No
Anti-DoS Box (Stand-Alone)          | No                         | No             | Yes                       | Yes
ISP-Side Tools                      | No                         | Yes            | Rarely                    | Rarely
Anti-DoS Appliances (ISP Connected) | No                         | Yes            | Yes                       | Yes
Anti-DoS Specialty Provider         | No                         | Yes            | Yes                       | Yes
Content Delivery Network            | No                         | Yes            | Yes                       | Limited
Proportion of businesses relying on CDNs for DDoS protection: 70%
Bypassing CDN Protection
[Diagram: Botnet → CDN → Enterprise; the bots send GET www.enterprise.com/?[Random], and the randomized query string defeats caching so each request is passed through to the origin]
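Detecting the cache-busting pattern shown above from access logs: the following added Python example, not part of the deck, flags clients whose requests carry almost exclusively distinct query strings. The log lines, addresses and thresholds are constructed for the example.

```python
"""Spot the GET /?[Random] cache-busting pattern in (constructed) access-log lines."""
import random
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format; only the fields this check needs are captured
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line: str):
    """Return a dict with ip, method, path, query (None if the line does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec

def cache_busting_clients(lines, min_requests=20, unique_ratio=0.9):
    """Return {ip: (requests, distinct non-empty query strings)} for clients whose GETs
    carry almost exclusively unique query strings: each such request misses the CDN cache
    and is forwarded to the origin, which is what the bypass relies on."""
    queries = defaultdict(set)        # ip -> set of (path, query) with a non-empty query
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        totals[rec["ip"]] += 1
        if rec["query"]:
            queries[rec["ip"]].add((rec["path"], rec["query"]))
    flagged = {}
    for ip, total in totals.items():
        distinct = len(queries[ip])
        if total >= min_requests and distinct / total >= unique_ratio:
            flagged[ip] = (total, distinct)
    return flagged

def make_sample_log():
    """Constructed log: one bot hammering / with a random query string, one normal user."""
    rng = random.Random(7)
    fmt = '{ip} - - [10/Jul/2014:12:00:{s:02d} +0000] "GET {url} HTTP/1.1" 200 5120'
    bot = [fmt.format(ip="203.0.113.66", s=i % 60, url=f"/?{i:04x}{rng.getrandbits(16):04x}")
           for i in range(50)]
    pages = ["/", "/news", "/css/site.css", "/search?q=ddos"]
    user = [fmt.format(ip="198.51.100.12", s=i % 60, url=pages[i % 4]) for i in range(30)]
    return bot + user
```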
Cloud protection limitations
[Diagram: botnet traffic to the enterprise through cloud scrubbing; attack types shown: volumetric attacks, low & slow attacks, SSL encrypted attacks]
兵者 詭道也 All warfare is based on deception
Threats: Universal DDoS Mitigation Bypass
Source: BlackHat USA 2013
Presenters: Nexusguard Ltd, NT-ISAC Bloodspear Labs
Goal: Defeat all known mechanisms for automatic mitigation of DDoS attacks
Authors: Tony T.N. Miu, Albert K.T. Hui, W.L. Lee, Daniel X.P. Luo, Alan K.L. Chung, Judy W.S. Wong
Excerpt:
“We have extensively surveyed DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work, and …
… or CAPTCHA-based authentications being the most effective by far. However, in our research weaknesses were found in a majority of these sort of techniques.
We rolled all our exploits into a proof-of-concept attack tool, giving it near-perfect DDoS mitigation bypass capability against almost every existing commercial DDoS mitigation solutions. The ramifications are huge. For the vast majority of web sites, these mitigation solutions stand as the last line of defense. Breaching this defense can expose these web sites' backend to devastating damages.”
Tool: Kill ‘em All 1.0
• Harnesses techniques such as Authentication
Bypass, HTTP redirect, HTTP cookie and
JavaScript
• True TCP behavior, believable and random HTTP
headers, JavaScript engine, random payload,
tunable post authentication traffic model
• Defeats current anti-DDoS solutions that detect malformed traffic, traffic profiling, rate limiting, source verification, JavaScript and CAPTCHA-based authentication mechanisms
• Creators allege that the tool is technically indistinguishable from legitimate human traffic
Tested: Arbor PeakFlow TMS, Akamai, Cloudflare, NSFocus Anti-DDoS System
兵之情主速 Speed is the essence of war
[Chart: attack degree axis divided into Normal Area, Suspicious Area and Attack Area]
The Security Gap
Attacker has time to bypass automatic mitigation
Target does not possess required defensive skills
故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations
Detection: Encrypted / Non-Volumetric Attacks
• Envelope Attacks – Device Overload
• Directed Attacks - Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
Detection: Application Attacks
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
Attack Detection: Volumetric Attacks
• Network DDoS
• SYN Floods
• HTTP Floods
Attack Mitigation Network: Low & Slow, SSL Encrypted
[Diagram: Botnet, Enterprise, Cloud Scrubbing, Hosted Data Center]
Attack Mitigation Network: Application Exploits
[Diagram: Botnet, Enterprise, Cloud Scrubbing, Hosted Data Center; attack signatures]
Attack Mitigation Network: Volumetric Attacks
[Diagram: Botnet, Enterprise, Cloud Scrubbing, Hosted Data Center; attack signatures]
没有战略,战术是之前失败的噪音 Tactics without strategy is the noise before defeat
目标 Target
Don’t assume that you’re not a target.
Draw up battle plans. Learn from the mistakes of others.
可用性 Protection
Protecting your data is not the same as protecting your business.
True security necessitates data protection, system integrity and operational availability.
漏洞 Vulnerability
You don’t control all of your critical business systems.
Understand your vulnerabilities in the distributed, outsourced world.
检测 Detection
You can’t defend against attacks you can’t detect.
The battle prepared business harnesses an intelligence network.
宣传 Propaganda
Don’t believe the DDoS protection propaganda.
Understand the limitations of cloud-based scrubbing solutions.
Not all networking and security appliance solutions were created equal.
限制 Limitations
Know your limitations.
Enlist forces that have expertise to help you fight.
你准备好了吗? Are You Ready?