Top Findings - Radware 2015 - 2016 Global Application & Network Security Report

Jan 07, 2017

Radware
Page 1: Top Findings - Radware 2015 - 2016 Global Application & Network Security Report

Top Findings

Global Application & Network Security Report 2015-2016

Page 2

Overview

Page 3

The Report’s Purpose

5th Installment of Radware’s Global Application & Network Security Report

Through firsthand and statistical research coupled with front-line experience, this research identifies trends that can help educate the security community.

Page 4

Methodology & Sources

Page 5

Key Findings

Page 6

Key Findings

Growing Need for Security Automation

No One Immune Few Prepared

Shifts in Motives and Impact

Page 7

Key Findings

No One Immune Few Prepared

Over 90% Experienced Attacks in 2015

Ring of Fire – Increased Attacks on Education and Hosting

Are You Ready? Preparedness for Cyber-Attacks Varies

Protection Gaps Identified Across the Board

Page 8

Over 90% Experienced Attacks in 2015

Half of organizations experienced DDoS and Phishing attacks

Almost half had Worm and Virus Damage

One in ten have not experienced any of the attacks mentioned

Q: What type of attack have you experienced?

Attack type                                 Share of respondents
DDoS                                        51%
Phishing                                    50%
Worm and Virus Damage                       47%
Unauthorized Access                         34%
Criminal SPAM                               29%
Fraud                                       25%
Advanced Persistent Threat                  23%
Theft of Prop. Info./Intellectual Capital   15%
Corporate/Geo-political Sabotage             7%
None of the above                            9%

Page 9

Increased Attacks on Education and Hosting

Comparing to 2014:

Most verticals stayed the same

Education and Hosting – increased likelihood

Growing number of “help me DDoS my school” requests

Motivations vary for Hosting:

- Some target end customers

- Some target the hosting companies

[Chart: likelihood of attack by vertical, 2015 and change from 2014; values not recoverable from the extracted text]

Page 10

Are You Ready? Preparedness for Cyber-Attacks Varies

Q.9: In your opinion, how prepared is your organization to safeguard itself from the following cyber-attacks?

                                    Extremely well  Very well  Somewhat  Not very  Not prepared
                                    prepared        prepared   prepared  prepared  at all
Corporate/Geo-political Sabotage     8%             29%        39%       20%       4%
Advanced Persistent Threat           9%             33%        41%       14%       3%
Theft of Prop. Info./Intellectual…  12%             33%        41%       12%       3%
Fraud                               14%             38%        36%       10%       2%
Phishing                            14%             38%        39%        7%       2%
DDoS                                20%             35%        30%       12%       3%
Criminal SPAM                       15%             44%        33%        7%       2%
Worm and Virus Damage               15%             48%        32%        4%       1%
Unauthorized Access                 17%             47%        29%        6%       2%

Page 11

Are You Ready? Preparedness for Cyber-Attacks Varies

[Same preparedness chart as Page 10]

3 out of 5 respondents feel they are extremely/very well prepared to safeguard against Unauthorized Access and Worm and Virus Damage.

Page 12

Are You Ready? Preparedness for Cyber-Attacks Varies

[Same preparedness chart as Page 10]

3 out of 5 respondents are somewhat/not very prepared against APT and information theft

Page 13

Are You Ready? Preparedness for Cyber-Attacks Varies

[Same preparedness chart as Page 10]

The results are split evenly between those that are prepared and not prepared to protect from DDoS attacks

Page 14

Protection Gaps - Across the Board

A true protection gap for most organizations today

Weaknesses spread evenly among all attack types

Volumetric and HTTPS/SSL protection lead the gap

Q: Where, if at all, do you think you have a weakness against DDoS attacks?

[Chart: share of respondents citing each weakness (0–40% axis); extracted values 22%, 19%, 20%, 21%, 23%, 26%, 27%, 33%; the weakness labels are not recoverable from the extracted text]

Page 15

Key Findings

Growing Need for Security Automation

No One Immune Few Prepared

Shifts in Motives and Impact

Slowness Still Main Impact of Cyber Attacks

DDoS Remains Biggest Threat of all Cyberattack Categories

Increases in Ransom as a Motive for Cyber-attacks

Tangible Concerns Expand

Page 16

Slowness - Still the Main Impact

Impact on systems was mostly slowness

Outage was not the impact in most cases – only 16% of the cases

About a third saw no impact on systems

Numbers are consistent with past years

Q: What are the three biggest cyber-attacks you have suffered: Affected System?

Slowness    46%
No impact   37%
Outage      16%

Page 17

DDoS Continues to Lead as Biggest Threat

DDoS attacks and unauthorized access – the main causes of harm to organizations

Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?

[Chart: share of respondents per attack type (0–60% axis); values not recoverable from the extracted text]

Page 18

Increase in Ransom as a Motive for Cyber-attacks

More than 50% increase in ransom as a motivator for attackers

Motivation behind cyber-attacks is still largely unknown

One-third cited political/hacktivism

About a quarter referenced competition, ransom, or angry users

Q: Which of the following motives are behind any cyber-attacks your organization experienced?

[Chart: motives behind cyber-attacks, 2014 vs 2015 (0–70% axis); values in extraction order: 34%, 27%, 16%, 22%, 69%, 34%, 27%, 25%, 25%, 25%, 66%; the motive labels and the split between years are not recoverable from the extracted text]

Page 19

More than Third Experienced Ransom or SSL/TLS-Based Attacks

More than a third reported having experienced either a ransom attack or an SSL or TLS-based attack

Consistent with increased public interest and concerns over these types of attacks

Q: Have you experienced any ransom attacks this year?

Q: Have you experienced encrypted SSL or TLS-based attacks?

                            Yes    No
Ransom Attacks              37%    63%
SSL or TLS-based Attacks    35%    65%

Page 20

More Tangible Concerns from Cyber Attacks

Business Concerns Ranked 1st

Shift in concerns from reputation loss to serving customers and ensuring application SLA

Reputation loss still cited as the biggest business concern but decreased significantly

More indicated being concerned about customer loss or service outage/limited availability

Q: What are your business concerns if your organization is faced with a cyber-attack?

[Chart: business concerns, 2014 vs 2015 (0–50% axis); values grouped as extracted, in the chart's 2014/2015 legend order: 47%, 21%, 7%, 5%, 12%, 3%, 5% and 26%, 19%, 11%, 17%, 22%, 2%, 6%; the concern labels are not recoverable from the extracted text]

Page 21

Key Findings

Growing Need for Security Automation

No One Immune Few Prepared

Shifts in Motives and Impact

Today’s existing solutions – frequently are multi-vendor and manual

Burst Attacks on the Rise

Adoption of Hybrid Solutions Continues to Grow

Beyond Network: Similar Frequency for Network & Application Attacks

Page 22

Existing Solutions – Multiple and Manual

Over 80% of solutions require a medium to high degree of manual tuning

Less than 20% require a low degree and are considered mostly automatic

Multiple solutions used by almost all (91%)

Only 6% use only one solution against cyber-attacks

Q: What degree of manual tuning or configuration does your current solution require?

High degree     24%
Medium degree   58%
Low degree      17%

Page 23

Burst Attacks on the Rise

More than half of the three biggest attacks experienced lasted 1 hour or less

Significant increase from the 27% in 2014

Another indication of increased automated attacks

Q: What are the three biggest cyber-attacks you have suffered: Duration?

[Chart series: 2011, 2012, 2013, 2014, 2015 (0–60% axis); only the 2015 values survive in the extracted text]

1 hour or less     57%
1 hour to 1 day    36%
1 day to 1 week     4%
Over a week         2%
Constantly          1%

Page 24

Adoption of Hybrid Solutions Continues to Grow

Significant increase in current and planned adoptions of Hybrid

41% are using a hybrid solution, double from the 21% in 2014

Another 44% are planning to adopt a hybrid solution, a significant increase from 2014

                                       2014    2015
Currently using a hybrid solution      21%     41%
Planning to adopt a hybrid solution    17%     44%

Chart annotations: “~50% increase” and “~60% increase”

*Hybrid solutions combine an on-premise DDoS and any cloud-based solution (always-on cloud based service / on-demand cloud based service / CDN solution / ISP-based or clean link service).

Page 25

Adoption of Hybrid Solutions Continues to Grow

[Chart: Company Size – currently using / planning to adopt a hybrid solution, by employees (<1K, 1K-10K, >10K; 0–60% axis); extracted values 29%, 42%, 37%, 38%, 55%, 51%; the mapping of values to size bands is not recoverable from the extracted text]

[Chart: Revenue – currently using / planning to adopt a hybrid solution, by revenue (<$1B, >$1B; 0–60% axis); extracted values 35%, 46%, 49%, 50%; the mapping of values to revenue bands is not recoverable from the extracted text]

Page 26

Adoption of Hybrid Solutions Continues to Grow

[Same Company Size and Revenue charts as Page 25]

Companies with the highest revenue or most employees are most likely to have a hybrid solution

Page 27

Similar Frequency for Network and Application Attacks

[Chart: frequency of Network Attacks and Application Attacks by attack type, stacked 0–100% (Rarely-Never / Daily, Weekly, Monthly / Don't know); the per-type values are not recoverable from the extracted text]

Page 28

Similar Frequency for Network and Application Attacks

[Same frequency chart as Page 27]

Page 29

Similar Frequency for Network and Application Attacks

[Same frequency chart as Page 27]

38-42% experienced Network attacks daily, weekly or monthly

38-52% experienced Application attacks daily, weekly or monthly

Page 30

Case Studies

Page 31

ProtonMail Ransom Attack Case

Swiss-based encrypted email service provider

In Nov 2015 experienced back-to-back attacks initiated through a ransom request.

Over the course of 7-10 days, experienced multiple attack vectors at high volume.

Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks.

Page 32

ProtonMail Attack Timeline – Largest and most extensive cyberattack in Switzerland

Nov. 3 2015: ProtonMail receives ransom email from The Armada Collective, followed by a DDoS attack that took them offline for 15 mins

Nov. 4 2015: Next DDoS attack hits in the morning and by afternoon reached over 100G, directly attacking the datacenter and ISP infrastructure. ProtonMail, under pressure, decides to pay the ransom, but attacks continue from a 2nd source

Nov. 5-7 2015: ProtonMail continues to suffer from ongoing high volume, complex attacks from a second, unknown source

Nov. 8 2015: Radware’s Emergency Response Team implements its attack mitigation solution to protect ProtonMail. Service is restored shortly after

Nov. 9-15 2015: Attacks continue at high volume of 30-50G at peaks during these days. Attacks are mitigated successfully by Radware

Page 33

ProtonMail Attack – A Look Inside Persistent Denial of Service Attacks

[Chart: ProtonMail Attack Volume, Mitigated by Radware (0–60 axis), broken down by vector; per-vector values are not recoverable from the extracted text]

Legend columns as extracted:

Network                 Application
UDP Flood               DNS Reflection
TCP RST Flood           NTP Reflection
TCP-SYN                 SSDP
TCP Out-of-State        HTTP/S SYN Flood
SYN-ACK
ICMP

Page 34

Evolution of Attack Vectors by Day

[Chart: attack vectors observed on Nov 8th, Nov 9th, Nov 10th and Nov 11th; the per-day assignment is not recoverable from the extracted text]

Vectors listed across the four days: UDP flood, SYN flood, DDoS-NTP-reflection, DDoS-DNS-reflection, SYN-ACK Flood, DDoS-TCP-urgent, DDoS-TCP-zero-seq, DDoS-chargen-reflected events, UDP Flood – Reflective DNS, TCP RST Flood, ICMP Flood, SYN Flood – HTTPS, SYN Flood – HTTP, UDP Flood – SSDP & NTP Reflection, TCP SYN Flood, TCP Out-of-State Flood, DDoS-SSL, DDoS-udp-fragmented, Minor ICMP flood/RST flood

Page 35

Leading US Airline Fingerprinting Case

Major US Airline

Sophisticated attacks - bad bots programmed to “scrape” certain flights, routes and classes of tickets. Bots acting as faux buyers, continuously creating but never completing reservations on those tickets

Airline unable to sell the seats to real customers

Dynamic source-IP attacks, so security protection could not differentiate between “good” and “bad” bots

Chose Radware’s WAF with fingerprinting technology to block the dynamic-IP attack
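The airline case above turns on one point: a per-source-IP threshold cannot see a bot that rotates its address for every request, while a key built from attributes that survive IP rotation can. The script below is an added illustration of that idea and is not Radware's code or a description of its WAF; the fingerprint features (user agent, accept-language, and a stand-in tls_hint field for a TLS handshake signature), the thresholds, and the traffic sample are all constructed assumptions. It counts created versus completed reservations per key, once keyed by source IP and once by fingerprint, and flags keys whose completion rate is abnormally low.

```python
"""Fingerprint-keyed detection of abandoned-reservation bots (added example).

Constructed scenario: a bot opens reservations from a fresh source IP each
time and never completes them; ordinary shoppers create and then complete.
Keying the check on source IP sees one request per address and flags
nothing; keying it on a fingerprint of stable client attributes groups the
bot's requests together and exposes the create-but-never-complete pattern.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src_ip: str
    user_agent: str
    accept_language: str
    tls_hint: str        # hypothetical stand-in for a TLS handshake signature
    action: str          # "create" or "complete"
    reservation_id: str


def fingerprint(ev: Event) -> str:
    """Hash of attributes that survive IP rotation (hypothetical feature set)."""
    raw = "|".join((ev.user_agent, ev.accept_language, ev.tls_hint))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def reservations_by_key(events, key_fn):
    """Return {key: (created, completed)} for the given grouping key."""
    stats = defaultdict(lambda: [0, 0])
    for ev in events:
        k = key_fn(ev)
        if ev.action == "create":
            stats[k][0] += 1
        elif ev.action == "complete":
            stats[k][1] += 1
    return {k: tuple(v) for k, v in stats.items()}


def flag_keys(events, key_fn, min_created=5, max_completion_rate=0.2):
    """Keys that opened at least min_created reservations and completed
    no more than max_completion_rate of them (constructed thresholds)."""
    flagged = set()
    for k, (created, completed) in reservations_by_key(events, key_fn).items():
        if created >= max(min_created, 1) and completed / created <= max_completion_rate:
            flagged.add(k)
    return flagged


def build_sample_events():
    """Constructed traffic: one rotating-IP bot plus ordinary shoppers."""
    events = []
    # Bot: 20 creates from 20 different IPs, identical client profile, no completes
    for i in range(20):
        events.append(Event(f"198.51.100.{i}", "Mozilla/5.0 (X11; Linux x86_64) Headless",
                            "en-US", "tls-profile-A", "create", f"bot-{i}"))
    # Shoppers: share a common browser profile, each creates and then completes
    for i in range(5):
        ip, rid = f"203.0.113.{i}", f"cust-{i}"
        for action in ("create", "complete"):
            events.append(Event(ip, "Mozilla/5.0 (Windows NT 10.0) Chrome",
                                "en-US", "tls-profile-B", action, rid))
    return events


SAMPLE_EVENTS = build_sample_events()


def ip_keyed_flags():
    """Per-IP view: every address made one request, so nothing is flagged."""
    return flag_keys(SAMPLE_EVENTS, lambda ev: ev.src_ip)


def fingerprint_keyed_flags():
    """Per-fingerprint view: the bot's 20 creates collapse onto one key."""
    return flag_keys(SAMPLE_EVENTS, fingerprint)


if __name__ == "__main__":
    print("IP-keyed flags:", ip_keyed_flags())
    print("Fingerprint-keyed flags:", fingerprint_keyed_flags())
```

The shoppers deliberately share one fingerprint: popular browser builds collide, so a fingerprint alone is not evidence of abuse. The behavioural threshold (many creates, almost no completes) is what separates the bot from a crowd of legitimate clients that happen to look alike, which is why the check combines the two rather than blocking on the fingerprint by itself.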

Page 36

Looking Ahead

Page 37

Seven Predictions for 2016

Prediction #1: APDoS as SOP (Standard Operating Procedure)

Prediction #2: Continued Rise of RansomDoS (RDoS)

Prediction #3: Privacy as a Right (Not Just a Regulation)

Prediction #4: More Laws Governing Sensitive Data

Prediction #5: Arrival of Permanent Denial-of-Service (PDoS) Attacks

Prediction #6: Growing Encryption to and from Cloud Applications

Prediction #7: The Internet of Zombies

Page 38

Summary: What Can You Do?

Preparedness is Key. Multi-layered solutions are a Must. Services are Important.

Bet on Automation. It has become necessary to fight automated threats with automation technology.

Cover the Blind Spot. Choose a solution with the widest coverage to protect from multi-vector attacks.

Multi Layered Solution. Look for a single vendor, hybrid solution that can protect networks and applications from a wide range of attacks, and includes DoS protection, behavioral analysis, IPS, encrypted attack protection and web application firewall (WAF).

Protect from Encrypted Attacks. SSL-based DDoS mitigation solution deployments must not affect legitimate traffic performance.

Single point of contact is crucial when under attack - it will help to divert internet traffic and deploy mitigation solutions.