Attackers Vs. Defenders: Restoring the Equilibrium
Ron Meyran, Director of Security Marketing
January 2013
AGENDA
• Cyber Security Statistics
• About the 2012 Global Security Report
• Key Findings
• ERT Case Studies
• 2013 Recommendations
Cyber Security Study
• A research study by Ponemon & Radware
• Surveyed 700 IT & IT security practitioners
• Non-Radware customers
• Release date: November 12th, 2012
Cyber Security Business Priorities
Ranking of cyber security objectives in terms of business priority (5 = highest priority, 1 = lowest priority):
• Interoperability: 1.9
• Confidentiality: 2.8
• Integrity: 3.5
• Compliance: 4.4
• Availability: 4.7
DDoS Attacks Frequency
How many DDoS attacks did you experience in the past 12 months?
65% of organizations had an average of 3 DDoS attacks in the past 12 months.
Average downtime during one DDoS attack
Average downtime during one DDoS attack: 54 minutes
Distribution of responses:
• Less than 1 minute: 10%
• 1 to 10 minutes: 13%
• 11 to 20 minutes: 16%
• 21 to 30 minutes: 22%
• 31 to 60 minutes: 11%
• 1 to 2 hours: 9%
• 3 to 5 hours: 5%
• More than 5 hours: 4%
• Cannot determine: 10%
Cost of Downtime
Average cost per minute of downtime: $22,000
Average annual cost of DDoS attacks: $3,000,000
Cost per minute of downtime, distribution of responses:
• $1 to $10: 1%
• $10 to $100: 8%
• $101 to $1,000: 12%
• $1,001 to $5,000: 15%
• $5,001 to $10,000: 15%
• $10,001 to $25,000: 21%
• $25,001 to $50,000: 11%
• $50,001 to $100,000: 7%
• More than $100,000: 5%
• Cannot determine: 5%
Information Resources
• Radware Security Survey
  – External survey
  – 179 participants
  – 95.5% are not using a Radware DoS mitigation solution
• ERT Survey
  – Internal survey
  – Unique visibility into attack behaviour
  – 95 selected cases
  – Customer identity remains undisclosed
• ERT sees attacks in real time on a daily basis
Organizations Bring a Knife to a Gunfight
• "Someone who brings a knife to a gunfight" is someone who does prepare for the fight, but does not understand its true nature
• Organizations today are like that
  – They do invest before the attack starts, and conduct excellent forensics after it is over
  – However, they have one critical blind spot: they don't have the capabilities or resources to sustain a long, complicated attack campaign
• Attackers target this blind spot!
Attacked in 2012
They had the budget
They made the investment
And yet they went offline
Organizations Deploy a Two-phase Security Approach
Industry Security Survey: How much did your organization invest in each of the following security aspects in the last year?
Chart: share of investment before, during and after an attack, broken down into procedures, human skills and equipment.
Only 21% of company efforts are invested during the attack itself, while 79% is spent during the pre-attack and post-attack phases.
But attacks today have 3 phases
Attacks last longer
Chart: number of DoS attacks by duration (1-2 days, half a week, 1 week, 2 weeks and more), 2011 vs. 2012.
Attacks last longer: the number of DoS attacks lasting over a week doubled in 2012.
And become more complex
ERT Cases – Attack Vectors
Chart: share of ERT cases by attack complexity level (5-6, 7-8, 9-10), 2011 vs. 2012.
Attacks are more complex: 2012 DoS/DDoS attacks have become more sophisticated, using more complex attack vectors. Note the number of attacks using a complexity level of 7-10.
Content Delivery Network (CDN)
Do you consider Content Delivery Networks (CDNs) a solution for a DoS/DDoS attack?
• Yes: 70%
• No: 30%
70% of the companies who use a CDN believe the CDN is a solution for DoS/DDoS attacks.
Attacks Evade CDN service
Diagram: legitimate users and a botnet both reach the CDN service over the Internet. Legitimate users send GET www.example.com and are served by the CDN; the botnet sends GET www.example.com/?[Random], which the CDN cannot serve from its cache and forwards to the backend web server. The backend is flooded and legitimate requests are refused.
• In recent cyber attacks the CDN was easily bypassed by changing the page request in every Web transaction
• These random request techniques force CDNs to "raise the curtain"
  – All the attack traffic is passed directly to the customer premises
  – Attacks masked by the CDN are more complex to mitigate
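As an added example, not code from the presentation or from Radware, the following Python simulation shows why the random-query trick defeats a CDN edge whose cache key is the full URL, how keying only on whitelisted query parameters neutralises it, and a simple per-client check that spots cache-busting clients in an access log. The host name, client addresses, traffic volumes and thresholds are constructed for the example.

```python
import random
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode


def cache_key(url, allowed_params=None):
    """Key under which a CDN edge stores a cached response.

    allowed_params=None models the naive policy: path plus the full query
    string form the key, so every distinct query string is a cache miss.
    allowed_params={...} models a hardened policy: only whitelisted query
    parameters survive in the key; anything else is ignored.
    """
    parts = urlsplit(url)
    if allowed_params is None:
        return parts.path + ("?" + parts.query if parts.query else "")
    kept = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in allowed_params
    )
    return parts.path + ("?" + urlencode(kept) if kept else "")


class Edge:
    """Minimal CDN edge: a set of cached keys plus a counter of origin fetches."""

    def __init__(self, allowed_params=None):
        self.allowed_params = allowed_params
        self.cache = set()
        self.origin_requests = 0

    def get(self, url):
        key = cache_key(url, self.allowed_params)
        if key in self.cache:
            return "HIT"
        self.cache.add(key)          # first request for a key goes to the origin
        self.origin_requests += 1
        return "MISS"


def botnet_urls(n, seed=1):
    """Constructed attack traffic: GET www.example.com/?[Random], a fresh value every time."""
    rng = random.Random(seed)
    return ["http://www.example.com/?%d" % r for r in rng.sample(range(2 ** 32), n)]


def legit_urls():
    """Constructed legitimate traffic: a couple of real pages, revisited."""
    return [
        "http://www.example.com/",
        "http://www.example.com/?page=2",
        "http://www.example.com/",
    ]


def origin_load(allowed_params, bots=1000):
    """Number of requests that reach the backend web server under a cache-key policy."""
    edge = Edge(allowed_params)
    for url in legit_urls() + botnet_urls(bots):
        edge.get(url)
    return edge.origin_requests


def suspicious_clients(requests, min_requests=20, uniqueness=0.9):
    """Flag clients whose requests almost never repeat a cache key.

    requests: iterable of (client_ip, url). A browser revisits the same handful
    of keys; a cache-busting bot produces a new key on nearly every request.
    """
    keys_by_client = defaultdict(list)
    for client, url in requests:
        keys_by_client[client].append(cache_key(url))
    flagged = {}
    for client, keys in keys_by_client.items():
        if len(keys) >= min_requests:
            ratio = len(set(keys)) / len(keys)
            if ratio >= uniqueness:
                flagged[client] = round(ratio, 2)
    return flagged


def sample_log():
    """Constructed access log: one bot (203.0.113.7) and one human (198.51.100.4)."""
    bot = [("203.0.113.7", u) for u in botnet_urls(50, seed=7)]
    human = [("198.51.100.4", legit_urls()[i % 3]) for i in range(50)]
    return bot + human


if __name__ == "__main__":
    print("origin requests, key on full URL:  ", origin_load(None))
    print("origin requests, key on ?page only:", origin_load({"page"}))
    print("cache-busting clients:", suspicious_clients(sample_log()))
```

With the naive key every bot request is a miss and lands on the origin; with the whitelist the bot collapses onto the cached front page. The whitelist only works for pages whose query parameters are genuinely enumerable, which is why the presentation's point stands: a CDN alone is not a DDoS mitigation.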
Attackers are well prepared
• By definition the defenders lose the battle
• Equilibrium has been disrupted
The good news (1)
Industry Security Survey: How likely is it that your organization will be attacked by cyber warfare?
• Unlikely: 45%
• Possible: 37%
• Likely: 8%
• Very likely: 10%
Over half of the organizations (possible, likely or very likely: 55%) believe their organization may be attacked by cyber warfare.
Organizations start understanding the risk of DDoS
The good news (2)
Industry Security Survey: Which solutions do you use against DoS attacks?
Chart: share of respondents using each type of solution against DoS attacks, 2011 vs. 2012.
Organizations start understanding that firewalls and IPS cannot fight DDoS attacks
Conclusions
• Today's attacks are different
  – Carefully planned
  – Last days or weeks
  – Switch between attack vectors
• Organizations are ready to fight yesterday's attacks
  – They deploy security solutions that can absorb the first strike
  – But when attacks are prolonged, they have very limited firepower
  – By the time they succeed in blocking the first two attack vectors, attackers switch to a third, more powerful one
A different approach is needed
• A team of security experts
  – Acquire capabilities to sustain long attacks
  – Train a team that is ready to respond to persistent attacks
  – Deploy the most up-to-date methodologies and tools
  – 24 x 7 availability to respond to attacks
  – Deploy counterattack techniques to cripple an attack
US Banks Under Attack: from the news
US Banks Under Attack: Operation Ababil
• Publication of the 'Innocence of Muslims' film on YouTube provokes demonstrations throughout the Muslim world
• September 18th: 'Cyber Fighters of Izz ad-Din al-Qassam' announce an upcoming cyber attack campaign against 'American and Zionist' targets
Attack Summary
• Attack targets
  – Bank of America
  – New York Stock Exchange (NYSE)
  – Chase
  – Wells Fargo
• Attacks lasted Sep 18-21, 2012
• Multiple attack waves on each target, each wave lasting 4 to 9 hours
• Victims suffered temporary outages and network slowness
• ERT was actively involved in protecting the attacked organizations
Why was it so challenging?
Diagram: a multi-vulnerability attack campaign that alternates between the network layer and the business (application) layer, switching vectors until the target is shut down:
• UDP garbage flood on ports 80 and 443
• SSL Client Hello flood
• Large volume SYN flood
• HTTP flood attack
• Mitigation nearly impossible
• Attackers look for the blind spot
Recent updates
• The HTTP flood was carried out from compromised hosting servers
  – Highly distributed attacks
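As an added example, not code from the presentation or from Radware's ERT, the following Python script labels the vectors active in each one-minute window of flow records and counts how often the attacker changes vector, the behaviour the conclusions slide and the Operation Ababil vector list describe. The flow-record fields, the packets-per-second thresholds and the traffic volumes are assumptions made for the example; the sample records are constructed, not captured.

```python
from collections import defaultdict


# A record is a flow summary as a collector would export it: ts (seconds),
# proto, dport, TCP flags, an application label from a DPI sensor, packet count.
def _udp_garbage(r):
    return r["proto"] == "udp" and r["dport"] in (80, 443)


def _syn(r):
    return r["proto"] == "tcp" and r["flags"] == "S"


def _client_hello(r):
    return r["proto"] == "tcp" and r["dport"] == 443 and r["app"] == "tls_client_hello"


def _http_get(r):
    return r["proto"] == "tcp" and r["dport"] == 80 and r["app"] == "http_get"


# (vector name, matcher, packets-per-second threshold). Thresholds are assumptions
# for this example; in practice they come from a measured baseline of the site.
VECTORS = [
    ("udp_garbage_flood", _udp_garbage, 2000),
    ("syn_flood", _syn, 5000),
    ("ssl_client_hello_flood", _client_hello, 500),
    ("http_flood", _http_get, 1000),
]


def vectors_per_window(records, window=60):
    """Map each window start time to the set of attack vectors active in that window."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        start = r["ts"] - r["ts"] % window
        for name, match, _ in VECTORS:
            if match(r):
                counts[start][name] += r["pkts"]
    return {
        start: {name for name, _, thr in VECTORS if counts[start][name] / window >= thr}
        for start in sorted(counts)
    }


def count_vector_switches(timeline):
    """Number of windows whose non-empty vector set differs from the previous window's."""
    switches = 0
    previous = None
    for start in sorted(timeline):
        active = timeline[start]
        if active and previous is not None and active != previous:
            switches += 1
        previous = active
    return switches


def sample_records():
    """Constructed flow records modelled on the waves described above; not real capture data."""
    recs = []

    def add(ts, proto, dport, flags, app, pkts):
        recs.append({"ts": ts, "proto": proto, "dport": dport,
                     "flags": flags, "app": app, "pkts": pkts})

    # legitimate background in every window: 50 SYN/s, 200 HTTP GET/s, 50 ClientHello/s
    for w in range(0, 300, 60):
        add(w + 1, "tcp", 80, "S", "", 3000)
        add(w + 2, "tcp", 80, "PA", "http_get", 12000)
        add(w + 3, "tcp", 443, "PA", "tls_client_hello", 3000)
    add(10, "udp", 80, "", "garbage", 150000)               # wave 1: UDP garbage on 80
    add(70, "udp", 443, "", "garbage", 150000)              # wave 1 continues on 443
    add(130, "tcp", 443, "PA", "tls_client_hello", 60000)   # wave 2: SSL Client Hello flood
    add(190, "tcp", 80, "S", "", 600000)                    # wave 3: SYN flood ...
    add(200, "tcp", 80, "PA", "http_get", 120000)           # ... with an HTTP flood on top
    return recs                                             # window 240-299 is quiet


if __name__ == "__main__":
    timeline = vectors_per_window(sample_records())
    for start, active in timeline.items():
        print("t=%3d..%3d: %s" % (start, start + 59, ", ".join(sorted(active)) or "no attack"))
    print("vector switches:", count_vector_switches(timeline))
```

The point of the window view is that a single-vector detector reports "attack over" when the UDP flood stops at t=120, while the campaign has merely moved to the TLS handshake and then to the TCP and HTTP layers; a defender that only counts one kind of event never sees the switch.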
ERT recommendations for 2013
• Acquire capabilities to sustain a long, sophisticated cyber attack
• Attack tools are known. Test yourself
• Carefully plan the position of DoS/DDoS mitigation within the network architecture
  – On-premise capabilities
  – In-the-cloud capabilities
Restore the equilibrium
Thank You
Ron Meyran