Cyber Attacks: No One Immune, Few Prepared
Adrian Crawley, Regional Director, Northern Europe
September 9, 2016
The rise of automation
(Slide images: the stock market in 1980 vs. the stock market in 2010; self-delivering packages; self-driving buses)
“By 2018, the fastest-growing companies will have fewer employees than instances of smart machines” (“Top Strategic Digital Predictions”, Gartner technology research, 2015)
There are more things to attack and attack you
There are more sensitive things to attack
We’re seeing more attacks. No one is immune.
Over 90% Experienced Attacks in 2015
Q: What type of attack have you experienced?
Half of organizations experienced DDoS and Phishing attacks
Almost half had Worm and Virus Damage
One in ten (9%) have not experienced any of the attacks mentioned

Share of respondents reporting each attack type:
DDoS: 51%
Phishing: 50%
Worm and Virus Damage: 47%
Unauthorized Access: 34%
Criminal SPAM: 29%
Fraud: 25%
Advanced Persistent Threat: 23%
Theft of Prop.…: 15%
Corporate/Geo-political…: 7%
None of the above: 9%
Increased Attacks on Education and Hosting
Comparing to 2014, most verticals stayed the same
Education and Hosting – increased likelihood
Growing number of “help me DDoS my school” requests
Motivations vary for Hosting:
- Some target end customers
- Some target the hosting companies
(Chart: likelihood of attack by vertical, 2015 and change from 2014)
Everyone Is a Target
- OpIcarus: financial institutions, Feb-June 2016
- Web hosting companies under attack, Feb-April 2016
- India vs. Pakistan conflict goes cyber, Jan-May 2016
- COMELEC Philippines election breach, May 2016
DDoS Continues to Lead as Biggest Threat
Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?
DDoS attacks and unauthorized access are the attacks respondents expect to harm their organizations most.
(Chart: share of respondents naming each attack type; axis 0%-60%)
We’re seeing more sophisticated, automated attacks
Attacker Motivation is Shifting
Q: Which of the following motives are behind any cyber-attacks your organization experienced?
Ransom as a motivator for attackers increased by more than 50% compared with 2014
Motivation behind cyber-attacks is still largely unknown
One-third cited political/hacktivism
About a quarter referenced competition, ransom, or angry users
(Chart: share of respondents citing each motive, 2014 vs. 2015; axis 0%-70%)
Increase in Ransom as a Motive
More than a Third Experienced Ransom or SSL/TLS-Based Attacks
Q: Have you experienced any ransom attacks this year?
Q: Have you experienced encrypted SSL or TLS-based attacks?
More than a third reported having experienced either a ransom attack or an SSL or TLS-based attack, consistent with increased public interest and concerns over these types of attacks.

Ransom attacks: Yes 37%, No 63%
SSL or TLS-based attacks: Yes 35%, No 65%
Similar Frequency for Network and Application Attacks
38-42% experienced Network attacks daily, weekly or monthly
38-52% experienced Application attacks daily, weekly or monthly
(Chart: two stacked-bar panels, Network Attacks and Application Attacks, by vertical; categories Daily / Weekly / Monthly and Rarely-Never; axis 0%-100%)
How ProtonMail survived an Advanced Persistent DDoS attack
Email Service Providers Under Attack
Ransom attacks against email service providers
Original ransom source from The Armada Collective
Targets include ProtonMail, Neomailbox, VFEmail, Hushmail, Fastmail, Zoho and Runbox
Who is The Armada Collective?
Background: either originating from DD4BC or acting as a copycat using their methods. Focused on hosting providers, e-commerce and financial services, primarily in Europe. Two companies we know of have already been taken down.
Strategy:
- Customers receive a ransom mail asking for 30 bitcoins (5,600 € – 8,400 €).
- A warning attack follows within minutes. If payment is refused, attacks escalate to up to 1 Tbps.
- Targeted: emails are sent to dedicated, named internal recipients.
- They do their homework: if the victim has strong DDoS protection, they will not go after it.
- They only attack when they can create real damage.
Attack methods: current vectors are amplification attacks (NTP and RIP reflection/amplification); warning attacks reach up to 20 Gbps.
Risk: affected organizations have a short time to act and prepare. Very high risk – aggressive and professional attackers, with proven results at high volume and companies taken down.
ProtonMail Ransom Attack Case
Swiss-based encrypted email service provider
In Nov 2015 ProtonMail experienced back-to-back attacks initiated through a ransom request.
Over the course of 7-10 days it experienced multiple attack vectors at high volume.
Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks.

ProtonMail Attack – A Look Inside Persistent Denial of Service Attacks
(Chart: ProtonMail attack volume, mitigated by Radware, per vector, split into Network and Application; axis 0-60)
Vectors seen: UDP Flood, DNS Reflection, TCP RST Flood, NTP Reflection, TCP-SYN, SSDP, TCP Out-of-State, HTTP/S SYN Flood, SYN-ACK, ICMP
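The Armada Collective's amplification vectors and the ProtonMail vector list above are what a flow-based detector has to tell apart, and it does so mostly from protocol, source port and TCP flags. The block below is an added example, not code from Radware, ProtonMail or this deck: it classifies a window of constructed NetFlow-style records toward one victim into those vector names, reports per-vector volume and packet rate, and flags vectors above assumed thresholds. The `Flow` record layout, the victim address, the traffic sizes and the 1 Gbps / 500 kpps alert thresholds are all assumptions made for the example.

```python
"""Classify one window of flow records toward a victim into DDoS vectors.

Added example; flow records, thresholds and victim address are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Source port of reflected UDP traffic identifies the abused service.
REFLECTOR_PORTS = {53: "DNS Reflection", 123: "NTP Reflection", 1900: "SSDP"}
# Assumed alerting thresholds for this example.
ALERT_BPS = 1_000_000_000   # 1 Gbps: volumetric vectors
ALERT_PPS = 500_000         # 500 kpps: packet-rate vectors such as SYN floods


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp", "tcp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int
    tcp_flags: str = ""   # union of TCP flags seen on the flow, e.g. "S", "SA", "R"


def vector_of(flow):
    """Map one flow record to a vector name from the ProtonMail chart."""
    if flow.proto == "icmp":
        return "ICMP"
    if flow.proto == "udp":
        return REFLECTOR_PORTS.get(flow.src_port, "UDP Flood")
    if flow.proto == "tcp":
        flags = set(flow.tcp_flags)
        if flags == {"S"}:
            return "TCP-SYN"            # half-open: SYN with nothing after it
        if flags == {"S", "A"}:
            return "SYN-ACK"            # handshake replies reflected at the victim
        if "R" in flags:
            return "TCP RST Flood"
        if "S" not in flags:
            return "TCP Out-of-State"   # ACK/PSH/FIN without any handshake seen
        return "Established TCP"        # full handshake seen: legitimate session
    return "Other"


def summarize(flows, victim, window_s):
    """Per-vector (bits/s, packets/s, average packet bytes) for traffic toward victim."""
    octets = defaultdict(int)
    packets = defaultdict(int)
    for f in flows:
        if f.dst_ip != victim:
            continue
        v = vector_of(f)
        octets[v] += f.octets
        packets[v] += f.packets
    return {v: (octets[v] * 8 / window_s, packets[v] / window_s, octets[v] / packets[v])
            for v in octets}


def alerts(summary, bps=ALERT_BPS, pps=ALERT_PPS):
    """Vectors whose volume or packet rate exceeds a threshold, sorted by name."""
    return sorted(v for v, (b, p, _) in summary.items() if b >= bps or p >= pps)


VICTIM = "203.0.113.10"   # constructed victim address (documentation range)


def sample_window():
    """Constructed 10-second window: NTP reflection, SYN flood and legitimate HTTPS."""
    flows = []
    # 50 open NTP servers, each reflecting 60,000 monlist-sized (468-byte) packets.
    for i in range(50):
        flows.append(Flow("udp", f"198.51.100.{i + 1}", 123, VICTIM, 40000 + i,
                          60_000, 60_000 * 468))
    # 200 spoofed sources, each sending 50,000 bare 60-byte SYNs.
    for i in range(200):
        flows.append(Flow("tcp", f"192.0.2.{i % 254 + 1}", 1024 + i, VICTIM, 443,
                          50_000, 50_000 * 60, "S"))
    # 100 legitimate HTTPS sessions: full handshake, 200 packets of 1,000 bytes each.
    for i in range(100):
        flows.append(Flow("tcp", f"198.51.100.{200 + i % 50}", 50_000 + i, VICTIM, 443,
                          200, 200_000, "SPA"))
    return flows


if __name__ == "__main__":
    s = summarize(sample_window(), VICTIM, 10.0)
    for v, (b, p, avg) in sorted(s.items()):
        print(f"{v:16} {b / 1e9:6.2f} Gbps {p / 1e3:8.1f} kpps avg {avg:6.0f} B")
    print("alert:", alerts(s))
```

The point of keeping two thresholds is visible in the constructed window: the NTP reflection trips the volume threshold at 1.12 Gbps but only 300 kpps, while the SYN flood carries under 0.5 Gbps and would be missed by a bits-per-second view, yet is clearly a 1 Mpps packet-rate attack. Real flow exporters sample, so the sizes here should be read as per-window totals after scaling.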
Why aren’t we surviving? Few prepared.
Existing Solutions – Multiple and Manual
Q: What degree of manual tuning or configuration does your current solution require?
Over 80% of solutions require a medium to high degree of manual tuning
Less than 20% require a low degree and are considered mostly automatic
Multiple solutions used by almost all (91%)
Only 6% use only one solution against cyber-attacks
Degree of manual tuning: High 24%, Medium 58%, Low 17%
Protection Gaps - Across the Board
Q: Where, if at all, do you think you have a weakness against DDoS attacks?
A true protection gap exists for most organizations today
Weaknesses are spread evenly among all attack types
Volumetric and HTTPS/SSL protection lead the gap
(Chart: share of respondents naming each weakness, values between 19% and 33%; axis 0%-40%)
We’re bringing a knife to a gun fight
It’s time to bring a gun to a gun fight
Hybrid Solution is Needed
Multi-vector attacks target all layers of the infrastructure
(Diagram: attacks and protections along the path Internet Pipe → Firewall → IPS/IDS → Load Balancer/ADC → Server Under Attack → SQL Server)
Attacks by layer:
- Internet pipe: large volume network flood attacks
- Firewall and IPS/IDS: SYN floods, network scan
- Load Balancer/ADC: SSL floods
- Server under attack: HTTP floods, “Low & Slow” DoS attacks (e.g. Slowloris), app misuse, brute force
- SQL Server: XSS, CSRF, SQL injections
Protections: On-Demand Cloud DDoS; on-premise DoS protection, behavioral analysis, IPS, SSL protection and WAF
Automated & Synchronized Solution
All security elements, on-premise and in the cloud, exchange Defense Messaging for more accurate detection and protection and minimal impact on service level.

Behavioral-Based Detection
To prevent service-level impact on legitimate traffic
(Diagram: Behavioral-Based Detection (Radware) vs. Rate-Based Detection (Non-Radware))
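The slide contrasts rate-based and behavioral detection without showing where the difference bites: a pure request-rate threshold cannot tell a flash crowd from an HTTP flood, and clamping rate is exactly the "service-level impact on legitimate traffic" the deck warns about. The following added example (not Radware's detection logic, and not from the deck) runs both detectors over constructed traffic windows: a baseline is learned from clean windows, a rate-based check fires on rate alone, the behavioral check additionally requires the traffic mix (per-URL and per-User-Agent shares) to depart from baseline, and the deviating values are then turned into a blocking signature, which is the same idea as the real-time signature generation mentioned later in the deck. Window layout, thresholds (3 standard deviations, 0.25 total-variation shift) and the traffic figures are assumptions.

```python
"""Rate-based vs. behavioral HTTP-flood detection, with a blocking signature.

Added example with constructed traffic windows. Each window is a dict with the
request rate ("rps") and the share of requests per URL ("by_url") and per
User-Agent ("by_ua") observed during that window.
"""
from statistics import mean, pstdev


def _avg_dist(dists):
    """Average several share distributions into one baseline distribution."""
    keys = set().union(*dists)
    return {k: sum(d.get(k, 0.0) for d in dists) / len(dists) for k in keys}


def learn_baseline(windows):
    """Learn the normal rate (mean, stdev) and the normal traffic mix from clean windows."""
    rates = [w["rps"] for w in windows]
    return {
        "rps_mean": mean(rates),
        "rps_std": pstdev(rates) or 1.0,   # avoid a zero band when all windows are equal
        "by_url": _avg_dist([w["by_url"] for w in windows]),
        "by_ua": _avg_dist([w["by_ua"] for w in windows]),
    }


def rate_alert(window, base, z=3.0):
    """Rate-based detection: fire when the rate is z stdevs above the baseline mean."""
    return window["rps"] > base["rps_mean"] + z * base["rps_std"]


def distribution_shift(observed, expected):
    """Total-variation distance between two share distributions: 0 (same) to 1."""
    keys = set(observed) | set(expected)
    return 0.5 * sum(abs(observed.get(k, 0.0) - expected.get(k, 0.0)) for k in keys)


def behavioral_alert(window, base, max_shift=0.25):
    """Behavioral detection: rate is up AND the traffic mix departs from baseline."""
    if not rate_alert(window, base):
        return False
    return (distribution_shift(window["by_url"], base["by_url"]) > max_shift
            or distribution_shift(window["by_ua"], base["by_ua"]) > max_shift)


def generate_signature(window, base, min_excess=0.2):
    """Real-time signature: the URL / User-Agent whose share grew most over baseline."""
    signature = {}
    for field in ("by_url", "by_ua"):
        excess = {k: v - base[field].get(k, 0.0) for k, v in window[field].items()}
        key, grown = max(excess.items(), key=lambda kv: kv[1])
        if grown >= min_excess:
            signature[field] = key
    return signature


# Constructed data: four clean one-minute windows, then two anomalous ones.
NORMAL_MIX = {"by_url": {"/": 0.5, "/login": 0.3, "/api": 0.2},
              "by_ua": {"Chrome": 0.6, "Firefox": 0.3, "Safari": 0.1}}
BASELINE_WINDOWS = [{"rps": r, **NORMAL_MIX} for r in (90, 100, 110, 100)]
# Flash crowd: five times the traffic, same mix of URLs and browsers.
FLASH_CROWD = {"rps": 500, **NORMAL_MIX}
# HTTP flood: a script hammering /login from an unusual User-Agent.
HTTP_FLOOD = {"rps": 5000,
              "by_url": {"/login": 0.9, "/": 0.06, "/api": 0.04},
              "by_ua": {"python-requests/2.9": 0.85, "Chrome": 0.1, "Firefox": 0.05}}


def demo():
    """Run both detectors on the flash crowd and the flood; return the verdicts."""
    base = learn_baseline(BASELINE_WINDOWS)
    return {
        "flash_crowd": (rate_alert(FLASH_CROWD, base), behavioral_alert(FLASH_CROWD, base)),
        "http_flood": (rate_alert(HTTP_FLOOD, base), behavioral_alert(HTTP_FLOOD, base)),
        "signature": generate_signature(HTTP_FLOOD, base),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On the constructed data the rate-based check fires on both windows, so a rate-only mitigation would rate-limit the flash crowd (real customers) exactly as it would the flood. The behavioral check fires only on the flood, and the signature it emits (`/login` plus the `python-requests/2.9` User-Agent) lets the mitigation drop the attacking requests while the rest of the traffic, including a genuine surge, passes. The fields used for the mix are a choice; source AS, header order or TLS fingerprint work the same way as extra distributions.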
Automation in Attack Mitigation
- Anti-Bot Device Fingerprinting (attributes: Operating System, System Fonts, Browser Plug-ins, Screen Resolution, Local IPs)
- Real-Time Signature Generation (slide callout: “18 SECONDS”)
- Adaptive & Automated Security Protection
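The slide lists the attributes that go into a device fingerprint but not what the fingerprint is then used for. The value of fingerprinting against automated attacks is that a botnet rotating through many source IPs usually shares one client profile, while many legitimate users behind one NAT address each have their own. The following added example (not Radware's anti-bot implementation, and not from the deck) hashes the listed attributes into a fingerprint and counts requests per fingerprint instead of per IP over a constructed window; the request record layout, the attribute encodings, the bot profile and the 20 rps / 5-IP thresholds are assumptions.

```python
"""Anti-bot device fingerprinting: count requests per device fingerprint, not per IP.

Added example with constructed request records. The fingerprint attributes are the
ones listed on the slide; how a real product collects them in the browser is not shown.
"""
import hashlib
from collections import defaultdict

FINGERPRINT_FIELDS = ("os", "fonts", "plugins", "screen", "local_ips")


def fingerprint(attrs):
    """Hash the client-reported attributes into a short, stable device identifier."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def per_ip_rate(requests, window_s):
    """Classic view: requests per second for each source IP."""
    counts = defaultdict(int)
    for r in requests:
        counts[r["ip"]] += 1
    return {ip: n / window_s for ip, n in counts.items()}


def detect_bots(requests, window_s, max_rps=20.0, max_ips=5):
    """Flag fingerprints that send too fast or appear from too many source IPs."""
    stats = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in requests:
        fp = fingerprint(r["attrs"])
        stats[fp]["count"] += 1
        stats[fp]["ips"].add(r["ip"])
    flagged = {}
    for fp, s in stats.items():
        rps = s["count"] / window_s
        if rps > max_rps or len(s["ips"]) > max_ips:
            flagged[fp] = {"rps": rps, "ips": len(s["ips"])}
    return flagged


# Constructed: one headless-browser profile reused across a 50-node botnet.
BOT_ATTRS = {"os": "Linux x86_64", "fonts": "", "plugins": "",
             "screen": "800x600", "local_ips": ""}
OFFICE_IP = "198.51.100.7"   # many real users behind one NAT address (constructed)


def sample_requests():
    """10-second window: botnet from 50 IPs, 30 office users behind one IP, 3 home users."""
    reqs = []
    for i in range(50):                       # 10 requests from each bot node
        reqs += [{"ip": f"192.0.2.{i + 1}", "attrs": BOT_ATTRS}] * 10
    for i in range(30):                       # distinct machines, same NAT address
        attrs = {"os": "Windows 10", "fonts": f"Arial,Calibri,Corp{i}", "plugins": "pdf",
                 "screen": "1920x1080", "local_ips": f"10.0.0.{i + 10}"}
        reqs += [{"ip": OFFICE_IP, "attrs": attrs}] * 10
    for i in range(3):                        # ordinary home users
        attrs = {"os": "macOS", "fonts": f"Helvetica,Home{i}", "plugins": "",
                 "screen": "1440x900", "local_ips": f"192.168.1.{i + 2}"}
        reqs += [{"ip": f"203.0.113.{i + 1}", "attrs": attrs}] * 5
    return reqs


if __name__ == "__main__":
    reqs = sample_requests()
    rates = per_ip_rate(reqs, 10.0)
    print("per-IP rate, office NAT:", rates[OFFICE_IP], "rps")
    print("per-IP rate, one bot:   ", rates["192.0.2.1"], "rps")
    print("flagged fingerprints:", detect_bots(reqs, 10.0))
```

Per IP, the office NAT address is the loudest client at 30 rps while every bot node sits at a harmless 1 rps, so an IP-based limit of 20 rps would block the office and pass the botnet. Per fingerprint the picture inverts: the single bot profile shows 50 rps from 50 addresses and is the only thing flagged. The caveat a practitioner should keep in mind is that these attributes are self-reported by client-side script and can be randomised or replayed, and a standard corporate desktop image makes many legitimate users look identical, so fingerprint counts are one signal to combine with behavioral rate detection rather than a standalone block decision.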
Summary: What Can You Do?
Preparedness is Key. Multi-layered solutions are a must. Services are important.
Bet on Automation. It has become necessary to fight automated threats with automation technology.
Cover the Blind Spot. Choose a solution with the widest coverage to protect from multi-vector attacks.
Multi-Layered Solution. Look for a single-vendor, hybrid solution that can protect networks and applications from a wide range of attacks, and includes DoS protection, behavioral analysis, IPS, encrypted attack protection and a web application firewall (WAF).
Protect from Encrypted Attacks. SSL-based DDoS mitigation deployments must not affect legitimate traffic performance.
Single point of contact is crucial when under attack - it will help to divert internet traffic and deploy mitigation solutions.