Pushed to the Limit! Network and Application Security Threat Landscape 2017-8
January 2018
Agenda
• Global Trends
• Changes in the Attack Vector Landscape
• Business Concerns
• What's Around the Corner?
• Example Attacks in the Adriatics
• Summary and Predictions
Radware Annual Security Reports

Source #1: Radware Industry Survey (1,250 respondents)
• Number of employees: 10,000+ (25%), <100 (22%), 100-499 (17%), 500-999 (8%), 1,000-2,999 (5%), 3,000-9,999 (13%)
• Region: North America (48%), Europe (25%), APAC (18%), Central / South America (6%), Africa & Middle East (4%)
• Verticals: Retail and Ecommerce; Technology Products & Services; Financial Services; Education; Government & Civil Service; Healthcare

Source #2: ERT Threat Research Center
• 2017 real-life attack data, security alerts and threat research
• A team of security experts providing fast mitigation for organizations under attack
• Cases covered include WannaCry, OpIcarus, XMR Squad, the Mirai botnet, BrickerBot, OpKillingBay and the CodeFork group
Global Trends

Global Trends in Threats & Attacks
• Cyber-security pushed to the limit
• IoT integration complicates security management
• BTC value and cybercrime climb to new heights
• Data protection is the top business concern
• Bots challenge defense systems, generating fictitious demand
Slovenia Trends: Shift Towards Application Layer
Attacks: volume and non-volume. Network volumetric attacks versus application attacks, with a large increase in application attacks.
• Attack vectors (chart values, in the order listed): SYN (22%), HTTP (6%), DNS (41%), UDP (3%), NTP (27%), TCP handshake violation (1%)
• Attack category (chart values, in the order listed): anomalies (22%), network DDoS (47%), application DDoS (DNS) (17%), intrusions (13%), SYN flood (1%)
• Attack duration: 63% of attacks were bursts of less than 1 minute; 37% were steady floods of more than 1 hour
Cryptocurrency Prosperity Drives Cybercrime
• Ransom is the motivation behind 50% of the attacks
• Incidence has grown by 40% year-over-year
• One in eight organizations suffered DDoS extortion
• Ransom is the top concern of security professionals in 2018
• Ransom as motivation tripled: 16% (2014), 25% (2015), 41% (2016), 50% (2017)
Protecting Sensitive Data is the #1 Concern
• 45% have suffered a data breach
• 30% of customers will ask for compensation, leave, or file a suit following a data breach
• 28% name data theft as the #1 security challenge
• 72% are not fully prepared for GDPR
• 26% see data protection as the top concern in 2018
• 16% intend to invest more in data protection in 2018
IoT Security – an Orphan Child
• Management complexity is the greatest concern of IoT integration. What is your greatest fear when integrating IoT devices into your network? More difficulty in security management (47%), DDoS attacks (18%), malware propagation (15%), high rate of false alarms (9%), requiring more headcount (9%), other (3%)
• No agreement on who is accountable for securing IoT devices. Who is accountable for risks posed by IoT devices as hubs? Business organization (35%), manufacturer (34%), private consumer (21%), service provider (11%)
• 1 in 6 organizations report suffering an IoT botnet attack in 2017. Have you experienced DDoS attacks by an IoT botnet? Yes (17%), no (52%), don't know / not sure (31%)
The Rise of the Botnets - Is Your Data in Good Hands?
• For some organizations, bots represent more than 75% of their total traffic
• 79% of organizations cannot distinguish between 'good' bots and 'bad' ones
• What can bots do?
1. DDoS attacks
2. Web scraping - steal data and intellectual property
3. Manipulate pricing
4. Hold inventory
APIs – the Next Weak Link
Common API vulnerabilities
• Access violations
• Protocol attacks
• Unvalidated redirects
• Parameter manipulations
• Irregular JSON/XML expressions
API security is often overlooked – data transferred over APIs is not subject to inspection or validation
• 51% don't analyze API vulnerabilities prior to integration
• 60% share and consume sensitive data via APIs
• 52% don't inspect data transferred via APIs
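The slide lists the vulnerability classes but not what "inspection or validation" of API traffic looks like in practice. The following is an added example, not code from the deck or from Radware: an allowlist validator for a hypothetical JSON endpoint (`POST /api/v1/transfer`, with invented field names, limits and redirect hosts) that rejects parameter manipulation (extra fields, type confusion, out-of-range values), unvalidated redirects (only https URLs to allowlisted hosts pass) and irregular JSON (oversized or deeply nested bodies).

```python
"""Added example (not from the Radware deck): allowlist validation for a JSON API
request, covering parameter manipulation, unvalidated redirects and irregular JSON.
The endpoint, field names, limits and hosts are hypothetical."""
import json
from urllib.parse import urlparse

MAX_BODY_BYTES = 4096          # assumption: cap on request body size
MAX_DEPTH = 4                  # assumption: cap on JSON nesting depth
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "billing.example.com"}  # hypothetical

# Hypothetical schema for POST /api/v1/transfer: only these fields are accepted.
TRANSFER_SCHEMA = {
    "account_id":   {"type": str, "min_len": 1, "max_len": 32},
    "amount_cents": {"type": int, "min": 1, "max": 10_000_000},
    "currency":     {"type": str, "choices": {"EUR", "USD"}},
    "return_url":   {"type": str, "max_len": 512, "redirect": True},
}


class ValidationError(ValueError):
    pass


def _depth(obj, level=1):
    """Nesting depth of a parsed JSON value (dicts and lists count as levels)."""
    if isinstance(obj, dict):
        return max([_depth(v, level + 1) for v in obj.values()] or [level])
    if isinstance(obj, list):
        return max([_depth(v, level + 1) for v in obj] or [level])
    return level


def parse_body(raw: bytes) -> dict:
    """Parse JSON with size and depth limits; the root must be an object."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        obj = json.loads(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValidationError(f"malformed JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise ValidationError("root must be an object")
    if _depth(obj) > MAX_DEPTH:
        raise ValidationError("nesting too deep")
    return obj


def check_redirect(url: str) -> str:
    """Accept only absolute https URLs whose host is allowlisted (no open redirect).
    urlparse().hostname strips userinfo, so 'https://app.example.com@evil.net/' fails."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValidationError(f"redirect target not allowed: {url!r}")
    return url


def validate(body: dict, schema: dict) -> dict:
    """Allowlist enforcement: unknown fields, wrong types and out-of-range values
    are rejected. bool is refused for int fields because bool subclasses int."""
    unknown = set(body) - set(schema)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, rule in schema.items():
        if name not in body:
            raise ValidationError(f"missing field: {name}")
        val = body[name]
        if not isinstance(val, rule["type"]) or isinstance(val, bool):
            raise ValidationError(f"{name}: wrong type")
        if "min" in rule and val < rule["min"]:
            raise ValidationError(f"{name}: below minimum")
        if "max" in rule and val > rule["max"]:
            raise ValidationError(f"{name}: above maximum")
        if "min_len" in rule and len(val) < rule["min_len"]:
            raise ValidationError(f"{name}: too short")
        if "max_len" in rule and len(val) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        if "choices" in rule and val not in rule["choices"]:
            raise ValidationError(f"{name}: not an allowed value")
        if rule.get("redirect"):
            val = check_redirect(val)
        clean[name] = val
    return clean


def handle_transfer(raw: bytes) -> dict:
    """Hypothetical handler: {"ok": True, "data": ...} or {"ok": False, "error": ...}."""
    try:
        return {"ok": True, "data": validate(parse_body(raw), TRANSFER_SCHEMA)}
    except ValidationError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    good = b'{"account_id":"ACC-1","amount_cents":1500,"currency":"EUR","return_url":"https://app.example.com/done"}'
    print(handle_transfer(good))
    print(handle_transfer(good.replace(b'"currency"', b'"role":"admin","currency"')))
```

The redirect check compares `hostname`, not a string prefix, so `https://app.example.com.evil.net/` and `https://app.example.com@evil.net/` both fail; the type check rejects `true` for an integer field, which a naive `isinstance(val, int)` would accept.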
Changes in the Attack Vector Landscape

DDoS Attacks: Shift Towards Application Layer
• Application attacks become the preferred DDoS vector (application share of DDoS attacks up 10% versus network)
• Network attacks declined significantly
• HTTP/S and TCP-SYN floods are causing the most damage
• 1 in every 5 attacks exceeds 1Gbps
• Chart values per vector: HTTP (37%), HTTPS (28%), DNS (33%), SMTP (23%), VOIP (7%), TCP SYN flood (35%), UDP (23%), ICMP (18%), TCP-Other (12%), IPv6 (10%), Other (4%)
Slovenia Top Attacks: Shift Towards Application Layer
• Large increase in application attacks relative to network attacks
• Top volumetric attacks (Mbps, chart scale 0-3,000): NTP reflection, UDP flood, SYN flood
• Top PPS-rate attacks (millions of packets per second, chart scale 0-3): NTP reflection, UDP flood, SYN flood
• Top attacks per application (chart scale 0-2,000): Junk, HTTPS, NTP, HTTP, DNS, SSH/Telnet, 0 (Zero)
DNS Attack Vectors 2017
• 41% suffered a DoS attack against their DNS server
• Brute force attacks and basic query floods are the most common vectors
• Which of these attack vectors did you experience? Brute force (49%), basic query flood (42%), recursive flood (34%), reflective amplification attack (26%), cache poisoning (20%)
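The survey names the vectors without showing how they look from the server side. As an added example (not from the deck or Radware), the block below sorts clients of a hypothetical authoritative server for `bank.example` into three of those categories from a query log: a basic query flood (one name hammered), a name brute force (the deck's "brute force" read here, as an assumption, as random-label lookups that all return NXDOMAIN) and a recursive flood (recursion-desired queries for zones the server does not serve). The log format, thresholds and heuristics are assumptions, and the log lines are constructed.

```python
"""Added example (not from the Radware deck): sort clients of an authoritative DNS
server into the slide's vector categories (basic query flood, name brute force,
recursive flood) from a query log. Log format, thresholds and heuristics are
assumptions; the log below is constructed."""
from collections import defaultdict

AUTHORITATIVE_ZONES = ("bank.example",)   # hypothetical zones this server serves

# Thresholds (assumptions; tune against the real server's baseline)
FLOOD_QPS = 50.0        # sustained queries per second from a single client
NXDOMAIN_RATIO = 0.8    # share of NXDOMAIN answers typical of brute-forcing names
UNIQUE_RATIO = 0.9      # share of never-repeated names (random-subdomain pattern)
RECURSIVE_RATIO = 0.8   # share of recursion-desired queries for foreign zones


def constructed_log():
    """Lines of 'epoch_seconds client qname rd(0/1) rcode' (constructed sample)."""
    t0, lines = 1500000000, []
    for i in range(5):                         # legitimate client: a few lookups per minute
        lines.append(f"{t0 + i * 12} 198.51.100.7 www.bank.example 0 NOERROR")
    for i in range(3000):                      # basic query flood: one name hammered
        lines.append(f"{t0 + i // 300} 203.0.113.9 www.bank.example 0 NOERROR")
    for i in range(1200):                      # name brute force: random labels, all NXDOMAIN
        lines.append(f"{t0 + i // 120} 203.0.113.10 h{i:05x}.bank.example 0 NXDOMAIN")
    for i in range(900):                       # recursive flood: RD=1 for names we don't serve
        lines.append(f"{t0 + i // 90} 203.0.113.11 r{i}.example.net 1 SERVFAIL")
    return lines


def _in_zone(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def parse(lines):
    """Per-client counters: total, time span, NXDOMAIN, foreign recursive, distinct names."""
    stats = defaultdict(lambda: {"n": 0, "first": None, "last": None,
                                 "nx": 0, "rd_foreign": 0, "names": set()})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, rd, rcode = line.split()
        ts, qname = int(ts), qname.lower().rstrip(".")
        s = stats[client]
        s["n"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        if rd == "1" and not _in_zone(qname):
            s["rd_foreign"] += 1
    return stats


def classify(stats):
    """Map client -> sorted list of vector labels (empty list for benign clients)."""
    verdicts = {}
    for client, s in stats.items():
        qps = s["n"] / max(s["last"] - s["first"], 1)
        labels = []
        if qps >= FLOOD_QPS:
            if s["nx"] / s["n"] >= NXDOMAIN_RATIO and len(s["names"]) / s["n"] >= UNIQUE_RATIO:
                labels.append("name-brute-force")
            if s["rd_foreign"] / s["n"] >= RECURSIVE_RATIO:
                labels.append("recursive-flood")
            if not labels:
                labels.append("basic-query-flood")
        verdicts[client] = sorted(labels)
    return verdicts


if __name__ == "__main__":
    for client, labels in classify(parse(constructed_log())).items():
        print(client, labels or "ok")
```

Per-client counting is the wrong tool for the remaining survey vector, reflective amplification: there the source addresses are spoofed victims, so the defence is response rate limiting and refusing recursion for outsiders rather than blocking the "client".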
Emerging DDoS Attack Vectors
• Experienced in 2017: permanent denial of service (PDoS) 7%, SSL-based attacks 31%, IoT botnets 16%, burst attacks 42%
• Concerned with in 2018: permanent denial of service (PDoS) 15%, SSL-based attacks 57%, IoT botnets 13%, burst attacks 10%
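The Slovenia trends slide defines a burst as an attack shorter than one minute and a steady flood as one longer than an hour, and this slide reports bursts as the most experienced emerging vector. As an added example (not from the deck or Radware), the block below classifies attack episodes in a per-second packet-rate series using those two definitions, and shows why bursts slip past a detector that waits for a long confirmation window before alerting. The series, the 10x-median attack threshold and the 60-second confirmation window are constructed assumptions.

```python
"""Added example (not from the Radware deck): classify DDoS episodes in a per-second
packet-rate series as bursts (<1 min) or steady floods (>1 hour), and show why a
detector needing a long confirmation window misses bursts. Series is constructed."""
from statistics import median

BURST_MAX_SECONDS = 60          # deck: burst = less than 1 minute
STEADY_MIN_SECONDS = 3600       # deck: steady flood = more than 1 hour
ATTACK_MULTIPLIER = 10          # assumption: attack = rate above 10x the quiet median


def constructed_series():
    """Per-second packets-per-second counters for 3 hours (constructed)."""
    total = 3 * 3600
    rates = [1000 + (i % 7) * 30 for i in range(total)]   # quiet baseline around 1 kpps
    for t in range(600, 640):                  # 40-second burst at 200 kpps
        rates[t] = 200_000
    for t in range(3000, 3000 + 4200):         # 70-minute steady flood at 50 kpps
        rates[t] = 50_000
    for t in range(8000, 8025):                # second burst, 25 seconds at 300 kpps
        rates[t] = 300_000
    return rates


def find_episodes(rates, multiplier=ATTACK_MULTIPLIER):
    """Return (start, duration_seconds, peak_rate) for each run above threshold."""
    threshold = multiplier * median(rates)
    episodes, start = [], None
    for t, r in enumerate(rates):
        if r > threshold and start is None:
            start = t
        elif r <= threshold and start is not None:
            episodes.append((start, t - start, max(rates[start:t])))
            start = None
    if start is not None:
        episodes.append((start, len(rates) - start, max(rates[start:])))
    return episodes


def classify(duration_seconds):
    if duration_seconds < BURST_MAX_SECONDS:
        return "burst"
    if duration_seconds > STEADY_MIN_SECONDS:
        return "steady-flood"
    return "intermediate"


def report(rates):
    """(start, duration, class) per episode, at one-second granularity."""
    return [(start, dur, classify(dur)) for start, dur, _ in find_episodes(rates)]


def slow_detector(rates, confirm_seconds=60, multiplier=ATTACK_MULTIPLIER):
    """A detector that alerts only after confirm_seconds consecutive seconds above
    threshold (typical of coarse polling). Returns the start second of each alert."""
    threshold = multiplier * median(rates)
    alerts, run = [], 0
    for t, r in enumerate(rates):
        run = run + 1 if r > threshold else 0
        if run == confirm_seconds:
            alerts.append(t - confirm_seconds + 1)
    return alerts


if __name__ == "__main__":
    series = constructed_series()
    print("episodes:", report(series))            # two bursts and one steady flood
    print("slow detector alerts at:", slow_detector(series))   # only the flood
```

The second-granularity report sees all three episodes; the detector with a 60-second confirmation window raises exactly one alert, for the 70-minute flood, and is blind to both bursts, which is the operational reason burst attacks are listed as an emerging vector.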
Bot Attacks
• Web scraping is the main plague
• Two of five report bot traffic exceeding 75%
• 44% still can't distinguish between bots and a flash mob
• Web scraping impact: inventory depleted, e.g., sold out within minutes (32%); inventory held, customers cannot complete purchase (45%); website copied, screen-captured or content (39%); intellectual property stolen, such as pricing (56%)
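Both bot slides (79% cannot tell 'good' bots from 'bad' ones above, and the scraping impact here) come down to one check: a scraper can copy a search engine's User-Agent string, so the claim has to be verified against the network. As an added example (not from the deck or Radware), the block below does forward-confirmed reverse DNS: resolve the client address to a name, require the name to fall under the crawler operator's published domain, then resolve the name forward and require it to map back to the same address. The resolver is injected so the check runs offline against a constructed lookup table; `live_resolver` shows the real calls. The rDNS suffixes (Google: googlebot.com, google.com; Bing: search.msn.com) are those operators' published guidance, not something the deck states.

```python
"""Added example (not from the Radware deck): tell a genuine search-engine crawler
from a scraper that merely copies its User-Agent, using forward-confirmed reverse DNS.
The resolver is injected so the check runs offline here; the lookup table is constructed."""
import ipaddress
import socket

# Claimed crawler token in the User-Agent -> rDNS suffixes the operator publishes
KNOWN_CRAWLERS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


def live_resolver(ip):
    """Real lookups: reverse (PTR), then forward (A/AAAA). Not used in the offline demo."""
    host = socket.gethostbyaddr(ip)[0]
    forward = {a[4][0] for a in socket.getaddrinfo(host, None)}
    return host, forward


# Constructed table standing in for DNS: ip -> (PTR name, forward addresses of that name)
FAKE_DNS = {
    "66.249.66.1":  ("crawl-66-249-66-1.googlebot.com", {"66.249.66.1"}),   # genuine
    "203.0.113.50": ("scraper.hosting.example", {"203.0.113.50"}),           # plain scraper
    "198.51.100.9": ("x.googlebot.com.attacker.example", {"198.51.100.9"}),  # lookalike name
    "192.0.2.77":   ("crawl-x.googlebot.com", {"66.249.66.2"}),              # spoofed PTR
}


def fake_resolver(ip):
    if ip not in FAKE_DNS:
        raise OSError("no PTR record")
    return FAKE_DNS[ip]


def claimed_crawler(user_agent):
    """Which known crawler, if any, the User-Agent claims to be."""
    for token in KNOWN_CRAWLERS:
        if token in user_agent:
            return token
    return None


def classify_client(ip, user_agent, resolver=fake_resolver):
    """Return 'verified-bot', 'impersonator' or 'unverified' (human or unknown bot)."""
    token = claimed_crawler(user_agent)
    if token is None:
        return "unverified"
    try:
        host, forward_ips = resolver(ip)
    except OSError:
        return "impersonator"          # claims a crawler but cannot be verified
    host = host.rstrip(".").lower()
    # Suffix match on whole labels: 'x.googlebot.com.attacker.example' must not pass.
    suffix_ok = any(host == s or host.endswith("." + s) for s in KNOWN_CRAWLERS[token])
    # Forward confirmation: the PTR name must resolve back to the connecting address,
    # otherwise anyone controlling their own reverse zone could spoof the name.
    forward_ok = ipaddress.ip_address(ip) in {ipaddress.ip_address(a) for a in forward_ips}
    return "verified-bot" if suffix_ok and forward_ok else "impersonator"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in FAKE_DNS:
        print(ip, classify_client(ip, ua))
```

For production use pass `resolver=live_resolver` and cache results per address; verified crawlers can then be exempted from rate limits while impersonators are challenged or blocked, which is the split the 79% in the survey cannot make.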
Timeline of IoT botnets and related events:
• 2012: Aidra
• 2014: MrBlack, TheMoon, Bashlite
• 2015: Moose
• 2016: 08/2016 Mirai; 08/2016 Rakos; 09/20 Krebs; 09/21 OVH; 09/30 Mirai source leaked; 10/19 Hajime; 10/21 DYN; 10/29 IRCTelnet (new Aidra); 11/23 400k+ Mirai botnet for rent by 'BestBuy'; 11/27 DT, TalkTalk, Post Office UK – TR-069 exploit; 12/21 Leet botnet: 650Gbps/150Mpps DDoS attack
• 2017: 01/30 Linux.Proxy.10; 02/22 Mirai turns to Windows; 02/22 'BestBuy' arrested in UK; 03/13 Imeij; 04/07 Amnesia; 04/10 BrickerBot; 05/09 Persirai; 08/30 WireX; 09/14 RouteX; 09/26 Linux.ProxyM; 10/23 Reaper; 11/23 Satori; 12/13 Mirai authors plead guilty
• 2018: 01/17 Satori continues; 01/25 Masuta; 02/03 ADB.miner; 02/08 JenX; 02/15 DoubleDoor; 02/21 OMG
Failure Points in the Data Center
• Internet pipe saturation incidence grew 50% from 2016
• Servers are compromised the most, as they keep the lucrative data
• 40% growth in complete outages over mere service degradation
• Failure point distribution: Internet pipe (saturation) 37%, firewall 17%, IPS/IDS 6%, load balancer (ADC) 4%, the server under attack 35%, SQL server 1%
Vertical Highlights
• 40% of retailers report bot traffic above 75% of total
• 42% of education institutes actually fear availability issues over data theft or reputation loss
• 31% of service providers intend to invest in DDoS mitigation in 2018
• 24% of government and public sector organizations suffer attacks daily
• 73% of healthcare organizations express low to medium confidence in securing patient records
• 44% of financial institutions do not track the dark web after a data security breach
Business Concerns of Cyber-Attacks

Biggest Business Concern When Attacked
• Data loss followed by reputation loss were the biggest concerns
• Fewer were concerned with revenue loss this year
• What is your concern if faced with a cyber-attack? Data leakage / information loss (28%), availability / SLA degradation (23%), reputation loss (17%), revenue loss (13%), customer / partner loss (10%), productivity loss (10%)
Cost of a Cyber-Attack
1. 78% of organizations make no cyber-attack cost analysis
2. Those who do estimate the cost at more than double what the others assume
3. Most believe attacks cost less than $100K USD
Chart: distribution of estimated attack cost, split by whether the organization performs a cost analysis (yes: 41%, 20%, 11%, 10%, 5%, 4%, 4%, 5% across the cost buckets; no: 56%, 16%, 9%, 11%, 4%, 2%, 2%); the bucket labels are not shown on the slide
Security Measures Following Attacks
• In general, customers are not holding organizations responsible for cyber-attacks
• Customers filing lawsuits following data breaches or DDoS downtime are more common in APAC
• Has any of your customers taken measures because of an attack against your organization? Per attack type (malware contamination and propagation / data breach / DDoS downtime): customers asking for compensation 9% / 9% / 13%; lawsuits 7% / 10% / 5%; customers leaving 9% / 11% / 12%; no measures taken 75% / 70% / 70%
Multiple Touchpoints = Higher Risk
• Organizations do not take all the necessary measures when their application services communicate with 3rd party services
• 47% do not use encryption
• Which data types do you share with 3rd parties? Username / password (72%), payment details (50%), personally identifiable information (42%), user behavior / preferences / analytics (32%)
Application Security Concerns
Most organizations feel they can handle the OWASP Top 10 pretty well. They fear:
1. Application layer DDoS
2. Encrypted / SSL-based attacks
3. API manipulations
4. Data breach
Which attacks against applications are most difficult to prevent, detect and contain? Layer 7 DDoS (62%), encrypted web attacks (SSL/TLS-based) (57%), API manipulations (48%), data security breach (44%), brute force (25%), cross-site scripting (15%), web scraping (13%), SQL injection (13%), cross-site request forgery (13%)
Additional Gaps in Preparedness
• 30% will hire hackers to work in their security team
• 41% of security professionals trust the employees in their organizations
• 33% of organizations do not have an incident response plan in place
• 68% are not confident in their security posture
• 36% have a limited understanding of the blockchain mechanism
• 25% report an application exploit attempt every week
What's Around the Corner?

Biggest Threats in 2018
Ransom and data theft are seen as the two biggest threats in the coming year
Which of the following attacks against applications and/or web servers are most difficult to prevent, detect and contain? Ransom (26%), data theft (26%), application vulnerabilities (22%), IoT botnets (13%), permanent denial of service (8%), API integration (3%), other (2%)
Projected Investments in 2018
The most popular investment areas are guarding sensitive data, endpoint protection, and SIEM/analytics.
My 2018 investment will be in: in-house expertise and application infrastructure (28%), endpoint and malware protection (26%), security management & analytics (20%), data leakage prevention (16%), DDoS protection (10%)
Adopting Artificial Intelligence / Machine Learning
Better security is the #1 motivation for exploring AI solutions
• 20% already rely on machine learning / AI based protections; 28% plan to integrate; 52% neither
• Motivation for exploring AI solutions: better security (63%), simpler manageability (27%), filling in the skill gap (27%), gaining a competitive advantage (25%), cost reduction (25%), other (8%)
Examples of Risk to Financial Institutions, such as in the Adriatic Region
Ransom
• Ransom Denial of Service (RDoS)
• Objective: cryptocurrencies
• Threatens use of the latest techniques
• Increase in extortions
• Decrease in attacks
• South Korea – 2017
– 7 banks
– $315,000 USD demanded
– 5Gbps sample attack
– Came in the wake of the Nayana ransomware extortion
Local Heists
• Jackpotting ATMs
• 2010: Barnaby Jack @ Black Hat
– Vector 1: remote attack
– Vector 2: key + USB malware
• Tennessee - 2014
– 18-month spree
– Over $400,000
– Keypad attack
• Romania - 2016
– 31 machines in one day
– 3.8 million lei (860,000 euros)
– Raiffeisen Bank
o Spear-phishing
o Malicious payload
o Gained access to ATMs
Digital Heist
• SWIFT – Society for Worldwide Interbank Financial Telecommunication
– Authenticated money-moving messages
– Attacker injects fraudulent messages
– Transfers to attacker-controlled accounts
• Central Bank of Bangladesh
– $81 million USD stolen
– $1 billion USD attempted
– 'Fandation': the misspelling of 'foundation' in one transfer request raised suspicion and helped stop the remaining transfers
Summary and Predictions

Looking Ahead to 2018
Build your protection strategy. Develop an incident response plan.
• Weaponized artificial intelligence: bots and automated attack tools can mimic human behavior. Can they mimic human learning?
• Attack via proxies: attackers target 3rd parties that serve a variety of businesses – CDNs, applications, analytics services or download sites
• APIs are a double-edged sword: APIs connect all platforms and services together. Businesses must audit APIs prior to integration.
• Automated social engineering: bots already collect and analyze personal data. The next step is to add a component that deceives and infects the victim
Stay Focused. Be Prepared.
Build your protection strategy. Develop an incident response plan.
• Consolidate and automate: elastic, unified systems against multiple threats. Manageability, flexibility and scalability are key for a seamless security experience
• Fight fire with fire: AI-based solutions to mitigate advanced cyber-weapons. Understand who is a bot and who isn't to optimize your resources and maximize your security
• Versatile application protection: cross-platform API and application security protect your data assets. Evaluate before integrating 3rd party services
• Hope for the best, prepare for the worst: reduce cyber-attacks' business impact by getting ready. Study new technologies, have an ER plan, patch systems on time, get a hybrid DDoS mitigation solution, hire hackers for clever forensics, rely on experts
https://www.radware.com/ert-report-2017