Pushed to the Limit! Network and Application Security Threat Landscape 2017-8 January 2018

Post on 09-Apr-2020


Page 1: Pushed to the Limit! Network and Application Security Threat … · 2019-11-28 · SOURCE #1 Radware Industry Survey 1,250 Number of Employees 10,000+ 25%

Pushed to the Limit! Network and Application Security Threat Landscape 2017-8

January 2018

Agenda

• Global Trends
• Changes in the Attack Vector Landscape
• Business Concerns
• What’s Around the Corner?
• Example Attacks in Adriatics
• Summary and Predictions

Radware Annual Security Reports

2017 real-life attack data, security alerts and threat research

Team of security experts for fast mitigation experts under attack

WannaCry | OpIcarus | XMR Squad | Mirai botnet | BrickerBot | OpKillingBay | CodeFork group

SOURCE #1 Radware Industry Survey 1,250

Number of Employees: 10,000+ 25%; <100 22%; 100-499 17%; 550-999 8%; 1,000-2,999 5%; 3,000-9,999 13%

25% Europe; 48% North America; 18% APAC; 6% Central / South America; 4% Africa & Middle-East

Retail and Ecommerce; Technology Products & Services; Financial Services; Education; Govt & Civil Service; Healthcare

SOURCE #2 ERT Threat Research Center


Global Trends

Global Trends in Threats & Attacks

Cyber-security pushed to the limit

• IoTs integration complicates security management
• BTC value and cybercrime climb to new heights
• Data protection is the top business concern
• Bots challenge defense systems, generating fictitious demand

Slovenia Trends: Shift Towards Application Layer

Large Increase Application Attacks

[Chart: Attacks: Volume & Non Volume. Labels: Network, Volume]

[Chart: Attack Vectors. Categories: SYN, HTTP, DNS, UDP, NTP, TCP Handshake Violation. Data labels: 22%, 6%, 41%, 3%, 27%, 1%]

[Chart: Attack Category. Categories: Anomalies, Network DDoS, Application DDoS (DNS), Intrusions, SYN Flood. Data labels: 22%, 47%, 17%, 13%, 1%]

[Chart: Attack Duration (Average Duration). Categories: Less than 1 min (Burst), Steady Flood (more than 1 hour). Data labels: 63%, 37%]

Cryptocurrency Prosperity Drives Cybercrime

• Ransom is the motivation behind 50% of the attacks
• Incidence has grown by 40% Year-over-Year
• One in eight organizations suffered a DDoS Extortion
• Ransom is the top concern of security professionals in 2018

[Chart: Ransom as Motivation Tripled. 2014: 16%; 2015: 25%; 2016: 41%; 2017: 50%]

Protecting Sensitive Data is the #1 Concern

• 45% have suffered a data breach
• 30% of customers will ask for compensation, leave, or file a suit following a data breach
• 28% name data theft as the #1 security challenge
• 72% are not fully prepared for GDPR
• 26% see data protection as the top concern in 2018
• 16% intend to invest more in data protection in 2018

IoT Security – an Orphan Child

No agreement on who is accountable for securing IoT devices

Management Complexity – the greatest concern of IoT integration

[Chart: What is your greatest fear when integrating IoT devices into your network? Categories: More difficulty in security management, DDoS attacks, Malware propagation, High rate of false alarms, Requiring more headcount, Other. Data labels: 47%, 18%, 15%, 9%, 9%, 3%]

[Chart: Who is accountable for risks posed by IoT devices as hubs? Categories: Business Organization, Manufacturer, Private Consumer, Service Provider. Data labels: 35%, 34%, 21%, 11%]

[Chart: Have you experienced DDoS attacks by an IoT botnet? Yes, 17%; No, 52%; Don't know/Not sure, 31%]

1 in 6 organizations report suffering an IoT botnet attack in 2017

The Rise of the Botnets - Is Your Data in Good Hands?

For some organizations, bots represent more than 75% of their total traffic

79% of organizations cannot distinguish between ‘good’ bots and ‘bad’ ones

What can bots do?

1. DDoS attacks
2. Web scraping - steal data and intellectual property
3. Manipulate pricing
4. Hold inventory

APIs – the Next Weak Link

API security is often overlooked – data transferred is not subject to inspection or validation

Common API vulnerabilities

• Access violations
• Protocol attacks
• Invalidated redirects
• Parameter manipulations
• Irregular JSON/XML expressions

[Chart. Categories: Don’t analyze API vulnerabilities prior to integration; Share and consume sensitive data via APIs; Don't inspect data transferred via APIs. Data labels: 51%, 60%, 52%]


Changes in the Attack Vector Landscape

DDoS Attacks: Shift Towards Application Layer

• Application attacks become the preferred DDoS vector
• Network attacks declined significantly
• HTTP/S and TCP-SYN Floods are causing the most damage
• 1 in every 5 attacks exceeds 1 Gbps

[Chart: DDoS attack vectors, grouped as Application and Network. Categories: HTTP, HTTPS, DNS, SMTP, VOIP, TCP SYN flood, UDP, ICMP, TCP-Other, IPv6, Other. Data labels: 37%, 28%, 33%, 23%, 7%, 35%, 23%, 18%, 12%, 10%, 4%. Callout: + 10% DDoS Attacks]

Slovenia Top Attacks: Shift Towards Application Layer

Large Increase Application Attacks

[Chart: TOP Volumetric Attacks (Mbps). Categories: NTP Reflection, UDP Flood, SYN Flood]

[Chart: TOP PPS Rate Attacks (Millions). Categories: NTP Reflection, UDP Flood, SYN Flood]

[Chart: TOP Attacks per Application. Categories: Junk, HTTPS, NTP, HTTP, DNS, SSH/TELNET, 0 (Zero)]

DNS Attack Vectors 2017

• 41% suffered a DoS attack against their DNS server
• Brute Force attack and Basic Query Floods are the most common vectors

[Chart: Which of these attack vectors did you experience? Categories: Brute Force, Basic Query Flood, Recursive Flood, Reflective Amplification Attack, Cache Poisoning. Data labels: 49%, 42%, 34%, 26%, 20%]

Emerging DDoS Attack Vectors

[Chart. Categories: Permanent Denial of Service (PDoS), SSL-Based Attacks, IoT Botnets, Burst Attacks. Series: Concerned with in 2018, Experienced in 2017. Data labels: 7%, 31%, 16%, 42%, 15%, 57%, 13%, 10%]

Bot Attacks

• Web scraping is the main plague
• Two of five report bot traffic exceeds 75%
• 44% still can’t distinguish between bots and a flash mob

[Chart: Web Scraping Impact. Categories: Inventory depleted (e.g., sold out within minutes); Inventory held (customers cannot complete purchase); Website copied (screen-captured or content); Intellectual Property stolen (such as pricing). Data labels: 32%, 45%, 39%, 56%]

2012 Aidra
2014 Bashlite
2014 TheMoon
2014 MrBlack
2015 Moose

2016

08/2016 Mirai
08/2016 Rakos
09/20 Krebs
09/21 OVH
09/30 Mirai source leaked
10/19 Hajime
10/21 DYN
10/29 IRCTelnet (new Aidra)
11/23 400k+ Mirai botnet for rent by ‘BestBuy’
11/27 DT, TalkTalk, Post Office UK – TR069 Exploit
12/21 Leet botnet: 650Gbps/150Mpps DDoS attack

2017

01/30 Linux.Proxy.10
02/22 Mirai turns to Windows
02/22 ‘BestBuy’ arrested in UK
03/13 Imeij
04/07 Amnesia
04/10 BrickerBot
05/09 Persirai
08/30 WireX
09/14 RouteX
09/26 Linux.ProxyM
10/23 Reaper
11/23 Satori
12/13 Mirai authors plead guilty

2018

01/17 Satori continues
01/25 Masuta
02/03 ADB.miner
02/08 JenX
02/15 DoubleDoor
02/21 OMG

Failure Points in the Data Center

• Internet Pipe Saturation incidence grew 50% from 2016
• Servers are compromised the most - as they keep the lucrative data
• 40% growth in complete outages over mere service degradation

[Chart: Internet Pipe (Saturation) 37%; Firewall 17%; IPS/IDS 6%; Load Balancer (ADC) 4%; The Server Under Attack 35%; SQL Server 1%]

Vertical Highlights

• 40% of retailers report bot traffic above 75% of total
• 42% of education institutes actually fear availability issues, over data theft or reputation loss
• 31% of service providers intend to invest in DDoS mitigation in 2018
• 24% of government and public sector organizations suffer attacks daily
• 73% of healthcare organizations express low to medium confidence in securing patient records
• 44% of financials do not track the dark web after a data security breach

Business Concerns of Cyber-Attacks

Biggest Business Concern When Attacked

• Data loss followed by reputation loss were the biggest concerns
• Fewer were concerned with revenue loss this year

[Chart: What is your concern if faced with a cyber-attack? Categories: Productivity loss, Customer / partner loss, Revenue loss, Reputation loss, Availability / SLA Degradation, Data Leakage / information loss. Data labels: 10%, 10%, 13%, 17%, 23%, 28%]

Cost of a Cyber-Attack

1. 78% of organizations make no cyber-attack cost analysis
2. Those who do provide a higher than double estimation
3. Most believe attacks cost less than $100K USD.

[Chart. Series: Yes, No. Data labels: 41%, 20%, 11%, 10%, 5%, 4%, 4%, 5%; 56%, 16%, 9%, 11%, 4%, 2%, 2%]

Security Measures Following Attacks

• In general, customers are not holding organizations responsible for cyber-attacks
• Customers filing lawsuits following data breaches or DDoS downtime are more common in APAC

[Chart: Have any of your customers taken measures because of an attack against your organization? Categories: Malware contamination and propagation, Data breach, DDoS downtime. Series: Customers asking for compensation, Lawsuits, Customers leaving. Data labels: 9%, 9%, 13%, 7%, 10%, 5%, 9%, 11%, 12%, 75%, 70%, 70%]

Multiple Touchpoints = Higher Risk

• Organizations do not take all the necessary measures when their application services communicate with 3rd party services
• 47% do not use encryption

[Chart: Which data types do you share with 3rd parties? Categories: Username / password; Payment details; Personally identifiable information; User behavior / preferences / analytics. Data labels: 72%, 50%, 42%, 32%]

Application Security Concerns

Most organizations feel they can handle the OWASP top 10 pretty well. They fear:

1. Application layer DDoS
2. Encrypted / SSL-based attacks
3. API manipulations
4. Data breach

[Chart: Which attacks against applications are most difficult to prevent, detect and contain? Categories: Cross-site request forgery, SQL injection, Web Scraping, Cross-site scripting, Brute force, Data security breach, API manipulations, Encrypted web attacks (SSL/TLS-based), Layer 7 DDoS. Data labels: 13%, 13%, 13%, 15%, 25%, 44%, 48%, 57%, 62%]

Additional Gaps in Preparedness

• 30% will hire hackers to work in their security team
• 41% of security professionals trust the employees in their organizations
• 33% of organizations do not have an incident response plan in place
• 68% are not confident in their security posture
• 36% limited understanding of blockchain mechanism
• 25% report an application exploit attempt every week

What’s Around the Corner?

Biggest Threats in 2018

Ransom and data theft are seen as the two biggest threats in the coming year

[Chart: Which of the following attacks against applications and/or web servers are most difficult to prevent, detect and contain? Categories: Other, API Integration, Permanent Denial of Service, IoT Botnets, Application vulnerabilities, Data Theft, Ransom. Data labels: 2%, 3%, 8%, 13%, 22%, 26%, 26%]

Projected investments in 2018

The most popular investment areas are guarding sensitive data, endpoint protection, and SIEM/analytics.

[Chart: MY 2018 INVESTMENT WILL BE IN… In-house expertise and application infrastructure, 28%; Endpoint and Malware Protection, 26%; Security Management & Analytics, 20%; Data Leakage Prevention, 16%; DDoS Protection, 10%]

Adopting Artificial Intelligence / Machine Learning

Better Security - #1 motivation for exploring AI solutions

20% already rely on Machine Learning/AI based protections

[Chart: Already rely on, 20%; Plan to integrate, 28%; Neither, 52%]

[Chart. Categories: Other, Cost reduction, Gaining a competitive advantage, Filling in the skill gap, Simpler manageability, Better security. Data labels: 8%, 25%, 25%, 27%, 27%, 63%]

Examples of Risk to Financial Institutions such as in Adriatic Region

Ransom

• Ransom Denial of Service (RDoS)
• Objective: Cryptocurrencies
• Threatens use of latest techniques
• Increase in extortions
• Decrease in attacks
• South Korea – 2017
• 7 Banks
• $315,000 USD
• 5Gbps sample attack
• Result of Nayana Ransomware extortion

Local Heists

• Jackpotting ATMs
• 2010 Barnaby Jack @ BlackHat
– Vector 1: Remote attack
– Vector 2: Key + USB Malware
• Tennessee - 2014
– 18-month spree
– Over $400,000
– Keypad attack
• Romania - 2016
– 31 Machines in one day
– 3.8 Million Slopes (860,000 Euros)
– Raiffeisen Bank
o Spear-phishing
o Malicious payload
o Gained access to ATMs

Digital Heist

• SWIFT – Society for Worldwide Interbank Financial Telecommunication
• Authenticated money moving messages
• Attacker injects fraudulent messages
• Transfers to attacker-controlled accounts
• Central Bank of Bangladesh
• $81 Million USD
• $1 Billion USD attempt
– ‘Fandation’


Summary and Predictions

Looking ahead to 2018

Build your protection strategy. Develop an incident response plan.

• Weaponized Artificial Intelligence: Bots and automated attack tools can mimic human behavior. Can they mimic human learning?
• Attack via Proxies: Attackers target 3rd parties who accommodate a variety of businesses – CDNs, applications, analytics services or download sites
• APIs are a double-edged sword: APIs connect all platforms and services together. Businesses must audit APIs prior to integration.
• Automated Social Engineering: Bots already collect and analyze personal data. Next step is to add a component that deceives and infects the victim

Stay Focused. Be Prepared.

Build your protection strategy. Develop an incident response plan.

• Consolidate and automate: Elastic, unified systems against multiple threats. Manageability, flexibility and scalability are key for a seamless security experience
• Fight fire with fire: AI based solutions to mitigate advanced cyber-weapons. Understand who is a bot and who isn’t to optimize your resources and maximize your security
• Versatile application protection: Cross platform API and Application security protect your data assets. Evaluate before integrating 3rd party services
• Hope for the best, Prepare for the worst: Reduce Cyber-Attacks’ Business Impact by getting ready. Study new technologies, have an ER plan, patch systems on time, get a hybrid DDoS mitigation solution, hire hackers for clever forensics, rely on experts


https://www.radware.com/ert-report-2017