The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre

Page 1: The Art of Cyber War:  Cyber Security Strategies in a Rapidly Evolving Theatre

© Radware, Inc. 2014

The Art of Cyber War

Strategies in a rapidly evolving theatre

July 2014

Page 2

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work.

Many of its conclusions remain valid today in the cyber warfare era.

Page 3

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 4

Attack Vectors: Increasing Complexity

Page 5

Individual Servers (1998 - 2002)

Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity

Botnets (1998 - Present)

Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra

Voluntary Botnets (2010 - Present)

Many users, at times as part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC

New Server-based Botnets (2012)

Powerful, well orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.

不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill

Page 6

不戰而屈人之兵,善之善者也

Current prices on the Russian underground market:

Hacking corporate mailbox: $500

Winlocker ransomware: $10-$20

Unintelligent exploit bundle: $25

Intelligent exploit bundle: $10-$3,000

Basic crypter (for inserting rogue code into benign file): $10-$30

SOCKS bot (to get around firewalls): $100

Hiring a DDoS attack: $30-$70 / day, $1,200 / month

Botnet: $200 for 2,000 bots

DDoS Botnet: $700

ZeuS source code: $200-$250

Windows rootkit (for installing malicious drivers): $292

Hacking Facebook or Twitter account: $130

Hacking Gmail account: $162

Email spam: $10 per one million emails

Email scam (using customer database): $50-$500 per one million emails

Page 7

不戰而屈人之兵,善之善者也

Page 8

Attack Length: Increasing Duration

Page 9

[Chart: attack sophistication rising from 2010 to 2013, one campaign per year]

2010
• Duration: 3 Days
• 4 Attack Vectors
• Attack target: Visa, MasterCard

2011
• Duration: 3 Days
• 5 Attack Vectors
• Attack target: HKEX

2012
• Duration: 20 Days
• More than 7 Attack vectors
• Attack target: Vatican

2013
• Duration: 7 Months
• Multiple attack vectors
• Attack target: US Banks

故善战者,立于不败之地 The good fighters of old first put themselves beyond the possibility of defeat

Page 10

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 11

知彼知己,百戰不殆

If you know the enemy and know yourself, you need not fear the result of a hundred battles

Notable DDoS Attacks in the Last 12 Months

Page 12

Battlefield: Colombia Government On-line Services

Cause: Colombian Independence

Battle: A large scale cyber attack held on July 20th, Colombian Independence Day, against 30 Colombian government websites.

Result: Most web sites were either defaced or shut down completely for the entire day of the attack.

行軍: Colombia

Page 13

Attackers: Colombian Hackers

• A known hacker collective suspected of being responsible for several other cyber attacks in Colombia during 2012-13. The group was supported by sympathizers and used Twitter to communicate.

Motivation: Ideological

• Anti-government stance claiming to stand for “freedom, justice and peace.” Mantra: “We are Colombian Hackers, to serve the people.”

行軍: Colombia

Page 14

行軍: Colombia

Web application attacks:

• Directory traversal – web application attack to get access to password files that can later be cracked offline.
• Brute force attacks on the pcAnywhere service – looking for weakly password-protected accounts enables attackers to gain remote access to victim servers.
• SQL Injection attacks – web application attacks to gain remote server access.
• Web application vulnerability scanning
• Application attacks: we have mainly seen HTTP Flood attacks

Network DDoS attacks:

• SYN floods, UDP floods, ICMP floods
• Anomalous traffic (invalid TCP flags, source port zero, invalid L3/L4 header)
• TCP port scans

Page 15

行軍: Operation Ababil

Battlefield: U.S. Commercial Banks

Cause: Elimination of the Film “Innocence of Muslims”

Battle: Phase 4 of a major multi-phase campaign, Operation Ababil, that commenced during the week of July 22nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.

Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.

Page 16

行軍: Operation Ababil

Attackers: Cyber Fighters of Izz ad-Din al-Qassam

• Purported Iranian state-sponsored hacktivist collective said to be acting to defend Islam

Motivation: Religious Fundamentalism

• “Well, misters! The break's over and it's now time to pay off. After a chance given to banks to rest awhile, now the Cyber Fighters of Izz ad-Din al-Qassam will once again take hold of their destiny. As we have said earlier, the Operation Ababil is performed because of widespread and organized offends to Islamic spirituals and holy issues, especially the great prophet of Islam(PBUH) and if the offended film is eliminated from the Internet, the related attacks also will be stopped. While the films exist, no one should expect this operation be fully stopped. The new phase will be a bit different and you'll feel this in the coming days. Mrt. Izz ad-Din al-Qassam Cyber Fighters”

Page 17

行軍: Operation Ababil

HTTP flood attacks:

• Cause web server resource starvation due to an overwhelming number of page downloads.

Encrypted attacks:

• SSL-based HTTPS GET requests generate a major load on the HTTP server by consuming 15x more CPU in order to process the encrypted attack traffic.

Massive TCP and UDP flood attacks:

• Targeting both web servers and DNS servers. The Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. The source appears to be the Brobot botnet.

DNS amplification attacks:

• The attacker sends queries to a DNS server with a spoofed source address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.

Page 18

行軍: Operation Ababil

Event Correlation: Iranian Linked Cyber Attacks

[Timeline chart, 2010 to mid-2013, of events attributed to Parastoo, the Iranian Cyber Army and the al Qassam Cyber Fighters; annotations on the chart: 22 Events, 1 Event]

Source: Analysis Intelligence

Page 19

行軍: Operation Ababil

Challenge & Response Escalations:

• Automatic challenge mechanisms are employed by the Radware Attack Mitigation System to discriminate between legitimate traffic and attack tools
• Phase 4 attackers implemented advanced mechanisms that emulated normal web browser users in order to circumvent mitigation tools
• This necessitated the implementation of increasingly sophisticated challenge mechanisms that could not be supported by attack tools

Tool       | Script 302 Redirect Challenge | JS Challenge | Special Challenge
Kamikaze   | Pass                          | Not pass     | Not pass
Kamina     | Pass                          | Not pass     | Not pass
Terminator | Pass                          | Pass         | Not pass
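As an added example (not Radware's code, and not a description of how the Radware Attack Mitigation System is built), here is a Python model of the escalation the table above shows: a gate that issues a 302 redirect challenge, then a JavaScript challenge, then a "special" challenge, and client models whose capabilities are assumed from the table's pass/fail entries rather than from the tools themselves. The "special" tier is modelled as a browser-environment probe; that is an assumption, since the slide does not say what the real one does.

```python
import hashlib
import hmac
import secrets

# Per-deployment key; constructed at start-up for this example.
SECRET = secrets.token_bytes(32)


def _token(client_ip, tier):
    """Stateless challenge token bound to the client address and tier,
    so the gate needs no per-client storage to verify an answer."""
    mac = hmac.new(SECRET, f"{client_ip}|{tier}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


class ChallengeGate:
    """Issues challenges of increasing difficulty; the first failed tier ends admission."""

    TIERS = ("302-redirect", "js", "special")

    def __init__(self, max_tier=3):
        # max_tier (1..3) is how far the gate escalates.
        self.tiers = self.TIERS[:max_tier]

    def challenge(self, client_ip, tier):
        tok = _token(client_ip, tier)
        if tier == "302-redirect":
            # Client must follow the Location header and present the token.
            return {"status": 302, "location": f"/?__tok={tok}"}
        if tier == "js":
            # Client must execute the script; the reversed token is the proof.
            script = f"t='{tok}'; document.cookie='js='+t.split('').reverse().join('')"
            return {"status": 200, "script": script}
        # Assumed "special" tier: a browser-environment probe (the slide does
        # not say what Radware's special challenge does).
        return {"status": 200, "probe": "screen.width"}

    def verify(self, client_ip, tier, answer):
        tok = _token(client_ip, tier)
        if tier == "302-redirect":
            return answer == tok
        if tier == "js":
            return answer == tok[::-1]
        return isinstance(answer, int) and answer > 0

    def admit(self, client_ip, client):
        """Run one client through every tier; returns (admitted, tiers_passed)."""
        passed = []
        for tier in self.tiers:
            answer = client.respond(self.challenge(client_ip, tier))
            if not self.verify(client_ip, tier, answer):
                return False, passed
            passed.append(tier)
        return True, passed


class ClientModel:
    """Simplified client; capabilities are assumed from the slide's pass/fail table."""

    def __init__(self, name, follows_redirects, runs_js, has_browser_env):
        self.name = name
        self.follows_redirects = follows_redirects
        self.runs_js = runs_js
        self.has_browser_env = has_browser_env

    def respond(self, chal):
        if chal["status"] == 302:
            if not self.follows_redirects:
                return None
            return chal["location"].split("__tok=", 1)[1]
        if "script" in chal:
            if not self.runs_js:
                return None
            # Stand-in for a JS engine: pull the literal out of t='...' and reverse it.
            return chal["script"].split("'")[1][::-1]
        if "probe" in chal:
            return 1366 if self.has_browser_env else None
        return None


# Client models named after the slide's table; their capabilities are assumptions.
KAMIKAZE = ClientModel("Kamikaze", True, False, False)
KAMINA = ClientModel("Kamina", True, False, False)
TERMINATOR = ClientModel("Terminator", True, True, False)
BROWSER = ClientModel("Browser", True, True, True)


def escalation_table(clients=(KAMIKAZE, KAMINA, TERMINATOR, BROWSER), client_ip="198.51.100.7"):
    """Reproduce the slide's table: which tiers each client passes before failing."""
    gate = ChallengeGate(3)
    return {c.name: gate.admit(client_ip, c) for c in clients}


if __name__ == "__main__":
    for name, (admitted, passed) in escalation_table().items():
        print(f"{name:10s} passed={passed} admitted={admitted}")
```

The design point is the ordering: each tier costs a legitimate browser nothing extra, while a tool has to grow a new capability (follow redirects, execute script, expose a browser environment) for every step, which is why the gate only escalates as far as the observed tools require.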

Page 20

Battlefield: Spamhaus

Cause: Corporate Ideological Differences

Battle: A nine-day assault that resulted in the largest recorded volumetric Distributed Denial of Service attack, which peaked at over 300Gbps.

Result: Spamhaus did go down, but claimed to have withstood the attack, though only with assistance from companies such as CloudFlare and Google. Given the scale of the attack and the techniques used, concerns were expressed that the very fabric of the internet could be compromised.

行軍: Spamhaus

Page 21

行軍: Spamhaus

Attackers: CyberBunker?

• Provider of anonymous secure hosting services

Motivation: Retaliation against Spamhaus

• CyberBunker, a provider of secure and anonymous hosting services, was blacklisted by Spamhaus, a non-profit anti-spam organization that advises ISPs. It was claimed that CyberBunker was a 'rogue' host and a haven for cybercrime and spam organizations. Spamhaus alleged that CyberBunker, with the aid of "criminal gangs" from Eastern Europe and Russia, launched a DDoS attack against Spamhaus for “abusing its influence.”

Page 22

行軍: Spamhaus

Attack Method:

• The attack started as a 10-80Gbps attack that was at first contained successfully; it began as a volumetric attack on layer 3 and peaked at 75Gbps on March 20.
• During March 24-25 the attack grew to 100Gbps, peaking at 309Gbps.
• No botnet in use. Attackers were using servers on networks that allow IP spoofing in conjunction with open DNS resolvers.
• Misconfigured DNS resolvers (with no response rate limiting) allow the amplification of the attack by a factor of 50!
• Nearly 25% of the networks are configured to allow spoofing instead of employing BCP38…
• There are over 28 Million open resolvers in operation…
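As an added example (not Radware's code), here is a Python model of the two resolver-side controls this slide names, response rate limiting and BCP38 ingress filtering, applied to the DNS amplification mechanism described on the Operation Ababil slide above. The packet sizes, addresses and query stream are constructed; the limiter follows the behaviour of BIND's RRL (a per-second response budget per client /24, with every second excess reply "slipped" as a truncated response) but is not that code.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsQuery:
    src_ip: str          # source address as seen on the wire (may be spoofed)
    qname: str
    qtype: str
    query_bytes: int     # size of the query packet
    response_bytes: int  # size of the reply the resolver would send


def amplification_factor(q):
    """Bytes the resolver sends toward the source per byte the sender spent."""
    return q.response_bytes / q.query_bytes


def bcp38_permits(src_ip, assigned_prefixes):
    """Ingress filter at the customer edge: a packet is forwarded only if its
    source address lies inside a prefix assigned to that customer port."""
    return any(ip_address(src_ip) in ip_network(p) for p in assigned_prefixes)


class ResponseRateLimiter:
    """Per-second response budget per (client /24, qname, qtype), in the
    spirit of BIND's RRL.  Excess responses are dropped, except that every
    slip-th one is 'slipped': a minimal TC=1 reply that tells a real client to
    retry over TCP, which a spoofed source cannot complete."""

    def __init__(self, responses_per_second, slip=2):
        self.rps = responses_per_second
        self.slip = slip
        self.buckets = defaultdict(lambda: {"second": None, "sent": 0, "excess": 0})

    def _key(self, q):
        net = ip_network(f"{q.src_ip}/24", strict=False)
        return (str(net), q.qname, q.qtype)

    def decide(self, q, now):
        b = self.buckets[self._key(q)]
        sec = int(now)
        if b["second"] != sec:
            b["second"], b["sent"], b["excess"] = sec, 0, 0
        if b["sent"] < self.rps:
            b["sent"] += 1
            return "answer"
        b["excess"] += 1
        if self.slip and b["excess"] % self.slip == 0:
            return "slip"
        return "drop"


def compare(queries, rps=5, slip=2, now=0.0):
    """Bytes a resolver would emit for a query stream with and without RRL."""
    rrl = ResponseRateLimiter(rps, slip)
    counts = {"answer": 0, "slip": 0, "drop": 0}
    rrl_bytes = 0
    for q in queries:
        d = rrl.decide(q, now)
        counts[d] += 1
        # a slipped reply is roughly query-sized: header plus the echoed question
        rrl_bytes += q.response_bytes if d == "answer" else q.query_bytes if d == "slip" else 0
    return {"counts": counts,
            "unlimited_bytes": sum(q.response_bytes for q in queries),
            "rrl_bytes": rrl_bytes}


# Constructed traffic: 100 ANY queries carrying the victim's spoofed address
# (64-byte query, 3200-byte answer, i.e. the slide's factor of 50) plus two
# ordinary lookups from a different network, all within the same second.
FLOOD = [DnsQuery("203.0.113.10", "example.com", "ANY", 64, 3200) for _ in range(100)]
BENIGN = [DnsQuery("198.51.100.5", "www.example.com", "A", 40, 120),
          DnsQuery("198.51.100.6", "www.example.com", "A", 40, 120)]
SAMPLE_QUERIES = FLOOD + BENIGN

if __name__ == "__main__":
    print("amplification factor:", amplification_factor(FLOOD[0]))
    print(compare(SAMPLE_QUERIES))
    print("spoofed source passes BCP38 filter:",
          bcp38_permits("203.0.113.10", ["198.51.100.0/24"]))
```

The two controls address different ends of the path: BCP38 at the attacker's edge stops the spoofed queries from leaving, while RRL at the resolver caps what an open resolver will reflect even when spoofing is not filtered. Neither one alone closes the gap, which is the point of the slide's two percentages.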

Page 23

Battlefield: New York Times

Cause: Syrian Conflict

Battle: NYTimes Domain Name Server attack.

Result: New York Times website taken offline for almost 2 hours as the domain was redirected to Syrian Electronic Army servers.

行軍: New York Times

Page 24

行軍: New York Times

Attackers: Syrian Electronic Army

• Hackers aligned with Syrian President Bashar Assad. Mainly targets political opposition groups and western websites, including news organizations and human rights groups.

Attacks: Spear Phishing & Directed DNS Attacks

• Phishing attacks on Melbourne IT, the New York Times DNS registrar.
• SEA hacked the NYT account and redirected the domain to its servers.

Page 25

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 26

[Diagram: attack path from the Internet pipe through Firewall, IPS/IDS and Load Balancer (ADC) to the Server and SQL Server, with a percentage annotated on each component; values shown: 26%, 25%, 8%, 11%, 22%, 8%, 27%, 24%, 8%, 4%, 30%, 5%; their assignment to components is not recoverable from the transcript]

不可胜在己 Being unconquerable lies with yourself

Page 27

不可胜在己

DoS Defense Component               | Vulnerability Exploitation | Network Flood  | Infrastructure Exhaustion | Target Exhaustion
Network Devices                     | No                         | No             | Some                      | Some
Over-Provisioning                   | No                         | Yes, bandwidth | Yes, infrastructure       | Yes, server & app.
Firewall & Network Equipment        | No                         | No             | Some                      | Some
NIPS or WAF Security Appliances     | Yes                        | No             | No, part of problem       | No
Anti-DoS Box (Stand-Alone)          | No                         | No             | Yes                       | Yes
ISP-Side Tools                      | No                         | Yes            | Rarely                    | Rarely
Anti-DoS Appliances (ISP Connected) | No                         | Yes            | Yes                       | Yes
Anti-DoS Specialty Provider         | No                         | Yes            | Yes                       | Yes
Content Delivery Network            | No                         | Yes            | Yes                       | Limited

Page 28

不可胜在己

Proportion of businesses relying on CDNs for DDoS Protection

70%

Page 29

不可胜在己

Bypassing CDN Protection

[Diagram: Botnet sends GET www.enterprise.com/?[Random] through the CDN to the Enterprise origin; the randomized query string makes every request a cache miss that is passed through to the origin]
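As an added example (not Radware's code), the following Python script runs defender-side checks over constructed web server log lines: the directory traversal and SQL injection patterns and the HTTP flood count listed on the Colombia slide earlier, and the randomized-query-string cache-busting pattern this CDN bypass diagram shows. The log lines, thresholds and signature patterns are constructed for illustration; a production deployment would use a much larger signature set and a sliding time window rather than one batch of lines.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Directory traversal toward password files (Colombia slide: web application attacks).
TRAVERSAL_RE = re.compile(r'(\.\./|\\\.\.\\|/etc/passwd)')
# A few classic SQL injection fragments; real deployments use a fuller signature set.
SQLI_RE = re.compile(r"(?i)('\s*or\s*'|union\s+select|;\s*drop\s)")


def parse_line(line):
    """Return a dict with decoded path and query, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["query"] = unquote(parts.query)
    return rec


def analyze(lines, flood_threshold=5, cachebust_min=5, cachebust_ratio=0.9):
    """Flag sources by behaviour over one window of log lines."""
    per_ip = Counter()
    queries = defaultdict(list)
    traversal, sqli = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        per_ip[ip] += 1
        if TRAVERSAL_RE.search(rec["path"]):
            traversal.add(ip)
        if SQLI_RE.search(rec["query"]) or SQLI_RE.search(rec["path"]):
            sqli.add(ip)
        if rec["query"]:
            queries[ip].append((rec["path"], rec["query"]))
    # HTTP flood: raw request count per source in the window.
    flood = {ip for ip, n in per_ip.items() if n >= flood_threshold}
    # CDN cache-busting: almost every request carries a query string never seen
    # before for that path, so each one is a cache miss that reaches the origin.
    cache_busting = set()
    for ip, qs in queries.items():
        if len(qs) >= cachebust_min and len(set(qs)) / len(qs) >= cachebust_ratio:
            cache_busting.add(ip)
    return {"traversal": sorted(traversal), "sqli": sorted(sqli),
            "flood": sorted(flood), "cache_busting": sorted(cache_busting)}


# Constructed log lines (not from any real server); addresses are documentation ranges.
LOG_LINES = """\
198.51.100.23 - - [10/Jul/2014:10:00:01 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2014:10:00:02 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:03 +0000] "GET /?8f3a1c HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:03 +0000] "GET /?2b9e77 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:03 +0000] "GET /?c41d0e HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:04 +0000] "GET /?77a9b2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:04 +0000] "GET /?0e5f63 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:04 +0000] "GET /?b3d8a1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2014:10:00:09 +0000] "GET /news/?page=2 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for kind, ips in analyze(LOG_LINES).items():
        print(f"{kind:14s} {ips}")
```

The cache-busting check is the one a CDN cannot make for you: from the origin's point of view the requests are ordinary GETs, and only the unique-query-string ratio per source reveals that the CDN's cache is being deliberately missed. Where the site has a fixed set of meaningful query parameters, the corresponding mitigation is to have the CDN ignore or strip unknown parameters in its cache key so such requests never reach the origin.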

Page 30

不可胜在己

Cloud protection limitations

[Diagram: Botnet traffic passing through Cloud Scrubbing to the Enterprise; attack types shown: Volumetric attacks, Low & Slow attacks, SSL encrypted attacks]

Page 31

兵者 詭道也 All warfare is based on deception

Threats: Universal DDoS Mitigation Bypass

Source: BlackHat USA 2013

Presenters: Nexusguard Ltd, NT-ISAC Bloodspear Labs

Goal: Defeat all known mechanisms for automatic

mitigation of DDoS attacks

Authors: Tony T.N. Miu, Albert K.T. Hui, W.L. Lee, Daniel

X.P. Luo, Alan K.L. Chung, Judy W.S. Wong

or CAPTCHA-based authentications being the most effective by far. However, in our research weaknesses were found in a majority of these sorts of techniques.

We rolled all our exploits into a proof-of-concept attack tool, giving it near-perfect DDoS mitigation bypass capability against almost every existing commercial DDoS mitigation solution. The ramifications are huge. For the vast majority of web sites, these mitigation solutions stand as the last line of defense. Breaching this defense can expose these web sites' backend to devastating damages.

We have extensively surveyed DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work, and

Page 32

兵者 詭道也

Tool: Kill ‘em All 1.0

• Harnesses techniques such as authentication bypass, HTTP redirect, HTTP cookie and JavaScript
• True TCP behavior, believable and random HTTP headers, JavaScript engine, random payload, tunable post-authentication traffic model
• Defeats current anti-DDoS solutions that detect malformed traffic, traffic profiling, rate limiting, source verification, JavaScript and CAPTCHA-based authentication mechanisms
• Creators allege that the tool is technically indistinguishable from legitimate human traffic

Tested: Arbor PeakFlow TMS, Akamai, Cloudflare, NSFocus Anti-DDoS System

Page 33

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 34

兵之情主速 Speed is the essence of war

[Chart: an attack degree axis divided into three regions, Attack Area, Suspicious Area and Normal Area]

Page 35

兵之情主速

THE SECURITY GAP

Attacker has time to bypass automatic mitigation

Target does not possess required defensive skills

Page 36

兵之情主速

Page 37

兵之情主速

Page 38

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 39

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations

• Envelope Attacks – Device Overload

• Directed Attacks - Exploits

• Intrusions – Misconfigurations

• Localized Volume Attacks

• Low & Slow Attacks

• SSL Floods

Detection: Encrypted / Non-Volumetric Attacks

Page 40

故兵貴勝,不貴久

• Web Attacks

• Application Misuse

• Connection Floods

• Brute Force

• Directory Traversals

• Injections

• Scraping & API Misuse

Detection: Application Attacks

Page 41

故兵貴勝,不貴久

Attack Detection: Volumetric Attacks

• Network DDoS

• SYN Floods

• HTTP Floods

Page 42

Attack Mitigation Network: Low & Slow, SSL Encrypted

[Diagram: Botnet, Enterprise, Cloud Scrubbing and Hosted Data Center; low & slow and SSL encrypted attacks are handled at the Enterprise and Hosted Data Center rather than in cloud scrubbing]

故兵貴勝,不貴久

Page 43

Attack Mitigation Network: Application Exploits

[Diagram: Botnet, Enterprise, Cloud Scrubbing and Hosted Data Center; attack signatures are shared between the Enterprise and the Hosted Data Center]

故兵貴勝,不貴久

Page 44

[Diagram: Botnet, Enterprise, Cloud Scrubbing and Hosted Data Center]

Attack Mitigation Network: Volumetric Attacks

故兵貴勝,不貴久

Page 45

Attack Mitigation Network: Volumetric Attacks

[Diagram: Botnet, Cloud Scrubbing, Hosted Data Center and Enterprise; attack signatures are passed from the Enterprise to the Cloud Scrubbing service so the volumetric attack is diverted there]

故兵貴勝,不貴久

Page 46

Attack Mitigation Network: Volumetric Attacks

[Diagram: Botnet, Cloud Scrubbing, Hosted Data Center and Enterprise; volumetric traffic is scrubbed in the cloud before it reaches the Enterprise]

故兵貴勝,不貴久

Page 47

Don’t assume that you’re not a target.

Draw up battle plans. Learn from the mistakes of others.

没有战略,战术是之前失败的噪音 Tactics without strategy is the noise before defeat

目标 Target

Page 48

Protecting your data is not the same as protecting your business.

True security necessitates data protection, system integrity and operational availability.

没有战略,战术是之前失败的噪音

可用性 Protection

Page 49

You don’t control all of your critical business systems.

Understand your vulnerabilities in the distributed, outsourced world.

没有战略,战术是之前失败的噪音

漏洞 Vulnerability

Page 50

You can’t defend against attacks you can’t detect.

The battle-prepared business harnesses an intelligence network.

没有战略,战术是之前失败的噪音

检测 Detection

Page 51

Don’t believe the DDoS protection propaganda.

Understand the limitations of cloud-based scrubbing solutions.

Not all networking and security appliance solutions were created equal.

没有战略,战术是之前失败的噪音

宣传 Propaganda

Page 52

Know your limitations.

Enlist forces that have the expertise to help you fight.

没有战略,战术是之前失败的噪音

限制 Limitations

Page 53

你准备好了吗? Are You Ready?

Page 54

Carl Herberger, VP Security Solutions, Radware

[email protected]

谢谢 Thank You
