The Art of Cyber War [from Black Hat Brazil 2014]

The Art of Cyber War Werner Thalmeier Director Security Solutions EMEA & CALA

Upload: radware

Posted on 13-Jul-2015

Category: Technology

TRANSCRIPT

The Art of Cyber War – Werner Thalmeier, Director Security Solutions EMEA & CALA

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work.

Many of its conclusions remain valid today in the cyber warfare era.

孫子兵法

知彼知己,百戰不殆 If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Notable DDoS Attacks in the Last 12 Months

• Feb/July 2013, USA: Operation Ababil, targeting financial institutions

• March 2013, The Netherlands: Spamhaus, the biggest DDoS attack ever

• June 2013, South Korea: South Korean government websites under attack

• July 2013, Colombia: the Colombian Independence Day attack

• August 2013, Syria: Syrian Electronic Army attacking US media outlets

• November 2013, Ukraine & Baltic countries: Operation “Opindependence”

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Attackers Deploy Multi-vulnerability Attack Campaigns

[Diagram: attack vectors placed along the path Internet Pipe → Firewall → IPS/IDS → ADC → Attacked Server → SQL Server, grouped as Volumetric attacks, Network & Stateful attacks and Application attacks. Vectors shown: high bandwidth or PPS network flood attacks, network scan, SYN floods, SSL floods, HTTP floods, brute force, SQL injection, cross-site scripting, intrusions, “Low & Slow” DoS attacks (e.g. Sockstress), app misuse.]

More than 50% of 2013 attack campaigns had more than 5 attack vectors.

Source: Radware 2013 ERT Report

Hacktivism – Move To Campaign-APT Oriented

• Complex: More than seven different attack vectors at once

• Blending: Both network and application attacks

• Targeteering: Select the most appropriate target, attack tools

• Resourcing: Advertise, invite, coerce anyone capable

• Testing: Perform short “proof-firing” prior to the attack

• Timeline: Establish the most painful time period for his victim

[Chart: attack sophistication over time, 2010, 2011, 2012, 2013, one campaign per point]

• Duration: 3 days; 4 attack vectors; attack target: Visa, MasterCard

• Duration: 3 days; 5 attack vectors; attack target: HKEX

• Duration: 20 days; more than 7 attack vectors; attack target: Vatican

• Duration: 7 months; multiple attack vectors; attack target: US banks

故善战者,立于不败之地 The good fighters of old, first put themselves beyond the possibility of defeat.


The Threat Landscape

DDoS is the most common attack method. Attacks last longer.

Government and Financial Services are the most attacked sectors. Multi-vector trend continues.

You don’t control all of your critical business systems.

Understand your vulnerabilities in the distributed, outsourced world.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

漏洞 Vulnerability


[Diagram: evolution of DDoS attack infrastructure, four generations]

Individual Servers (1998 - 2002)

Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication.

Examples: Trin00, TFN, Trinity

Botnets (1998 - Present)

Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP).

Examples: Agobot, DirtJumper, Zemra

Voluntary Botnets (2010 - Present)

Many users, at times part of a Hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel.

Examples: LOIC, HOIC

New Server-based Botnets (2012)

Powerful, well orchestrated attacks, using a geographically spread server infrastructure. Few attacking servers generate the same impact as hundreds of clients.

不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill


不戰而屈人之兵,善之善者也

Current prices on the Russian underground market:

Hacking corporate mailbox: $500

Winlocker ransomware: $10-$20

Unintelligent exploit bundle: $25

Intelligent exploit bundle: $10-$3,000

Basic crypter (for inserting rogue code into benign file): $10-$30

SOCKS bot (to get around firewalls): $100

Hiring a DDoS attack: $30-$70 / day, $1,200 / month

Botnet: $200 for 2,000 bots

DDoS Botnet: $700

ZeuS source code: $200-$250

Windows rootkit (for installing malicious drivers): $292

Hacking Facebook or Twitter account: $130

Hacking Gmail account: $162

Email spam: $10 per one million emails

Email scam (using customer database): $50-$500 per one million emails


行軍: Operation Ababil

Battlefield: U.S. Commercial Banks

Cause: Elimination of the film “Innocence of Muslims”

Battle: Phase 4 of a major multi-phase campaign, Operation Ababil, that commenced during the week of July 22nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.

Attackers: Cyber Fighters of Izz ad-Din al-Qassam

Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.

行軍: Operation Ababil

Massive TCP and UDP flood attacks:

• Targeting both Web servers and DNS servers. Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. Source appears to be Brobot botnet.

DNS amplification attacks:

• Attacker sends queries to a DNS server with a spoofed address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.

HTTP flood attacks:

• Cause web server resource starvation due to overwhelming number of page downloads.

Encrypted attacks:

• SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x more CPU in order to process the encrypted attack traffic.
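As an added example (not from the deck or from Radware), the following Python sketches detection logic for two of the vectors listed above. The first part flags DNS clients that receive replies which are both heavily amplified and larger than one packet, the signature of the spoofed-query amplification described on the slide (the "client" in that case is the victim, so the output is a list of addresses to rate-limit or alert on). The second part parses access-log lines and flags sources whose request count in a short window points to a GET flood. The log layouts, addresses and thresholds are constructed assumptions.

```python
"""Detection logic for two Operation Ababil vectors: DNS amplification and
HTTP GET floods. Added example, not Radware code; log layouts, addresses
and thresholds are constructed assumptions."""
import re
from collections import Counter
from datetime import datetime

# --- DNS amplification -------------------------------------------------
# Constructed resolver log: (client_ip, qname, qtype, query_bytes, reply_bytes).
# In an amplification attack client_ip is the spoofed victim, so the suspects
# returned are addresses to rate-limit or alert on, not attackers.
DNS_LOG = [
    ("198.51.100.7", "example.net", "ANY", 64, 3120),
    ("198.51.100.7", "example.net", "ANY", 64, 3120),
    ("198.51.100.7", "example.net", "ANY", 64, 3120),
    ("203.0.113.9", "example.org", "A", 52, 96),
    ("203.0.113.10", "example.com", "MX", 56, 240),
]

ETHERNET_MTU = 1500        # replies above this are split over several packets
AMP_FACTOR_THRESHOLD = 20  # reply/query byte ratio treated as amplification-grade


def dns_amplification_suspects(log, factor=AMP_FACTOR_THRESHOLD, mtu=ETHERNET_MTU):
    """Return {client_ip: (amplified_reply_count, max_amplification_factor)}
    for clients receiving replies that are both heavily amplified and larger
    than one packet."""
    suspects = {}
    for client, _qname, _qtype, q_bytes, r_bytes in log:
        ratio = r_bytes / q_bytes
        if ratio >= factor and r_bytes > mtu:
            count, peak = suspects.get(client, (0, 0.0))
            suspects[client] = (count + 1, max(peak, ratio))
    return suspects


# --- HTTP flood ----------------------------------------------------------
# Constructed access log in the common Apache layout: 192.0.2.11 fetches the
# same page 30 times within ten seconds, 192.0.2.55 makes two normal requests.
def _access_line(ip, second, path):
    return (f'{ip} - - [22/Jul/2013:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120')


HTTP_LOG = (
    [_access_line("192.0.2.11", s % 10, "/index.html") for s in range(30)]
    + [_access_line("192.0.2.55", 3, "/index.html"),
       _access_line("192.0.2.55", 7, "/about.html")]
)

ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_access_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparsable lines."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def http_flood_suspects(lines, window_seconds=10, max_requests=20):
    """Count requests per (source, time window) and return {ip: peak requests
    in one window} for sources exceeding max_requests."""
    buckets = Counter()
    for line in lines:
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        ip, when, _method, _path, _status = parsed
        buckets[(ip, int(when.timestamp()) // window_seconds)] += 1
    peaks = {}
    for (ip, _window), n in buckets.items():
        if n > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


if __name__ == "__main__":
    print("DNS amplification suspects:", dns_amplification_suspects(DNS_LOG))
    print("HTTP flood suspects:", http_flood_suspects(HTTP_LOG))
```

Both checks work on counts and sizes only, which is what a resolver or web server already logs; the thresholds would be tuned against the site's own baseline before alerting on them.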


Don’t assume that you’re not a target.

Draw up battle plans. Learn from the mistakes of others.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

目标 Target


[Chart: attacks by infrastructure component (Internet Pipe, Firewall, IPS/IDS, ADC, Server, SQL Server) for 2011, 2012 and 2013, y-axis 0 to 35, grouped as Volumetric attacks, Network & Session attacks and Application attacks]

不可胜在己 Being unconquerable lies within yourself.


Proportion of businesses relying on CDNs for DDoS protection: 70%


Bypassing CDN Protection

[Diagram: Botnet → CDN → Enterprise. Each bot requests GET www.enterprise.com/?[Random]: the unique query string misses the CDN cache, so the request is passed through to the enterprise origin.]
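The diagram shows why a random query string defeats CDN caching: every request looks new, misses the cache and is forwarded to the origin, so the CDN adds no protection. As an added example that is not part of the presentation or of any vendor's product, the following Python does two things a defender can do about it: it builds the cache key from an allow-list of query parameters, so unknown parameters no longer create cache misses, and it flags clients whose requests are almost all unique before normalization yet collapse to a handful after it. The paths, parameter allow-list, addresses and thresholds are assumptions.

```python
"""Origin protection against cache-busting requests of the form
GET /?[Random]. Added example, not Radware or CDN vendor code; the
allow-list, addresses and thresholds are assumptions."""
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Per-path allow-list of query parameters that legitimately change the
# response (assumed). Anything else is dropped from the cache key, so a
# random parameter maps onto the same cached object instead of the origin.
ALLOWED_PARAMS = {
    "/": set(),
    "/search": {"q", "page"},
}


def cache_key(url, allowed=ALLOWED_PARAMS):
    """Normalize a request URL to path plus sorted allow-listed parameters."""
    parts = urlsplit(url)
    keep = allowed.get(parts.path, set())
    params = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k in keep
    )
    return parts.path + ("?" + urlencode(params) if params else "")


# Constructed traffic: 203.0.113.5 sends 25 requests with a different query
# string each time (deterministic stand-ins for [Random]); 198.51.100.20
# pages through search results normally.
REQUESTS = (
    [("203.0.113.5", f"http://www.enterprise.com/?{i:06x}") for i in range(25)]
    + [("198.51.100.20", f"http://www.enterprise.com/search?q=ddos&page={p}")
       for p in (1, 2, 1, 3, 2)]
)


def simulated_origin_fetches(requests, normalize):
    """Number of requests a cache would forward to the origin when keyed on
    the raw URL (normalize=False) or on the normalized key (normalize=True)."""
    seen = set()
    misses = 0
    for _ip, url in requests:
        key = cache_key(url) if normalize else url
        if key not in seen:
            seen.add(key)
            misses += 1
    return misses


def cache_busting_clients(requests, min_requests=10, unique_ratio=0.9):
    """Return {ip: (requests, distinct_raw_urls, distinct_cache_keys)} for
    clients whose URLs are nearly all unique yet collapse after normalization."""
    total, raw, norm = Counter(), defaultdict(set), defaultdict(set)
    for ip, url in requests:
        total[ip] += 1
        raw[ip].add(url)
        norm[ip].add(cache_key(url))
    flagged = {}
    for ip, n in total.items():
        if (n >= min_requests
                and len(raw[ip]) / n >= unique_ratio
                and len(norm[ip]) < len(raw[ip])):
            flagged[ip] = (n, len(raw[ip]), len(norm[ip]))
    return flagged


if __name__ == "__main__":
    print("origin fetches, raw keys:", simulated_origin_fetches(REQUESTS, normalize=False))
    print("origin fetches, normalized keys:", simulated_origin_fetches(REQUESTS, normalize=True))
    print("cache-busting clients:", cache_busting_clients(REQUESTS))
```

Keying the cache on an allow-list only helps for content whose query parameters the site actually knows; a page that legitimately accepts arbitrary parameters still needs the per-client check, or rate limiting at the origin, to cover the gap.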


Cloud protection limitations.

[Diagram: Botnet → Cloud Scrubbing → Enterprise, with three attack types shown: Volumetric attacks, Low & Slow attacks, SSL encrypted attacks]

Don’t believe the propaganda. Understand the limitations of solutions.

Not all networking and security solutions are created equal.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

宣传 Propaganda


兵之情主速 Speed is the essence of war

[Chart: attack degree axis divided into a Normal area, a Suspicious area and an Attack area]
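One way to make the three areas on that axis concrete, as an added example that is not from the deck: learn a request-rate baseline from a quiet period, express each new sample as its distance above the baseline in standard deviations (the attack degree), and map that degree to normal, suspicious or attack. The index of the first sample that lands in the attack area is the time an automated mitigation would need before it reacts. The baseline samples, live samples and thresholds below are constructed.

```python
"""Behavioral baseline scoring: maps a live request rate onto the deck's
attack-degree axis (normal / suspicious / attack). Added example; the
samples and thresholds are constructed, not measured data."""
import statistics

# Constructed: ten seconds of requests-per-second from a quiet period.
BASELINE_RPS = [100, 104, 98, 101, 103, 97, 102, 99, 100, 106]
# Constructed: live samples in which a flood ramps up from the fifth second.
LIVE_RPS = [101, 99, 108, 115, 180, 420, 900, 950]

SUSPICIOUS_AT = 3.0   # standard deviations above baseline
ATTACK_AT = 6.0


def learn_baseline(samples):
    """Return (mean, population standard deviation) of the quiet-period samples."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def attack_degree(value, mean, stdev):
    """Degree of attack: how many standard deviations the sample sits above
    the baseline. Samples at or below the mean score zero."""
    if stdev == 0:
        return 0.0 if value <= mean else float("inf")
    return max(0.0, (value - mean) / stdev)


def area(degree, suspicious_at=SUSPICIOUS_AT, attack_at=ATTACK_AT):
    """Map a degree onto the chart's three regions."""
    if degree >= attack_at:
        return "attack"
    if degree >= suspicious_at:
        return "suspicious"
    return "normal"


def classify_stream(live, baseline):
    """Label every live sample against a baseline learned once up front."""
    mean, stdev = learn_baseline(baseline)
    return [area(attack_degree(v, mean, stdev)) for v in live]


def seconds_to_detection(live, baseline):
    """Index of the first sample in the attack area, or None if there is none.
    Every sample before it is time the attacker has before automatic
    mitigation starts."""
    for i, label in enumerate(classify_stream(live, baseline)):
        if label == "attack":
            return i
    return None


if __name__ == "__main__":
    mean, stdev = learn_baseline(BASELINE_RPS)
    for v, label in zip(LIVE_RPS, classify_stream(LIVE_RPS, BASELINE_RPS)):
        print(f"{v:5d} rps  degree={attack_degree(v, mean, stdev):6.1f}  {label}")
    print("seconds to detection:", seconds_to_detection(LIVE_RPS, BASELINE_RPS))
```

A single rate is the simplest signal; a production baseline would carry several (packets per second, new connections per second, request mix per URL) and learn them per time of day so that a normal peak is not scored as suspicious.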

兵之情主速

THE SECURITY GAP

Attacker has time to bypass automatic mitigation.

Target does not possess required defensive skills.


You can’t defend against attacks you can’t detect. Know your limitations.

Enlist forces that have the expertise to help you fight.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

检测 Detection


故兵貴勝,不貴久

Detection: Application Attacks

• Web Attacks

• Application Misuse

• Connection Floods

• Brute Force

• Directory Traversals

• Injections

• Scraping & API Misuse

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Detection: Encrypted / Non-Volumetric Attacks

• Envelope Attacks – Device Overload

• Directed Attacks - Exploits

• Intrusions – Mis-Configurations

• Localized Volume Attacks

• Low & Slow Attacks

• SSL Floods

故兵貴勝,不貴久

Attack Detection: Volumetric Attacks

• Network DDoS

• SYN Floods

• HTTP Floods

Layered Lines Of Defense

[Diagram: defenses placed along the path Internet Pipe → Firewall → IPS/IDS → ADC → Attacked Server → SQL Server. Defenses shown: cloud DDoS protection, DoS protection, behavioral analysis, SSL protection, IPS, WAF. Attack vectors shown: large volume network flood attacks, network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress), HTTP floods, brute force, grouped as Volumetric attacks, Network & Stateful attacks and Application attacks.]

Aligned forces will make the difference

Protecting your data is not the same as protecting your business.

True security necessitates data protection, system integrity and operational availability.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

可用性 Protection


你准备好了吗? Are You Ready?