Switzerland under Attack
Werner Thalmeier, Director, Security Solutions EMEA
7 April 2016
A Look Into Attack Motives
Remember “C.H.E.W.” – Richard Clarke
– Cyber Crime: financial gain is the primary motive
– Hacktivism: driven by ideological differences
– Espionage: gaining information for political, financial or competitive leverage
– War: damage/destroy centers of power, military or non-military
Lines are blurring . . . “multi-motive” attacks. Ironically, evidently the more “secure” your data, the more it risks a cyberattack.
Over 90% Experienced Attacks in 2015
Half of organizations experienced DDoS and Phishing attacks. Almost half had Worm and Virus Damage. One in ten have not experienced any of the attacks mentioned.

Attack type                          Share of respondents
DDoS                                 51%
Phishing                             50%
Worm and Virus Damage                47%
Unauthorized Access                  34%
Criminal SPAM                        29%
Fraud                                25%
Advanced Persistent Threat           23%
Theft of Prop. Info./Intellectual…   15%
Corporate/Geo-political Sabotage      7%
None of the above                     9%
Source: Radware ERT Report 2015
Increased Attacks on Education and Hosting
Compared to 2014, most verticals stayed the same (chart: change from 2014, by vertical).
– Education and Hosting – increased likelihood; growing number of “help me DDoS my school” requests
– Motivations vary for Hosting – some target end customers, some target the hosting companies
Source: Radware ERT Report 2015
Increase in Ransom as a Motive for Cyber-attacks
More than 50% increase in ransom as a motivator for attackers. Motivation behind cyber-attacks is still largely unknown.
One-third cited political/hacktivism. About a quarter referenced competition, ransom, or angry users.
[Chart: motives behind cyber-attacks, 2014 vs 2015; individual bar labels are not attributable after extraction]
Q: Which of the following motives are behind any cyber-attacks your organization experienced?
Burst Attacks on the Rise
More than half of the three biggest attacks experienced lasted 1 hour or less – a significant increase from the 27% in 2014. Another indication of increased automated attacks.

Duration of the three biggest attacks, 2015 (the chart compares 2011–2015; values listed in the order extracted)
1 hour or less       57%
1 hour to 1 day      36%
1 day to 1 week       4%
Over a week           1%
Constantly            2%
Q: What are the three biggest cyber-attacks you have suffered: Duration?
Source: Radware ERT Report 2015
Similar Frequency for Network and Application Attacks
[Chart: frequency of Network Attacks and Application Attacks, “Daily / Weekly / Monthly” vs “Rarely-Never”, by attack type; individual bar labels are not attributable after extraction]
– Network: 38-42% experienced attacks daily, weekly or monthly
– Application: 38-52% experienced attacks daily, weekly or monthly
Complexity of Attacks Continues to Grow
Multi-vector attacks target all layers of the infrastructure.
Attack vectors: “Low & Slow” DoS attacks (e.g. Slowloris), SQL Injections, XSS, CSRF, HTTP Floods, Brute Force, SSL Floods, App Misuse, Large volume network flood attacks, Network Scan, Syn Floods
Infrastructure in the attack path: Internet Pipe – Firewall – IPS/IDS – Load Balancer/ADC – Server Under Attack – SQL Server
Protection layers: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, SSL protection, WAF
Internet Pipe – #1 Failure Point
Internet pipe is the bottleneck of DDoS attacks.

Failure point                    Share
Internet Pipe (saturation)       36%
Firewall                         21%
IPS/IDS                          10%
Load Balancer (ADC)               3%
The Server Under Attack          28%
SQL Server                        2%
March 9th – Armada sends ransom letter
Armada is sending ransom letters to Swiss finance institutes. They ask for 25 Bitcoins – 9.000,-€ or 9.800,- CHF.
Swiss GovCert issued an alert – http://www.govcert.admin.ch/blog/
At least one paid...
Who is The Armada Collective?
Background
Either originating from DD4BC or acting as a copycat using their methods. Focused on hosting providers, e-commerce and financial services, primarily in Europe. Two companies we know of have already been taken down.
Strategy
Customers receive a ransom mail asking for 30 bitcoins (5.600 € – 8.400 €). A warning attack follows within minutes. If payment is refused, attacks increase to up to 1TB. Targeted – emails are sent to dedicated, named internal recipients. They do their homework – if the victim has strong DDoS protection, they will not go after it; they only attack when they can create real damage.
Attack Methods
Current vectors are amplification attacks (NTP, RIP Reflection Amplification). Warning attacks up to 20GB.
Risk
Affected organizations have a short time to act and prepare. Very high risk – aggressive and professional attackers with proven results: high volume and taking down companies.
March 12th – Leading retailer and SBB became target
Attacks persisted throughout the week for several companies:
– Digitec.ch
– Fust.ch
– Microspot.ch
– Interdiscount.ch
– Denner.ch
– Leshop.ch
– Coop.ch
– Galaxus.com
– SBB.ch
– Brack.ch
"It is correct that our Webshop did not work for a short time. We currently believe that it was a DDoS attack. We can confirm that the customer data is safe and not affected. The shop is now again," said Nadine, Media Spokesperson at Interdiscount.
SBB, Interdiscount and Microspot went offline (screenshots: SBB, Interdiscount, Microspot).
Attack Vectors
Focus on volumetric attacks on the network layer. Network attacks typically exhaust network stack resources, router and switch processing capacity, and/or misuse bandwidth resources, all of which disrupt the victims’ network connectivity.
– SSDP
– NTP
– DNS
– TCP RST
– TCP SYN
– SYN Flood
– SYN ACK
– ICMP
Volumetric Attack – DNS Amplification
• Most frequently used attack vector
• Amplification effect:
  – Regular DNS replies – a normal reply is 3-4 times larger than the request
  – Researched replies – can reach up to 10 times the original request
  – Crafted replies – attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes): amplification factor of up to 100 times
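The amplification factor above is simply the response/request size ratio, and a victim sees the amplified replies arrive from servers it never queried. The following is an added example, not code from the deck or from Radware, showing how a defender can spot both signs in flow records: responses from a reflector port without a matching outbound request within a short window, and responses whose size ratio exceeds what normal DNS use produces. It generalizes from DNS to the other reflective services the deck lists (NTP, SNMP, SSDP). The flow records, addresses, the 10x alert threshold and the 2-second pairing window are all constructed assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services the deck names as reflectors (DNS here; NTP, SNMP, SSDP elsewhere on the page).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Assumed alerting threshold: the deck gives 3-4x as a normal DNS reply and up to
# ~10x for "researched" replies, so anything at or above 10x is treated as abnormal.
AMPLIFICATION_ALERT_RATIO = 10.0


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (constructed, NetFlow-like fields)."""
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    size: int      # payload bytes


def amplification_factor(request_bytes, response_bytes):
    """Response/request size ratio, the 'amplification factor' the deck refers to."""
    return round(response_bytes / request_bytes, 1)


def analyse_reflection(flows, protected_prefix, window=2.0):
    """Flag inbound reflector responses that are unsolicited or over-amplified.

    protected_prefix: address prefix of our own network (a string match is enough
    for a demonstration). Returns tuples (victim, protocol, verdict, ratio).
    """
    # Index our own outbound requests by (our host, reflector, service port).
    requests = defaultdict(list)
    for f in flows:
        if f.src.startswith(protected_prefix) and f.dport in REFLECTOR_PORTS:
            requests[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for f in flows:
        if not f.dst.startswith(protected_prefix) or f.sport not in REFLECTOR_PORTS:
            continue
        proto = REFLECTOR_PORTS[f.sport]
        # A genuine response must follow a recent request from us to that server.
        matches = [r for r in requests.get((f.dst, f.src, f.sport), [])
                   if 0 <= f.ts - r.ts <= window]
        if not matches:
            # Reflection: the (spoofed) request came from the attacker, not from us.
            findings.append((f.dst, proto, "unsolicited", None))
            continue
        # Pair with the largest matching request so the ratio stays conservative.
        ratio = amplification_factor(max(r.size for r in matches), f.size)
        if ratio >= AMPLIFICATION_ALERT_RATIO:
            findings.append((f.dst, proto, "amplified", ratio))
    return findings


# Constructed sample flows: 203.0.113.0/24 is "our" network, everything else is external.
SAMPLE_FLOWS = [
    Flow(0.0, "203.0.113.10", 40001, "192.0.2.53", 53, 60),     # our resolver's query
    Flow(0.1, "192.0.2.53", 53, "203.0.113.10", 40001, 200),    # normal reply, ~3.3x
    Flow(5.0, "203.0.113.10", 40002, "192.0.2.66", 53, 60),     # query to another server
    Flow(5.1, "192.0.2.66", 53, "203.0.113.10", 40002, 4096),   # maximum-size reply, ~68x
    Flow(9.0, "198.51.100.7", 123, "203.0.113.10", 123, 468),   # NTP answer we never asked for
    Flow(9.2, "198.51.100.9", 1900, "203.0.113.10", 5000, 320), # SSDP answer we never asked for
]

if __name__ == "__main__":
    for victim, proto, verdict, ratio in analyse_reflection(SAMPLE_FLOWS, "203.0.113."):
        print(f"{victim} {proto:5} {verdict:11} {ratio if ratio else ''}")
```

Pairing responses with outbound requests is what separates a busy but legitimate resolver from a reflection target; the size ratio then tells the analyst whether a server is answering with the maximum 4096-byte replies the deck describes.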
Parrot OS Attack Tool
• Popular OS for hackers, like Kali Linux
• DNS
• NTP
• SNMP
• SSDP
=> All are reflective attacks
Shenron Attack Tool
Lizard Squad’s public stresser service: 19,99$ => 15GB attack for 1200 seconds – DNS – SNMP – SYN
Generic Stresser Attack Tool
Unnamed stresser offered via a hacker on Twitter: telnet, UDP, ACK, Joomla and Portmap attacks. They also offer additional services like Skype, domain, and Cloudflare resolvers.
VDoS Attack Tool
One of the most popular tools. 19,99 will gain access to a 216 GBS attack network: DNS, NTP, ESSYN, xSYN, TS3, TCPACK, Dominate, VSE, SNMP, PPS, Portmap and TCP-Amp. We saw this tool also in the Sweden attacks.
Hybrid DDoS Mitigation Solution
Perimeter: Attack Mitigation Device, ADC, LAN
Cloud: Radware Cloud Scrubbing, with Defense Messaging between the perimeter device and the cloud
1. Traffic baseline is synchronized to the cloud
2. Volumetric DDoS attack saturates internet pipe
3. Attack is immediately detected and mitigated at the Perimeter
4. Attack is diverted and scrubbed in Radware’s Cloud Scrubbing Center, freeing internet pipe
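The hybrid flow hinges on one decision the perimeter device must make quickly and without flapping: when is the pipe saturated enough to divert to cloud scrubbing, and when is it safe to hand traffic back. The following is an added example, not Radware code or a description of DefensePro's logic, of such a diversion decision driven by the synchronized traffic baseline. It diverts when inbound traffic nears pipe capacity and is well above baseline, and restores only after several consecutive calm samples, which addresses the burst attacks and the false-positive tuning the deck raises. The pipe size, baseline, thresholds and sample series are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PipeGuard:
    """Decides when to divert traffic to cloud scrubbing and when to bring it back.

    All thresholds are assumptions for this example, not vendor defaults.
    """
    capacity_mbps: float            # size of the internet pipe
    baseline_mbps: float            # learned normal inbound rate (the deck's "traffic baseline")
    divert_at: float = 0.8          # divert once inbound reaches 80% of the pipe ...
    baseline_multiple: float = 3.0  # ... and is at least 3x baseline (guards against normal growth)
    restore_below: float = 0.5      # restore once inbound is below 50% of the pipe ...
    hold_samples: int = 3           # ... for this many consecutive samples (hysteresis)
    diverted: bool = False
    calm_samples: int = 0
    events: list = field(default_factory=list)

    def observe(self, ts, inbound_mbps):
        """Feed one inbound-rate sample; returns True while traffic is diverted."""
        util = inbound_mbps / self.capacity_mbps
        if not self.diverted:
            if util >= self.divert_at and inbound_mbps >= self.baseline_multiple * self.baseline_mbps:
                # Perimeter detects saturation and signals the cloud (steps 3 -> 4 above).
                self.diverted = True
                self.calm_samples = 0
                self.events.append((ts, "divert", round(util, 2)))
        else:
            if util <= self.restore_below:
                self.calm_samples += 1
                if self.calm_samples >= self.hold_samples:
                    # Sustained calm: hand traffic back to the normal path.
                    self.diverted = False
                    self.events.append((ts, "restore", round(util, 2)))
            else:
                # Attack still running, or a lull shorter than the hold: stay diverted.
                self.calm_samples = 0
        return self.diverted


def run_scenario(samples, capacity_mbps=1000.0, baseline_mbps=200.0):
    """Replay (ts, inbound_mbps) samples and return the divert/restore events."""
    guard = PipeGuard(capacity_mbps=capacity_mbps, baseline_mbps=baseline_mbps)
    for ts, rate in samples:
        guard.observe(ts, rate)
    return guard.events


# Constructed per-minute samples: a burst saturates a 1 Gbps pipe, then subsides.
SAMPLE_RATES = [(0, 200), (1, 250), (2, 900), (3, 1000), (4, 1000),
                (5, 400), (6, 300), (7, 300), (8, 300)]

if __name__ == "__main__":
    for event in run_scenario(SAMPLE_RATES):
        print(event)
```

The baseline multiple keeps a legitimately busy day from being diverted just because the pipe is full, and the hold period keeps a brief dip during an attack from flipping traffic back and forth between the perimeter and the scrubbing center.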
Radware’s Security Solution – Addressing the Multi-Vector Challenge
– Radware Emergency Response Team: 24x7 Security Experts
– On-Demand Cloud DDoS Service: DefensePipe, +2TB mitigation capacity, Hybrid or Standalone Models
– Centralized Management & Reporting: APSolute Vision
– Attack Mitigation Device: DefensePro, throughput ranging 200Mbps – 300Gbps
– Web Application Firewall: AppWall, Cloud WAF Service
Protection layers: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, SSL protection, WAF
Lessons Learned – Successful Attack Mitigation
Proactive preparation and planning is key.
– Need for an attack mitigation solution with the widest coverage to protect from multi-vector attacks, including protection from network- and application-based DDoS attacks.
– Consider a hybrid solution that integrates on-premise detection and mitigation with cloud-based protection to block volumetric attacks.
– Monitor security alerts and examine triggers carefully. Tune existing policies and protections to prevent false positives and ensure accurate detection.
– Have a cyber-security emergency response plan that includes an emergency response team and process. Identify areas where help is needed from a third party. A single point of contact is crucial when under attack – it will help to divert internet traffic and deploy mitigation solutions.
Thank You
[email protected] www.radware.com security.radware.com
© Radware 2016