Information Security Adaption: Survival In An Evolving Threat Landscape

Carl Herberger
VP, Security Solutions, Radware
The Evolving Threat Landscape
Anatomy of an Attack
Securing Tomorrow’s Perimeter
The Evolving Threat Landscape
More Attacks. More Often.
Latency Yesterday for US Commercial Banks (chart)
Attack Motivation (timeline chart: Attack Risk versus Time, 2001 to 2010, with motivation shifting from Vandalism and Publicity, to Financially Motivated, to “Hacktivism” with Blending Motives)

Events plotted:
• 2001: CodeRed; Nimda (Installed Trojan)
• 2003: Blaster; Slammer (Attacking SQL sites)
• 2004: Agobot (DoS Botnet); Republican website DoS
• 2007: Storm (Botnet); Rustock (Botnet); Estonia’s Web Sites DoS Attacks
• 2008: Georgia Web sites DoS
• 2009: Srizbi (Botnet); Google / Twitter Attacks; July 2009 Cyber Attacks on US & Korea
• 2010: IMDDOS (Botnet); Dec 2010 Operation Payback
• Mar 2011: Netbot DDoS; Codero DDoS / Twitter; Operation Payback II; DDoS on Wordpress.com
• Shown without a readable year: Kracken (Botnet); Peru, Chile; LulzSec (Sony, CIA, FBI)
Hacktivism - Becomes More Campaign-APT Oriented

• Complex: More than seven different attack vectors at once
• Blending: both network and application attacks
• Targeteering: Select the most appropriate target, attack tools,
• Resourcing: Advertise, invite, coerce anyone capable …
• Testing: Perform short “proof-firing” prior to the attack
• Timeline: Establish the most painful time period for his victim
Hacktivism - Becomes More Campaign-APT Oriented (campaigns ordered by a sophistication measure)

• Attack target: Visa, MasterCard. Duration: 3 Days. 4 Attack vectors.
• Attack target: HKEX. Duration: 3 Days. 5 Attack vectors. Only “inner cycle” involvement.
• Attack target: Israeli sites. Duration: 6 Days. 5 Attack vectors. “Inner cycle” involvement.
• Attack target: Vatican. Duration: 20 Days. More than 7 Attack vectors. “Inner cycle” involvement.
The Anonymous Arms Race

Network:             UDP Floods, SYN Floods, Fragmented Floods, FIN + ACK
Application Flood:   Dynamic HTTP, HTTPS Floods
Low & Slow:          RUDY, Slowloris, Pyloris
Vulnerability Based: Intrusion Attempts, SQL Injection, #refref, xerex
Digital Supply Chain Defense (layered diagram, with Integration across the layers)

• In-the-Cloud Defenses. Cloud Common Targets: DNS, ISP, CDN & CA/CRL
• Perimeter Defenses – Network & Application (Outer), DefensePro. Perimeter Common Targets: Firewalls, IPS, Routers, Load Balancers
• Advanced (Inner) Application Defenses, AppWall. Application Targets: Sessions, Connections, SSL
• Protected Online Services
2012 Security Report
Anatomy of an Attack
The Evolving Threat Landscape
Securing Tomorrow’s Perimeter
Example Stock Exchange Attack

Attack Vector          Time Stamp                       Attack Peak
Fragmented UDP Flood   1:00 AM                          95 Mbps / 10K PPS
LOIC UDP               4:00 AM and 8:00 PM - 11:00 PM   50 Mbps / 5K PPS
TCP SYN Flood          1:40 PM                          13.6 Mbps / 24K PPS
R.U.D.Y                4:00 PM                          2.1 Mbps / 0.7K PPS
LOIC TCP               11:00 PM - 3:30 AM               500 Kbps / 0.2K PPS
Mobile LOIC            6:00 PM - 8:30 PM                86 Kbps / 13 PPS
#RefRef                9:45 PM                          Few packets
The Security Trinity

Confidentiality. Security Confidentiality, a mainstream adaptation of the “need to know” principle of the military ethic, restricts the access of information to those systems, processes and recipients to which the content was intended to be exposed.

Integrity. Security Integrity in its broadest meaning refers to the trustworthiness of information over its entire life cycle.

Availability. Security Availability is a characteristic that distinguishes information objects that have signaling and self-sustaining processes from those that do not, either because such functions have ceased (outage, an attack), or else because they lack such functions.
The Security Trinity: Confidentiality, Integrity, Availability (triangle diagram)
Confidentiality (chart: Defenses | Examples | Attacks | Vulnerabilities)

Defenses: Data Leakage Protection; Social Engineering Protection; Compliance Oriented Activity; Enterprise Encryption; Database Security

Examples (breaches by year):
• 2005: Ameriprise Financial 24M Lost
• 2006: Boeing 386K; Dept. of VA 29M
• 2007: TJ Maxx 45M; The Gap 800K
• 2008: Countrywide 17M; GE Financial 800K
• 2009: Heartland 100M; Rock You! 32M
• 2010 +/-: RSA 2-Factor Token Hack
• 2011: Sony 100M; HB Gary - FBI
• 2011 - 2012: AES Hack; Apple – 12M

Attacks: IPv6 Encapsulated in IPv4; MITB Attacks; Hash Attacks; SSL Attacks; AES Attacks; 3DES Attacks; ARP Attacks; VPN Attacks; PPTP Attacks; SIP Attacks; L2TP Attacks; WEP Attacks; TLS Attacks; EAP Attacks

Vulnerabilities: O/S Exploits; Encryption & Authentication Weaknesses; Application Exploits; Network Exploits
The Security Trinity: Confidentiality, Integrity, Availability (triangle diagram)
Integrity (chart: Vulnerabilities | Attacks | Examples | Defenses)

Vulnerabilities: Fraud & Scams; Man-in-the-Middle; O/S Exploits; Transmission Encryption Weaknesses; Application Exploits; Network Exploits

Attacks: Anonymizers; Malware; ARP Attacks; Unauthorized Authentication; Steganography; Spoofing; Keyloggers; Rootkits; Skimming

Examples:
• 2002: SSH2 Hack
• 2006: SSL / TLS Plaintext Attack
• 2008: US CERT: MD5 Hash Insecure
• 2009: Encrypted Kernel Exploit Discovered
• 2010: PCI: Kiss your WEP Goodbye!
• Dec 2010: NIST: 1K Certs Not Recommended
• 2011: Browser Exploit Against SSL / TLS (BEAST) Released
• Nov 2011: THC – SSL Attack Released

Defenses: Hardware Security Modules (HSM); Federated Identity Management; Multi-Factored Authentication; Public Key Infrastructure; Network Access Control; Fraud Detection / Hash Checksums
The Security Trinity: Confidentiality, Integrity, Availability (triangle diagram)
Availability (chart: Vulnerabilities | Attacks | Tools | Examples | Defenses)

Vulnerabilities: Application Exploits; Network Exploits; Business Logic Exploits; Architecture Exploits; O/S Exploits; RFC Exploits

Attacks: ICMP Floods; TCP RESET Floods; TCP Fragment Floods; TCP FIN Floods; IGMP Floods; HTTP POST Floods; ACK Floods; TCP Stack Resource Attacks; RFC Violation Attacks; TCP SYN+ACK Floods; HTTP GET Page Floods; SSL Attacks; SIP Attacks; Session Attacks; Memory Allocation Attacks; SQL Attacks; Concurrent Connection Attacks; DNS Query Floods; Brute Force Attacks; TCP SYN Floods; TCP Out-of-State Floods

Tools: LOIC; HULK; Xerxes; HOIC; #Refref; Leonitis; Slowloris; Socket Stress; Pyloris; R-U-Dead-Yet (RUDY)

Examples:
• Feb 2010: Operation Titstorm: Australian Government Outages
• Nov 2010: Operation Payback: Visa, MasterCard + other outages
• Apr 2011: Operation Sony: Play Station.com Outage, Leaked CC#
• June 2011: Operation Iran: Iran Government Outages, Leaked Emails, Hacked IT
• Jun 2011: Operation AntiSec: AZ Department of Public Safety Down
• Jun 2012: AT&T DNS Outage & L3 ISP Outage Attacks

Defenses: Hardware-Based Volumetric Protections; Web-Application Firewall; Behavioral Technologies; Architecture Improvements; Challenge / Response Technology; Black / White / Access Control Lists
Size Does Not Matter. Honest.

The impact of application flood attacks is much more severe than that of network flood attacks.

76% of attacks are below 1Gbps!
Availability-based Threats Tree

Availability-based Threats
• Network Floods (Volumetric): ICMP Flood, UDP Flood, SYN Flood
• Application Floods: Web Flood (HTTPS), DNS, SMTP
• Low-and-Slow
• Single-packet DoS

Radware Confidential Jan 2012
R.U.D.Y. (R-U-Dead-Yet?)
R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and
named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form
field submissions. By injecting one byte of information into an application POST field at a time and then waiting,
R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this
behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y.
causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating
simultaneous connections to the server the attacker is ultimately able to exhaust the server’s connection table and
create a denial-of-service condition.
Slowloris
Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a
very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slowly as possible (waiting to
send the next tiny chunk until just before the server would time out the request), the server is forced to keep
waiting for the headers to arrive. If enough connections are opened to the server in this fashion, it quickly becomes
unable to handle legitimate requests.
Slowloris is cross-platform, but because of Windows’ ~130 simultaneous socket limit it is only effective from
UNIX-based systems, which allow more connections to be opened in parallel to a target server (although a GUI
Python version of Slowloris dubbed Pyloris was able to overcome this limiting factor on Windows).
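Both R.U.D.Y. and Slowloris work by keeping a request incomplete for as long as the server is willing to wait, so the defence is to stop waiting: give each phase of a request a short grace period that is extended only by bytes actually arriving, and close the connection once that deadline passes. The Python below is an added example written for this page, not code from the presentation or from Radware. It models the minimum-data-rate timeout that web servers implement (Apache's mod_reqtimeout is the best-known instance), and it counts closed connections per source address, which is the signal a defender wants: one client holding many half-finished requests is the footprint both tools leave. The `PendingRequest` record, the `POLICY` numbers and the connection table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PendingRequest:
    """One server-side connection that has not yet delivered a full request.
    Constructed record for this example; a real server keeps this state in
    its connection table."""
    conn_id: str
    peer: str
    phase: str               # "headers" until the blank line arrives, then "body"
    phase_started_at: float  # seconds on a monotonic clock
    phase_bytes: int         # bytes received so far in the current phase
    complete: bool = False   # True once the whole request has been read


@dataclass(frozen=True)
class RateTimeout:
    """Deadline policy for one request phase: `initial` seconds are granted up
    front, every `min_rate` bytes received buy one more second, and `maximum`
    caps the phase however quickly bytes arrive."""
    initial: float
    maximum: float
    min_rate: float

    def deadline(self, phase_started_at: float, phase_bytes: int) -> float:
        extension = phase_bytes / self.min_rate
        return phase_started_at + min(self.initial + extension, self.maximum)


# Assumed policy: 20 s to get each phase going, extended by 1 s per 500 bytes,
# headers capped at 40 s and bodies at 120 s (a legitimate large upload must
# keep flowing at the minimum rate, but is not cut off by a small cap).
POLICY: Dict[str, RateTimeout] = {
    "headers": RateTimeout(initial=20.0, maximum=40.0, min_rate=500.0),
    "body": RateTimeout(initial=20.0, maximum=120.0, min_rate=500.0),
}


def evaluate(req: PendingRequest, now: float,
             policy: Dict[str, RateTimeout] = POLICY) -> str:
    """Return "close" when an incomplete request has outlived its phase
    deadline, otherwise "ok"."""
    if req.complete:
        return "ok"
    limit = policy[req.phase]
    if now > limit.deadline(req.phase_started_at, req.phase_bytes):
        return "close"
    return "ok"


def sweep(table: List[PendingRequest], now: float,
          policy: Dict[str, RateTimeout] = POLICY) -> Tuple[List[str], Dict[str, int]]:
    """Evaluate every connection. Returns the connection ids to close and a
    per-peer count of those closures: many stalled requests from one address
    is the pattern of a low-and-slow tool rather than of a slow user."""
    to_close: List[str] = []
    stalled_by_peer: Dict[str, int] = {}
    for req in table:
        if evaluate(req, now, policy) == "close":
            to_close.append(req.conn_id)
            stalled_by_peer[req.peer] = stalled_by_peer.get(req.peer, 0) + 1
    return to_close, stalled_by_peer


# Constructed connection table, inspected at clock time 120.0 s.
NOW = 120.0
SAMPLE_TABLE: List[PendingRequest] = [
    # A normal request already fully read: never a candidate.
    PendingRequest("c1", "198.51.100.10", "body", 118.0, 2_048, complete=True),
    # A user on a slow link uploading a form: 15 000 bytes in 20 s keeps the
    # deadline moving (100 + 20 + 30 = 150 > 120), so it is left alone.
    PendingRequest("c2", "198.51.100.23", "body", 100.0, 15_000),
    # Slowloris pattern: 40 header bytes trickled in since t=10, deadline 30.08.
    PendingRequest("c3", "203.0.113.7", "headers", 10.0, 40),
    # R.U.D.Y. pattern: headers done at t=50, 30 body bytes since, deadline 70.06.
    PendingRequest("c4", "203.0.113.7", "body", 50.0, 30),
    # Same peer, opened 15 s ago with nothing sent yet: still inside the
    # initial grace period (deadline 125), so not closed on this sweep.
    PendingRequest("c5", "203.0.113.7", "headers", 105.0, 0),
]


def run_demo() -> Tuple[List[str], Dict[str, int]]:
    """Sweep the constructed table; returns (["c3", "c4"], {"203.0.113.7": 2})."""
    return sweep(SAMPLE_TABLE, NOW)


if __name__ == "__main__":
    closed, by_peer = run_demo()
    print("close:", closed)
    print("stalled connections per peer:", by_peer)
```

The policy numbers mirror the documented Apache example `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`; the 120 s body cap is this example's own assumption. The per-peer count is what feeds an access-control list or a challenge/response step: a single stalled connection from an address is a slow client, several in one sweep is a tool.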
Main Bottlenecks During DoS Attacks - ERT Survey (chart)
The Impact (chart: Confidentiality, Integrity and Availability impact per Target / Operation, 2007 to 2010)

Targets / Operations shown, left to right: Habbo; Hal Turner; Project Chanology; Epilepsy Foundation; AllHipHop Defacement; No Cussing Club; 2009 Iranian Election Protests; Operation Didgeridie; Operation Titstorm; Oregon Tea Party Raid; Operation Payback; Avenge Assange; Ope… Bra… (label cut off at the chart’s right edge)
APTs & Zero-Day Resolution Intensifies

Defense Blind Spot Map (matrix of Protection Purpose against control type; the cell markings did not survive the export)

Controls (columns): Firewall; IPS; WAF; Router ACLs; Next Gen FW; Anti-DoS Appliance (CPE); DLP; Cloud Anti-DoS

Protection Purpose (rows):
• Data-At-Rest Protections (Confidentiality)
• Data-At-Endpoint (Confidentiality)
• Data-In-Transit (Confidentiality)
• Network Infrastructure Protection (Integrity)
• Application Infrastructure Protection (Integrity)
• Volumetric Attacks (Availability)
• Non-Volumetric Resource Attacks (Availability)

Gartner Sep 2012: Anti-DoS “BlindSpot”
Securing Tomorrow’s Perimeter
What We Should Work Toward

• 100% Architecture Protection. Varied Deployment Models.
• Understand the behavior beyond protocol and content
• It’s an ecosystem… collaboration is key
• Emergency response & triage: Practice cyber war rooms
• Integrate offense into your security strategies.
Perimeter Defense Planning

Any gap in coverage represents a vulnerability. That will be exploited.
Perimeter Defense Planning
Emergency Response Teams & Cyber War Rooms (chart: existing level of skills over time, the gap labelled Lack of Expertise, the response labelled Strategy)

• Get ready: Audits; Policies; Technologies
• Attack Time: Emergency Response Team that “fights”
• Forensics: Analyze what happened; Adjust policies; Adapt new technologies

• Required expertise during attack campaign
   –   Complex risk assessment
   –   Tracking and modifying protections against dynamically evolved attacks
   –   Real time intelligence
   –   Real time collaboration with other parties
   –   Counter attack methods and plans
   –   Preparation with cyber “war games”
The Best Defense Is A…




Key Notes:
- Counter Attack’s Comeuppance is Upon Us
- Key IR Assumptions are wrong – e.g. Law enforcement
- Attack Mitigation Talent is Low. Knowledge must increase.
- Corporate Policies are IR not ERT focused
Anatomy of an Attack
The Evolving Threat Landscape
Securing Tomorrow’s Perimeter
Adapting Perimeter Defenses

• Plan for 100% architecture protection
• Review your attack mitigation toolkit
• Assess infrastructure vulnerabilities to DDoS attacks
• Plan ahead – Can’t stop attacks without a game plan
• Emergency response & triage - Practice cyber war rooms
• Integrate offense into your security strategies
• Watch what’s happening on the network – Do you have signals?
• Assume attacks will be multi-vector in nature
• Partner with companies that know how to defend against
  persistent attacks
Thank You



Carl Herberger
VP, Security Solutions
Radware
carl.herberger@radware.com
Low & Slow

• Slowloris
• Sockstress
• R.U.D.Y.
• Simultaneous Connection Saturation

SecureWorld: Information Security Adaption: Survival In An Evolving Threat Landscape

  • 1. Information Security Adaption: Survival In An Evolving Threat Landscape Carl Herberger VP, Security Solutions, Radware
  • 2. The Evolving Threat Landscape Anatomy of an Attack Securing Tomorrow’s Perimeter
  • 5. Latency Yesterday for US Commercial Banks
  • 6. Attack Motivation [timeline chart: attack risk over time, 2001–2011, moving from “Vandalism and Publicity” through “Financially Motivated” to “Hacktivism” with blending motives]. Events plotted: CodeRed and Nimda (Installed Trojan) 2001; Slammer (Attacking SQL sites), Blaster and Agobot (DoS Botnet) 2003; Republican website DoS 2004; Rustock (Botnet), Storm (Botnet) and Estonia’s Web Sites Attacks 2007; Georgia Web sites DoS 2008; Srizbi (Botnet), Kracken (Botnet), Codero DDoS / Twitter, Google / Twitter attacks and US & Korea Cyber Attacks (July 2009) 2009; IMDDOS (Botnet) 2010; Operation Payback Dec 2010; Netbot DDoS, Operation Payback II, Peru / Chile, Wordpress.com DDoS and LulzSec (Sony, CIA, FBI) Mar 2011.
  • 7. Hacktivism - Becomes More Campaign-APT Oriented
    • Complex: more than seven different attack vectors at once
    • Blending: both network and application attacks
    • Targeteering: select the most appropriate target and attack tools
    • Resourcing: advertise, invite, coerce anyone capable …
    • Testing: perform short “proof-firing” prior to the attack
    • Timeline: establish the most painful time period for the victim
  • 8. Hacktivism - Becomes More Campaign-APT Oriented [chart: sophistication measured by duration, number of attack vectors and “inner cycle” involvement, for four campaigns]
    • Attack target: Vatican – duration 20 days, more than 7 attack vectors, “inner cycle” involvement
    • Attack target: HKEX – duration 3 days, 5 attack vectors, only “inner cycle” involvement
    • Duration 6 days, 5 attack vectors
    • Duration 3 days, 4 attack vectors, “inner cycle” involvement
    • Attack targets: Israeli sites; Visa, MasterCard
  • 9. The Anonymous Arms Race
    • Network Flood: UDP Floods, SYN Floods, Fragmented Floods, FIN + ACK
    • Application Flood: Dynamic HTTP, HTTPS Floods, Xerxes
    • Low & Slow: RUDY, Slowloris, Pyloris
    • Vulnerability Based: Intrusion Attempts, SQL Injection, #refref
  • 10. Digital Supply Chain Defense Integration
    • Cloud – In-the-Cloud Defenses. Common targets: DNS, ISP, CDN & CA/CRL
    • Perimeter (Outer) – Perimeter Defenses (DefensePro). Common network & application targets: Firewalls, IPS, Routers, Load Balancers
    • Advanced (Inner) – Application Defenses (AppWall). Application targets: Sessions, Connections, SSL
    • Protected Online Services
  • 12. Anatomy of an Attack The Evolving Threat Landscape Securing Tomorrow’s Perimeter
  • 13. Example Stock Exchange Attack (attack vector – time stamp – attack peak)
    • Fragmented UDP Flood – 1:00 AM – 10K PPS / 95 Mbps
    • LOIC UDP – 4:00 AM and 8:00 PM - 11:00 PM – 5K PPS / 50 Mbps
    • TCP SYN Flood – 1:40 PM – 24K PPS / 13.6 Mbps
    • R.U.D.Y – 4:00 PM – 0.7K PPS / 2.1 Mbps
    • LOIC TCP – 11:00 PM - 3:30 AM – 0.2K PPS / 500 Kbps
    • Mobile LOIC – 6:00 PM - 8:30 PM – 13 PPS / 86 Kbps
    • #RefRef – 9:45 PM – few packets
  • 14. The Security Trinity
    • Security Confidentiality, a mainstream adaptation of the “need to know” principle of the military ethic, restricts the access of information to those systems, processes and recipients from which the content was intended to be exposed.
    • Security Integrity, in its broadest meaning, refers to the trustworthiness of information over its entire life cycle.
    • Security Availability is a characteristic that distinguishes information objects that have signaling and self-sustaining processes from those that do not, either because such functions have ceased (outage, an attack), or else because they lack such functions.
  • 15. The Security Trinity Confidentiality Integrity Availability
  • 16. Confidentiality [diagram: examples, attacks, vulnerabilities and defenses]
    • Examples: 2005 Ameriprise Financial 24M lost; 2006 Boeing 386K, Dept. of VA 29M; 2007 TJ Maxx 45M, The Gap 800K; 2008 Countrywide 17M, GE Financial 800K; 2009 Heartland 100M, Rock You! 32M; 2010 RSA 2-Factor Token Hack; 2011 Sony 100M, HB Gary - FBI; 2011 - 2012 Apple – 12M
    • Attacks: IPv6 Encapsulated in IPv4, MITB Attacks, Hash Attacks, AES Attacks, SSL Attacks, 3DES Attacks, ARP Attacks, VPN Attacks, PPTP Attacks, SIP Attacks, L2LP Attacks, WEP Attacks, TLS Attacks, AES Hack, EAP Attacks
    • Vulnerabilities: O/S Exploits, Application Exploits, Network Exploits, Encryption Weaknesses
    • Defenses: Data Leakage Protection, Social Engineering Protection, Compliance Oriented Activity, Enterprise Encryption, Encryption & Authentication, Database Security, Network Defenses
  • 19. Integrity [diagram: examples, attacks, vulnerabilities and defenses]
    • Examples: 2002 SSH2 Hack; 2006 SSL / TLS Plaintext Attack; 2008 US CERT: MD5 Hash Insecure; 2009 Encrypted Kernel Exploit Discovered; 2010 PCI: Kiss your WEP Goodbye!; Dec 2010 NIST: 1K Certs Not Recommended; 2011 Browser Exploit Against SSL / TLS (BEAST) Released; Nov 2011 THC – SSL Attack Released
    • Attacks: Fraud & Scams, Man-in-the-Middle, Anonymizers, ARP Attacks, Malware, Unauthorized Authentication, Steganography, Spoofing, Keyloggers, Rootkits, Skimming
    • Vulnerabilities: O/S Exploits, Network Encryption Weaknesses, Application Exploits, Network Exploits
    • Defenses: Hardware Security Modules (HSM), Federated Identity Management, Multi-Factored Authentication, Public Key Infrastructure, Transmission Encryption, Access Control, Fraud Detection, Hash Checksums
  • 22. Availability [diagram: attacks, vulnerabilities, tools, examples and defenses]
    • Attacks: ICMP Floods, TCP RESET Floods, TCP Fragment Floods, TCP FIN Floods, IGMP Floods, HTTP POST Floods, ACK Floods, RFC Violation Attacks, TCP SYN+ACK Floods, HTTP GET Page Floods, SIP Attacks, SSL Attacks, SQL Attacks, DNS Query Floods, Concurrent Connection Attacks, Brute Force Attacks, TCP SYN Floods, TCP Out-of-State Floods, Socket Stress Attacks, Session Attacks, Memory Allocation Attacks
    • Vulnerabilities: Application Exploits, Network Exploits, Business Logic Exploits, Architecture Exploits, TCP Stack Exploits, O/S Exploits, RFC Exploits, Resource Attacks
    • Tools: LOIC, HULK, Xerxes, HOIC, Leonitis, #Refref, Slowloris, R-U-Dead-Yet (RUDY), Pyloris
    • Examples: Jun 2012 AT&T DNS Outage & L3 ISP Outage; Feb 2010 Operation Titstorm: Australian Government Outages; Jun 2011 Operation AntiSec: AZ Department of Public Safety Down; Nov 2010 Operation Payback: Visa, MasterCard + other outages; June 2011 Operation Iran: Iran Government Outages, Leaked Emails, Hacked IT; Apr 2011 Operation Sony: PlayStation.com Outage, Leaked CC#
    • Defenses: Black / White Access Control Lists, Hardware-Based Volumetric Protections, Challenge / Response Technologies, Web-Application Firewall Technology, Behavioral Defenses, Architecture Improvements
  • 23. Size Does Not Matter. Honest. The impact of application flood attacks is much more severe than that of network flood attacks. 76% of attacks are below 1Gbps!
  • 24. Availability-based Threats Tree
    • Network Floods (Volumetric): ICMP Flood, UDP Flood, SYN Flood
    • Application Floods: Web, DNS, SMTP, HTTPS
    • Single-packet DoS
    • Low-and-Slow
  • 25. R.U.D.Y. (R-U-Dead-Yet?) R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server’s connection table and create a denial-of-service condition.
  • 26. Slowloris Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slowly as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests. Slowloris is cross-platform, except that due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based systems, which allow more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed Pyloris was able to overcome this limiting factor on Windows).
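The two slides above describe the same server-side symptom from two angles: Slowloris holds a connection open with headers that never complete, R.U.D.Y. holds one open with a POST body that arrives a byte at a time against a huge declared Content-Length. As an added example (not from the slides or Radware), this Python snippet shows how a defender can flag both patterns from a snapshot of open connections such as a reverse proxy status page exposes; the snapshot, field names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    """One open client connection as a status page would report it (assumed fields)."""
    src: str
    age_s: float          # seconds since the connection was accepted
    headers_done: bool    # has the request line plus all headers arrived?
    content_length: int   # declared Content-Length (0 if none)
    body_bytes: int       # body bytes received so far


# Constructed snapshot, not real traffic.
SNAPSHOT = [
    Conn("203.0.113.5", 240, False, 0, 0),              # headers still trickling (Slowloris pattern)
    Conn("203.0.113.5", 233, False, 0, 0),
    Conn("203.0.113.5", 228, False, 0, 0),
    Conn("198.51.100.9", 300, True, 1_000_000, 290),    # ~1 byte/s into a huge POST (R.U.D.Y. pattern)
    Conn("198.51.100.9", 295, True, 1_000_000, 280),
    Conn("192.0.2.77", 3, True, 512, 512),              # normal client, request complete in 3 s
    Conn("192.0.2.78", 45, True, 20_000_000, 18_000_000),  # large but healthy upload
]


def classify(c, min_age_s=30.0, min_body_rate=50.0):
    """Label a connection 'slow-headers', 'slow-body' or 'ok'.

    Headers still incomplete after min_age_s matches Slowloris; a body arriving
    below min_body_rate bytes/s with declared length still outstanding matches
    R.U.D.Y. Both thresholds are assumptions to tune per site.
    """
    if c.age_s < min_age_s:
        return "ok"
    if not c.headers_done:
        return "slow-headers"
    if c.content_length > 0:
        rate = c.body_bytes / c.age_s
        if rate < min_body_rate and c.content_length > c.body_bytes:
            return "slow-body"
    return "ok"


def suspicious_sources(conns, per_source_limit=2):
    """Sources holding per_source_limit or more low-and-slow connections at once."""
    counts = {}
    for c in conns:
        if classify(c) != "ok":
            counts[c.src] = counts.get(c.src, 0) + 1
    return {s: n for s, n in counts.items() if n >= per_source_limit}


if __name__ == "__main__":
    for c in SNAPSHOT:
        print(c.src, classify(c))
    print(suspicious_sources(SNAPSHOT))  # {'203.0.113.5': 3, '198.51.100.9': 2}
```

The per-source count is the hook for mitigation: it is the input to the challenge/response or access-control-list defenses listed on slide 22, and the header and body timeouts the heuristic assumes are exactly what a web server's request timeout settings should enforce.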
  • 27. Main Bottlenecks During DoS Attacks - ERT Survey
  • 28. The Impact [timeline chart 2007–2010 of targets / operations, rated by Confidentiality, Integrity and Availability impact]. Entries: Hal Turner, Habbo Raid, Project Chanology, Epilepsy Foundation, AllHipHop Defacement, No Cussing Club, Didgeridie, Oregon Tea Party, 2009 Iranian Election Protests, Operation Titstorm, Avenge Assange, Operation Payback
  • 29. APTs & Zero-Day Resolution Intensifies
  • 30. Defense Blind Spot Map [matrix of protection purpose versus control type]
    • Control types: Router ACLs, Firewall, IPS, Next Gen FW, WAF, Anti-DoS Appliance (CPE), DLP, Cloud Anti-DoS Protection
    • Purposes: Data-At-Rest Protections (Confidentiality); Data-At-Endpoint (Confidentiality); Data-In-Transit (Confidentiality); Network Infrastructure Protection (Integrity); Application Infrastructure Protection (Integrity); Volumetric Attacks (Availability); Non-Volumetric Resource Attacks (Availability)
  • 31. Gartner Sep 2012: Anti-DoS “BlindSpot”
  • 34. What We Should Work Toward
    • 100% architecture protection. Varied deployment models.
    • Understand the behavior beyond protocol and content
    • It’s an eco-system … collaboration is key
    • Emergency response & triage: practice cyber war rooms
    • Integrate offense into your security strategies.
  • 36. Perimeter Defense Planning. Any gap in coverage represents a vulnerability that will be exploited.
  • 38. Emergency Response Teams & Cyber War Rooms [diagram: existing level of skills versus lack of expertise across the attack lifecycle]
    • Get ready: audits, policies, technologies
    • Attack time: emergency response team that “fights”
    • Forensics: analyze what happened, adjust policies, adapt new technologies
    • Required expertise during attack campaign: complex risk assessment; tracking and modifying protections against dynamically evolved attacks; real time intelligence; real time collaboration with other parties; counter attack methods and plans; preparation with cyber “war games”
    • Strategy
  • 39. The Best Defense Is A… Key Notes:
    • Counter Attack’s Comeuppance is Upon Us
    • Key IR Assumptions are wrong – e.g. Law enforcement
    • Attack Mitigation Talent is Low. Knowledge must increase.
    • Corporate Policies are IR not ERT focused
  • 40. Anatomy of an Attack The Evolving Threat Landscape Securing Tomorrow’s Perimeter
  • 41. Adapting Perimeter Defenses
    • Plan for 100% architecture protection
    • Review your attack mitigation toolkit
    • Assess infrastructure vulnerabilities to DDoS attacks
    • Plan ahead – can’t stop attacks without a game plan
    • Emergency response & triage - practice cyber war rooms
    • Integrate offense into your security strategies
    • Watch what’s happening on the network – do you have signals?
    • Assume attacks will be multi-vector in nature
    • Partner with companies that know how to defend against persistent attacks
  • 42. Thank You Carl Herberger VP, Security Solutions Radware [email protected]
  • 43. Low & Slow: Slowloris, Sockstress, R.U.D.Y., Simultaneous Connection Saturation