The Art of Cyber War Strategies in a rapidly evolving theatre

RSI, May 2014
© Radware, Inc. 2014
The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is widely regarded as the definitive work on military strategy and tactics, and for the last two thousand years it has remained the most important military dissertation in Asia. It has influenced Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from it.
Many of its conclusions remain valid today, in the era of cyber warfare.
Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計
Attack Vectors %: Increasing Complexity (chart)
Application: 62%
Network: 38%
不戰而屈人之兵,善之善者也
To subdue the enemy without fighting is the acme of skill
Individual Servers (1998 - 2002)
Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity through direct communication.
Examples: Trin00, TFN, Trinity

Botnets (1998 - Present)
Stealthy malicious software installed mostly on personal computers without the owner's consent; controlled by a single entity through indirect channels (IRC, HTTP).
Examples: Agobot, DirtJumper, Zemra

Voluntary Botnets (2010 - Present)
Many users, at times as part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel.
Examples: LOIC, HOIC

New Server-based Botnets (2012)
Powerful, well orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.
不戰而屈人之兵,善之善者也 (To subdue the enemy without fighting is the acme of skill)
Current prices on the Russian underground market:
Hacking corporate mailbox: $500
Winlocker ransomware: $10-$20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70 / day, $1,200 / month
Botnet: $200 for 2,000 bots
DDoS Botnet: $700
ZeuS source code: $200-$250
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email scam (using customer database): $50-$500 per one million emails
Attack Length %: Increasing Duration (chart)
故善战者,立于不败之地
The good fighters of old first put themselves beyond the possibility of defeat

Sophistication of notable campaigns, 2010 to 2013 (chart):
• Attack target: Vatican; duration: 20 days; more than 7 attack vectors
• Attack target: HKEX; duration: 3 days; 5 attack vectors
• Attack target: US Banks; duration: 7 months; multiple attack vectors
• Attack target: Visa, MasterCard; duration: 3 days; 4 attack vectors
知彼知己,百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles
Notable DDoS Attacks in the Last 12 Months
行軍: Colombia
Battlefield: Colombian government online services
Cause: Colombian independence
Battle: A large-scale cyber attack carried out on July 20th, Colombian Independence Day, against 30 Colombian government websites.
Result: Most websites were either defaced or shut down completely for the entire day of the attack.
行軍: Colombia
Attackers: Colombian Hackers
• A known hacker collective suspected of being responsible for several other cyber attacks in Colombia during 2012-13. The group was supported by sympathizers and used Twitter to communicate.
Motivation: Ideological
• Anti-government stance, claiming to stand for "freedom, justice and peace." Mantra: "We are Colombian Hackers, to serve the people."
行軍: Colombia
Web application attacks:
• Directory traversal – web application attack to gain access to password files that can later be cracked offline.
• Brute force attacks on the pcAnywhere service – looking for accounts with weak passwords that let attackers gain remote access to victim servers.
• SQL injection attacks – web application attacks to gain remote server access.
• Web application vulnerability scanning
• Application DDoS attacks: mainly HTTP floods
Network DDoS attacks:
• SYN floods, UDP floods, ICMP floods
• Anomalous traffic (invalid TCP flags, source port zero, invalid L3/L4 headers)
• TCP port scans
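The directory traversal item above is the classic pattern of joining a user-supplied path onto a document root. The following is an added example, not code from the Radware deck: a vulnerable file handler beside a hardened one, exercised against a constructed sample tree (the temp directory, file names and the fake password line are all made up for the demo). The hardened version decodes the request exactly once, rejects NUL bytes and absolute paths, and then checks the resolved path rather than the request string, which is what defeats "..", mixed separators and symlink tricks together.

```python
import os
import tempfile
from urllib.parse import unquote


def serve_file_vulnerable(doc_root: str, requested: str) -> bytes:
    """The pattern the attackers exploited: user input is joined onto the
    document root with no containment check. "../private/passwd" walks out
    of doc_root, and an absolute path makes os.path.join discard doc_root."""
    path = os.path.join(doc_root, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_file_hardened(doc_root: str, requested: str) -> bytes:
    """Decode once, reject NUL bytes and absolute paths, then resolve the final
    path (symlinks included) and require that it still lies under the resolved
    document root."""
    requested = unquote(requested)
    if "\x00" in requested or os.path.isabs(requested):
        raise PermissionError("rejected path: %r" % requested)
    root = os.path.realpath(doc_root)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError("path escapes document root: %r" % requested)
    with open(path, "rb") as f:
        return f.read()


def hardened_blocks(doc_root: str, requested: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        serve_file_hardened(doc_root, requested)
    except PermissionError:
        return True
    return False


def build_demo_root() -> str:
    """Constructed sample tree: a document root plus a sibling directory the
    web server must never expose. Returns the document root path."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(base, "www"))
    os.makedirs(os.path.join(base, "private"))
    with open(os.path.join(base, "www", "index.html"), "wb") as f:
        f.write(b"<h1>public</h1>")
    with open(os.path.join(base, "private", "passwd"), "wb") as f:
        f.write(b"admin:$6$constructed-not-a-real-hash\n")  # constructed data
    return os.path.join(base, "www")


def demo() -> dict:
    root = build_demo_root()
    traversal = "..%2Fprivate%2Fpasswd"   # URL-encoded "../private/passwd"
    return {
        "public": serve_file_hardened(root, "index.html"),
        # The web server has already decoded the URL before the vulnerable
        # handler sees it, so the decoded form is what reaches it.
        "vulnerable_leaks": serve_file_vulnerable(root, unquote(traversal)),
        "hardened_blocks_traversal": hardened_blocks(root, traversal),
        "hardened_blocks_absolute": hardened_blocks(root, "/etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Decoding exactly once matters: a double-encoded request such as `..%252F` decodes to the literal characters `..%2F`, which then names a nonexistent file instead of a parent directory, so the containment check never has to reason about encodings.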
行軍: Operation Ababil
Battlefield: U.S. commercial banks
Cause: Elimination of the film "Innocence of Muslims"
Battle: Phase 4 of a major multi-phase campaign, Operation Ababil, which commenced during the week of July 22nd. Primary targets included Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.
行軍: Operation Ababil
Attackers:
Cyber Fighters of Izz ad-Din al-Qassam
• Purported Iranian state sponsored hacktivist collective said to be acting
to defend Islam
Motivation:
Religious Fundamentalism
• “Well, misters! The break's over and it's now time to pay off.
After a chance given to banks to rest awhile, now the Cyber Fighters of
Izz ad-Din al-Qassam will once again take hold of their destiny.
As we have said earlier, the Operation Ababil is performed because of
widespread and organized offends to Islamic spirituals and holy issues,
especially the great prophet of Islam(PBUH) and if the offended film is
eliminated from the Internet, the related attacks also will be stopped.
While the films exist, no one should expect this operation be fully
stopped.
The new phase will be a bit different and you'll feel this in the coming
days.
Mrt. Izz ad-Din al-Qassam Cyber Fighters”
行軍: Operation Ababil
Massive TCP and UDP flood attacks:
• Targeting both web servers and DNS servers. The Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. The source appears to be the Brobot botnet.
DNS amplification attacks:
• The attacker sends queries to a DNS server with a spoofed source address that identifies the target under attack. The large replies from the DNS servers, usually so big that they must be split over several packets, flood the target.
HTTP flood attacks:
• Cause web server resource starvation through an overwhelming number of page downloads.
Encrypted attacks:
• SSL-based HTTPS GET requests place a major load on the HTTP server, which consumes about 15x more CPU to process the encrypted attack traffic.
行軍: Operation Ababil
Event Correlation: Iranian Linked Cyber Attacks (timeline chart, Jul 2010 to Jul 2013)
Actors plotted: Parastoo, Iranian Cyber Army (1 event), al Qassam Cyber Fighters (22 events)
Source: Analysis Intelligence
行軍: Operation Ababil
Challenge & Response Escalations:
• Automatic Challenge mechanisms are employed by the Radware Attack
Mitigation System to discriminate between legitimate traffic and
attack tools
• Phase 4 attackers implemented advanced mechanisms that emulated
normal web browser users in order to circumvent mitigation tools
• Necessitated the implementation of increasingly sophisticated
challenge mechanisms that could not be supported by attack tools
Challenge results by attack script:

Script      | 302 Redirect Challenge | JS Challenge | Special Challenge
Kamikaze    | Pass                   | Not pass     | Not pass
Kamina      | Pass                   | Not pass     | Not pass
Terminator  | Pass                   | Pass         | Not pass
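The escalation the slides describe works because each challenge level demands a capability the next-simpler flood tool lacks. The following is an added example, not Radware's Attack Mitigation System code: a mitigator with three challenge levels (a 302 redirect carrying an HMAC-signed cookie, a JavaScript proof-of-work, and a "special" challenge modelled here as a token issued only when the page script reports a DOM pointer event) and three simulated clients with the capabilities implied by the table. The client names are taken from the table; their capabilities, the IP addresses, the proof-of-work difficulty and the cookie names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET = secrets.token_bytes(32)   # per-deployment key, constructed here
POW_PREFIX = "000"                 # ~12 bits of work per JS challenge (assumed)
NONCE_WINDOW = 300                 # seconds a solved proof-of-work stays valid


def sign(*parts: str) -> str:
    """HMAC token bound to the client IP: unforgeable and not transferable."""
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def solve_pow(nonce: str) -> str:
    """What the served JavaScript does: find x with sha256(nonce|x) under target."""
    x = 0
    while not hashlib.sha256(f"{nonce}|{x}".encode()).hexdigest().startswith(POW_PREFIX):
        x += 1
    return str(x)


class Mitigator:
    """Challenge levels. 0: none. 1: 302 redirect with a signed cookie.
    2: JavaScript proof-of-work. 3: 'special' challenge, a token issued only
    when the page script reports a DOM pointer event, which a headless flood
    tool with a JS engine but no real document never generates."""

    def __init__(self, level: int):
        self.level = level

    def handle(self, req: dict, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        ip, cookies, path = req["ip"], req.get("cookies", {}), req["path"]
        if self.level >= 1 and cookies.get("redir") != sign("redir", ip):
            return {"status": 302, "location": path,
                    "set_cookie": {"redir": sign("redir", ip)}}
        if self.level >= 2:
            nonce = sign("nonce", ip, str(int(now // NONCE_WINDOW)))  # stateless
            digest = hashlib.sha256(f"{nonce}|{cookies.get('pow', '')}".encode()).hexdigest()
            if not digest.startswith(POW_PREFIX):
                return {"status": 503, "challenge": "js", "nonce": nonce}
        if self.level >= 3 and cookies.get("evt") != sign("evt", ip):
            if req.get("pointer_event"):
                return {"status": 302, "location": path,
                        "set_cookie": {"evt": sign("evt", ip)}}
            return {"status": 503, "challenge": "event"}
        return {"status": 200, "body": "origin content"}


class Client:
    """Simulated request source; the three flags are the capabilities that
    separate flood scripts from a browser."""

    def __init__(self, name, ip, follows_redirects=False, runs_js=False, dom_events=False):
        self.name, self.ip = name, ip
        self.follows_redirects, self.runs_js, self.dom_events = follows_redirects, runs_js, dom_events

    def fetch(self, mit: Mitigator, path: str = "/", now: float = 0.0) -> bool:
        """True if the client reaches origin content within bounded round trips."""
        cookies, req = {}, {"ip": self.ip, "path": path}
        for _ in range(8):
            resp = mit.handle({**req, "cookies": cookies}, now)
            if resp["status"] == 200:
                return True
            if resp["status"] == 302:
                if not self.follows_redirects:
                    return False          # raw-socket tools ignore Location
                cookies.update(resp["set_cookie"])
            elif resp["challenge"] == "js":
                if not self.runs_js:
                    return False
                cookies["pow"] = solve_pow(resp["nonce"])
            else:                         # "event"
                if not self.dom_events:
                    return False
                req["pointer_event"] = True
        return False


# Constructed clients mirroring the table; IPs are documentation addresses.
KAMIKAZE = Client("Kamikaze", "198.51.100.1")
KAMINA = Client("Kamina", "198.51.100.2", follows_redirects=True)
TERMINATOR = Client("Terminator", "198.51.100.3", follows_redirects=True, runs_js=True)
BROWSER = Client("browser", "203.0.113.7", follows_redirects=True, runs_js=True, dom_events=True)


def minimum_blocking_level(tools, max_level: int = 3) -> int:
    """Lowest challenge level at which none of the observed tools gets through."""
    for level in range(max_level + 1):
        if not any(t.fetch(Mitigator(level)) for t in tools):
            return level
    return max_level


if __name__ == "__main__":
    for level in range(4):
        print(level, {c.name: c.fetch(Mitigator(level)) for c in (KAMIKAZE, KAMINA, TERMINATOR, BROWSER)})
```

Two design points carry over to real deployments: every token is an HMAC over the client IP, so a cookie harvested by one bot cannot be replayed across the botnet, and the proof-of-work nonce is derived from the IP and a coarse time window rather than stored, so the mitigator keeps no per-client state while under flood.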
行軍: Spamhaus
Battlefield: Spamhaus
Cause: Corporate ideological differences
Battle: A nine-day assault that resulted in the largest recorded volumetric Distributed Denial of Service attack, peaking at over 300Gbps.
Result: Spamhaus did go down, but claimed to have withstood the attack, though only with assistance from companies such as CloudFlare and Google. Given the scale of the attack and the techniques used, concerns were expressed that the very fabric of the Internet could be compromised.
行軍: Spamhaus
Attackers:
CyberBunker?
• Provider of anonymous secure hosting services
Motivation:
Retaliation against Spamhaus
• CyberBunker, a provider of secure and anonymous hosting services,
was blacklisted by Spamhaus, a non-profit anti-spamming
organization that advises ISPs. It was claimed that CyberBunker
was a 'rogue' host and a haven for cybercrime and spam
organizations. Spamhaus alleged that Cyberbunker, with the aid of
"criminal gangs" from Eastern Europe and Russia, launched a DDoS
attack against Spamhaus for “abusing its influence.”
行軍: Spamhaus
Attack Method:
• The attack started at 10-80Gbps as a volumetric layer 3 attack and was initially contained successfully; it peaked at 75Gbps on March 20.
• During March 24-25 the attack grew past 100Gbps, peaking at 309Gbps.
• No botnet was in use. The attackers used servers on networks that allow IP spoofing, combined with open DNS resolvers.
• Misconfigured DNS resolvers with no response rate limiting amplify the attack by a factor of 50.
• Nearly 25% of networks are configured to allow spoofing instead of employing BCP38 ingress filtering.
• There are over 28 million open resolvers in operation.
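The DNS amplification mechanism described for Operation Ababil and the Spamhaus bullets above (spoofed sources, open resolvers, no response rate limiting, BCP38 not deployed) fit together as a single chain, and each control breaks a different link. The following is an added example, not Radware code or a real resolver: a small simulation of spoofed queries sent from an attacker's network to an open resolver, with BCP38 ingress filtering at the attacker's edge and BIND-style response rate limiting (RRL, with the default "slip" of every second excess response) as switchable controls. The packet sizes (64-byte query, 3200-byte answer, the 50x factor on the slide), the addresses and the customer prefix are constructed for the demo.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    size: int
    qname: str = ""
    truncated: bool = False


QUERY_SIZE = 64        # constructed: a small "ANY" query
RESPONSE_SIZE = 3200   # constructed: a large answer, 50x the query as on the slide
RESOLVER = "192.0.2.53"
VICTIM = "203.0.113.10"
# Constructed: the prefix the attacker's ISP actually assigned to that customer.
ATTACKER_CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def bcp38_permits(pkt: Packet, customer_prefixes) -> bool:
    """BCP38 ingress filter at the customer edge: forward only packets whose
    source address belongs to the prefixes assigned to that interface. A query
    claiming to come from the victim fails this check."""
    return any(ipaddress.ip_address(pkt.src) in net for net in customer_prefixes)


class OpenResolver:
    """An open recursive resolver, optionally with response rate limiting.
    RRL counts responses per second per (client /24, qname); beyond the limit
    it drops the response, but 'slips' every slip-th excess one as a small
    truncated reply so a genuine client can retry over TCP."""

    def __init__(self, rrl_limit: Optional[int] = None, slip: int = 2):
        self.rrl_limit, self.slip = rrl_limit, slip
        self.counts = defaultdict(int)

    def answer(self, q: Packet, now: float) -> Optional[Packet]:
        client_net = ipaddress.ip_network(q.src + "/24", strict=False)
        key = (str(client_net), q.qname, int(now))
        self.counts[key] += 1
        if self.rrl_limit is not None and self.counts[key] > self.rrl_limit:
            excess = self.counts[key] - self.rrl_limit
            if self.slip and (excess - 1) % self.slip == 0:
                return Packet(RESOLVER, q.src, QUERY_SIZE, q.qname, truncated=True)
            return None
        return Packet(RESOLVER, q.src, RESPONSE_SIZE, q.qname)


def simulate(queries: int, bcp38: bool, rrl_limit: Optional[int]) -> dict:
    """The attacker sends `queries` spoofed packets (src = victim) through its
    ISP's edge towards the open resolver. Returns bytes the attacker sent,
    bytes the victim received, and the resulting amplification factor."""
    resolver = OpenResolver(rrl_limit)
    sent = received = full = truncated = 0
    for _ in range(queries):
        q = Packet(src=VICTIM, dst=RESOLVER, size=QUERY_SIZE, qname="example.com")
        sent += q.size
        if bcp38 and not bcp38_permits(q, ATTACKER_CUSTOMER_PREFIXES):
            continue                      # dropped at the attacker's edge
        r = resolver.answer(q, now=0.0)   # all within one second: worst case
        if r is None:
            continue
        received += r.size
        full += not r.truncated
        truncated += r.truncated
    return {"sent": sent, "received": received, "full": full,
            "truncated": truncated, "factor": received / sent}


if __name__ == "__main__":
    for label, kw in [("no controls", dict(bcp38=False, rrl_limit=None)),
                      ("BCP38 at attacker edge", dict(bcp38=True, rrl_limit=None)),
                      ("RRL 5/s on resolver", dict(bcp38=False, rrl_limit=5))]:
        print(label, simulate(1000, **kw))
```

With 1000 spoofed queries the uncontrolled run delivers the full 50x; BCP38 delivers nothing, because the spoofed packets never leave the attacker's network; RRL alone still reflects the slipped truncated replies, but they are query-sized, so the victim receives less than the attacker sent and there is no amplification left to exploit.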
行軍: New York Times
Battlefield: New York Times
Cause: Syrian conflict
Battle: Attack on the New York Times domain's DNS records.
Result: New York Times website taken offline for almost 2 hours as the domain was redirected to Syrian Electronic Army servers.
行軍: New York Times
Attackers: Syrian Electronic Army
• Hackers aligned with Syrian President Bashar Assad. Mainly targets political opposition groups and Western websites, including news organizations and human rights groups.
Attacks: Spear phishing & directed DNS attacks
• Phishing attacks on Melbourne IT, the New York Times domain registrar.
• The SEA hijacked the NYT registrar account and redirected the domain to its own servers.
不可胜在己
Being unconquerable lies with yourself
(Chart: which infrastructure component was the bottleneck under DDoS, 2011 to 2013; vertical axis 5% to 30%.)
Components, from the Internet inward: Internet Pipe, Firewall, IPS/IDS, Load Balancer (ADC), Server, SQL Server.
Attack types plotted against them: Volumetric Floods, Network Scans, SYN Floods, Low & Slow (e.g. Sockstress), HTTP Floods, SSL Floods, Brute Force, Application Misuse.
不可胜在己 (Being unconquerable lies with yourself)
Which defense component addresses which class of attack:

DoS Defense Component               | Vulnerability Exploitation | Network Flood  | Infrastructure Exhaustion | Target Exhaustion
Network Devices                     | No  | No             | Some                | Some
Over-Provisioning                   | No  | Yes, bandwidth | Yes, infrastructure | Yes, server & app.
Firewall & Network Equipment        | No  | No             | Some                | Some
NIPS or WAF Security Appliances     | Yes | No             | No, part of problem | No
Anti-DoS Box (Stand-Alone)          | No  | No             | Yes                 | Yes
ISP-Side Tools                      | No  | Yes            | Rarely              | Rarely
Anti-DoS Appliances (ISP Connected) | No  | Yes            | Yes                 | Yes
Anti-DoS Specialty Provider         | No  | Yes            | Yes                 | Yes
Content Delivery Network            | No  | Yes            | Yes                 | Limited
兵之情主速
Speed is the essence of war
THE SECURITY GAP
• Attacker has time to bypass automatic mitigation
• Target does not possess the required defensive skills
故兵貴勝,不貴久
What is essential in war is victory, not prolonged operations
Detection: Encrypted / Non-Volumetric Attacks
• Envelope Attacks – Device Overload
• Directed Attacks – Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations)
Detection: Application Attacks
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations)
Attack Detection: Volumetric Attacks
• Network DDoS
• SYN Floods
• HTTP Floods
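The detection slides list HTTP floods among the attacks that must be caught, and the earlier case studies show both forms they take: a single source hammering one URL (the Colombian campaign) and a botnet whose members are individually unremarkable (Ababil, with Brobot). The following is an added example, not Radware detection logic: two signals run over a constructed web server access log. Per source, it flags a request rate above a threshold combined with low URL diversity, because flood scripts repeat one page; per window, it flags the aggregate rate, which is the only signal that catches a distributed flood. The log lines, addresses, thresholds and window size are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format prefix: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = datetime(2013, 7, 20, 12, 0, 0, tzinfo=timezone.utc)   # constructed start time
BASE_EPOCH = int(BASE.timestamp())


def parse_line(line: str):
    """Return (ip, epoch_seconds, path), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size = m.groups()
    return ip, int(datetime.strptime(ts, TIME_FMT).timestamp()), path


def make_sample_log() -> list:
    """Constructed log: three browsing users, one single-source flood tool
    hitting one URL at 12 requests/s, and a 60-host swarm whose members each
    stay far below any per-source threshold."""
    def entry(ip, offset, path):
        ts = (BASE + timedelta(seconds=offset)).strftime(TIME_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for n, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for k, path in enumerate(["/", "/css/site.css", "/news", "/news/1", "/about", "/contact"]):
            lines.append(entry(ip, 5 * k + n, path))
    for i in range(120):                                   # t = 0..9
        lines.append(entry("198.51.100.7", i // 12, "/search?q=bogota"))
    for b in range(60):                                    # t = 30..39
        for k in range(4):
            lines.append(entry(f"10.0.0.{b + 1}", 30 + (b + k) % 10, "/login"))
    return lines


def detect(lines, window=10, per_source_rps=5.0, aggregate_rps=20.0, min_paths=3) -> dict:
    """Per source: rate above per_source_rps while hitting fewer than min_paths
    distinct paths. Aggregate: total rate above aggregate_rps in a window."""
    per_src = defaultdict(lambda: defaultdict(list))   # window -> ip -> paths
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        w = ts // window * window
        per_src[w][ip].append(path)
        totals[w] += 1
    flagged = set()
    for sources in per_src.values():
        for ip, paths in sources.items():
            if len(paths) / window > per_source_rps and len(set(paths)) < min_paths:
                flagged.add(ip)
    aggregate = sorted(w for w, n in totals.items() if n / window > aggregate_rps)
    return {"flagged_sources": flagged, "aggregate_windows": aggregate,
            "requests": sum(totals.values())}


if __name__ == "__main__":
    print(detect(make_sample_log()))
```

The swarm window is caught only by the aggregate signal, which is why per-source rate limiting on its own is not a DDoS defense; in practice the aggregate threshold is set from a learned baseline per site rather than a constant. SYN floods, also on the list above, need a different signal (SYNs that never complete the handshake), which this block does not cover.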
没有战略,战术是之前失败的噪音
Tactics without strategy is the noise before defeat
目标
Target
Don’t assume that you’re not a target.
Draw up battle plans. Learn from the
mistakes of others.
可用性
Protection
Protecting your data is not the same as
protecting your business.
True security necessitates data protection,
system integrity and operational
availability.
漏洞
Vulnerability
You don’t control all of your critical
business systems
Understand your vulnerabilities in the
distributed, outsourced world.
检测
Detection
You can’t defend against attacks you can’t
detect.
The battle prepared business harnesses
an intelligence network
宣传
Propaganda
Don’t believe the DDoS protection
propaganda.
Understand the limitations of cloud-based
scrubbing solutions.
Not all networking and security appliance
solutions were created equal.
限制
Limitations
Know your limitations.
Enlist forces that have expertise to help
you fight.
你准备好了吗?
Are You Ready?
谢谢
Thank You
Michael Tememe, Regional Sales Manager, Radware
[email protected]