The Art of Cyber War
Strategies in a rapidly evolving theatre
SecureWorld, October 2013
© Radware, Inc. 2013

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work. Many of its conclusions remain valid today in the cyber warfare era.

Agenda
• Laying Plans 始計
• Variation of Tactics 九變
• The Army on the March 行軍
• Illusion & Reality 虛實
• The Use of Intelligence 用間

故善战者,立于不败之地 – The good fighters of old first put themselves beyond the possibility of defeat

Sophistication (timeline 2010 – 2013):
• Attack target: Vatican – Duration: 20 days – More than 7 attack vectors
• Attack target: HKEX – Duration: 3 days – 5 attack vectors
• Attack target: US banks – Duration: 7 months – Multiple attack vectors
• Attack target: Visa, MasterCard – Duration: 3 days – 4 attack vectors

[Chart: Attack Vectors – Increasing Complexity]
[Chart: Attack Length – Increasing Duration]

不戰而屈人之兵,善之善者也 – To subdue the enemy without fighting is the acme of skill

Evolution of attack infrastructure:
• Individual Servers (1998 – 2002): Malicious software installed on hosts and servers (mostly located at Russian and East European universities), controlled by a single entity through direct communication. Examples: Trin00, TFN, Trinity
• Botnets (1998 – Present): Stealthy malicious software installed mostly on personal computers without the owner's consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra
• Voluntary Botnets (2010 – Present): Many users, at times as part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC
• New Server-based Botnets (2012): Powerful, well-orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.

Current prices on the Russian underground market:
• Hacking corporate mailbox: $500
• Winlocker ransomware: $10-$20
• Unintelligent exploit bundle: $25
• Intelligent exploit bundle: $10-$3,000
• Basic crypter (for inserting rogue code into a benign file): $10-$30
• SOCKS bot (to get around firewalls): $100
• Hiring a DDoS attack: $30-$70 / day, $1,200 / month
• Botnet: $200 for 2,000 bots
• DDoS Botnet: $700
• ZeuS source code: $200-$250
• Windows rootkit (for installing malicious drivers): $292
• Hacking Facebook or Twitter account: $130
• Hacking Gmail account: $162
• Email spam: $10 per one million emails
• Email scam (using customer database): $50-$500 per one million emails

知彼知己,百戰不殆 – If you know the enemy and know yourself, you need not fear the result of a hundred battles

Notable DDoS Attacks in the Last 12 Months

行軍: Colombia
Battlefield: Colombian government online services
Cause: Colombian Independence Day
Battle: A large-scale cyber attack held on July 20th, Colombian Independence Day, against 30 Colombian government websites.
Result: Most websites were either defaced or shut down completely for the entire day of the attack.
Attackers: Colombian Hackers
• A known hacker collective suspected of being responsible for several other cyber attacks in Colombia during 2012-13. The group is supported by sympathizers and uses Twitter to communicate.
Motivation: Ideological
• Anti-government stance, claiming to stand for "freedom, justice and peace." Mantra: "We are Colombian Hackers, to serve the people."
Web application attacks:
• Directory traversal – web application attack to get access to password files that can later be cracked offline.
• Brute force attacks on the pcAnywhere service – looking for accounts with weak passwords, which gives attackers remote access to victim servers.
• SQL injection attacks – web application attacks to gain remote server access.
• Web application vulnerability scanning
• Application attacks: we have mainly seen HTTP flood attacks
Network DDoS attacks:
• SYN floods, UDP floods, ICMP floods
• Anomalous traffic (invalid TCP flags, source port zero, invalid L3/L4 header)
• TCP port scans

行軍: Operation Ababil
Battlefield: U.S. commercial banks
Cause: Elimination of the film "Innocence of Muslims"
Battle: Phase 4 of a major multi-phase campaign, Operation Ababil, which commenced during the week of July 22nd. Primary targets included Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.
Attack methods:
Massive TCP and UDP flood attacks:
• Targeting both web servers and DNS servers. The Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. The source appears to be the Brobot botnet.
DNS amplification attacks:
• The attacker sends queries to a DNS server with a spoofed source address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.
HTTP flood attacks:
• Cause web server resource starvation through an overwhelming number of page downloads.
Encrypted attacks:
• SSL-based HTTPS GET requests generate a major load on the HTTP server, which consumes 15x more CPU to process the encrypted attack traffic.
Attackers: Cyber Fighters of Izz ad-Din al-Qassam
• Purported Iranian state-sponsored hacktivist collective, said to be acting to defend Islam
Motivation: Religious fundamentalism
• "Well, misters! The break's over and it's now time to pay off. After a chance given to banks to rest awhile, now the Cyber Fighters of Izz ad-Din al-Qassam will once again take hold of their destiny. As we have said earlier, the Operation Ababil is performed because of widespread and organized offends to Islamic spirituals and holy issues, especially the great prophet of Islam(PBUH) and if the offended film is eliminated from the Internet, the related attacks also will be stopped. While the films exist, no one should expect this operation be fully stopped. The new phase will be a bit different and you'll feel this in the coming days. Mrt. Izz ad-Din al-Qassam Cyber Fighters"

[Chart: Event Correlation – Iranian-linked cyber attacks, Jul 2010 – Jul 2013: Parastoo; Iranian Cyber Army (1 event); al Qassam Cyber Fighters (22 events). Source: Analysis Intelligence]

Challenge & Response Escalations:
• Automatic challenge mechanisms are employed by the Radware Attack Mitigation System to discriminate between legitimate traffic and attack tools
• Phase 4 attackers implemented advanced mechanisms that emulated normal web browser users in order to circumvent mitigation tools
• This necessitated the implementation of increasingly sophisticated challenge mechanisms that could not be supported by attack tools

Script        302 Redirect Challenge   JS Challenge   Special Challenge
Kamikaze      Pass                     Not pass       Not pass
Kamina        Pass                     Not pass       Not pass
Terminator    Pass                     Pass           Not pass

行軍: Spamhaus
Battlefield: Spamhaus
Cause: Corporate ideological differences
Battle: A nine-day assault that resulted in the largest recorded volumetric Distributed Denial of Service attack, peaking at over 300Gbps.
Result: Spamhaus went down but claimed to have withstood the attack, though only with assistance from companies such as CloudFlare and Google. Given the scale of the attack and the techniques used, concerns were expressed that the very fabric of the internet could be compromised.
Attackers: CyberBunker?
• Provider of anonymous secure hosting services
Motivation: Retaliation against Spamhaus
• CyberBunker, a provider of secure and anonymous hosting services, was blacklisted by Spamhaus, a non-profit anti-spam organization that advises ISPs. It was claimed that CyberBunker was a 'rogue' host and a haven for cybercrime and spam organizations.
• Spamhaus alleged that CyberBunker, with the aid of "criminal gangs" from Eastern Europe and Russia, launched a DDoS attack against Spamhaus for "abusing its influence."
Attack method:
• The attack started as a 10-80Gbps layer 3 volumetric attack that was initially contained successfully; it peaked at 75Gbps on March 20.
• During March 24-25 the attack grew to 100Gbps, peaking at 309Gbps.
• No botnet was in use. Attackers used servers on networks that allow IP spoofing in conjunction with open DNS resolvers.
• Misconfigured DNS resolvers with no response rate limiting allow the attack to be amplified by a factor of 50!
• Nearly 25% of networks are configured to allow spoofing instead of employing BCP38…
• There are over 28 million open resolvers in operation…

行軍: New York Times
Battlefield: New York Times
Cause: Syrian conflict
Battle: NYTimes Domain Name Server attack.
Result: New York Times website taken offline for almost 2 hours as the domain was redirected to Syrian Electronic Army servers.
Attackers: Syrian Electronic Army
• Hackers aligned with Syrian President Bashar Assad. Mainly targets political opposition groups and Western websites, including news organizations and human rights groups.
Attacks: Spear phishing & directed DNS attacks
• Phishing attacks on Melbourne IT, the New York Times DNS registrar.
• SEA hacked the NYT account and redirected the domain to its servers.

不可胜在己 – Being unconquerable lies with yourself

[Chart: which infrastructure component fails under DDoS – Internet Pipe, Firewall, IPS/IDS, Load Balancer (ADC), Server, SQL Server; the slide carries two series of percentages (8%, 5%, 22%, 30%, 11%, 4% and 8%, 8%, 25%, 24%, 26%, 27%) whose assignment to components is not recoverable from the extracted text]

DoS defense component versus attack type:

Defense Component                      Vulnerability Exploitation   Network Flood      Infrastructure Exhaustion   Target Exhaustion
Network Devices                        No                           No                 Some                        Some
Over-Provisioning                      No                           Yes, bandwidth     Yes, infrastructure         Yes, server & app.
Firewall & Network Equipment           No                           No                 Some                        Some
NIPS or WAF Security Appliances        Yes                          No                 No, part of problem         No
Anti-DoS Box (Stand-Alone)             No                           No                 Yes                         Yes
ISP-Side Tools                         No                           Yes                Rarely                      Rarely
Anti-DoS Appliances (ISP Connected)    No                           Yes                Yes                         Yes
Anti-DoS Specialty Provider            No                           Yes                Yes                         Yes
Content Delivery Network               No                           Yes                Yes                         Limited

70% – proportion of businesses relying on CDNs for DDoS protection

Bypassing CDN Protection
[Diagram: Botnet → CDN → Enterprise; each request is GET www.enterprise.com/?[Random]]

Cloud protection limitations
[Diagram: Botnet → Cloud Scrubbing → Enterprise; labelled attack types: Volumetric attacks, Low & Slow attacks, SSL encrypted attacks]

兵者 詭道也 – All warfare is based on deception

Universal DDoS Mitigation Bypass (BlackHat USA 2013)
Source: Nexusguard Ltd, NT-ISAC, Bloodspear Labs
Presenters / Authors: Tony T.N. Miu, Albert K.T. Hui, W.L. Lee, Daniel X.P. Luo, Alan K.L. Chung, Judy W.S. Wong
Goal: Defeat all known mechanisms for automatic mitigation of DDoS attacks
Threats: "We have extensively surveyed DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work, and […] or CAPTCHA-based authentications being the most effective by far. However, in our research weaknesses were found in a majority of these sort of techniques. We rolled all our exploits into a proof-of-concept attack tool, giving it near-perfect DDoS mitigation bypass capability against almost every existing commercial DDoS mitigation solutions. The ramifications are huge. For the vast majority of web sites, these mitigation solutions stand as the last line of defense. Breaching this defense can expose these web sites' backend to devastating damages."

Tool: Kill 'em All 1.0
• Harnesses techniques such as authentication bypass, HTTP redirect, HTTP cookie and JavaScript
• True TCP behavior, believable and random HTTP headers, JavaScript engine, random payload, tunable post-authentication traffic model
• Defeats current anti-DDoS solutions that detect malformed traffic, traffic profiling, rate limiting, source verification, JavaScript and CAPTCHA-based authentication mechanisms
• Creators allege that the tool is technically indistinguishable from legitimate human traffic
Tested against: Arbor PeakFlow TMS, Akamai, Cloudflare, NSFocus Anti-DDoS System, Juniper

兵之情主速 – Speed is the essence of war

[Chart: Attack Degree over time – Normal Area, Suspicious Area, Attack Area]

THE SECURITY GAP
• Attacker has time to bypass automatic mitigation
• Target does not possess required defensive skills

故兵貴勝,不貴久 – What is essential in war is victory, not prolonged operations

Detection: Encrypted / Non-Volumetric Attacks
• Envelope Attacks – Device Overload
• Directed Attacks – Exploits
• Intrusions – Misconfigurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods

Detection: Application Attacks
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse

Attack Detection: Volumetric Attacks
• Network DDoS
• SYN Floods
• HTTP Floods

[Diagram: Attack Mitigation Network – Low & Slow, SSL Encrypted: Botnet, Hosted Data Center, Enterprise, Cloud Scrubbing]
[Diagram: Attack Mitigation Network – Application Exploits: Botnet, Hosted Data Center, Enterprise, Cloud Scrubbing, attack signatures]
[Diagram: Attack Mitigation Network – Volumetric Attacks (three build slides): Botnet, Hosted Data Center, Enterprise, Cloud Scrubbing, attack signatures]

你准备好了吗? Are You Ready?

谢谢 Thank You
Carl Herberger, VP Security Solutions, Radware
[email protected]
© Radware, Inc. 2013
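The Colombia slides list anomalous traffic (invalid TCP flags, source port zero, invalid L3/L4 headers) and TCP port scans among the network vectors. The Python below is an added example, not Radware's code or any product's detection logic: it applies those header checks to packet summaries and counts the distinct ports a source probes with bare SYNs. The packet summaries are constructed dicts, not captured traffic, and the field names and the scan threshold are assumptions.

```python
"""Flag malformed L3/L4 headers and TCP port scans in constructed packet summaries.

Added example; the packets below are constructed, not captured traffic.
"""
from collections import defaultdict

# TCP flag bits as laid out in the 8-bit flags field of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def header_anomalies(pkt):
    """Return the reasons a packet summary violates basic L3/L4 sanity rules.

    pkt keys (assumed layout): proto ('tcp', 'udp' or 'icmp'), src, dst, ttl,
    ihl (IP header length in 32-bit words); sport/dport for tcp/udp; flags and
    doff (TCP data offset in 32-bit words) for tcp. Missing fields count as sane.
    """
    reasons = []
    if pkt.get("ihl", 5) < 5:
        reasons.append("ip-header-too-short")       # IHL below the 20-byte minimum
    if pkt.get("ttl", 64) == 0:
        reasons.append("ttl-zero")
    if pkt["proto"] in ("tcp", "udp") and pkt.get("sport", 1) == 0:
        reasons.append("source-port-zero")
    if pkt["proto"] == "tcp":
        f = pkt["flags"]
        if pkt.get("doff", 5) < 5:
            reasons.append("tcp-offset-too-short")  # data offset below 20 bytes
        if f == 0:
            reasons.append("null-flags")            # no flags at all (null scan)
        if f & SYN and f & FIN:
            reasons.append("syn+fin")               # open and close in one segment
        if f & SYN and f & RST:
            reasons.append("syn+rst")
        if f & (FIN | PSH | URG) == (FIN | PSH | URG):
            reasons.append("xmas-flags")
        if f & FIN and not f & ACK:
            reasons.append("fin-without-ack")       # a real close always carries ACK
    return reasons


def port_scans(packets, min_ports=10):
    """Map (src, dst) -> number of distinct destination ports probed with bare SYNs.

    Only pairs that reached min_ports are returned; a legitimate client rarely
    opens connections to that many different ports on one host.
    """
    ports = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == SYN:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(s) for pair, s in ports.items() if len(s) >= min_ports}


def triage(packets):
    """Return (list of (packet, reasons) for anomalous packets, detected port scans)."""
    flagged = [(p, r) for p in packets if (r := header_anomalies(p))]
    return flagged, port_scans(packets)


def tcp(src, dst, sport, dport, flags, **extra):
    """Build a constructed TCP packet summary with sane defaults."""
    base = {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "ttl": 64, "ihl": 5, "doff": 5}
    base.update(extra)
    return base


# Constructed sample traffic against one server (not captured data)
SAMPLE = [
    tcp("10.0.0.5", "192.0.2.10", 40000, 80, SYN),           # normal handshake start
    tcp("10.0.0.5", "192.0.2.10", 40000, 80, ACK | PSH),     # normal data segment
    tcp("10.0.0.5", "192.0.2.10", 40000, 80, FIN | ACK),     # normal close
    tcp("203.0.113.7", "192.0.2.10", 0, 80, SYN),            # source port zero
    tcp("203.0.113.8", "192.0.2.10", 5555, 80, SYN | FIN),   # impossible flag pair
    tcp("203.0.113.9", "192.0.2.10", 5556, 80, 0),           # null scan probe
    {"proto": "udp", "src": "203.0.113.10", "dst": "192.0.2.10",
     "sport": 0, "dport": 53, "ttl": 0, "ihl": 4},           # three defects at once
] + [tcp("198.51.100.4", "192.0.2.10", 50000 + i, 1 + i, SYN) for i in range(15)]

if __name__ == "__main__":
    flagged, scans = triage(SAMPLE)
    for pkt, reasons in flagged:
        print(pkt["src"], reasons)
    print("port scans:", scans)
```

The header rules are deterministic, so they are safe to apply inline at the edge; the port-scan count is a rate-style heuristic and should be tuned (and windowed by time) before it drives blocking.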
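The Operation Ababil and Spamhaus slides describe DNS amplification: spoofed queries, replies large enough to span several packets, an amplification factor of 50 from resolvers without response rate limiting, and networks that allow spoofing instead of employing BCP38. The Python below is an added example, not Radware's or any resolver's code: it computes the amplification factor, models a per-client-prefix response rate limiter in the spirit of DNS RRL, applies a BCP38-style source check at the customer edge, and shows how many bytes a spoofed victim would receive under each control. The query stream, prefixes, sizes and limits are constructed.

```python
"""Amplification factor, response rate limiting and BCP38 ingress filtering, simulated.

Added example with constructed queries; not the code of any resolver or vendor.
"""
import ipaddress
from collections import defaultdict


def amplification_factor(query_bytes, response_bytes):
    """Bytes returned per byte sent: the multiplier a spoofed query gains."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Per-client-prefix response rate limit, in the spirit of DNS RRL.

    Identical (second, prefix, qname, qtype) tuples get at most `per_second`
    responses; the rest are dropped here (a real RRL can also send truncated
    replies to push genuine clients onto TCP). A spoofed victim behind that
    prefix therefore receives a bounded number of bytes per second.
    """

    def __init__(self, per_second=5, prefix_len=24):
        self.per_second = per_second
        self.prefix_len = prefix_len
        self.counts = defaultdict(int)

    def key(self, ts, client, qname, qtype):
        net = ipaddress.ip_network(f"{client}/{self.prefix_len}", strict=False)
        return (int(ts), str(net), qname.lower(), qtype)

    def allow(self, ts, client, qname, qtype):
        k = self.key(ts, client, qname, qtype)
        self.counts[k] += 1
        return self.counts[k] <= self.per_second


def bcp38_allowed(src, ingress_prefixes):
    """BCP38 at the customer edge: accept a packet only if its source address
    belongs to a prefix assigned to that interface (uRPF-style check)."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in ingress_prefixes)


def simulate(queries, limiter=None, ingress_prefixes=None):
    """Bytes of DNS responses delivered to each claimed source under the given controls.

    queries: (ts, src, qname, qtype, query_bytes, response_bytes). When
    ingress_prefixes is given, queries failing BCP38 never reach the resolver.
    """
    delivered = defaultdict(int)
    for ts, src, qname, qtype, qlen, rlen in queries:
        if ingress_prefixes is not None and not bcp38_allowed(src, ingress_prefixes):
            continue                       # dropped at the edge, never amplified
        if limiter is not None and not limiter.allow(ts, src, qname, qtype):
            continue                       # resolver refuses to answer again
        delivered[src] += rlen
    return dict(delivered)


# Constructed traffic: 200 spoofed ANY queries in one second claiming to be the victim,
# plus one genuine query from a customer address (64-byte query, 3200-byte reply = 50x)
VICTIM = "192.0.2.10"
SPOOFED = [(i / 200, VICTIM, "example.net", "ANY", 64, 3200) for i in range(200)]
LEGIT = [(0.5, "198.51.100.9", "example.org", "A", 40, 100)]
QUERIES = SPOOFED + LEGIT
CUSTOMER_PREFIXES = ["198.51.100.0/24"]   # what the edge router should accept as source

if __name__ == "__main__":
    print("amplification:", amplification_factor(64, 3200))
    print("no controls:  ", simulate(QUERIES))
    print("with RRL:     ", simulate(QUERIES, limiter=ResponseRateLimiter()))
    print("with BCP38:   ", simulate(QUERIES, ingress_prefixes=CUSTOMER_PREFIXES))
```

The two controls sit at different places: RRL is applied by whoever runs the resolver and caps what any one prefix can be made to receive, while BCP38 is applied by the network the spoofed packets originate from and stops them before any amplification happens. Neither replaces closing an open resolver to recursion from the wider Internet.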
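The Challenge & Response slide describes escalating from a 302 redirect challenge to a JavaScript challenge and then a special challenge as attack tools learn to clear the lower stages. The Python below is an added example and not the Radware Attack Mitigation System's implementation: it issues HMAC-signed challenge state, verifies each stage server-side with a token lifetime, drives modelled clients of three capability levels through the ladder, and picks the next stage once traffic has been observed clearing a lower one. The secret, token lifetime, client models and puzzle are constructed, and the special stage is modelled as an interactive (CAPTCHA-style) answer flag because its real content is not on the slide.

```python
"""Escalating challenge ladder (302 redirect -> JS challenge -> interactive challenge).

Added example with constructed client models; not a vendor's mitigation code.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # constructed; a real deployment rotates a server secret
TOKEN_TTL = 30                      # seconds a challenge token stays valid
LADDER = ("redirect", "js", "interactive")


def _sign(*parts):
    """Short HMAC over the pieces of challenge state we hand to the client."""
    msg = "|".join(map(str, parts)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def redirect_challenge(client_ip, now):
    """Stage 1: answer the first request with a 302 whose Location carries a signed token."""
    ts = int(now)
    return {"status": 302, "location": f"/?tok={_sign('redir', client_ip, ts)}&ts={ts}"}


def js_challenge(client_ip, now):
    """Stage 2: serve a page whose script must compute sha256(nonce) and submit it."""
    ts = int(now)
    nonce = _sign("js", client_ip, ts)
    return {"status": 200, "nonce": nonce, "ts": ts, "script": "answer = sha256(nonce)"}


def verify(stage, client_ip, submission, now):
    """Check a submitted answer against the signed state; tokens expire after TOKEN_TTL."""
    ts = int(submission.get("ts", -1))
    if not 0 <= now - ts <= TOKEN_TTL:
        return False                                   # expired or replayed state
    if stage == "redirect":
        return hmac.compare_digest(submission.get("tok", ""), _sign("redir", client_ip, ts))
    if stage == "js":
        expect = hashlib.sha256(_sign("js", client_ip, ts).encode()).hexdigest()
        return hmac.compare_digest(submission.get("answer", ""), expect)
    if stage == "interactive":
        return submission.get("human_solved") is True  # CAPTCHA-style stage, modelled as a flag
    return False


def run_ladder(client_ip, client, now=None):
    """Drive a modelled client through the ladder; return the stage that stopped it,
    or 'passed' if it cleared all three. `client` maps capability -> bool."""
    now = time.time() if now is None else now
    for stage in LADDER:
        if stage == "redirect":
            ch = redirect_challenge(client_ip, now)
            if not client["follows_redirect"]:
                return stage                            # never re-requests with the token
            q = dict(p.split("=") for p in ch["location"].split("?")[1].split("&"))
            ok = verify(stage, client_ip, q, now)
        elif stage == "js":
            ch = js_challenge(client_ip, now)
            if not client["runs_js"]:
                return stage                            # no engine to evaluate the script
            answer = hashlib.sha256(ch["nonce"].encode()).hexdigest()
            ok = verify(stage, client_ip, {"ts": ch["ts"], "answer": answer}, now)
        else:
            ok = verify(stage, client_ip, {"ts": int(now), "human_solved": client["interactive"]}, now)
        if not ok:
            return stage
    return "passed"


def next_stage(bypassed):
    """Escalate to the first stage the observed attack traffic has not yet cleared."""
    return next((s for s in LADDER if s not in bypassed), None)


# Constructed client models, from a bare flooder to a full browser with a person behind it
CLIENTS = {
    "bare-flooder": {"follows_redirect": False, "runs_js": False, "interactive": False},
    "redirect-follower": {"follows_redirect": True, "runs_js": False, "interactive": False},
    "headless-browser": {"follows_redirect": True, "runs_js": True, "interactive": False},
    "human-browser": {"follows_redirect": True, "runs_js": True, "interactive": True},
}

if __name__ == "__main__":
    for name, model in CLIENTS.items():
        print(f"{name}: stopped at {run_ladder('203.0.113.5', model)}")
    print("escalate after redirect bypass ->", next_stage({"redirect"}))
```

Binding the token to the client address and a timestamp means a token captured from one passing client cannot be shared across a botnet or replayed later; the ladder is still only as strong as its top rung, which is the point the following Black Hat slides make.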
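The Bypassing CDN Protection slide shows requests of the form GET www.enterprise.com/?[Random], and the detection slides list HTTP floods among the volumetric attacks. The Python below is an added example, not a CDN's or Radware's code: it parses access-log lines, builds a cache key that ignores query parameters the application does not use (so a random parameter no longer forces a cache miss that reaches the origin), reports per client the share of requests carrying unknown parameters, and flags clients that exceed a request rate over a sliding window. The log format, parameter whitelist, log lines and thresholds are constructed assumptions.

```python
"""Cache-busting detection and per-client HTTP flood rate over constructed access logs.

Added example; the log lines, whitelist and thresholds are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed log format: <ip> [<unix ts>] "GET <url> HTTP/1.x" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "GET (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')
KNOWN_PARAMS = {"page", "q", "lang"}   # parameters the application actually reads (assumed)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": int(m["ts"]), "url": m["url"], "status": int(m["status"])}


def canonical_key(url):
    """Cache key a CDN should use: path plus only the whitelisted parameters, sorted.

    Unknown parameters (the ?[Random] trick) then map onto the same key and are
    served from cache instead of being forwarded to the origin on every request.
    """
    parts = urlsplit(url)
    keep = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in KNOWN_PARAMS)
    return parts.path + ("?" + urlencode(keep) if keep else "")


def cache_buster_ratio(entries):
    """Per client: share of requests carrying query parameters outside KNOWN_PARAMS."""
    total, busting = defaultdict(int), defaultdict(int)
    for e in entries:
        total[e["ip"]] += 1
        params = {k for k, _ in parse_qsl(urlsplit(e["url"]).query, keep_blank_values=True)}
        if params - KNOWN_PARAMS:
            busting[e["ip"]] += 1
    return {ip: busting[ip] / total[ip] for ip in total}


def flood_sources(entries, window=10, max_requests=50):
    """Clients whose peak request count in any window-second interval exceeds max_requests.

    Returns {ip: peak_count}; a sliding window over sorted timestamps.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1                      # drop timestamps that fell out of the window
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            hits[ip] = peak
    return hits


# Constructed log lines: one client fires 120 random-query GETs in ten seconds,
# a second client browses normally, and one line is malformed.
LOG_LINES = (
    [f'203.0.113.7 [{1000 + i // 12}] "GET /?{i:06x}r HTTP/1.1" 200' for i in range(120)]
    + [f'198.51.100.9 [{1000 + 3 * i}] "GET /search?q=ddos&page={i} HTTP/1.1" 200' for i in range(5)]
    + ["not a log line"]
)
ENTRIES = [e for e in map(parse_line, LOG_LINES) if e]

if __name__ == "__main__":
    print("cache-buster ratio:", cache_buster_ratio(ENTRIES))
    print("flood sources:     ", flood_sources(ENTRIES))
    print("key for /?x9f2k1:  ", canonical_key("/?x9f2k1"))
```

Keying the cache on the whitelisted parameters is the configuration change that closes the bypass at the CDN; the two detectors are what a security team would run on origin logs to see whether random-parameter traffic is still reaching the enterprise and from where.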