Attackers Vs. Defenders: Restoring the Equilibrium
Ron Meyran
Director of Security Marketing
January 2013
AGENDA
Cyber security Statistics
About 2012 Global Security Report
Key Findings
ERT Case Studies
2013 Recommendations
Cyber Security Study
• A research study by Ponemon & Radware
• Surveyed 700 IT & IT Security Practitioners
• Non-Radware customers
• Release date: November 12th 2012
Cyber Security Business Priorities
Ranking of cyber security objectives in terms of business priority (5 = highest priority, 1 = lowest priority)
[Bar chart: average priority score per objective (Interoperability, Confidentiality, Integrity, Compliance, Availability); scores shown range from 1.9 to 4.7]
DDoS Attacks Frequency
How many DDoS attacks were experienced in the past 12 months?
65% of organizations had an average of 3 DDoS attacks in the past 12 months.
Average downtime during one DDoS attack
[Bar chart: share of respondents per downtime bucket, from less than 1 minute up to 3 to 5 hours, plus "cannot determine"]
54 minutes average downtime during one DDoS attack.
Cost of Downtime
Cost per minute of downtime
[Bar chart: share of respondents per cost-per-minute bucket: $1 to $10, $10 to $100, $101 to $1,000, $1,001 to $5,000, $5,001 to $10,000, $10,001 to $25,000, $25,001 to $50,000, $50,001 to $100,000, more than $100,000, cannot determine]
$22,000 average cost per minute of downtime.
$3,000,000 average annual cost of DDoS attacks.
Information Resources
• Radware Security Survey
– External survey
– 179 participants
– 95.5% are not using a Radware DoS mitigation solution
• ERT Survey
– Internal survey
– Unique visibility into attack behaviour
– 95 selected cases
• Customer identity remains undisclosed
ERT gets to see attacks in real time on a daily basis.
Organizations Bring a Knife to a Gunfight
• “Someone who brings a knife to a gun fight”
– Is someone who does prepare himself for the fight, but does not understand its true nature
• Organizations today are like that
– They do invest before the attack starts, and conduct excellent forensics after it is over
– However, they have one critical blind spot: they don't have the capabilities or resources to sustain a long, complicated attack campaign
• Attackers target this blind spot!
Attacked in 2012
They had the budget
They made the investment
And yet they went offline
Organizations Deploy a Two-phase Security Approach
Industry Security Survey
How much did your organization invest in each of the following security aspects in the last year?
[Bar chart: share of investment in Procedures, Human skills and Equipment, grouped by phase: Before, During, After the attack]
Only 21% of company efforts are invested during the attack itself, while 79% is spent in the pre-attack and post-attack phases.
But attacks today have 3 phases
Attacks last longer
[Bar chart: share of ERT cases by attack duration (1-2 days, half a week, 1 week), 2011 vs. 2012]
Attacks last longer: the number of DoS attacks lasting over a week doubled in 2012.
And become more complex
ERT Cases – Attack Vectors
[Bar chart: share of ERT cases by attack complexity level (5-6, 7-8, 9-10), 2011 vs. 2012]
Attacks are more complex: 2012 DoS/DDoS attacks have become more sophisticated, using more complex attack vectors. Note the number of attacks using a complexity level of 7-10.
Content Delivery Network (CDN)
Do you consider Content Delivery Networks (CDNs) a solution for a DoS/DDoS attack?
Yes: 70%
No: 30%
70% of the companies who use a CDN believe the CDN is a solution for DoS/DDoS attacks.
Attacks Evade CDN service
[Diagram: legitimate users send "GET www.example.com" through the Internet and the CDN service to the backend web server; a botnet sends "GET www.example.com/?[Random]"; legitimate requests are refused]
• In recent cyber attacks the CDN was easily bypassed
– By changing the page request in every Web transaction (GET www.example.com/?[Random])
• These random request techniques force CDNs to “raise the curtain”
– All the attack traffic is passed directly to the customer premises
– Attacks masked by the CDN are more complex to mitigate
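As an added illustration that is not part of the original deck, the following Python shows one way an origin server behind a CDN can spot the random-request pattern described above: a client whose requests almost always carry a never-before-seen query string is forcing a cache miss on every hit. The log lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed origin access log (Common Log Format). Behind a real CDN the client
# address would normally be taken from X-Forwarded-For; here the first field is
# assumed to already be the originating client.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Sep/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [18/Sep/2012:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.10 - - [18/Sep/2012:10:00:05 +0000] "GET /index.html?page=2 HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2012:10:00:01 +0000] "GET /?x8k2j HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2012:10:00:01 +0000] "GET /?q91mz HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2012:10:00:01 +0000] "GET /?p0a7c HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2012:10:00:02 +0000] "GET /?z3k1l HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2012:10:00:02 +0000] "GET /?m7r2d HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (client, method, path, query) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    parts = urlsplit(target)
    return client, method, parts.path, parts.query

def find_cache_busters(log_text, min_requests=5, min_unique_ratio=0.8):
    """Flag clients whose requests almost all introduce a cache key the origin has never served."""
    seen_keys = set()  # (path, query) pairs the origin has already served
    stats = defaultdict(lambda: {"requests": 0, "fresh_keys": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        client, _method, path, query = parsed
        stats[client]["requests"] += 1
        key = (path, query)
        if query and key not in seen_keys:  # new query string: a guaranteed CDN miss
            stats[client]["fresh_keys"] += 1
        seen_keys.add(key)
    flagged = {}
    for client, s in stats.items():
        ratio = s["fresh_keys"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_unique_ratio:
            flagged[client] = {"requests": s["requests"], "unique_query_ratio": round(ratio, 2)}
    return flagged
```

Legitimate pagination (`?page=2`) produces a low ratio and stays below the request floor, while the botnet client reaches a ratio of 1.0 and is reported; the thresholds are starting points to tune against a site's real traffic.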
Attackers are well prepared
• By definition the defenders lose the battle
• Equilibrium has been disrupted
The good news (1)
Industry Security Survey
How likely is it that your organization will be attacked by cyber warfare?
Very likely: 10%
Likely: 8%
Possible: 37%
Unlikely: 45%
Organizations start understanding the risk of DDoS.
Over half of the organizations believe their organization is likely to be attacked by cyber warfare.
The good news (2)
Industry Security Survey
Which solutions do you use against DoS attacks?
[Bar chart: share of respondents per solution type, 2011 vs. 2012]
Organizations start understanding that firewalls and IPS cannot fight DDoS attacks.
Conclusions
• Today’s attacks are different
– Carefully planned
– Last days or weeks
– Switching between attack vectors
• Organizations are ready to fight yesterday’s attacks
– They deploy security solutions that can absorb the first strike
– But when attacks are prolonged, they have very limited firepower
– By the time they succeed in blocking the first two attack vectors, attackers switch to a third, more powerful one
A different approach is needed
• A team of security experts
– Acquire capabilities to sustain long attacks
– Train a team that is ready to respond to persistent attacks
– Deploy the most up-to-date methodologies and tools
– 24 x 7 availability to respond to attacks
– Deploy counterattack techniques to cripple an attack
US Banks Under Attack: from the news
US Banks Under Attack: Operation Ababil
• Publication of the ‘Innocence of Muslims’ film on YouTube sparks demonstrations throughout the Muslim world
• September 18th: ‘Cyber Fighters of Izz ad-din Al Qassam’ announced an upcoming cyber attack campaign against ‘American and Zionist’ targets.
Attack Summary
• Attack targets
– Bank of America
– New York Stock Exchange (NYSE)
– Chase
– Wells Fargo
• Attacks lasted Sep 18-21, 2012
• Multiple attack waves on each target, each wave lasting 4 to 9 hours
• Victims suffered from temporary outages and network slowness
• ERT was actively involved in protecting the attacked organizations
Why was it so challenging?
[Diagram: a multi-vulnerability attack campaign aimed at the business, combining a UDP garbage flood on ports 80 and 443, a large-volume SYN flood, an SSL Client Hello flood and an HTTP flood attack]
• Mitigation nearly impossible
• Attackers look for the blind spot
Recent updates
• HTTP flood was carried out from compromised hosting servers
– Highly distributed attacks
ERT recommendations for 2013
• Acquire capabilities to sustain a long, sophisticated cyber attack
• Attack tools are known. Test yourself
• Carefully plan the position of DoS/DDoS mitigation within the network architecture
– On-premise capabilities
– In-the-cloud capabilities
Thank You
Ron Meyran
[email protected]