Switzerland under Attack

Transcription

1 Switzerland under Attack Werner Thalmeier Director, Security Solutions EMEA 7. April 2016

2

3 A Look Into Attack Motives Remember C.H.E.W. Richard Clarke Cyber Crime Financial gain is the primary motive Hacktivism Driven by ideological differences Lines are blurring... multi-motive attacks Espionage Gaining information for political, financial, competitive leverage Ironically Evidently the more secure, your data risks a cyberattack War Damage/destroy centers of power; military or nonmilitary 3

4 Over 90% Experienced Attacks in 2015 Half of organizations experienced DDoS and Phishing attacks Almost half had Worm and Virus Damage One in ten have not experienced any of the attacks mentioned DDoS Phishing Worm and Virus Damage Unauthorized Access Criminal SPAM Fraud Advanced Persistent Threat Theft of Prop. Info./Intellectual Corporate/Geo-political Sabotage None of the above 7% 9% 15% 34% 29% 25% 23% 50% 47% 51% Source: Radware ERT Report % 10% 20% 30% 40% 50% 60%

5 Increased Attacks on Education and Hosting Comparing to 2014 Most verticals stayed the same Education and Hosting increased likelihood Growing number of help me DDoS my school requests Motivations varies for Hosting Some target end customers Some target the hosting companies Source: Radware ERT Report Change from 2014

6 Increase in Ransom as a Motive for Cyber-attacks More than 50% increase in ransom as a motivator for attackers Motivation behind cyber-attacks is still largely unknown 70% 60% 50% 40% 30% 20% 10% 0% 69% 66% 34% 34% 27% 27% 25% 22% 25% 16% One-third cited political/hacktivism About a quarter referenced competition, ransom, or angry users Q: Which of the following motives are behind any cyber-attacks your organization experienced?

7 Burst Attacks on the Rise More than half of the three biggest attacks experienced lasted 1 hour or less Significant increase from the 27% in 2014 Another indication of increased automated attacks 60% 40% 20% 0% 57% 36% 1 hour or less 1 hour to 1 day 1 day to 1 week 4% Over a week % 1% Constantly Source: Radware ERT Report 2015 Q: What are the three biggest cyber-attacks you have suffered: Duration?

8 Similar Frequency for Network and Application Attacks 100% Network Attacks Application Attacks 80% 60% 40% 20% 0% 19% 22% 22% 43% 17% 20% 22% 23% 25% 17% 20% 42% 37% 38% 11% 41% 38% 38% 38% 34% 52% 41% 21% 22% 24% 35% 23% 25% 23% 23% 25% 15% 24% Rarely-Never Daily / Weekly / Monthly experienced Network 38-42% attacks daily, weekly or monthly experienced Application 38-52% attacks daily, weekly or monthly

9 Complexity of Attacks Continues to Grow Multi-vector attacks target all layers of the infrastructure Low & Slow DoS attacks (e.g.slowloris) SQL Injections XSS, CSRF Large volume network flood attacks Network Scan Syn Floods HTTP Floods SSL Floods Brute Force App Misuse Internet Pipe Firewall IPS/IDS Load Balancer/ADC Server Under Attack SQL Server On-Demand Cloud DDoS DoS protection Behavioral analysis IP S SSL protection WA F

10 Internet Pipe #1 Failure Point Internet pipe is the bottleneck of DDoS attacks 36 % INTERNET PIPE (Saturation) 21% FIREWALL 3% 10% IPS/IDS LOAD BALANCER (ADC) 28% THE SERVER UNDER ATTACK 2 % SQL SERVER IPS/IDS Internet Pipe Firewall Load Balancer/ADC Server Under Attack SQL Server

11

12 March 9th - Armada send ransom letter Armada is sending Ransom letter to Swiss Finance institutes They ask for 25 Bitcoins 9.000,- or 9.800,- CHF Swiss GovCert issued an alert At least one payed...

13 Who is The Armada Collective? Background Strategy Attack Methods Risk Either originating from DD4BC or acting as copy cat and using their methods. Focused on hosting providers, e-commerce, financial services primarily in Europe. Two companies we know already have been taken down. Customers will receive a ransom mail, asking for 30 bitcoins ( ). Warning attack follows within minutes. If payment refused, attacks increase to up to 1TB Targeted - s sent to dedicated and named internal recipients Do their homework if victim has strong DDoS protection, they will not go after it. Only attack when they can create real damage Current vectors are amplification attacks (NTP, RIP Reflection Amplification) Warning attacks up to 20GB Effected organizations have short time to act and prepare Very high risk aggressive and professional attackers Proven results with high volume and taking down companies

14 March 12th Leading retailer and SBB became target Attacks persisted throughout the week for several companies Digitec.ch Fust.ch Microspot.ch Interdiscount.ch Denner.ch Leshop.ch Coop.ch Galaxus.com SBB.ch Brack.ch "It is correct that our Webshop did not work for a short time. We currently believe that it was a DDoS attack. We can confirm that the customer data is safe and not affected. The shop is now again," said Nadine, Media Spokesperson at Interdiscount.

15 SBB, Interdiscount and Microspot went offline SBB Interdiscount Microspot

16 Attack Vectors Focus on volumetric attacks on the network layer Network attacks typically exhaust network stack resources, router and switch processing capacity, and/or misuse bandwidth resources, all of which disrupt the victims network connectivity SSDP NTP DNS TCP RST TCP SYN SYN Flood SYN ACK ICMP

17 Volumetric Attack DNS Amplification Most frequently used attack vector Amplification affect Regular DNS replies - a normal reply is 3-4 times larger than the request Researched replies can reach up to 10 times the original request Crafted replies attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes) - amplification factor of up to 100 times

18 Parrot OS Attack Tool Popular OS for hacker, like Kali Linux DNS NTP SNMP SSDP => All are reflective attacks

19 Shenron Attack Tool Lizard Squads public stresser services 19,99$ => 15GB attack for 1200 second DNS SNMP SYN

20 Generic Stresser Attack Tool Unnamed stresser offered via a hacker on twitter telnet, UDP, ACK, Joomala and Portmap attacks They also offer additional services like Skype, domain, and Cloudflare resolvers

21 VDoS Attack Tool One of the most popular tools 19,99 will gain access to 216 GBS Attack Network DNS, NTP, ESSYN, xsyn, TS3, TCP- ACK, Dominate, VSE, SNMP, PPS, Portmap and TCP-Amp We saw this tool also in Sweden Attacks

22

23 Hybrid DDoS Mitigation Solution Cloud Perimeter LAN Radware Cloud Scrubbing Defense Messaging Attack Mitigation Device Traffic Attack Attack is baseline diverted is Volumetric immediately is and synchronized scrubbed DDoS detected attack to in the Radware s and saturates cloud mitigated freeing internet Cloud at Scrubbing the pipe Perimeter internet Center pipe ADC

24 Radware s Security Solution Addressing the Multi-Vector Challenge Radware Emergency Response Team 24x7 Security Experts Centralized Management & Reporting APSolute Vision On-Demand Cloud DDoS DoS protection Behavioral analysis IPS SSL protection WAF On-Demand Cloud DDoS Service DefensePipe +2TB mitigation capacity Hybrid or Standalone Models Attack Mitigation Device DefensePro Throughput ranging 200Mbps 300Gbps Web Application Firewall AppWall, Cloud WAF Service

25 Lessons Learned - Successful Attack Mitigation Proactive Preparation and Planning is Key Need for a Attack Mitigation solution with the widest coverage to protect from multi-vector attacks, including protection from network and application based DDoS attacks. Consider a hybrid solution that integrates onpremise detection and mitigation with cloudbased protection - to block volumetric attacks. Monitor security alerts and examine triggers carefully. Tune existing polices and protections to prevent false positives and accurate detection. A cyber-security emergency response plan that includes an emergency response team and process in place. Identify areas where helped is needed from a third party. A single point of contact is crucial when under attack - it will help to divert internet traffic and deploy mitigation solutions.

26 Thank You security.radware.com Radware 2016