2011 Global Application and Network Security Report


The 2011 Radware Global Application & Network Security Report is an informative and practical compilation of security findings providing a view of the state of global cyber security worldwide.


  1. 2011 Global Application & Network Security Report. Emergency Response Team (ERT)
  2. Agenda
     • The ERT Report
     • Attack Motivation & Targets
     • The Multi Vector Attack Campaign
  3. ERT Visibility Into Attacks. Radware's ERT helps customers when they are under attack:
     • "Free" access to network architecture & configurations
     • Unique visibility into what an attack actually looks like
     • Visibility into traffic distribution
     • Resource status of the network and the application components
     • Measures the impact of attacks and the network's points of weakness
     • Lab research (botnet lab)
     The ERT sees attacks in real time on a daily basis.
  4. The ERT Annual Report. The report is based on two sources:
     • A survey sent to a wide variety of internet organizations in order to get responses that were vendor neutral and as objective as possible
     • Analysis of about 40 selected cases that were handled by Radware's ERT
     To download the full report, please visit: http://www.radware.com/2011globalsecurityreport
  5. Agenda
     • The ERT Report
     • Attack Motivation & Targets
     • The Multi Vector Attack Campaign
  6. Attackers' Change in Motivation & Techniques. [Timeline chart, 2001 to 2011, with motivation phases labelled "Vandalism and Publicity", "Financially Motivated", "Hacktivism" and "Blending Motives"; incidents and tools plotted include CodeRed, Nimda, Slammer, Blaster, Agobot, the Republican website DoS (2004), the Estonia web site attacks, the Storm, Srizbi, Rustock and Kracken botnets, the Georgia web site DoS (2008), the US & Korea cyber attacks (July 2009), Twitter and Google (installed Trojan), Netbot, IMDDOS, attacks on sites in Peru and Chile, Operation Payback (Dec 2010), Operation Payback II, the Codero and Wordpress.com DDoS attacks (Mar 2011), and LulzSec's attacks on Sony, the CIA and the FBI.]
  7. Attacker's Motivation (Survey). Mainly for political reasons:
     • Uses the power of masses of layman users who were not even fully aware of what the tools they downloaded were doing
     • In 2011: a trend toward more sophisticated attack campaigns that are also generated by the "inner circle" …
  8. Attacker's Motivation (Survey). [Survey results chart; no text recovered.]
  9. Attack Sophistication in 2011
     • Attacks became more complex, with attackers using as many as five different attack vectors in a single "attack campaign"
     • Blending both network and application attacks in a single attack campaign
     • Vote on a target, select the most appropriate attack tools, advertise the campaign, invite anyone capable…
     • Attackers time the attack to the most painful period for the victim
     • Perform a short "proof-firing" prior to the attack
     • Tend not to rely only on volunteer participants, but on the inner circle
  10. Agenda
     • The ERT Report
     • Attack Motivation & Targets
     • The Multi Vector Attack Campaign
  11. Multi Vector Attack Campaign
     • Volumetric network level
     • Application level, encrypted
     • Low & Slow
     • Directed application DoS
     • Intrusions
     • Web attacks (injections, XSS, …)
  12. Network Vulnerability Points (Survey Results). [Survey results chart; the recoverable label is "Stateful Devices".]
  13. The Server Isn't Necessarily the 1st to Fail. Attackers also seem to understand that availability-based threats are more likely to impact the firewall rather than the server.
  14. When You Don't Protect the Firewall
     • A leading online travel agency was hit by a massive HTTP page flood
     • More than 4,000 attackers pounded this site for three days with the aim of overloading the site…
     Actions:
     1st – User-Agent filter on the web servers … partial DoS
     2nd – Attack mitigation device in front of the servers … partial DoS
     3rd – Attack mitigation device in front of the firewall – 100% availability
     [Chart: Firewall Resources Status]
  15. Low and Slow Tools & Trends
     • "Low & Slow" attacks are gaining attention!
     • Tools such as Slowloris and Socketstress have been able to exploit a design weakness at a very low rate
     • R.U.D.Y. – a new tool that can attack any website
  16. Low and Slow Tools & Trends: THC-SSL-DoS
     • This tool allows a single computer to knock web servers offline by targeting a well-known weakness in SSL implementations.
     • An "asymmetric attack": a single client request can cause the server to invest up to 15 times more resources
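Slides 15 and 16 describe the two resource-exhaustion patterns a defender has to spot without a volume signal: many incomplete requests trickling bytes at a very low rate, and a single client repeatedly forcing expensive TLS work. The following is an added example, not Radware's code or the deck's own material; it applies two simple heuristics to a constructed snapshot of a server's open-connection table. The `Conn` fields, the documentation-range addresses and the thresholds (`min_age_s`, `max_rate_bps`, `min_conns`, `max_renegs_per_conn`) are assumptions for illustration.

```python
# Added example (not Radware's code): heuristics that flag "low and slow"
# HTTP clients (Slowloris / R.U.D.Y. style) and clients driving excessive
# TLS renegotiation (THC-SSL-DoS style) from a snapshot of a server's
# open-connection table. Field names and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str             # client IP address
    age_s: float            # seconds the connection has been open
    bytes_in: int           # application-layer bytes received from the client so far
    request_complete: bool  # has the server received a full request on it yet?
    tls_renegs: int         # TLS renegotiations the client has requested on it


# Constructed snapshot (documentation-range addresses, not real traffic).
SAMPLE_SNAPSHOT = (
    # one source holding six half-finished requests open for two minutes,
    # trickling a few bytes each: the slow-header / slow-body pattern
    [Conn("203.0.113.7", 120.0 + i, 40, False, 0) for i in range(6)]
    # a normal browser: short-lived connections carrying complete requests
    + [Conn("198.51.100.20", 5.0, 900, True, 0), Conn("198.51.100.20", 2.0, 700, True, 0)]
    # a single genuinely slow (e.g. mobile) client: slow, but only one connection
    + [Conn("198.51.100.33", 45.0, 200, False, 0)]
    # a client repeatedly renegotiating TLS on two fresh connections
    + [Conn("203.0.113.9", 10.0, 0, False, 40), Conn("203.0.113.9", 8.0, 0, False, 40)]
)


def find_slow_clients(conns, min_age_s=30.0, max_rate_bps=50.0, min_conns=5):
    """Return {client: count} for clients holding at least `min_conns` incomplete
    requests that are older than `min_age_s` and fed at under `max_rate_bps`.
    The per-client count is what separates an attacker from one legitimately
    slow client, which is the main false-positive risk of this heuristic."""
    suspects = defaultdict(int)
    for c in conns:
        if c.request_complete or c.age_s < min_age_s:
            continue
        if c.bytes_in / c.age_s <= max_rate_bps:
            suspects[c.client] += 1
    return {ip: n for ip, n in suspects.items() if n >= min_conns}


def find_reneg_abusers(conns, max_renegs_per_conn=3):
    """Return {client: total renegotiations} for clients that exceed the
    per-connection renegotiation budget; a browser needs at most a handful."""
    totals = defaultdict(int)
    for c in conns:
        if c.tls_renegs > max_renegs_per_conn:
            totals[c.client] += c.tls_renegs
    return dict(totals)


def triage(conns):
    """Combine both heuristics into one report a responder can act on."""
    return {
        "slow_clients": find_slow_clients(conns),
        "reneg_abusers": find_reneg_abusers(conns),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT))
```

Run against the constructed snapshot, the slow-client check flags only `203.0.113.7` (six stalled connections) and leaves the lone slow client alone, while the renegotiation check flags only `203.0.113.9`. The same snapshot would also pass unnoticed through any bandwidth-based threshold, which is the point of slide 17: the action on a hit belongs with the mitigation layer in front of the firewall (closing or rate-limiting the offending client, and disabling client-initiated TLS renegotiation where the server supports that), not with the web server that is already starved.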
  17. Attack Impact – "Size Doesn't Matter". [Chart plotting attack "size" against impact level (high/low); the real-case attack campaign is plotted against category examples including HTTP floods, UDP floods, DNS floods, TCP connection attacks, connection-based attacks and application-based brute force.]
  18. Multi Vector Attack Campaign – Advanced Tools
     • In the post-LOIC period, Anonymous is not depending on mass user participation for its attacks, in order to protect its supporters from the legal actions that several countries are already enforcing
     • To compensate for the LOIC, Anonymous is focusing on its inner-circle hacking activities, which include the development of tools such as #refref that rely on exploiting software vulnerabilities rather than brute force attacks… acting as an advanced persistent threat (APT)…
  19. Recommendations
     • Be prepared for DoS/DDoS attacks
     • Be wary of complimentary DoS/DDoS protection
     • Collect information about attacks such as type, size and frequency; use the right measure
     • Position your DoS/DDoS mitigation solution properly
     • Ensure your DoS/DDoS mitigation solution encompasses many technologies
     • Have a consolidated or "context aware" view into enterprise security
     • Invest in education and develop good internal security policies
  20. Thank You. www.radware.com