• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
In the Line of Fire-the Morphology of Cyber Attacks

In the Line of Fire-the Morphology of Cyber Attacks



Dennis Ulse's Presentation from SecureWorld Expo Atlanta that discusses Availability-based threats; Attacks on U.S. banks and other popular attack patterns and trends.

Dennis Ulse's Presentation from SecureWorld Expo Atlanta that discusses Availability-based threats; Attacks on U.S. banks and other popular attack patterns and trends.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds


Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Radware breaks down the security model into three categories: Confidentiality, Integrity and Availability.Think of it as follows:Confidentiality: A compromise here results in the theft or destruction of business-critical information or customer dataIntegrity: Often linked to confidentiality but damage to a businesses systems obviously can have a major impact. An extreme example that you might have heard of would be the Stuxnet virus that was designed to damage the centrifuge machines used in Iran to purify nuclear material.Availability: The ability for your business to operate. Denial of Service attacks target this dimension – designed purely to disrutp business operation.
  • Here we have the 4 Primary Categories of Availability Based Threats, Network & Application Floods, Low & Slow and Single Packet DOS. The pie charts below illustrate actual use of these attack vectors based on ERT Case history. Over the past few years Application layer attacks have become a significant threat, with Web/SSL and DNS being the fast growing vectors.
  • Based on the Radware Global Security Survey of the industry 57% of attacks have unknown motive. 22% of attacks have an ideological/hacktivist motive.
  • 80% of respondents believe they are not protected and businesses will be impacted by DDOS attacks.
  • While Gaming, Ecommerce maintain risk. Government,Financial Institutions take the biggest shift toward bullseye! These are VERY Likely targets for 2013.
  • Attack Campaigns are becoming more and more persistent, with 23% of attacks lasting more than one week!
  • Shift from 2 Security Phases to 3Pre Attack – audit, vuln scanning, pen tests, etc.Post Attack - forensics, process adjustments, preparation, etc.NEW Phase Cyber War Room24/7Trained under fire (war games, etc)Coverage
  • SIZE
  • We are going to take a look at the attacks on the US Banks. We’ll review the attack source, motivation, duration, attack vectors and preparation.
  • -This pic is from the very beginning of the video, stating “There is an angry mob in the middle of the street”*Notes -  On September 9, 2012, an excerpt of the YouTube video was broadcast on Al-Nas TV, an Egyptian Islamist television station.[11][12]Demonstrations and violent protests against the film broke out on September 11 in Egypt and spread to other Arab and Muslim nations and some western countries.
  • -Libyan riots top left - http://www.foreignpolicy.com/articles/2012/09/14/why_the_embassy_riots_wont_stop.-Lebonon riots bottom left - http://au.ibtimes.com/articles_slideshows/384606/20120915/lebanon-protesters-destroy-kentucky-fried-chicken-and-hardees-over-innocence-of-muslims-film-photos.htm
  • Links about Izz as-Din al-Quassam The preacher - http://en.wikipedia.org/wiki/Izz_ad-Din_al-Qassam *Notes - The Levant includes most of modern Lebanon, Syria, Jordan, State of Palestine, Israel, Cyprus, Hatay Province of Turkey, some regions of northwestern Iraq and theSinai Peninsula.Links about the Cyber hacker group - http://www.globalpost.com/dispatches/globalpost-blogs/the-grid/who-are-the-izz-ad-din-al-qassam-cyber-fightershttp://www.ehackingnews.com/2012/12/izz-ad-din-al-qassam-cyber-fighters.htmlPic from - http://www.standupamericaus.org/terror-jihad/cyber-fighters-of-izz-al-din-al-qassam-alert-to-banks-in-usa/
  • Claim to have no current ties to Anonymous Collective nor any Nation State.Goal is to have the Anti-Muslim Video taken off of YouTubeAbabil (Persian) translates to Swallow Links for translation of ababil - http://en.wikipedia.org/wiki/Ghods_AbabilThe pic from - http://en.wikipedia.org/wiki/File:Hirundo_abyssinica.jpgClaims of Iranian involvement -http://betabeat.com/2012/09/iran-possibly-behind-operation-ababil-cyber-attacks-against-financial-institutions/http://features.rr.com/article/0coOckreSy1vL?q=Bank+of+America
  • Pic taken from - http://news.yahoo.com/americas-failing-grade-cyber-attack-readiness-153640058--abc-news-topstories.html
  • Data taken from internal doc.Phase 3 OpAbabil – Announced March 5th (ongoing) and expected to last 11 weeks. While Phase 3 is not in my presentation today . Encrypted Attacks are a BIG problem for the current protection in place.
  • -Taken from internal report.
  • -Taken from internal report.
  • Reflective attack - Attackers send forged requests of some type to a very large number of computers that will reply to the requests. Using spoofed SRC IP’s of the victim, which means all the replies will go to (and flood) the target.
  • -Stateful inspection in the DNS area is limited. Was in smartdefense at CP, but how many people use it?-The server is forced to respond with ICMP packets “Destination Unreachable” (ICMP type3 Code 3) for port closed when udp packet arrives.-Returning ICMP type 3 further saturate (Packet size in return will be close to received packet).
  • -Internal data.
  • -The SYN flood attack simply sends a high rate of SYN’s with spoofed IP’s and the server is left waiting for the ACK.-This means the attacker needs much fewer hosts to exhaust target machine because no session is actually kept alive on the “Attackers” side.-You exhaust the Backlog of the TCP stack (Linux default is 3mins and Win2k is 45 sec. for half open timeouts, these can be changed). So the server can no longer accept a new connection.-
  • -Another reported attack technique that was allegedly used during this campaign is a custom version of the Mobile LOIC tool (aka Mobile LOIC - Apache Killer) which is designed to exploit a known vulnerability in Apache servers – corresponding to CVE-2011-3192.-This attack tool targets Apache servers using Apache HTTP server versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.
  • Target URL- Specifies the URL of the attacked target. Must start with http://. Requests per second-Specifies the number of desired requests to be sent per second. Append message-Specifies the content for the “msg” parameter to be sent within the URL of HTTP requests
  • Resource internal.
  • -This value is unique since it seems to contain a typo which is caused by placing the “User Agent:” string inside the user agent value itself.Resource internal.
  • Internal resources.
  • Resource internal.
  • Trend toward assymetricatacks with obvious reason. The attacker is required to utilize few resources while exhausting the target by sending small requests which result in large and or cpu intensive replies.
  • Identification: referrer (ask the audience)Iframe attack can be used to amplify a DDoS any site. For example, using the attack LOIC iframe (JavaScript) to amplify the attack.
  • RUDY or ARE YOU DEAD YET exploits the HTTP POST method by sending POST with long form field submission. It injects one byte of data then waiting causes application threads to await for never ending posts to perform processing.
  • Slowloris sends very slow HTTP Requests. The HTTP headers ares sent in tiny chunks as slowly as possible while the server si forced to wait for the headers to arrive. This causes many connections to be built up on the target server. Slowloris is cross platform, except for Windows due to a socket limitation (~130). Pyloris was developed to enable running on windows with a Python GUI).