SC Congress 2013: Information Security Adaptation: Survival in an Evolving Threat Landscape

Carl Herberger's (VP of Security Solutions) presentation during SC Congress 2013. Carl discussed a breakdown of the anatomy of a cyber attack and demonstrated how the threat landscape has evolved. This presentation also gives an analysis of recent attacks and what organizations can do to mitigate them. Most importantly, learn how one should be securing tomorrow's perimeter.
Presentation Transcript

  • The Evolving Threat Landscape
  • More Attacks. More Often.
  • Latency Yesterday for US Commercial Banks
  • Attack Motivation (timeline chart of attack risk over time, 2001 to 2010, with phases "Vandalism and Publicity", "Financially Motivated", and "Blending Motives" / "Hacktivism")
    2001: Code Red; Nimda (installed Trojan)
    2003: Blaster; Slammer (attacking SQL sites)
    2004: Republican website DoS
    2007: Storm (botnet); Srizbi (botnet); Rustock (botnet); Estonia's web sites DoS
    2008: Georgia web sites DoS
    2009: Kracken (botnet); Google / Twitter attacks; July 2009 cyber attacks on US & Korea
    2010: IMDDOS (botnet); Dec 2010 Operation Payback
    Mar 2011: Netbot DDoS; Operation Payback II; DDoS on Wordpress.com; Codero DDoS / Twitter
    Undated on the chart: Agobot (DoS botnet); LulzSec (Sony, CIA, FBI, Peru, Chile)
  • Hacktivism Becomes More Campaign/APT Oriented
    Complex: more than seven different attack vectors at once
    Blending: both network and application attacks
    Targeteering: select the most appropriate target, attack tools, ...
    Resourcing: advertise, invite, coerce anyone capable ...
    Testing: perform short "proof-firing" prior to the attack
    Timeline: establish the most painful time period for the victim
  • Hacktivism Becomes More Campaign/APT Oriented (sophistication measure of four campaigns)
    Attack target: Vatican; duration: 20 days; more than 7 attack vectors; "inner cycle" involvement
    Attack target: HKEX; duration: 3 days; 5 attack vectors; only "inner cycle" involvement
    Attack target: Visa, MasterCard; duration: 3 days; 4 attack vectors
    Attack target: Israeli sites; duration: 6 days; 5 attack vectors; "inner cycle" involvement
  • The Anonymous Arms Race
    Network Flood       | Application Flood | Low & Slow | Vulnerability Based
    UDP Floods          | Dynamic HTTP      | RUDY       | Intrusion Attempts
    SYN Floods          | HTTPS Floods      | Slowloris  | SQL Injection
    Fragmented Floods   |                   | Pyloris    | #refref
    FIN + ACK           |                   | xerex      |
  • 2012 Security Report
  • Example Stock Exchange Attack
    Attack Vector        | Time Stamp                       | Attack Peak
    Fragmented UDP Flood | 1:00 AM                          | 95 Mbps, 10K PPS
    LOIC UDP             | 4:00 AM and 8:00 PM - 11:00 PM   | 50 Mbps, 5K PPS
    TCP SYN Flood        | 1:40 PM                          | 13.6 Mbps, 24K PPS
    R.U.D.Y              | 4:00 PM                          | 2.1 Mbps, 0.7K PPS
    LOIC TCP             | 11:00 PM - 3:30 AM               | 500 Kbps, 0.2K PPS
    Mobile LOIC          | 6:00 PM - 8:30 PM                | 86 Kbps, 13 PPS
    #RefRef              | 9:45 PM                          | Few packets
  • The Security Trinity: Confidentiality, Integrity, Availability
    Security Confidentiality, a mainstream adaptation of the "need to know" principle of the military ethic, restricts the access of information to those systems, processes and recipients to which the content was intended to be exposed.
    Security Integrity, in its broadest meaning, refers to the trustworthiness of information over its entire life cycle.
    Security Availability is a characteristic that distinguishes information objects that have signaling and self-sustaining processes from those that do not, either because such functions have ceased (outage, an attack) or because they lack such functions.
  • The Security Trinity: Confidentiality, Integrity, Availability (section: Confidentiality)
  • Confidentiality
    Vulnerabilities: Application Exploits; Network Exploits; O/S Exploits; Encryption & Authentication Weaknesses
    Attacks: EAP Attacks; TLS Attacks; WEP Attacks; L2TP Attacks; SIP Attacks; ARP Attacks; VPN Attacks; PPTP Attacks; AES Attacks; 3DES Attacks; SSL Attacks; MITB Attacks; Hash Attacks; IPv6 Encapsulated in IPv4
    Examples: 2005 Ameriprise Financial, 24M lost; 2006 Boeing 386K, Dept. of VA 29M; 2007 TJ Maxx 45M, The Gap 800K; 2008 Countrywide 17M, GE Financial 800K; 2009 Heartland 100M, Rock You! 32M; 2010 +/- RSA 2-factor token hack; 2011 Sony 100M, HB Gary - FBI; 2011 - 2012 AES hack, Apple 12M
    Defenses: Database Security; Enterprise Encryption; Compliance Oriented Activity; Data Leakage Protection; Social Engineering Protection
  • The Security Trinity: Integrity, Availability, Confidentiality (section: Integrity)
  • Integrity
    Vulnerabilities: Application Exploits; Network Exploits; O/S Exploits; Transmission Encryption Weaknesses
    Attacks: Skimming; ARP Attacks; Rootkits; Keyloggers; Spoofing; Unauthorized Authentication; Malware; Steganography; Man-in-the-Middle; Anonymizers; Fraud & Scams
    Examples: Nov 2011 THC SSL attack released; 2011 Browser Exploit Against SSL/TLS (BEAST) released; Dec 2010 NIST: 1K certs not recommended; 2010 PCI: kiss your WEP goodbye!; 2009 encrypted kernel exploit discovered; 2008 US CERT: MD5 hash insecure; 2006 SSL/TLS plaintext attack; 2002 SSH2 hack
    Defenses: Hardware Security Modules (HSM); Federated Identity Management; Multi-Factored Authentication; Public Key Infrastructure; Network Access Control; Fraud Detection / Hash Checksums
  • The Security Trinity: Integrity, Availability, Confidentiality (section: Availability)
  • Availability
    Vulnerabilities: Application Exploits; Network Exploits; O/S Exploits; RFC Exploits; Architecture Exploits; Business Logic
    Attacks: ICMP Floods; TCP RESET Floods; TCP FIN Floods; HTTP POST Floods; TCP Out-of-State Floods; TCP SYN+ACK Floods; TCP Fragment Floods; IGMP Floods; ACK Floods; SIP Attacks; RFC Violation Attacks; Session Attacks; TCP SYN Floods; HTTP GET Page Floods; Memory Allocation Attacks; DNS Query Floods; SSL Attacks; SQL Attacks; Brute Force Attacks; TCP Stack Resource Attacks; Concurrent Connection Attacks
    Tools: R-U-Dead-Yet (RUDY); #Refref; LOIC; Xerxes; Pyloris; HOIC; Leonitis; Slowloris; SocketStress; HULK
    Defenses: Challenge / Response Technology; Black / White / Access Control Lists; Hardware-Based Volumetric Protections; Web-Application Firewall; Behavioral Technologies; Architecture Improvements
    Examples: Nov 2010 Operation Payback: Visa, MasterCard + other outages; Feb 2010 Operation Titstorm: Australian Government outages; June 2011 Operation Iran: Iran government outages, leaked emails, hacked IT; Apr 2011 Operation Sony: PlayStation.com outage, leaked CC#; Jun 2011 Operation AntiSec: AZ Department of Public Safety down; Jun 2012 AT&T DNS outage & L3 ISP outage attacks
  • Size Does Not Matter. Honest. 76% of attacks are below 1 Gbps! The impact of application flood attacks is much more severe than that of network flood attacks.
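The stock exchange table above and the "76% of attacks are below 1 Gbps" point make the same argument from the defender's side: a mitigation tuned only to a bandwidth threshold never trips on most of these vectors. The following is an added example, not code from the slides or from Radware, that parses a small peak-rate log, groups vectors by the families of the "Anonymous Arms Race" slide, and reports which vectors would stay under a purely volumetric threshold. The log format, the field names, the vector-to-family mapping and the `Mbps`/`PPS` helpers are assumptions; the sample lines are constructed from the table's times and peaks (ranges collapsed to their start time).

```python
"""Classify DDoS attack vectors from a peak-rate log and test a volumetric threshold.

Added example, not part of the original presentation. The vector-to-family
mapping follows the deck's "Anonymous Arms Race" slide; the log format and the
sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Assumed mapping from a logged vector name to the slide's attack family.
CATEGORY_BY_VECTOR = {
    "fragmented udp flood": "network_flood",
    "loic udp": "network_flood",
    "tcp syn flood": "network_flood",
    "loic tcp": "network_flood",
    "mobile loic": "application_flood",   # browser-based HTTP flooder (assumption)
    "r.u.d.y": "low_and_slow",
    "#refref": "vulnerability_based",
}

# Constructed sample log, one peak observation per vector (from the table's numbers).
SAMPLE_LOG = """\
01:00 fragmented udp flood peak=95Mbps pps=10000
04:00 loic udp peak=50Mbps pps=5000
13:40 tcp syn flood peak=13.6Mbps pps=24000
16:00 r.u.d.y peak=2.1Mbps pps=700
23:00 loic tcp peak=500Kbps pps=200
18:00 mobile loic peak=86Kbps pps=13
21:45 #refref peak=0Kbps pps=0
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}) (.+?) peak=([\d.]+)(Kbps|Mbps|Gbps) pps=(\d+)$")
UNIT_TO_MBPS = {"Kbps": 1e-3, "Mbps": 1.0, "Gbps": 1e3}


def to_mbps(value: float, unit: str) -> float:
    """Normalise a bandwidth figure to megabits per second."""
    return value * UNIT_TO_MBPS[unit]


def parse_log(text: str) -> list:
    """Parse log lines into records with family, Mbps, PPS and mean packet size."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, vector, peak, unit, pps = m.groups()
        mbps, pps = to_mbps(float(peak), unit), int(pps)
        # Mean bytes per packet: bits per second / 8 / packets per second.
        bytes_per_packet = (mbps * 1e6 / 8) / pps if pps else None
        events.append({
            "time": ts,
            "vector": vector,
            "category": CATEGORY_BY_VECTOR.get(vector, "unknown"),
            "mbps": mbps,
            "pps": pps,
            "bytes_per_packet": bytes_per_packet,
        })
    return events


def summarize(events: list) -> dict:
    """Peak bandwidth, peak packet rate and count per attack family."""
    out = defaultdict(lambda: {"peak_mbps": 0.0, "peak_pps": 0, "count": 0})
    for e in events:
        s = out[e["category"]]
        s["peak_mbps"] = max(s["peak_mbps"], e["mbps"])
        s["peak_pps"] = max(s["peak_pps"], e["pps"])
        s["count"] += 1
    return dict(out)


def below_threshold(events: list, mbps_threshold: float) -> list:
    """Vectors a bandwidth-only mitigation at this threshold would never act on."""
    return sorted(e["vector"] for e in events if e["mbps"] < mbps_threshold)


def fraction_below(events: list, mbps_threshold: float = 1000.0) -> float:
    """Share of observed vectors below the threshold (1 Gbps by default)."""
    return len(below_threshold(events, mbps_threshold)) / len(events) if events else 0.0


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for cat, s in summarize(evs).items():
        print(f"{cat:20s} peak {s['peak_mbps']:7.2f} Mbps  {s['peak_pps']:6d} pps  n={s['count']}")
    print("below 1 Gbps:", fraction_below(evs))
    print("invisible to a 1 Mbps bandwidth rule:", below_threshold(evs, 1.0))
```

The mean packet size column is the useful by-product: the SYN flood shows up at roughly 70 bytes per packet while the fragmented UDP flood is over 1,000, so packet rate and per-session behaviour, not bandwidth alone, are what a detection rule for this kind of campaign has to key on.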
  • The Impact (chart of target / operation against Confidentiality, Integrity and Availability, 2007 to 2010): Habbo; Hal Turner; Project Chanology; Epilepsy Foundation; AllHipHop defacement; No Cussing Club; 2009 Iranian election protests; Operation Didgeridie; Operation Titstorm; Oregon Tea Party raid; Operation Payback; Avenge Assange; OpeBra
  • Securing Tomorrow’s Perimeter
  • Perimeter Defense Planning
  • Perimeter Defense Planning: Any gap in coverage represents a vulnerability. That will be exploited.
  • Perimeter Defense Planning
  • The Best Defense Is A...
    Key notes:
    - Counter attack's comeuppance is upon us
    - Key IR assumptions are wrong, e.g. law enforcement
    - Attack mitigation talent is low; knowledge must increase
    - Corporate policies are IR focused, not ERT focused
  • Agenda recap: Anatomy of an Attack; The Evolving Threat Landscape; Securing Tomorrow's Perimeter
  • Thank You. Carl Herberger, VP, Security Solutions, Radware, carl.herberger@radware.com