InfoSecurity Europe 2014: The Art Of Cyber War

With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments.

In 2013 we saw a growing use of a new type of attack in which attackers used legitimate transactions to saturate application servers’ resources. In this presentation, security expert Werner Thalmeier demonstrates how such an advanced attack can be created from a laptop running in an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations, and shares best practices for protecting against such cyber-attacks.

Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit:

  1. The Art of Cyber War. Werner Thalmeier – Security Evangelist
  2. 孫子兵法 The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work. Many of its conclusions remain valid today in the cyber warfare era.
  3. 知彼知己,百戰不殆 If you know the enemy and know yourself, you need not fear the result of a hundred battles. Notable DDoS Attacks in the Last 12 Months
  4. Variation of Tactics 九變 • The Army on the March 行軍 • Illusion & Reality 虛實 • The Use of Intelligence 用間 • Laying Plans 始計
  5. Attackers Deploy Multi-vulnerability Attack Campaigns
     • Attack classes: Volumetric attacks; Network & Stateful attacks; Application attacks; App Misuse
     • Attack types shown: high bandwidth or PPS network flood attacks, network scan, SYN floods, SSL floods, HTTP floods, brute force, SQL injection, cross site scripting, intrusions, “Low & Slow” DoS attacks (e.g. Sockstress)
     • Assets along the path: Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server
     • More than 50% of 2013 attack campaigns had more than 5 attack vectors. Source: Radware 2013 ERT Report
  6. Hacktivism – Move To Campaign-APT Oriented
     • Complex: More than seven different attack vectors at once
     • Blending: Both network and application attacks
     • Target-eering: Select the most appropriate target and attack tools
     • Resourcing: Advertise, invite, coerce anyone capable
     • Testing: Perform short “proof-firing” prior to the attack
     • Timeline: Establish the most painful time period for the victim
  7. Sophistication, 2010 to 2013
     • 2010: Duration 3 days; 4 attack vectors; attack target: Visa, MasterCard
     • 2011: Duration 3 days; 5 attack vectors; attack target: HKEX
     • 2012: Duration 20 days; more than 7 attack vectors; attack target: Vatican
     • 2013: Duration 7 months; multiple attack vectors; attack target: US Banks
     故善战者,立于不败之地 The good fighters of old first put themselves beyond the possibility of defeat.
  8. The Threat Landscape: DDoS is the most common attack method. Attacks last longer. Government and Financial Services are the most attacked sectors. The multi-vector trend continues.
  9. 漏洞 Vulnerability. You don’t control all of your critical business systems. Understand your vulnerabilities in the distributed, outsourced world. 没有战略,战术是之前失败的噪音 (Without strategy, tactics are the noise before defeat.)
  10. Variation of Tactics 九變 • The Army on the March 行軍 • Illusion & Reality 虛實 • The Use of Intelligence 用間 • Laying Plans 始計
  11. From individual servers to server-based botnets, 1998 to 2012:
      • Individual Servers (1998 - 2002): Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication. Examples: Trin00, TFN, Trinity
      • Botnets (1998 - Present): Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra
      • Voluntary Botnets (2010 - Present): Many users, at times part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC
      • New Server-based Botnets (2012): Powerful, well orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.
      不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill.
  12. R.U.D.Y.
      • Exploits a design weakness that became public in Nov 2010
      • A slow-rate attack tool that can cause DoS with a relatively low amount of generated traffic
      • Instead of sending the entire HTTP POST request at once, it sends one byte every 10 seconds, making the connection last forever. It does this in parallel, again and again, over numerous connections until the server’s resources are exhausted.
  13. 兵者 詭道也 All warfare is based on deception. Tool: Kill ‘em All 1.0
      • Harnesses techniques such as Authentication Bypass, HTTP redirect, HTTP cookie and JavaScript
      • True TCP behavior, believable and random HTTP headers, JavaScript engine, random payload, tunable post-authentication traffic model
      • Defeats current anti-DDoS solutions that rely on detecting malformed traffic, traffic profiling, rate limiting, source verification, and JavaScript- and CAPTCHA-based authentication mechanisms
      • Creators allege that the tool is technically indistinguishable from legitimate human traffic
      • Tested: Arbor PeakFlow TMS, Akamai, Cloudflare, NSFocus Anti-DDoS System
  14. 不戰而屈人之兵,善之善者也 (To subdue the enemy without fighting is the acme of skill.) Current prices on the Russian underground market:
      • Hacking corporate mailbox: $500
      • Winlocker ransomware: $10-$20
      • Unintelligent exploit bundle: $25
      • Intelligent exploit bundle: $10-$3,000
      • Basic crypter (for inserting rogue code into a benign file): $10-$30
      • SOCKS bot (to get around firewalls): $100
      • Hiring a DDoS attack: $30-$70/day, $1,200/month
      • Botnet: $200 for 2,000 bots
      • DDoS Botnet: $700
      • ZeuS source code: $200-$250
      • Windows rootkit (for installing malicious drivers): $292
      • Hacking Facebook or Twitter account: $130
      • Hacking Gmail account: $162
      • Email spam: $10 per one million emails
      • Email scam (using customer database): $50-$500 per one million emails
  15. 不戰而屈人之兵,善之善者也 (To subdue the enemy without fighting is the acme of skill.)
  16. 行軍: Operation Ababil
      • Battlefield: U.S. Commercial Banks
      • Cause: Elimination of the film “Innocence of Muslims”
      • Battle: Phase 4 of a major multi-phase campaign – Operation Ababil – that commenced during the week of July 22nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
      • Attackers: Cyber Fighters of Izz ad-Din al-Qassam
      • Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.
  17. 行軍: Operation Ababil
      • Massive TCP and UDP flood attacks: targeting both Web servers and DNS servers. Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. Source appears to be the Brobot botnet.
      • DNS amplification attacks: the attacker sends queries to a DNS server with a spoofed address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.
      • HTTP flood attacks: cause web server resource starvation due to an overwhelming number of page downloads.
      • Encrypted attacks: SSL-based HTTPS GET requests generate a major load on the HTTP server, which consumes 15x more CPU to process the encrypted attack traffic.
  18. 行軍: Operation Ababil. [Timeline chart, July 2010 to July 2013, of events attributed to Parastoo, Iranian Cyber Army and al Qassam Cyber Fighters, scaled from 1 event to 22 events.] Source: Analysis Intelligence, Event Correlation: Iranian Linked Cyber Attacks
  19. 目标 Target. Don’t assume that you’re not a target. Draw up battle plans. Learn from the mistakes of others. 没有战略,战术是之前失败的噪音 (Without strategy, tactics are the noise before defeat.)
  20. Variation of Tactics 九變 • The Army on the March 行軍 • Illusion & Reality 虛實 • The Use of Intelligence 用間 • Laying Plans 始計
  21. 不可胜在己 Being unconquerable lies within yourself. [Bar chart comparing 2011, 2012 and 2013 on an axis from 0 to 35, of attacks by affected component: Internet Pipe, Firewall, IPS/IDS, ADC, Server, SQL Server, grouped as Volumetric attacks, Network & Session attacks and Application attacks.]
  22. 不可胜在己 (Being unconquerable lies within yourself.) DoS defense components and the attack classes each addresses:
      DoS Defense Component               | Vulnerability Exploitation | Network Flood  | Infrastructure Exhaustion | Target Exhaustion
      ------------------------------------|----------------------------|----------------|---------------------------|-------------------
      Network Devices                     | No                         | No             | Some                      | Some
      Over-Provisioning                   | No                         | Yes, bandwidth | Yes, infrastructure       | Yes, server & app.
      Firewall & Network Equipment        | No                         | No             | Some                      | Some
      NIPS or WAF Security Appliances     | Yes                        | No             | No, part of problem       | No
      Anti-DoS Box (Stand-Alone)          | No                         | No             | Yes                       | Yes
      ISP-Side Tools                      | No                         | Yes            | Rarely                    | Rarely
      Anti-DoS Appliances (ISP Connected) | No                         | Yes            | Yes                       | Yes
      Anti-DoS Specialty Provider         | No                         | Yes            | Yes                       | Yes
      Content Delivery Network            | No                         | Yes            | Yes                       | Limited
  23. Analyst View
      • With the prevalence and duration of attacks on the rise, organizations need to take steps to protect their infrastructure from the advanced methods being employed. Despite the fact that volumetric-based attacks will remain the most common, more advanced hybrid attacks that include application layer and encrypted traffic in addition to volumetric methods will also grow, spurring growth in the use of on-premise equipment. (IDC Technology Spotlight: Optimizing DDoS Mitigation Using Hybrid Approaches)
      • Gartner expects high-bandwidth DDoS attacks to continue and to increase in frequency in 2013. Gartner also expects that at least 25% of DDoS attacks will be application-based, in which attackers send targeted commands to applications to tax CPU and memory and make the application unavailable. (Gartner)
  24. 不可胜在己 (Being unconquerable lies within yourself.) 70%: proportion of businesses relying on CDNs for DDoS protection.
  25. 不可胜在己 (Being unconquerable lies within yourself.) Bypassing CDN Protection. [Diagram: Botnet sends GET [Random] requests through the CDN to the Enterprise.]
  26. 不可胜在己 (Being unconquerable lies within yourself.) Cloud protection limitations. [Diagram: Botnet traffic (volumetric attacks, low & slow attacks, SSL encrypted attacks) passing through Cloud Scrubbing to the Enterprise.]
  27. 宣传 Propaganda. Don’t believe the propaganda. Understand the limitations of solutions. Not all networking and security solutions are created equal. 没有战略,战术是之前失败的噪音 (Without strategy, tactics are the noise before defeat.)
  28. Variation of Tactics 九變 • The Army on the March 行軍 • Illusion & Reality 虛實 • The Use of Intelligence 用間 • Laying Plans 始計
  29. 兵之情主速 Speed is the essence of war. [Chart: an Attack Degree axis divided into Normal Area, Suspicious Area and Attack Area.]
  30. 兵之情主速 (Speed is the essence of war.) The Security Gap: the attacker has time to bypass automatic mitigation; the target does not possess the required defensive skills.
  31. 检测 Detection. You can’t defend against attacks you can’t detect. Know your limitations. Enlist forces that have the expertise to help you fight. 没有战略,战术是之前失败的噪音 (Without strategy, tactics are the noise before defeat.)
  32. Variation of Tactics 九變 • The Army on the March 行軍 • Illusion & Reality 虛實 • The Use of Intelligence 用間 • Laying Plans 始計
  33. 故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations.) Detection: Application Attacks • Web Attacks • Application Misuse • Connection Floods • Brute Force • Directory Traversals • Injections • Scraping & API Misuse
  34. 故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations.) Attack Mitigation Network: Low & Slow, SSL Encrypted. [Diagram: Botnet, Cloud Scrubbing, Hosted Data Center, Enterprise.]
  35. 故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations. Detection: Encrypted / Non-Volumetric Attacks • Envelope Attacks – Device Overload • Directed Attacks – Exploits • Intrusions – Mis-Configurations • Localized Volume Attacks • Low & Slow Attacks • SSL Floods
  36. 故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations.) Attack Mitigation Network: Application Exploits. [Diagram: Botnet, Cloud Scrubbing, Hosted Data Center, Enterprise, with attack signatures.]
  37. 故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations.) Attack Detection: Volumetric Attacks • Network DDoS • SYN Floods • HTTP Floods
  38. 故兵貴勝,不貴久 (What is essential in war is victory, not prolonged operations.) Attack Mitigation Network: Volumetric Attacks. [Diagram: Botnet, Cloud Scrubbing, Hosted Data Center, Enterprise, with attack signatures.]
  39. Layered Lines Of Defense. [Diagram mapping attack types (large volume network flood attacks, network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress), HTTP floods, brute force, app misuse), grouped as Volumetric attacks, Network & Stateful attacks and Application attacks, against the path Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server, and the defenses DoS protection, Behavioral analysis, SSL protection, IPS, WAF and Cloud DDoS protection.]
  40. Layered Lines Of Defense – Attack Mitigation System
  41. 可用性 (Availability) Protection. Aligned forces will make the difference. Protecting your data is not the same as protecting your business. True security necessitates data protection, system integrity and operational availability. 没有战略,战术是之前失败的噪音 (Without strategy, tactics are the noise before defeat.)
  42. 你准备好了吗? Are You Ready?
  43. Thank You
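Slide 12 describes R.U.D.Y. by its traffic shape: a large declared body trickled in at one byte every 10 seconds over many parallel connections. As an added example, not code from the deck or from Radware, the following Python models the per-connection accounting a defender can keep to flag that shape; the record fields, thresholds and sample connections are constructed assumptions.

```python
"""Flag slow-POST (R.U.D.Y.-shaped) connections from per-connection accounting.
Assumed model, not from the deck: per open request we know the method, the
declared Content-Length, body bytes received and the request age. R.U.D.Y.
declares a large body and trickles one byte every ~10 s, so its connections
stay old, unfinished and nearly idle while each still holds a worker."""
from dataclasses import dataclass

@dataclass
class Conn:
    conn_id: str
    client: str
    method: str
    content_length: int   # body size declared by the client
    body_received: int    # body bytes actually received so far
    age_s: float          # seconds since the request line arrived

# Thresholds are assumptions for this example, not values from the deck.
MIN_AGE_S = 60.0      # an ordinary POST body is complete long before this
MAX_RATE_BPS = 1.0    # body bytes per second; R.U.D.Y. sends ~0.1 B/s

def is_slow_post(c: Conn) -> bool:
    """True when a POST is old, still incomplete and barely transferring."""
    if c.method != "POST" or c.age_s < MIN_AGE_S:
        return False
    unfinished = c.body_received < c.content_length
    return unfinished and c.body_received / c.age_s < MAX_RATE_BPS

def suspicious_clients(conns, min_conns=3):
    """Clients holding several slow, unfinished POSTs open in parallel;
    one may be a slow link, many from one source is the tool's signature."""
    per_client = {}
    for c in conns:
        if is_slow_post(c):
            per_client[c.client] = per_client.get(c.client, 0) + 1
    return {ip: n for ip, n in per_client.items() if n >= min_conns}

# Constructed sample: one client trickling ~1 byte / 10 s over four
# connections, beside ordinary traffic that must not be flagged.
SAMPLE = [
    Conn("c1", "203.0.113.7", "POST", 1_000_000, 12, 120.0),
    Conn("c2", "203.0.113.7", "POST", 1_000_000, 12, 120.0),
    Conn("c3", "203.0.113.7", "POST", 1_000_000, 11, 110.0),
    Conn("c4", "203.0.113.7", "POST", 1_000_000, 13, 130.0),
    Conn("c5", "198.51.100.2", "POST", 2048, 2048, 1.5),               # normal upload
    Conn("c6", "198.51.100.9", "GET", 0, 0, 300.0),                    # idle keep-alive
    Conn("c7", "198.51.100.5", "POST", 50_000_000, 40_000_000, 90.0),  # slow real upload
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))  # {'203.0.113.7': 4}
```

Server-side, the same failure mode is bounded by request-body timeouts (nginx's client_body_timeout, for instance), which the deck does not discuss.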
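Slide 17 describes DNS amplification: queries carrying the target's spoofed address, answered with large replies, split over several packets, that land on the target. As an added example (not Radware's code), this Python flags the resulting pattern at the victim's edge, DNS responses arriving for a host that sent no matching query; the flow-record fields, thresholds and sample flows are constructed assumptions.

```python
"""Spot DNS-amplification traffic at the victim's edge (pattern from slide 17).
Assumed input, not from the deck: flow records from an edge sensor with the DNS
QR bit decoded and fragmented replies reassembled. Because the attacker's queries
carried the victim's spoofed source address, the victim receives DNS responses
for queries it never sent: many of them, large and fragmented."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    size: int            # bytes on the wire (reassembled if fragmented)
    dns_response: bool   # QR bit: False = query, True = response
    fragmented: bool = False

# Thresholds are assumptions for this example.
MIN_RESPONSES = 5      # unsolicited replies per destination in the window
MIN_AVG_SIZE = 1000    # bytes; an ordinary A-record answer is ~100 bytes

def unsolicited_responses(flows):
    """DNS responses whose (client, resolver) pair has no observed query."""
    asked = {(f.src, f.dst) for f in flows if f.dport == 53 and not f.dns_response}
    return [f for f in flows
            if f.sport == 53 and f.dns_response and (f.dst, f.src) not in asked]

def amplification_victims(flows):
    """Destinations receiving many large unsolicited DNS responses."""
    by_dst = defaultdict(list)
    for f in unsolicited_responses(flows):
        by_dst[f.dst].append(f)
    found = {}
    for dst, rs in by_dst.items():
        total = sum(f.size for f in rs)
        if len(rs) >= MIN_RESPONSES and total / len(rs) >= MIN_AVG_SIZE:
            found[dst] = {"responses": len(rs), "bytes": total,
                          "fragmented": sum(f.fragmented for f in rs),
                          "resolvers": sorted({f.src for f in rs})}
    return found

# Constructed sample: one legitimate lookup, then six open resolvers answering
# spoofed queries with ~3.2 KB replies aimed at 192.0.2.20.
SAMPLE = [
    Flow("192.0.2.10", "198.51.100.53", 40001, 53, 60, False),
    Flow("198.51.100.53", "192.0.2.10", 53, 40001, 120, True),
] + [Flow(f"203.0.113.{i}", "192.0.2.20", 53, 40000 + i, 3200, True, True)
     for i in range(1, 7)]
```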