Our 2015 – 2016 Global Application and Network Security Report reveals attack trends and offers predictions as automated attacks, and automated defenses against them, continue to rise.
Visit here: http://www.radware.com/social/ert-report-2015/ to download the full report.
3. The Report’s Purpose
5th Installment of Radware’s Global Application & Network Security Report
Through firsthand and statistical research coupled with front-line experience, this research identifies trends that can help educate the security community.
7. Key Findings
No One Immune
Few Prepared
Over 90% Experienced Attacks in 2015
Ring of Fire – Increased Attacks on Education and Hosting
Are You Ready? Preparedness for Cyber-Attacks Varies
Protection Gaps Identified Across the Board
8. Over 90% Experienced Attacks in 2015
Half of organizations experienced DDoS and Phishing attacks
Almost half had Worm and Virus Damage
One in ten have not experienced any of the attacks mentioned
Q: What type of attack have you experienced?
DDoS: 51%
Phishing: 50%
Worm and Virus Damage: 47%
Unauthorized Access: 34%
Criminal SPAM: 29%
Fraud: 25%
Advanced Persistent Threat: 23%
Theft of Prop. Info./Intellectual Capital: 15%
Corporate/Geo-political Sabotage: 7%
None of the above: 9%
9. Increased Attacks on Education and Hosting
Compared to 2014:
Most verticals stayed the same
Education and Hosting – increased likelihood
Growing number of “help me DDoS my school” requests
Motivations vary for Hosting
- Some target end customers
- Some target the hosting companies
[Chart: Ring of Fire – 2015 change in attack likelihood from 2014, by vertical; values not recoverable]
10. Are You Ready? Preparedness for Cyber-Attacks Varies
Q: In your opinion, how prepared is your organization to safeguard itself from the following cyber-attacks?
Attack type | Extremely well prepared | Very well prepared | Somewhat prepared | Not very prepared | Not prepared at all
Corporate/Geo-political Sabotage | 8% | 29% | 39% | 20% | 4%
Advanced Persistent Threat | 9% | 33% | 41% | 14% | 3%
Theft of Prop. Info./Intellectual Capital | 12% | 33% | 41% | 12% | 3%
Fraud | 14% | 38% | 36% | 10% | 2%
Phishing | 14% | 38% | 39% | 7% | 2%
DDoS | 20% | 35% | 30% | 12% | 3%
Criminal SPAM | 15% | 44% | 33% | 7% | 2%
Worm and Virus Damage | 15% | 48% | 32% | 4% | 1%
Unauthorized Access | 17% | 47% | 29% | 6% | 2%
(Rows may not sum to exactly 100% because of rounding.)
3 out of 5 respondents feel they are extremely/very well prepared to safeguard against Unauthorized Access and Worm and Virus Damage.
3 out of 5 respondents are somewhat/not very prepared against APT and information theft.
The results are split roughly evenly between those that are prepared and not prepared to protect from DDoS attacks.
14. Protection Gaps - Across the Board
A true protection gap for most organizations today
Weaknesses spread evenly among all attack types
Volumetric and HTTPS/SSL protection lead the gap
[Chart: share of respondents reporting a weakness, by DDoS attack type; values range from 19% to 33%, with volumetric and HTTPS/SSL the highest; per-type labels not recoverable]
Q: Where, if at all, do you think you have a weakness against DDoS attacks?
15. Key Findings
No One Immune
Few Prepared
Shifts in Motives and Impact
Growing Need for Security Automation
Slowness Still Main Impact of Cyber Attacks
DDoS Remains Biggest Threat of all Cyberattack Categories
Increases in Ransom as a Motive for Cyber-attacks
Tangible Concerns Expand
16. Slowness - Still the Main Impact
Impact on systems was mostly slowness
Outage was not the impact in most cases – only 16% of the cases
About a third saw no impact on systems
Numbers are consistent with past years
Affected system: Slowness 46%, No impact 37%, Outage 16%
Q: What are the three biggest cyber-attacks you have suffered: Affected System?
17. DDoS Continues to Lead as Biggest Threat
DDoS attacks and unauthorized access were cited as the attacks most likely to harm the organization
[Chart: share of respondents per attack type; values not recoverable]
Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?
18. Increase in Ransom as a Motive for Cyber-attacks
More than 50% increase in ransom as a motivator for attackers (16% in 2014 to 25% in 2015)
Motivation behind cyber-attacks is still largely unknown
One-third cited political/hacktivism
About a quarter referenced competition, ransom, or angry users
Motive (2014 → 2015): Political/hacktivism 34% → 34%; Competition 27% → 27%; Ransom 16% → 25%; Angry users 22% → 25%; Unknown 69% → 66%
Q: Which of the following motives are behind any cyber-attacks your organization experienced?
19. More than a Third Experienced Ransom or SSL/TLS-Based Attacks
More than a third reported having experienced either a ransom attack or an SSL or TLS-based attack
Consistent with increased public interest and concerns over these types of attacks
Ransom attacks: Yes 37%, No 63%
SSL or TLS-based attacks: Yes 35%, No 65%
Q: Have you experienced any ransom attacks this year?
Q: Have you experienced encrypted SSL or TLS-based attacks?
21. Key Findings
No One Immune
Few Prepared
Shifts in Motives and Impact
Growing Need for Security Automation
Today’s existing solutions are frequently multi-vendor and manual
Burst Attacks on the Rise
Adoption of Hybrid Solutions Continues to Grow
Beyond Network: Similar Frequency for Network & Application Attacks
22. Existing Solutions – Multiple and Manual
Over 80% of solutions require a medium to high degree of manual tuning
Less than 20% require a low degree and are considered mostly automatic
Multiple solutions used by almost all (91%)
Only 6% use only one solution against cyber-attacks
Degree of manual tuning required: High 24%, Medium 58%, Low 17%
Q: What degree of manual tuning or configuration does your current solution require?
23. Burst Attacks on the Rise
More than half of the three biggest attacks experienced lasted 1 hour or less
Significant increase from the 27% in 2014
Another indication of increased automated attacks
Duration of the three biggest attacks, 2015: 1 hour or less 57%; 1 hour to 1 day 36%; 1 day to 1 week 4%; Over a week 2%; Constantly 1%
(The chart also plotted the 2011–2014 series; apart from the 27% for 2014 those values are not recoverable.)
Q: What are the three biggest cyber-attacks you have suffered: Duration?
24. Adoption of Hybrid Solutions Continues to Grow
Significant increase in current and planned adoptions of Hybrid
41% are using a hybrid solution, double the 21% in 2014
Another 44% are planning to adopt a hybrid solution, a significant increase from the 17% in 2014
Currently using a hybrid solution: 2014 21%, 2015 41%
Planning to adopt a hybrid solution: 2014 17%, 2015 44%
*Hybrid solutions combine an on-premise DDoS and any cloud-based solution (always-on cloud based service / on-demand cloud based service / CDN solution / ISP-based or clean link service).
25. Adoption of Hybrid Solutions Continues to Grow – by Company Size and Revenue
Company size (employees), currently using / planning to adopt a hybrid solution: <1K 29% / 42%; 1K-10K 37% / 38%; >10K 55% / 51%
Revenue, currently using / planning to adopt a hybrid solution: <$1B 35% / 46%; >$1B 49% / 50%
Companies with the highest revenue or most employees are most likely to have a hybrid solution
31. ProtonMail Ransom Attack Case
Swiss-based encrypted email service provider
In Nov 2015 ProtonMail experienced back-to-back attacks initiated through a ransom request.
Over the course of 7-10 days it experienced multiple attack vectors at high volume
Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks
32. ProtonMail Attack Timeline
Described as the largest and most extensive cyberattack in Switzerland
Nov. 3 2015: ProtonMail receives a ransom email from The Armada Collective, followed by a DDoS attack that took them offline for 15 mins
Nov. 4 2015: The next DDoS attack hits in the morning and by afternoon reached over 100G, directly attacking the datacenter and ISP infrastructure. ProtonMail, under pressure, decides to pay the ransom, but attacks continue from a 2nd source
Nov. 5-7 2015: ProtonMail continues to suffer from ongoing high-volume, complex attacks from a second, unknown source
Nov. 8 2015: Radware’s Emergency Response Team implements its attack mitigation solution to protect ProtonMail. Service is restored shortly after
Nov. 9-15 2015: Attacks continue at high volume, 30-50G at peaks, during these days. Attacks are mitigated successfully by Radware
33. ProtonMail Attack – A Look Inside
Persistent Denial of Service Attacks
[Chart: ProtonMail attack volume by vector, mitigated by Radware; network and application vectors; values not recoverable]
Vectors shown: UDP Flood, DNS Reflection, NTP Reflection, SSDP, TCP-SYN, TCP RST Flood, TCP Out-of-State, HTTP/S SYN Flood, SYN-ACK, ICMP
34. Evolution of Attack Vectors by Day (Nov 8th – Nov 11th)
The chart listed the vectors seen on each of the four days; the mapping of columns to days is not recoverable from this extraction. The four columns read:
- UDP flood; SYN flood; DDoS-NTP-reflection; DDoS-DNS-reflection; SYN-ACK Flood; DDoS-TCP-urgent; DDoS-TCP-zero-seq; DDoS-chargen-reflected events
- UDP Flood – Reflective DNS; TCP RST Flood; ICMP Flood; SYN Flood – HTTPS; SYN Flood – HTTP
- UDP Flood – SSDP & NTP Reflection; ICMP Flood; TCP SYN Flood; TCP Out-of-State Flood
- UDP flood; DDoS-SSL; TCP Out-of-State; DDoS-udp-fragmented; DDoS-NTP-reflection; DDoS-DNS-reflection; SYN-ACK Flood (minor); ICMP flood/RST flood; SYN flood
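Telling these vectors apart is what lets a mitigation pick the right countermeasure per vector (drop amplifier source ports, challenge SYNs, discard out-of-state segments) instead of rate-limiting everything. The following is an added example, not Radware's detection logic: it labels inbound flow records with the vector names from the slide and reports which vectors exceed a per-vector packet rate in one window. The flow records are constructed, and the record fields (proto, sport, dport, flags, frag, seq, in_state) are assumptions of this example, roughly what a flow exporter or packet summariser would hand to a detector.

```python
"""Classify inbound flow records into the DDoS vectors named on the slide.

Added example for this page; it is not Radware's detection logic. The flow
records below are constructed, and the record fields (proto, sport, dport,
flags, frag, seq, in_state) are assumptions of this example.
"""
from collections import Counter

# UDP source ports of common amplifiers; a flood of replies from these
# ports toward a victim is a reflection attack, not a direct UDP flood.
REFLECTOR_PORTS = {
    53: "DNS reflection",
    123: "NTP reflection",
    1900: "SSDP reflection",
    19: "chargen reflection",
}


def classify(flow):
    """Return the vector label for one inbound flow record (a dict)."""
    proto = flow["proto"]
    if proto == "icmp":
        return "ICMP flood"
    if proto == "udp":
        if flow.get("frag"):
            # Large amplified replies arrive split across IP fragments.
            return "UDP fragmented flood"
        return REFLECTOR_PORTS.get(flow["sport"], "UDP flood")
    if proto == "tcp":
        flags = set(flow["flags"])
        if flags == {"S"}:
            if flow["dport"] == 443:
                return "SYN flood - HTTPS"
            if flow["dport"] == 80:
                return "SYN flood - HTTP"
            return "TCP SYN flood"
        if flags == {"S", "A"}:
            # Unsolicited SYN-ACKs: our address spoofed in someone else's
            # SYN flood, or a direct SYN-ACK flood.
            return "SYN-ACK flood"
        if "R" in flags:
            return "TCP RST flood"
        if "U" in flags:
            return "TCP urgent flood"
        if flow.get("seq") == 0:
            return "TCP zero-seq flood"
        if not flow.get("in_state", True):
            # ACK/PSH segments with no matching entry in the connection table.
            return "TCP out-of-state flood"
        return "TCP established"
    return "other"


def vector_rates(flows, window_s):
    """Packets per second per vector over one observation window."""
    counts = Counter(classify(f) for f in flows)
    return {vector: n / window_s for vector, n in counts.items()}


def active_vectors(flows, window_s, threshold_pps):
    """Vectors whose rate meets the per-vector threshold, highest first."""
    rates = vector_rates(flows, window_s)
    hot = [(v, r) for v, r in rates.items() if r >= threshold_pps]
    return sorted(hot, key=lambda vr: (-vr[1], vr[0]))


def _tcp(sport, dport, flags, **extra):
    return {"proto": "tcp", "sport": sport, "dport": dport, "flags": flags, **extra}


def _udp(sport, dport, **extra):
    return {"proto": "udp", "sport": sport, "dport": dport, "flags": "", **extra}


# Constructed one-second window of inbound flows toward one victim address,
# mixing several of the vectors from the slide.
SAMPLE_FLOWS = (
    [_udp(53, 40000 + i) for i in range(4)]          # DNS reflection
    + [_udp(123, 41000 + i) for i in range(3)]       # NTP reflection
    + [_udp(1900, 42000)]                            # SSDP reflection
    + [_udp(5000, 443, frag=True)]                   # fragmented UDP
    + [_tcp(50000 + i, 443, "S") for i in range(2)]  # SYN flood - HTTPS
    + [_tcp(51000, 80, "S")]                         # SYN flood - HTTP
    + [_tcp(52000, 443, "SA")]                       # SYN-ACK flood
    + [_tcp(53000 + i, 443, "R") for i in range(2)]  # RST flood
    + [_tcp(54000, 443, "A", in_state=False)]        # out-of-state
    + [{"proto": "icmp", "sport": 0, "dport": 0, "flags": ""}]
)

if __name__ == "__main__":
    for vector, pps in active_vectors(SAMPLE_FLOWS, window_s=1, threshold_pps=2):
        print(f"{vector:<24} {pps:.0f} pps")
```

In production the threshold is per vector and learned from baseline traffic (a few DNS replies per second are normal for a resolver, a few unsolicited SYN-ACKs are not), which is the behavioral analysis the report's summary calls for; a single global packet rate would miss a low-volume application-layer vector riding beside a volumetric one.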
35. Leading US Airline Fingerprinting Case
Major US Airline
Sophisticated attacks: bad bots programmed to “scrape” certain flights, routes and classes of tickets. Bots acting as faux buyers, continuously creating but never completing reservations on those tickets
Airline unable to sell the seats to real customers
Dynamic source-IP attacks, so security protection could not differentiate between “good” and “bad” bots
Chose Radware’s WAF with fingerprinting technology to block the dynamic IP attack
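The point of fingerprinting in this case is that per-IP rate limits fail once the bot rotates source addresses, while attributes of the bot's own HTTP client stay constant across those addresses. The following is an added example, not Radware's WAF or its fingerprinting technology: it keys reservation statistics by a client fingerprint instead of by source IP and flags fingerprints that hold many seats, complete almost none, and arrive from many addresses. The access-log lines are constructed, the endpoints /api/reservation and /api/payment are assumed, and the fingerprint itself (a hash of header order, User-Agent and Accept-Language) is a simplified stand-in for the richer client fingerprints a WAF derives.

```python
"""Group reservation traffic by a request fingerprint rather than source IP.

Added example for this page; it is not Radware's WAF or its fingerprinting
technology. The access-log lines are constructed. The fingerprint used here
(a hash of the client's header order, User-Agent and Accept-Language) is an
assumption of this example: a bot rotating source IPs from one codebase keeps
these attributes stable, while real customers vary them.
"""
import hashlib
import json
from collections import defaultdict

RESERVE = ("POST", "/api/reservation")   # assumed endpoint: creates a seat hold
PAY = ("POST", "/api/payment")           # assumed endpoint: completes the purchase


def _req(src_ip, method, path, ua, lang, header_order):
    """Build one constructed JSON access-log line."""
    return json.dumps({"src_ip": src_ip, "method": method, "path": path,
                       "ua": ua, "accept_language": lang,
                       "header_order": header_order})


BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/45.0"
BOT_ORDER = ["host", "user-agent", "accept", "accept-language", "cookie"]
HUMAN_ORDER = ["host", "accept", "accept-language", "user-agent", "cookie"]
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/42"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1) Safari"

# Constructed log: one bot run from six rotating IPs scraping a route and
# holding seats without paying, plus two ordinary customers.
SAMPLE_LOG = (
    [_req(f"198.51.100.{i}", "GET", "/api/flights?route=SFO-JFK&class=Y",
          BOT_UA, "en-US", BOT_ORDER) for i in range(1, 7)]
    + [_req(f"198.51.100.{i}", *RESERVE, BOT_UA, "en-US", BOT_ORDER)
       for i in range(1, 7)]
    + [_req("192.0.2.10", *RESERVE, FIREFOX_UA, "en-GB", HUMAN_ORDER),
       _req("192.0.2.10", *PAY, FIREFOX_UA, "en-GB", HUMAN_ORDER),
       # A customer who held a seat and walked away: abandoned, but one-off.
       _req("192.0.2.20", *RESERVE, IPHONE_UA, "de-DE", HUMAN_ORDER)]
)


def fingerprint(entry):
    """Stable client fingerprint that survives source-IP rotation."""
    basis = "|".join([",".join(entry["header_order"]),
                      entry["ua"], entry["accept_language"]])
    return hashlib.sha256(basis.encode()).hexdigest()[:16]


def reservation_stats(log_lines):
    """Per fingerprint: distinct IPs, seat holds created, purchases completed."""
    stats = defaultdict(lambda: {"ips": set(), "created": 0, "completed": 0})
    for line in log_lines:
        e = json.loads(line)
        s = stats[fingerprint(e)]
        s["ips"].add(e["src_ip"])
        key = (e["method"], e["path"])
        if key == RESERVE:
            s["created"] += 1
        elif key == PAY:
            s["completed"] += 1
    return stats


def flag_bots(stats, min_created=5, max_completion=0.2, min_ips=3):
    """Fingerprints with many holds, almost no purchases, from many IPs.

    The three thresholds are assumptions for this example; tune them from
    real abandonment rates so ordinary shoppers are not caught.
    """
    flagged = []
    for fp, s in stats.items():
        if s["created"] < min_created or len(s["ips"]) < min_ips:
            continue
        if s["completed"] / s["created"] <= max_completion:
            flagged.append(fp)
    return flagged


if __name__ == "__main__":
    stats = reservation_stats(SAMPLE_LOG)
    for fp in flag_bots(stats):
        s = stats[fp]
        print(f"block fingerprint {fp}: {s['created']} holds, "
              f"{s['completed']} purchases, {len(s['ips'])} source IPs")
```

The iPhone customer who abandoned one hold is not flagged because a single abandoned reservation from a single address is normal shopping behaviour; only the combination of many holds, near-zero completion and many addresses behind one fingerprint separates the faux buyer from a real one. A bot author can of course randomise the headers used here, which is why a WAF fingerprint draws on more attributes (TLS parameters, JavaScript execution results) than this example hashes.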
37. Seven Predictions for 2016
Prediction #1: APDoS as SOP (Standard Operating Procedure)
Prediction #2: Continued Rise of RansomDoS (RDoS)
Prediction #3: Privacy as a Right (Not Just a Regulation)
Prediction #4: More Laws Governing Sensitive Data
Prediction #5: Arrival of Permanent Denial-of-Service (PDoS) Attacks
Prediction #6: Growing Encryption to and from Cloud Applications
Prediction #7: The Internet of Zombies
38. Summary: What Can You Do?
Preparedness is Key. Multi-layered solutions are a Must. Services are Important.
Bet on Automation. It has become necessary to fight automated threats with automation technology.
Cover the Blind Spot. Choose a solution with the widest coverage to protect from multi-vector attacks.
Multi-Layered Solution. Look for a single-vendor, hybrid solution that can protect networks and applications from a wide range of attacks, and that includes DoS protection, behavioral analysis, IPS, encrypted attack protection and a web application firewall (WAF).
Protect from Encrypted Attacks. SSL-based DDoS mitigation deployments must not affect legitimate traffic performance.
Single Point of Contact. A single point of contact is crucial when under attack; it will help to divert internet traffic and deploy mitigation solutions.