SlideShare a Scribd company logo

Ben herzberg/incapsula trends of cyber attacks

C
ChungSC_tw

經濟日報、遠傳電信主辦;資策會協辦 2017創新論壇-防駭大作戰

Technology
1 of 47
© 2016 Imperva, Inc. All rights reserved. Cyber Attack Trends Ben Herzberg @KernelXSS @imperva
© 2017 Imperva, Inc. All rights reserved. - @KernelXSS - about() 2 > ben.childNodes.length <· 2 > ben.history <· [“PT”,”Dev”] > ben.employer <· “Imperva” > ben.positionX <· “Research Group Manager” > ben.social <· {“TWT”: “@KernelXSS”, “LNK”: “Ben Herzberg”}
DoS / DDoS Attacks
WHAT’S DDOS (IN 6 SECONDS)
Volumetric Attacks
Layer 7 Attacks
WHY?
Lately…
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 16 Mirai 20-SEP-2016 OVH Attack 21-OCT-2016 Dyn DNS DDoS 5-DEC-2016 INVESTIGATED IoT DDoSINVESTIGATED IoT DDoS BEFORE IT WAS COOLBEFORE IT WAS COOL
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 17 Mirai OVH Attack 30-DEC-2014 21-OCT-2015 20-SEP-2016 5-DEC-2016 … SOHO Routers CCTV DDoS 21-OCT-2016 Dyn DNS DDoS
@ZAvishh Why use IoTs 4 DDoS?
© 2016 Imperva, Inc. All rights reserved. @KernelXSS19
© 2016 Imperva, Inc. All rights reserved. @KernelXSS20 IoTPC internet connection IoTPC VVinternet connection
© 2016 Imperva, Inc. All rights reserved. @KernelXSS21 IoTPC VVinternet connection code execution IoTPC VVinternet connection VVcode execution
© 2016 Imperva, Inc. All rights reserved. @KernelXSS22 IoTPC VVinternet connection VVcode execution scanability IoTPC VVinternet connection VVcode execution VXscanability
© 2016 Imperva, Inc. All rights reserved. @KernelXSS23 IoTPC VVinternet connection VVcode execution VXscanability hackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability
@KernelXSS The case of Mirai
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -25 func (this *Database) CreateUser(username string, password string, max_bots 
 int, duration int, cooldown int)
 bool {
 ...
 this.db.Exec("INSERT INTO users (username, password, max_bots, admin, "
 "last_paid, cooldown, duration_limit)"
 "VALUES (?, ?, ?, 0, UNIX_TIMESTAMP(), ?, ?)", 
 username, password, max_bots, cooldown, duration)
 return true
 }
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -26 #DEFINE TABLE_MEM_QBOT // REPORT %S:%S
 #DEFINE TABLE_MEM_QBOT2 // HTTPFLOOD
 #DEFINE TABLE_MEM_QBOT3 // LOLNOGTFO
 #DEFINE TABLE_MEM_UPX // X58X4DX4EX4EX43X50X46X22
 #DEFINE TABLE_MEM_ZOLLARD // ZOLLARD
 #DEFINE TABLE_KILLER_ANIME // .anime killer_kill_by_port(htons(23)) // Kill telnet service
 killer_kill_by_port(htons(22)) // Kill SSH service
 killer_kill_by_port(htons(80)) // Kill HTTP service
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -27 void attack_tcp_syn(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_ack(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_stomp(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_udp_generic(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_plain(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_dns(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_gre_ip(uint8_t targs_len, struct attack_target *targs,…)
 void attack_gre_eth(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_app_http(uint8_t targs_len, struct attack_target *targs,…)
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -28 # define TABLE_ATK_DOSARREST 45 // "server: dosarrest"
 # define TABLE_ATK_CLOUDFLARE_NGINX 46 // "server: cloudflare-nginx"
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
 conn->protection_type = HTTP_PROT_CLOUDFLARE;
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
 conn->protection_type = HTTP_PROT_DOSARREST;
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -29
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -30
Industry Challenges for 2018
“Secure by default”
TMI
Antivirus 1987 1992 Firewall 1999 WAF IPS NOW ?
Host IDS/IPS Database Access Management Network Anomaly Detection Threat Intelligence Sharing MDM DDoS Mitigation Cloud Access Security Broker Identity Management Threat Containment Solutions Forensic Kits Honeypots Decoys Automated Vulnerability Assessment File Access Management Patch Inventory Management Device Control Management Network Access Control Database Firewalls Data Vaults
DDoS Trends
Over 6,000,000,000 Smart-Phones By 2020
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com The growing prevalence of IoTs 39 Source: Ericsson Mobility Report; June 2016.
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT botnets NG • Improving the C2 functionality: • DGA • P2P • Different spreading techniques • TR-069 vulnerabilities • Windows as a relay • Non-DDoS botnets • Bitcoin mining • SPAM spreading • Bruteforcing • IoT vigilantes - Hajime 41 Image credits: www.mobihealthnews.com
How do we do that?
Small Data is the new BigData
“SecOps”
Config: Less is More
Sometimes Cloud is the Security
© 2017 Imperva, Inc. All rights reserved.47 @KernelXSS, @imperva Thanks You! ⾮非常感谢您 linkedin.com/in/sysadmin ben.herzberg@imperva.com

Recommended

Network Monitoring with Icinga
Network Monitoring with IcingaNetwork Monitoring with Icinga
Network Monitoring with Icingalearjk
 
Info 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerInfo 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerShahriar Rafee
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Logs And Backups
Logs And BackupsLogs And Backups
Logs And BackupsCharles Southerland
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Codemotion
 

Recommended

Network Monitoring with Icinga
Network Monitoring with IcingaNetwork Monitoring with Icinga
Network Monitoring with Icingalearjk
 
Info 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerInfo 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerShahriar Rafee
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Logs And Backups
Logs And BackupsLogs And Backups
Logs And BackupsCharles Southerland
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Codemotion
 
Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksAPNIC
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Spark Summit
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_finalKazuki Omo
 
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoOSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoNETWAYS
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
Doing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayDoing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayMinio
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUTNahidul Kibria
 
Chapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxChapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxmccormicknadine86
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 
D3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeD3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeImperva Incapsula
 
Trend briefs security
Trend briefs securityTrend briefs security
Trend briefs securityJongseok Choi
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...NETWAYS
 
9(1)
9(1)9(1)
9(1)sruthi c
 
Android Architecture components
Android Architecture componentsAndroid Architecture components
Android Architecture componentsMichelantonio Trizio
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

More Related Content

Similar to Ben herzberg/incapsula trends of cyber attacks

Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksAPNIC
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Spark Summit
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_finalKazuki Omo
 
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoOSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoNETWAYS
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
Doing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayDoing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayMinio
 
Chapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxChapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxmccormicknadine86
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 
Trend briefs security
Trend briefs securityTrend briefs security
Trend briefs securityJongseok Choi
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...NETWAYS
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 

Similar to Ben herzberg/incapsula trends of cyber attacks (20)

Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacks
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_final
 
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoOSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
 
Doing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayDoing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native Way
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
Chapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxChapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docx
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판
 
D3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeD3TLV17- Keeping it Safe
D3TLV17- Keeping it Safe
 
Trend briefs security
Trend briefs securityTrend briefs security
Trend briefs security
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
 
9(1)
9(1)9(1)
9(1)
 
Android Architecture components
Android Architecture componentsAndroid Architecture components
Android Architecture components
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Ben herzberg/incapsula trends of cyber attacks

  • 1. © 2016 Imperva, Inc. All rights reserved. Cyber Attack Trends Ben Herzberg @KernelXSS @imperva
  • 2. © 2017 Imperva, Inc. All rights reserved. - @KernelXSS - about() 2 > ben.childNodes.length <· 2 > ben.history <· [“PT”,”Dev”] > ben.employer <· “Imperva” > ben.positionX <· “Research Group Manager” > ben.social <· {“TWT”: “@KernelXSS”, “LNK”: “Ben Herzberg”}
  • 3. DoS / DDoS Attacks
  • 5.
  • 6.
  • 8.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14. WHY?
  • 16. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 16 Mirai 20-SEP-2016 OVH Attack 21-OCT-2016 Dyn DNS DDoS 5-DEC-2016 INVESTIGATED IoT DDoSINVESTIGATED IoT DDoS BEFORE IT WAS COOLBEFORE IT WAS COOL
  • 17. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 17 Mirai OVH Attack 30-DEC-2014 21-OCT-2015 20-SEP-2016 5-DEC-2016 … SOHO Routers CCTV DDoS 21-OCT-2016 Dyn DNS DDoS
  • 19. © 2016 Imperva, Inc. All rights reserved. @KernelXSS19
  • 20. © 2016 Imperva, Inc. All rights reserved. @KernelXSS20 IoTPC internet connection IoTPC VVinternet connection
  • 21. © 2016 Imperva, Inc. All rights reserved. @KernelXSS21 IoTPC VVinternet connection code execution IoTPC VVinternet connection VVcode execution
  • 22. © 2016 Imperva, Inc. All rights reserved. @KernelXSS22 IoTPC VVinternet connection VVcode execution scanability IoTPC VVinternet connection VVcode execution VXscanability
  • 23. © 2016 Imperva, Inc. All rights reserved. @KernelXSS23 IoTPC VVinternet connection VVcode execution VXscanability hackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability
  • 25. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -25 func (this *Database) CreateUser(username string, password string, max_bots 
 int, duration int, cooldown int)
 bool {
 ...
 this.db.Exec("INSERT INTO users (username, password, max_bots, admin, "
 "last_paid, cooldown, duration_limit)"
 "VALUES (?, ?, ?, 0, UNIX_TIMESTAMP(), ?, ?)", 
 username, password, max_bots, cooldown, duration)
 return true
 }
  • 26. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -26 #DEFINE TABLE_MEM_QBOT // REPORT %S:%S
 #DEFINE TABLE_MEM_QBOT2 // HTTPFLOOD
 #DEFINE TABLE_MEM_QBOT3 // LOLNOGTFO
 #DEFINE TABLE_MEM_UPX // X58X4DX4EX4EX43X50X46X22
 #DEFINE TABLE_MEM_ZOLLARD // ZOLLARD
 #DEFINE TABLE_KILLER_ANIME // .anime killer_kill_by_port(htons(23)) // Kill telnet service
 killer_kill_by_port(htons(22)) // Kill SSH service
 killer_kill_by_port(htons(80)) // Kill HTTP service
  • 27. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -27 void attack_tcp_syn(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_ack(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_stomp(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_udp_generic(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_plain(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_dns(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_gre_ip(uint8_t targs_len, struct attack_target *targs,…)
 void attack_gre_eth(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_app_http(uint8_t targs_len, struct attack_target *targs,…)
  • 28. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -28 # define TABLE_ATK_DOSARREST 45 // "server: dosarrest"
 # define TABLE_ATK_CLOUDFLARE_NGINX 46 // "server: cloudflare-nginx"
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
 conn->protection_type = HTTP_PROT_CLOUDFLARE;
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
 conn->protection_type = HTTP_PROT_DOSARREST;
  • 29. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -29
  • 30. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -30
  • 33. TMI
  • 35. Host IDS/IPS Database Access Management Network Anomaly Detection Threat Intelligence Sharing MDM DDoS Mitigation Cloud Access Security Broker Identity Management Threat Containment Solutions Forensic Kits Honeypots Decoys Automated Vulnerability Assessment File Access Management Patch Inventory Management Device Control Management Network Access Control Database Firewalls Data Vaults
  • 36.
  • 39. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com The growing prevalence of IoTs 39 Source: Ericsson Mobility Report; June 2016.
  • 40.
  • 41. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT botnets NG • Improving the C2 functionality: • DGA • P2P • Different spreading techniques • TR-069 vulnerabilities • Windows as a relay • Non-DDoS botnets • Bitcoin mining • SPAM spreading • Bruteforcing • IoT vigilantes - Hajime 41 Image credits: www.mobihealthnews.com
  • 42. How do we do that?
  • 43. Small Data is the new BigData
  • 47. © 2017 Imperva, Inc. All rights reserved.47 @KernelXSS, @imperva Thanks You! ⾮非常感谢您 linkedin.com/in/sysadmin ben.herzberg@imperva.com