SecureWorld: Information Security Adaption: Survival In An Evolving Threat Landscape

Carl Herberger’s presentation during his series of SecureWorld events. Carl discusses the evolving threat landscape, the anatomy of an attack and securing tomorrow’s perimeter.

1. Information Security Adaption: Survival In An Evolving Threat Landscape
   Carl Herberger, VP, Security Solutions, Radware
2. The Evolving Threat Landscape / Anatomy of an Attack / Securing Tomorrow’s Perimeter
3. The Evolving Threat Landscape
4. More Attacks. More Often.
5. Latency Yesterday for US Commercial Banks (chart not reproduced in the transcript)
6. Attack Motivation
   (Timeline chart, attack risk over time from 2001 to 2011, with the dominant motive shifting from vandalism and publicity, to financially motivated attacks, to “hacktivism”, to blended motives. Events plotted, with the years as labelled on the slide:)
   - 2001: CodeRed; Nimda (installed Trojan)
   - 2003: Slammer (attacking SQL sites); Blaster; Agobot (DoS botnet)
   - 2004: Republican website DoS
   - 2007: Estonia’s web sites; Storm (botnet); Srizbi (botnet); Rustock (botnet)
   - 2008: Georgia web sites DoS
   - 2009: Kracken (botnet); cyber attacks on US & Korea (July 2009); Twitter DDoS; Google / Twitter attacks
   - 2010: Peru / Chile DDoS; IMDDOS (botnet); Netbot; Operation Payback (Dec 2010)
   - Mar 2011: Codero DDoS; Wordpress.com DDoS; Operation Payback II; LulzSec against Sony, CIA, FBI
7. Hacktivism Becomes More Campaign/APT Oriented
   - Complex: more than seven different attack vectors at once
   - Blending: both network and application attacks
   - Targeteering: select the most appropriate target, attack tools, ...
   - Resourcing: advertise, invite, coerce anyone capable
   - Testing: perform short “proof-firing” prior to the attack
   - Timeline: establish the most painful time period for the victim
   Slide 7
8. Hacktivism Becomes More Campaign/APT Oriented: sophistication measured across four campaigns
   - Attack target: Vatican. Duration: 20 days; more than 7 attack vectors; “inner cycle” involvement
   - Attack target: HKEX. Duration: 3 days; 5 attack vectors; only “inner cycle” involvement
   - Attack target: Israeli sites. Duration: 6 days; 5 attack vectors; “inner cycle” involvement
   - Attack target: Visa, MasterCard. Duration: 3 days; 4 attack vectors
9. The Anonymous Arms Race
   Network              Application Flood   Low & Slow   Vulnerability Based
   UDP Floods           Dynamic HTTP        R.U.D.Y.     Intrusion Attempts
   SYN Floods           HTTPS Floods        Slowloris    SQL Injection
   Fragmented Floods    Xerxes              Pyloris      #RefRef
   FIN + ACK
10. Digital Supply Chain Defense
   Defense layers, outermost first, with the common targets at each layer (the slide marks “Integration” across all of them):
   - In-the-cloud defenses. Common targets: DNS, ISP, CDN and CA/CRL.
   - Perimeter (outer) defenses, network and application (Radware DefensePro). Common targets: firewalls, IPS, routers, load balancers.
   - Advanced (inner) application defenses (Radware AppWall). Targets: application sessions, connections, SSL.
   - Protected online services.
11. 2012 Security Report
12. Anatomy of an Attack / The Evolving Threat Landscape / Securing Tomorrow’s Perimeter
13. Example Stock Exchange Attack
   Attack Vector          Time Stamp                      Attack Peak
   Fragmented UDP Flood   1:00 AM                         10K PPS     95 Mbps
   LOIC UDP               4:00 AM and 8:00 PM - 11:00 PM  5K PPS      50 Mbps
   TCP SYN Flood          1:40 PM                         24K PPS     13.6 Mbps
   R.U.D.Y.               4:00 PM                         0.7K PPS    2.1 Mbps
   LOIC TCP               11:00 PM - 3:30 AM              0.2K PPS    500 Kbps
   Mobile LOIC            6:00 PM - 8:30 PM               13 PPS      86 Kbps
   #RefRef                9:45 PM                         Few packets
14. The Security Trinity
   Security Confidentiality, a mainstream adaptation of the “need to know” principle of the military ethic, restricts access to information to those systems, processes and recipients to which the content was intended to be exposed.
   Security Integrity, in its broadest meaning, refers to the trustworthiness of information over its entire life cycle.
   Security Availability is a characteristic that distinguishes information objects that have signaling and self-sustaining processes from those that do not, either because such functions have ceased (an outage, an attack) or because they lack such functions.
15. The Security Trinity: Confidentiality / Integrity / Availability
16. Confidentiality (map of examples, attacks, vulnerabilities and defenses)
   Examples (data-leakage incidents, with years and record counts as labelled on the slide): 2005: Ameriprise Financial; 2006: 24M lost, Boeing (386K), Dept. of VA (29M); 2007: TJ Maxx (45M), The Gap (800K); 2008: Countrywide (17M), GE Financial (800K); 2009: Heartland (100M), Rock You! (32M); 2010: RSA 2-factor token hack; 2011: Sony (100M), HB Gary / FBI; 2011-2012: Apple (12M).
   Attacks: social engineering, IPv6 encapsulated in IPv4, MITB-oriented attacks, hash attacks, SSL attacks, ARP attacks, VPN attacks, PPTP attacks, SIP attacks, L2TP attacks, WEP attacks, TLS attacks, EAP attacks.
   Vulnerabilities: AES attacks / AES hack, 3DES attacks, O/S exploits, encryption weaknesses, authentication weaknesses, application exploits, network exploits.
   Defenses: data leakage protection, compliance-oriented activity, enterprise encryption, encryption & authentication, database security, application security, network defenses.
17. The Security Trinity: Confidentiality / Integrity / Availability
18. The Security Trinity: Confidentiality / Integrity / Availability
19. Integrity (map of examples, attacks, vulnerabilities and defenses)
   Examples: 2002: SSH2 hack; 2006: SSL/TLS plaintext attack; 2008: US-CERT: MD5 hash insecure; 2009: encrypted kernel exploit discovered; 2010: PCI: “kiss your WEP goodbye”; Dec 2010: NIST: 1K-bit certs not recommended; 2011: Browser Exploit Against SSL/TLS (BEAST) released; Nov 2011: THC SSL attack released.
   Attacks: fraud & scams, anonymizers, man-in-the-middle, ARP attacks, malware, unauthorized transmission, steganography, spoofing, keyloggers, rootkits, skimming.
   Vulnerabilities: O/S exploits, authentication weaknesses, application exploits, network exploits.
   Defenses: hardware security modules (HSM), federated identity management, multi-factor authentication, public key infrastructure, network encryption, access control, fraud detection, hash checksums.
20. The Security Trinity: Confidentiality / Integrity / Availability
21. The Security Trinity: Confidentiality / Integrity / Availability
22. Availability (map of network floods, application floods, exploits, tools, examples and defenses)
   Network floods: ICMP floods, TCP RESET floods, TCP fragment floods, TCP FIN floods, IGMP floods, ACK floods, TCP SYN+ACK floods, TCP SYN floods, TCP out-of-state floods.
   Application floods: HTTP POST floods, HTTP GET page floods, DNS query floods, concurrent connection floods, SIP attacks, SSL attacks, session attacks, SQL attacks, brute force attacks.
   Exploits: architecture exploits, business logic exploits, TCP stack exploits, O/S exploits, RFC exploits / RFC violation attacks, resource attacks (memory allocation attacks, socket attacks), vulnerabilities.
   Tools: LOIC, HOIC, Mobile LOIC, HULK, Xerxes, Leonitis, #RefRef, Slowloris, Pyloris, Sockstress, R-U-Dead-Yet (RUDY).
   Examples: Feb 2010, Operation Titstorm: Australian Government outages; Nov 2010, Operation Payback: Visa, MasterCard and other outages; Apr 2011, Operation Sony: PlayStation.com outage, leaked credit card numbers; Jun 2011, Operation AntiSec: AZ Department of Public Safety down, leaked emails; Jun 2011, Operation Iran Black/White: Iran government outages, hacked IT; Jun 2012: AT&T DNS outage and L3 ISP outage.
   Defenses: hardware-based volumetric protections, access control lists, challenge/response technologies, web-application firewall technology, behavioral technologies, architecture improvements.
23. Size Does Not Matter. Honest.
   The impact of application flood attacks is much more severe than that of network flood attacks. 76% of attacks are below 1 Gbps!
24. Availability-based Threats Tree
   Availability-based threats:
   - Network floods (volumetric): ICMP flood, UDP flood, SYN flood
   - Application floods: web flood, DNS, SMTP flood, HTTPS
   - Single-packet DoS
   - Low-and-Slow
   Radware Confidential Jan 2012
25. R.U.D.Y. (R-U-Dead-Yet?)
   R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target web server to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server’s connection table and create a denial-of-service condition.
26. Slowloris
   Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. By sending HTTP headers to the target site in tiny chunks as slowly as possible (waiting to send the next tiny chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests.
   Slowloris is cross-platform, except that due to Windows’ ~130 simultaneous socket use limit it is only effective from UNIX-based systems, which allow more connections to be opened in parallel to a target server (although a GUI Python version of Slowloris dubbed Pyloris was able to overcome this limiting factor on Windows).
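Added example for the R.U.D.Y. and Slowloris slides above; it is not code from the presentation. Both tools hold connections open while sending almost nothing (compare R.U.D.Y. at 0.7K PPS and 2.1 Mbps in the stock exchange table on slide 13), so a bandwidth or packet-rate threshold never fires. What a defender can measure instead is the state of the server’s own connection table: how long each connection has been open, whether the request headers ever completed, and how fast a declared POST body is actually arriving. The Python below classifies a snapshot of such a table into Slowloris-like connections (headers never finish) and R.U.D.Y.-like connections (Content-Length declared, body trickling in), then looks at the result two ways: per source address, which names a single Slowloris host, and as total slot occupancy, which still catches a R.U.D.Y. campaign spread over many hosts that each stay under the per-source threshold. The record layout, the thresholds, the slot count and the addresses are assumptions made for this example; a real feed would come from something like Apache mod_status or a reverse proxy’s connection log.

```python
"""Low-and-slow HTTP DoS detection from a web server connection-table snapshot.

Added example for the R.U.D.Y. and Slowloris slides; not code from the presentation.
The record layout, thresholds and addresses below are assumptions made for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Conn:
    src_ip: str
    age_s: float            # seconds since the TCP connection was accepted
    headers_complete: bool  # has the blank line that ends the request headers arrived?
    content_length: int     # declared Content-Length, 0 for requests without a body
    body_received: int      # body bytes received so far


# Assumed tuning values. A real client finishes its headers in well under 30 s, and even a
# slow mobile uploader sustains far more than 500 B/s; R.U.D.Y. sends about one byte per interval.
HEADER_TIMEOUT_S = 30.0
MIN_BODY_RATE_BPS = 500.0
PER_SOURCE_THRESHOLD = 20   # suspicious connections from one address before it is named
TABLE_PRESSURE_ALERT = 0.5  # fraction of the connection table held by suspicious connections


def classify(c: Conn) -> Optional[str]:
    """Label one connection: 'slow-headers' (Slowloris-like), 'slow-body' (R.U.D.Y.-like) or None."""
    if c.age_s <= HEADER_TIMEOUT_S:
        return None  # too young to judge; a legitimate client is still inside the window
    if not c.headers_complete:
        return "slow-headers"
    if c.content_length > 0 and c.body_received < c.content_length:
        if c.body_received / c.age_s < MIN_BODY_RATE_BPS:
            return "slow-body"
    return None


def per_source_offenders(conns: Iterable[Conn]) -> Dict[str, Counter]:
    """Addresses holding PER_SOURCE_THRESHOLD or more suspicious connections, with a label breakdown."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for c in conns:
        label = classify(c)
        if label is not None:
            counts[c.src_ip][label] += 1
    return {ip: ctr for ip, ctr in counts.items() if sum(ctr.values()) >= PER_SOURCE_THRESHOLD}


def table_pressure(conns: Iterable[Conn], max_conns: int) -> float:
    """Fraction of the server's connection slots tied up by suspicious connections."""
    held = sum(1 for c in conns if classify(c) is not None)
    return held / max_conns


def assess(conns: List[Conn], max_conns: int) -> Dict[str, object]:
    """Both views together: who to block now, and whether the table is being exhausted regardless."""
    pressure = table_pressure(conns, max_conns)
    return {
        "offenders": per_source_offenders(conns),
        "table_pressure": pressure,
        "exhaustion_alert": pressure >= TABLE_PRESSURE_ALERT,
    }


# Constructed snapshot (not captured data). Addresses are from the RFC 5737 documentation ranges.
SAMPLE_TABLE: List[Conn] = (
    # two legitimate clients: a fresh GET and a real upload running at about 26 KB/s
    [Conn("198.51.100.10", 2.0, True, 0, 0),
     Conn("198.51.100.11", 45.0, True, 5_000_000, 1_200_000)]
    # Slowloris: one host keeping 25 connections open with headers that never finish
    + [Conn("203.0.113.5", 90.0 + i, False, 0, 0) for i in range(25)]
    # R.U.D.Y. spread over 15 hosts, 8 connections each: 1 MB declared, 120 bytes sent in 120 s
    + [Conn(f"192.0.2.{h}", 120.0, True, 1_000_000, 120) for h in range(1, 16) for _ in range(8)]
)
MAX_CONNS = 256  # assumed slot count, e.g. Apache prefork MaxRequestWorkers at its default


if __name__ == "__main__":
    result = assess(SAMPLE_TABLE, MAX_CONNS)
    for ip, ctr in result["offenders"].items():
        print(f"{ip}: {dict(ctr)}")
    print(f"table pressure {result['table_pressure']:.0%}, exhaustion alert: {result['exhaustion_alert']}")
```

On the constructed snapshot only the Slowloris host is named per source, while the 120 R.U.D.Y. connections (8 per host, under the per-source threshold) still push suspicious occupancy to 145 of 256 slots, which is the exhaustion the slide describes. The server-side fix both slides point at is a minimum read rate rather than a fixed timeout, which is exactly what these fields measure: in Apache that is mod_reqtimeout (for example `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`), in nginx `client_header_timeout` and `client_body_timeout`. Tune MIN_BODY_RATE_BPS against genuine slow uploaders (the sample includes one at roughly 26 KB/s) before using the result to reset connections.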
27. Main Bottlenecks During DoS Attacks - ERT Survey (chart not reproduced in the transcript)
28. The Impact
   (Anonymous operations by target, 2007 to 2010, each marked against Confidentiality, Integrity and Availability; the marks themselves are not recoverable from the text.)
   Target / Operation: Habbo raid, Hal Turner, Project Chanology, Epilepsy Foundation, AllHipHop defacement, No Cussing Club, 2009 Iranian election protests, Operation Didgeridie, Operation Titstorm, Oregon Tea Party, Operation Payback, Avenge Assange, Bra (label truncated on the slide).
29. APTs & Zero-Day Resolution Intensifies
30. Defense Blind Spot Map
   (Matrix of protection purpose against product class; the coverage marks are not recoverable from the text.)
   Columns (products): Router ACLs, Next-Gen Firewall, IPS, WAF, Anti-DoS Appliance (CPE), DLP, Cloud Anti-DoS.
   Rows (protection purpose): data-at-rest protections (Confidentiality); data-at-endpoint (Confidentiality); data-in-transit (Confidentiality); network infrastructure protection (Integrity); application infrastructure protection (Integrity); volumetric attacks (Availability); non-volumetric resource attacks (Availability).
31. Gartner Sep 2012: Anti-DoS “Blind Spot”
32. Gartner Sep 2012: Anti-DoS “Blind Spot” (continued)
33. Securing Tomorrow’s Perimeter
34. What We Should Work Toward
   - 100% architecture protection, with varied deployment models
   - Understand the behavior beyond protocol and content
   - It’s an eco-system: collaboration is key
   - Emergency response & triage: practice cyber war rooms
   - Integrate offense into your security strategies
35. Perimeter Defense Planning
36. Perimeter Defense Planning: any gap in coverage represents a vulnerability. That will be exploited.
37. Perimeter Defense Planning
38. Emergency Response Teams & Cyber War Rooms
   Get ready (existing level of skills: lack of expertise): audits, policies, technologies.
   Attack time: an Emergency Response Team that “fights”. Required expertise during an attack campaign:
   - complex risk assessment
   - tracking and modifying protections against dynamically evolving attacks
   - real-time intelligence
   - real-time collaboration with other parties
   - counter-attack methods and plans
   - strategy: preparation with cyber “war games”
   Forensics: analyze what happened, adjust policies, adapt new technologies.
39. The Best Defense Is A...
   Key notes:
   - Counter-attack’s comeuppance is upon us
   - Key IR assumptions are wrong (e.g. law enforcement)
   - Attack mitigation talent is low; knowledge must increase
   - Corporate policies are IR-focused, not ERT-focused
40. Anatomy of an Attack / The Evolving Threat Landscape / Securing Tomorrow’s Perimeter
41. Adapting Perimeter Defenses
   - Plan for 100% architecture protection
   - Review your attack mitigation toolkit
   - Assess infrastructure vulnerabilities to DDoS attacks
   - Plan ahead: you can’t stop attacks without a game plan
   - Emergency response & triage: practice cyber war rooms
   - Integrate offense into your security strategies
   - Watch what’s happening on the network: do you have signals?
   - Assume attacks will be multi-vector in nature
   - Partner with companies that know how to defend against persistent attacks
42. Thank You
   Carl Herberger, VP, Security Solutions, Radware
   carl.herberger@radware.com
43. Low & Slow
   - Slowloris
   - Sockstress
   - R.U.D.Y.
   - Simultaneous Connection Saturation
