Session ID: HT-R33
Session Classification: Intermediate
Stock Exchanges in the Line of Fire
Morphology of Cyber Attacks
Ziv Gadot
Radware
Publicly Known Attacks on Stock Exchanges
► NYSE Euronext[1]
► NASDAQ OMX Group[2]
► Hong Kong Stock Exchange[3]
► TMX Group[4]
► BATS Global Markets[5]
► Chicago Board Options Exchange[6]
► Bursa Malaysia[7]
► Tel Aviv Stock Exchange[8]
► Tadawul (Saudi Arabia)[9]
(Chart: Top 10 downtime)
Agenda
► It is Too Easy to Cause Impact
► 2 Case Studies - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
Case Study I: Day 1
10:51 Attack begins:
- UDP flood
- HTTP flood
- FIN+ACK flood
- Empty connection flood
Target: Stock Exchange News Site
Protection: Partial
Impact: Heavy
- 4 hour outage to News Site
- Collateral damage to other sites
13:30 Noon trading opens, but trade is closed for several companies
16:00 Trading ends for the day
Evening: Mitigation equipment is deployed and configured; attacks halted (temporarily)
Network Impact: Severe
Business Impact: Severe
Day 1 Attack Vectors
Attack Vector | Confirmed Measurement | Impact marks (Pipe Saturation / FW CPU 100% / Web Server Outage)
UDP Flood | 44 Mbps | X X
HTTP Flood | 40K Concurrent Con. | X X
Empty Connection Flood | 5.2K PPS | X X
FIN+ACK | 4 Mbps | X X
Day 1: Media Coverage
“Attack on stock exchange triggers halt in trade”
“Stock exchange hit by hackers”
(Diagram: stock exchange environment vs. malicious attack campaign)
The Media Impact
1 Stock Exchange = 5 Banks = 5 Government Sites
Case Study I: Day 2
08:00 Additional mitigation actions; organization is concerned about false positives
10:36 Attack begins: HTTP Flood
Target: Stock Exchange News Site
Protection: Connection Rate Limit + Temp ACL
Impact: 10-15 minutes slowness/outage
Network Impact: Low
Business Impact: None
Day 2: Media Coverage
“Stock exchange IT have been working intensively to resolve all issues”
“Experts successfully implemented a protection against the attacks”
“Additional measures were taken such as a redundant News Site”
Case Study I: Day 3
08:00
10:36 Attack begins: HTTP Flood
Target: Stock Exchange News Site
Protection: Connection Limit + Temp ACL
Network Impact: None
Business Impact: None
Legitimate traffic monitoring; TCP connection flood detected and mitigated immediately
13:32 Attack begins: UDP Flood (two minutes after the noon trading begins)
Target: Stock Exchange News Site
Protection:
- Behavioral technologies (primary)
- Connection Limit
- Blacklisting
Impact: None
Forensic: Attacker IP detected (eventually led to arrest)
Network Impact: None
Business Impact: None
Attack begins but is quickly mitigated
Case Study I: Week 2
► Stock Exchange remains in highest alert
► Eventually there were no serious attacks
► Protect additional networks
► Forensic process (with police)
► Arrests
It is Too Easy to Cause Impact
(Diagram: HTTP Flood Impact. Elements: Internet Pipe, L3 Router, Firewall, Static Content, Trade/Financial Announcements, Trading API; outcomes: Psychological Impact, Trade Disruption)
(Diagram: UDP Flood Impact, same elements)
(Diagram: SYN Flood Impact, same elements)
2010: No Real Protection (diagram labels: Stock Exchange, HTTP Flood, UDP Flood, SYN Flood, Protection)
2011: Protection Deployed (diagram labels: Stock Exchange, HTTP Flood, SYN Flood, UDP Flood, Protection)
2012: Protection Enforced (diagram labels: Stock Exchange, HTTP Flood, UDP Flood, SYN Flood, Slow Rate Flood, Image Download Flood, Protection)
Attackers will eventually find the weakest link!
(Diagram: Political/Hacktivist’s Bull’s Eye - Ideal vs. Realistic)
Case Study 2: Israel Cyber Attack, January 2012
January 3: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
January 16, early morning: 0xOmar and the Pro-
Jerusalem Post, threatens to attack the EL-AL website.
January 16, 9:30 AM: EL-AL, Tel Aviv Stock Exchange, and several banks are attacked and are unavailable for hours.
January 17:
-
Exchanges websites.
January 18: Additional Israeli websites were targeted.
Case Study 2: CDN - False Sense of Security
(Diagram: legitimate traffic passes through the CDN; attack traffic bypasses the CDN and attacks directly)
► GET Request
► Requests with an invalid random parameter evade the CDN service
TASE Attack (Estimated)
Attack Vector 2: Pragma: no-cache
Attack Vector Summary
► HTTP Dynamic Flood
► HTTP Static Flood
► UDP Flood
► SYN Flood
► UDP Fragmented Flood
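Added example (not from the deck or from Radware): a small defender-side replay of the CDN-bypass vector above (random query parameter, Pragma: no-cache) combined with the Day 2/Day 3 protections (connection limit, temporary ACL, blacklisting). It flags a source that repeatedly requests static content in a form the CDN cannot serve from cache and places it on a temporary ACL; the log format, path prefixes and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed sample log (hypothetical format): "<client ip> <epoch secs> <request target> <Pragma header or ->"
SAMPLE_LOG = """\
198.51.100.7 1326700200 /news/index.html -
203.0.113.9 1326700200 /news/index.html?r=8f3a21 no-cache
203.0.113.9 1326700200 /news/index.html?r=c0ffee no-cache
203.0.113.9 1326700201 /news/index.html?r=19ab77 no-cache
203.0.113.9 1326700201 /news/index.html?r=77de01 no-cache
203.0.113.9 1326700202 /news/index.html?r=5b5b5b no-cache
203.0.113.9 1326700230 /news/index.html?r=aa11bb no-cache
198.51.100.7 1326700240 /news/index.html?page=2 -
"""

STATIC_PREFIXES = ("/news/", "/static/")  # content the CDN is expected to serve from cache (assumed)
WINDOW = 10      # seconds of history kept per source
THRESHOLD = 5    # cache-bypassing requests per window before a source is blocked
BLOCK_FOR = 300  # lifetime of a temporary ACL entry, in seconds

def is_cache_bypass(target, pragma):
    """True for a static-content request the CDN cannot answer from cache: cache-buster query or Pragma: no-cache."""
    parts = urlsplit(target)
    if not parts.path.startswith(STATIC_PREFIXES):
        return False
    return bool(parts.query) or pragma.lower() == "no-cache"

def analyse(log_text):
    """Replay the log; return ([(ip, block_time, expiry)], number of requests dropped by the temp ACL)."""
    history = defaultdict(deque)  # ip -> timestamps of recent cache-bypassing requests
    acl = {}                      # ip -> expiry time of its temporary ACL entry
    decisions, dropped = [], 0
    for line in log_text.splitlines():
        ip, ts, target, pragma = line.split()
        ts = int(ts)
        if ip in acl and ts < acl[ip]:     # still on the temp ACL: drop without counting
            dropped += 1
            continue
        if not is_cache_bypass(target, pragma):
            continue                       # cacheable request: the CDN absorbs it
        recent = history[ip]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()               # slide the window forward
        if len(recent) >= THRESHOLD:
            acl[ip] = ts + BLOCK_FOR       # add (or renew, after expiry) a temp ACL entry
            decisions.append((ip, ts, acl[ip]))
            recent.clear()
    return decisions, dropped
```

The single paginated request from 198.51.100.7 is counted but stays far below the threshold, which is the false-positive concern noted on the Day 2 slide.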
Attack Campaign Morphology
(Diagram of an attack campaign timeline; stage labels: Reconnaissance, Test Fire, Heads Up, Attack Begins, Service Disruption, Automatic Mitigation, New Attack Vectors, Service Disruption, Manual Mitigation, Mitigation Continued, Attack Ends, Forensic)
Resolution: Transition from a 2-phase security approach to a 3-phase security approach
2-Phase Security Model
(Diagram: timeline alternating “Peace” Period and Attack Period; labels: Pre-attack Phase, Post-attack Phase; during the Attack Period: Automatic Mitigation, no time for human interaction)
3-Phase Security Model
(Diagram: “Peace” Period / Pre-attack Phase, Attack Period, “Peace” Period / Post-attack Phase)
THE SECURITY GAP
Attacker has time to bypass automatic mitigation.
Defenders have no skill/capacity to sustain it.
Industry Security Survey
(Chart: “How much did your organization invest in each of the following security aspects in the last year?” Investment share from 0% to 45%, grouped by Before / During / After, with series Procedures, Human skills, Equipment)
Source: Radware 2012 Global Application and Network Security Report
THE SECURITY GAP
Attacker has time to bypass automatic mitigation.
Defenders have no skill/capacity to sustain it.
Be prepared for prolonged attacks!
3-Phase Security
(Diagram: “Peace” Period / Pre-attack Phase, Attack Period, “Peace” Period / Post-attack Phase, each with a Response Team)
Response Team:
- 24x7x365
- Trained
- Experienced
- Active Mitigation
- RT Intel
- Counterattack
Summary
► It is Too Easy to Cause an Impact
► Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
Q & A
Ziv Gadot
Radware
zivg@radware.com
Additional Reading
► Radware 2012 Global Application and Network Security Report
► Radware 2011 Global Application and Network Security Report
► Cyber War Rooms: Why IT Needs New Expertise To Combat Today's Cyberattacks - Avi Chesla