The Art of Cyber War: Sun Tzu's Tactics Applied to Modern Network Defense

The Art of Cyber War
Werner Thalmeier – Security Evangelist

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu,
a high-ranking military general, strategist and tactician. It is commonly
known to be the definitive work on military strategy and tactics, and for the
last two thousand years has remained the most important military
dissertation in Asia. It has had an influence on Eastern and Western military
thinking, business tactics, legal strategy and beyond. Leaders as diverse as
Mao Zedong and General Douglas MacArthur have drawn inspiration from
the work.
Many of its conclusions remain valid today in the cyber warfare era.
孫子兵法

3
知彼知己，百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Notable DDoS Attacks in the Last 12 Months

Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計

Volumetric attacks Network & Stateful attacks Application attacks
App Misuse
5
Attackers Deploy Multi-vulnerability Attack Campaigns
High Bandwidth or PPS
Network flood attacks
Network Scan
Syn Floods
SSL Floods
HTTP Floods
Brute
Force
Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server
SQL
Injection
Cross Site
Scripting
Intrusions
“Low & Slow” DoS
attacks (e.g.Sockstress)
More than 50% of 2013 attack campaigns
had more than 5 attack vectors.
Source: Radware 2013 ERT Report

6
Hacktivism – Move To Campaign-APT Oriented
• Complex: More than seven different attack vectors at once
• Blending: Both network and application attacks
• Target-eering: Select the most appropriate target, attack tools
• Resourcing: Advertise, invite, coerce anyone capable
• Testing: Perform short “proof-firing” prior to the attack
• Timeline: Establish the most painful time period for his victim

Sophistication
20132010 2011 2012
• Duration: 3 Days
• 4 attack vectors
• Attack target: Visa, MasterCard
• 5 attack vectors
• Attack target: HKEX
• More than 7 attack vectors
• Attack target: Vatican
• Duration: 7 Months
• Multiple attack vectors
• Attack target: US Banks
7
故善战者，立于不败之地
The good fighters of old, first put themselves beyond the possibility of defeat.

The Threat Landscape
DDoS is the most common
attack method.
Attacks last longer.
Government and Financial Services
are the most attacked sectors. Multi-vector trend continues.

9
You don’t control all of your critical
business systems.
Understand your vulnerabilities in the
distributed, outsourced world.
没有战略，战术是之前失败的噪音
漏洞
Vulnerability

Individual Servers
Malicious software
installed on hosts and
servers (mostly located
at Russian and east
European universities),
controlled by a single
entity by direct
communication.
Examples:
Trin00, TFN, Trinity
Botnets
Stealthy malicious
software installed
mostly on personal
computers without the
owner’s consent;
controlled by a single
entity through indirect
channels (IRC, HTTP)
Examples:
Agobot, DirtJumper,
Zemra
Voluntary Botnets
Many users, at times
part of a Hacktivist
group, willingly share
their personal
computers. Using
predetermined and
publicly available attack
tools and methods,
with an optional remote
control channel.
Examples:
LOIC, HOIC
New Server-based
Botnets
Powerful, well
orchestrated attacks,
using a geographically
spread server
infrastructure. Few
attacking servers
generate the same
impact as hundreds of
clients.
11
20121998 - 2002 1998 - Present 2010 - Present
不戰而屈人之兵，善之善者也
To subdue the enemy without fighting is the acme of skill

12
R.U.D.Y.
• Exploits a design weakness that became public in Nov 2010
• A slow rate attack tool that can cause DoS with a relatively low amount of traffic
generated
• Instead of sending the entire HTTP Post request at once, it sends one byte every 10
seconds making the connection last forever. It does it in parallel again and again over
numerous connections until the server’s resources are exhausted.

兵者詭道也
13
Tool: Kill ‘em All 1.0
• Harnesses techniques such as Authentication
Bypass, HTTP redirect, HTTP cookie and
JavaScript
• True TCP behavior, believable and random HTTP
headers, JavaScript engine, random payload,
tunable post authentication traffic model
• Defeats current anti-DDoS solutions that detect
malformed traffic, traffic profiling, rate
limiting, source verification, Javascript and
CAPTCHA-based authentication mechanisms
• Creators allege that the tool is technically
indistinguishable from legitimate human traffic
Tested: Arbor PeakFlow TMS, Akamai,
Cloudflare, NSFocus Anti-DDoS
System
All warfare is based on
deception.

14
Current prices on the Russian underground market:
Hackingcorporatemailbox: $500
Winlockerransomware: $10-$20
Unintelligentexploitbundle: $25
Intelligentexploitbundle: $10-$3,000
Basiccrypter(forinsertingroguecodeintobenignfile): $10-$30
SOCKSbot(togetaroundfirewalls): $100
HiringaDDoSattack: $30-$70/day,$1,200/month
Botnet: $200for2,000bots
DDoSBotnet: $700
ZeuSsourcecode: $200-$250
Windowsrootkit(forinstallingmaliciousdrivers): $292
HackingFacebookorTwitteraccount: $130
HackingGmailaccount: $162
Emailspam: $10peronemillionemails
Emailscam(usingcustomerdatabase): $50-$500peronemillionemails

15

16
Battlefield: U.S. Commercial Banks
Cause: Elimination of the Film “Innocence of Muslims”
Battle: Phase 4 of major multi-phase campaign – Operation Ababil –
that commenced during the week of July 22nd. Primary targets
included: Bank of America, Chase Bank, PNC, Union Bank,
BB&T, US Bank, Fifth Third Bank, Citibank and others.
Attackers: Cyber Fighters of Izz ad-Din al-Qassam
Result: Major US financial institutions impacted by intensive and
protracted Distributed Denial of Service attacks.
行軍: Operation Ababil

17
Massive TCP and UDP flood attacks:
• Targeting both Web servers and DNS servers. Radware Emergency Response
Team tracked and mitigated attacks of up to 25Gbps against one of its
customers. Source appears to be Brobot botnet.
DNS amplification attacks:
• Attacker sends queries to a DNS server with a spoofed address that
identifies the target under attack. Large replies from the DNS servers,
usually so big that they need to be split over several packets, flood
the target.
HTTP flood attacks:
• Cause web server resource starvation due to overwhelming number of page
downloads.
Encrypted attacks:
• SSL based HTTPS GET requests generate a major load on the HTTP server by
consuming 15x more CPU in order to process the encrypted attack traffic.

18
Parastoo
Iranian Cyber Army
al Qassam Cyber Fighters
Parastoo
Iranian Cyber Army
al Qassam Cyber Fighters
22 Events
1 Event
2010 2011 2012 2013
Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul
Source: Analysis Intelligence
Event Correlation: Iranian Linked Cyber Attacks

19
Don’t assume that you’re not a target.
Draw up battle plans. Learn from the
mistakes of others.
目标
Target

21
0
5
10
15
20
25
30
35
Internet Pipe Firewall IPS / DSS ADC Server SQL Server
2011
2012
2013
Volumetric attacks Network & Session attacks Application attacks
不可胜在己
Being unconquerable lies within yourself.

22
不可胜在己
DoS Defense Component
Vulnerability
Exploitation
Network Flood
Infrastructure
Exhaustion
Target Exhaustion
Network Devices No No Some Some
Over-Provisioning No Yes, bandwidth Yes, infrastructure Yes, server & app.
Firewall & Network Equipment No No Some Some
NIPS or WAF Security Appliances Yes No No, part of problem No
Anti-DoS Box (Stand-Alone) No No Yes Yes
ISP-Side Tools No Yes Rarely Rarely
Anti-Dos Appliances (ISP Connected) No Yes Yes Yes
Anti-DoS Specialty Provider No Yes Yes Yes
Content Delivery Network No Yes Yes Limited

23
Analyst View
• With the prevalence and duration of attacks on the rise, organizations need to
take steps to protect their infrastructure from the advanced methods being
employed. Despite the fact that volumetric-based attacks will remain the most
common, more advanced hybrid attacks that include application layer and
encrypted traffic in addition to volumetric methods will also grow, spurring
growth in the use of on-premise equipment.
I D C T E C H N O L O G Y S P O T L I G H T - Optimizing DDoS Mitigation Using Hybrid Approaches
• Gartner expects high-bandwidth DDoS attacks to continue and to increase in
frequency in 2013. Gartner also expects that at least 25% of DDoS attacks will
be application-based, in which attackers send targeted commands to
applications to tax CPU and memory and make the application unavailable.
GARTNER

不可胜在己
24
Proportion of businesses relying on CDNs for DDoS protection.
70%

不可胜在己
25
Bypassing CDN Protection
Botnet
E n t e r p r i s e
C D N
GET www.enterprise.com/?[Random]

不可胜在己
26
Cloud protection limitations.
Botnet
Volumetric attacks
Low & Slow attacks
SSL encrypted attacks
E n t e r p r i s e
C l o u d S c r u b b i n g

27
Don’t believe the propaganda.
Understand the limitations of solutions.
Not all networking and security solutions
are created equal.
宣传
Propaganda

29
兵之情主速
Speed is the essence of war
AttackDegreeAxis
Attack Area
Suspicious
Area
Normal
Area

30
兵之情主速
T H E S E C U R I T Y G A P
Attacker has time to bypass automatic mitigation.
Target does not possess required defensive skills.

31
You can’t defend against attacks you can’t
detect.
Know your limitations.
Enlist forces that have expertise to help
you fight.
检测
Detection

33
故兵貴勝，不貴久
• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
Detection: Application Attacks

34
Attack Mitigation Network: Low & Slow, SSL Encrypted
Botnet
E n t e r p r i s e
H o s t e d D a t a
C e n t e r

35
What is essential in war is victory, not prolonged operations.
• Envelope Attacks – Device Overload
• Directed Attacks - Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
Detection: Encrypted / Non-Volumetric Attacks

36
Attack Mitigation Network: Application Exploits
Botnet
E n t e r p r i s e
H o s t e d D a t a
C e n t e r
Attack
signatures

37
Attack Detection: Volumetric Attacks
• Network DDoS
• SYN Floods
• HTTP Floods

38
Botnet
H o s t e d D a t a
C e n t e r
Attack Mitigation Network: Volumetric Attacks
E n t e r p r i s e
Attack
signatures

App MisuseApp Misuse
Slide
39
Layered Lines Of Defense
Large volume
network flood
attacks
Network Scan
Syn Floods
SSL Floods
“Low & Slow” DoS
attacks
(e.g.Sockstress)
HTTP Floods
Brute
Force
DoS protection
Behavioral analysis SSL protection
IPS
WAF
Cloud DDoS protection
Volumetric attacks Network & Stateful attacks Application attacks

40
Layered Lines Of Defense – Attack Mitigation System

41
Aligned forces will make the difference
Protecting your data is not the same as
protecting your business.
True security necessitates data protection,
system integrity and operational availability.
可用性
Protection

42
你准备好了吗?
Are You Ready?

Thank You
mottya@radware.comwww.radware.com
http://security.radware.com/

The Art of Cyber War: Sun Tzu's Tactics Applied to Modern Network Defense

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to The Art of Cyber War: Sun Tzu's Tactics Applied to Modern Network Defense

Similar to The Art of Cyber War: Sun Tzu's Tactics Applied to Modern Network Defense (20)

More from Radware

More from Radware (20)

Recently uploaded

Recently uploaded (20)

The Art of Cyber War: Sun Tzu's Tactics Applied to Modern Network Defense