David Hobbs’ presentation from SecureWorld Expo - St. Louis discusses availability-based threats; attacks on U.S. banks and other popular attack patterns & trends.
From his series of presentations during SecureWorld and also the iTech 2013 Conference, Radware Attack Mitigation Specialist David Hobbs presents “Survival in an Evolving Threat Landscape.” The discussion covers availability-based threats, attacks on the U.S. banks and others popular patterns & trends.
In the Line of Fire-the Morphology of Cyber AttacksRadware
David Hobbs’ Presentation from his series of presentations during SecureWorld that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.
In the Line of Fire-the Morphology of Cyber AttacksRadware
Dennis Ulse's Presentation from SecureWorld Expo Atlanta that discusses Availability-based threats; Attacks on U.S. banks and other popular attack patterns and trends.
In the Line of Fire - The Morphology of Cyber-AttacksRadware
Presentation from Dennis Usle during TakeDownCon in Huntsville, AL that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.
This session will provide insight into highly disruptive breaches that MANDIANT investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk and focused on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017. Financially motivated vs Non Financially motivated. I will talk about how recent attacks with SHAMOON differ - their motives compared to financially motivated threat actors. Highlights from a couple of 2017 IRs - Overview of TTPs of the important State Sponsored Attacks seen in 2017.
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
From his series of presentations during SecureWorld and also the iTech 2013 Conference, Radware Attack Mitigation Specialist David Hobbs presents “Survival in an Evolving Threat Landscape.” The discussion covers availability-based threats, attacks on the U.S. banks and others popular patterns & trends.
In the Line of Fire-the Morphology of Cyber AttacksRadware
David Hobbs’ Presentation from his series of presentations during SecureWorld that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.
In the Line of Fire-the Morphology of Cyber AttacksRadware
Dennis Ulse's Presentation from SecureWorld Expo Atlanta that discusses Availability-based threats; Attacks on U.S. banks and other popular attack patterns and trends.
In the Line of Fire - The Morphology of Cyber-AttacksRadware
Presentation from Dennis Usle during TakeDownCon in Huntsville, AL that discusses Availability-based threats; Attacks on U.S. banks and others popular attack patterns & trends.
This session will provide insight into highly disruptive breaches that MANDIANT investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk and focused on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017. Financially motivated vs Non Financially motivated. I will talk about how recent attacks with SHAMOON differ - their motives compared to financially motivated threat actors. Highlights from a couple of 2017 IRs - Overview of TTPs of the important State Sponsored Attacks seen in 2017.
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In a series of “1-2 punches”, we saw attacks designed to breach the target and exfiltrate data reinforced by a campaign to leak information using mouthpieces posing as hacktivists. In this presentation we'll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, strengths and gaps in the attribution analysis, and how the adversary might adjust their tactics going forward.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
As an incident responder, have you ever thought about how much easier an investigation would be if you had the C2 server in your possession? In this talk, we are going to deep dive a rare investigation in which Mandiant obtained a forensic copy of an attacker C2 system. You will learn about the initial compromise of the C2 server, the tools and tactics used by the attacker, and the investigative steps taken to identify the full scope of the attack. In addition, you will learn about the specific challenges involved with the analysis, the tool I developed to carve all PostGreSQL rows from a forensic image, and some unique lessons learned from performing this investigation.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
Risk-based Security Technical Debt Reduction: When everything’s important, n...laurieannwilliams
While engineers are increasingly aware of security requirements, in many organizations security remains the responsibility of “those security people” and is not tightly integrated into the development cycle. Productivity and feature goals can result in engineers focusing on deployment rather than on fixing non-critical security issues or on building security into a product, resulting in an increase of security technical debt. Attackers eagerly exploit the vulnerabilities lying in the security technical debt pile. Organizations can benefit from risk-based practices for shrinking this debt. This talk will present two research projects in which risk is being used to prioritize security mitigations. The first project is focused on reducing secrets and credentials that have been checked into a code base. The second project relates to the prioritization of patching the continuous onslaught of vulnerable components and libraries that comprise a product.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
When the iPhone was first released, the security of its data was…not as good as it should’ve been. But with every release since then, data security has improved, until now it’s the subject of court cases and CNN panel discussions.
But how exactly does it work, anyway? Sure, it uses “encryption,” but what does that really mean, and just how far can we trust it?
I try to explain, in simple terms and with useful diagrams, just how the complex encryption models on iOS work. Based on published research and Apple’s own documentation, I show where there are things we don’t know, or don’t quite understand, and describe iOS protects (or doesn’t) against forensics, law enforcement, and hackers.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In a series of “1-2 punches”, we saw attacks designed to breach the target and exfiltrate data reinforced by a campaign to leak information using mouthpieces posing as hacktivists. In this presentation we'll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, strengths and gaps in the attribution analysis, and how the adversary might adjust their tactics going forward.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
As an incident responder, have you ever thought about how much easier an investigation would be if you had the C2 server in your possession? In this talk, we are going to deep dive a rare investigation in which Mandiant obtained a forensic copy of an attacker C2 system. You will learn about the initial compromise of the C2 server, the tools and tactics used by the attacker, and the investigative steps taken to identify the full scope of the attack. In addition, you will learn about the specific challenges involved with the analysis, the tool I developed to carve all PostGreSQL rows from a forensic image, and some unique lessons learned from performing this investigation.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
Risk-based Security Technical Debt Reduction: When everything’s important, n...laurieannwilliams
While engineers are increasingly aware of security requirements, in many organizations security remains the responsibility of “those security people” and is not tightly integrated into the development cycle. Productivity and feature goals can result in engineers focusing on deployment rather than on fixing non-critical security issues or on building security into a product, resulting in an increase of security technical debt. Attackers eagerly exploit the vulnerabilities lying in the security technical debt pile. Organizations can benefit from risk-based practices for shrinking this debt. This talk will present two research projects in which risk is being used to prioritize security mitigations. The first project is focused on reducing secrets and credentials that have been checked into a code base. The second project relates to the prioritization of patching the continuous onslaught of vulnerable components and libraries that comprise a product.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
When the iPhone was first released, the security of its data was…not as good as it should’ve been. But with every release since then, data security has improved, until now it’s the subject of court cases and CNN panel discussions.
But how exactly does it work, anyway? Sure, it uses “encryption,” but what does that really mean, and just how far can we trust it?
I try to explain, in simple terms and with useful diagrams, just how the complex encryption models on iOS work. Based on published research and Apple’s own documentation, I show where there are things we don’t know, or don’t quite understand, and describe iOS protects (or doesn’t) against forensics, law enforcement, and hackers.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
This Document describes How to review a Network Architecture in context of Information security . It helps to identify the starting point for reviewing the components of network with respect to best practices. A Network Architecture Review is a review and analysis of relevant network artifacts (e.g. network diagrams, security requirements, technology inventory, DMZ).
The primary goal of the checklist is to make it useful and as a trusted guide for IT Auditors,Security Consultant in Network Architecture Review assignments.The checklist is drawn from numerous resources referred and my experience in network architecture reviews.Though the essentially doesn't essentially cover all elements of a network architecture review,I have tried to bring in aspects of the security element in a network architecture
Cyber Security Through the Eyes of the C-Suite (Infographic)Radware
C-level executives are grappling with a new breed of cyber-attacks. How are they responding to ransom-based threats? Why are they turning to ex-hackers for help? Radware interviewed 200 IT executives in the U.S. and U.K. to find out.
Alphorm.com Support de la Formation SolidWorks 2016- les fondamentauxAlphorm
Formation complète ici :
http://www.alphorm.com/tutoriel/formation-en-ligne-solidworks-2016-maitriser-les-fondamentaux
SolidWorks 2016 est un logiciel de conception 3D de Dassault Systemes, un modeleur 3D utilisant la conception paramétrique.
Utilisé par les plus grands groupes mondiaux, SolidWorks 2016 permet de concevoir de manière optimale tout type de système mécanique, surfacique, tôlerie et bien d’autres.
Cette formation SolidWorks 2016, vous apprendra les fondamentaux du logiciel SolidWorks 2016.
Durant cette formation SolidWorks 2016, vous découvrirez l'utilisation du software dans les différentes activités, son interface et ses fonctions principales.
Dans cette formation SolidWorks 2016, le formateur vous détaille les techniques pour créer efficacement des pièces industrielles. Vous commencez par les esquisses en 3D, vous passez aux fonctions d'extrusion, de révolution, de lissage et de balayage. Pour mettre en pratique cette formation SolidWorks 2016, vous allez créer des plaques et des vis, puis réaliser des assemblages, pour enfin passer à la mise en plan.
A l’issue de cette formation SolidWorks 2016, et après une mise en pratique sérieuse de SolidWorks 2016, vous pourrez prétendre à passer la Certification SolidWorks 2016 proposée par Dassault Systèmes.
Formation complète ici:
http://www.alphorm.com/tutoriel/formation-en-ligne-exchange-2016-configuration-avancee
Cette formation Exchange 2016 présente la version la plus récente du serveur de messagerie de Microsoft. Cette version est une évolution d'Exchange 2013 qui avait posé de nouvelles bases solides en termes d'architecture et d'administration.
Les évolutions de Microsoft Exchange Server 2016 visent à rendre accessible sur site les nouveautés déployées au fil des mois sur Office 365. Exchange 2016 offre ainsi de nombreuses nouveautés afin d'en améliorer l'expérience utilisateur, l'interopérabilité avec les autres outils de l'offre de communication unifiée de Microsoft (SharePoint...) tout en offrant plus de flexibilité et en renforçant la protection des messages et la sécurité.
Cette formation Exchange 2016 vous permettra de compléter vos connaissances et compétences nécessaires pour configurer et gérer un environnement de messagerie sous Microsoft Exchange Server 2016.
Durant cette formation Exchange 2016, Pierre NORMAND vous transmettra un ensemble de base de connaissances, son expérience, ceci dans le but de comprendre et configurer Exchange Server 2016. Il vous transmettra les meilleures pratiques et divers éléments à prendre en compte qui vous aideront à optimiser votre déploiement de serveur Exchange.
En fin de cette formation Exchange 2016, vous obtiendrez également une maquette fonctionnelle d’Exchange 2016.
Cette formation Exchange 2016 apporte une valeur ajoutée à tous ceux qui souhaitent également compléter leur formation sur l'exploitation et l'administration d'un environnement Exchange 2016 en PowerShell.
This introductory seminar explains Cloud Computing and Amazon Web Services (AWS) in great detail.
The presenter, Simone Brunozzi (@simon), is an AWS Technology Evangelist.
Recommended for business/technical audiences.
In this session, you'll learn what’s new and hot with AWS Lambda. Come learn about what we’ve been working on and what we are planning for the future. You'll get a hands-on demonstration of some our newest features.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEric Vanderburg
Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Eradicate the Bots in the Belfry" at the Information Security Summit.
In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands on experience with DevSecOps. We’ll teach you how to think like a Security Ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsEmulex Corporation
Data centers move exabytes of data through their networks. This explosive growth in network traffic has put demands on data centers to adapt and add new technologies and standards to keep pace and make information easily accessible. Our personal information, company IP assets and sensitive data run across these networks that are constantly under persistent and malicious cyber attacks to look for vulnerabilities in their networks. IT security teams have to protect complex networks that are growing in size and complexity. They call for a new approach to gaining full – rather than partial – visibility into network behavior to stop downtime losses and data leaks.
By providing 1 to 1 NetFlow generation then collecting the data and analyzing the flow records is essential in time-to-resolution (TTR). To help you take full advantage of valuable NetFlow data for use in network security management, Emulex and Lancope have created a best-in-class network and security solution that allows you to quickly and continuously monitor the makeup of the traffic traversing your network.
In this webinar, we’ll explore why network security management is crucial in managing functionality and visibility of an organization’s network infrastructure and how Emulex helps address these deployment requirements. We'll also explore what matters most when network security is breached, and share some best practice insights gleaned from working with customers that run some of the largest and most critical data networks on the planet.
Protecting Financial Networks from Cyber CrimeLancope, Inc.
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn: How NetFlow can help quickly uncover both internal and external threats How pervasive network insight can accelerate incident response and forensic investigations How to substantially decrease enterprise risks
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on a research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide information required for network protection.
As presented on 1/31/2018 at Cisco NYC Security Open House. These slides describe how a proper Disaster Recovery infrastructure, with a proper an automated network integration can provide instant recovery from Ransomware attacks and can improve security of the production environment.
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...CODE BLUE
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been less coverage on these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
Similar to SecureWorld St. Louis: Survival in an Evolving Threat Landscape (20)
What’s the Cost of a Cyber Attack (Infographic)Radware
How much does a cyber-attack actually cost an organization in hard dollars? What are the potential business impacts? This infographic answers these questions and more via two surveys Radware recently conducted of IT professionals.
The enterprise perimeter is disappearing. Migration to the cloud means a more distributed network infrastructure. Transition of web based applications to the cloud renders on premise mitigation tools ineffective against web attacks and requires organizations to protect applications both on premise and in-the-cloud.
Introducing Radware's Hybrid Cloud WAF Service - a fully-managed, always on service that integrates cloud-based with on premise protection against a broad range of attack vectors.
Visit here http://www.radware.com/social/hybridcloudwaf/ to read "The Dawn of Hybrid Cloud WAF" and to learn how the industry's first hybrid cloud-based WAF service addresses today's most challenging web-based cyber-attacks.
The Expanding Role and Importance of Application Delivery Controllers [Resear...Radware
When it Comes to ADCs, Perception is Not Reality.
The Enterprise Strategy Group and Radware recently conducted a collaborative research project about the current use and future strategies of application delivery controllers (ADCs).
Based on a survey of 243 IT professionals, the research reveals that the role of ADCs has expanded well beyond the historical perception of hardware-based load balancers.
What’s most interesting is that ADCs are becoming a critical component of a defense-in-depth security strategy as enterprises fine-tune security policy and enforcement to align with their sensitive business applications. Organizations are also deploying ADCs as virtual appliances at an increasing rate and taking advantage of ADC functionality from the network through the application layer.
There is a lesson to be learned here: enterprise organizations can get creative with ADC deployments for performance tuning, application-specific services, and critical system protection. Read this research http://www.radware.com/social/esg-adc-research/ to understand the benefits of applying ADCs in this fashion.
The Art of Cyber War [From Black Hat Brazil 2014]Radware
With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments.
In 2013 we saw a growing use of a new type of attack where attackers used legitimate transactions to saturate application servers’ resources. In this presentation, Security Expert Werner Thalmeier demonstrates how such an advanced attack can be created from a laptop running in an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations as well as shares the best practices to protect against such cyber-attacks.
Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit: http://www.radware.com/ert-report-2013/
Eventually, every website fails. If it's a household-name site like Amazon, then news of that failure gets around faster than a rocket full of monkeys. That's because downtime hurts. As a for-instance, in 2013 Amazon suffered a 40-minute outage that allegedly cost the company $5 million in lost sales. That's a big number, and everybody loves big numbers.
But when it comes to performance-related losses, is it the biggest number?
In this presentation from the CMG Performance and Capacity 2014 conference, Radware Web Performance Expert Tammy Everts reviews real-world examples that compare the cost of site slowdowns versus outages. We also talk about how to overcome the challenges of creating as much urgency around the topic of slow time as there is around the topic of downtime.
The Cyber Attack landscape is evolving with new attack vectors and dangerous trends that can affect the security of your business. Some attacks can take only minutes to complete, yet months to be discovered.
Determine your attack risk and learn what to look for in a quality cyber attack defense.
Please visit here: http://www.radware.com/social/amn/ for information on Radware's AMN (Attack Mitigation Network.
An Important Notice About Shellshock Bash Protection
Since the news about “Shellshock Bash” vulnerabilities came out, we have been working around the clock to ensure our customers and partners are getting the best solutions from us. We have published this Shellshock Security Advisory, which will help protect your business with:
• Two IPS signatures that can be used by DefensePro to block the vulnerability
• Recommendations provided by Radware’s Emergency Response Team (ERT) that can be applied immediately
• Recommended reference sources and vendor information
Radware's team of cyber-security experts is available to our customers, 24/7. Contact us if you require immediate support for this vulnerability. We assure you that we continue to closely monitor the situation in order to ensure we provide you with the best cyber-attack protection mechanisms.
The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving TheatreRadware
Is the world in the midst of a cyber-war? If so, what are the implications?
In this presentation Carl Herberger, Radware's VP of Security Solutions, explores some of the most notable recent cyber-attacks and how many of the findings correlate with the tenets of warfare as defined in The Art of War by Sun Tzu, the ancient military general, strategist and tactician.
How should organizations be preparing for an information security landscape that is shaped by ideologically motivated cyber warfare rather than just opportunistic cyber-crime? Learn the techniques being employed to safeguard IT operations in a theatre that is witnessing ever more sophisticated attacks.
For more on how to help detect, mitigate and win this cyber war battle, visit here: http://www.radware.com/ert-report-2013/ to download the 2013 Global Application and Network Security Report.
Mobile Web Stress: Understanding the Neurological Impact of Poor PerformanceRadware
Slow pages hurt mobile user metrics, from bounce rate to online revenues and long-term user retention. At Radware, we wanted to understand the science behind this, so we engaged in the first documented study of the neurological impact of poor performance on mobile users. Your takeaway from this presentation is hard data that you can use to make a case for investing in mobile performance in your organization.
Based on similar research performed on desktop users, our study involved using a groundbreaking combination of eyetracking and electroencephalography (EEG) technologies to monitor brain wave activity in a group of mobile users who were asked to perform a series of online transactions via mobile devices.
In our study, participants were asked to complete standardized shopping tasks on four ecommerce sites while using a smartphone. We studied participants during these tasks, both at the normal speed over Wifi and also at a consistently slowed-down speed (using software that allowed us to create a 500ms network delay). The participants did not know that speed was a factor in the tests; rather, they believed that they were participating in a generic usability/brand perception study. From the data, we were able to extract measures of frustration and emotional engagement for the browsing and checkout stages of both the normal and slowed-down versions of all four sites.
This presentation, shared by Radware Web Performance Evangelist Tammy Everts at the 2014 Velocity Conference and the CMG Performance and Capacity 2014 Conference, provides a deeper understanding of the impact of performance on mobile users.
For even more on the research, you can also download it here: http://www.radware.com/mobile-eeg2013/
This is your brain.
This is your brain on a mobile site with throughput throttled just enough to frustrate the heck out of you.
This is your brain thinking about all the tests you could run if you had your own lightweight, wireless EEG braincap to directly but passively monitor brain activity in your customers as they interact with your digital assets.
From the eMetrics Conference in Chicago, Radware Evangelist Tammy Everts describes a mobile web stress test conducted to gauge the impact of network speed on emotional engagement and brand perception. Neural marketing has escaped the lab and has found its way into practical applications. For even more on the web stress tests, please visit: http://www.radware.com/mobile-eeg2013/
InfoSecurity Europe 2014: The Art Of Cyber WarRadware
With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments.
In 2013 we saw a growing use of a new type of attack where attackers used legitimate transactions to saturate application servers’ resources. In this presentation, Security Expert Werner Thalmeier demonstrates how such an advanced attack can be created from a laptop running in an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations as well as shares the best practices to protect against such cyber-attacks.
Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit: http://www.radware.com/ert-report-2013/
OpenStack Networking: Developing and Delivering a Commercial Solution for Lo...Radware
Why would you want to have an open source driver?
Samuel Bercovici, Radware's Director of Automation & Cloud Integration, answers this and offers an introduction to Drivers in Havana in this presentation from his recent appearance at OpenStack Israel.
Read more in our Press Release: http://www.radware.com/NewsEvents/PressReleases/Radware-Alteon-Provides-Load-Balancing-for-OpenStack-Cloud-Applications/
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware
http://www.radware.com/Products/DefenseFlow/
Learn about the industry's first SDN application that enables network operators to program the network to provide DDoS protection as a native network service.
SecureWorld: Information Security Adaption: Survival In An Evolving Threat L...Radware
Carl Herberger’s presentation during his series of SecureWorld events. Carl discusses the evolving threat landscape, the anatomy of an attack and securing tomorrow’s perimeter.
Stock Exchanges in the Line of Fire-Morphology of Cyber AttacksRadware
Stock exchanges are constantly targeted by cyber attacks. This presentation discusses several real life attacks cases studies discussing attack vectors, motivations, impacts and mitigation techniques.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Connector Corner: Automate dynamic content and events by pushing a button
SecureWorld St. Louis: Survival in an Evolving Threat Landscape
1. Survival in an
Evolving Threat
Landscape
David Hobbs
Director of Security Solutions
Emergency Response Team
DavidH@Radware.com
August 2013
Radware Confidential August 2013
11. “Overview”
• What triggered the recent US attacks?
• Who was involved in implementing the attacks and name of the operation?
• How long were the attacks and how many attack vectors were involved?
• How the attacks work and their effects.
• How can we prepare ourselves in the future?
Slide 11Radware Confidential Jan 2012
12. “What triggered the attacks on the US banks?”
• Nakoula Basseley Nakoula (Alias- “Sam Bacile”), an Egyption born US resident
created an anti Islam film.
• Early September the publication of the „Innocence of Muslims‟ film on YouTube
invokes demonstrations throughout the Muslim world.
• The video was 14 minutes though a full length movie was released.
Slide 12Radware Confidential Jan 2012
15. “Who is the group behind the cyber response?”
• A hacker group called “Izz as-Din al-Qassam Cyber fighters”.
• Izz as-Din al-Qassam was a famous Muslim preacher who was a leader in the
fight against the French, US and Zionist in the 1920‟s and 1930‟s.
• The group claims not to be affiliated to any government or Anonymous.
• This group claims to be independent, and it‟s goal is to defend Islam.
Slide 15Radware Confidential Jan 2012
16. “Operation Ababil launched!”
• “Operation Ababil” is the codename of the operation launched on
Septembetr18th 2012, by the group “Izz as-Din al-Qassam Cyber fighters”
• The attackers announced they would attack “American and Zionist targets”.
• “Ababil” translates to “swallow” from Persian. Until today the US thinks the
Iranian government may be behind the operation.
• The operations goal is to have “Youtube” remove the anti-muslim film from it‟s
site. Until today the video has not been removed.
Slide 16Radware Confidential Jan 2012
17. “The attack campaign in 2 phases”
• The attack campaign was split into 2 phases, a pubic announcement was made
in each phase.
• The attacks lasted 10 days, from the 18th until the 28th of September.
• Phase 1 - Targets > NYSE, BOA, JP Morgan.
• Phase 2 – Targets > Wells Fargo, US Banks, PNC.
Slide 17Radware Confidential Jan 2012
New York Stock
Exchange
19. “Attack Vectors”
• 5 Attack vectors were seen by the ERT team during Operation Ababil.
1. UDP garbage flood.
2. TCP SYN flood.
3. Mobile LOIC (Apache killer version).
4. HTTP Request flood.
5. ICMP Reply flood. (*Unconfirmed but reported on).
*Note: Data is gathered by Radware as well as it‟s partners.
Radware Confidential Jan 2012
20. “UDP Garbage Flood”
• Targeted the DNS servers of the organizations, also HTTP.
• Up to 1Gbps volume (Possibly higher).
• All attacks were identical in content and in size (Packet structure).
• UDP packets sent to port 53 and 80.
• Customer attacked Sep 18th and on the 19th.
Slide 20Radware Confidential Jan 2012
21. “Tactics used in the UDP garbage flood”
• Internal DNS servers were targeted , at a high rate.
• Web servers were also targeted, at a high rate.
• Spoofed IP‟s (But kept to just a few, this is unusual).
• ~ 1Gbps.
• Lasted more than 7 hours initially but still continues...
Packet structure
Slide 21
Parameter Value Port 53 Value Port 80
Packet size 1358 Bytes Unknown
Value in Garbage ‘A’ (0x41) characters
repeated
“/http1”
(x2fx68x74x74x70x
31) - repetitive
Radware Confidential Jan 2012
22. “DNS Garbage flood packet extract”
• Some reports of a DNS reflective attack was underway seem to be incorrect.
• The packets are considered “Malformed” DNS packets, no relevant DNS
header.
Slide 22Radware Confidential Jan 2012
23. “Attackers objective of the UDP Garbage flood”
• Saturate bandwidth.
• Attack will pass through firewall, since port is open.
• Saturate session tables/CPU resources on any state -full device, L4 routing
rules any router, FW session tables etc..
• Returning ICMP type 3 further saturate upstream bandwidth.
• All combined will lead to a DoS situation if bandwidth and infrastructure cannot
handle the volume or packet processing.
Slide 23Radware Confidential Jan 2012
24. “TCP SYN flood”
• Targeted Port 53, 80 and 443.
• The rate was around 100Mbps with around 135K PPS.
• This lasted from the Sep 18th for more than 3 days.
Slide 24Radware Confidential Jan 2012
25. “SYN flood Packet extract”
Slide 25
-All sources are spoofed.
-Multiple SYN packets to port 443.
Radware Confidential Jan 2012
26. “Attackers objective of the TCP SYN floods”
• SYN floods are a well known attack vector.
• Can be used to distract from more targeted attacks.
• The effect of the SYN flood if it slips through can devastate state-full devices
quickly. This is done by filling up the session table.
• All state-full device has some performance impact under such a flood.
• Easy to implement.
• Incorrect network architecture will quickly have issues.
Slide 26Radware Confidential Jan 2012
27. “Mobile LOIC (Apache killer version)”
• Mobile LOIC (Low Orbit Iron Cannon) is a DDoS tool written in HTML and
Javascript.
• This DDoS Tool does an HTTP GET flood.
• The tool is designed to do HTTP floods.
• We have no statistics on the exact traffic of mobile LOIC.
Slide 27
*Suspected*Suspected
Radware Confidential Jan 2012
28. “Mobile LOIC in a web browser”
Slide 28Radware Confidential Jan 2012
29. “HTTP Request Flood”
• Between 80K and 100K TPS (Transactions Per second)
• Port 80
• Followed the same patterns in the GET request (Except for the Input
parameter)
• Dynamic user agent
Slide 29Radware Confidential Jan 2012
30. “HTTP flood packet structure”
• Sources worldwide (True sources most likely hidden).
• User agent duplicated.
• Attack time was short (No confirmed timeline)
• Rates are unknown.
• Dynamic Input parameters.
GET Requests parameters
Slide 30Radware Confidential Jan 2012
31. “HTTP flood packet parameters identified”
Slide 31
HTTP Request Samples
GET /financial-literacy/all-about-investing/etvs?2408b
GET /financial-literacy/all-about-investing/bonds?4d094
GET /inside-the-exchange/visiting?aad95
GET /
HTTP Request Samples
DoCoMo/2.0 SH902i (compatible; Y!J-SRD/1.0;
http://help.yahoo.co.jp/help/jp/search/indexing/indexing-27.html)
Googlebot/2.1 ( http://www.googlebot.com/bot.html)
IE/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR
1.1.4322;)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030505 Mozilla Firebird/0.6
Opera/9.00 (Windows NT 5.1; U; en)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
msnbot-Products/1.0 (+http://search.msn.com/msnbot.htm)
Radware Confidential Jan 2012
33. “Attackers objective of the HTTP flood”
• Bypass CDN services by randomizing the input parameter and user agents.
• Because of the double user agent there was an flaw in the programming behind
the attacking tool.
• Saturating and exhausting web server resources by keeping session table and
web server connection limits occupied.
• The attack takes more resources to implement than non connection orientated
attacks like TCP SYN floods and UDP garbage floods. This is because of the
need to establish a connection.
Slide 33Radware Confidential Jan 2012
36. “Unconfirmed attacks”
• The following 2 attack vectors were reported to us by our customers however
we have no data internally to indicate these attacks took place.
• The data was either gathered through intelligence the customer had (IRC chat,
Forums etc..) or something they suspected and reported to Radware but never
provided logs for.
• The 2 other vectors suspected are:
– ICMP Reply Flood.
– Dirt Jumper.
Radware Confidential Jan 2012
37. “ICMP Reply flood”
• This attack was gathered through Cisco logs at the customers site.
• We have no statistics on the attack.
Slide 37Radware Confidential Jan 2012
38. “ICMP Reply Flood explained”
• ICMP “Requests” (ICMP Type 8) are sent to the target in order to generate multiple ICMP
“Reply” (ICMP Type 0) packets.
• This can also be from spoofed IP‟s (Sent packets, ICMP Type 8).
• This saturates bandwidth on the servers up/down stream as well as CPU processing to
process the ICMP packets and respond.
• To do a replay flood you just spoof the SRC IP of the ICMP request.
Slide 38Radware Confidential Jan 2012
39. “Dirt Jumper”
• Dirt Jumper is a BOT currently at version 5.
• Dirt jumper is used in various HTTP floods.
• POST, GET and download floods are supported by the latest version of Dirt
Jumper.
• User Agent and Referrer randomization are supported too.
Slide 39Radware Confidential Jan 2012
42. Availability-based Threats Tree
Slide 42
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-and-Slow
Single-packet
DoS
UPD
Flood
ICMP
Flood
SYN
Flood
Web
Flood
DNS SMTP
HTTPS
Radware Confidential Jan 2012
46. HTTPS – SSL Re Negotiation Attack
Slide 46
THC-SSL DoS
THC-SSL DOS was developed by a hacking group called The Hacker‟s Choice (THC), as a proof-
of-concept to encourage vendors to patch a serious SSL vulnerability. THC-SSL-DOS, as with other
“low and slow” attacks, requires only a small number of packets to cause denial-of-service for a
fairly large server. It works by initiating a regular SSL handshake and then immediately requesting
for the renegotiation of the encryption key, constantly repeating this server resource-intensive
renegotiation request until all server resources have been exhausted.
Radware Confidential Jan 2012
47. Low & Slow
Slide 47
Availability-
based Threats
Network Floods
(Volumetric)
Application
Floods
Low-and-Slow
Single-packet
DoS
UPD
Flood
ICMP
Flood
SYN
Flood
Web
Flood
DNS SMTP
HTTPS
Low-and-Slow
Radware Confidential Jan 2012
49. Slowloris
Slide 49
Slowloris
Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow
HTTP request. By sending HTTP headers to the target site in tiny chunks as slow as possible (waiting to send the next tiny
chunk until just before the server would time out the request), the server is forced to continue to wait for the headers to
arrive. If enough connections are opened to the server in this fashion, it is quickly unable to handle legitimate requests.
Slowloris is cross-platform, except due to Windows’ ~130 simultaneous socket use limit, it is only effective from UNIX-based
systems which allow for more connections to be opened in parallel to a target server (although a GUI Python version of
Slowloris dubbed PyLoris was able to overcome this limiting factor on Windows).
Radware Confidential Jan 2012
50. R.U.D.Y (R-U-Dead-Yet)
Slide 50
R.U.D.Y. (R-U-Dead-Yet?)
R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and
named after the Children of Bodom album “Are You Dead Yet?” It achieves denial-of-service by using long form
field submissions. By injecting one byte of information into an application POST field at a time and then waiting,
R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this
behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y.
causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating
simultaneous connections to the server the attacker is ultimately able to exhaust the server‟s connection table and
create a denial-of-service condition.
Radware Confidential Jan 2012
51. Black hat 2013 - Universal DDoS Mitigation Bypass
The main idea behind this presentation was to demonstrate a new tool which is
combined with Captcha solving and JavaScript engine.
They covered the types and world of DDoS attack like -
• Volumetric – Packet rate based and Bit-rate based.
• Non Volumetric – Protocol and Application-based (Apache killer, Slowloris,
Rudy, SMURF)
• Blended – all of the above together – very common and effective.
After showing the different attack vectors they have covered the current known (to
them) mitigation techniques – non-vendor specific:
• Traffic policing (simple rate limit)
• Proactive resource release (Mostly for low&slow attacks)
• B/W listing
• Resource isolation (Across different AS)
• Secure CDN
Slide 51Radware Confidential Jan 2012
52. Black hat 2013 - Universal DDoS Mitigation Bypass
After complete w/ the long prolog they gave the specifications of the new tool
– Kill’em All 1.0
• The tool will support the following features -
• Auth bypass (including re-authentication every X seconds capability)
• HTTP redirect
• HTTP cookie
• JavaScript
• Captcha
According to the presenters the strengths of the tool are -
• True TCP behavior
• Believable and random HTTP headers (Including the GET request itself)
• JavaScript engine
• Captcha solving
• Random payload
• Tunable post authentication traffic model.
Slide 52Radware Confidential Jan 2012
53. Black hat 2013 - Universal DDoS Mitigation Bypass
The perpetrators allege that the tool is technically indistinguishable from human.
• They say it was tested successfully against both anti-DDoS devices and
Services, they mentioned by name only CloudFlare and Akamai.
• They have concluded the session saying that DDoS is very expensive and that
current solutions are falling behind.
Slide 53Radware Confidential Jan 2012
54. Challenge & Response Escalations
Slide
Radware Confidential Jan 2012
Script 302 Redirect
Challenge
JS Challenge Special Challenge
(6.09)
Kamikaze Pass Not pass Not pass
Kamina Pass Not pass Not pass
Terminator Pass Pass Not pass
Here are the results
Kamikaze and Kamina will not pass DefensePro JS Challenge. Terminator
will pass both 302 and JS, however, we have been prepared for this and
have developed a set of new challenges which it will not pass. They are
available at version 6.09.00 (current DP release). To our knowledge the
only tool in the world who can currently handle Terminator.
-This pic is from the very beginning of the video, stating “There is an angry mob in the middle of the street”*Notes - On September 9, 2012, an excerpt of the YouTube video was broadcast on Al-Nas TV, an Egyptian Islamist television station.[11][12]Demonstrations and violent protests against the film broke out on September 11 in Egypt and spread to other Arab and Muslim nations and some western countries.
-Libyan riots top left - http://www.foreignpolicy.com/articles/2012/09/14/why_the_embassy_riots_wont_stop.-Lebonon riots bottom left - http://au.ibtimes.com/articles_slideshows/384606/20120915/lebanon-protesters-destroy-kentucky-fried-chicken-and-hardees-over-innocence-of-muslims-film-photos.htm
Links about Izz as-Din al-Quassam The preacher - http://en.wikipedia.org/wiki/Izz_ad-Din_al-Qassam *Notes - The Levant includes most of modern Lebanon, Syria, Jordan, State of Palestine, Israel, Cyprus, Hatay Province of Turkey, some regions of northwestern Iraq and theSinai Peninsula.Links about the Cyber hacker group - http://www.globalpost.com/dispatches/globalpost-blogs/the-grid/who-are-the-izz-ad-din-al-qassam-cyber-fightershttp://www.ehackingnews.com/2012/12/izz-ad-din-al-qassam-cyber-fighters.htmlPic from - http://www.standupamericaus.org/terror-jihad/cyber-fighters-of-izz-al-din-al-qassam-alert-to-banks-in-usa/
Links for translation of ababil - http://en.wikipedia.org/wiki/Ghods_AbabilThe pic from - http://en.wikipedia.org/wiki/File:Hirundo_abyssinica.jpgClaims of Iranian involvement -http://betabeat.com/2012/09/iran-possibly-behind-operation-ababil-cyber-attacks-against-financial-institutions/http://features.rr.com/article/0coOckreSy1vL?q=Bank+of+America
Data taken from internal doc.
Pic taken from - http://news.yahoo.com/americas-failing-grade-cyber-attack-readiness-153640058--abc-news-topstories.html
-Taken from internal report.
-Taken from internal report.
Reflective attack - Attackers send forged requests of some type to a very large number of computers that will reply to the requests. Using spoofed SRC IP’s of the victim, which means all the replies will go to (and flood) the target.
-Stateful inspection in the DNS area is limited. Was in smartdefense at CP, but how many people use it?-The server is forced to respond with ICMP packets “Destination Unreachable” (ICMP type3 Code 3) for port closed when udp packet arrives.-Returning ICMP type 3 further saturate (Packet size in return will be close to received packet).
-Internal data.
-The SYN flood attack simply sends a high rate of SYN’s with spoofed IP’s and the server is left waiting for the ACK.-This means the attacker needs much fewer hosts to exhaust target machine because no session is actually kept alive on the “Attackers” side.-You exhaust the Backlog of the TCP stack (Linux default is 3mins and Win2k is 45 sec. for half open timeouts, these can be changed). So the server can no longer accept a new connection.-
-Another reported attack technique that was allegedly used during this campaign is a custom version of the Mobile LOIC tool (aka Mobile LOIC - Apache Killer) which is designed to exploit a known vulnerability in Apache servers – corresponding to CVE-2011-3192.-This attack tool targets Apache servers using Apache HTTP server versions 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.
Target URL- Specifies the URL of the attacked target. Must start with http://. Requests per second-Specifies the number of desired requests to be sent per second. Append message-Specifies the content for the “msg” parameter to be sent within the URL of HTTP requests
Resource internal.
-This value is unique since it seems to contain a typo which is caused by placing the “User Agent:” string inside the user agent value itself.Resource internal.
Resource internal.
Resource internal.
Internal resources.
-Taken from Radware internal resources.
The image above shows how the agent controls the Botnet: The „Today‟ and „Online‟ shows the number of computers under its control, the „URLs‟ specify the URLs to be attacked, the „Flows‟ specify the attack vector and attack intensity, and the „Start‟ and „Stop‟ allows the agent to inflict pain and voluntarily stop it.