Cyber Attacks: No One Immune, Few Prepared · vendor, hybrid solution that can protect networks and...

Adrian Crawley, Regional Director, Northern Europe · September 9, 2016 · 31 slides

Transcript of Cyber Attacks: No One Immune, Few Prepared

Page 1: Cyber Attacks: No One Immune, Few Prepared

Adrian Crawley, Regional Director, Northern Europe

September 9, 2016

Page 2: The rise of automation

Image captions: The stock market – 1980 / The stock market – 2010

Page 3: The rise of automation

Image captions: Self-delivering packages / Self-driving buses

Page 4: “By 2018, the fastest-growing companies will have fewer employees than instances of smart machines”

Source: “Top Strategic Digital Predictions”, Gartner technology research, 2015

Page 5: There are more things to attack, and more things that attack you

Page 6: There are more sensitive things to attack

Page 7: We’re seeing more attacks. No one is immune.

Page 8: Over 90% Experienced Attacks in 2015

- Half of organizations experienced DDoS and phishing attacks
- Almost half had worm and virus damage
- One in ten (9%) have not experienced any of the attacks mentioned

Q: What type of attack have you experienced?

- DDoS: 51%
- Phishing: 50%
- Worm and Virus Damage: 47%
- Unauthorized Access: 34%
- Criminal SPAM: 29%
- Fraud: 25%
- Advanced Persistent Threat: 23%
- Theft of Prop.…: 15%
- Corporate/Geo-political…: 7%
- None of the above: 9%

Page 9: Increased Attacks on Education and Hosting

Comparing to 2014:

- Most verticals stayed the same
- Education and Hosting – increased likelihood
- Growing number of “help me DDoS my school” requests
- Motivations vary for Hosting: some target end customers, some target the hosting companies

[Chart: likelihood of attack by vertical, 2015 and change from 2014]

Page 10: Everyone Is a Target

- OpIcarus – Financial Institutions (Feb–June 2016)
- Web Hosting Companies under attack (Feb–April 2016)
- India vs. Pakistan Conflict Goes Cyber (Jan–May 2016)
- COMELEC Philippines Election Breach (May 2016)

Page 11: DDoS Continues to Lead as Biggest Threat

DDoS attacks and unauthorized access are the main causes of harm to organizations

Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?

[Chart: responses by attack type; axis 0–60%]

Page 12: We’re seeing more sophisticated, automated attacks

Page 13: Attacker Motivation is Shifting

- More than 50% increase in ransom as a motivator for attackers
- Motivation behind cyber-attacks is still largely unknown
- One-third cited political/hacktivism
- About a quarter referenced competition, ransom, or angry users

Q: Which of the following motives are behind any cyber-attacks your organization experienced?

[Chart: Increase in Ransom as a Motive – motives cited in 2014 vs. 2015; axis 0–70%]

Page 14: More than a Third Experienced Ransom or SSL/TLS-Based Attacks

- More than a third reported having experienced either a ransom attack or an SSL- or TLS-based attack
- Consistent with increased public interest and concerns over these types of attacks

Q: Have you experienced any ransom attacks this year?

Q: Have you experienced encrypted SSL or TLS-based attacks?

- Ransom attacks: 37% yes (63% no)
- SSL or TLS-based attacks: 35% yes (65% no)

Page 15: Similar Frequency for Network and Application Attacks

[Chart: stacked 100% bars for Network Attacks and Application Attacks; legend: Rarely–Never, Daily / Weekly / Monthly; axis 0–100%]

Call-outs: 38-42% and 38-52% experienced Network attacks and Application attacks daily, weekly or monthly

Page 16: How ProtonMail survived an Advanced Persistent DDoS attack

Page 17: Email Service Providers Under Attack

- Ransom attacks against email service providers
- Original ransom source: The Armada Collective
- Targets include ProtonMail, Neomailbox, VFEmail, Hushmail, Fastmail, Zoho and Runbox

Page 18: Who is The Armada Collective?

Background: Either originating from DD4BC or acting as a copycat and using their methods. Focused on hosting providers, e-commerce and financial services, primarily in Europe. Two companies we know of have already been taken down.

Strategy:

- Customers will receive a ransom mail asking for 30 bitcoins (5.600 € – 8.400 €).
- A warning attack follows within minutes. If payment is refused, attacks increase to up to 1TB.
- Targeted – emails sent to dedicated and named internal recipients.
- They do their homework – if the victim has strong DDoS protection, they will not go after it.
- They only attack when they can create real damage.

Attack Methods: Current vectors are amplification attacks (NTP, RIP reflection amplification). Warning attacks up to 20GB.

Risk: Affected organizations have a short time to act and prepare. Very high risk – aggressive and professional attackers. Proven results with high volume and taking down companies.

Page 19: ProtonMail Ransom Attack Case

Swiss-based encrypted email service provider

- In Nov 2015 experienced back-to-back attacks initiated through a ransom request.
- Over the course of 7-10 days, experienced multiple attack vectors at high volume.
- Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks.

Page 20: ProtonMail Attack – A Look Inside Persistent Denial of Service Attacks

[Chart: ProtonMail Attack Volume, Mitigated by Radware; vertical axis 0–60; series: Network, Application]

Attack vectors in the chart: UDP Flood, DNS Reflection, TCP RST Flood, NTP Reflection, TCP-SYN, SSDP, TCP Out-of-State, HTTP/S SYN Flood, SYN-ACK, ICMP
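Slide 18 names NTP and RIP reflection amplification as the Armada Collective's vectors, and the chart above lists DNS, NTP and SSDP reflection among the vectors seen against ProtonMail. The Python script below is an added example for this transcript, not Radware's code and not ProtonMail data: it triages constructed flow records and reports each (victim, reflector service) group that carries the signature of a reflection flood, meaning UDP traffic arriving from a reflector's well-known port, from many distinct sources, with large packets and a high aggregate bit rate. The reflector port table, the thresholds and the sample flows are assumptions made for the demo.

```python
"""Triage of reflection/amplification floods from flow records.

Added example for this transcript; not Radware's code and not ProtonMail data.
The reflector port table, thresholds and sample flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their well-known port.
# Reflected traffic reaches the victim with this port as the *source* port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 520: "RIP"}


@dataclass(frozen=True)
class Flow:
    src: str        # address the packets came from (the reflector)
    dst: str        # address they were sent to (the suspected victim)
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    bytes: int
    window_s: int   # seconds of observation the counters cover


def triage(flows, min_sources=20, min_avg_pkt=400, min_mbps=50.0):
    """Group UDP flows by (victim, reflector service) and return the groups
    that look like a reflection flood, highest bit rate first.

    A reflection flood stands out on three axes at once: many distinct
    reflectors converge on one victim, the replies are far larger than the
    spoofed requests that triggered them, and the aggregate rate is high.
    Ordinary DNS or NTP traffic fails at least one of the three tests."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0, "window": 0})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        g = groups[(f.dst, REFLECTOR_PORTS[f.sport])]
        g["sources"].add(f.src)
        g["packets"] += f.packets
        g["bytes"] += f.bytes
        g["window"] = max(g["window"], f.window_s)

    findings = []
    for (victim, service), g in groups.items():
        avg_pkt = g["bytes"] / g["packets"]
        mbps = g["bytes"] * 8 / g["window"] / 1e6
        if (len(g["sources"]) >= min_sources
                and avg_pkt >= min_avg_pkt and mbps >= min_mbps):
            findings.append({
                "victim": victim, "service": service,
                "sources": len(g["sources"]),
                "avg_pkt_bytes": round(avg_pkt), "mbps": round(mbps, 1),
            })
    return sorted(findings, key=lambda x: -x["mbps"])


def sample_flows():
    """Constructed flows for one 10 s window (not real data): 200 NTP
    reflectors hitting one victim, plus benign DNS, NTP and TCP traffic
    that must not raise an alarm."""
    victim = "203.0.113.10"
    flows = [
        Flow(src=f"192.0.2.{i}", dst=victim, proto="udp", sport=123,
             dport=40000 + i, packets=1000, bytes=468_000, window_s=10)
        for i in range(200)
    ]
    # A resolver answering a client: one source, small packets.
    flows.append(Flow("10.0.0.53", "10.0.1.7", "udp", 53, 51234, 50, 6_000, 10))
    # A normal NTP sync: tiny packets, negligible rate.
    flows.append(Flow("10.0.0.123", "10.0.1.7", "udp", 123, 123, 2, 152, 10))
    # TCP is out of scope for this detector entirely.
    flows.append(Flow("10.0.1.7", victim, "tcp", 44321, 443, 30, 4_500, 10))
    return flows


if __name__ == "__main__":
    for finding in triage(sample_flows()):
        print(finding)
```

The reported Mbps is what you would compare against the warning-attack and full-attack sizes quoted on slide 18 to decide whether to divert traffic to a scrubbing service; on real flow exports, feed the records for one export interval into `triage` and use that interval as `window_s`.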

Page 21: Why aren’t we surviving? Few prepared.

Page 22: Existing Solutions – Multiple and Manual

- Over 80% of solutions require a medium to high degree of manual tuning
- Less than 20% require a low degree and are considered mostly automatic
- Multiple solutions used by almost all (91%)
- Only 6% use only one solution against cyber-attacks

Q: What degree of manual tuning or configuration does your current solution require?

- High degree: 24%
- Medium degree: 58%
- Low degree: 17%

Page 23: Protection Gaps – Across the Board

- A true protection gap for most organizations today
- Weaknesses spread evenly among all attack types
- Volumetric and HTTPS/SSL protection lead the gap

Q: Where, if at all, do you think you have a weakness against DDoS attacks?

[Chart: share of respondents per weakness category, ranging from 19% to 33%; axis 0–40%]

Page 24: We’re bringing a knife to a gun-fight

Page 25: It’s time to bring a gun to a gun fight

Page 26: Hybrid Solution is Needed

Multi-vector attacks target all layers of the infrastructure

[Diagram: traffic path Internet Pipe → Firewall → Load Balancer/ADC → Server Under Attack → SQL Server]

Attack vectors shown along the path: large volume network flood attacks, Syn Floods, Network Scan, “Low & Slow” DoS attacks (e.g. Slowloris), HTTP Floods, SSL Floods, App Misuse, Brute Force, XSS, CSRF, SQL Injections

Protection layers shown: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS/IDS, WAF, SSL protection

Page 27: Automated & Synchronized Solution

All security elements exchange Defense Messaging for more accurate detection and protection and minimal impact on service-level

[Diagram: On-Premise and In-the-Cloud elements exchanging Defense Messaging]

Page 28: Behavioral-Based Detection

To prevent service-level impact on legitimate traffic

[Chart: Behavioral-Based Detection (Radware) vs. Rate-Based Detection (Non-Radware)]
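The slide contrasts rate-based detection with behavioral-based detection: a fixed rate threshold cannot tell a legitimate surge from a flood, so it ends up impacting legitimate traffic. The Python script below is an added example for this transcript, not Radware's detection logic. It runs a fixed-threshold detector and a baseline-learning detector over constructed one-second request windows (a normal period, a legitimate flash crowd, and an HTTP flood from a handful of sources). The feature choice (requests per source, share of the busiest path), the deviation factors and the traffic generator are assumptions made for the demo.

```python
"""Rate-based vs. behavioral DoS detection on HTTP request windows.

Added example for this transcript; not Radware's detection logic. Requests
are (source_ip, path) pairs grouped into one-second windows, all constructed
inline; features and thresholds are assumptions for the demo.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class WindowFeatures:
    requests: int
    reqs_per_source: float  # requests divided by distinct source addresses
    top_path_share: float   # fraction of requests hitting the single busiest path


def features(window):
    """window: list of (src_ip, path) requests observed in one second."""
    n = len(window)
    if n == 0:
        return WindowFeatures(0, 0.0, 0.0)
    sources = {src for src, _ in window}
    busiest = Counter(path for _, path in window).most_common(1)[0][1]
    return WindowFeatures(n, n / len(sources), busiest / n)


def rate_based(window, max_rps=500):
    """Classic threshold: alarm whenever the request count exceeds a fixed rate,
    no matter who sent the requests or what they asked for."""
    return features(window).requests > max_rps


class BehavioralDetector:
    """Learns what normal traffic looks like during a training period, then
    alarms only when the *shape* of traffic departs from that baseline:
    far more requests per source than usual, or a single path absorbing
    far more than its usual share. Raw volume on its own does not alarm."""

    def __init__(self, per_source_factor=3.0, concentration_factor=2.0):
        self.baseline = None
        self.per_source_factor = per_source_factor
        self.concentration_factor = concentration_factor

    def train(self, windows):
        feats = [features(w) for w in windows]
        self.baseline = WindowFeatures(
            sum(f.requests for f in feats) / len(feats),
            sum(f.reqs_per_source for f in feats) / len(feats),
            sum(f.top_path_share for f in feats) / len(feats),
        )

    def is_attack(self, window):
        if self.baseline is None:
            raise RuntimeError("train() must run before is_attack()")
        f, b = features(window), self.baseline
        return (f.reqs_per_source > b.reqs_per_source * self.per_source_factor
                or f.top_path_share > b.top_path_share * self.concentration_factor)


# ---- constructed traffic (not real data) ----
# Path mix for normal browsing; "/" takes 3/8 of requests, the busiest share.
PATHS = ["/", "/", "/", "/login", "/search", "/api/items", "/static/app.js", "/static/app.js"]


def make_window(n_requests, n_sources, path=None):
    """One second of traffic: n_requests spread round-robin over n_sources
    addresses; paths follow PATHS cyclically unless a single path is forced."""
    window = []
    for i in range(n_requests):
        k = i % n_sources
        src = f"10.{k // 256}.{k % 256}.1"
        window.append((src, path or PATHS[i % len(PATHS)]))
    return window


NORMAL = [make_window(96, 80) for _ in range(60)]           # a quiet minute
FLASH_CROWD = make_window(2000, 1500)                        # many real users, normal path mix
HTTP_FLOOD = make_window(2000, 40, path="/search")           # few sources hammering one URL


def compare():
    """Run both detectors on the two surge scenarios; returns nested verdicts."""
    det = BehavioralDetector()
    det.train(NORMAL)
    return {
        "flash_crowd": {"rate_based": rate_based(FLASH_CROWD), "behavioral": det.is_attack(FLASH_CROWD)},
        "http_flood": {"rate_based": rate_based(HTTP_FLOOD), "behavioral": det.is_attack(HTTP_FLOOD)},
    }


if __name__ == "__main__":
    for scenario, verdicts in compare().items():
        print(scenario, verdicts)
```

The flash crowd and the flood carry the same 2000 requests per second, so the rate-based detector blocks both and the legitimate surge pays the price; the behavioral detector sees the flash crowd keep the baseline's requests-per-source and path mix and lets it through, while the flood's 50 requests per source on a single URL trips both learned limits. On a real feed, the training windows must come from a period known to be clean, and the baseline should be re-learned as the site's normal traffic shape changes.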

Page 29: Automation in Attack Mitigation

Adaptive & Automated Security Protection

- Anti-Bot Device Fingerprinting: Operating System, System Fonts, Browser Plug-ins, Screen Resolution, Local IPs
- Real-Time Signature Generation

Call-out: 18 SECONDS

Page 30: Summary: What Can You Do?

Preparedness is Key. Multi-layered solutions are a Must. Services are Important.

- Bet on Automation. It has become necessary to fight automated threats with automation technology.
- Cover the Blind Spot. Choose a solution with the widest coverage to protect from multi-vector attacks.
- Multi-Layered Solution. Look for a single-vendor, hybrid solution that can protect networks and applications from a wide range of attacks, and includes DoS protection, behavioral analysis, IPS, encrypted attack protection and web application firewall (WAF).
- Protect from Encrypted Attacks. SSL-based DDoS mitigation solution deployments must not affect legitimate traffic performance.
- A single point of contact is crucial when under attack – it will help to divert internet traffic and deploy mitigation solutions.

Page 31: