Stock Exchanges in the Line of Fire-Morphology of Cyber Attacks

Posted on 15-Jan-2015


Description

Stock exchanges are constantly targeted by cyber attacks. This presentation walks through several real-life attack case studies, covering attack vectors, motivations, impacts and mitigation techniques.

Transcript of Stock Exchanges in the Line of Fire-Morphology of Cyber Attacks

Session ID: HT-R33
Session Classification: Intermediate
Ziv Gadot, Radware

Stock Exchanges in the Line of Fire – Morphology of Cyber Attacks

► It is Too Easy to Cause Impact
► ‘Attack Campaign’ - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach

Agenda

2 Case Studies

Case Study I – Day I

10:51 Attack begins:
- UDP flood
- HTTP flood
- FIN+ACK flood
- Empty connection flood
Target: Stock Exchange News Site
Protection: Partial
Impact: Heavy – 4 hour outage to News Site; collateral damage to other sites

13:30 Noon trading opens, but trade is closed for several companies
16:00 Trading ends for the day
Evening: Mitigation equipment is deployed and configured; attacks halted (temporarily)

Network Impact: Severe
Business Impact: Severe

Day I – attack timeline chart (x-axis: hour)

Day I – Attack Vectors

Attack Vector            Confirmed Measurement
UDP Flood                44 Mbps
HTTP Flood               40K Concurrent Con.
Empty Connection Flood   5.2K PPS
FIN+ACK                  4 Mbps

Impact columns on the slide: Pipe Saturation, FW CPU 100%, Web Server Outage (each vector is marked against two of the three).
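The measurements in the table above, as an added Python example (not code from the talk or from Radware's equipment): a small classifier that turns one second of flow records into the four numbers and flags each vector against a threshold. The record layout, the thresholds and the traffic are all assumptions; the sample is constructed to reproduce the Day I figures and is not captured data.

```python
"""Classify one second of flow records into the four Day I attack vectors.

Added example, not from the talk. The record layout, the thresholds and the
sample traffic below are assumptions; the sample is constructed to reproduce
the Day I measurements (44 Mbps UDP, 40K HTTP connections, 5.2K PPS empty
connections, 4 Mbps FIN+ACK) and is not captured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dport: int
    proto: str      # "udp" or "tcp"
    flags: str      # TCP flags seen in the flow: S=SYN, A=ACK, F=FIN, P=PSH ("" for UDP)
    packets: int
    bytes: int      # bytes on the wire, all packets of the flow
    payload: int    # application-layer bytes (0 for a connection that sends nothing)


# Assumed alert thresholds per one-second window; tune against your own baseline.
THRESHOLDS = {
    "UDP Flood": 20.0,                 # Mbps into the pipe
    "HTTP Flood": 10_000,              # concurrent established connections to port 80
    "Empty Connection Flood": 1_000,   # packets/s from handshakes that never send data
    "FIN+ACK Flood": 1.0,              # Mbps of FIN+ACK segments with no SYN in the flow
}


def measure(flows, window_s=1.0):
    """Return {vector: measurement} over a window of window_s seconds."""
    udp_bytes = finack_bytes = empty_pkts = 0
    http_conns = set()
    for f in flows:
        if f.proto == "udp":
            udp_bytes += f.bytes           # pipe saturation: volume is all that matters
            continue
        established = "S" in f.flags and "A" in f.flags
        if established and f.dport == 80 and f.payload > 0:
            http_conns.add((f.src, f.sport))   # a real request on a real connection
        elif established and f.payload == 0:
            empty_pkts += f.packets        # handshake + teardown, never a byte of data
        elif f.flags == "FA":
            finack_bytes += f.bytes        # FIN+ACK that closes nothing: stateless junk

    def mbps(n_bytes):
        return n_bytes * 8 / 1e6 / window_s

    return {
        "UDP Flood": mbps(udp_bytes),
        "HTTP Flood": len(http_conns),
        "Empty Connection Flood": empty_pkts / window_s,
        "FIN+ACK Flood": mbps(finack_bytes),
    }


def classify(flows, window_s=1.0):
    """Names of the vectors whose measurement reaches its threshold, sorted."""
    m = measure(flows, window_s)
    return sorted(v for v, x in m.items() if x >= THRESHOLDS[v])


def sample_flows():
    """Constructed one-second sample (not a capture) sized to the Day I table."""
    flows = []
    # 4,000 UDP datagrams of 1,375 bytes = 5.5 MB = 44 Mbps
    flows += [Flow(f"10.1.{i // 256}.{i % 256}", 40000 + i, 53, "udp", "", 1, 1375, 1347)
              for i in range(4000)]
    # 40,000 distinct established HTTP connections, each carrying one request
    flows += [Flow(f"10.2.{i // 256 % 256}.{i % 256}", 1024 + i, 80, "tcp", "SAP", 5, 600, 300)
              for i in range(40000)]
    # 1,300 empty connections x 4 packets (SYN, SYN/ACK, ACK, FIN) = 5,200 pps
    flows += [Flow(f"10.3.{i // 256}.{i % 256}", 1024 + i, 80, "tcp", "SAF", 4, 240, 0)
              for i in range(1300)]
    # 5,000 stray FIN+ACK segments of 100 bytes = 0.5 MB = 4 Mbps
    flows += [Flow(f"10.4.{i // 256}.{i % 256}", 1024 + i, 80, "tcp", "FA", 1, 100, 0)
              for i in range(5000)]
    return flows


if __name__ == "__main__":
    for vector, value in measure(sample_flows()).items():
        print(f"{vector:24s} {value:>10.1f}")
    print("triggered:", classify(sample_flows()))
```

The point of keeping the four measurements separate is that each one maps to a different choke point in the table: bytes per second for the pipe, connection and packet counts for the firewall state table and the web server. A single "bandwidth" alarm would have seen only the 44 Mbps UDP flood and missed the three TCP vectors that did the real damage.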

Day I: Media Coverage

“Attack on stock exchange triggers halt in trade”
“Stock exchange hit by hackers”

Enormous Negative Psychological Impact

The Media Impact

Stock exchange environment
Malicious attack campaign
1 Stock Exchange = 5 Banks = 5 Government Sites

Case Study I – Day 2

08:00 Additional mitigation actions; organization is concerned about false positives
10:36 Attack begins: HTTP Flood
Target: Stock Exchange News Site
Protection: Connection Rate Limit + Temp ACL
Impact: 10-15 minutes slowness/outage

Network Impact: Low
Business Impact: None

Day 2

“Stock exchange IT have been working intensively to resolve all issues”
“Experts successfully implemented a protection against the attacks”
“Additional measures were taken such as a redundant New Site”

Case Study I – Day 3

08:00 Security configuration is enforced (“War Time” configuration)
10:36 Attack begins: HTTP Flood
Target: Stock Exchange News Site
Protection: Connection limit + Temp ACL

Network Impact: None
Business Impact: None

Day 3

Legitimate traffic monitoring
TCP connection flood detected and mitigated immediately

Day 3

13:32 Attack begins: UDP Flood (two minutes after noon trading begins)
Target: Stock Exchange News Site
Protection:
- Behavioral technologies (primary)
- Connection Limit
- Blacklisting
Impact: None
Forensic: Attacker IP detected (eventually led to arrest)

Network Impact: None
Business Impact: None

Attack begins but is quickly mitigated
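The Day 2 and Day 3 control, a per-source connection limit backed by a temporary ACL, as an added Python illustration (this is not the mitigation equipment used on the exchange). The limit, the window and the ACL lifetime are assumed values; the traffic timeline is constructed: one busy office NAT address that must not be blocked (the false-positive worry from Day 2) and one flooding source that comes back after its ACL entry expires.

```python
"""Connection rate limit with a temporary ACL, the Day 2/3 control, in miniature.

Added example, not the mitigation equipment used on the exchange. The limit,
the window and the ACL lifetime are assumed values; the traffic timeline is
constructed (one busy office NAT address, one flooding source) and is not
captured data.
"""
from collections import defaultdict, deque


class ConnectionLimiter:
    """Per-source sliding-window connection limit; offenders go on a temporary ACL."""

    def __init__(self, max_conns=50, window_s=1.0, block_s=300.0):
        self.max_conns = max_conns          # new connections a source may open per window
        self.window_s = window_s
        self.block_s = block_s              # lifetime of a temporary ACL entry
        self.recent = defaultdict(deque)    # src -> timestamps of accepted connections
        self.blocked_until = {}             # src -> expiry: this is the temporary ACL
        self.log = []                       # (ts, src, action) kept for forensics

    def allow(self, ts, src):
        """Return True if the connection attempt at time ts from src is accepted."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                self.log.append((ts, src, "drop:acl"))   # cheap drop, no state touched
                return False
            del self.blocked_until[src]                  # entry expired: second chance
        q = self.recent[src]
        while q and ts - q[0] >= self.window_s:          # slide the window forward
            q.popleft()
        if len(q) >= self.max_conns:
            self.blocked_until[src] = ts + self.block_s  # over the limit: add ACL entry
            q.clear()
            self.log.append((ts, src, "block"))
            return False
        q.append(ts)
        return True

    def active_acl(self, ts):
        """Sources currently on the temporary ACL (the list handed to forensics)."""
        return sorted(s for s, exp in self.blocked_until.items() if ts < exp)


def simulate(events, limiter=None):
    """Feed (ts, src) connection attempts to the limiter; return ({src: accepted}, limiter)."""
    limiter = limiter or ConnectionLimiter()
    accepted = defaultdict(int)
    for ts, src in sorted(events):
        if limiter.allow(ts, src):
            accepted[src] += 1
    return dict(accepted), limiter


def sample_events():
    """Constructed timeline: a NAT address at 20 conn/s for 60 s, an attacker at 1,000 conn/s."""
    events = [(i / 20, "198.51.100.7") for i in range(60 * 20)]      # legitimate, below limit
    events += [(i / 1000, "203.0.113.9") for i in range(10 * 1000)]  # 10 s flood
    # The attacker returns after the ACL entry has expired and is capped again.
    events += [(301 + i / 1000, "203.0.113.9") for i in range(1000)]
    return events


if __name__ == "__main__":
    accepted, lim = simulate(sample_events())
    print("accepted per source:", accepted)
    print("blocks:", [e for e in lim.log if e[2] == "block"])
    print("ACL at t=302:", lim.active_acl(302.0))
```

Two design points matter in practice. The limit has to sit above the rate a legitimate NAT or proxy address produces at its peak, which is why Day 2 started with a measured baseline rather than a guess; and the ACL entry must expire, otherwise an attacker who spoofs or cycles through a partner's address range turns your own blacklist into the outage. The `log` list is what eventually gives forensics the attacker address that Day 3 mentions.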

Case Study I – Week 2

► Stock Exchange remains in highest alert
► Eventually there were no serious attacks
► Protect additional networks
► Forensic process (with police)
► Arrests

It is Too Easy to Cause Impact

Diagram – HTTP Flood Impact: an HTTP flood travels the Internet Pipe, L3 Router and Firewall to the web tier (Static Content, Trade/Financial Announcements, Trading API); outcome: Psychological Impact, Trade Disruption.

Diagram – UDP Flood Impact: a UDP flood against the Internet Pipe, L3 Router and Firewall in front of Static Content, Trade/Financial Announcements and the Trading API; outcome: Psychological Impact, Trade Disruption.

Diagram – SYN Flood Impact: a SYN flood through the Internet Pipe and L3 Router against the Firewall, behind which sit Static Content, Trade/Financial Announcements and the Trading API; outcome: Psychological Impact, Trade Disruption.

2010 – no Real Protection
Diagram: HTTP Flood, UDP Flood and SYN Flood reach the Stock Exchange directly.

2011 – Protection Deployed
Diagram: Protection sits in front of the Stock Exchange against HTTP Flood, SYN Flood and UDP Flood.

2012 – Protection Enforced
Diagram: Protection in front of the Stock Exchange; alongside HTTP Flood, UDP Flood and SYN Flood the attackers bring Slow Rate Flood and Image Download Flood.

Attackers will eventually find the weakest link!

Political/Hacktivist’s Bull’s Eye – Ideal

Political/Hacktivist’s Bull’s Eye – Realistic

Case Study 2 – Israel Cyber Attack, Jan 2012

January 3: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
January 16, early morning: 0xOmar and the pro-Palestinian “Nightmare” hacker group send an email to the Jerusalem Post threatening to attack the EL-AL website.
9:30 AM: EL-AL, the Tel Aviv Stock Exchange and several banks are attacked and are unavailable for hours.
January 17: Israeli hacker group “IDF-Team” retaliates by attacking the Saudi and UAE stock exchange websites.
January 18: Additional Israeli websites are targeted.

Case Study 2

CDN – False Sense of Security
Diagram: legitimate traffic is served through the CDN; the attacker bypasses the CDN and attacks the site directly.

► “HTTP Dynamic GET Request Flood”
► Requests carrying an invalid random parameter evade the CDN service

TASE Attack (Estimated)

Attack Vector 2: requests carrying “Pragma: no-cache”

► HTTP Dynamic Flood
► HTTP Static Flood
► UDP Flood
► SYN Flood
► UDP Fragmented Flood

Attack Vector Summary
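The two CDN-evasion vectors above, the random-parameter GET flood and the Pragma: no-cache requests, as an added Python example that is neither the CDN's nor TASE's configuration. A pass-through cache keys every object on the full URL and honours the client's Pragma: no-cache, so each randomised request reaches the origin; the hardened key keeps only the query parameters the origin actually uses (an assumed allow-list) and ignores client cache hints for cacheable paths. The requests and the toy origin are constructed.

```python
"""Why random query parameters and Pragma: no-cache bypass a CDN, and one fix.

Added example, not the configuration of any real CDN or of TASE. The request
lines, the allowed-parameter list and the toy origin are assumptions.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed: the parameters the origin honours per cacheable path. Anything else
# in the query string cannot change the response and must not change the key.
ALLOWED_PARAMS = {"/news": {"page", "lang"}}


def naive_cache_key(method, path_qs, headers):
    """Pass-through behaviour: every distinct URL is a distinct object, and a
    client Pragma: no-cache forces a trip to the origin (None = bypass)."""
    if headers.get("pragma", "").lower() == "no-cache":
        return None
    return f"{method} {path_qs}"


def hardened_cache_key(method, path_qs, headers):
    """Normalise the key: keep only allowed parameters, sort them, and ignore
    client cache hints. Unknown paths stay uncacheable (None)."""
    parts = urlsplit(path_qs)
    allowed = ALLOWED_PARAMS.get(parts.path)
    if allowed is None:
        return None
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in allowed)
    return f"{method} {parts.path}?{urlencode(kept)}"


class Origin:
    """Toy origin server that only counts how many requests the CDN let through."""

    def __init__(self):
        self.hits = 0

    def serve(self, what):
        self.hits += 1
        return f"<html>{what}</html>"


def replay(requests, key_fn):
    """Push (method, path+query, headers) requests through a cache keyed by key_fn.
    Returns (origin hits, number of cached objects)."""
    origin, cache = Origin(), {}
    for method, path_qs, headers in requests:
        key = key_fn(method, path_qs, headers)
        if key is None:
            origin.serve(path_qs)           # bypass: origin pays for every request
            continue
        if key not in cache:
            cache[key] = origin.serve(key)  # miss: origin pays once per key
    return origin.hits, len(cache)


def flood_requests(n):
    """Constructed 'HTTP Dynamic GET Request Flood': the same page, a fresh random
    parameter on every request, plus the Pragma: no-cache header from vector 2."""
    return [("GET", f"/news?page=1&x{i:05d}=r{i * 7919 % 100003}", {"pragma": "no-cache"})
            for i in range(n)]


if __name__ == "__main__":
    flood = flood_requests(500)
    print("pass-through CDN, flood with Pragma  :", replay(flood, naive_cache_key))
    print("pass-through CDN, flood without Pragma:",
          replay([(m, p, {}) for m, p, _ in flood], naive_cache_key))
    print("normalised key, same flood           :", replay(flood, hardened_cache_key))
```

With the pass-through key the flood is indistinguishable from 500 uncacheable requests and the CDN forwards all of them, which is exactly the "false sense of security" on the slide. With the normalised key the 500 requests collapse to one object and one origin hit; the random parameter is discarded before it can poison the key, and the client's Pragma header is simply not consulted for a path the operator has declared cacheable.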

‘Attack Campaign’ - Morphology

Attack Campaign Morphology
Diagram (timeline): Reconnaissance → Test Fire → Heads Up → Attack Begins → Service Disruption → Automatic Mitigation → Manual Mitigation → New Attack Vectors → Service Disruption → Mitigation Continued → Attack Ends → Forensic

Resolution: Transition from a 2-phase security approach to a 3-phase security approach

2-Phase Security Model
Diagram (time axis): “Peace” Period = Pre-attack Phase → Attack Period → “Peace” Period = Post-attack Phase. The Attack Period is left to Automatic Mitigation (no time for human interaction).

3-Phase Security Model
Diagram (time axis): “Peace” Period (Pre-attack Phase) → Attack Period → “Peace” Period (Post-attack Phase).
THE SECURITY GAP: Attacker has time to bypass automatic mitigation. Defenders have no skill/capacity to sustain it.

Industry Security Survey: How much did your organization invest in each of the following security aspects in the last year?
Chart (share of investment Before / During / After an attack, 0–45%): Procedures, Human skills, Equipment
Source: Radware 2012 Global Application and Network Security Report


Be prepared for prolonged attacks!

3-Phase Security

“Peace” Period – Pre-attack Phase: Response Team
Attack Period: Response Team
“Peace” Period – Post-attack Phase: Response Team

Response Team: 24x7x365, Trained, Experienced; Active Mitigation, RT Intel, Counterattack

Summary

► It is Too Easy to Cause an Impact
► ‘Attack Campaign’ - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach

Q & A

Ziv Gadot, Radware – zivg@radware.com