Source: sites.ieee.org/njcoast-mscs/files/2015/11/Louis-Scialabba-Nov-2015... · November 16, 2015

November 16, 2015

Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can’t See

Louis Scialabba

Carrier Solutions Marketing

Nov 2015

Page 2

Topics

• What’s New in Cybersecurity

• An Attack Mitigation Network Architecture

o Building a Better Mousetrap

o Reference Use Cases

o A Case Study

o Summary

Page 3

Security Report Update – What’s Trending?

The Rise of the Continuous Attack

No One is Immune - Unexpected Targets

Internet Pipe – 2014’s #1 Failure Point

Reflective Attacks – the Largest DDoS Headache

Application Attacks on the Rise

Hybrid Solutions are Gaining Ground

Cloud, IoT & SDN are Changing the Rules of the Game

Losing Sleep in the C-suite


Page 4

Motivations Behind Attacks are Changing


Cyber Crime – Financial gain is the primary motive

Hacktivism – Driven by ideological differences

Espionage – Gaining information for political, financial or competitive leverage

War – Damage/destroy centers of power, military or non-military

Page 5

No One is Immune – Unexpected Targets

Threats in new industries, organizational sizes and technology deployments

Healthcare and Education – unexpected targets now at risk

Gaming, Hosting and ISP companies – increased likelihood

Financial Services – the only industry to have a reduced risk

[Chart: likelihood of attack by industry, 2014 change from 2013]

Page 6

Why Should You Care?

Today more than ever, TIME IS MONEY

1 minute outage: -$11,000 loss per server*

Annual cost: -$5,780,000 per server*

* Representing lost revenues from an SLA breach | Based on 99.9% availability

Page 7

Did You Know?

Attacks evenly split across network and application layers

Web-based attacks remain the single most common attack vector

– 1 in every 4 are HTTPS

Increased reflective attacks cause UDP attacks to increase

– From 7% in 2013 to 16% in 2014

Reflective attacks represent 2014’s single largest DDoS “headache”

[Pie chart: attack vectors by share. Network 51% (TCP-SYN Flood, TCP-Other, UDP, ICMP, IPv6 1%) vs. Application 49% (Web HTTP/HTTPS, DNS, SMTP, VoIP 1%)]

Page 8

Carrier Threats Lurking in the Shadows

Page 9

Multi-Vector Attacks

[Diagram: attack vectors mapped onto the network path, with the matching protection at each point. Path elements: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server]

Attack vectors: large volume network flood attacks; SYN floods; network scan; “Low & Slow” DoS attacks (e.g. Sockstress); HTTP floods; SSL floods; app misuse; brute force; XSS, CSRF, SQL injections

Protections: cloud DDoS protection; DoS protection; behavioral analysis; IPS; WAF; SSL protection

Page 10

Attack Mitigation Architecture

Page 11

Attack Mitigation Pillars

Detection · Mitigation · Operation · Collection

Page 12

How Can You Protect From Something You Don’t See?

Multilayer Detection is Critical!

Non-Radware: Network Attacks; Application Attacks

Radware: Network Attacks; Application Attacks; Source IP-agnostic detection; Encrypted SSL-based attacks; Beyond HTTP (SMTP, FTP, SQL); OpenFlow-based Detection; Encapsulated attacks

Page 13

Radware Mitigation Elements

DefensePro – Real-time attack mitigation device providing layer 4-7 multi-attack coverage

DefenseFlow – Network-wide attack detection and cyber command and control

AppWall – Web Application Firewall (WAF) providing full coverage of OWASP top-10 threats

Page 14

Robust Data Collection

Multi-source collection ensuring 100% attack coverage

[Diagram: collection sources feeding Command & Control]

Sources: CheckPoint DDoS Protector; Cisco FirePower 9300; Radware Virtual & Physical Appliances (L3-4-7 Collection); 3rd Party Detection Devices (NetFlow, SIEM, …); Radware Flow Collector (NetFlow); SDN Enabled Devices (OpenFlow / OpenDaylight)

Page 15

Behavior-Based vs. Rate-Based Detection

To prevent service-level impact on legitimate traffic

Behavior-Based Detection (Radware) vs. Rate-Based Detection (Non-Radware)

Page 16

[Charts: TCP Flag Distribution Analysis (share of SYN, SYN-ACK, ACK, Data, RST and FIN-ACK, 0–100%) alongside Rate Analysis, shown for a Flash Crowd and for an RST Flood Attack. Rate analysis is shown for both; the TCP flag distribution is the rate-invariant behavioral analysis that distinguishes the flash crowd from the RST flood.]
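The flash-crowd vs. RST-flood contrast above, as an added Python example that is not part of the deck and not Radware's implementation: the packet samples are constructed, and the thresholds (5× the baseline rate, L1 drift above 0.25) are assumptions.

```python
"""Rate-based vs. behavior-based (TCP flag distribution) detection.
Added example (not the deck's or Radware's code). Constructed packet samples
for a baseline window, a flash crowd and an RST flood are checked two ways:
a rate threshold fires on any surge, so it cannot separate the flash crowd
from the flood; a rate-invariant check on the flag mix fires only when the
distribution drifts from the learned baseline.
"""
from collections import Counter

FLAGS = ("SYN", "SYN-ACK", "ACK", "Data", "RST", "FIN-ACK")

# Constructed samples: one flag label per packet seen in a one-second window.
BASELINE = (["SYN"] * 10 + ["SYN-ACK"] * 10 + ["ACK"] * 30
            + ["Data"] * 40 + ["RST"] * 2 + ["FIN-ACK"] * 8)
FLASH_CROWD = BASELINE * 20            # 20x the traffic, same legitimate mix
RST_FLOOD = BASELINE + ["RST"] * 1900  # same volume as the flash crowd, but RSTs

def distribution(packets):
    """Fraction of the window carried by each TCP flag combination."""
    counts = Counter(packets)
    return {f: counts.get(f, 0) / len(packets) for f in FLAGS}

def rate_alarm(packets, baseline_pps, window_s=1.0, factor=5.0):
    """Rate-based detector: alarm when packets/sec exceed factor x baseline."""
    return len(packets) / window_s > factor * baseline_pps

def behavior_alarm(packets, baseline_dist, max_l1=0.25):
    """Behavior-based detector: alarm when the flag mix drifts from baseline.
    The L1 distance between distributions is rate-invariant: scaling traffic
    up without changing the mix leaves it at zero."""
    dist = distribution(packets)
    return sum(abs(dist[f] - baseline_dist[f]) for f in FLAGS) > max_l1

def classify(packets, baseline=BASELINE):
    """Verdict of both detectors for one window against the baseline window."""
    return {"rate_based": rate_alarm(packets, len(baseline)),
            "behavior_based": behavior_alarm(packets, distribution(baseline))}

if __name__ == "__main__":
    for name, sample in (("flash crowd", FLASH_CROWD), ("RST flood", RST_FLOOD)):
        print(name, classify(sample))
```

Only the behavior-based verdict separates the two surges; the rate-based detector would throttle the flash crowd, which is exactly the service-level impact on legitimate traffic the slide warns about.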

Page 17

Beyond Primitive Source IP Blocking

Smart traffic blocking based on a Real-Time Signature that incorporates multiple parameters, compared with primitive source IP address blocking

Non-Radware: Source IP Address Only (X.X.X.X)

Radware: Signature with multiple parameters
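An added example (not from the deck, and not Radware's algorithm) of how a signature assembled from several header fields differs from source-IP-only blocking: the packet field set, the thresholds, the top-talker rule and all traffic (30 legitimate clients and a flood spread over 508 spoofed addresses, all in documentation ranges) are constructed assumptions.

```python
"""Multi-parameter real-time signature vs. source-IP-only blocking.
Added example (not the deck's or Radware's code). A (field, value) pair joins
the signature when it dominates the attack window but is rare in the learned
baseline; a packet is dropped only if every signature field matches. The
primitive alternative blocks the busiest sources, which a spoofed flood defeats.
"""
from collections import Counter
import random

FIELDS = ("ttl", "size", "flags", "dport")

def make_packets(n, src_pool, seed, **fixed):
    """Constructed traffic (assumed field set, not a real capture): src_ip from
    src_pool; other fields fixed for the flood, varied for legitimate clients."""
    rng = random.Random(seed)
    return [{"src_ip": rng.choice(src_pool),
             "ttl": fixed.get("ttl", rng.choice((52, 57, 64, 113, 128))),
             "size": fixed.get("size", rng.choice((60, 120, 576, 1400))),
             "flags": fixed.get("flags", rng.choice(("S", "A", "PA", "FA"))),
             "dport": fixed.get("dport", rng.choice((80, 443, 25)))}
            for _ in range(n)]

LEGIT = make_packets(400, [f"203.0.113.{i}" for i in range(1, 31)], seed=1)
SPOOFED = [f"198.51.100.{i}" for i in range(1, 255)] + [f"192.0.2.{i}" for i in range(1, 255)]
# Flood: one TTL, one size, one port, spread thinly over 508 spoofed sources.
ATTACK = make_packets(600, SPOOFED, seed=2, ttl=251, size=1024, flags="S", dport=53)
WINDOW = LEGIT + ATTACK

def share(packets, field, value):
    return sum(p[field] == value for p in packets) / len(packets)

def build_signature(window, baseline, min_attack=0.5, max_base=0.05):
    """Keep each field's dominant value if common in the window but rare in the
    baseline ("S" flags dominate the flood yet are normal traffic, so they are
    rejected; blocking on them alone would hit legitimate connection attempts)."""
    sig = {}
    for field in FIELDS:
        value, _ = Counter(p[field] for p in window).most_common(1)[0]
        if share(window, field, value) >= min_attack and share(baseline, field, value) <= max_base:
            sig[field] = value
    return sig

def signature_drops(packets, sig):
    """Packets the signature would drop (all fields must match)."""
    return [p for p in packets if all(p[f] == v for f, v in sig.items())]

def top_talker_block(window, n=10):
    """Source-IP-only blocking: drop the n busiest source addresses."""
    return {ip for ip, _ in Counter(p["src_ip"] for p in window).most_common(n)}

def evaluate(drop_fn):
    """(fraction of attack dropped, fraction of legitimate traffic dropped)."""
    return (len(drop_fn(ATTACK)) / len(ATTACK), len(drop_fn(LEGIT)) / len(LEGIT))
```

With the flood spread thinly across spoofed sources, the busiest addresses are the legitimate clients, so top-talker blocking drops their traffic and almost none of the flood, while the three-field signature drops the whole flood and no legitimate packet.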

Page 18

Shortest Time to Mitigate via Synchronized Operation

Radware synchronized operation = real-time mitigation engagement. Non-synchronized operation = up to 28 minutes delay.

Synchronized Operation (Radware): Attack Detection, then Attack Mitigation; the signature is synched to the Mitigation Device

Non-Synchronized Operation (Non-Radware): Attack Detection, then Attack Mitigation; the signature is regenerated from scratch by the Mitigation Device

Page 19

Real-Time Signature Generation vs. Manual

Real-Time Signature Generation (Radware): 18 SECONDS

Manual Signature Generation (Non-Radware): 30 MINUTES

Manual signature creation can take up to 30 minutes. Radware Real-Time Signature is generated in up to 18 seconds.

Page 20

Automatic vs. Labor-Intensive Operation

Manual SOC analysis is required for every attack, causing high investment in HR

Automatic Attack Blocking / Real-Time Signature Generation (Radware)

Manual Attack Blocking / Manual Signature Generation (Non-Radware)

Page 21

Complete & Automatic Attack Lifecycle Management

Lower TCO

Less dependency on HR

New service provisioning

Automatic mitigation activation

Traffic diversion

Attack termination

Page 22

Cyber Attack Protection In Action

Page 23

Use Case 1 – 3rd Party NetFlow-Based Attack Detection

[Diagram: Service Provider Network, Internet, 3rd Party NetFlow-based Attack Detector, Protected Objects, Scrubbing Center with DefensePro]

1. Attack detection by the NetFlow Attack Detector
2. DefenseFlow configures DefensePro with traffic baselines and diversion information
3. DefenseFlow diverts traffic for attack cleansing

Page 24

Use Case 2 – Radware NetFlow-Based Attack Detection

[Diagram: Service Provider Network, Internet, Radware Flow Collector, Protected Objects, Scrubbing Center with DefensePro]

1. DefenseFlow detects the attack (behavioral analysis)
2. DefenseFlow exports traffic baselines and diversion information to DefensePro
3. DefenseFlow diverts traffic for attack cleansing

Page 25

Use Case 3 – OpenFlow-Based Attack Detection

[Diagram: Service Provider Network, Internet, SDN Controller, Protected Objects, Scrubbing Center with DefensePro]

1. DefenseFlow detects the attack (behavioral analysis)
2. DefenseFlow configures DefensePro with attack information and traffic diversion
3. DefenseFlow diverts suspicious traffic for attack cleansing

Page 26

Use Case 4 – Layer-7 Attack Detection

[Diagram: Service Provider Network, Internet, Protected Objects, Scrubbing Center with DefensePro]

1. DefensePro detects the application layer (L7) attack and syncs the attack baseline to DefenseFlow
2. Radware WAF and SSL Inspection can also be utilized for advanced web tier protection
3. DefenseFlow configures DefensePro with attack information and traffic diversion
4. DefenseFlow diverts suspicious traffic for attack cleansing

Page 27

Summary of Use Cases

Case | Attack Detection | Traffic Redirection | Attack Mitigation
1 | NetFlow Attack Detector (3rd party) | BGP Redirection | DefensePro
2 | NetFlow Telemetry | BGP Redirection | DefensePro
3 | OpenFlow (SDN) Telemetry | SDN Redirection | DefensePro
4 | DefensePro (Layer-7 detection) | BGP Redirection | DefensePro

Page 28

A Case Study

Page 29

About Boston Children’s Hospital

25,000 inpatients each year and 557,000 visits

Ranked nationally in 10 pediatric specialties

200+ specialized clinical programs

Clinical operations dependent upon networked data and devices

Shared ISP services across a network of 7 other healthcare providers

Why Attack a Hospital?

Case Study #1 - Boston Children’s Hospital

Early 2014, custody dispute related to a 15-year-old in BCH’s care

Turned over to Massachusetts protective services

Group claiming affiliation with Anonymous began threatening BCH

Page 30

A Look Inside the Attack


Page 31

Attack Vectors Involved and Identified

[Diagram: vectors mapped onto the IPS/IDS, Internet Pipe, Firewall, Load Balancer/ADC, Server Under Attack, SQL Server path]

Infrastructure: UDP Fragmented Flood; DNS Reflection; UDP Flood (PPS)

State: TCP Out Of State Flood; UDP Scan; Zero Payload attacks; Zero sequence number attacks; Invalid ACK number attacks; ICMP Flood

Application: Slowloris; SQL-Injection; XSS; Worm infection - Mydoom; SIPVicious - Scanning tool; Web-etc/passwd-Dir-Traversal

Page 32

BCH Attack Analysis Summary

Duration: Total duration of the attack was over a month. Radware solution was deployed after the attack started.

Multi Vector: Total of 15 different attack vectors in the same attack campaign. As many as 6 different vectors were observed simultaneously. Mixture of web attacks and DDoS attacks - common in hacktivism-related events.

Mitigation: Proactive planning - didn’t assume they weren’t a target. Identified impacted assets and processes. Enlisted outside, expert support.

Learnings: Anyone may be a target! An integrated solution is required. Prepare a response plan.
