Attackers Vs. Defenders: Restoring the Equilibrium Ron Meyran Director of Security Marketing January 2013

Page 1: Attackers Vs. Defenders: Restoring the Equilibrium

Attackers Vs. Defenders: Restoring the Equilibrium

Ron Meyran, Director of Security Marketing

January 2013

Page 2: Attackers Vs. Defenders: Restoring the Equilibrium

AGENDA

Cyber security Statistics

About 2012 Global Security Report

Key Findings

ERT Case Studies

2013 Recommendations

Page 3: Attackers Vs. Defenders: Restoring the Equilibrium

Cyber Security Study

• A research study by Ponemon & Radware
• Surveyed 700 IT & IT Security Practitioners
• Non-Radware customers
• Release date: November 12th 2012

Page 4: Attackers Vs. Defenders: Restoring the Equilibrium

Cyber Security Business Priorities

Ranking of cyber security objectives in terms of business priority (5 = highest priority, 1 = lowest priority):

Objective          Average ranking
Interoperability   1.9
Confidentiality    2.8
Integrity          3.5
Compliance         4.4
Availability       4.7

Page 5: Attackers Vs. Defenders: Restoring the Equilibrium

DDoS Attacks Frequency

How many DDoS attacks were experienced in the past 12 months?

65% of organizations had an average of 3 DDoS attacks in the past 12 months

Page 6: Attackers Vs. Defenders: Restoring the Equilibrium

Average downtime during one DDoS attack

Downtime during one DDoS attack    Share of respondents
Less than 1 minute                 10%
1 to 10 minutes                    13%
11 to 20 minutes                   16%
21 to 30 minutes                   22%
31 to 60 minutes                   11%
1 to 2 hours                        9%
3 to 5 hours                        5%
More than 5 hours                   4%
Cannot determine                   10%

Average downtime during one DDoS attack: 54 minutes

Page 7: Attackers Vs. Defenders: Restoring the Equilibrium

Cost of Downtime

Cost per minute of downtime    Share of respondents
$1 to $10                       1%
$10 to $100                     8%
$101 to $1,000                 12%
$1,001 to $5,000               15%
$5,001 to $10,000              15%
$10,001 to $25,000             21%
$25,001 to $50,000             11%
$50,001 to $100,000             7%
More than $100,000              5%
Cannot determine                5%

Average cost per minute of downtime: $22,000
Average annual cost of DDoS attacks: $3,000,000


Page 9: Attackers Vs. Defenders: Restoring the Equilibrium

Information Resources

• Radware Security Survey
  – External survey
  – 179 participants
  – 95.5% are not using a Radware DoS mitigation solution
• ERT Survey
  – Internal survey
  – Unique visibility into attack behaviour
  – 95 selected cases
• Customer identity remains undisclosed

ERT gets to see attacks in real time on a daily basis


Page 11: Attackers Vs. Defenders: Restoring the Equilibrium

Organizations Bring a Knife to a Gunfight

• "Someone who brings a knife to a gun fight"
  – Is someone who does prepare for the fight, but does not understand its true nature
• Organizations today are like that
  – They do invest before the attack starts, and conduct excellent forensics after it is over
  – However, they have one critical blind spot: they don't have the capabilities or resources to sustain a long, complicated attack campaign
• Attackers target this blind spot!

Page 12: Attackers Vs. Defenders: Restoring the Equilibrium

Attacked in 2012

They had the budget
They made the investment
And yet they went offline

Page 13: Attackers Vs. Defenders: Restoring the Equilibrium

Organizations Deploy Two-phase Security Approach

Industry Security Survey: How much did your organization invest in each of the following security aspects in the last year?

[Chart: share of investment before, during and after an attack, broken down into procedures, human skills and equipment]

Only 21% of company efforts are invested during the attack itself, while 79% is spent during the pre-attack and post-attack phases.

Page 14: Attackers Vs. Defenders: Restoring the Equilibrium


But attacks today have 3 phases

Page 15: Attackers Vs. Defenders: Restoring the Equilibrium

Attacks last longer

[Chart: number of ERT cases by attack duration (1-2 days, half a week, 1 week, 2 weeks and more), 2011 vs. 2012]

Attacks last longer: the number of DoS attacks lasting over a week had doubled in 2012

Page 16: Attackers Vs. Defenders: Restoring the Equilibrium

And become more complex

ERT Cases – Attack Vectors

[Chart: share of ERT cases by attack complexity level (5-6, 7-8, 9-10), 2011 vs. 2012]

Attacks are more complex: 2012 DoS/DDoS attacks have become more sophisticated, using more complex attack vectors. Note the number of attacks using a complexity level of 7-10.

Page 17: Attackers Vs. Defenders: Restoring the Equilibrium

Content Delivery Network (CDN)

Do you consider Content Delivery Networks (CDNs) a solution for a DoS/DDoS attack?

Yes    70%
No     30%

70% of the companies who use a CDN believe the CDN is a solution for DoS/DDoS attacks.

Page 18: Attackers Vs. Defenders: Restoring the Equilibrium

Attacks Evade CDN Service

[Diagram: legitimate users and a botnet both reach the CDN service over the Internet. Legitimate users send "GET www.example.com"; the botnet sends "GET www.example.com/?[Random]", which the CDN cannot serve from its cache and therefore forwards to the backend web server. Legitimate requests are refused.]

• In recent cyber attacks the CDN was easily bypassed
  – By changing the page request in every Web transaction
• These random request techniques force CDNs to "raise the curtain"
  – All the attack traffic is delivered directly to the customer premises
  – Attacks masked by the CDN are more complex to mitigate
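A defender-side check for the random-request pattern described above, added here as an example and not code from the original deck: it parses constructed access-log lines in combined log format and flags clients whose requests almost all carry a distinct query string, which is the signature of cache-busting that forces the CDN to hand traffic to the origin. The sample log, the field layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of origin access-log lines (combined log format); not real data.
# 203.0.113.10 browses normally, 198.51.100.7 sends a fresh random query string each time.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Sep/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Sep/2012:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Sep/2012:10:00:05 +0000] "GET /news?page=2 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2012:10:00:01 +0000] "GET /?8f2k1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2012:10:00:01 +0000] "GET /?q91xz HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2012:10:00:02 +0000] "GET /?b7t0a HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2012:10:00:02 +0000] "GET /?z3mpl HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2012:10:00:03 +0000] "GET /?00ak2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, then the request line "METHOD target PROTOCOL".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def parse_requests(log_text):
    """Yield (client_ip, path, query) for every parsable request line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        yield m.group("ip"), parts.path, parts.query

def cache_busting_clients(log_text, min_requests=5, min_unique_ratio=0.8):
    """Return {ip: (request_count, unique_query_ratio)} for clients whose requests
    almost all carry a distinct query string, i.e. look like CDN cache-busting."""
    per_client = defaultdict(list)
    for ip, path, query in parse_requests(log_text):
        per_client[ip].append((path, query))
    flagged = {}
    for ip, reqs in per_client.items():
        if len(reqs) < min_requests:   # too few requests to judge
            continue
        with_query = [q for _, q in reqs if q]
        ratio = len(set(with_query)) / len(reqs)
        if ratio >= min_unique_ratio:
            flagged[ip] = (len(reqs), round(ratio, 2))
    return flagged
```

Search pages and other legitimately query-heavy clients can trip the same ratio, so in practice correlate the flagged clients with the CDN's cache-miss rate before rate-limiting them at the origin.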

Page 19: Attackers Vs. Defenders: Restoring the Equilibrium

Attackers are well prepared

• By definition the defenders lose the battle
• Equilibrium has been disrupted

Page 20: Attackers Vs. Defenders: Restoring the Equilibrium

The good news (1)

Industry Security Survey: How likely is it that your organization will be attacked by cyber warfare?

Unlikely       45%
Possible       37%
Likely          8%
Very likely    10%

Over half of the organizations believe their organization is likely to be attacked by cyber warfare.

Organizations start understanding the risk of DDoS

Page 21: Attackers Vs. Defenders: Restoring the Equilibrium

The good news (2)

Industry Security Survey: Which solutions do you use against DoS attacks?

[Chart: share of respondents using each type of solution against DoS attacks, 2011 vs. 2012]

Organizations start understanding Firewall and IPS cannot fight DDoS attacks

Page 22: Attackers Vs. Defenders: Restoring the Equilibrium

Conclusions

• Today's attacks are different
  – Carefully planned
  – Last days or weeks
  – Switch between attack vectors
• Organizations are ready to fight yesterday's attacks
  – They deploy security solutions that can absorb the first strike
  – But when attacks are prolonged, they have very limited firepower
  – By the time they succeed in blocking the first two attack vectors, attackers switch to a third, more powerful one

Page 23: Attackers Vs. Defenders: Restoring the Equilibrium

A different approach is needed

• A team of security experts
  – Acquire capabilities to sustain long attacks
  – Train a team that is ready to respond to persistent attacks
  – Deploy the most up-to-date methodologies and tools
  – 24 x 7 availability to respond to attacks
  – Deploy counterattack techniques to cripple an attack


Page 25: Attackers Vs. Defenders: Restoring the Equilibrium

US Banks Under Attack: from the news

Page 26: Attackers Vs. Defenders: Restoring the Equilibrium

US Banks Under Attack: Operation Ababil

• Publication of the 'Innocence of Muslims' film on YouTube provokes demonstrations throughout the Muslim world
• September 18th: 'Cyber Fighters of Izz ad-din Al Qassam' announced an upcoming cyber attack campaign against 'American and Zionist' targets

Page 27: Attackers Vs. Defenders: Restoring the Equilibrium

Attack Summary

• Attack targets
  – Bank of America
  – New York Stock Exchange (NYSE)
  – Chase
  – Wells Fargo
• Attacks lasted Sep 18-21, 2012
• Multiple attack waves on each target; each wave lasted 4 to 9 hours
• Victims suffered from temporary outages and network slowness
• ERT was actively involved in protecting the attacked organizations

Page 28: Attackers Vs. Defenders: Restoring the Equilibrium

Why was it so challenging?

[Diagram: a multi-vulnerability attack campaign layered against the network and the business, combining a UDP garbage flood on ports 80 and 443, an SSL Client Hello flood, a large volume SYN flood and an HTTP flood attack, ending in SHUTDOWN]

Multi-vulnerability attack campaign
• Mitigation nearly impossible
• Attackers look for the blind spot
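To show the vector switching behind the campaign above in working code, this added example (not Radware's or the ERT's code) classifies constructed per-packet summaries into the four vector families the slide names and reports which vector dominates each time window. The packet fields, the 60-second window and the classification rules are assumptions.

```python
from collections import Counter

# Constructed per-packet summaries, not real capture data:
# (seconds since campaign start, protocol, destination port, TCP flags, first payload bytes)
SAMPLE_PACKETS = [
    (0, "UDP", 80, "", b"\x00\x00\x00\x00"),
    (1, "UDP", 443, "", b"\xff\xff\xff\xff"),
    (2, "UDP", 80, "", b"\x13\x37\x13\x37"),
    (61, "TCP", 443, "S", b""),
    (62, "TCP", 443, "S", b""),
    (63, "TCP", 443, "PA", b"\x16\x03\x01\x00"),
    (121, "TCP", 443, "PA", b"\x16\x03\x01\x00"),
    (122, "TCP", 443, "PA", b"\x16\x03\x01\x00"),
    (123, "TCP", 80, "PA", b"GET /"),
    (181, "TCP", 80, "PA", b"GET /"),
    (182, "TCP", 80, "PA", b"POST /"),
    (183, "TCP", 80, "PA", b"GET /"),
]

def classify(proto, dport, flags, payload):
    """Map one packet to the vector families named on the slide (rules are assumptions)."""
    if proto == "UDP" and dport in (80, 443):
        return "UDP garbage flood"        # UDP has no business on the web ports
    if proto == "TCP" and flags == "S":
        return "SYN flood candidate"      # bare SYNs; the rate per window decides
    if proto == "TCP" and dport == 443 and payload[:2] == b"\x16\x03":
        return "SSL Client Hello flood"   # TLS handshake record header (0x16, TLS 1.x)
    if proto == "TCP" and dport == 80 and payload[:4] in (b"GET ", b"POST"):
        return "HTTP flood"
    return "other"

def dominant_vector_per_window(packets, window=60):
    """Return [(window_start, dominant_vector, count)] ordered by time."""
    buckets = {}
    for ts, proto, dport, flags, payload in packets:
        start = ts - ts % window
        buckets.setdefault(start, Counter())[classify(proto, dport, flags, payload)] += 1
    return [(s, *c.most_common(1)[0]) for s, c in sorted(buckets.items())]

def vector_switches(timeline):
    """Count how often the dominant vector changes between consecutive windows."""
    return sum(1 for a, b in zip(timeline, timeline[1:]) if a[1] != b[1])
```

A rising switch count during an incident is the signal that a single static mitigation will not hold and that the response team needs to re-tune per window.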

Page 29: Attackers Vs. Defenders: Restoring the Equilibrium

Recent updates

• HTTP flood was carried out from compromised hosting servers
  – Highly distributed attacks


Page 31: Attackers Vs. Defenders: Restoring the Equilibrium

ERT recommendations for 2013

• Acquire capabilities to sustain a long, sophisticated cyber attack
• Attack tools are known. Test yourself
• Carefully plan the position of DoS/DDoS mitigation within the network architecture
  – On-premise capabilities
  – In-the-cloud capabilities

Restore the equilibrium

Page 32: Attackers Vs. Defenders: Restoring the Equilibrium

Thank You

Ron Meyran

[email protected]