InfoSecurity Europe 2014: The Art of Cyber War

The Art of Cyber War, Werner Thalmeier, Security Evangelist

Upload: radware

Post on 06-May-2015


DESCRIPTION

With cyber-attacks becoming a growing concern for organizations, availability-based attacks, also known as Denial of Service or Distributed Denial of Service attacks, have long moved from a form of cyber protest to a destructive weapon that is used by cyber criminals, hacktivists and even governments. In 2013 we saw a growing use of a new type of attack where attackers used legitimate transactions to saturate application servers’ resources. In this presentation, Security Expert Werner Thalmeier demonstrates how such an advanced attack can be created from a laptop running in an anonymous public WiFi network. He also evaluates the attack landscape and its impact on organizations as well as shares the best practices to protect against such cyber-attacks. Understand the current availability-based threat landscape and learn about new types of cyber-attacks that are being used to saturate resources. For more information on the state of Application and Network Security, please visit: http://www.radware.com/ert-report-2013/

TRANSCRIPT

Page 1: InfoSecurity Europe 2014:  The Art Of Cyber War

The Art of Cyber War Werner Thalmeier – Security Evangelist

Page 2: InfoSecurity Europe 2014:  The Art Of Cyber War

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work.

Many of its conclusions remain valid today in the cyber warfare era.

孫子兵法 (The Art of War)

Page 3: InfoSecurity Europe 2014:  The Art Of Cyber War


知彼知己,百戰不殆

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Notable DDoS Attacks in the Last 12 Months

Page 4: InfoSecurity Europe 2014:  The Art Of Cyber War

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 5: InfoSecurity Europe 2014:  The Art Of Cyber War

Attackers Deploy Multi-vulnerability Attack Campaigns

[Diagram: attack vectors mapped onto the path Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server, grouped as Volumetric attacks, Network & Stateful attacks, Application attacks and App Misuse]

Attack vectors shown: high bandwidth or PPS network flood attacks, network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress), HTTP floods, brute force, SQL injection, cross-site scripting, intrusions.

More than 50% of 2013 attack campaigns had more than 5 attack vectors.

Source: Radware 2013 ERT Report

Page 6: InfoSecurity Europe 2014:  The Art Of Cyber War

Hacktivism – Move To Campaign-APT Oriented

• Complex: More than seven different attack vectors at once

• Blending: Both network and application attacks

• Target-eering: Select the most appropriate target and attack tools

• Resourcing: Advertise, invite, coerce anyone capable

• Testing: Perform short “proof-firing” prior to the attack

• Timeline: Establish the most painful time period for the victim

Page 7: InfoSecurity Europe 2014:  The Art Of Cyber War

[Chart: attack sophistication rising over time, 2010 to 2013]

2010

• Duration: 3 Days

• 4 attack vectors

• Attack target: Visa, MasterCard

2011

• Duration: 3 Days

• 5 attack vectors

• Attack target: HKEX

2012

• Duration: 20 Days

• More than 7 attack vectors

• Attack target: Vatican

2013

• Duration: 7 Months

• Multiple attack vectors

• Attack target: US Banks

故善战者,立于不败之地 The good fighters of old, first put themselves beyond the possibility of defeat.

Page 8: InfoSecurity Europe 2014:  The Art Of Cyber War

The Threat Landscape

DDoS is the most common attack method. Attacks last longer. Government and Financial Services are the most attacked sectors. Multi-vector trend continues.

Page 9: InfoSecurity Europe 2014:  The Art Of Cyber War

You don’t control all of your critical business systems. Understand your vulnerabilities in the distributed, outsourced world.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

漏洞 Vulnerability

Page 10: InfoSecurity Europe 2014:  The Art Of Cyber War

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 11: InfoSecurity Europe 2014:  The Art Of Cyber War

Individual Servers (1998 - 2002)

Malicious software installed on hosts and servers (mostly located at Russian and east European universities), controlled by a single entity by direct communication.

Examples: Trin00, TFN, Trinity

Botnets (1998 - Present)

Stealthy malicious software installed mostly on personal computers without the owner’s consent; controlled by a single entity through indirect channels (IRC, HTTP).

Examples: Agobot, DirtJumper, Zemra

Voluntary Botnets (2010 - Present)

Many users, at times part of a Hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel.

Examples: LOIC, HOIC

New Server-based Botnets (2012)

Powerful, well orchestrated attacks, using a geographically spread server infrastructure. Few attacking servers generate the same impact as hundreds of clients.

不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill

Page 12: InfoSecurity Europe 2014:  The Art Of Cyber War

R.U.D.Y.

• Exploits a design weakness that became public in Nov 2010

• A slow rate attack tool that can cause DoS with a relatively low amount of generated traffic

• Instead of sending the entire HTTP POST request at once, it sends one byte every 10 seconds, making the connection last forever. It does this in parallel again and again over numerous connections until the server’s resources are exhausted.
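The pattern the slide describes leaves a clear server-side trace: a POST whose declared body is still incomplete after a long time and whose bytes arrive at a rate no real browser would use, repeated across many parallel connections from one address. The following detector is an added example written for this page, not Radware's code or anything shown in the presentation; the connection record format, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PostConnection:
    """One in-flight HTTP POST as a server-side monitor would see it (assumed schema)."""
    src_ip: str
    content_length: int   # declared Content-Length header
    bytes_received: int   # body bytes that have actually arrived
    elapsed_s: float      # seconds since the request headers were received


# Assumed thresholds (not from the presentation): a client that has been
# sending its body for 30 s at well under 50 bytes/s is not a normal browser.
MIN_ELAPSED_S = 30.0
MIN_BODY_RATE_BPS = 50.0


def is_slow_post(c: PostConnection) -> bool:
    """A connection is 'slow' when it is old enough to judge, its declared body
    is still incomplete, and the body is trickling in far below any real
    client's rate (the one-byte-every-10-seconds pattern described above)."""
    if c.elapsed_s < MIN_ELAPSED_S or c.bytes_received >= c.content_length:
        return False
    return c.bytes_received / c.elapsed_s < MIN_BODY_RATE_BPS


def slow_post_sources(conns, min_parallel=5):
    """Report sources holding several slow POSTs at once. A single slow
    connection may be a poor mobile link; many in parallel from one address
    is the tool's signature, and that is what per-source limits should key on."""
    per_src = defaultdict(int)
    for c in conns:
        if is_slow_post(c):
            per_src[c.src_ip] += 1
    return {ip: n for ip, n in per_src.items() if n >= min_parallel}


# Constructed sample: a normal finished upload, one slow but solitary client,
# and one address holding six connections that each delivered 12 bytes in two minutes.
SAMPLE_CONNECTIONS = [
    PostConnection("198.51.100.20", 2_500_000, 2_500_000, 18.0),   # finished upload
    PostConnection("198.51.100.21", 1_000, 40, 60.0),              # slow, but alone
] + [
    PostConnection("203.0.113.45", 1_000_000, 12, 120.0 + i) for i in range(6)
]

if __name__ == "__main__":
    print(slow_post_sources(SAMPLE_CONNECTIONS))   # {'203.0.113.45': 6}
```

The per-source count is what keeps a genuinely slow client from being cut off: one trickling connection is tolerated, a handful held open in parallel by the same address is treated as the attack and can be fed into a connection cap or a shorter body timeout for that source.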

Page 13: InfoSecurity Europe 2014:  The Art Of Cyber War

兵者 詭道也 All warfare is based on deception.

Tool: Kill ‘em All 1.0

• Harnesses techniques such as Authentication Bypass, HTTP redirect, HTTP cookie and JavaScript

• True TCP behavior, believable and random HTTP headers, JavaScript engine, random payload, tunable post-authentication traffic model

• Defeats current anti-DDoS solutions that rely on malformed-traffic detection, traffic profiling, rate limiting, source verification, and JavaScript and CAPTCHA-based authentication mechanisms

• Creators allege that the tool is technically indistinguishable from legitimate human traffic

Tested: Arbor PeakFlow TMS, Akamai, Cloudflare, NSFocus Anti-DDoS System

Page 14: InfoSecurity Europe 2014:  The Art Of Cyber War

不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill

Current prices on the Russian underground market:

Hacking corporate mailbox: $500

Winlocker ransomware: $10-$20

Unintelligent exploit bundle: $25

Intelligent exploit bundle: $10-$3,000

Basic crypter (for inserting rogue code into benign file): $10-$30

SOCKS bot (to get around firewalls): $100

Hiring a DDoS attack: $30-$70 / day, $1,200 / month

Botnet: $200 for 2,000 bots

DDoS Botnet: $700

ZeuS source code: $200-$250

Windows rootkit (for installing malicious drivers): $292

Hacking Facebook or Twitter account: $130

Hacking Gmail account: $162

Email spam: $10 per one million emails

Email scam (using customer database): $50-$500 per one million emails

Page 15: InfoSecurity Europe 2014:  The Art Of Cyber War

不戰而屈人之兵,善之善者也 To subdue the enemy without fighting is the acme of skill

Page 16: InfoSecurity Europe 2014:  The Art Of Cyber War

Battlefield: U.S. Commercial Banks

Cause: Elimination of the Film “Innocence of Muslims”

Battle: Phase 4 of major multi-phase campaign – Operation Ababil – that commenced during the week of July 22nd. Primary targets included: Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.

Attackers: Cyber Fighters of Izz ad-Din al-Qassam

Result: Major US financial institutions impacted by intensive and protracted Distributed Denial of Service attacks.

行軍 (The Army on the March): Operation Ababil

Page 17: InfoSecurity Europe 2014:  The Art Of Cyber War

行軍 (The Army on the March): Operation Ababil

Massive TCP and UDP flood attacks:

• Targeting both Web servers and DNS servers. Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. Source appears to be Brobot botnet.

DNS amplification attacks:

• Attacker sends queries to a DNS server with a spoofed address that identifies the target under attack. Large replies from the DNS servers, usually so big that they need to be split over several packets, flood the target.

HTTP flood attacks:

• Cause web server resource starvation due to an overwhelming number of page downloads.

Encrypted attacks:

• SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x more CPU in order to process the encrypted attack traffic.
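The DNS amplification bullet above has a simple defensive corollary: the target receives DNS responses it never asked for. Matching inbound responses against the queries the network actually sent (same server, same client port, same transaction id) separates reflected traffic from normal resolution, and the size and fragmentation of the unmatched replies give the amplification figure. This is an added example for this page, not Radware's code or a tool from the presentation; the packet record schema, the assumed 60-byte typical query size and the sample packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsPacket:
    """UDP/53 packet as seen at the edge of the protected network (assumed schema)."""
    direction: str      # "out": sent by our hosts; "in": arriving from the Internet
    src: str
    dst: str
    src_port: int
    dst_port: int
    txid: int           # DNS transaction id
    is_response: bool
    size: int           # UDP payload bytes
    fragmented: bool = False   # IP fragmentation seen, typical of oversized replies


def unsolicited_responses(packets):
    """Pair inbound responses with the outbound queries that could have caused them
    (same server, same client address and port, same transaction id). Whatever does
    not pair is a reply nobody asked for: the reflected half of an amplification attack."""
    outstanding = set()
    unsolicited = []
    for p in packets:
        if p.direction == "out" and not p.is_response and p.dst_port == 53:
            outstanding.add((p.dst, p.src, p.src_port, p.txid))
        elif p.direction == "in" and p.is_response and p.src_port == 53:
            key = (p.src, p.dst, p.dst_port, p.txid)
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited.append(p)
    return unsolicited


def reflection_report(packets, min_unsolicited=3, typical_query_bytes=60):
    """Per victim address: number of unsolicited replies, total bytes, how many were
    fragmented, and the average amplification relative to an assumed query size."""
    per_target = defaultdict(list)
    for p in unsolicited_responses(packets):
        per_target[p.dst].append(p)
    report = {}
    for dst, ps in per_target.items():
        if len(ps) < min_unsolicited:
            continue
        total = sum(p.size for p in ps)
        report[dst] = {
            "count": len(ps),
            "bytes": total,
            "fragmented": sum(1 for p in ps if p.fragmented),
            "amplification": round(total / len(ps) / typical_query_bytes, 1),
        }
    return report


# Constructed sample: one legitimate query/answer pair, then replies from four
# open resolvers that 192.0.2.10 never queried, each about 3 KB and fragmented.
SAMPLE_PACKETS = [
    DnsPacket("out", "192.0.2.10", "203.0.113.53", 40001, 53, 0x1234, False, 45),
    DnsPacket("in", "203.0.113.53", "192.0.2.10", 53, 40001, 0x1234, True, 120),
] + [
    DnsPacket("in", f"198.51.100.{n}", "192.0.2.10", 53, 53, 0x0001, True, 3000, True)
    for n in (11, 12, 13, 14)
]

if __name__ == "__main__":
    print(reflection_report(SAMPLE_PACKETS))
```

On a real capture the `outstanding` set needs a timeout so it does not grow without bound, and resolvers behind NAT will need the translated port rather than the internal one; the matching rule itself is what an edge filter for "DNS responses with no corresponding query" implements.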

Page 18: InfoSecurity Europe 2014:  The Art Of Cyber War

行軍 (The Army on the March): Operation Ababil

Event Correlation: Iranian Linked Cyber Attacks

[Chart: monthly timeline of events from 2010 to mid-2013 attributed to Parastoo, the Iranian Cyber Army and the al Qassam Cyber Fighters; bar scale from 1 event to 22 events]

Source: Analysis Intelligence

Page 19: InfoSecurity Europe 2014:  The Art Of Cyber War

Don’t assume that you’re not a target. Draw up battle plans. Learn from the mistakes of others.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

目标 Target

Page 20: InfoSecurity Europe 2014:  The Art Of Cyber War

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 21: InfoSecurity Europe 2014:  The Art Of Cyber War

[Bar chart: number of attacks per network layer (Internet Pipe, Firewall, IPS/IDS, ADC, Server, SQL Server) in 2011, 2012 and 2013, grouped as Volumetric attacks, Network & Session attacks and Application attacks; vertical axis 0 to 35]

不可胜在己 Being unconquerable lies within yourself.

Page 22: InfoSecurity Europe 2014:  The Art Of Cyber War

不可胜在己 Being unconquerable lies within yourself.

| DoS Defense Component | Vulnerability Exploitation | Network Flood | Infrastructure Exhaustion | Target Exhaustion |
| --- | --- | --- | --- | --- |
| Network Devices | No | No | Some | Some |
| Over-Provisioning | No | Yes, bandwidth | Yes, infrastructure | Yes, server & app. |
| Firewall & Network Equipment | No | No | Some | Some |
| NIPS or WAF Security Appliances | Yes | No | No, part of problem | No |
| Anti-DoS Box (Stand-Alone) | No | No | Yes | Yes |
| ISP-Side Tools | No | Yes | Rarely | Rarely |
| Anti-DoS Appliances (ISP Connected) | No | Yes | Yes | Yes |
| Anti-DoS Specialty Provider | No | Yes | Yes | Yes |
| Content Delivery Network | No | Yes | Yes | Limited |

Page 23: InfoSecurity Europe 2014:  The Art Of Cyber War

Analyst View

• With the prevalence and duration of attacks on the rise, organizations need to take steps to protect their infrastructure from the advanced methods being employed. Despite the fact that volumetric-based attacks will remain the most common, more advanced hybrid attacks that include application layer and encrypted traffic in addition to volumetric methods will also grow, spurring growth in the use of on-premise equipment.

IDC Technology Spotlight: Optimizing DDoS Mitigation Using Hybrid Approaches

• Gartner expects high-bandwidth DDoS attacks to continue and to increase in frequency in 2013. Gartner also expects that at least 25% of DDoS attacks will be application-based, in which attackers send targeted commands to applications to tax CPU and memory and make the application unavailable.

Gartner

Page 24: InfoSecurity Europe 2014:  The Art Of Cyber War

不可胜在己 Being unconquerable lies within yourself.

70%: proportion of businesses relying on CDNs for DDoS protection.

Page 25: InfoSecurity Europe 2014:  The Art Of Cyber War

不可胜在己 Being unconquerable lies within yourself.

Bypassing CDN Protection

[Diagram: a Botnet sends GET www.enterprise.com/?[Random] through the CDN to the Enterprise; because every random query string is a URL the CDN has never cached, each request misses the cache and is forwarded to the origin]
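The cache-bypass shown in the diagram is visible in the origin's own access log: one client whose every request carries a query string, and whose query strings never repeat. Genuine query strings recur (page numbers, search terms, session ids), so the ratio of unique query strings to requests separates the two. The detector below is an added example for this page, not Radware's code or anything from the presentation; it assumes the common combined log format, and the thresholds and sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format as Apache/nginx write it (assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cache_busting_clients(lines, min_requests=10, min_unique_ratio=0.9):
    """Flag clients whose requests all carry a query string and almost never repeat
    one. Real query strings recur across a session; a fresh random token on every
    request is the cache-bypass pattern, and the origin sees all of it."""
    stats = defaultdict(lambda: {"requests": 0, "with_query": 0, "queries": set()})
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "GET":
            continue
        url = urlsplit(r["target"])
        s = stats[r["ip"]]
        s["requests"] += 1
        if url.query:
            s["with_query"] += 1
            s["queries"].add((url.path, url.query))
    flagged = {}
    for ip, s in stats.items():
        if s["requests"] < min_requests or s["with_query"] != s["requests"]:
            continue
        unique_ratio = len(s["queries"]) / s["requests"]
        if unique_ratio >= min_unique_ratio:
            flagged[ip] = {"requests": s["requests"], "unique_queries": len(s["queries"])}
    return flagged


def _line(ip, target):
    # Constructed log line; timestamp, status and size are fixed filler.
    return f'{ip} - - [06/May/2014:10:00:00 +0000] "GET {target} HTTP/1.1" 200 5120'


# Constructed sample: one address fetching the front page with a fresh random
# token each time, and one genuine shopper whose query strings repeat.
_RANDOM_TOKENS = ["3fa9c1", "b77e02", "0d4e88", "91ac3f", "5e61d0", "c2b874",
                  "7a05e9", "e4d1b6", "48f2c7", "dd90a3", "16be5c", "a3c7f0"]
_SHOPPER = ["/products?page=1", "/products?page=2", "/products?page=1",
            "/search?q=shoes", "/search?q=shoes", "/search?q=boots",
            "/products?page=3", "/products?page=2", "/search?q=shoes",
            "/products?page=1", "/cart", "/"]
SAMPLE_LOG = (
    [_line("203.0.113.45", f"/?{tok}") for tok in _RANDOM_TOKENS]
    + [_line("198.51.100.20", t) for t in _SHOPPER]
)

if __name__ == "__main__":
    print(cache_busting_clients(SAMPLE_LOG))
```

The same statistic is the basis for the usual mitigation: strip or ignore query parameters the application does not actually use when computing the cache key, so a random token no longer creates a new cacheable object, and rate-limit sources whose unique-query ratio stays near 1.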

Page 26: InfoSecurity Europe 2014:  The Art Of Cyber War

不可胜在己 Being unconquerable lies within yourself.

Cloud protection limitations.

[Diagram: Botnet traffic reaching the Enterprise past Cloud Scrubbing: Volumetric attacks, Low & Slow attacks, SSL encrypted attacks]

Page 27: InfoSecurity Europe 2014:  The Art Of Cyber War

Don’t believe the propaganda. Understand the limitations of solutions. Not all networking and security solutions are created equal.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

宣传 Propaganda

Page 28: InfoSecurity Europe 2014:  The Art Of Cyber War

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 29: InfoSecurity Europe 2014:  The Art Of Cyber War

兵之情主速 Speed is the essence of war

[Chart: attack degree axis divided into Normal Area, Suspicious Area and Attack Area]

Page 30: InfoSecurity Europe 2014:  The Art Of Cyber War

兵之情主速 Speed is the essence of war

The Security Gap

Attacker has time to bypass automatic mitigation. Target does not possess required defensive skills.

Page 31: InfoSecurity Europe 2014:  The Art Of Cyber War

You can’t defend against attacks you can’t detect. Know your limitations. Enlist forces that have expertise to help you fight.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

检测 Detection

Page 32: InfoSecurity Europe 2014:  The Art Of Cyber War

Variation of Tactics 九變

The Army on the March 行軍

Illusion & Reality 虛實

The Use of Intelligence 用間

Laying Plans 始計

Page 33: InfoSecurity Europe 2014:  The Art Of Cyber War

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Detection: Application Attacks

• Web Attacks

• Application Misuse

• Connection Floods

• Brute Force

• Directory Traversals

• Injections

• Scraping & API Misuse

Page 34: InfoSecurity Europe 2014:  The Art Of Cyber War

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Attack Mitigation Network: Low & Slow, SSL Encrypted

[Diagram: Botnet, Cloud Scrubbing, Hosted Data Center and Enterprise, showing the mitigation path for low & slow and SSL encrypted attacks]

Page 35: InfoSecurity Europe 2014:  The Art Of Cyber War

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Detection: Encrypted / Non-Volumetric Attacks

• Envelope Attacks – Device Overload

• Directed Attacks – Exploits

• Intrusions – Mis-Configurations

• Localized Volume Attacks

• Low & Slow Attacks

• SSL Floods

Page 36: InfoSecurity Europe 2014:  The Art Of Cyber War

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Attack Mitigation Network: Application Exploits

[Diagram: Botnet, Cloud Scrubbing, Hosted Data Center and Enterprise, with attack signatures applied along the mitigation path]

Page 37: InfoSecurity Europe 2014:  The Art Of Cyber War

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Attack Detection: Volumetric Attacks

• Network DDoS

• SYN Floods

• HTTP Floods

Page 38: InfoSecurity Europe 2014:  The Art Of Cyber War

故兵貴勝,不貴久 What is essential in war is victory, not prolonged operations.

Attack Mitigation Network: Volumetric Attacks

[Diagram: Botnet, Cloud Scrubbing, Hosted Data Center and Enterprise, with attack signatures applied along the mitigation path]

Page 39: InfoSecurity Europe 2014:  The Art Of Cyber War

Layered Lines Of Defense

[Diagram: the attack path Internet Pipe, Firewall, IPS/IDS, ADC, Attacked Server, SQL Server, grouped as Volumetric attacks, Network & Stateful attacks and Application attacks, with a defense layer placed against each]

Attack vectors shown: large volume network flood attacks, network scan, SYN floods, SSL floods, “Low & Slow” DoS attacks (e.g. Sockstress), HTTP floods, brute force, app misuse.

Defense layers: DoS protection, Behavioral analysis, SSL protection, IPS, WAF, Cloud DDoS protection.

Page 40: InfoSecurity Europe 2014:  The Art Of Cyber War


Layered Lines Of Defense – Attack Mitigation System

Page 41: InfoSecurity Europe 2014:  The Art Of Cyber War

Aligned forces will make the difference

Protecting your data is not the same as protecting your business. True security necessitates data protection, system integrity and operational availability.

没有战略,战术是之前失败的噪音 Without strategy, tactics are the noise before defeat.

可用性 (Availability) Protection

Page 42: InfoSecurity Europe 2014:  The Art Of Cyber War


你准备好了吗? Are You Ready?

Page 43: InfoSecurity Europe 2014:  The Art Of Cyber War

Thank You [email protected] www.radware.com

http://security.radware.com/