Radware Global Application & Network Security Report 2013
DESCRIPTION
The 2013 Global Application and Network Security Report provides insight to help detect, mitigate and win the extended and persistent DoS/DDoS battle. Click through the key findings for cyber security statistics, trends, tools and information on the year's most notable attacks. To download the full report, please visit: http://www.radware.com/ert-report-2013/
TRANSCRIPT
January 2014
AGENDA
Cyber Security Statistics
About the 2013 Report
Key Findings & Trends
Attack Tools Trends
Notable Attacks
Recommendations
DoS/DDoS – Most Common Cyber Attack
Breakdown of 2013 cyber attacks by type:
• DDoS: 28%
• SQLi: 23%
• Defacement: 17%
• Account Hijacking: 11%
• Targeted attack (various tools): 7%
• DNS Hijacking: 3%
• Malware: 3%
• iFrame Injection: 1%
• Other: 7%
Source: 2013 Cyber Attacks Trends, Hackmageddon
28% of all cyber attacks in 2013 involved a DoS/DDoS attack.
DDoS and Unplanned Outages in 2013
Root Causes of Unplanned Outages (chart comparing 2010 and 2013, share of outages by cause: UPS system failure, accidental/human error, cyber crime (DDoS), weather related, water/heat/CRAC failure, generator failure, IT equipment failure, other)
18% of unplanned outages in 2013 were due to DoS/DDoS attacks.
Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013
Cost of a DoS/DDoS Outage
Cost of unplanned outage (chart comparing 2010 and 2013, axis from $0 to $1,200 in thousands of dollars, by cause: IT equipment failure, cyber crime (DDoS), UPS system failure, water/heat/CRAC failure, generator failure, weather related)
$822,000: cost of a single DoS/DDoS attack that causes an unplanned outage.
Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013
About the 2013 Report
Methodology and Sources
Security Industry Survey
– External survey
– 198 participants
– 93.8% are not using a Radware DoS/DDoS mitigation solution
Security Executive Survey
– External survey
– 15 participants
Radware’s Emergency Response Team (ERT) 2013 Cases
– Unique visibility into attack behavior
– Attacks seen in real time on a daily basis
– More than 300 cases analyzed
– Customer identity remains undisclosed
Key Findings & Trends
The Unseen DoS/DDoS Attacks – Key Findings
• 60% of attacks result in service degradation
– Organizations’ attention is on the outage cases
– Web application slowness and degradation of service have devastating outcomes
• ERT has identified a new set of attacks called “Web Stealth”
– Availability-based attacks targeting the Web application
– Harder to detect by traditional network security and DoS/DDoS mitigation tools
• Attackers shorten the time it takes them to bypass mitigation tools
DoS/DDoS Ring of Fire
Notable 2013 attacks by region:
• Feb/July 2013, USA: Operation Ababil, targeting financial institutions
• March 2013, The Netherlands: Spamhaus, the biggest DDoS attack ever
• June 2013, South Korea: South Korean government websites under attack
• July 2013, Colombia: The Colombian Independence Day attack
• August 2013, Syria: Syrian Electronic Army attacking US media outlets
• November 2013, Ukraine & Baltic countries: Operation “Opindependence”
Attack Risk Score
Radware DoS/DDoS Risk Score (dimensions shown: Attack Duration, Attack Vectors, Attack Complexity)
Attack Length: Increasing Duration
DDoS Attacks are Not Singular Events
Attack Vectors: Increasing Complexity
Attackers Shorten Time to Bypass Mitigation Tools
(Timeline: each attack is surrounded by a pre-attack phase and a post-attack phase, separated from the next attack by a “peace” period; the cycle repeats.)
2013 Attack Vectors
More than 50% of 2013 DDoS attacks had more than 5 attack vectors.
2012 – 2013 Trend: Diversity of Attacks
Web Stealth Attacks
• More than HTTP floods
• Dynamic IP addresses
– Highly distributed attacks
– Attacks using anonymizers / proxies
– Attacks passing CDNs
• Attacks that are obfuscated by SSL
• Attacks with the ability to pass C/R (challenge/response)
• Attacks that use low traffic volume but saturate servers’ resources
Attacks on Login Pages are Destructive
• Based on SSL
• No load-balancing yet
• A flood of search requests will look legitimate to network protection tools
• Creates resource saturation on the application server
Bypassing CDN Protection
(Diagram: Botnet → CDN → Enterprise. The bots send GET www.enterprise.com/?[Random]; the random query string differs on every request, so the CDN forwards each one to the enterprise origin instead of answering from its cache.)
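The diagram above shows the cache-busting pattern from the attacker's side. The following Python is an added example, not code from the report or from Radware, showing two defender-side pieces: a cache-key normalizer that keeps only allow-listed query parameters so GET /?[Random] collapses to the same cache entry as GET /, and a detector that flags clients whose requests are nearly all distinct as raw URLs yet map to a single cache key. The log format, the client addresses and the ALLOWED_PARAMS allow-list are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (not taken from the report):
# client IP, method, request URL, status. One client sends the same path
# with a fresh random query string on every request; the other browses normally.
SAMPLE_LOG = """\
198.51.100.7 GET /?a8f3kz 200
198.51.100.7 GET /?q1m2x9 200
198.51.100.7 GET /?zz71pq 200
198.51.100.7 GET /?b0c4d7 200
198.51.100.7 GET /?k9j8h7 200
203.0.113.5 GET /?page=2 200
203.0.113.5 GET /?page=3 200
203.0.113.5 GET /products 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

# Query parameters the application actually uses; anything else is ignored
# when building the cache key (assumption for this example).
ALLOWED_PARAMS = ("page",)


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def cache_key(url, allowed_params=ALLOWED_PARAMS):
    """Normalize a request URL to the key a cache should look up.

    Only allow-listed parameters survive, so GET /?[Random] collapses to the
    same key as GET / and is served from cache instead of reaching the origin.
    """
    parts = urlsplit(url)
    kept = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in allowed_params
    )
    return parts.path + ("?" + urlencode(kept) if kept else "")


def flag_cache_busters(records, min_requests=5, min_distinct_ratio=0.8):
    """Return clients whose requests are almost all distinct as raw URLs but
    collapse to a single cache key: the signature of a random-query-string
    CDN bypass rather than of normal browsing."""
    per_ip = defaultdict(lambda: {"n": 0, "raw": set(), "keys": set()})
    for r in records:
        stats = per_ip[r["ip"]]
        stats["n"] += 1
        stats["raw"].add(r["url"])
        stats["keys"].add(cache_key(r["url"]))

    flagged = {}
    for ip, stats in per_ip.items():
        if stats["n"] < min_requests:
            continue
        distinct_ratio = len(stats["raw"]) / stats["n"]
        if distinct_ratio >= min_distinct_ratio and len(stats["keys"]) == 1:
            flagged[ip] = {
                "requests": stats["n"],
                "distinct_urls": len(stats["raw"]),
                "cache_keys": len(stats["keys"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_cache_busters(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['requests']} requests, {info['distinct_urls']} distinct URLs, "
              f"{info['cache_keys']} cache key(s)")
```

The normalizer is the mitigation: once the CDN keys its cache on the normalized form, the random parameter no longer forces a trip to the origin. The detector is the signal to feed a rate limiter or a challenge, and the thresholds are starting points to tune against real traffic.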
Network Topology and DDoS Attacks
(Diagram: server components that are likely to be attacked by DDoS attacks.)
DDoS Attacks Results
Public attention
Results of a one-second delay in Web page delivery:
• 3.5% decrease in conversion rate
• 2.1% decrease in shopping cart size
• 9.4% decrease in page views
• 8.3% increase in bounce rate
Source: Strangeloop Networks, Case Study: The impact of HTML delay on mobile business metrics, November 2011
Organizations are Adopting DDoS Mitigation Tools
Only 29% of organizations surveyed do not have plans to deploy DDoS mitigation tools in 2014.
Attack Tools Trends
HTTPS Based Attacks
• HTTPS based attacks are on the rise
• SSL traffic is not terminated by DDoS cloud scrubbers or DDoS solutions
• SSL traffic is terminated by the ADC or the web server
• SSL attacks hit their target and bypass security solutions
DNS Based Attacks
• Most frequently used attack vector
• Amplification effect
• Regular DNS replies: a normal DNS reply is 3-4 times larger than the request
• Researched replies: can reach up to 10 times the size of the original request
• Crafted replies: the attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes), an amplification factor of up to 100 times
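The three reply sizes listed above define an amplification factor (response bytes divided by request bytes). The following Python is an added example, not code from the report or from Radware: it computes that factor, maps it onto the three bands the slide describes, and runs a simple resolver-side check over a constructed sample of query/response pairs to flag source addresses whose aggregate factor is far beyond a regular reply. Because a reflection attack spoofs the victim's address as the query source, such a source is the address being flooded with the resolver's responses. The 40-byte request size, the addresses and the thresholds are assumptions for this example; the 4096-byte maximum is the figure from the slide.

```python
from collections import defaultdict

# Maximum DNS reply message size cited on the slide.
MAX_DNS_REPLY_BYTES = 4096


def amplification_factor(query_bytes, response_bytes):
    """Response size divided by request size for one query/response pair."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def classify_factor(factor):
    """Map a factor onto the three bands the slide describes."""
    if factor <= 4:
        return "regular"      # normal reply, 3-4x the request
    if factor <= 10:
        return "researched"   # up to 10x the request
    return "crafted"          # toward the 4096-byte maximum, up to ~100x


# Constructed sample of DNS query/response pairs as seen at a resolver
# (not data from the report): source IP, query name, type, request bytes,
# response bytes. Source 192.0.2.77 repeatedly asks for a name whose replies
# come back at the maximum message size.
SAMPLE_DNS = [
    ("192.0.2.10", "example.com", "A", 40, 130),
    ("192.0.2.10", "example.com", "AAAA", 40, 150),
    ("192.0.2.10", "example.org", "MX", 40, 320),
    ("192.0.2.77", "big.example", "ANY", 40, MAX_DNS_REPLY_BYTES),
    ("192.0.2.77", "big.example", "ANY", 40, MAX_DNS_REPLY_BYTES),
    ("192.0.2.77", "big.example", "ANY", 40, MAX_DNS_REPLY_BYTES),
    ("192.0.2.77", "big.example", "ANY", 40, MAX_DNS_REPLY_BYTES),
]


def flag_amplified_sources(records, min_queries=3, factor_threshold=20.0):
    """Flag source addresses whose mean amplification factor is far beyond a
    regular reply. In a reflection attack the source address is the spoofed
    victim, so this identifies who is being flooded with our responses."""
    totals = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for src, _name, _qtype, req, resp in records:
        t = totals[src]
        t["queries"] += 1
        t["req"] += req
        t["resp"] += resp

    flagged = {}
    for src, t in totals.items():
        if t["queries"] < min_queries:
            continue
        factor = amplification_factor(t["req"], t["resp"])
        if factor >= factor_threshold:
            flagged[src] = {
                "queries": t["queries"],
                "factor": round(factor, 1),
                "band": classify_factor(factor),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_amplified_sources(SAMPLE_DNS).items():
        print(f"{src}: {info['queries']} queries, factor {info['factor']}x ({info['band']})")
```

On the constructed sample the normal client averages 5x and is left alone, while the spoofed source averages 102.4x, which is the order of magnitude the slide gives for crafted 4096-byte replies. A resolver that sees this pattern can rate-limit responses to that address or truncate large replies so the client must retry over TCP, which a spoofed source cannot complete.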
DNS Based Attacks – The Recursive Attack
Login Page Attacks
40% of organizations have been attacked by a Login Page attack in 2013.
Attacks on Login Pages are Destructive
• Based on SSL
• No load-balancing yet
Implications of Login Page Attacks
Notable Attacks
“Innocence of Muslims” Movie
• July 12, 2012: “Innocence of Muslims” trailer released on YouTube
• September 11, 2012: World-wide protest against the movie resulting in the deaths of 50 people
Operation Ababil Background
Operation Ababil: the cyber attack is an act to stop the movie
First targets: Bank of America, NYSE
Group name is “Izz ad-Din al-Qassam Cyber Fighters”
Operation Ababil Timeline
Operation Ababil Target Organizations
Sector: Financial Service Providers
Operation Ababil Attack Vectors
Overcoming HTTP Challenges
Which attack scripts pass which HTTP challenges:
Script       302 Redirect Challenge   JS Challenge   Special Challenge
Kamikaze     Pass                     Not pass       Not pass
Kamina       Pass                     Not pass       Not pass
Terminator   Pass                     Pass           Not pass
Operation Op Colombia
• Large scale cyber attack held on July 20, 2013, Colombian Independence Day
• Largest cyber attacks ever
• Attack against 30 Colombian government websites
• Attacker: Colombian Hackers, a known hacker collective; the group used Twitter to communicate
Sector: Government
Op Colombia Attack Vectors
Application:
• Web Stealth
• Directory traversal
• Brute force
• SQL Injection
• HTTP Flood
Network:
• SYN floods
• UDP floods
• ICMP floods
Spamhaus Attack
• Nine-day volumetric attack
• Broke the ceiling of 100 Gbps
• Attack reached a bandwidth of 300 Gbps
• Target: anti-spam organization providing an Internet service
• Attacker: CyberBunker and Sven Olaf Kamphuis
Sector: Internet Service Provider
Spamhaus Attack Vectors
Recommendations
DDoS Mitigation Selection Criteria
Time to protection
• The cost of a DDoS attack is significant
• The sooner the attack is over, the sooner the revenue loss will stop
Attack coverage
• Attackers are using a plethora of attack vectors
• More than 50% of attacks include more than 5 vectors
Single point of contact in case of attack
• Attacks are becoming longer and require manual operations to mitigate
Recommendations
• Acquire capabilities to sustain long attacks
• Train a team that is ready to respond to persistent attacks
• Deploy the most up-to-date methodologies and tools
• 24/7 availability to respond to attacks
• Deploy counterattack techniques to cripple an attack