Three New Threats To Your ... Assets (and how to avoid them)

Transcription

Three New Threats To Your ... Assets (and how to avoid them)
Three New Threats To Your Web
Assets (and how to avoid them)
Three New Threats To Your Web Assets (and how to avoid them)
Introduction
Today’s Internet-connected business is facing a bewildering diversity of threats.
If your business has web assets, it is not a question of whether you will be attacked; it is merely a
question of when. A recent survey of data center operators showed that 94 percent experience at least
one Distributed Denial of Service (DDoS) attack per month, and 22 percent experience 11-100 attacks
per month.1
The costs associated with a successful attack are
substantial. According to a Ponemon Institute survey, the
average cost per data breach in the United States is $5.4
million. On average, an organization suffers a cost of
$277 for each customer record that is lost or stolen by a
malicious attack.2 Victims of DDoS attacks lose, on
average, $22,000 per minute of downtime. 3
Internet threats come in many forms, but three in
particular are growing rapidly worse: network intrusions,
DDoS attacks, and data scraping.
These threats are not new. What is new is the rapidly
escalating scale and sophistication of these attacks—and
the growing inadequacy of traditional defenses to protect
against them.
Executives need to understand:
• The nature of each threat.
• Why each threat is getting worse.
• And why traditional countermeasures have grown inadequate.
To fully protect against contemporary Internet threats, a robust next-generation solution is required. One
will be discussed at the end of this paper.
1 Worldwide Infrastructure Security Report 2012, Arbor Networks, p. 47
2 2013 Cost of Data Breach Study: United States, Symantec/Ponemon Institute, pp. 1, 3
3 Cyber Security on the Offense: A Study of IT Security Experts, Radware/Ponemon Institute, November 2012
1
Three New Threats To Your Web Assets (and how to avoid them)
Threat 1: System Intrusion
What It Is
A system intrusion is any event that involves malicious entry into your network. It includes a wide range of
attack techniques, including SQL injection, cross-site scripting, and more.
The motive for such intrusions can vary widely. Hackers often break into web servers merely to deface the
sites for political purposes. On the opposite side of the spectrum is the company recently described in a
speech by F.B.I. Executive Assistant Director Shawn Henry, which was the victim of an intrusion and “lost
10 years worth of research and development—valued at $1 billion—virtually overnight.” 4
Why It’s Getting Worse
As cybercrime has grown more lucrative, its practitioners have grown professional. (According to a
Washington Post article, organized crime now represents the majority of data breaches. 5) Today’s criminal
hackers are highly skilled, and often well financed. Their attacks are systematic and thorough.
There are three major forces driving the increasing
technical sophistication of hacker groups: the increasing
presence of organized crime, the rise of governmentsponsored groups, and new attack techniques introduced
by national ‘weaponized software’ packages.
• Organized crime groups (especially in Eastern
Europe) now treat computer crime as a profession,
and a mature industry has arisen around criminal
Example of services offered on
Russian hacker sites
Programming service; Perl, PHP, C, $250
Java, etc.
Trojan for bank account stealing
$1,300
Trojan for web page data replacement in a client’s browser
WebMoney Keeper Trojan
Credit card checker
hacking. There are underground marketplaces
Backdoor
where every possible resource or skill is available for
hire. Botnets and other attack resources can be
LiveJournal spammer
rented by the hour, day, week, or month. Hackers
with specific attack skills offer their services as
$850
$450
$70
$400
$70
$15–20
$2,500–3,000
Fakes of different programs
Eleonore Exploit Pack v. 1.6.2
Source: Russian Underground 101, Trend Micro Inc.,
2012
freelancers. Customized malware is available directly
from its authors, and the malware itself is
technologically advanced.
Government-sponsored cybercrime is the second force driving the increased professionalization of
illicit hacking. China in particular has a large program devoted to plundering technology from the West.
Media reports about foreign hacking tend to focus on high-profile weapons systems like the U.S. F-35
advanced fighter jet (the secrets of which were stolen by China), but the Chinese are equally interested in
stealing from private businesses. According to a New York Times article, “They have stolen product
blueprints, manufacturing plans, clinical trial results, pricing documents, negotiation strategies and other
proprietary information” from dozens of major corporations, including Coca-Cola, RSA, Scheider Electric,
and Lockheed Martin.6
4 www.fbi.gov/news/speeches/responding-to-the-cyber-threat
5 Brian Krebs, “Organized Crime Behind a Majority of Data Breaches,” Washington Post, April 15, 2009
6 David Sanger and Nicole Perlroth, “Hackers From China Resume Attacks on U.S. Targets,” The New York Times, May 19, 2013
2
Three New Threats To Your Web Assets (and how to avoid them)
Weaponized software is the third driver of increasing malware sophistication. In the last few years, there
have been several instances of governments attacking rival nations with software, such as the Stuxnet
computer worm (which destroyed much of Iran’s nuclear program), and other related applications.7
Many experts believe that these applications were supposed to delete themselves after their work was
done, but for various reasons, this failed to happen. In any case, these programs were discovered, and
copies have now been distributed around the world.
As former U.S. cyberterrorism czar Rickard Clarke explained:
“If you’re a computer whiz you can take it apart and you can say, ‘Oh, let’s change this over here,
let’s change that over there.’ Now I’ve got a really sophisticated weapon. So thousands of people
around the world have it and are playing with it... The best cyberweapon the United States has
ever developed, it then gave the world for free.” 8
These ‘weaponized software’ packages are very advanced, including multiple new attack techniques
never seen before. Now they’re being studied closely and adapted by criminal gangs for use in private
attacks against businesses. This is a very ominous trend.
Why Traditional Defenses Are Inadequate
Traditional countermeasures against intrusion usually involve on-site hardware and/or software solutions.
The problems with these are numerous:
• The wide variety of threats requires a multitude of products. It’s difficult to choose an optimal
combination that adequately defends against all possible threats. It’s also challenging for staff to
properly operate and maintain a diverse suite of software and hardware products from multiple
vendors.
• The threat environment is constantly evolving. Staying current on the newest forms of attacks is
mandatory to maintain adequate defenses, but organizational staff often find it difficult to do this.
• The solutions themselves can have vulnerabilities. Security devices and software packages are
complicated, and are (by their nature) in constant direct contact with attacking hackers, who are
always probing for weaknesses. Not infrequently, the hackers are successful in finding some.
Vendors must then issue revisions, but sometimes these revisions aren’t issued right away. Even if
patches are issued promptly, individual organizations might not deploy them immediately, possibly
from an inattentive IT staff, or poor communication with the vendor, or even an executive decision to
delay the updates (typically from reluctance to modify the web infrastructure during a busy, highrevenue period, such as holiday shopping seasons for e-commerce sites). Whatever the reason, as
long as unpatched problems exist in your defenses, your web assets are vulnerable.
• Continuous education is required for on-site staff. As security vendors update their products,
organizational staff must receive continuous education to keep up with the new capabilities.
All considered, these deficiencies make robust security extremely difficult today.
7 Related applications include Flame, Gauss, and DuQu.
8 “Richard Clarke on Who Was Behind the Stuxnet Attack,” Smithsonian Magazine, April 2012.
3
Three New Threats To Your Web Assets (and how to avoid them)
Threat 2: Massive Distributed Denial of Service (DDoS) Attacks
What It Is
A DDoS is an attempt to make some or all of your web resources unavailable to the intended users.
This is the most straightforward form of Internet attack. The assailant is not trying to break into the
targeted system; he merely intends to overwhelm it and make it unresponsive to legitimate traffic.
Why It’s Getting Worse
The scale and sophistication of DDoS attacks are growing to unprecedented levels. According to eWeek,
the average size of the largest DDoS attacks in early 2013 increased sevenfold since the previous year.9
There are three primary reasons for the increasing scale and success of DDoS assaults:
• Hacking software and tactics have grown increasingly powerful. New tools like High Orbit Ion
Cannon can target up to 256 web addresses simultaneously, leveraging the attacker’s efforts.
Meanwhile, attacks themselves are getting more sophisticated; for example, an application-layer
DDoS can exhaust the target’s resources merely by exploiting logical weaknesses in its software,
rather than using the cruder traditional method of overwhelming the server with incoming network
traffic.
• Attack resources are abundant and cheap. A DDoS attacker will frequently use a botnet (a
network of malware-infected computers which can be controlled remotely) to flood the target with a
deluge of traffic from a variety of locations. In the past, hackers had to build their own botnets,
which required considerable time and resources. Today, botnets can be rented very cheaply. For
example, DDoS services are available from the Russian underground for just $10 per hour, or $150
per week. 10
• “Hacktivism” has made DDoS accessible even to non-hackers. Hacktivist groups such as
Anonymous—hackers who mount cyber-assaults to promote a political or social cause—often
consist of a few technically skilled individuals who recruit and supervise a much larger number of
non-skilled attackers. To equip these attackers, hacktivist programmers have created simple but
powerful software that enables a mob of ordinary Internet users to successfully overwhelm a target
with no technical skill whatsoever. In some cases, all an attacker needs to do is browse to a web
page. The page can hit the target with 200 requests per second, for as long as the attacker keeps it
open in his browser.11 Thus, groups like Anonymous are no longer restrained by technical limitations;
for hacktivists, mounting a large-scale assault has become more of a sociological exercise (i.e., how
large of a mob can be recruited via the Internet to browse to a specified page and keep it open for
hours or even days).
DDoS attacks are cheaper and easier to mount than ever before, and they’re growing in ferocity and
sophistication.
9 “Top-End DDoS Attack Bandwidth Surges Sevenfold: Report,” www.eweek.com/security/top-end-ddos-attack-bandwidth-surges-sevenfold-report/
10 Russian Underground 101, Trend Micro Inc., 2012, p. 8
11 Imperva’s Hacker Intelligence Summary Report; The Anatomy of an Anonymous Attack, Imperva, 2012, p. 15
4
Three New Threats To Your Web Assets (and how to avoid them)
Why Current Defenses Are Inadequate
The most popular current solutions to DDoS threats can be sorted into two categories: on-site hardware
appliances and offsite services offered by vendors such as telcos and ISPs (Internet Service Providers).
Both are inadequate to fully protect an organization against a large-scale contemporary DDoS.
On-site hardware appliances can process incoming packets, to filter and discard illegitimate traffic. This
“bandwidth management” will provide some resistance, but not immunity, to DDoS attacks. Even if some
appliances can increase your effective bandwidth, your bandwidth will still have a limit, which can be
exceeded by a large-enough attack. Thus, even after investing in an expensive hardware platform, your
site can still be brought down.
Also, an on-site appliance only addresses the last stage of the problem. When a large DDoS attack
occurs against your site, the traffic flows through your upstream bandwidth provider, which must defend
itself against the onslaught. The easiest solution is often to ‘black hole’ (discard) all your traffic. Obviously,
your appliances will do no good if your service provider cuts them off from the Internet.
Lastly, hardware solutions can be challenging to deploy. They require a well-trained IT staff as operators,
who in turn require substantial education with frequent refresher training to stay current as the threat
environment evolves.
Off-site vendors such as telcos and ISPs avoid many of the downsides of onsite hardware solutions.
However, they have two major weaknesses of their own.
First, ISPs and telcos are in the business of selling bandwidth. Their staff personnel are generally not
DDoS specialists. (Indeed, for an ISP such specialized capabilities would be a cost center rather than a
profit center.) However, modern DDoS attacks are frequently very difficult to diagnose.
A skilled DDoS assailant will use techniques that masquerade as legitimate traffic. Although it might be
obvious that a massive DDoS is in progress, an ISP might still be helpless and unable to distinguish the
garbage traffic from the legitimate visitors.
For example, a Slowloris attack (named after the software tool written by security researcher Robert
Hansen) sends partial HTTP GET requests to a Web server, adding to these requests slowly over time,
but never completing them. Eventually, all available connections are occupied with Slowloris activity, and
the server becomes unavailable to any other traffic. A similar attack is SlowPost, which sends a very slow
series of HTTP POST requests to accomplish the same goal.
Slowloris and Slowpost are simple examples of a much broader trend: application-layer attacks that
target vulnerabilities in how specific server applications work. Attacks like these are very difficult for nonspecialist vendors to mitigate, because the requests being sent to the server appear to be legitimate. As
a result, they're becoming more popular among attackers.
According to Gartner Research, application-based attacks like these are expected to rise to 25 percent of
all DDoS activity in 2013.12 Organizations which rely on ISPs and other non-specialist vendors for
protection will be increasingly vulnerable.
12 Arming Financial and E-Commerce Services Against Top 2013 Cyberthreats, Gartner Research, January 29, 2013
5
Three New Threats To Your Web Assets (and how to avoid them)
The second major weakness of relying on ISPs for protection is the ballooning scale of current DDoS
assaults. According to a report from Arbor Networks, more than 21 percent of all DDoS attacks now
range from 2,000 Mbps (Megabits per second) to 10,000 Mbps. 13 Compare this to the bandwidth of
some commonly-used Internet pipes:
Connection
Mbps
Connection
Mbps
Connection
Mbps
T1
1.5
OC3
155.5
OC48
2,488
T3
43.2
OC12
622.1
OC192
9,953
OC1
51.8
OC24
1,244
OC768
39,813
In other words, if your organization has any connection below OC48, and you are hit with a DDoS, there's
a one in five chance that the DDoS will exceed the capacity of your entire pipe.
Consider also that if the assailant is truly motivated, even the largest pipes can be overwhelmed. The
record so far is a March 2013 attack on Spamhaus.org, which exceeded 120 Gbps (120,000 Mbps).
According to Prolexic Technologies, more than 10 percent of DDoS attacks now exceed 60 Gbps
(60,000 Mbps). 14
Few organizations have enough available bandwidth to withstand these levels. Again, if such an attack
occurs, the ISP will often be forced to ‘solve’ it by null routing (discarding) all the traffic. This cuts the
organization off from the Internet—which is exactly what the attacker wants to accomplish.
The growing scale and sophistication of contemporary DDoS attacks require a new approach for
mitigation.
Threat 3: Scraping
What It Is
Scraping is the automated copying of information from a web site. Some forms of scraping are
benevolent, such as Google’s indexing bots, which constantly crawl the web. Conversely, malicious
scraping bots harvest information for purposes that are harmful to the interests of the web site’s owner.
Scraping can be tremendously costly to the victim. The damage can be as subtle as a long-term loss of
sales, as when competitors scrape your site and set their prices to undercut yours. Or it can be as blatant
as the theft and publishing of your information on other websites, which can make your site less
important or even irrelevant in your market.
Scrapers account for a substantial percentage of web traffic today. These bots usually masquerade as
benevolent traffic, such as Googlebot. (In one study, 16 percent of the surveyed websites had been
targeted by Google impersonation attacks. Among these sites, 21 percent of the bots claiming to be
Googlebot were imposters.15)
13 Q1 Key Findings from ATLAS, Arbor Networks, Inc., www.arbornetworks.com/corporate/blog/4855-q1-key-findings-from-atlas, April 22, 2013
14 Q1 2013 Global DDoS Attack Report, Prolexic Technologies,
www.prolexic.com/news-events-pr-giant-ddos-attacks-overwheliming-appliances-isps-carriers-content-delivery-networks-q1-2013-report.html, April 17, 2013
15 www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site
6
Three New Threats To Your Web Assets (and how to avoid them)
Why It’s Getting Worse
By their nature, scrapers are difficult to exclude, because the information they harvest is usually meant to
be accessible to public web traffic. Therefore, your site must be able to distinguish an actual human
visitor from a malevolent scraper bot, so that one can be granted access, while the other is not.
This has grown very problematic, as hackers have created bots that masquerade not just as benevolent
bots, but as human visitors. These bots appear to be genuine browser traffic by sending keystrokes,
mouse movements, and mouse click events to the web site.
Why Current Defenses Are Inadequate
Traditional defenses against scraping include challenges such as CAPTCHA16 tests embedded in the
site’s code: tests that humans can pass, but bots cannot. Unfortunately, despite the ubiquity of
CAPTCHAs on the Internet, hackers have cracked many of these schemes.
A Stanford University study found that 13 out of 15
CAPTCHA schemes used by popular web sites were
vulnerable to automated attacks. The research team
demonstrated a tool called Decaptcha, which can crack
not only many text-based CAPTCHAs, but audio ones
as well. Even prominent sites are vulnerable: for
example, Decaptcha can break the CAPTCHAs for
Authorize.net (part of the Visa credit card network) twothirds of the time.17
A typical CAPTCHA test
CAPTCHA vendors have responded by trying to make the tests harder for bots to read. Unfortunately,
this has resulted in tests that even humans have difficulty decoding. Web site owners who use these new
schemes risk alienating their users and even preventing people from using their web sites at all.
Ultimately, CAPTCHA tests and similar efforts are doomed to failure. In addition to automated tools,
scrapers and hackers always have the ultimate trump card: paying live humans to pass the tests.
Abusive Internet practices like scraping and (especially) spamming are so lucrative that a thriving market
has arisen for CAPTCHA-passing services, including brokers and middlemen. (The going rate is anywhere
from $.80 to $1.20 per 1,000 deciphered boxes.) 18
The traditional defenses against scraping have failed. A new approach is needed.
16 “Completely Automated Public Turing test to tell Computers and Humans Apart,” a trademark of Carnegie Mellon University
17 Bursztein et al, “Text-based CAPTCHA Strengths and Weaknesses,” ACM Computer and Communication Security 2011. Available at
cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf. See also news.stanford.edu/news/2011/may/captcha-security-flaw-052311.html
18 Vikas Bajaj, “Spammers Pay Others to Answer Security Tests,” The New York Times, April 25, 2010. Accessible at
www.nytimes.com/2010/04/26/technology/26captcha.html
7
Three New Threats To Your Web Assets (and how to avoid them)
A Next-Generation Solution to These Problems
As has been shown, the current generation of security solutions is inadequate to provide full protection.
Much of the problem originates in the typical network topology and data flow for a website:
In this configuration, all traffic—whether it’s legitimate or malevolent—flows directly to the datacenter
hosting the web site. The site must then defend itself against whatever threats are present in that traffic.
Reblaze is a next-generation cloud-based platform that restructures the traffic flow like this:
8
Three New Threats To Your Web Assets (and how to avoid them)
Here, traffic does not go directly to the web site. Instead, it is routed to Reblaze’s security gateways,
which are found around the world. Legitimate traffic is allowed to pass through the gateways to the web
site, while hostile traffic is blocked.
Reblaze blocks system intruders because:
• Dynamic address allocation hides the target’s network from the attackers.
• Would-be intruders must first make it through a Reblaze Security Gateway, a hardened portal
operated and monitored by a team of security experts. Even as attackers get more sophisticated
and new attack techniques are used, immediate countermeasures are deployed across the Reblaze
network.
• Protection is 24x7 and automatic. Reblaze’s goal is to make clients “secure by default.” On-site
organizational expertise is no longer needed. Nor is there a need for clients to keep on top of the
constantly changing threat environment on the web, because Reblaze’s experts do this already.
DDoS attacks are defeated because Reblaze provides:
• Instant bandwidth scaling. The cloud is used to absorb even the largest DDoS attacks, with
additional resources coming online as needed, instantly and automatically.
• Elastic load balancing, distributing attacks across Reblaze’s global clusters. This eliminates the
stress on both the targeted site and the site’s upstream provider, so that the provider has no reason
to throttle the traffic even during a large-scale assault.
• A team of specialists monitoring Reblaze’s gateways, detecting and defeating DDoS attacks as
they occur. Client organizations and businesses no longer need to maintain this expertise in-house,
nor do they need to worry about potentially unreliable support from telcos and ISPs.
• Automatic protection. Client organizations do not need to monitor their web assets 24/7, waiting
to respond to an attack. DDoS protection is continuously active—built into the design of Reblaze.
• Content Delivery Network (CDN) integration, providing the bandwidth of Amazon’s CloudFront to
client sites on-demand as needed. This is far larger than the bandwidth being offered to site owners
by telcos and ISPs.
• A private cloud network for each client. Every Reblaze client network operates in a secured
private environment. Thus, each client is unaffected by whatever attacks (DDoS or otherwise) other
clients might be experiencing.
Scraper bots and data thieves are excluded with:
• Next-generation bot identification algorithms, preventing malevolent bots from accessing
protected data.
• Advanced traffic analysis, using visitor behavior, challenges, and honeypots to detect even
advanced bots powered by full-stack browsers such as Webkit, Chromium/V8, and IEWebBrowserControl that bypass traditional bot detection methods. (This also defends against
automated penetration tools and attempted DDoS attacks.)
• Unique learning capabilities that allow Reblaze to identify and respond to scraping and other
threats even as they become more sophisticated.
9
Three New Threats To Your Web Assets (and how to avoid them)
In addition to the above, Reblaze offers many more benefits that traditional approaches cannot provide,
including:
• Advanced human detection and behavior detection algorithms, to exclude non-human traffic.
This alone greatly increases security, because it forces would-be assailants to personally conduct
each attack—something few hackers are willing to do (since large-scale automated attacks are
much more profitable).
• Site acceleration, making client sites more responsive to visitors.
• Real-time email and text message alerts and notifications, with alert levels configurable by the
client.
• Unmatched fine-tuning and control of Internet traffic to each web site. Every Reblaze client can
allow or deny access from specific countries, cities, networks, companies, anonymizer networks,
and more. Clients can watch, control, and re-route their traffic—all in real time.
• An affordable all-in-one solution. Organizations no longer need to choose among multiple
vendors and the countless security products being offered. Reblaze does it all.
• Easy deployment, with no installation required. Reblaze protection for an entire domain is enabled
merely with a DNS change. Clients can even keep all their existing security measures in place, and
merely add Reblaze as an extra layer of protection between their assets and the Internet.
Traditional web security approaches are inadequate and are rapidly growing obsolete. Reblaze is a nextgeneration solution, not only for today’s problems, but also tomorrow’s.
To learn more about protecting your web assets with Reblaze, visit reblaze.com
__
© All Rights Reserved
10