The Art of Cyber War Strategies in a rapidly evolving theatre
RSI, May 2014. © Radware, Inc. 2014

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly regarded as the definitive work on military strategy and tactics, and for the last two thousand years it has remained the most important military dissertation in Asia. It has influenced Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work. Many of its conclusions remain valid in the cyber warfare era.

Agenda
• Variation of Tactics 九變
• The Army on the March 行軍
• Illusion & Reality 虛實
• The Use of Intelligence 用間
• Laying Plans 始計

Attack Vectors (chart: share of attack vectors, increasing complexity)
• Application: 62%
• Network: 38%

不戰而屈人之兵,善之善者也
To subdue the enemy without fighting is the acme of skill

• Individual Servers (1998 - 2002): Malicious software installed on hosts and servers (mostly located at Russian and East European universities), controlled by a single entity through direct communication. Examples: Trin00, TFN, Trinity.
• Botnets (1998 - present): Stealthy malicious software installed mostly on personal computers without the owner's consent, controlled by a single entity through indirect channels (IRC, HTTP). Examples: Agobot, DirtJumper, Zemra.
• Voluntary Botnets (2010 - present): Many users, at times as part of a hacktivist group, willingly share their personal computers, using predetermined and publicly available attack tools and methods, with an optional remote control channel. Examples: LOIC, HOIC.
• New Server-based Botnets (2012 onward): Powerful, well orchestrated attacks using a geographically spread server infrastructure. A few attacking servers generate the same impact as hundreds of clients.

不戰而屈人之兵,善之善者也
Current prices on the Russian underground market:
• Hacking a corporate mailbox: $500
• Winlocker ransomware: $10-$20
• Unintelligent exploit bundle: $25
• Intelligent exploit bundle: $10-$3,000
• Basic crypter (for inserting rogue code into a benign file): $10-$30
• SOCKS bot (to get around firewalls): $100
• Hiring a DDoS attack: $30-$70 per day, $1,200 per month
• Botnet: $200 for 2,000 bots
• DDoS botnet: $700
• ZeuS source code: $200-$250
• Windows rootkit (for installing malicious drivers): $292
• Hacking a Facebook or Twitter account: $130
• Hacking a Gmail account: $162
• Email spam: $10 per one million emails
• Email scam (using a customer database): $50-$500 per one million emails

Attack Length (chart: share of attacks by duration, increasing duration)

故善战者,立于不败之地
The good fighters of old first put themselves beyond the possibility of defeat

Sophistication (timeline, 2010 to 2013):
• Attack target: Visa, MasterCard. Duration: 3 days. 4 attack vectors.
• Attack target: HKEX. Duration: 3 days. 5 attack vectors.
• Attack target: Vatican. Duration: 20 days. More than 7 attack vectors.
• Attack target: US banks. Duration: 7 months. Multiple attack vectors.

知彼知己,百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles

Notable DDoS Attacks in the Last 12 Months

行軍: Colombia
Battlefield: Colombian government online services
Cause: Colombian Independence Day
Battle: A large-scale cyber attack held on July 20th, Colombian Independence Day, against 30 Colombian government websites.
Result: Most websites were either defaced or shut down completely for the entire day of the attack.

Attackers: Colombian Hackers
• A known hacker collective suspected of being responsible for several other cyber attacks in Colombia during 2012-13. The group and its sympathizers used Twitter to communicate.
Motivation: Ideological
• Anti-government stance, claiming to stand for "freedom, justice and peace." Mantra: "We are Colombian Hackers, to serve the people."

Web application attacks:
• Directory traversal: web application attack to gain access to password files that can later be cracked offline.
• Brute force attacks on the pcAnywhere service: guessing weakly protected accounts gives attackers remote access to victim servers.
• SQL injection attacks: web application attacks to gain remote server access.
• Web application vulnerability scanning.
• Application-layer DDoS: mainly HTTP flood attacks.
Network DDoS attacks:
• SYN floods, UDP floods, ICMP floods.
• Anomalous traffic (invalid TCP flags, source port zero, invalid L3/L4 headers).
• TCP port scans.

行軍: Operation Ababil
Battlefield: U.S. commercial banks
Cause: Elimination of the film "Innocence of Muslims"
Battle: Phase 4 of a major multi-phase campaign, Operation Ababil, which commenced during the week of July 22nd. Primary targets included Bank of America, Chase Bank, PNC, Union Bank, BB&T, US Bank, Fifth Third Bank, Citibank and others.
Result: Major US financial institutions impacted by intensive and protracted distributed denial of service attacks.

Attackers: Cyber Fighters of Izz ad-Din al-Qassam
• Purported Iranian state-sponsored hacktivist collective, said to be acting to defend Islam.
Motivation: Religious fundamentalism
• "Well, misters! The break's over and it's now time to pay off. After a chance given to banks to rest awhile, now the Cyber Fighters of Izz ad-Din al-Qassam will once again take hold of their destiny. As we have said earlier, the Operation Ababil is performed because of widespread and organized offends to Islamic spirituals and holy issues, especially the great prophet of Islam (PBUH) and if the offended film is eliminated from the Internet, the related attacks also will be stopped. While the films exist, no one should expect this operation be fully stopped. The new phase will be a bit different and you'll feel this in the coming days. Mrt. Izz ad-Din al-Qassam Cyber Fighters"

Attack methods:
Massive TCP and UDP flood attacks:
• Targeting both web servers and DNS servers. The Radware Emergency Response Team tracked and mitigated attacks of up to 25Gbps against one of its customers. The source appears to be the Brobot botnet.
DNS amplification attacks:
• The attacker sends queries to a DNS server with a spoofed source address that identifies the target under attack. The large replies from the DNS servers, usually so big that they have to be split over several packets, flood the target.
HTTP flood attacks:
• Cause web server resource starvation through an overwhelming number of page downloads.
Encrypted attacks:
• SSL-based HTTPS GET requests place a major load on the HTTP server, which consumes about 15x more CPU to process the encrypted attack traffic.

Event Correlation: Iranian-linked cyber attacks (chart, July 2010 to July 2013; source: Analysis Intelligence)
• al Qassam Cyber Fighters: 22 events
• Iranian Cyber Army: 1 event
• Parastoo

Challenge & Response Escalations:
• Automatic challenge mechanisms are employed by the Radware Attack Mitigation System to discriminate between legitimate traffic and attack tools.
• Phase 4 attackers implemented advanced mechanisms that emulated normal web browser users in order to circumvent mitigation tools.
• This necessitated the implementation of increasingly sophisticated challenge mechanisms that the attack tools could not support.

Script     | 302 Redirect Challenge | JS Challenge | Special Challenge
Kamikaze   | Pass                   | Not pass     | Not pass
Kamina     | Pass                   | Not pass     | Not pass
Terminator | Pass                   | Pass         | Not pass

行軍: Spamhaus
Battlefield: Spamhaus
Cause: Corporate ideological differences
Battle: A nine-day assault that resulted in the largest recorded volumetric distributed denial of service attack, peaking at over 300Gbps.
Result: Spamhaus's services did go down at points; it stated that it withstood the attack, but only with the assistance of companies such as CloudFlare and Google. Given the scale of the attack and the techniques used, concerns were expressed that the very fabric of the internet could be compromised.

Attackers: CyberBunker?
• Provider of anonymous, secure hosting services.
Motivation: Retaliation against Spamhaus
• CyberBunker, a provider of secure and anonymous hosting services, was blacklisted by Spamhaus, a non-profit anti-spam organization that advises ISPs. It was claimed that CyberBunker was a 'rogue' host and a haven for cybercrime and spam organizations. Spamhaus alleged that CyberBunker, with the aid of "criminal gangs" from Eastern Europe and Russia, launched a DDoS attack against Spamhaus for "abusing its influence."

Attack method:
• The attack started as a 10-80Gbps volumetric attack at layer 3 that was at first contained successfully; it peaked at 75Gbps on March 20.
• During March 24-25 the attack grew to 100Gbps, peaking at 309Gbps.
• No botnet was in use. The attackers used servers on networks that allow IP spoofing, in conjunction with open DNS resolvers.
• Misconfigured DNS resolvers with no response rate limiting amplify the attack by a factor of 50: each small query with a spoofed source elicits an answer many times its size, delivered to the spoofed address.
• Nearly 25% of networks are configured to allow spoofing instead of employing BCP38 ingress filtering...
• There are over 28 million open resolvers in operation...

行軍: New York Times
Battlefield: New York Times
Cause: Syrian conflict
Battle: Attack on the NYTimes domain name records (DNS).
Result: The New York Times website was taken offline for almost 2 hours as the domain was redirected to Syrian Electronic Army servers.
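The Challenge & Response table above (302 redirect, JavaScript and "special" challenges, and which attack scripts survive each) can be modelled as a ladder the mitigation device raises one rung at a time. The following is an added example written for this page, not Radware's Attack Mitigation System code. The cookie names, the HMAC secret, the JS puzzle, and the interaction header standing in for the unspecified "special challenge" are all assumptions; the three script profiles are taken from the table, with a real browser added for comparison.

```python
"""Challenge-ladder model: 302 redirect -> JavaScript challenge -> 'special' challenge.

Added illustration, not Radware code. Cookie names, the HMAC secret, the JS puzzle and
the interaction header standing in for the 'special challenge' are all assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

DEVICE_SECRET = b"per-device-secret"  # hypothetical key held by the mitigation device


def sign(nonce: str) -> str:
    """HMAC over the session nonce; a bot cannot mint a valid cookie pair without the secret."""
    return hmac.new(DEVICE_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def js_answer(nonce: str) -> str:
    """What the JavaScript served to the client computes; a script without a JS engine cannot."""
    return hashlib.sha256((nonce + ":js").encode()).hexdigest()[:16]


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookie: dict = field(default_factory=dict)
    location: str = ""


class ChallengeLadder:
    """level 1: 302 redirect only; level 2: adds JS challenge; level 3: adds 'special' challenge."""

    def __init__(self, level: int):
        self.level = level

    def handle(self, req: Request) -> Response:
        nonce = req.cookies.get("amsid")
        # Rung 1: no valid signed session cookie -> redirect; only clients that follow it and
        # resend the cookies get further (sequential HTTP floods often fire and forget).
        if not nonce or not hmac.compare_digest(req.cookies.get("amssig", ""), sign(nonce)):
            nonce = secrets.token_hex(8)
            return Response(302, location=req.path,
                            set_cookie={"amsid": nonce, "amssig": sign(nonce)})
        # Rung 2: serve a script that derives a cookie value from the nonce.
        if self.level >= 2 and req.cookies.get("amsjs") != js_answer(nonce):
            return Response(200, body="<script>/* compute amsjs from amsid */</script>")
        # Rung 3: a check only an interactive browser satisfies (assumed header here).
        if self.level >= 3 and req.headers.get("X-Interaction") != "ok":
            return Response(200, body="<special-challenge/>")
        return Response(200, body="ORIGIN")


@dataclass
class Client:
    """Capability profile of an HTTP-flood script (or a real browser)."""
    name: str
    follows_redirects: bool
    runs_js: bool
    interactive: bool


def attempt(client: Client, ladder: ChallengeLadder, max_hops: int = 6) -> bool:
    """True if the client reaches the origin, False if it is stopped by a challenge."""
    req = Request("/")
    for _ in range(max_hops):
        resp = ladder.handle(req)
        if resp.status == 302:
            if not client.follows_redirects:
                return False
            req.cookies.update(resp.set_cookie)
            req.path = resp.location
        elif resp.body == "ORIGIN":
            return True
        elif "<script>" in resp.body:
            if not client.runs_js:
                return False
            req.cookies["amsjs"] = js_answer(req.cookies["amsid"])
        elif "<special-challenge/>" in resp.body:
            if not client.interactive:
                return False
            req.headers["X-Interaction"] = "ok"
    return False


# Profiles matching the table; 'Browser' is a real user for comparison.
SCRIPTS = [
    Client("Kamikaze", True, False, False),
    Client("Kamina", True, False, False),
    Client("Terminator", True, True, False),
    Client("Browser", True, True, True),
]


def ladder_matrix() -> dict:
    """Per script: [passes level 1, passes level 2, passes level 3]."""
    return {c.name: [attempt(c, ChallengeLadder(lvl)) for lvl in (1, 2, 3)] for c in SCRIPTS}


if __name__ == "__main__":
    for name, row in ladder_matrix().items():
        print(f"{name:11} " + "  ".join("Pass" if ok else "Not pass" for ok in row))
```

The point of the ladder is that each rung costs the defender little (a redirect, a few lines of script) but forces the attacker to re-tool: Kamikaze and Kamina stop at the JS challenge, Terminator emulates enough of a browser to run script but not to pass the final rung, and only the real browser reaches the origin at level 3. Raising the level is what the deck calls escalating the challenge; it is also why the "security gap" matters, since the attacker gets time to adapt between rungs.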
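The DNS amplification mechanism described for both Operation Ababil and the Spamhaus attack (spoofed queries to open resolvers, answers around 50 times the size of the query, no response rate limiting, no BCP38 filtering) is shown from three vantage points in the following added example, written for this page and not Radware's, Spamhaus's or CloudFlare's tooling: the egress filter the attacker's hosting network should have had, the unsolicited-answer check a victim can run at its border, and the resolver-side rate limiter that removes the amplification. The addresses (RFC 5737 documentation ranges), the packet records and the rate-limiter parameters are constructed assumptions.

```python
"""DNS reflection/amplification: BCP38 egress check, unsolicited-response detection, RRL.

Added illustration, not Radware code or captured traffic. All addresses come from the
RFC 5737 documentation ranges and the packet records below are constructed by hand.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    size: int       # bytes on the wire
    qname: str
    response: bool  # True for a DNS answer, False for a query


# Roles (assumed): 192.0.2.0/24 hosting network that does not filter egress,
# 198.51.100.53 open recursive resolver, 203.0.113.10 the reflection victim.
HOSTING_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

EGRESS_AT_HOSTER = [  # constructed: packets leaving the hosting network
    Pkt("192.0.2.7", "198.51.100.53", 40001, 53, 64, "example.net", False),     # genuine query
    Pkt("203.0.113.10", "198.51.100.53", 40002, 53, 64, "example.net", False),  # spoofed source
    Pkt("203.0.113.10", "198.51.100.53", 40003, 53, 64, "example.net", False),  # spoofed source
]

INGRESS_AT_VICTIM = [  # constructed: packets crossing the victim's border
    Pkt("203.0.113.10", "203.0.113.2", 5001, 53, 60, "intranet.example", False),  # own query
    Pkt("203.0.113.2", "203.0.113.10", 53, 5001, 130, "intranet.example", True),  # its answer
    Pkt("198.51.100.53", "203.0.113.10", 53, 40002, 3200, "example.net", True),   # reflected
    Pkt("198.51.100.53", "203.0.113.10", 53, 40003, 3200, "example.net", True),   # reflected
]


def bcp38_violations(pkts, own_prefixes):
    """BCP38: a packet leaving a network must carry a source address from that network."""
    return [p for p in pkts
            if not any(ipaddress.ip_address(p.src) in net for net in own_prefixes)]


def unsolicited_dns_responses(pkts):
    """Answers (src port 53) with no outbound query matching addresses, port and name.
    A reflection victim never sent the queries, so every reflected answer is unsolicited."""
    asked = {(p.src, p.dst, p.sport, p.qname) for p in pkts if not p.response and p.dport == 53}
    return [p for p in pkts
            if p.response and p.sport == 53 and (p.dst, p.src, p.dport, p.qname) not in asked]


def reflection_report(pkts):
    """Per victim address: count and bytes of unsolicited answers, plus the busiest reflector."""
    by_victim = defaultdict(lambda: {"answers": 0, "bytes": 0, "reflectors": defaultdict(int)})
    for p in unsolicited_dns_responses(pkts):
        v = by_victim[p.dst]
        v["answers"] += 1
        v["bytes"] += p.size
        v["reflectors"][p.src] += p.size
    return {victim: {"answers": v["answers"], "bytes": v["bytes"],
                     "top_reflector": max(v["reflectors"], key=v["reflectors"].get)}
            for victim, v in by_victim.items()}


def amplification_factor(query: Pkt, answer: Pkt) -> float:
    """Bytes the target receives per byte the attacker had to send."""
    return answer.size / query.size


class ResponseRateLimiter:
    """Resolver-side fix: at most `per_second` identical answers to one client address per second.
    Modelled on the idea behind BIND's RRL; fixed one-second windows are a simplification."""

    def __init__(self, per_second: int):
        self.per_second = per_second
        self.buckets = defaultdict(int)  # (client, qname, second) -> answers already sent

    def allow(self, client: str, qname: str, now: float) -> bool:
        key = (client, qname, int(now))
        if self.buckets[key] >= self.per_second:
            return False  # drop (or truncate) instead of amplifying toward the spoofed client
        self.buckets[key] += 1
        return True


if __name__ == "__main__":
    print("spoofed egress:", [p.src for p in bcp38_violations(EGRESS_AT_HOSTER, HOSTING_PREFIXES)])
    print("reflection report:", reflection_report(INGRESS_AT_VICTIM))
    print("amplification x", amplification_factor(EGRESS_AT_HOSTER[1], INGRESS_AT_VICTIM[2]))
```

With the constructed records the 64-byte spoofed query yields a 3200-byte answer, the factor of 50 quoted on the Spamhaus slide. Note who can act where: only the hosting network can apply the BCP38 check (the victim never sees the spoofed queries), only the resolver operator can rate-limit, and the victim's border is left with recognising answers it never asked for, which is why that traffic is best dropped upstream rather than at the victim's pipe.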
Attackers: Syrian Electronic Army
• Hackers aligned with Syrian President Bashar Assad. Mainly targets political opposition groups and western websites, including news organizations and human rights groups.
Attacks: Spear phishing & directed DNS attacks
• Phishing attacks on Melbourne IT, the New York Times's domain registrar.
• With the registrar account compromised, the SEA changed the NYT domain's records and redirected the domain to its own servers.

不可胜在己
Being unconquerable lies with yourself

(chart: where attacks cause failure, 2011 to 2013; components: Internet pipe, firewall, IPS/IDS, load balancer (ADC), server, SQL server; attack types: volumetric floods, network scans, SYN floods, low & slow e.g. Sockstress, HTTP floods, SSL floods, brute force, application misuse, vulnerability exploitation)

不可胜在己
DoS Defense Component               | Vulnerability Exploitation | Network Flood  | Infrastructure Exhaustion | Target Exhaustion
Network Devices                     | No                         | No             | Some                      | Some
Over-Provisioning                   | No                         | Yes, bandwidth | Yes, infrastructure       | Yes, server & app.
Firewall & Network Equipment        | No                         | No             | Some                      | Some
NIPS or WAF Security Appliances     | Yes                        | No             | No, part of problem       | No
Anti-DoS Box (Stand-Alone)          | No                         | No             | Yes                       | Yes
ISP-Side Tools                      | No                         | Yes            | Rarely                    | Rarely
Anti-DoS Appliances (ISP Connected) | No                         | Yes            | Yes                       | Yes
Anti-DoS Specialty Provider         | No                         | Yes            | Yes                       | Yes
Content Delivery Network            | No                         | Yes            | Yes                       | Limited

兵之情主速
THE SECURITY GAP
• The attacker has time to bypass automatic mitigation.
• The target does not possess the required defensive skills.

故兵貴勝,不貴久
What is essential in war is victory, not prolonged operations

Detection: Encrypted / Non-Volumetric Attacks
• Envelope attacks: device overload
• Directed attacks: exploits
• Intrusions: misconfigurations
• Localized volume attacks
• Low & slow attacks
• SSL floods

Detection: Application Attacks
• Web attacks
• Application misuse
• Connection floods
• Brute force
• Directory traversals
• Injections
• Scraping & API misuse

Detection: Volumetric Attacks
• Network DDoS
• SYN floods
• HTTP floods

没有战略,战术是之前失败的噪音
Tactics without strategy is the noise before defeat

目标 Target
Don't assume that you're not a target. Draw up battle plans. Learn from the mistakes of others.

可用性 Protection (availability)
Protecting your data is not the same as protecting your business. True security necessitates data protection, system integrity and operational availability.

漏洞 Vulnerability
You don't control all of your critical business systems. Understand your vulnerabilities in the distributed, outsourced world.

检测 Detection
You can't defend against attacks you can't detect. The battle-prepared business harnesses an intelligence network.

宣传 Propaganda
Don't believe the DDoS protection propaganda. Understand the limitations of cloud-based scrubbing solutions. Not all networking and security appliance solutions were created equal.

限制 Limitations
Know your limitations. Enlist forces that have the expertise to help you fight.

你准备好了吗? Are You Ready?

谢谢 Thank You
Michael Tememe, Regional Sales Manager, Radware
[email protected]