Switzerland under Attack

Werner Thalmeier
Director, Security Solutions EMEA
7. April 2016
A Look Into Attack Motives
Remember “C.H.E.W.” – Richard Clarke
• Cyber Crime – financial gain is the primary motive
• Hacktivism – driven by ideological differences
• Espionage – gaining information for political, financial or competitive leverage
• War – damage/destroy centers of power, military or non-military
Lines are blurring . . . “multi-motive” attacks
Ironically, the more “secure” your data is, the more it is at risk of a cyberattack
Over 90% Experienced Attacks in 2015
• Half of organizations experienced DDoS and phishing attacks
• Almost half had worm and virus damage
• One in ten have not experienced any of the attacks mentioned
Share of organizations reporting each attack type:
– DDoS: 51%
– Phishing: 50%
– Worm and Virus Damage: 47%
– Unauthorized Access: 34%
– Criminal SPAM: 29%
– Fraud: 25%
– Advanced Persistent Threat: 23%
– Theft of Prop. Info./Intellectual…: 15%
– Corporate/Geo-political Sabotage: 7%
– None of the above: 9%
Source: Radware ERT Report 2015
Increased Attacks on Education and Hosting
Comparing to 2014:
• Most verticals stayed the same
• Education and Hosting – increased likelihood
• Growing number of “help me DDoS my school” requests
• Motivations vary for Hosting
– Some target end customers
– Some target the hosting companies
[Chart: likelihood of attack per vertical, 2015 and change from 2014]
Source: Radware ERT Report 2015
Increase in Ransom as a Motive for Cyber-attacks
• More than 50% increase in ransom as a motivator for attackers
• Motivation behind cyber-attacks is still largely unknown
• One-third cited political/hacktivism
• About a quarter referenced competition, ransom, or angry users
[Chart: motives behind cyber-attacks, share of respondents, 2014 vs 2015]
Q: Which of the following motives are behind any cyber-attacks your organization experienced?
Burst Attacks on the Rise
• More than half of the three biggest attacks experienced lasted 1 hour or less
• Significant increase from the 27% in 2014
• Another indication of increased automated attacks
[Chart: duration of the three biggest attacks, 2011–2015. 2015: 1 hour or less 57%, 1 hour to 1 day 36%, 1 day to 1 week 4%, over a week 1%, constantly 2%]
Source: Radware ERT Report 2015
Q: What are the three biggest cyber-attacks you have suffered: Duration?
Similar Frequency for Network and Application Attacks
• Network: 38-42% experienced attacks daily, weekly or monthly
• Application: 38-52% experienced attacks daily, weekly or monthly
[Chart: share of organizations experiencing network and application attacks daily/weekly/monthly vs. rarely/never]
Complexity of Attacks Continues to Grow
Multi-vector attacks target all layers of the infrastructure
Attack vectors:
• “Low & Slow” DoS attacks (e.g. Slowloris)
• SQL Injections
• XSS, CSRF
• HTTP Floods
• Brute Force
• SSL Floods
• App Misuse
• Large volume network flood attacks
• Network Scan
• SYN Floods
Infrastructure layers: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server
Matching protections: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, SSL protection, WAF
Internet Pipe – #1 Failure Point
Internet pipe is the bottleneck of DDoS attacks
Where the bottleneck was (share of respondents):
• Internet Pipe (saturation): 36%
• Firewall: 21%
• IPS/IDS: 10%
• Load Balancer (ADC): 3%
• The Server Under Attack: 28%
• SQL Server: 2%
March 9th – Armada sends ransom letter
• Armada is sending ransom letters to Swiss financial institutes
• They ask for 25 Bitcoins
– 9.000,- € or 9.800,- CHF
• Swiss GovCert issued an alert
– http://www.govcert.admin.ch/blog/
• At least one paid...
Who is The Armada Collective?
Background
• Either originating from DD4BC or acting as a copycat using their methods.
• Focused on hosting providers, e-commerce and financial services, primarily in Europe.
• Two companies we know of have already been taken down.
Strategy
• Customers receive a ransom mail asking for 30 bitcoins (5.600 € – 8.400 €).
• A warning attack follows within minutes. If payment is refused, attacks increase to up to 1TB.
• Targeted – emails sent to dedicated and named internal recipients.
• They do their homework – if the victim has strong DDoS protection, they will not go after it. They only attack when they can create real damage.
Attack Methods
• Current vectors are amplification attacks (NTP, RIP reflection/amplification).
• Warning attacks up to 20GB.
Risk
• Affected organizations have a short time to act and prepare.
• Very high risk – aggressive and professional attackers.
• Proven results with high volume, taking down companies.
March 12th – Leading retailer and SBB became target
Attacks persisted throughout the week for several companies:
– Digitec.ch
– Fust.ch
– Microspot.ch
– Interdiscount.ch
– Denner.ch
– Leshop.ch
– Coop.ch
– Galaxus.com
– SBB.ch
– Brack.ch
"It is correct that our Webshop did not work for a short time. We currently believe that it was a DDoS attack. We can confirm that the customer data is safe and not affected. The shop is now again," said Nadine, Media Spokesperson at Interdiscount.
SBB, Interdiscount and Microspot went offline
Attack Vectors
Focus on volumetric attacks on the network layer
Network attacks typically exhaust network stack resources, router and switch processing capacity, and/or misuse bandwidth resources, all of which disrupt the victims’ network connectivity
Vectors observed:
– SSDP
– NTP
– DNS
– TCP RST
– TCP SYN
– SYN Flood
– SYN ACK
– ICMP
Volumetric Attack – DNS Amplification
• Most frequently used attack vector
• Amplification effect
– Regular DNS replies – a normal reply is 3-4 times larger than the request
– Researched replies – can reach up to 10 times the original request
– Crafted replies – attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes): amplification factor of up to 100 times
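As an added example (not Radware's code or part of the deck), the three amplification tiers above written as a classifier, plus a check a resolver operator could run over flow records to spot spoofed-source reflection: a client address that "sent" few query bytes but received far more reply bytes from the resolver. The flow-log line format, the resolver address and the sample records are all constructed for this example.

```python
import re
from collections import defaultdict

# Amplification tiers from the slide (reply bytes / request bytes)
REGULAR_MAX = 4.0      # normal reply: 3-4 times the request
RESEARCHED_MAX = 10.0  # reply chosen for its size: up to ~10 times; beyond is "crafted"

def classify_reply(request_bytes: int, response_bytes: int) -> str:
    """Return the slide's tier ("regular", "researched", "crafted") for one pair."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    factor = response_bytes / request_bytes
    if factor <= REGULAR_MAX:
        return "regular"
    if factor <= RESEARCHED_MAX:
        return "researched"
    return "crafted"

# Constructed (hypothetical) flow-log line format: "<src> -> <dst> udp <bytes>"
FLOW = re.compile(r"^(\S+) -> (\S+) udp (\d+)$")

def detect_reflection(lines, resolver, min_ratio=RESEARCHED_MAX, min_bytes=10000):
    """Per client IP, compare query bytes sent to the resolver with reply bytes
    received from it. Returns {client: ratio} for clients that received at least
    min_bytes with a ratio above min_ratio (inf if the client sent no queries)."""
    sent, received = defaultdict(int), defaultdict(int)
    for line in lines:
        m = FLOW.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        src, dst, size = m.group(1), m.group(2), int(m.group(3))
        if dst == f"{resolver}:53":
            sent[src] += size          # query from client to resolver
        elif src == f"{resolver}:53":
            received[dst] += size      # reply from resolver to client
    flagged = {}
    for client, rbytes in received.items():
        qbytes = sent.get(client, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if rbytes >= min_bytes and ratio > min_ratio:
            flagged[client] = round(ratio, 1)
    return flagged

# Constructed sample: one normal client, and one address being spoofed so that
# maximum-size (4096-byte) replies are reflected at it.
SAMPLE_LOG = (
    ["192.0.2.10 -> 203.0.113.5:53 udp 60", "203.0.113.5:53 -> 192.0.2.10 udp 200"] * 2
    + ["198.51.100.7 -> 203.0.113.5:53 udp 64", "203.0.113.5:53 -> 198.51.100.7 udp 4096"] * 5
)
```

`detect_reflection(SAMPLE_LOG, "203.0.113.5")` flags only 198.51.100.7, with a ratio of 64; the normal client stays below both thresholds.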
Parrot OS Attack Tool
• Popular OS for hackers, like Kali Linux
• DNS
• NTP
• SNMP
• SSDP
=> All are reflective attacks
Shenron Attack Tool
• Lizard Squad's public stresser service
• 19,99$ => 15GB attack for 1200 seconds
– DNS
– SNMP
– SYN
Generic Stresser Attack Tool
• Unnamed stresser offered via a hacker on Twitter
• telnet, UDP, ACK, Joomla and Portmap attacks
• They also offer additional services like Skype, domain, and Cloudflare resolvers
VDoS Attack Tool
• One of the most popular tools
• 19,99 will gain access to a 216 GBS attack network
• DNS, NTP, ESSYN, xSYN, TS3, TCPACK, Dominate, VSE, SNMP, PPS, Portmap and TCP-Amp
• We also saw this tool in the Sweden attacks
Hybrid DDoS Mitigation Solution
Components: Perimeter (Attack Mitigation Device, ADC, LAN), Radware Cloud Scrubbing Center, Defense Messaging between them
• Attack is detected and mitigated at the Perimeter
• Attack baseline is synchronized to Radware’s Cloud Scrubbing Center
• Volumetric DDoS attack saturates internet pipe
• Traffic is diverted immediately and scrubbed in the cloud, freeing internet pipe
Radware’s Security Solution
Addressing the Multi-Vector Challenge
• Radware Emergency Response Team – 24x7 Security Experts
• On-Demand Cloud DDoS Service – DefensePipe: +2TB mitigation capacity, hybrid or standalone models
• Centralized Management & Reporting – APSolute Vision
• Attack Mitigation Device – DefensePro: throughput ranging 200Mbps – 300Gbps
• Web Application Firewall – AppWall, Cloud WAF Service
Protection layers covered: On-Demand Cloud DDoS, DoS protection, Behavioral analysis, IPS, SSL protection, WAF
Lessons Learned – Successful Attack Mitigation
Proactive Preparation and Planning is Key
• Need for an attack mitigation solution with the widest coverage to protect from multi-vector attacks, including protection from network- and application-based DDoS attacks.
• Consider a hybrid solution that integrates on-premise detection and mitigation with cloud-based protection to block volumetric attacks.
• Monitor security alerts and examine triggers carefully. Tune existing policies and protections to prevent false positives and ensure accurate detection.
• Have a cyber-security emergency response plan that includes an emergency response team and process in place. Identify areas where help is needed from a third party.
• A single point of contact is crucial when under attack – it will help to divert internet traffic and deploy mitigation solutions.
Thank You
www.radware.com
security.radware.com
© Radware 2016