Prepared by Radware’s Emergency Response Team (ERT), the 2012 Global Application and Network Security Report highlights server-based botnets and encrypted-layer (HTTPS) attacks as just two of the new attack tools challenging organizations during DDoS attacks. Most recently, these tactics were used by the perpetrators of the attacks against U.S. financial institutions that have been ongoing since September 2012.
2. AGENDA
About 2012 Global Security Report
Key Findings & Trends
Attack Tools Trend
Recommendations
3. Information Resources
• Industry Security Survey
  – External survey
  – 179 participants
  – 95.5% are not using Radware DoS mitigation solutions
• ERT Cases
  – Internal survey
  – Unique visibility into attack behavior
  – 95 selected cases
  – Customer identity remains undisclosed
  – ERT gets to see attacks in real time on a daily basis
5. Organizations Bring a Knife to a Gunfight
• “Someone who brings a knife to a gun fight”
  – Organizations that do prepare for the fight, but do not understand its true nature
• Organizations today are like that
  – They do invest in security before the attack starts, and conduct excellent forensics after it is over
  – However, there is one critical blind spot: they do not have the capabilities or resources to sustain a long, complicated attack campaign
• Attackers target this blind spot!
6. Attacked in 2012
They had the budget.
They made the investment.
And yet they went offline.
22. HTTPS Based Attacks
• HTTPS-based attacks are on the rise
• SSL traffic is not terminated by DDoS cloud scrubbers or on-premise DDoS solutions: without the server’s private key they see only encrypted records and cannot inspect the HTTP requests inside
• SSL traffic is terminated by the ADC or by the web server, which is the first point where the attack requests become visible
• SSL attacks therefore hit their target and bypass the security solutions in front of it
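The following added example (not Radware’s code and not part of the report) makes the visibility gap concrete. It builds a minimal TLS ClientHello and an encrypted application-data record (both constructed here for illustration), then shows what a non-terminating device can still extract from them: the record type, the SNI host name from the ClientHello, per-source handshake counts and encrypted byte volume. The HTTP method, URL and headers of the flood are inside the application-data ciphertext and never appear. The `scrubber_view` and `handshake_flood_sources` functions and the sample source addresses are assumptions for the example, as is the cipher suite 0xC02F chosen for the hello.

```python
import struct
from collections import defaultdict

TLS_HANDSHAKE, TLS_APPLICATION_DATA = 0x16, 0x17
EXT_SERVER_NAME = 0


def build_client_hello(hostname):
    """Constructed minimal TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry                    # ServerNameList
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite (assumed)
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(payload_len):
    """Constructed encrypted record: an inspector without the key sees only this."""
    return b"\x17\x03\x03" + struct.pack("!H", payload_len) + bytes([0xAA]) * payload_len


def parse_sni(record):
    """Return the SNI host name from a ClientHello record, or None for anything else."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            q = 2                                           # skip ServerNameList length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii", "replace")
                q += nlen
    return None


def scrubber_view(flows):
    """What a non-terminating DDoS device can extract from (src_ip, record) pairs:
    handshakes per source, the SNI they carry, and encrypted byte volume.
    The HTTP request itself is ciphertext here and is not recoverable."""
    view = defaultdict(lambda: {"handshakes": 0, "sni": set(), "encrypted_bytes": 0})
    for src, record in flows:
        if not record:
            continue
        if record[0] == TLS_HANDSHAKE:
            view[src]["handshakes"] += 1
            name = parse_sni(record)
            if name:
                view[src]["sni"].add(name)
        elif record[0] == TLS_APPLICATION_DATA:
            view[src]["encrypted_bytes"] += len(record)
    return dict(view)


def handshake_flood_sources(view, max_handshakes):
    """The one control still available at this layer: per-source handshake rate limiting."""
    return sorted(src for src, v in view.items() if v["handshakes"] > max_handshakes)


# Constructed sample traffic: one bot opening many sessions, one ordinary client.
SAMPLE_FLOWS = []
for _ in range(200):
    SAMPLE_FLOWS.append(("198.51.100.7", build_client_hello("www.example.com")))
    SAMPLE_FLOWS.append(("198.51.100.7", build_application_data(120)))
SAMPLE_FLOWS += [("203.0.113.5", build_client_hello("www.example.com"))] * 2
```

Run `scrubber_view(SAMPLE_FLOWS)` and the bot stands out only by handshake count and byte volume; whether its encrypted requests are cheap static fetches or expensive search queries is decided at the ADC or web server, which is where request-level detection has to live.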
24. Attacks Evade CDN Service
[Diagram: legitimate users send GET www.example.com through the CDN; the botnet sends GET www.example.com/?[Random]; the CDN forwards the never-cached requests to the backend web server, and legitimate requests are refused]
• In recent cyber attacks, the CDN was easily bypassed by changing the page request in every Web transaction: GET www.example.com/?[Random]
  – Every distinct query string is a cache miss, so each bot request is fetched from the origin instead of being served from the CDN
• These random request techniques forced CDNs to “raise the curtain”
  – All the attack traffic is disembarked directly to the customer premise
  – Attacks masked by the CDN service are more difficult to mitigate, because the requests arrive from the CDN’s own addresses
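The following added example (not Radware’s code and not part of the report) reproduces the bypass on a toy CDN edge and shows the two practitioner responses. `CachingEdge` is a hypothetical cache whose key policy is configurable: keyed on the full URL, every random query string misses and reaches the origin; keyed only on a whitelist of known parameters, the random noise collapses onto one cached object. `random_query_clients` is an assumed detector run over constructed access-log lines in combined log format, flagging clients that almost never repeat a query string. Host names, addresses and thresholds are illustrative.

```python
import random
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit


class OriginServer:
    """Stand-in for the customer's backend web server; counts what reaches it."""

    def __init__(self):
        self.hits = 0

    def fetch(self, cache_key):
        self.hits += 1
        return "<html>" + cache_key + "</html>"


class CachingEdge:
    """Toy CDN edge node. With allowed_params=None the cache key is the full URL
    including the query string, so every unique query is a miss. With a whitelist,
    unknown parameters are dropped from the key and only known ones identify an object."""

    def __init__(self, origin, allowed_params=None):
        self.origin = origin
        self.allowed = allowed_params
        self.cache = {}

    def cache_key(self, url):
        parts = urlsplit(url)
        if self.allowed is None:
            return parts.path + "?" + parts.query
        kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                if k in self.allowed]
        return parts.path + "?" + urlencode(sorted(kept))

    def get(self, url):
        key = self.cache_key(url)
        if key not in self.cache:               # miss: forward to origin
            self.cache[key] = self.origin.fetch(key)
        return self.cache[key]


def random_queries(count, seed):
    """Constructed bot behaviour: a fresh random query string for every request."""
    rng = random.Random(seed)
    return ["%016x" % rng.getrandbits(64) for _ in range(count)]


def attack_urls(count, seed=1):
    return ["http://www.example.com/?" + q for q in random_queries(count, seed)]


def origin_hits(urls, allowed_params=None):
    """Replay urls through one edge node; return how many reached the origin."""
    origin = OriginServer()
    edge = CachingEdge(origin, allowed_params)
    for url in urls:
        edge.get(url)
    return origin.hits


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def random_query_clients(log_lines, min_requests=50, distinct_ratio=0.9):
    """Flag clients whose requests almost never repeat a query string."""
    totals = Counter()
    queries = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        totals[ip] += 1
        queries[ip].add(urlsplit(target).query)
    return sorted(ip for ip, n in totals.items()
                  if n >= min_requests and len(queries[ip]) / n >= distinct_ratio)


def _log_line(ip, target):
    return '%s - - [10/Sep/2012:10:00:00 +0000] "GET %s HTTP/1.1" 200 512' % (ip, target)


# Constructed origin access log: one bot with random queries, one browsing user.
SAMPLE_LOG = [_log_line("198.51.100.7", "/?" + q) for q in random_queries(100, seed=2)]
SAMPLE_LOG += [_log_line("203.0.113.5", "/?page=%d" % (i % 5)) for i in range(100)]
```

`origin_hits(attack_urls(1000))` returns 1000, one origin fetch per bot request; with `allowed_params={"page"}` the same thousand requests produce a single origin fetch. When the cache key cannot be tightened (dynamic pages), the detector gives the origin-side DDoS solution a client-level signal that the request-level view behind the CDN otherwise lacks.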
25. Servers Enlisted to the Botnet Army
• In 2012 a dramatic change occurred in the DDoS landscape
• Attackers build and activate botnets of powerful servers to achieve:
  – Greater firepower: roughly 100x higher bandwidth capacity vs. a home PC
  – Greater reliability: servers are always online
  – Greater control: fewer machines to control vs. a botnet of PCs
28. Attackers Are Well Prepared
• Attackers plan and run attacks on a regular basis
• They are turning DDoS attacks into their profession
• Organizations face attacks only a few times per year
• That is too little experience to build the required “know-how”
29. Conclusions
• Today’s attacks are different:
  – Carefully planned
  – Last days or weeks
  – Switch between attack vectors
• Organizations are ready to fight yesterday’s attacks:
  – They deploy security solutions that can absorb the first strike
  – But when attacks are prolonged, they have very limited firepower left
  – By the time they succeed in blocking the first two attack vectors, attackers switch to a third, more powerful one
30. Recommendations
• Acquire capabilities to sustain long attacks
• Train a team that is ready to respond to persistent attacks
• Deploy the most up-to-date methodologies and tools
• 24 x 7 availability to respond to attacks
• Deploy counterattack techniques to cripple an attack