Post on 29-Jul-2018
transcript
November 16, 2015
Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can’t See
Louis Scialabba
Carrier Solutions Marketing
Nov 2015
Topics
• What’s New in Cybersecurity
• An Attack Mitigation Network Architecture
o Building a Better Mousetrap
o Reference Use Cases
o A Case Study
o Summary
Security Report Update – What’s Trending?
The Rise of the Continuous Attack
No One is Immune - Unexpected Targets
Internet Pipe – 2014’s #1 Failure Point
Reflective Attacks – the Largest DDoS Headache
Application Attacks on the Rise
Hybrid Solutions are Gaining Ground
Cloud, IoT & SDN are Changing the Rules of the Game
Losing Sleep in the C-suite
Motivations Behind Attacks Are Changing
• Cyber Crime – financial gain is the primary motive
• Hacktivism – driven by ideological differences
• Espionage – gaining information for political, financial or competitive leverage
• War – damage/destroy centers of power, military or non-military
No One is Immune – Unexpected Targets
Threats in new industries, organizational sizes and technology deployments
Healthcare and Education – unexpected targets now at risk
Gaming, Hosting and ISP companies – increased likelihood
Financial Services – the only industry to have a reduced risk
[Chart: 2014 change from 2013]
Why Should You Care?
Today more than ever, TIME IS MONEY
1 minute OUTAGE: $11,000 loss per server*
Annual cost: $5,780,000 per server*
* Representing lost revenues from an SLA breach | based on 99.9% availability
Did You Know?
Attacks evenly split across network and application layers
Web-based attacks remain the single most common attack vector
– 1 in every 4 are HTTPS
Increased reflective attacks caused UDP attacks to rise
– From 7% in 2013 to 16% in 2014
Reflective attacks represent 2014’s single largest DDoS “headache”
[Pie chart: attack vector split. Network 51% – TCP-SYN Flood, TCP-Other, UDP, ICMP, IPv6 1%. Application 49% – Web (HTTP/HTTPS), DNS, SMTP, VoIP 1%. The remaining slice values on the chart (10%, 16%, 6%, 18%, 9%, 23%, 16%) cannot be mapped to individual slices from the extracted text.]
Carrier Threats Lurking in the Shadows
[Diagram: attack path Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server, with the corresponding protection layers Cloud DDoS protection, DoS protection, Behavioral analysis, IPS, WAF and SSL protection. Threats placed along the path:]
• Multi-vector attacks
• “Low & Slow” DoS attacks (e.g. Sockstress)
• Large-volume network flood attacks
• SYN floods
• Network scan
• HTTP floods
• SSL floods
• App misuse
• Brute force
• XSS, CSRF
• SQL injections
Attack Mitigation Architecture
Attack Mitigation Pillars: Detection, Mitigation, Operation, Collection
How Can You Protect From Something You Don’t See?
Multilayer Detection is Critical!
[Comparison diagram]
Non-Radware: Network Attacks; Application Attacks
Radware: Network Attacks, plus
• Source IP-agnostic detection
• Encrypted SSL-based attacks
• Beyond HTTP (SMTP, FTP, SQL)
• OpenFlow-based detection
• Encapsulated attacks
• Application Attacks
Radware Mitigation Elements
• DefensePro – real-time attack mitigation device providing layer 4-7 multi-attack coverage
• DefenseFlow – network-wide attack detection and cyber command and control
• AppWall – Web Application Firewall (WAF) providing full coverage of OWASP top-10 threats
Robust Data Collection
Multi-source collection ensuring 100% attack coverage
• Radware virtual & physical appliances – L3-4-7 collection
• CheckPoint DDoS Protector
• Cisco FirePower 9300
• 3rd party detection devices (NetFlow, SIEM, …)
• Radware Flow Collector – NetFlow
• SDN-enabled devices – OpenFlow / OpenDaylight
All feeding the Command & Control function
Behavior-Based vs. Rate-Based Detection
To avoid service-level impact on legitimate traffic
Behavior-Based Detection (Radware): Rate-Invariant Behavioral Analysis
Rate-Based Detection (Non-Radware): Rate Analysis
[Chart: TCP Flag Distribution Analysis – share (0–100%) of SYN, SYN-ACK, ACK, Data, RST and FIN-ACK packets, shown for a Flash Crowd and for an RST Flood Attack. Rate analysis registers both as a rate increase; rate-invariant behavioral analysis separates them by the shift in flag distribution.]
Beyond Primitive Source IP Blocking
Smart traffic blocking based on a real-time signature that incorporates multiple parameters, compared with primitive source-IP-address blocking
Non-Radware: source IP address only (X.X.X.X)
Radware: signature with multiple parameters
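The two points above (rate-invariant behavioral detection via TCP flag distribution, and a multi-parameter real-time signature instead of source-IP blocking) as one worked example. This is added illustration written for this page, not Radware DefensePro code: the packet model, the constructed baseline, the 20% deviation threshold, the 5x rate factor, the 90% dominance share and the choice of signature parameters (flag, destination port, size, TTL) are all assumptions. The traffic windows are constructed inline.

```python
"""Rate-invariant behavioural detection and multi-parameter signature.

Added example for this page; not Radware code. Baseline, thresholds and
the parameter set are illustrative assumptions; all traffic is constructed.
"""
from collections import Counter
from dataclasses import dataclass

FLAGS = ("SYN", "SYN-ACK", "ACK", "DATA", "RST", "FIN-ACK")

# Constructed learned baseline: per-mille share of each flag type in normal traffic.
BASELINE_PER_MILLE = {"SYN": 100, "SYN-ACK": 100, "ACK": 400,
                      "DATA": 300, "RST": 20, "FIN-ACK": 80}
BASELINE_DIST = {f: BASELINE_PER_MILLE[f] / 1000 for f in FLAGS}
BASELINE_PPS = 100.0  # constructed normal packet rate toward the protected object


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    flag: str
    size: int
    ttl: int


def flag_distribution(packets):
    """Share of each flag type in the window (the TCP flag distribution)."""
    counts = Counter(p.flag for p in packets)
    total = sum(counts.values()) or 1
    return {f: counts[f] / total for f in FLAGS}


def behavioural_deviation(packets, baseline=BASELINE_DIST):
    """Largest absolute shift of any flag share away from the learned baseline."""
    dist = flag_distribution(packets)
    return max(abs(dist[f] - baseline[f]) for f in FLAGS)


def classify_window(packets, window_s, dev_threshold=0.2, rate_factor=5.0):
    """Rate check and rate-invariant behavioural check side by side: a shifted
    distribution is an attack at any rate; a rate spike with an unchanged
    distribution is treated as a flash crowd and left alone."""
    pps = len(packets) / window_s
    deviation = behavioural_deviation(packets)
    rate_alarm = pps > rate_factor * BASELINE_PPS
    if deviation > dev_threshold:
        verdict = "attack"
    elif rate_alarm:
        verdict = "flash crowd"
    else:
        verdict = "normal"
    return {"verdict": verdict, "pps": pps, "rate_alarm": rate_alarm,
            "deviation": round(deviation, 3)}


def build_signature(packets, min_share=0.9):
    """Real-time signature: the flag whose share grew most, plus each other
    parameter whose single dominant value covers >= min_share of the packets
    with that flag. Source IP is deliberately not a candidate, so a spoofed
    or distributed flood is still matched."""
    dist = flag_distribution(packets)
    flag = max(FLAGS, key=lambda f: dist[f] - BASELINE_DIST[f])
    suspects = [p for p in packets if p.flag == flag]
    signature = {"flag": flag}
    if not suspects:
        return signature
    for param in ("dst_port", "size", "ttl"):
        value, count = Counter(getattr(p, param) for p in suspects).most_common(1)[0]
        if count / len(suspects) >= min_share:
            signature[param] = value
    return signature


def filter_window(packets, signature):
    """Drop packets matching every signature parameter; return (kept, dropped)."""
    kept = [p for p in packets
            if not all(getattr(p, k) == v for k, v in signature.items())]
    return kept, len(packets) - len(kept)


def normal_traffic(n):
    """Constructed legitimate traffic: exact baseline flag mix per 1000 packets,
    many client addresses, varied sizes and TTLs."""
    pkts = []
    for i in range(n):
        r, acc, flag = (i * 919) % 1000, 0, FLAGS[-1]  # 919 is coprime to 1000
        for f in FLAGS:
            acc += BASELINE_PER_MILLE[f]
            if r < acc:
                flag = f
                break
        pkts.append(Packet(f"10.0.{(i // 256) % 256}.{i % 256}", 443, flag,
                           60 + (i * 37) % 1400, (48, 64, 128, 255)[i % 4]))
    return pkts


def rst_flood(n):
    """Constructed RST flood: many (spoofed) sources, fixed size, TTL and port."""
    return [Packet(f"203.0.{(i // 256) % 256}.{i % 256}", 443, "RST", 40, 64)
            for i in range(n)]


def scenario_flash_crowd():
    # 10x the baseline rate but the same flag mix: not an attack.
    return classify_window(normal_traffic(10_000), window_s=10)


def scenario_rst_flood():
    # Only 2x the baseline rate, so the rate check stays quiet; the RST share
    # jumps from 2% to about 51%, which the behavioural check catches.
    return classify_window(normal_traffic(1_000) + rst_flood(1_000), window_s=10)


if __name__ == "__main__":
    print(scenario_flash_crowd())
    print(scenario_rst_flood())
    window = normal_traffic(1_000) + rst_flood(1_000)
    sig = build_signature(window)
    kept, dropped = filter_window(window, sig)
    print(sig, "dropped:", dropped, "kept:", len(kept))
```

The flood window is deliberately below the rate alarm so that only the distribution check fires, and the generated signature (RST, port 443, 40-byte packets, TTL 64) drops every flood packet while passing all legitimate traffic, including the legitimate RSTs, which differ in size.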
Shortest Time to Mitigate via Synchronized Operation
Radware synchronized operation = real-time mitigation engagement.
Non-synchronized operation = up to 28 minutes delay
Synchronized Operation (Radware): attack detection, then attack mitigation; the signature is synched to the mitigation device
Non-Synchronized Operation (Non-Radware): attack detection, then attack mitigation; the signature is regenerated from scratch by the mitigation device
Real-Time Signature Generation vs. Manual
Real-Time Signature Generation (Radware): 18 SECONDS
Manual Signature Generation (Non-Radware): 30 MINUTES
Manual signature creation can take up to 30 minutes. Radware Real-Time Signature is generated in up to 18 seconds.
Automatic vs. Labor-Intensive Operation
Manual SOC analysis is required for every attack, causing high investment in HR
Automatic Attack Blocking (Radware): Real-Time Signature Generation
Manual Attack Blocking (Non-Radware): Manual Signature Generation
Complete & Automatic Attack Lifecycle Management
• New service provisioning
• Automatic mitigation activation
• Traffic diversion
• Attack termination
Result: lower TCO, less dependency on HR
Cyber Attack Protection In Action
Use Case 1 – 3rd Party NetFlow-Based Attack Detection
Components: Service Provider Network, Internet, 3rd Party NetFlow-based Attack Detector, Protected Objects, Scrubbing Center (DefensePro)
• Attack detection by the NetFlow Attack Detector
• DefenseFlow configures DefensePro with traffic baselines and diversion information
• DefenseFlow diverts traffic for attack cleansing
Use Case 2 – Radware NetFlow-Based Attack Detection
Components: Service Provider Network, Internet, Radware Flow Collector, Protected Objects, Scrubbing Center (DefensePro)
• DefenseFlow detects the attack (behavioral analysis)
• DefenseFlow exports traffic baselines and diversion information to DefensePro
• DefenseFlow diverts traffic for attack cleansing
Use Case 3 – OpenFlow-Based Attack Detection
Components: Service Provider Network, Internet, SDN Controller, Protected Objects, Scrubbing Center (DefensePro)
• DefenseFlow detects the attack (behavioral analysis)
• DefenseFlow configures DefensePro with attack information and traffic diversion
• DefenseFlow diverts suspicious traffic for attack cleansing
Use Case 4 – Layer-7 Attack Detection
Components: Service Provider Network, Internet, Protected Objects, Scrubbing Center (DefensePro)
• DefensePro detects the application-layer (L7) attack and syncs the attack baseline to DefenseFlow
• Radware WAF and SSL inspection can also be utilized for advanced web-tier protection
• DefenseFlow configures DefensePro with attack information and traffic diversion
• DefenseFlow diverts suspicious traffic for attack cleansing
Summary of Use Cases
Case   Attack Detection           Traffic Redirection   Attack Mitigation
1      NetFlow Attack Detector    BGP Redirection       DefensePro
2      NetFlow Telemetry          BGP Redirection       DefensePro
3      OpenFlow (SDN) Telemetry   SDN Redirection       DefensePro
4      DefensePro                 BGP Redirection       DefensePro
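The four use cases share one lifecycle: an alarm arrives from a detector, the controller decides whether it is an attack (trusting an external verdict, or judging raw telemetry against the object's baseline), diverts the victim's traffic toward the scrubbing center by BGP or SDN, and withdraws the diversion when the alarm clears. The following is an added illustration written for this page, not DefenseFlow or DefensePro code: the alarm source names, the 3x rate factor, the /32 more-specific BGP announcement, the OpenFlow-style rule shape, the next-hop address and the port name are all assumptions, and no real router or controller is involved.

```python
"""Mitigation orchestration for the use cases: alarm in, baseline check,
diversion out (BGP or SDN), termination when the alarm clears.

Added example for this page; not DefenseFlow/DefensePro code. Source
names, rate factor, route and rule shapes are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass

EXTERNAL_VERDICT_SOURCES = {"netflow-3rdparty", "l7-mitigator"}  # use cases 1 and 4
TELEMETRY_SOURCES = {"netflow", "openflow"}                      # use cases 2 and 3


@dataclass
class ProtectedObject:
    name: str
    prefix: str          # e.g. "198.51.100.0/24"
    redirect: str        # "bgp" or "sdn"
    baseline_pps: float  # learned normal packet rate toward this object


@dataclass
class Alarm:
    source: str
    target: str          # victim IPv4 address as text
    observed_pps: float
    active: bool = True  # False: the detector reports the attack is over


class Orchestrator:
    def __init__(self, objects, scrub_next_hop="192.0.2.1", scrub_port="scrub",
                 rate_factor=3.0):
        self.objects = objects
        self.scrub_next_hop = scrub_next_hop   # assumed scrubbing-center router
        self.scrub_port = scrub_port           # assumed SDN port toward scrubbing
        self.rate_factor = rate_factor
        self.state = {o.name: "idle" for o in objects}
        self.bgp_routes = {}   # announced prefix -> announcement
        self.flow_rules = {}   # victim ip -> OpenFlow-style rule

    def find_object(self, target):
        ip = ipaddress.ip_address(target)
        return next((o for o in self.objects
                     if ip in ipaddress.ip_network(o.prefix)), None)

    def is_attack(self, alarm, obj):
        # External detectors deliver a verdict; raw telemetry is judged
        # against the protected object's baseline.
        if alarm.source in EXTERNAL_VERDICT_SOURCES:
            return True
        if alarm.source in TELEMETRY_SOURCES:
            return alarm.observed_pps > self.rate_factor * obj.baseline_pps
        raise ValueError(f"unknown alarm source {alarm.source!r}")

    def divert(self, obj, victim):
        if obj.redirect == "bgp":
            # More-specific /32 pulls only the victim's traffic to the scrubber.
            prefix = f"{victim}/32"
            self.bgp_routes[prefix] = {"prefix": prefix, "next_hop": self.scrub_next_hop}
        else:
            self.flow_rules[victim] = {"match": {"ipv4_dst": victim},
                                       "action": f"output:{self.scrub_port}"}
        self.state[obj.name] = "diverted"

    def terminate(self, obj, victim):
        self.bgp_routes.pop(f"{victim}/32", None)
        self.flow_rules.pop(victim, None)
        self.state[obj.name] = "idle"

    def handle(self, alarm):
        obj = self.find_object(alarm.target)
        if obj is None:
            return "ignored"                 # not a protected object
        if not alarm.active:
            self.terminate(obj, alarm.target)
            return "terminated"
        if not self.is_attack(alarm, obj):
            return "normal"
        if self.state[obj.name] == "idle":
            self.divert(obj, alarm.target)
        return "diverted"


def demo():
    """Constructed run through use cases 1, 2 and 3 plus termination."""
    objs = [ProtectedObject("web", "198.51.100.0/24", "bgp", 1000),
            ProtectedObject("voip", "203.0.113.0/24", "sdn", 500)]
    orch = Orchestrator(objs)
    steps = [
        orch.handle(Alarm("netflow", "198.51.100.7", 1500)),            # under 3x baseline
        orch.handle(Alarm("netflow-3rdparty", "198.51.100.7", 90000)),  # use case 1
        orch.handle(Alarm("openflow", "203.0.113.9", 40000)),           # use case 3
        orch.handle(Alarm("netflow", "198.51.100.7", 90000, active=False)),
    ]
    return steps, orch


if __name__ == "__main__":
    result, orch = demo()
    print(result, orch.state, orch.bgp_routes, orch.flow_rules)
```

The `demo()` run returns the verdict sequence `normal, diverted, diverted, terminated`: the first NetFlow reading is within baseline and does nothing, the third-party verdict triggers a BGP diversion that is later withdrawn, and the OpenFlow telemetry for the VoIP object installs an SDN rule that stays in place until its own alarm clears.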
A Case Study
About Boston Children’s Hospital
• 25,000 inpatients each year and 557,000 visits
• Ranked nationally in 10 pediatric specialties
• 200+ specialized clinical programs
• Clinical operations dependent upon networked data and devices
• Shared ISP services across a network of 7 other healthcare providers
Why Attack a Hospital?
Case Study #1 – Boston Children’s Hospital
• Early 2014: custody dispute related to a 15-year-old in BCH’s care
• Turned over to Massachusetts protective services
• A group claiming affiliation with Anonymous began threatening BCH
A Look Inside the Attack
Attack Vectors Involved and Identified
[Diagram: attack path IPS/IDS, Internet Pipe, Firewall, Load Balancer/ADC, Server Under Attack, SQL Server]
Infrastructure
• UDP Fragmented Flood
• DNS Reflection
• UDP Flood (PPS)
State
• TCP Out Of State Flood
• UDP Scan
• Zero Payload attacks
• Zero sequence number attacks
• Invalid ACK number attacks
• ICMP Flood
Application
• Slowloris
• SQL-Injection
• XSS
• Worm infection – Mydoom
• SIPVicious – scanning tool
• Web-etc/passwd-Dir-Traversal
BCH Attack Analysis Summary
Duration
• Total duration of the attack was over a month
• Radware solution was deployed after the attack started
Multi Vector
• Total of 15 different attack vectors in the same attack campaign
• As many as 6 different vectors were observed simultaneously
• Mixture of web attacks and DDoS attacks – common in hacktivism-related events
Mitigation
• Proactive planning – didn’t assume they weren’t a target
• Identified impacted assets and processes
• Enlisted outside, expert support
Learnings
• Anyone may be a target!
• An integrated solution is required
• Prepare a response plan