ERT Active Attackers Feed Subscription: Under the Hood
Technology Overview Whitepaper · Radware · 2018-02-08

TABLE OF CONTENTS

• Introduction ...... 3
• ERT Active Attackers Feed for Radware DefensePro ...... 3
• A Deeper Look at the Source of Radware Intelligence ...... 4
    Intelligence Source 1: Radware Cloud Security Services ...... 4
    Intelligence Source 2: Radware Global Deception Network ...... 5
    Intelligence Source 3: ERT Threat Research Center ...... 5
• How The Radware Global Deception Network Works ...... 5
    Radware Proprietary Botnet Detection Technology ...... 6
    ERT Active Attackers Feed Generation ...... 7
    Additional Feeds from Radware: ERT SUS Feeds for Radware DefensePro and AppWall ...... 8
• Summary ...... 8
    ERT Active Attackers Feed Benefits ...... 9
• About Radware ...... 10
• Certainty Support ...... 10
• Learn More ...... 10


ERT ACTIVE ATTACKERS FEED | WHITE PAPER 3

INTRODUCTION

In today’s changing threat landscape, both the threats and the mitigation solutions designed to stop them are rapidly evolving in variety and sophistication. Organizations face a challenge in implementing and orchestrating effective protection to identify and block incoming network traffic which is not welcome. It’s critical to turn away these malicious guests before they create havoc.

Due to the rise of easy-to-use attack tools and anonymous payment mechanisms, the motivation for attacks is expanding into new domains such as ransom and hacktivism; yet the growing need for security expertise necessary to protect an organization is in direct contrast to the shortage of expert security personnel available to handle the job. Even with the best protection devices and a knowledgeable staff, denial-of-service (DoS) attacks, ransom attacks and malware outbreaks are a major challenge to your business.

As threats evolve and become more complex, security needs to be managed by experts. Ongoing threat intelligence updates are a key element Radware employs to keep customers ahead of threat actors, applying Radware security expertise remotely on an ongoing basis.

The rise of sophisticated new botnets, and especially IoT-based botnets built from vulnerable IoT devices and widely available DDoS-as-a-Service tools, requires global threat intelligence to preemptively block known attackers before they start to engage and explore your organization’s network and critical assets.

Radware’s ERT Threat Research Center has created a unique threat intelligence feed that is specifically designed to prevent DDoS attackers from scouting and analyzing your organization’s network prior to an attack.

ERT ACTIVE ATTACKERS FEED FOR RADWARE DEFENSEPRO

Radware ERT Active Attackers Feed enhances the protection of applications and data centers by introducing a new preemptive protection layer on top of Radware’s Attack Mitigation Solution.

The feed supplies Radware DefensePro with a list of attackers that were recently involved in a DDoS attack, enabling the platform to preemptively block known DDoS attackers before they come anywhere near your assets and initiate an attack.

Radware’s ERT Threat Research Center is essentially an intelligence agency which provides the list of known and currently active felons. The ERT Active Attackers Feed focuses on unique, real-time intelligence that can provide preemptive protection against emerging DDoS-specific threats, including evolving IoT botnets and new DNS attack vectors.

Where is the Intelligence Coming From?

The ERT Active Attackers Feed is an aggregation of multiple exclusive Radware data sources that are combined and correlated by Radware’s ERT Threat Research Center.

1. DDoS attackers intelligence data from Radware’s Cloud Security Services

2. Attackers actively engaged in malicious activity collected via Radware’s Global Deception Network

3. Proprietary botnet intelligence generated by Radware’s ERT Research, which incorporates proprietary automatic botnet detection algorithms and manual research


These sources are integrated together and scored in a big data cloud platform, creating a list of DDoS attackers that are currently active. The list is downloaded to Radware attack mitigation platforms enabling them to block attackers before an attack starts.

What About False Positives?

Since an average DDoS attack session lasts one to three hours, the feed content is short-lived, allowing adaptation to changing sources and vectors. The feed is frequently updated to provide a relevant list of malicious, non-spoofed IPs that have been involved in DDoS activity within the past 24 hours. The short duration of an average DDoS incident ensures that a legitimate IP which was temporarily involved in an attack is cleared from the list after the attack has subsided.

How Does This Work With Radware’s Attack Mitigation Platforms?

The feed enhances Radware’s Attack Mitigation Solution and extends the automated, real-time protection provided by Radware DefensePro, enabling preemptive blocking of attackers before they target your network. The DefensePro detection mechanism is tuned to detect traffic anomalies above a certain level, and the new feed actively blocks traffic from known malicious sources before they’ve reached the threshold risk level or actually started an active attack campaign.

Figure 1: Multi-Layered Protection

A DEEPER LOOK AT THE SOURCE OF RADWARE INTELLIGENCE

Intelligence Source 1: Radware Cloud Security Services

Radware, as a global leader of application delivery and cyber security solutions, is in a unique position to provide meaningful and actionable threat intelligence for DDoS prevention.

Radware offers Cloud WAF and DDoS Protection Services worldwide via a global security network. This network consists of nine large scrubbing centers and additional cloud points of presence that span over 30 locations globally, including San Jose, CA; Ashburn, VA; Chicago, IL; Las Vegas, Nevada; Frankfurt, Germany; London, UK; Tokyo, Japan; Hong Kong; Seoul, Korea; Sydney, Australia; Johannesburg, South Africa; and Tel Aviv, Israel.

Radware’s cloud security network has 3.5 Tbps of capacity, serving hundreds of customers globally and providing 24x7 DDoS attack mitigation and real-time data center and application security to our customers.

As DDoS and web attacks are launched and mitigated across Radware’s cloud security network, a real-time list of IP addresses that were validated as attackers in the past 24 hours is generated. This list is an important source of information for the ERT Active Attackers Feed as it provides an updated list of known DDoS attackers actively engaged in attacks.

[Figure 1 labels: Your Protected Network; Radware DefensePro: Blocking Unknown Attacks; ERT Active Attackers Feed: Blocking Known Attackers; ERT SUS (Security Update Subscription): Blocking Known Attacks]


Intelligence Source 2: Radware Global Deception Network

Radware’s Global Deception Network is a network of globally distributed sensors (honeypots) running services that attract bots engaged in malicious activity around the world. Such bots are attempting to compromise, abuse and hack into computers, create new botnets and launch DDoS attacks.

The deception network attracts hundreds of thousands of malicious IPs, generating millions of events on a daily basis. The automatic analysis algorithms provide insights and categorization of various types of malicious activity from port scanning and reconnaissance through password brute force attempts to DNS reflection attacks.

Radware proprietary and patented algorithms running on the deception network are used to catalog and identify new and emerging threat actors, including botnets, IoT bots and DNS attackers, as well as to analyze malicious behavior such as spoofing. Combining these creates a real-time, non-spoofed IP list of malicious actors employing DDoS-related behavior.

Intelligence Source 3: ERT Threat Research Center

The Radware Emergency Response Team (ERT) is a group of security experts providing 24x7 proactive security support services for customers facing a DoS attack or malware outbreak. ERT security experts are experienced in fighting widely known, as well as emerging, single and multi-vector attacks and provide attack mitigation best practices. Radware’s trained professionals use their extensive knowledge of threats in order to develop and implement tools and technologies to generate protection from over 100 attack vectors on the network and application layers, including high-volume network attacks, low and slow, SYN floods, HTTP floods, invasive scans, SSL encryption, Brute Force, BGP table attacks and Session attacks.

Via machine learning and algorithmic research on statistical behaviors from Radware’s ERT databases, its Deception Network and Cloud Security Services, Radware security researchers are able to discover new attack vectors and identify the formation of new botnets prior to an attack outbreak.

Bring It All Together

Radware generates a list of active DDoS attackers from its Cloud Security Services and its global network of cloud DDoS scrubbing centers. This data is correlated with malicious IP information captured and identified through Radware’s Deception Network and further validated via Radware’s ERT ongoing research. This continuous process enables Radware to provide active DDoS attackers information in real time.

Figure 2: ERT Active Attackers Feed Process

HOW THE RADWARE GLOBAL DECEPTION NETWORK WORKS

The Radware Deception Network is comprised of hundreds of globally distributed servers running a variety of services built to attract malicious traffic and categorize it using Radware proprietary algorithms. The sensors capture network and application traffic that is then stored, enriched and analyzed within a centralized big data cloud repository.

[Figure 2 steps: #1 Robust DDoS attack data collected from Radware’s cloud DDoS scrubbing centers; #2 Active attackers identified from Radware Deception Network; #3 Feed created by continuous data correlation at the ERT Threat Research Center; #4 Feed sent to DefensePro, ready to block attackers]


Data enrichment is done by applying proprietary algorithms for detection of botnets, by correlation with other security event information (such as information provided by Radware’s Cloud Security Services) and by the outcome of security research performed by the security researchers.

The proprietary algorithms are based on behavioral analysis mechanisms and traffic characterizations which are enhanced on an ongoing basis. The deception network breadth and span are continuously optimized and expanded to support identification of new and emerging threats and threat actors.

By monitoring the malicious network activity passing through hundreds of honeypots globally, analyzing the information using various types of algorithms and correlating it with different sources, Radware’s ERT Threat Research Center is able to identify trends and provide insights on active network attacks and emerging IoT botnets and other threats.

Inspecting malicious network traffic and behavioral characteristics of IP addresses allows for elimination of false positives while constantly improving IP identification and categorization.

By sending alerts whenever new botnet activity or an emerging trend is discovered, Radware is able to preemptively provide valuable threat intelligence insights of active or future attacks, traffic signatures for vulnerabilities and malware infection data in real time. This multi-source information enables Radware to provide a quality threat intelligence feed targeted for DDoS related functionality and leveraged by products such as DefensePro (in addition to other components of Radware’s Attack Mitigation Solution).

Figure 3: Radware’s Global Deception Network

Radware Proprietary Botnet Detection Technology

Hackers are well resourced and can establish large-scale botnets rapidly. It takes only 20 minutes for a newly connected device to become compromised.

Advanced command and control techniques enable attackers to activate and deactivate bots rapidly. This is used as a detection evasion mechanism, for example by keeping each individual bot’s activity below the thresholds of a behavioral detection system.

[Figure 3 legend: Radware Cloud Security PoP; Regional Cloud Scrubbing Center; Radware Regional HoneyPot Sensors]

Radware has developed patented technology for botnet detection. This technology clusters malicious sources into a botnet using behavioral analysis, statistics, trend detection and machine learning algorithms. The security researchers perform manual research regularly and more specific targeted research whenever the automatic alerting system surfaces new trends and botnets, often allowing new botnets and/or threats to be identified prior to an attack being launched.
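The two paragraphs above describe the principle behind clustering: an individual bot can be held under a per-IP threshold, but sources that share a behavioral fingerprint can be grouped and judged by their aggregate volume. The following Python sketch is an added illustration of that principle, not Radware’s code (the patented algorithms are not described on this page); the honeypot events, addresses, ports, threshold and fingerprint definition are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample honeypot events: (source_ip, dst_port, seconds_offset).
# Eight low-rate bots probe the same three ports in the same order, one probe
# every 20 s (15 probes each); one noisy source hammers port 22 on its own.
# All addresses, ports and rates are made up for this example.
EVENTS: List[Tuple[str, int, int]] = []
for _i in range(8):
    _src = f"198.51.100.{10 + _i}"
    for _k, _port in enumerate([23, 2323, 7547] * 5):
        EVENTS.append((_src, _port, _k * 20))
EVENTS += [("203.0.113.9", 22, _t) for _t in range(0, 600, 2)]  # 300 probes in 10 min

# Assumed per-IP rule: this many probes in the window trips the alarm.
PER_SOURCE_THRESHOLD = 100


def per_source_counts(events: List[Tuple[str, int, int]]) -> Dict[str, int]:
    """Probe count per source IP over the whole window."""
    counts: Dict[str, int] = defaultdict(int)
    for src, _, _ in events:
        counts[src] += 1
    return dict(counts)


def fingerprint(events_for_src: List[Tuple[str, int, int]]) -> Tuple[Tuple[int, ...], int]:
    """Behavioural fingerprint of one source: the distinct ports in first-seen
    order plus the median inter-probe gap rounded down to 5 s. A simplified,
    assumed stand-in for the proprietary traffic characterization."""
    ordered = sorted(events_for_src, key=lambda e: e[2])
    port_order: List[int] = []
    for _, port, _ in ordered:
        if port not in port_order:
            port_order.append(port)
    gaps = sorted(b[2] - a[2] for a, b in zip(ordered, ordered[1:]))
    median_gap = gaps[len(gaps) // 2] if gaps else 0
    return tuple(port_order), median_gap // 5 * 5


def cluster_by_behaviour(events: List[Tuple[str, int, int]]):
    """Group source IPs that share the same behavioural fingerprint."""
    by_src: Dict[str, list] = defaultdict(list)
    for ev in events:
        by_src[ev[0]].append(ev)
    clusters: Dict[tuple, List[str]] = defaultdict(list)
    for src, evs in by_src.items():
        clusters[fingerprint(evs)].append(src)
    return dict(clusters)


def detect(events, threshold: int = PER_SOURCE_THRESHOLD, min_members: int = 3):
    """Return (per_ip_hits, cluster_hits).

    per_ip_hits: sources that exceed the threshold on their own.
    cluster_hits: (fingerprint, members, total) for behaviour clusters whose
    aggregate volume exceeds the threshold with at least min_members sources,
    even though each member individually stays below it.
    """
    counts = per_source_counts(events)
    per_ip_hits = sorted(src for src, c in counts.items() if c >= threshold)
    cluster_hits = []
    for fp, members in cluster_by_behaviour(events).items():
        total = sum(counts[m] for m in members)
        if len(members) >= min_members and total >= threshold:
            cluster_hits.append((fp, sorted(members), total))
    return per_ip_hits, cluster_hits


if __name__ == "__main__":
    singles, clusters = detect(EVENTS)
    print("per-IP hits:", singles)  # only the noisy source trips the per-IP rule
    for fp, members, total in clusters:
        print(f"cluster {fp}: {len(members)} sources, {total} probes in total")
```

Run stand-alone, the per-IP rule catches only the noisy source, while the eight bots (15 probes each, well under the threshold of 100) are surfaced together as one cluster of 120 probes. A real system would use far richer fingerprints and time-windowed counts; the point is that the aggregate, not the individual source, is what defeats the low-and-slow evasion the text describes.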

Example: Satori

Satori is a Mirai variant spreading on ports 37215 and 52869.

On December 5, 2017, the ERT Threat Center reported a new version of Satori propagating rapidly on ports 37215 and 52869. Activity was noticed at the end of November and kept a low profile until its outbreak. The feed published by the ERT Security Research Threat Center in the 48 hours following the outbreak contained IPs actively involved in the outbreak.

Figure 4: Rapid propagation of Satori across IoT devices

Reaper

Reaper is another Mirai-variant IoT botnet. It infects IoT devices by exploiting nine IoT device vulnerabilities. It conducts scanning before delivering the payload. The first wave consists of SYN scans on TCP ports in the following order: 20480, 20736, 36895, 37151, 22528, 16671, 14340, 20992, 4135, 64288, 45090, 21248, 21504, 31775, 39455, 47115 and 42254.

The ERT Security Research Threat Center noticed the initial port scanning in September 2017 at a low volume until the scan outbreak in October.

Figure 5: Reaper’s emergence begins with massive port scanning
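The ordered port list given for Reaper’s first wave can serve directly as a detection signature on honeypot or sensor logs. The Python example below is added here and is not part of the white paper or Radware’s tooling: it parses a few constructed SYN log lines (the `<epoch> <src_ip> <dst_port>` format, the addresses and the match threshold are assumptions) and flags sources whose probes reproduce a long enough prefix of Reaper’s port order, while a source hitting the same ports in a different order is not flagged.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Reaper's first-wave SYN scan port order, as listed in the white paper.
REAPER_PORT_ORDER = [20480, 20736, 36895, 37151, 22528, 16671, 14340, 20992, 4135,
                     64288, 45090, 21248, 21504, 31775, 39455, 47115, 42254]


def _mk_lines(src: str, ports: List[int], start_ts: int) -> str:
    """Build constructed log lines '<epoch> <src_ip> <dst_port>' (format assumed)."""
    return "\n".join(f"{start_ts + i} {src} {p}" for i, p in enumerate(ports))


# Constructed honeypot SYN log: one source follows Reaper's order (with an
# unrelated port 80 probe interleaved), one stops after three ports, and one
# hits the same eight ports in reverse order. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    "# epoch src_ip dst_port",
    _mk_lines("192.0.2.10", REAPER_PORT_ORDER[:4] + [80] + REAPER_PORT_ORDER[4:8], 1507000000),
    _mk_lines("192.0.2.20", REAPER_PORT_ORDER[:3], 1507000100),
    _mk_lines("192.0.2.30", list(reversed(REAPER_PORT_ORDER[:8])), 1507000200),
])


def parse_log(text: str) -> List[Tuple[int, str, int]]:
    """Parse the assumed log format into (epoch, src_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return events


def ordered_prefix_match(ports: List[int], sequence: List[int]) -> int:
    """Length of the longest prefix of `sequence` that occurs in `ports` in order
    (other ports may be interleaved). Order matters: the same ports in a
    different order only match as far as the order agrees."""
    i = 0
    for p in ports:
        if i < len(sequence) and p == sequence[i]:
            i += 1
    return i


def find_reaper_scanners(events: List[Tuple[int, str, int]], min_match: int = 6) -> Dict[str, int]:
    """Map source IP -> matched prefix length for sources whose probe order
    reproduces at least min_match (assumed threshold) of Reaper's first-wave ports."""
    by_src: Dict[str, List[int]] = defaultdict(list)
    for _, src, port in sorted(events):      # chronological order per source
        by_src[src].append(port)
    hits: Dict[str, int] = {}
    for src, ports in by_src.items():
        n = ordered_prefix_match(ports, REAPER_PORT_ORDER)
        if n >= min_match:
            hits[src] = n
    return hits


if __name__ == "__main__":
    for src, n in find_reaper_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: matched the first {n} of {len(REAPER_PORT_ORDER)} Reaper ports in order")
```

Only 192.0.2.10 is reported (eight ports matched in order despite the interleaved port 80); the three-port source is below the threshold and the reversed-order source matches just one port, which is what makes an ordered signature more specific than a plain "touched these ports" rule.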

ERT Active Attackers Feed Generation

IP reputation threat intelligence is not something new. However, Radware’s malicious IP generation is unique in that it targets active DDoS attackers rather than spam sources or generic malware sites, as many other threat intelligence providers do. The feed is updated to maintain high fidelity and validity of attackers.

IP reputation is fluid and adapting. An IP that is generally benign or even belongs to a customer can suddenly become actively involved in a DDoS attack. In such a case, and as long as the IP continues to “misbehave,” it should be blocked. However, once behavior has returned to normal, the IP should be allowed access. The balance is delicate: a false positive can result in a frustrated customer while a false negative can lead to a breach.

The ERT Threat Research Center publishes automatic malicious IP lists once every 30 minutes for consumption and utilization by Radware devices in the form of Radware subscription threat intelligence feeds. These feeds are subsets of the full malicious IP list that are filtered according to the specific threat intelligence feed’s usage. The ERT Active Attackers Feed is one such subscription.

[Figure 4 axes: Count (0 to 1,500) per hour, November 22nd 2017 00:00 to December 7th 2017 00:00, scaled to 3 hours; timestamp ticks from 2017-11-23 to 2017-12-05]

[Figure 5 axes: Count (0 to 4,000), September 1st 2017 to November 30th 2017; date ticks from 2017-09-10 to 2017-11-26]

The malicious IPs are collected from the Radware Deception Network and tagged according to their recorded activity, information correlated from the Radware Cloud Security Services and algorithmic analysis output. The tags are used in order to filter the malicious IP list and make sure each Radware subscription utilizes IPs that are relevant for the specific subscription functionality.

The IPs in the aggregated IP threat intelligence list are tagged using the following categories:

• Denial-of-service attackers – IPs involved in floods, DNS reflection attacks, SYN floods, SSL renegotiation, HTTP and HTTPS floods, PDoS and SMTP attacks

• Botnets – IPs of infected machines acting together under the control of a command & control entity

• IoT botnets – IPs of infected IoT devices acting together under the command and control of a malicious actor

• Scanners – IPs active in port scans, domain scans, reconnaissance, and password brute force

• Web attacks – IPs that performed domain password brute force

• Anonymous proxies – IP addresses of anonymization services, mainly The Onion Router (Tor) exit nodes

Each malicious IP is assigned a risk score by the system based on its entire behavioral analysis, its assigned tags and its traffic volume. The relevant Radware subscription service selects which score level should be blocked or allowed. The ERT Active Attackers Feed is generated as one of these Radware threat intelligence feeds using the denial-of-service attackers tag listed above.

The ERT Threat Research Center uses algorithms to verify that the published IPs are not spoofed, thereby further limiting the possibility of false positives. In other words, an IP that is added to the list was an active participant, not an innocent bystander whose address was spoofed.
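The passages on false positives (an IP is cleared once the attack that put it on the list has subsided, within 24 hours) and on feed generation (tagged, scored IPs filtered per subscription) describe one pipeline. The following Python example is added here as an illustration of that pipeline and is not Radware’s implementation: the tag weights, the volume contribution, the 60-point block threshold, the observations and the addresses are all assumptions or constructed sample data, while the tag categories and the 24-hour window come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple

# Tag vocabulary mirrors the categories listed in the white paper.
DOS, BOTNET, IOT, SCANNER, WEB, PROXY = (
    "dos_attacker", "botnet", "iot_botnet", "scanner", "web_attack", "anonymous_proxy")

# Assumed weights: the real scoring method is proprietary and not described on the page.
TAG_WEIGHTS = {DOS: 50, IOT: 30, BOTNET: 25, WEB: 15, SCANNER: 10, PROXY: 5}
FEED_TTL = timedelta(hours=24)   # an IP ages out 24 h after its last observed activity


@dataclass(frozen=True)
class Observation:
    ip: str
    tags: FrozenSet[str]
    last_seen: datetime
    volume: int          # packets attributed to the IP in the window (constructed)


def risk_score(obs: Observation) -> int:
    """0-100 score from tags plus a capped volume contribution (assumed formula)."""
    base = sum(TAG_WEIGHTS.get(t, 0) for t in obs.tags)
    volume_bonus = min(30, obs.volume // 1000)
    return min(100, base + volume_bonus)


def build_subscription(observations: List[Observation], now: datetime,
                       required_tag: str, min_score: int,
                       ttl: timedelta = FEED_TTL) -> List[Tuple[str, int]]:
    """One subscription = the aggregated list filtered to IPs carrying
    required_tag, scored >= min_score and seen within ttl of `now`.
    Re-running this as `now` advances drops IPs that stopped misbehaving."""
    out = []
    for o in observations:
        if required_tag not in o.tags:
            continue                      # wrong category for this subscription
        if now - o.last_seen > ttl:
            continue                      # attack ended more than 24 h ago: cleared
        score = risk_score(o)
        if score < min_score:
            continue                      # below the level this subscription blocks
        out.append((o.ip, score))
    return sorted(out, key=lambda x: (-x[1], x[0]))


# Constructed aggregated list, as of NOW. Addresses are from a documentation range.
NOW = datetime(2017, 12, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE: List[Observation] = [
    Observation("203.0.113.5", frozenset({DOS, IOT}), NOW - timedelta(hours=2), 50_000),
    Observation("203.0.113.6", frozenset({DOS}), NOW - timedelta(hours=30), 80_000),     # stale
    Observation("203.0.113.7", frozenset({SCANNER}), NOW - timedelta(minutes=5), 200),   # not DoS
    Observation("203.0.113.8", frozenset({DOS}), NOW - timedelta(hours=23), 100),        # low score
    Observation("203.0.113.9", frozenset({DOS, BOTNET}), NOW - timedelta(hours=1), 12_000),
]


def active_attackers_feed(hours_from_now: float = 0, min_score: int = 60) -> List[Tuple[str, int]]:
    """The ERT Active Attackers subset: DoS-tagged IPs only, published as of
    NOW + hours_from_now (simulates a later 30-minute publication cycle)."""
    return build_subscription(SAMPLE, NOW + timedelta(hours=hours_from_now), DOS, min_score)


if __name__ == "__main__":
    print("feed now:  ", active_attackers_feed())
    print("feed +24 h:", active_attackers_feed(24))
```

At publication time the feed contains only the two high-scoring, recently active DoS sources; the stale entry, the scanner-only entry and the low-score entry are filtered out by the TTL, the tag and the score threshold respectively. Publishing again 24 hours later yields an empty feed, which is the "cleared after the attack has subsided" behaviour the text relies on to keep false positives short-lived.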

The method of generating the threat intelligence by the ERT Threat Research Center generates key benefits for the Radware threat intelligence feeds:

• Automatic blocking of real-time IP-based threats with a high refresh rate of dynamic IP lists

• Elimination of false positives – quick removal of IPs from the feed that are no longer considered malicious

• Visibility into the malicious activity of the IP based on tagging categories

• Understanding of IP risk level based on a proprietary scoring method

Additional Feeds from Radware: ERT SUS Feeds for Radware DefensePro and AppWall

Radware’s weekly Security Update Subscriptions (SUS) provide the customer with new permanent signatures on a weekly basis, or ad hoc when an emergency attack wave is taking place. The feed is focused on signatures to block new vulnerabilities and attack tools that have been discovered recently. The signatures are created by Radware’s ERT Threat Research Center following security analysis of vulnerabilities and exploits. These signatures protect the customer networks from being attacked via newly discovered vulnerabilities regardless of their IP source.

See the Security Update Subscription (SUS) data sheet for further details.

SUMMARY

Radware’s ERT Active Attackers Feed provides real-time intelligence that can protect against evolving threat actors as newly infected and compromised hosts join them, by leveraging real-time attack data to deliver actionable information about active DDoS attackers.

Radware’s ERT Threat Research Center provides your organization with updated DDoS attacker information to complement Radware’s Attack Mitigation Solution by enabling real-time actionable intelligence. As a result, the ERT Threat Research Center serves as your organization’s network intelligence agency.

Radware’s DefensePro automatic protections are comprehensive, cover many scenarios and rely on quantitative behavioral analysis for anomaly detection in order to detect and block unknown zero-day attacks.

The ERT Active Attackers Feed is a critical preventive measure that complements DefensePro’s protection to protect an organization’s assets by shielding critical infrastructure against threat actors which are attacking enterprises around the globe.

This shield protects your organization’s network and assets before the attack hits. The combination of this preemptive shield with Radware’s signature mechanisms and behavioral analysis provides complete and comprehensive protection against today’s rapidly evolving threat landscape.

ERT Active Attackers Feed Benefits:

• Preemptive protection against known DDoS attackers – an additional layer of protection to preemptively block attackers before they enter your network.

• Real-time blocking of active attackers – monitors active threat actors for minimal false-positive operations. Immediately blocks IPs actively involved in DNS-based and IoT botnet DDoS attacks in the last 24 hours.

• Data correlation across multiple Radware sources – proprietary algorithms gather and correlate data from Radware’s Cloud Security Services, Global Deception Network and real-life attack data.

About Radware

Radware® (NASDAQ: RDWR) is a global leader of application delivery and cyber security solutions for virtual, cloud and software defined data centers. Its award-winning solutions portfolio delivers service level assurance for business-critical applications, while maximizing IT efficiency. Radware’s solutions empower more than 12,500 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.

Radware encourages you to join our community and follow us on: Facebook, Google+, LinkedIn, Radware Blog, SlideShare, Twitter, YouTube, Radware Connect app for iPhone® and our security center DDoSWarriors.com that provides a comprehensive analysis on DDoS attack tools, trends and threats.

Certainty Support

Radware offers technical support for all of its products through the Certainty Support Program. Each level of the Certainty Support Program consists of four elements: phone support, software updates, hardware maintenance, and on-site support. Radware also has dedicated engineering staff that can assist customers on a professional services basis for advanced project deployments.

Learn More

To learn more about how Radware’s integrated application delivery & security solutions can enable you to get the most of your business and IT investments, email us at [email protected] or go to www.radware.com.

This document is provided for information purposes only. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law. Radware specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. The technologies, functionalities, services, or processes described herein are subject to change without notice.

©2018 Radware Ltd. All rights reserved. Radware and all other Radware product and service names are registered trademarks or trademarks of Radware in the U.S. and other countries. All other trademarks and names are property of their respective owners. The Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications. For more details please see: https://www.radware.com/LegalNotice/
