Radware Global Application & Network Security Report 2013

Date post: 06-May-2015
Upload: radware
Description:
The 2013 Global Application and Network Security Report provides insight to help detect, mitigate and win the extended and persistent DoS/DDoS battle. Click through the key findings for cyber security statistics, trends, tools and information on the year's most notable attacks. To download the full report, please visit: http://www.radware.com/ert-report-2013/
January 2014
Transcript
Page 1: Radware Global Application & Network Security Report 2013

January 2014

Page 2: Radware Global Application & Network Security Report 2013

AGENDA

Cyber Security Statistics

About the 2013 Report

Key Findings & Trends

Attack Tools Trends

Notable Attacks

Recommendations

Page 3: Radware Global Application & Network Security Report 2013

DoS/DDoS – Most Common Cyber Attack

• DDoS: 28%
• SQLi: 23%
• Defacement: 17%
• Account Hijacking: 11%
• Targeted attack (Various tools): 7%
• DNS Hijacking: 3%
• Malware: 3%
• iFrame Injection: 1%
• Other: 7%

Source: 2013 Cyber Attacks Trends, Hackmagedon

Page 4: Radware Global Application & Network Security Report 2013

DoS/DDoS – Most Common Cyber Attack

28% of all cyber attacks in 2013 involved a DoS/DDoS attack.

Source: 2013 Cyber Attacks Trends, Hackmagedon

Page 5: Radware Global Application & Network Security Report 2013

DDoS and Unplanned Outages in 2013

[Chart: root causes of unplanned outages, 2010 vs. 2013 (axis 0% to 35%). Categories: Other; IT equipment failure; Generator failure; Water, heat or CRAC failure; Weather related; Cyber crime (DDoS); Accidental/human error; UPS system failure.]

Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013

Page 6: Radware Global Application & Network Security Report 2013

DDoS and Unplanned Outages in 2013

Root Causes of Unplanned Outages

18% of unplanned outages in 2013 were due to DoS/DDoS attacks.

Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013

Page 7: Radware Global Application & Network Security Report 2013

Cost of a DoS/DDoS Outage

[Chart: cost of unplanned outage by root cause, 2010 vs. 2013 (axis $0 to $1,200). Categories: Weather related; Generator failure; Water, heat or CRAC failure; UPS system failure; Cyber crime (DDoS); IT equipment failure.]

Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013

Page 8: Radware Global Application & Network Security Report 2013

Cost of a DoS/DDoS Outage

Cost of unplanned outage

$822,000: cost of a single DoS/DDoS attack that causes unplanned outage.

Source: “2013 Cost of Data Center Outages”, Ponemon Institute, Dec. 2013

Page 10: Radware Global Application & Network Security Report 2013

Methodology and Sources

Security Industry Survey
– External survey
– 198 participants
– 93.8% are not using Radware DoS/DDoS mitigation solution

Security Executive Survey
– External survey
– 15 participants

Radware’s Emergency Response Team (ERT) 2013 Cases
– Unique visibility into attack behavior
– Attacks seen in real time on a daily basis
– More than 300 cases analyzed
• Customer identity remains undisclosed

Page 12: Radware Global Application & Network Security Report 2013

The Unseen DoS/DDoS Attacks – Key Findings

• 60% of attacks result in service degradation
– Organizations’ attention is on the outage cases
– Web application slowness and degradation of service have devastating outcomes

• ERT has identified a new set of attacks called “Web Stealth”
– Availability-based attacks targeting the Web application
– Harder to detect by traditional network security and DoS/DDoS mitigation tools

• Attackers shorten the time it takes them to bypass mitigation tools

Page 13: Radware Global Application & Network Security Report 2013

• Feb/July 2013, USA: Operation Ababil, targeting financial institutions
• March 2013, The Netherlands: Spamhaus, the biggest DDoS attack ever
• June 2013, South Korea: South Korea government websites under attack
• July 2013, Colombia: The Colombian Independence Day Attack
• August 2013, Syria: Syrian Electronic Army attacking US media outlets
• November 2013, Ukraine & Baltic Countries: Operation “Opindependence”

Page 14: Radware Global Application & Network Security Report 2013

DoS/DDoS Ring of Fire

Page 15: Radware Global Application & Network Security Report 2013

Attack Risk Score

Page 16: Radware Global Application & Network Security Report 2013

Radware DoS/DDoS Risk Score

• Attack Duration
• Attack Vectors
• Attack Complexity

Page 17: Radware Global Application & Network Security Report 2013

Attack Length: Increasing Duration

Page 18: Radware Global Application & Network Security Report 2013

DDoS Attacks are Not Singular Events

Page 19: Radware Global Application & Network Security Report 2013

Attack Vectors: Increasing Complexity

Page 20: Radware Global Application & Network Security Report 2013

Attackers Shorten Time to Bypass Mitigation Tools

[Figure: timeline with the labels “Peace” Period, Pre-attack Phase and Post-attack Phase]

Page 21: Radware Global Application & Network Security Report 2013

2013 Attack Vectors

More than 50% of 2013 DDoS attacks had more than 5 attack vectors.

Page 22: Radware Global Application & Network Security Report 2013

2012 – 2013 Trend: Diversity of Attacks

Page 23: Radware Global Application & Network Security Report 2013

Web Stealth Attacks

• More than HTTP floods
• Dynamic IP addresses
– Highly distributed attacks
– Attacks using Anonymizers / Proxy
– Attacks passing CDNs
• Attacks that are being obfuscated by SSL
• Attacks with the ability to pass C/R
• Attacks that use low traffic volume but saturate servers’ resources

Page 24: Radware Global Application & Network Security Report 2013

Web Stealth Attacks

Attacks on Login Pages are Destructive

• Based on SSL
• No load-balancing yet
• Flood of Search requests will look legitimate to network protection tools
• Creates resource saturation on app-server

Page 25: Radware Global Application & Network Security Report 2013

Bypassing CDN Protection

[Diagram labels: Botnet, Enterprise, CDN]

GET www.enterprise.com/?[Random]
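A defender-side check for the request pattern on this slide, as an added example that is not taken from the Radware report: a request such as GET /?[Random] carries a query string that is never repeated, so by default each one misses the CDN cache and reaches the origin. The function below flags cacheable paths where most query strings were seen only once; the sample log, the `cacheable_paths` parameter and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of (client_ip, request_target) pairs, as an edge or
# origin access log would record them. Addresses are documentation ranges.
SAMPLE_REQUESTS = (
    [("198.51.100.%d" % (i % 4), "/?%08x" % (i * 2654435761 % 2**32))
     for i in range(20)]                                    # random-token GETs
    + [("203.0.113.7", "/?utm_source=newsletter")] * 3      # repeated query
    + [("203.0.113.9", "/search?q=term%d" % i) for i in range(12)]  # dynamic page
)


def find_cache_busting(requests, cacheable_paths, min_requests=10,
                       one_off_share=0.8):
    """Flag cacheable paths where most query strings were never repeated.

    cacheable_paths (assumed input): paths the CDN is expected to serve
    from cache, so varying query strings on them are not normal traffic.
    Returns {path: {"requests": n, "one_off": k, "clients": [...]}}.
    """
    by_path = defaultdict(list)
    for client, target in requests:
        parts = urlsplit(target)
        path = parts.path or "/"
        if parts.query and path in cacheable_paths:
            by_path[path].append((client, parts.query))

    flagged = {}
    for path, hits in by_path.items():
        counts = Counter(query for _, query in hits)
        # Requests whose query string appeared exactly once on this path.
        one_off = [(c, q) for c, q in hits if counts[q] == 1]
        if len(hits) >= min_requests and len(one_off) / len(hits) >= one_off_share:
            flagged[path] = {
                "requests": len(hits),
                "one_off": len(one_off),
                "clients": sorted({c for c, _ in one_off}),
            }
    return flagged


if __name__ == "__main__":
    for path, info in find_cache_busting(SAMPLE_REQUESTS, {"/"}).items():
        print(path, info)
```

Aggregating per path rather than per client keeps the check useful when the requests are spread across many source addresses, each sending only a few.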

Page 26: Radware Global Application & Network Security Report 2013

Network Topology and DDoS Attacks

Server components that are likely to be attacked by DDoS attacks.

Page 27: Radware Global Application & Network Security Report 2013

DDoS Attacks Results

Public attention

Page 28: Radware Global Application & Network Security Report 2013

DDoS Attacks Results

Public attention

Results of one-second delay in Web page results

• 3.5% decrease in conversion rate
• 2.1% decrease in shopping cart size
• 9.4% decrease in page views
• 8.3% increase in bounce rate

Source: Strangeloop Networks, Case Study: The impact of HTML delay on mobile business metrics, November 2011

Page 29: Radware Global Application & Network Security Report 2013

Organizations are Adapting DDoS Mitigation Tools

Page 30: Radware Global Application & Network Security Report 2013

Organizations are Adapting DDoS Mitigation Tools

Only 29% of organizations surveyed do not have plans to deploy DDoS mitigation tools in 2014.

Page 32: Radware Global Application & Network Security Report 2013

HTTPS Based Attacks

• HTTPS based attacks are on the rise
• SSL traffic is not terminated by DDoS cloud scrubbers or DDoS solutions
• SSL traffic is terminated by ADC or web server
• SSL attacks hit their target and bypass security solutions

Page 33: Radware Global Application & Network Security Report 2013

DNS Based Attacks

• Most frequently used attack vector
• Amplification effect
– Regular DNS replies: a normal DNS reply is 3-4 times larger than the request
– Researched replies: can reach up to 10 times the original request
– Crafted replies: the attacker compromises a DNS server and ensures requests are answered with the maximum DNS reply message (4096 bytes), an amplification factor of up to 100 times

Page 34: Radware Global Application & Network Security Report 2013

DNS Based Attacks – The Recursive Attack

Page 35: Radware Global Application & Network Security Report 2013

Login Page Attacks

40% of organizations have been attacked by a Login Page attack in 2013.

Page 36: Radware Global Application & Network Security Report 2013

Web Stealth Attacks

Attacks on Login Pages are Destructive

• Based on SSL
• No load-balancing yet

Page 37: Radware Global Application & Network Security Report 2013

Implications of Login Page Attacks

Page 39: Radware Global Application & Network Security Report 2013

“Innocence of Muslims” Movie

• July 12, 2012: “Innocence of Muslims” trailer released on YouTube
• September 11, 2012: World-wide protest against the movie resulting in the deaths of 50 people

Page 40: Radware Global Application & Network Security Report 2013

Operation Ababil Background

Page 41: Radware Global Application & Network Security Report 2013

Operation Ababil

• The cyber attack is an act to stop the movie
• First targets: Bank of America, NYSE
• Group name is “Izz ad-din Al qassam cyber fighters”

Page 42: Radware Global Application & Network Security Report 2013

Operation Ababil Timeline

Page 43: Radware Global Application & Network Security Report 2013

Operation Ababil Target Organizations

Financial Service Providers

Page 44: Radware Global Application & Network Security Report 2013

Operation Ababil Attack Vectors

Page 45: Radware Global Application & Network Security Report 2013

Overcoming HTTP Challenges

Script     | 302 Redirect Challenge | JS Challenge | Special Challenge
Kamikaze   | Pass                   | Not pass     | Not pass
Kamina     | Pass                   | Not pass     | Not pass
Terminator | Pass                   | Pass         | Not pass

Page 46: Radware Global Application & Network Security Report 2013

Operation Op Columbian

Government

• Large scale cyber attack held on July 20, 2013
• Colombian Independence
• Largest cyber attacks, ever
• Attack against 30 Colombian government websites
• Attacker: Columbian Hackers
• Known hacker collective group
• Group used Twitter to communicate

Page 47: Radware Global Application & Network Security Report 2013

Op Colombia Attack Vectors

Web Stealth
• Directory traversal
• Brute force
• SQL Injection

Application
• HTTP Flood

Network
• SYN floods
• UDP floods
• ICMP floods

Page 48: Radware Global Application & Network Security Report 2013

Spamhaus Attack

Internet Service Provider

• Nine-day volumetric attack
• Broke the ceiling of 100 Gbps
• Attack reached bandwidth of 300 Gbps
• Target: Anti-spam organization providing Internet service
• Attacker: CyberBunker and Sven Olaf Kamphuis

Page 49: Radware Global Application & Network Security Report 2013

Spamhaus Attack Vectors

Page 51: Radware Global Application & Network Security Report 2013

DDoS Mitigation Selection Criteria

Time to protection
• The cost of a DDoS attack is significant
• The sooner the attack is over, the sooner the revenue loss will stop

Attacks coverage
• Attackers are using a plethora of attack vectors
• More than 50% of attacks include more than 5 vectors

Single point of contact in case of attack
• Attacks are becoming longer and require manual operations to mitigate

Page 52: Radware Global Application & Network Security Report 2013

Recommendations

• Acquire capabilities to sustain long attacks
• Train a team that is ready to respond to persistent attacks
• Deploy the most up-to-date methodologies and tools
• 24/7 availability to respond to attacks
• Deploy counterattack techniques to cripple an attack

Page 53: Radware Global Application & Network Security Report 2013

Thank You

www.radware.com

