Radware’s Pascal Geenens walks us through 10 questions regarding the cyber security threat landscape, trends in the Darknet, motivations for attacks, and much more.
What is the defining trend for the 2017 threat landscape?
The Internet of Things (IoT). Everyone will remember the epic attacks against Krebs, OVH and Dyn last year. DDoS attacks with new historical volumes of up to and beyond 600Gbps performed by large armies of 100,000s of IoT devices. The Mirai botnet played a lead role in these attacks. Mirai was devised to target and infect IoT devices which have their telnet access open and which can be easily compromised through factory default credentials. The deplorable security posture of IoT devices such as IP cameras and DVRs provides for easy victims. The fault is not on the consumer or the end-users; some of the devices would not even allow a user to change the factory default credentials through the admin GUI or even allow disabling of the telnet service. While consumers are not aware of the dangers of deploying the new smart technologies that are invading their homes, they are exposing themselves to cyber-attacks and cyber ransom campaigns, while at the same time participating in the large-scale DDoS attacks against online businesses and corporations.
Still today, and I’m sure for the next couple of months, we are discovering new strains of Mirai as well as new botnets that are using techniques introduced by Mirai. Only a few days ago researchers found a Windows malware that is supposed to provide a helper function to accelerate the harvesting of new victims for Mirai botnets. The Windows malware does not expose any bot-like behavior; all it does is scan for new victims and report them to the scan and load service from the Mirai botnet.
Mid-2016, we saw a CCTV botnet that was comprised of 25,000 devices. Dyn reportedly was hit by 100,000 devices. We have evidence of a Darknet Jabber campaign that offered DDoS services through a botnet consisting of 400,000 devices, and in November of 2016 there was the attempt to infect 900,000 DT residential routers. At this growth rate, we cannot begin to imagine what sizes botnets will become as we move through 2017. One thing is sure: there is an army of zombies out there consisting of numerous IoT devices that are available 24/7 and that are the vulnerable targets for multiple botnets. The only limitation on the botnets is how they are defeated by their competing botnets. Devices are infected and re-infected, so there is effectively a war of the bots ongoing and IoT is the platform they are fighting on and for.
Analysts expect up to 20 billion, some say 50 billion, smart devices to be connected by 2020. At the rate the threat is growing and the growth rate of IoT devices, we cannot ignore this trend and we should all be aware of it and protect ourselves accordingly. At least until IoT manufacturers start implementing adequate security measures.
Not all is lost though. For example, on January 5th of this year the Federal Trade Commission filed a complaint against D-Link to take them to court, accusing them of having failed to take reasonable steps to secure their routers and IP cameras, potentially compromising sensitive customer information.
According to the complaint they filed, D-Link did not address well-known security flaws including hard-coded credentials, command injection flaws and mishandling of private signing keys for the firmware, among others.
We expect threats to be evolving as well. What we are seeing today is the first generation of IoT botnets. As hackers start to harness the power of their botnets, we expect to see much more sophisticated attacks at high volumes. Before IoT botnets, attackers took recourse to amplification to perform volumetric attacks, which limited their payload to single queries and specific protocols. As hackers get access to larger botnets they are not limited anymore by simple attack vectors and they can now launch very sophisticated attacks at high volumes.
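The infection pattern described in this answer (open telnet, factory-default credentials, a scanner fanning out to find new victims for the loader) seen from the defender's side, as an added example that is not part of the original interview or of any Radware product: it parses constructed telnet authentication records, flags sources sweeping many hosts with default credentials, and lists devices on the defender's own network that still accepted a default login. The log format and the credential pairs are assumptions made for the example.

```python
import re
from collections import defaultdict, Counter

# Constructed sample pairs standing in for the factory defaults a Mirai-style
# scanner cycles through; a real deployment would load the vendor's documented
# defaults for the devices it actually owns.
DEFAULT_CREDS = {("root", "admin"), ("admin", "admin"), ("root", "root"), ("admin", "1234")}

EVENT_RE = re.compile(r"t=(\d+) src=(\S+) dst=(\S+) dport=(\d+) user=(\S+) pass=(\S+) result=(\S+)")


def constructed_events():
    """Constructed telnet authentication records (not real logs), in a simple
    key=value format such as a network sensor or honeypot might emit."""
    lines = []
    # A scanner sweeping port 23 on eight hosts within 40 seconds, cycling
    # through default credentials; one device (192.0.2.14) still accepts root/admin.
    creds = [("root", "admin"), ("admin", "admin"), ("root", "root"), ("admin", "1234")] * 2
    for i, (user, pw) in enumerate(creds):
        dst = f"192.0.2.{10 + i}"
        result = "ok" if dst == "192.0.2.14" else "fail"
        lines.append(f"t={100 + 5 * i} src=203.0.113.5 dst={dst} dport=23 user={user} pass={pw} result={result}")
    # An operator logging in once with a non-default account: not a scanner.
    lines.append("t=130 src=192.0.2.100 dst=192.0.2.10 dport=23 user=ops pass=correct-horse-battery result=ok")
    # A source with low fan-out (two targets), below the scanner threshold.
    lines.append("t=200 src=198.51.100.7 dst=192.0.2.20 dport=23 user=admin pass=admin result=fail")
    lines.append("t=205 src=198.51.100.7 dst=192.0.2.21 dport=23 user=admin pass=admin result=fail")
    return "\n".join(lines)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            t, src, dst, dport, user, pw, result = m.groups()
            events.append({"t": int(t), "src": src, "dst": dst, "dport": int(dport),
                           "user": user, "pw": pw, "ok": result == "ok"})
    return sorted(events, key=lambda e: e["t"])


def find_scanners(events, min_targets=5, window=60):
    """Sources that tried default telnet credentials against at least
    `min_targets` distinct hosts inside any `window`-second span.
    Returns {source: peak number of distinct targets in one window}."""
    per_src = defaultdict(list)
    for e in events:
        if e["dport"] == 23 and (e["user"], e["pw"]) in DEFAULT_CREDS:
            per_src[e["src"]].append(e)
    scanners = {}
    for src, evs in per_src.items():
        in_window = Counter()  # distinct targets currently inside the sliding window
        start = 0
        for e in evs:
            in_window[e["dst"]] += 1
            while evs[start]["t"] < e["t"] - window:  # drop events that fell out of the window
                old = evs[start]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(in_window))
    return scanners


def find_exposed_devices(events):
    """Hosts that accepted a factory-default telnet login: exactly the devices a
    scanner would report to its loader, so they need the credentials changed or
    telnet disabled (or a firmware fix where the GUI allows neither)."""
    return sorted({e["dst"] for e in events
                   if e["ok"] and e["dport"] == 23 and (e["user"], e["pw"]) in DEFAULT_CREDS})
```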
We covered the threat landscape, what are trends in the Darknet for 2017? Any change in how hackers organize themselves and how they evolve?
The Darknet is a thriving and mature economy with vendors doing research and developing new innovative tools, service providers offering Darknet hosting and XaaS, combined with a healthy consumer and customer ecosystem that pays for and (ab)uses the services offered for differing motivations.
Last year we have seen growing numbers of Booter and Stresser services or DDoS-for-hire on the Dark- as well as the Clearnet. Lately, more of those DDoS-for-hire platforms are built around IoT botnets. As dark vendors are competing, they innovate, automate and invest in better tools and better user experience. We even noticed the use of evaluation systems, allowing users to rate the service and provide feedback. This provides for a thriving dark economy with a high level of maturity.
In 2016, the Shenron attack tool provided access to botnets with a potential of 500Gbps DDoS traffic to customers for monthly prices ranging from $20 to $1,000 USD. The vDOS booter service had similar pricing and competed with Shenron, providing paying customers with the tools to launch high volume DDoS attacks against targets of their choice. In the case of the vDOS booter service, the two young owners made over $600,000 and have helped their customers to perform over 150,000 DDoS attacks in the course of two years. The vDOS owners were victims of a hack themselves and their secrets were exposed publicly. These are two of the better known services on the Darknet because their owners have been arrested and their details exposed, but there are many, many more.
What are the motives behind attack campaigns? What drives hackers to continue to invest in tools or their customers pay for the use of DDoS services?
The number one motive by far is ransom, with Europe leading that statistic. Our 2016-2017 ERT threat report shows that ransom is the motivation behind 41% of the attacks worldwide and 49% of the attacks in Europe. Through the use of paid DDoS services, bad actors are devising ransom schemes that take businesses offline that do not pay up. The typical method of operating is sending the victim a message that a DDoS attack will take place at a specific time unless the victim pays a certain amount of Bitcoins. To provide proof of their capabilities, a lower volume, short-lived DDoS attack typically follows the message.
Other more sophisticated attacks, which are targeting intellectual property or corporate secrets, are making use of DDoS as a smokescreen to hide their intrusion and the exfiltration of data.
The rest of the motivations vary at similar prevalence across all companies, whether this is insider threat, hacktivism, competition, cyberwar or angry users.
The #1 motivator is and will be money!
How should people protect themselves against this growing number of DDoS ransom attacks?
The previously mentioned DDoS attacks are typically of volumetric nature. Volumetric attacks will saturate the internet links of the victim, requiring a cloud-based scrubbing service with an abundance of throughput, distributed across the globe to mitigate as close as possible to the source of the problem. Radware provides always-on and on-demand Cloud DDoS Services with automatic or manual redirection of traffic through our cloud scrubbing centers across the world. On-demand services can be combined with our on-premise DDoS protection solution, which mitigates low and slow attacks and volumetric attacks that are not saturating the internet link.
Our ERT threat report indeed indicates that still 5 out of 6 businesses struggle daily with low profile DDoS attacks that are below 1Gbps but consume enough resources of the network and server infrastructure to result in poor service levels and customer experience. Low and slow attacks, even if they are not making the headlines, are a serious threat and should not be taken lightly. Our on-premise DDoS mitigation devices provide protection against any type of attack. Our behavioral detection algorithms are able to detect malicious traffic and differentiate the good from the bad; even in burst traffic conditions where there is a high volume of good traffic, the device still operates without false positives. Our automatic mitigation provides signatures to block malicious attacks without false positives within 18 seconds. When the attack is morphing, a feedback loop ensures the signature is adapted to the changing threat, providing continuous and automated protection. For total protection against all potential DDoS attacks, the on-premise DDoS mitigation is combined with a cloud service in an integrated hybrid solution. Through Radware’s unique defense messaging protocol, the on-prem and cloud mitigation solutions are continuously synchronized in terms of baselines and attack mitigation signatures. In the event of increasing volume in attack traffic, all traffic is redirected through the cloud scrubbing center and the mitigation takes effect immediately, while most competing solutions need to detect and learn the traffic patterns again from scratch before they effectively start mitigating.
The Dyn attack affected 6% of the Fortune 500 companies such as Amazon, Netflix, Twitter, CNN, Spotify… How can people protect themselves against these attacks?
Shortly after the Krebs and OVH attacks, a dark agent going by the name of Anna-Senpai published the source code for Mirai, the botnet used in the epic attacks against Krebs, OVH, Dyn and later also DT. We took advantage of the availability of this code to build our own botnet in our labs. We studied Mirai and its attacks carefully and provided detection signatures as early as November for our DefensePro products so that customers were protected from most of the Mirai attacks.
We didn’t stop there, and we changed Mirai to include new attack vectors that we expect attackers to add in the future, and we tested extensively with our solutions to find better ways to improve our detection and mitigation algorithms.
In the specific case of the Dyn attack, one of the original nine attack vectors used was the DNS water torture attack. DNS water torture is a difficult attack to mitigate without taking down a full domain or rate limiting requests in DNS servers. It affects organizations that host the authoritative DNS servers of a domain. For security reasons, organizations such as financial institutions prefer to host their authoritative DNS servers themselves and they should be provided with an adequate solution for this problem. This is why we worked on new ways to mitigate DNS attacks, which resulted in new patented technologies that will shortly be introduced in our DDoS mitigation solutions.
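The DNS water torture pattern this answer refers to, seen from the authoritative server's query log, as an added example that is not part of the original interview or of Radware's mitigation technology: it counts, per hosted zone, NXDOMAIN answers for labels that are never repeated and that arrive via many distinct recursive resolvers, which is why neither blocking the relaying clients nor dropping the whole zone is a clean fix. The log format, the zones and all traffic are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

LINE_RE = re.compile(r"^client (\S+) query (\S+) rcode (\S+)$")


def constructed_query_log():
    """Constructed authoritative-server query log (not real traffic).
    'client' is the recursive resolver that relayed the query, not the bot."""
    lines = []
    for i in range(10):  # legitimate traffic: a few resolvers asking for real names
        lines.append(f"client 198.51.100.{i % 3 + 1} query www.example.com rcode NOERROR")
        lines.append(f"client 198.51.100.{i % 3 + 1} query mail.example.com rcode NOERROR")
    for i in range(40):  # water torture: random labels relayed by twenty different resolvers
        label = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:10]
        lines.append(f"client 203.0.113.{i % 20 + 1} query {label}.example.com rcode NXDOMAIN")
    for i in range(8):  # a second hosted zone that sees only normal traffic
        lines.append(f"client 198.51.100.{i % 3 + 1} query api.example.net rcode NOERROR")
    return "\n".join(lines)


def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, qname, rcode = m.groups()
            yield client, qname.lower().rstrip("."), rcode


def zone_of(qname, zones):
    """Map a queried name to the hosted zone it belongs to (None if not ours)."""
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def analyze(log, zones, min_nx=20, min_unique_ratio=0.9, min_resolvers=5):
    """Per zone: flag water torture when many NXDOMAIN answers went to labels
    that are (almost) never repeated and were relayed by many distinct resolvers."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_labels": set(), "nx_clients": set()})
    for client, qname, rcode in parse(log):
        zone = zone_of(qname, zones)
        if zone is None:
            continue
        s = stats[zone]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_labels"].add(qname[: -len(zone) - 1])  # the random prefix in front of the zone
            s["nx_clients"].add(client)
    verdicts = {}
    for zone in zones:
        s = stats[zone]
        ratio = len(s["nx_labels"]) / s["nx"] if s["nx"] else 0.0
        flagged = (s["nx"] >= min_nx and ratio >= min_unique_ratio
                   and len(s["nx_clients"]) >= min_resolvers)
        # The relaying resolvers are legitimate infrastructure, so a per-client block
        # would cut off real users; the actionable signal is the never-repeating-label
        # pattern per zone, which is what rate limiting on the DNS server has to key on.
        verdicts[zone] = {"queries": s["total"], "nxdomain": s["nx"],
                          "unique_nx_ratio": round(ratio, 2),
                          "relaying_resolvers": len(s["nx_clients"]),
                          "water_torture": flagged}
    return verdicts
```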
You mentioned DT, and most of us will remember the impact on the residential internet access when DT suffered from an attack by Mirai last year. Was this also a DDoS attack comparable to the Dyn attack?
The impact DT suffered was the result of a failed infection attempt. The Mirai code was adapted to use a new infection vector through a Remote Code Execution (RCE) vulnerability in the NTP server name field of residential routers through the TR-069 protocol. Routers such as the Eir D1000, the Zyxel AMG1302 and the D-Link DSL3780 were known to be vulnerable at the time. The takeover attempt failed, causing the routers to reboot and ultimately led to 900,000 consumer devices losing internet connectivity. DT was very prompt on mitigating the issue through firmware updates to close the vulnerability. In some dark way, the outage was a blessing – imagine if the infection had succeeded without any interruption in service; we would be faced with a 900,000-device botnet… Now take into account the fact that these 900,000 consumer routers are less than 5% of DT’s landline customers. You can imagine the threat we are facing.
Earlier this year the average volume of encrypted traffic surpassed the average of unencrypted volume according to Mozilla. In which ways does this affect the threat landscape and how should people protect themselves?
Yes, the internet is going dark, more and more traffic is being encrypted using SSL/TLS. Mass adoption of technologies is always followed closely by efforts to exploit it. SSL is no exception and has experienced a large number of highly publicized vulnerabilities. Beside the data compromising vulnerabilities, SSL DDoS and DoS attacks target the SSL handshake mechanism, send garbage data to the SSL server, or abuse functions related to the SSL encryption key negotiation process. SSL attacks are popular because they are asymmetric: each SSL session handshake consumes 15 times more resources from the server than it does from the client.
Furthermore, with the increase of encrypted traffic on the internet, cyber attackers have found a new channel through which they can mask and further complicate attack detection in both network and application level threats.
Existing attack mitigation solutions require real time visibility into traffic traveling through the network over encrypted outbound sessions where the organization may not have access to the server’s encryption keys. This challenge is especially relevant for data leakage prevention (DLP), intrusion prevention systems (IPS), and firewalls which normally do not have visibility into encrypted traffic, creating significant blind spots in the protection they provide. Furthermore, protecting inbound sessions requires each and every device that inspects the traffic to have the server’s private keys, which can pose a burden on the management of more complex perimeters. Radware provides the SSL Clarity Perimeter Gateway solution, which is a centralized SSL offload solution equipped with SSL acceleration engines and optimized for the task. It integrates seamlessly with the different perimeter security devices, offering minimal latency and requiring only a single decryption and encryption step of the session while passing traffic through multiple inspection hops. Centralizing the SSL handling of traffic also minimizes the management and exposure of the server’s private keys to a single device. The same SSL Clarity Perimeter Gateway solution is able to overcome the issues of outbound sessions by effectively operating as a man-in-the-middle, masquerading as legitimate servers using dynamically generated server certificates based on a common corporate CA certificate that is trusted by the clients.
Radware also provides unique SSL capabilities for the mitigation of SSL denial of service attacks in the cloud, and on premise. When outsourcing a service in the cloud, most organizations are reluctant to provide visibility into clear traffic. Radware is the only vendor providing a solution based on SSL challenge/response, using dummy certificates to mitigate SSL renegotiation attacks without requiring access to the server’s private keys or having to decrypt the application’s traffic.
Besides the trends in threat landscape, what will be top of mind for security managers and CISOs this year?
The General Data Protection Regulation that will apply from May 25th, 2018 is top of mind in every CISO’s security strategy and budget for 2017. In January 2012, the European Commission proposed a comprehensive reform of the data protection rules in the EU. The General Data Protection Regulation (GDPR) is the largest reform in data protection law in the past 20 years. The objective of the new set of rules is to give back control to EU citizens over their personal data and to simplify the regulatory environment for business through making it consistent across EU member states. The regulation provides protection concerning the processing of personal data and the free movement of such data.
The GDPR is a whole new set of regulatory rules and measures to comply with and implement by any organization that controls or processes any form of personal data. Personal data is to be interpreted in the wide sense of the term and pertains to any information relating to an individual, whether it relates to his or her private, professional or public life and can be anything from a name, a picture, an email address, financial details, posts on social networks, or even a computer’s IP address. Not abiding by the GDPR will be met with enforced action including fines of up to €20,000,000 or 4% of the annual worldwide revenue when facing a breach of the data protection rules. The GDPR includes provisions that promote accountability and governance that can be audited, with non-compliance leading to administrative fines of up to €10,000,000 or 2% of annual worldwide revenue.
Whenever a company wants to trade or do business with one or several of the EU Member States, it will have to prove adequacy – in other words, its data protection standards would have to be equivalent to the EU’s GDPR starting in May 2018. This virtually makes GDPR a global, worldwide regulation affecting organizations and businesses around the globe.
For online businesses and cloud service providers, GDPR compliance means adherence to the principles of “Privacy by Design” and “Data Protection by Design” during the design, development, implementation and deployment of web applications or services, and any components or services associated with them. With the rapid adoption of cloud services there is a heightened concern with regard to the readiness of these applications and services. A recent study conducted by Symantec/Bluecoat shows that 98% of today’s cloud applications do not even come close to being GDPR-ready.
Based on recital 39 of the GDPR, personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to or use of personal data and the equipment used for the processing. Recital 49 goes further by requiring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems. The recital literally says “This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
Most businesses will face the urgent need for increasing protection on published applications and services on all topics and purposes of Data Leak Prevention, Access Control, Web-based Attack Prevention and Denial-of-Service prevention. Leading providers of cloud and on-premise Web Application and API Protection services as well as on-demand, always-on cloud and hybrid Denial-of-Service mitigation services do provide an adequate solution for this acute need. A fully managed WAF and DDoS Cloud service provides a fast route to check off one of the regulatory compliance boxes and a worry-free GDPR compliance strategy.
Now that we are on the topic of web applications, what are the trends and changes we might expect there?
The migration to the cloud continues and accelerates throughout 2017. As businesses move their core applications into the cloud, they find themselves in the position of having to secure them adequately. There are services provided by the cloud hosting providers, but most of them are sub-par in terms of breadth and depth and this is something we anticipated this year by launching our DDoS cloud solution integrated with AWS. Cloud WAF is another offering that allows our customers to manage their web application security without having two different vendors and technologies for on-prem and cloud applications. One of the major challenges of hybrid environments is the different security solutions for local and cloud applications and the management problem that is associated with this. Our Cloud WAF solution is based on the same technology we use in the data center, so policies can easily be migrated from and to the cloud, providing a seamless migration and experience for the customer.
The second trend is definitely DevOps. We are seeing more and more organizations adopting agile development and using Continuous Integration and Continuous Delivery pipelines to deliver better customer experience and have shorter lead times to provide for the needs of their customers. Half of the organizations that participated in our ERT report survey in 2016 have to accommodate multiple application changes per week while some of our customers undergo multiple application changes per day. This kind of agility within applications breaks the positive security policies of traditional web application protections. There is a need for web application security solutions that integrate and dynamically adapt with the application. This movement of securing the DevOps chain has been coined DevSecOps by Gartner. Our WAF solution provides an adaptive positive security policy as well as closed loop integrations with DAST tools to provide adequate protection without false positives in agile environments, where the application changes multiple times a day.
To end our interesting discussion, what is your final advice for security managers and CISOs as they go into 2017?
Stay focused and be prepared. Build a protection strategy and develop an adequate incident response plan, don’t let yourself be taken by surprise!
Hackers are making extensive use of automation; they are using automation to orchestrate attacks from growing botnets and using it to create new, more sophisticated attacks that are changing over short periods of time, making them difficult to mitigate without automated mitigation solutions. The best way to fight automation is with automation! Make use of it to provide faster and better mitigation when under attack. Do not rely on manual signature crafting to provide attack mitigation; by the time the signature is in place, the attack will have morphed, requiring continual manual changes to the signature – and some attacks can go on like this for days! Only automatic signature generation and enforcement can provide adequate and timely mitigation.
Prepare for the IoT tornado! Do not wait to put in place DDoS protection solutions on-prem, on-demand, hybrid or always-on cloud until you are the target of a ransom attack. No one can be considered exempt from ransom DDoS attacks.
And finally, reduce the impact of cyber-attacks on your business by having an emergency response plan in place that allows you to restore operations quickly, and eliminate much of the costs associated with cyber-attacks. If you do not have an emergency response plan in place today, start planning for one right now!
Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.
As the EMEA Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today's security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. He discovered BrickerBot, provided the updated Hajime report and follows closely any development and new threats in the IoT landscape. Prior to Radware, Pascal worked with the largest EMEA cloud providers on their SDN and next gen data center strategies as a consulting engineer for Juniper. As an independent consultant Pascal architected sensor networks, automated and developed PLC systems and led security infrastructure and software auditing projects. At the start of his career he was a regular presenter at IBM conferences for Perl and Unix kernel development.