main

Security

The Impact of GDPR One Year In

June 27, 2019 — by Radware0

gdpr1-960x540.jpg

Data breaches are expensive, and the costs are only going up.

Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled from last year — from 7% in 2018 to 13% in 2019. Half of Radware’s C-Suite Perspectives survey respondents estimated that an attack cost somewhere between 500,001 and 9.9 million USD/EUR/GBP.

One Year In

Arguably, the General Data Protection Regulation (GDPR), which has been active in the European Union since May 2018, contributes to these rising costs.

Every EU state has a data protection authority (DPA) that is authorized to impose administrative fines for improper handling of data. Fines can go up to 4% of a company’s worldwide revenues for more serious violations. Article 83 of the GDPR requires that fines be “effective, proportionate and dissuasive.”

More than half of Radware’s 2019 C-Suite Perspective survey respondents from EMEA experienced a self-reported incident under the GDPR in the past 12 months.

In the largest fine to date, France levied a fine against Google for €50 million for lack of consent on advertisements. Germany fined Knuddels €20,000 for insufficiently securing user data, enabling hackers to steal user passwords. And a sports betting café in Austria received a €5,000 fine for unlawful video surveillance.

C-Suite Perspectives: From Defense to Offense — Executives Turn Information Security Into a Competitive Advantage

So far, DPAs have received almost 150,000 complaints about data handling. Most are about video surveillance and advertising calls or mailings, according to the EU Commission. While fines have not yet been imposed in many cases, the potential for significant penalties is there.

The takeaway? C-suite executives in all regions should not let the leniency of the first year of GDPR enforcement lull them into complacency. The threat of GDPR fines is just one risk facing organizations that experience a data breach.

The danger is very real.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

Security

Cities Are Under Attack. Here’s Why.

June 25, 2019 — by Mark Taylor0

Ransomware-960x615.jpg

Greenville, North Carolina. Imperial County, California. Stuart, Florida. Cincinnati, Ohio. These are just a handful of cities and counties across the U.S. that have experienced crippling cyber attacks in recent months.

In 2019, local governments across the country have become the focus of attacks and face a growing threat of cyber attacks and escalating ransom demands. Indeed, ransomware is a pandemic in the United States, and hackers are increasingly going after larger targets instead of focusing on home computers, like most did five years ago.

[You may also like: Cities Paying Ransom: What Does It Mean for Taxpayers?]

The Vulnerabilities

Generally speaking, cities and municipalities are less prepared than companies to mitigate cyber attacks, due to limited resources and difficulty competing for cybersecurity talent. They are also increasingly reliant on technology to deliver city services. This, combined with aging computer systems, enlarges their attack surfaces.

And attackers are also getting more savvy. Per CSO Online, “There’s a constantly growing threat of exploitation either through investment from state-sponsored actors to the commoditization of very sophisticated attack techniques that are easy to use for inexperienced hackers. Ransomware isn’t new. It’s just how it’s been packaged up and how it’s being leveraged operationally by the hacker community.”

Why Cities and Municipalities?

Whether attacks on cities are increasing or merely just coming more to light now, it’s clear that they’re attractive targets for attackers.

This rationale is reinforced in Radware’s 2018-2019 Global Application & Network Security Report. According to the report, 52% of cyberattacks were motivated by financial or ransom purposes, far outpacing any other attack motivation. What’s more, government (cities and municipalities) are key targets, with 45% of government organizations being attacked on a daily or weekly basis.

[You may also like: How Cyberattacks Directly Impact Your Brand]

Simply put, the combination of constrained resources, data- and information-rich environments, countered by increasing automated attacks and attack types make cities and municipalities a high-value target for cyber criminals.

There’s no denying that in cities and municipalities, the pressure is on. Securing the constituent experience against cyberattacks is no longer just the responsibility of the IT department. Agencies need to implement security strategies–in every process and program–as if their very survival depends on them.

It only takes one data breach to compromise and expose constituent personal information or hobble critical services such as emergency response, public safety, air travel and more.

Recommendations

While it’s impossible to eliminate every risk or neutralize every threat, there are practical and minimal effort controls every city and municipality should consider. And tools alone don’t provide complete protection; a truly secure experience involves expert resources (threat intelligence), flexible deployment (cloud service), and agility or ease of use (fully managed).

[You may also like: Here’s How You Can Better Mitigate a Cyberattack]

When choosing the right security partner, which is critical for cities and municipalities, consider the following:

  • Evaluate protection for all web applications. Look for always-on and fully-managed services to protect both on-premise and cloud-based applications.
  • Evaluate risk from new DDoS attack types. Many organizations rely on their ISP and firewalls to detect and mitigate DDoS attacks. But DDoS attacks are growing and targeting applications, and application attacks are rarely detected by ISPs. 
  • Evaluate firewall DDoS protection. Attacks can fill state tables and bring down your firewall. 

The attack trends will persist in the foreseeable future, and all signs point to financial motivation gaining, thereby pushing attackers to try to profit from malicious malware. Of particular concern is the possibility of hackers investing their profits to leverage machine-learning capabilities to find ways to access and exploit resources in networks and applications.

Be prepared.

Download “Hackers Almanac” to learn more.

Download Now

BotnetsDDoS

Botnets: DDoS and Beyond

June 20, 2019 — by Daniel Smith0

botnets-960x540.jpg

Traditionally, DDoS is an avenue of profit for botherders. But today’s botnets have evolved to include several attack vectors other than DDoS that are more profitable. And just as any business-oriented person would do, attackers follow the money.

As a result, botherders are targeting enterprise and network software, since residential devices have become over saturated. The days of simple credentials-based attacks are long behind us. Attackers are now looking for enterprise devices that will help expand their offerings and assists in developing additional avenues of profit.

A few years ago, when IoT botnets became all the rage, they were mainly targeting residential devices with simple credential attacks (something the DDoS industry does not prevent from happening; instead we take the position of mitigating attacks coming from infected residential devices).

[You may also like: IoT Botnets on the Rise]

From Personal to Enterprise

But now that attackers are targeting enterprise devices, the industry must reevaluate the growing threat behind today’s botnets.

We now have to focus on not only protecting the network from external attacks but also the devices and servers found in a typical enterprise network from being infected by botnet malware and leveraged to launch attacks.

In a blog posted on MIT’s Technology Review titled, Inside the business model for botnets, C.G.J. Putman and colleagues from the University of Twente in the Netherlands detail the economics of a botnet. The article sheds some light on the absence of DDoS attacks and the growth of other vectors of attack generated from a botnet.

In their report, the team states that DDoS attacks from a botnet with 30,000 infected devices could generate around $26,000 a month. While that might seem like a lot, it’s actually a drop in the bucket compared to other attack vectors that can be produced from a botnet.

For example, C.G.J. Putman and Associates reported that a spamming botnet with 10,000 infected devices can generate $300,000 a month. The most profitable? Click fraud, which can generate over $20 million per month in profit.

[You may also like: Ad Fraud 101: How Cybercriminals Profit from Clicks]

To put that in perspective, AppleJ4ck and P1st from Lizard Squad made close to $600,000 over 2 years’ operating a stresser service called vDoS.

So let me ask this: If you are a botherder risking your freedom for profit, are you going to construct a botnet strictly for DDoS attacks or will you construct a botnet with more architecturally diverse devices to support additional vectors of profit?

Exactly. Botherders will continue to maximize their efforts and profitability by targeting enterprise devices.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

Security

Executives Are Turning Infosec into a Competitive Advantage

June 18, 2019 — by Anna Convery-Pelletier0

cs7-960x584.jpg

Companies are more connected to their customers now than ever before.  After spending billions to digitally transform themselves, organizations have exponentially increased the number of touchpoints as well as the frequency of communication they have with their customer base. 

Thanks to digital transformation, organizations are more agile, flexible, efficient, and customer-centric. However, with greater access to customers comes an equal measure of increased vulnerability. We have all seen the havoc that a data breach can wreak upon a brand; hackers are the modern-day David to the Goliaths of the Fortune 1000 world. As a result, we have experienced a fundamental shift in management philosophy around the role that information security plays across organizations. The savviest leaders have shifted from a defensive to offensive position and are turning information security into a competitive market advantage.

Each year, Radware surveys C-Suite executives to measure leadership sentiment around information security, its costs and business impacts.  This year, we studied the views and insights from 263 senior leaders at organizations primarily with revenue in excess of 1 billion USD/EUR/GBP around the world. Respondents represented 30% financial services, 21% retail/hospitality, 21% telecom/service provider, 7% manufacturing/distribution, 7% computer products/services, 6% business services/consulting, and 9% other.

This year’s report shines a spotlight on increased sophistication of management philosophy for information security and security strategy. While responsibility for cybersecurity continues to be spearheaded by the CIO and CISO, it is also being shared throughout the entire C-Suite.

[You may also like: How Cyberattacks Directly Impact Your Brand]

In fact, 72% of executives responding to our survey claimed that it’s a topic discussed in every board meeting. 82% of responding CEOs reported high levels of knowledge around information security, as did 72% of non-technical C-Suite titles – an all-time high! Security issues now influence brand reputation, brand trust, and consumer trust, which forces organizations to infuse information security into core business functions such as customer experience, marketing and business operations.

All with good reason. The average cost of a cyberattack is now roughly $4.6M, and the number of organizations that claim attacks cost them more than $10M has doubled from 2018 to 2019.

Customers are quite aware of the onslaught of data breaches that have affected nearly every industry, from banking to online dating, throughout the past ten years. Even though many governments have passed many laws to protect consumers against misuse of their data, such as GDPR, CASL, HIPPA, Personally Identifiable Information (PII), etc., companies still can’t keep up with the regulations. 

[You may also like: The Costs of Cyberattacks Are Real]

Case in point: 74% of European executives report they have experienced a data breach in the past 12 months, compared to 53% in America and 44% in APAC. Half (52%) of executives in Europe have experienced a self-reported incident under GDPR in the past year.  

Consumer confidence is at an all-time low. These same customers want to understand what companies have done to secure their products and services and they are willing to take their business elsewhere if that brand promise is broken. Customers are increasingly taking action following a breach. 

[You may also like: How Do Marketers Add Security into Their Messaging?]

Reputation management is a critical component of organizational management. Savvy leaders recognize the connection between information security and reputation management and subsequently adopted information security as a market advantage.

So How Do Companies Start to Earn Back Trust?

These leaders recognize that security must become part of the brand promise. Our research shows that 75% of executives claim security is a key part of their product marketing messages. 50% of companies surveyed offer dedicated security products and services to their customers. Additionally, 41% offer security features as add-ons within their products and services, and another 7% are considering building security services into their products.

Balancing Security Concerns with Deployment of Private and Public Clouds

Digital transformation drove a mass migration into public and private cloud environments.  Organizations were wooed by the promise of flexibility, streamlined business operations, improved efficiency, lower operational costs, and greater business agility. Rightfully so, as cloud environments have largely fulfilled their promises.

[You may also like: Excessive Permissions are Your #1 Cloud Threat]

However, along with these incredible benefits comes a far greater risk than most organizations anticipated. While 54% of respondents report improving information security is one of their top three reasons for initiating digital transformation processes, 73% of executives indicate they have had unauthorized access to their public cloud assets.  What is more alarming is how these unauthorized access incidents have occurred.

The technical sophistication of the modern business world has eroded the trust between brands and their customers, opening the door for a new conversation around security. 

Leading organizations have already begun to weave security into the very fabric of their culture – and it’s evidenced by going to market with secure marketing messages (as Apple’s new ad campaigns demonstrate), sharing responsibility for information security across the entire leadership team, creating privacy-centric business policies and processes, making information security and customer data-privacy part of an organization’s core values, etc.  The biggest challenges organizations still face is in how best to execute it, but that is a topic for another blog…

To learn more about the insights and perspectives on information security from the C-Suite, please download the report.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

Botnets

What You Need to Know About Botnets

June 12, 2019 — by Radware0

BotNet.jpeg

Botnets comprised of vulnerable IoT devices, combined with widely available DDoS-as-a-Service tools and anonymous payment mechanisms, have pushed denial-of-service attacks to record-breaking volumes.

A single attack can result in downtime, lost business and significant financial damages. Understanding the current tactics, techniques and procedures used by today’s cyber criminals is key to defending your network.

Watch this latest video from Radware’s Hacker’s Almanac to learn more about Botnets and how you can help protect your business from this type of sabotage.

Download “Hackers Almanac” to learn more.

Download Now

Attack MitigationDDoSSecurity

DDoS Protection Requires Looking Both Ways

March 26, 2019 — by Eyal Arazi0

ddos-960x540.jpg

Service availability is a key component of the user experience. Customers expect services to be constantly available and fast-responding, and any downtime can result in disappointed users, abandoned shopping carts, and lost customers.

Consequently, DDoS attacks are increasing in complexity, size and duration. Radware’s 2018 Global Application and Network Security Report found that over the course of a year, sophisticated DDoS attacks, such as burst attacks, increased by 15%, HTTPS floods grew by 20%, and over 64% of customers were hit by application-layer (L7) DDoS attacks.

Some Attacks are a Two-Way Street

As DDoS attacks become more complex, organizations require more elaborate protections to mitigate such attacks. However, in order to guarantee complete protection, many types of attacks – particularly the more sophisticated ones – require visibility into both inbound and outbound channels.

Some examples of such attacks include:

Out of State Protocol Attacks: Some DDoS attacks exploit weaknesses in protocol communication processes, such as TCP’s three-way handshake sequence, to create ‘out-of-state’ connection requests, thereby drawing-out connection requests in order to exhaust server resources. While some attacks of this type, such as a SYN flood, can be stopped by examining the inbound channel only, others require visibility into the outbound channel, as well.

An example of this is an ACK flood, whereby attackers continuously send forged TCP ACK packets towards the victim host. The target host then tries to associate the ACK reply to an existing TCP connection, and if none such exists, it will drop the packet. However, this process consumes server resources, and large numbers of such requests can deplete system resources. In order to correctly identify and mitigate such attacks, defenses need visibility to both inbound SYN and outbound SYN/ACK replies, so that they can verify whether the ACK packet is associated with any legitimate connection request.

[You may also like: An Overview of the TCP Optimization Process]

Reflection/Amplification Attacks: Such attacks exploit asymmetric responses between the connection requests and replies of certain protocols or applications. Again, some types of such attacks require visibility into both the inbound and outbound traffic channels.

An example of such attack is a large-file outbound pipe saturation attack. In such attacks, the attackers identify a very large file on the target network, and send a connection request to fetch it. The connection request itself can be only a few bytes in size, but the ensuing reply could be extremely large. Large amounts of such requests can clog-up the outbound pipe.

Another example are memcached amplification attacks. Although such attacks are most frequently used to overwhelm a third-party target via reflection, they can also be used to saturate the outbound channel of the targeted network.

[You may also like: 2018 In Review: Memcache and Drupalgeddon]

Scanning Attacks: Large-scale network scanning attempts are not just a security risk, but also frequently bear the hallmark of a DDoS attack, flooding the network with malicious traffic. Such scan attempts are based on sending large numbers of connection requests to host ports, and seeing which ports answer back (thereby indicating that they are open). However, this also leads to high volumes of error responses by closed ports. Mitigation of such attacks requires visibility into return traffic in order to identify the error response rate relative to actual traffic, in order for defenses to conclude that an attack is taking place.

Server Cracking: Similar to scanning attacks, server cracking attacks involve sending large amounts of requests in order to brute-force system passwords. Similarly, this leads to a high error reply rate, which requires visibility into both the inbound and outbound channels in order to identify the attack.

Stateful Application-Layer DDoS Attacks: Certain types of application-layer (L7) DDoS attacks exploit known protocol weaknesses or order to create large amounts of spoofed requests which exhaust server resources. Mitigating such attacks requires state-aware bi-directional visibility in order to identify attack patterns, so that the relevant attack signature can be applied to block it. Examples of such attacks are low-and-slow and application-layer (L7) SYN floods, which draw-out HTTP and TCP connections in order to continuously consume server resources.

[You may also like: Layer 7 Attack Mitigation]

Two-Way Attacks Require Bi-Directional Defenses

As online service availability becomes ever-more important, hackers are coming up with more sophisticated attacks than ever in order to overwhelm defenses. Many such attack vectors – frequently the more sophisticated and potent ones – either target or take advantages of the outbound communication channel.

Therefore, in order for organizations to fully protect themselves, they must deploy protections that allow bi-directional inspection of traffic in order to identify and neutralize such threats.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Security

The Intersections between Cybersecurity and Diversity

March 20, 2019 — by Kevin Harris0

diversity-960x640.jpg

Cybersecurity and diversity are high-value topics that are most often discussed in isolation. Both topics resonate with individuals and organizations alike.

However, the intersections between cybersecurity and diversity are often overlooked. As nations and organizations seek to protect their critical infrastructures, it’s important to cultivate relationships between the two areas. Diversity is no longer only a social awareness and morality initiative; it is a core element of defending critical infrastructures.

Communities Need to Play a Greater Role in Cybersecurity

Technology careers typically pay more than other careers, providing a pathway to a quality lifestyle. With multiple entry points into the technology field — including degrees, apprenticeships and industry certifications — there are ways that varying communities can take part in technology careers, especially in cybersecurity. For instance, communities can improve cybersecurity education for women, minorities and home users.

Workforce Gaps Involving Women and Minorities Weakens Cybersecurity Defenses

Limited awareness and exposure to cybersecurity education often creates an opportunity gap for minorities and women. Failing to incorporate underserved populations limits the talent and size of our cybersecurity workforce. Without an all-inclusive cyber workforce, our critical infrastructure will have a talent gap, introducing additional system vulnerabilities.

To rectify this problem, communities must implement permanent efforts to ensure that children attending schools in underserved districts have access to technology and courses. That will better prepare them to become cyber workers.

[You may also like: Battling Cyber Risks with Intelligent Automation]

This infusion of technology talent helps to protect our nation’s vital digital assets. Organizations must make their recruitment and retention practices more inclusive. Ideally, they should provide opportunities to individuals who are either trained or are willing to undergo training to have a pathway to a successful career.

Additionally, higher education institutions should find ways to ensure that minorities and women have the support they need as they progress through their technology degrees. In addition, universities and colleges can offer cybersecurity faculty and mentors who can help these groups prepare for meaningful careers.

Cybersecurity Training Must Be Improved for Home Users

Another intersection of cybersecurity and diversity is at the user level. Most cybersecurity discussions center on the protection of government or corporate systems. Organizations spend significant portions of their budgets to prepare for and protect against cyberattacks.

Unfortunately, home users are often left out of such conversations; they are not considered part of any holistic cyber defense plan. With the large number of home users with multiple devices, the vulnerabilities of home systems provide hackers with easy attack opportunities.

[You may also like: The Costs of Cyberattacks Are Real]

Consequently, attackers access and compromise home devices, which allows them to attack other systems. In addition, these hackers can mask their true location and increase their computing power. They can then carry out their attacks more efficiently.

Compromising an individual’s personal device presents additional opportunities for attackers to access that person’s credentials as well as other sensitive workplace data. However, strong organization policies should dictate what information can be accessed remotely.

To increase home users’ threat awareness level, organizations should develop training programs as a part of community involvement initiatives. Vendors should strengthen default security settings for home users and ensure that home security protections are affordable and not difficult to configure.

[You may also like: Personal Security Hygiene]

Organizational Cultures Need to Emphasize that All Employees are Cyber Defenders

Diversity and cybersecurity also intersect at the organizational culture level. Regardless of whether or not organizations have an information systems security department, companies must foster the right type of security-minded workplace culture. All employees should be aware that they are intricate components in protecting the organization’s critical digital assets.

Educational institutions can support this effort by incorporating cyber awareness training across disciplines. This will give all graduates — regardless of their degrees — some exposure to cyber risks and their role in protecting digital assets.

[You may also like: 5 Ways Malware Defeats Cyber Defenses & What You Can Do About It]

Cybersecurity and Diversity Should Work Together, Not in Silos

Cybersecurity and diversity will continue to be important topics. The focus, however, should be on discussing the importance of their mutual support, rather than functioning in two separate silos. Improving our cyber defenses requires the best of all segments of our society, which includes minorities, women and home users.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Cloud Security

Are Your DevOps Your Biggest Security Risks?

March 13, 2019 — by Eyal Arazi0

apikey-960x720.jpg

We have all heard the horror tales: a negligent (or uniformed) developer inadvertently exposes AWS API keys online, only for hackers to find those keys, penetrate the account and cause massive damage.

But how common, in practice, are these breaches? Are they a legitimate threat, or just an urban legend for sleep-deprived IT staff? And what, if anything, can be done against such exposure?

The Problem of API Access Key Exposure

The problem of AWS API access key exposure refers to incidents in which developer’s API access keys to AWS accounts and cloud resources are inadvertently exposed and found by hackers.

AWS – and most other infrastructure-as-as-service (IaaS) providers – provides direct access to tools and services via Application Programming Interfaces (APIs). Developers leverage such APIs to write automatic scripts to help them configure cloud-based resources. This helps developers and DevOps save much time in configuring cloud-hosted resources and automating the roll-out of new features and services.

[You may also like: Ensuring Data Privacy in Public Clouds]

In order to make sure that only authorized developers are able to access those resource and execute commands on them, API access keys are used to authenticate access. Only code containing authorized credentials will be able to connect and execute.

This Exposure Happens All the Time

The problem, however, is that such access keys are sometimes left in scripts or configuration files uploaded to third-party resources, such as GitHub. Hackers are fully aware of this, and run automated scans on such repositories, in order to discover unsecured keys. Once they locate such keys, hackers gain direct access to the exposed cloud environment, which they use for data theft, account takeover, and resource exploitation.

A very common use case is for hackers to access an unsuspecting cloud account and spin-up multiple computing instances in order to run crypto-mining activities. The hackers then pocket the mined cryptocurrency, while leaving the owner of the cloud account to foot the bill for the usage of computing resources.

[You may also like: The Rise in Cryptomining]

Examples, sadly, are abundant:

  • A Tesla developer uploaded code to GitHub which contained plain-text AWS API keys. As a result, hackers were able to compromise Tesla’s AWS account and use Tesla’s resource for crypto-mining.
  • WordPress developer Ryan Heller uploaded code to GitHub which accidentally contained a backup copy of the wp-config.php file, containing his AWS access keys. Within hours, this file was discovered by hackers, who spun up several hundred computing instances to mine cryptocurrency, resulting in $6,000 of AWS usage fees overnight.
  • A student taking a Ruby on Rails course on Udemy opened up a AWS S3 storage bucket as part of the course, and uploaded his code to GitHub as part of the course requirements. However, his code contained his AWS access keys, leading to over $3,000 of AWS charges within a day.
  • The founder of an internet startup uploaded code to GitHub containing API access keys. He realized his mistake within 5 minutes and removed those keys. However, that was enough time for automated bots to find his keys, access his account, spin up computing resources for crypto-mining and result in a $2,300 bill.
  • js published an npm code package in their code release containing access keys to their S3 storage buckets.

And the list goes on and on…

The problem is so widespread that Amazon even has a dedicated support page to tell developers what to do if they inadvertently expose their access keys.

How You Can Protect Yourself

One of the main drivers of cloud migration is the agility and flexibility that it offers organizations to speed-up roll-out of new services and reduce time-to-market. However, this agility and flexibility frequently comes at a cost to security. In the name of expediency and consumer demand, developers and DevOps may sometimes not take the necessary precautions to secure their environments or access credentials.

Such exposure can happen in a multitude of ways, including accidental exposure of scripts (such as uploading to GitHub), misconfiguration of cloud resources which contain such keys , compromise of 3rd party partners who have such credentials, exposure through client-side code which contains keys, targeted spear-phishing attacks against DevOps staff, and more.

[You may also like: Mitigating Cloud Attacks With Configuration Hardening]

Nonetheless, there are a number of key steps you can take to secure your cloud environment against such breaches:

Assume your credentials are exposed. There’s no way around this: Securing your credentials, as much as possible, is paramount. However, since credentials can leak in a number of ways, and from a multitude of sources, you should therefore assume your credentials are already exposed, or can become exposed in the future. Adopting this mindset will help you channel your efforts not (just) to limiting this exposure to begin with, but to how to limit the damage caused to your organization should this exposure occur.

Limit Permissions. As I pointed out earlier, one of the key benefits of migrating to the cloud is the agility and flexibility that cloud environments provide when it comes to deploying computing resources. However, this agility and flexibility frequently comes at a cost to security. Once such example is granting promiscuous permissions to users who shouldn’t have them. In the name of expediency, administrators frequently grant blanket permissions to users, so as to remove any hindrance to operations.

[You may also like: Excessive Permissions are Your #1 Cloud Threat]

The problem, however, is that most users never use most of the permissions they have granted, and probably don’t need them in the first place. This leads to a gaping security hole, since if any one of those users (or their access keys) should become compromised, attackers will be able to exploit those permissions to do significant damage. Therefore, limiting those permissions, according to the principle of least privileges, will greatly help to limit potential damage if (and when) such exposure occurs.

Early Detection is Critical. The final step is to implement measures which actively monitor user activity for any potentially malicious behavior. Such malicious behavior can be first-time API usage, access from unusual locations, access at unusual times, suspicious communication patterns, exposure of private assets to the world, and more. Implementing detection measures which look for such malicious behavior indicators, correlate them, and alert against potentially malicious activity will help ensure that hackers are discovered promptly, before they can do any significant damage.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Attack Types & VectorsBotnetsSecurity

IoT Expands the Botnet Universe

March 6, 2019 — by Radware0

AdobeStock_175553664-960x607.jpg

In 2018, we witnessed the dramatic growth of IoT devices and a corresponding increase in the number of botnets and cyberattacks. Because IoT devices are always-on, rarely monitored and generally use off-the-shelf default passwords, they are low-hanging fruit for hackers looking for easy ways to build an army of malicious attackers. Every IoT device added to the network grows the hacker’s tool set.

Botnets comprised of vulnerable IoT devices, combined with widely available DDoS-as-a-Service tools and anonymous payment mechanisms, have pushed denial-of-service attacks to record-breaking volumes. At the same time, new domains such as cryptomining and credentials theft offer more opportunities for hacktivism.

Let’s look at some of the botnets and threats discovered and identified by Radware’s deception network in 2018.

JenX

A new botnet tried to deliver its dangerous payload to Radware’s newly deployed IoT honeypots. The honeypots registered multiple exploit attempts from distinct servers, all located in popular cloud hosting providers based in Europe. The botnet creators intended to sell 290Gbps DDoS attacks for only $20. Further investigation showed that the new bot used an atypical central scanning method through a handful of Linux virtual private servers (VPS) used to scan, exploit and load malware onto unsuspecting IoT victims. At the same time, the deception network also detected SYN scans originating from each of the exploited servers indicating that they were first performing a
mass scan before attempting to exploit the IoT devices, ensuring that ports 52869 and 37215 were open.

[You may also like: IoT Botnets on the Rise]

ADB Miner

A new piece of malware that takes advantage of Android-based devices exposing debug capabilities to the internet. It leverages scanning code from Mirai. When a remote host exposes its Android Debug Bridge (ADB) control port, any Android emulator on the internet has full install, start, reboot and root shell access without authentication.

Part of the malware includes Monero cryptocurrency miners (xmrig binaries), which are executing on the infected devices. Radware’s automated trend analysis algorithms detected a significant increase in activity against port 5555, both in the number of hits and in the number of distinct IPs. Port 5555 is one of the known ports used by TR069/064 exploits, such as those witnessed during the Mirai-based attack targeting Deutsche Telekom routers in November 2016. In this case, the payload delivered to the port was not SOAP/HTTP, but rather the ADB remote debugging protocol.

Satori.Dasan

Less than a week after ADB Miner, a third new botnet variant triggered a trend alert due to a significant increase in malicious activity over port 8080. Radware detected a jump in the infecting IPs from around 200 unique IPs per day to over 2,000 malicious unique IPs per day. Further investigation by the research team uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 — Dasan Unauthenticated Remote Code Execution.

[You may also like: New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers]

The rapidly growing botnet referred to as “Satori.Dasan” utilizes a highly effective wormlike scanning mechanism, where every infected host looks for more hosts to infect by performing aggressive scanning of random IP addresses and exclusively targeting port 8080. Once a suitable target is located, the infected bot notifies a C2 server, which immediately attempts to infect the new victim.

Memcached DDoS Attacks

A few weeks later, Radware’s system provided an alert on yet another new trend — an increase in activity on UDP port 11211. This trend notification correlated with several organizations publicly disclosing a trend in UDP-amplified DDoS attacks utilizing Memcached servers configured to accommodate UDP (in addition to the default TCP) without limitation. After the attack, CVE2018-1000115 was published to patch this vulnerability.

Memcached services are by design an internal service that allows unauthenticated access requiring no verification of source or identity. A Memcached amplified DDoS attack makes use of legitimate third-party Memcached servers to send attack traffic to a targeted victim by spoofing the request packet’s source IP with that of the victim’s IP. Memcached provided record-breaking amplification ratios of up to 52,000x.

[You may also like: Entering into the 1Tbps Era]

Hajime Expands to MikroTik RouterOS

Radware’s alert algorithms detected a huge spike in activity for TCP port 8291. After near-zero activity on that port for months, the deception network registered over 10,000 unique IPs hitting port 8291 in a single day. Port 8291 is related to a then-new botnet that exploits vulnerabilities in the MikroTik RouterOS operating system, allowing attackers to remotely execute code on the device.

The spreading mechanism was going beyond port 8291, which is used almost exclusively by MikroTik, and rapidly infecting other devices such as AirOS/Ubiquiti via ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880, utilizing known exploits and password-cracking attempts to speed up the propagation.

Satori IoT Botnet Worm Variant

Another interesting trend alert occurred on Saturday, June 15. Radware’s automated algorithms alerted to an upsurge of malicious activity scanning and infection of a variety of IoT devices by taking advantage of recently discovered exploits. The previously unseen payload was delivered by the infamous Satori botnet. The exponential increase in the number of attack sources spread all over the world, exceeding 2,500 attackers in a 24-hour period.

[You may also like: A Quick History of IoT Botnets]

Hakai

Radware’s automation algorithm monitored the rise of Hakai, which was first recorded in July. Hakai is a new botnet recently discovered by NewSky Security after lying dormant for a while. It started to infect D-Link, Huawei and Realtek routers. In addition to exploiting known vulnerabilities to infect the routers, it used a Telnet scanner to enslave Telnet-enabled devices with default credentials.

DemonBot

A new stray QBot variant going by the name of DemonBot joined the worldwide hunt for yellow elephant — Hadoop cluster — with the intention of conscripting them into an active DDoS botnet. Hadoop clusters are typically very capable, stable platforms that can individually account for much larger volumes of DDoS traffic compared to IoT devices. DemonBot extends the traditional abuse of IoT platforms for DDoS by adding very capable big data cloud servers. The DDoS attack vectors supported by DemonBot are STD, UDP and TCP floods.

Using a Hadoop YARN (Yet-Another-Resource-Negotiator) unauthenticated remote command execution, DemonBot spreads only via central servers and does not expose the wormlike behavior exhibited by Mirai-based bots. By the end of October, Radware tracked over 70 active exploit servers that are spreading malware
and exploiting YARN servers at an aggregated rate of over one million exploits per day.

[You may also like: Hadoop YARN: An Assessment of the Attack Surface and Its Exploits]

YARN allows multiple data processing engines to handle data stored in a single Hadoop platform. DemonBot took advantage of YARN’s REST API publicly exposed by over 1,000 cloud servers worldwide. DemonBot effectively harnesses the Hadoop clusters in order to generate a DDoS botnet powered by cloud infrastructure.

Always on the Hunt

In 2018, Radware’s deception network launched its first automated trend-detection steps and proved its ability to identify emerging threats early on and to distribute valuable data to the Radware mitigation devices, enabling them to effectively mitigate infections, scanners and attackers. One of the most difficult aspects in automated anomaly detection is to filter out the massive noise and identify the trends that indicate real issues.

In 2019, the deception network will continue to evolve and learn and expand its horizons, taking the next steps in real-time automated detection and mitigation.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack Types & VectorsBotnets

Attackers Are Leveraging Automation

January 31, 2019 — by Radware0

automation-960x681.jpg

Cybercriminals are weaponizing automation and machine learning to create increasingly evasive attack vectors, and the internet of things (IoT) has proven to be the catalyst driving this trend. IoT is the birthplace of many of the new types of automated bots and malware.

At the forefront are botnets, which are increasingly sophisticated, lethal and highly automated digitized armies running amok on corporate networks. For example, hackers now leverage botnets to conduct early exploitation and network reconnaissance prior to unleashing an attack.

The Mirai botnet, which was made famous by its use in the 2016 attack on DNS provider Dyn, along with its subsequent variants, embodies many of these characteristics. It leverages a network-scanning and attack architecture capable of identifying “competing” malware and removing it from the IoT device to block remote administrative control. In addition, it leverages the infamous Water Torture attack to generate randomized domain names on a DNS infrastructure. Follow-up variants use automation to allow the malware to craft malicious queries in real time.

[You may also like: A Quick History of IoT Botnets]

Modern-day malware is an equally sophisticated multi-vector cyberattack weapon designed to elude detection using an array of evasion tools and camouflage techniques. Hackers now leverage machine learning to create custom malware that defeats anti-malware defenses. One example is Generative Adversarial Network algorithms
that can bypass black-box machine-learning models. In another example, a cybersecurity company adapted Elon Musk’s OpenAI framework to create forms of malware that mitigation solutions couldn’t detect.

Automation for Detection and Mitigation

So how does a network security team improve its ability to deal with these increasingly multifarious cyberattacks? Fight fire with fire. Automated cybersecurity solutions provide the data-processing muscle to mitigate these advanced threats.

Executives clearly understand this and are ready to take advantage of automation. According to Radware’s C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts report, the vast majority of executives (71%) report shifting more of their network security budget into technologies that employ machine learning and automation. The need to protect increasingly heterogeneous infrastructures, a shortage in cybersecurity talent and increasingly dangerous
cyberthreats were indicated as the primary drivers of this fiscal shift.

In addition, the trust factor is increasing. Four in 10 executives trust automated systems more than humans to protect their organization against cyberattacks.

[You may also like: Looking Past the Hype to Discover the Real Potential of AI]

Traditional DDoS solutions use rate limiting and manual signature creation to mitigate attacks. Rate limiting can be effective but can also result in a high number of false positives. As a result, manual signatures are then used to block offending traffic to reduce the number of false positives. Moreover, manual signatures take time to create because identifying offending traffic is only possible AFTER the attack starts. With machine-learning botnets now breaching defenses in less than 20 seconds, this hands-on strategy does not suffice.

Automation and, more specifically, machine learning overcome the drawbacks of manual signature creation and rate-limiting protection by automatically creating signatures and adapting protections to changing attack vectors. Machine learning leverages advanced mathematical models and algorithms to look at baseline network parameters, assess network behavior, automatically create attack signatures and adapt security configurations and/or policies to mitigate attacks. Machine learning transitions an organization’s DDoS protection strategy from manual, ratio- and rate-based protection to behavioral-based detection and mitigation.

The Final Step: Self-Learning

A market-leading DDoS protection solution combines machine-learning capabilities with negative and positive security protection models to mitigate automated attack vectors, such as the aforementioned DNS Water Torture attacks made notorious by Mirai. By employing machine learning and ingress-only positive protection models, this sort of an attack vector is eliminated, regardless of whether the protected DNS infrastructure is an authoritative or a recursive DNS.

The final step of automated cybersecurity is automated self-learning. DDoS mitigation solutions should leverage a deep neural network (DNN) that conducts post-analysis of all the generated data, isolates known attack information and feeds those data points back into the machine learning algorithms. DNNs require massive amounts of storage and computing power and can be prohibitively expensive to house and manage within a privately hosted data center.

[You may also like: Are Application Testing Tools Still Relevant with Self Learning WAFs?]

As a result, ideally a DNN is housed and maintained by your organization’s DDoS mitigation vendor, which leverages its network of cloud-based scrubbing centers (and the massive volumes of threat intelligence data that it collects) to process this information via big data analytics and automatically feed it back into your organization’s DDoS mitigation solution via a real-time threat intelligence feed.This makes the input of thousands of malicious IPs and new attack signatures into an automated process that no SOC team could ever hope to accomplish manually.

The result is a DDoS mitigation system that automatically collects data from multiple sources and leverages machine learning to conduct zero-day characterization. Attack signatures and security policies are automatically updated and not reliant on a SOC engineer who is free to conduct higher-level analysis, system management and threat analysis.

Automation is the future of cybersecurity. As cybercriminals become more savvy and increasingly rely on automation to achieve their mischievous goals, automation and machine learning will become the cornerstone of cybersecurity solutions to effectively combat the onslaught from the next generation of attacks. It will allow organizations to improve the ability to scale network security teams, minimize human errors and safeguard digital assets to ensure brand reputation and the customer experience.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now