The following is a Q&A with Daniel Smith, an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and attack mitigations proactively for its customers.
This blog discusses active research from Radware’s ERT research team regarding a DDoS for Ransom campaign.
This is a preliminary report and will be updated accordingly.
Last month, on Friday, May 12th, a global incident related to a ransomware variant named WannaCry broke out, targeting computers around the world. Everything from personal computers to corporate and university networks was affected by this campaign. The campaign spread across networks by leveraging a recently disclosed vulnerability in Microsoft’s SMB service. On March 14th 2017, Microsoft released MS17-010, a security update that addressed and patched six CVEs. Five were remote code execution vulnerabilities and the sixth was an information disclosure vulnerability.
In April 2017, we conducted a global survey of C-suite executives. All respondents represent organizations with at least $250 million (or the equivalent) in annual revenue. Our goal: to understand their greatest challenges, threats and opportunities when it comes to cyber security.
Every year Radware sets forth predictions in our annual security report, Radware’s Global Application and Network Security Report, and, we might add, we have achieved a very substantial track record of forecasting how the threat landscape will evolve. After all, it is fun to predict what may happen over the course of a year in security. The industry moves so fast, and while some things do stay the course, it only takes one small catalyst to spark a new direction that nobody could have predicted.
Over the last few days, Radware’s Security Research Groups have been monitoring a global incident related to a ransomware variant named WannaCrypt, also known as WannaCry, WanaCrypt0r and wcry. On the morning of Friday May 12th, a ransomware campaign began targeting computers around the world. Once a computer was infected, a worm replicated itself across the network, targeting other computers as well. Worms use a computer network to propagate to other machines and infect them with the malicious payload.
Key Takeaways from Cisco Live Berlin 2017
Digital Transformation is the Core of Every Business
2016-2017 introduced the era of Digital Transformation. Digital transformation is the change associated with the application of digital technology in all aspects of human society. Digital transformation inherently enables new types of innovation and creativity to increase business competency rather than simply going paperless.
Ruba Borno, PhD, Vice President of Cisco Growth Initiatives, shared Cisco’s vision that the only future-proofed solution for digital transformation is a next-generation secure network. Security is no longer static, and securing all of an organization’s access points is no simple task. IoT, a mobile workforce, cloud applications and the increased sophistication of attackers and attack methods require better preparation. Organizations need to fundamentally change how they build, manage and secure networks.
Digital transformation was the apparent theme across this year’s Cisco Live Berlin. With security becoming the key enabler for any organization’s IT investment, this post covers the key trends in securing the digital transformation, along with the new solution announcements covered at Cisco Live Berlin 2017.
Attackers Are Relentless; Defenders Are Tired
Attackers have infinite time to plan their next attack: choose a victim, gather intelligence, select the right attack tools, test them, coordinate an attack and then launch it at their convenience. There are plenty of attack tools available on the Clearnet and the Darknet, and there are plenty of opportunities to strike again and again – until they succeed.
Defenders, on the other hand, have to overcome every attack attempt. They do not have a second chance. They have limited budget, their job is at stake, and they need to keep up with education, training, selecting the right solutions and maintaining an effective security posture.
This is where the difference between detection and protection becomes critical. To protect against attacks you need first to detect that you are under attack. Security solutions often focus on shortening the time to detect. Yet, they also need to shorten the time to protect – this is where automation becomes important. Solutions that automate more stages of the attack lifecycle will be more successful in dealing with the more dynamic, automated attacks organizations experience today.
Ransomware Becomes a Major Threat
I urge you to watch “Ransomware – An Anatomy of an Attack.” This video, played at multiple Cisco Live sessions, provides an insight into an attacker’s daily work. It is about the details. The attacker does not need to develop any tool or software. They only need to select the right tools from an endless variety and use them smartly.
DDoS attacks have also joined the mix of ransom attacks, slowing down organizations’ operations and even completely shutting down their online presence.
What can you do against ransomware? Although it was widely discussed during multiple sessions at Cisco Live Berlin 2017, I have not seen a solution that is truly designed to address this threat. Cisco speakers discussed a multi-layered security approach, highlighting some capabilities in their solutions that can help improve a business’s security posture against the ransom threat.
What can you do to fight this threat? As always, prevention is the key. And prevention is about education, education and again – education. Attackers lure employees into opening unsolicited emails and downloading software updates, and harness multiple social engineering techniques. You need to be more suspicious and ask yourself beforehand whether an operation is safe.
DDoS Attacks Are On the Rise
We know how to protect endpoints – desktops, laptops and other mobile devices. We know how to protect our enterprise network. We use firewalls, intrusion prevention systems, anti-virus, anti-malware and other perimeter network security solutions.
What we do not know is how to protect infrastructure against DDoS attacks. Data centers, service providers and cloud providers are all vulnerable to network flood attacks. The recent Dyn attack and the now-famous Mirai botnet are clear reminders that we need to get ready.
IoT is a real threat. We are adding 1 million devices per hour to the internet, and the majority of them are directly accessible with no or limited security measures. A 1 terabit-per-second DDoS attack is expected in 2017.
We need to think differently. DDoS attacks are not a problem of specific organizations. They are a problem for the whole community. Attack mitigation should start at the service providers’ network and extend to the enterprise data center. It should be simpler and more manageable.
Effective Security: Keep It Simple
Digitization has created unprecedented growth opportunities. With more than 50 billion connected devices estimated by 2020 (according to Cisco), business leaders are questioning how new digital trends will impact their business — but so are the active adversaries seeking to profit from well-organized cybercrime operations. As the attack surface continues to expand, so has the need for a more effective approach to security.
According to Cisco, a typical organization deploys some 50 different security devices and solutions in its network and data centers. Every new solution contributes an incremental level of security; however, it increases network complexity exponentially. The challenge of effective security is not what to secure, but how to manage it.
The answer is keeping it simple. Security that is integrated, automated and simple to manage will be foundational to the success of digital businesses as they work to deliver protection from the network to the mobile user and the cloud — wherever employees work and data resides.
Did I mention automation? David Ulevitch, VP of Cisco’s Security Business Group, discussed automation. His view is that the only way to win the cyber war is through automation: let the machines run the machines.
This is the path to effective security. It’s a continuous process, not a one-time effort.
Cloud Is the Secret Weapon
The secret weapon in our security toolbox is the cloud. Why? Here are a few arguments:
a) Cloud offers elastic and unlimited resources. You can use compute and storage for data collection and analytics to look at user behavior. This helps you make the right security decision per user, per transaction or per location.
b) Cloud offers the ideal management and control for all enterprise applications – on premises and in the cloud.
Look for cloud as an integrated solution. If the vendor offers you APIs – move on. You do not have the time or the resources to use APIs.
ACI at New Heights
I recall John Chambers’ keynote from Cisco Live 2015, where he admitted that Cisco was late in identifying the SDN (Software-Defined Networking) market. John promised that Cisco was going to fix that. Indeed, Cisco introduced its flavor of software-defined networking, called Application Centric Infrastructure (ACI). ACI is Cisco’s foundation for the Software Defined Data Center (SDDC) initiative.
At the event, Cisco announced that it is further expanding ACI – turning it from a pure data center solution into a multi-site solution. Cisco introduced multiple data-center automation tools, further empowered its ACI ecosystem with more than 65 technology partners and launched a new ACI marketplace so users can share their ACI applications and blueprints.
Why do Cisco leaders believe that ACI will win the SDDC market? Because it is application-centric and introduces operational simplicity. Did I mention automation?
Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.
Radware’s Pascal Geenens walks us through 10 questions regarding the cyber security threat landscape, trends in the Darknet, motivations for attacks, and much more.
Education, freedom and knowledge. These are the pillars of higher learning, but they have often been used to describe some open source projects and services that have the potential to be abused by those who are not so innocent. Over the last two years, tools like stressers, Remote Administration Tools (RATs) and ransomware have been published under these pretenses, but do they serve a legitimate purpose? These projects have set off an international debate in the information security community, and many wonder whether they should be available to the public. Often the justification for these projects is that they intend to show the potential risks so they can be used to prevent infections or reduce potential damage. With stressers, the operators claim that the services are to be used to improve and test security products and to understand attack behavior targeting their network. But are they?
It has long been known that if you want to participate in the Darknet marketplaces, you’ll need to exchange your money for Bitcoin. Bitcoin was created by someone using the alias Satoshi Nakamoto in 2008 as an anonymous and decentralized currency. We’ve written in the past about how to buy Bitcoin. Today, for various reasons, we are seeing it become mainstream.
Ransom attacks on companies are becoming big business. Many businesses say they will not pay, but when attacked, they find that they do. But how do they pay? Bitcoin. Just like holding insurance policies, companies are now investing in keeping Bitcoin on hand for business continuity against DDoS attacks as well as CryptoLocker malware and data extortion attacks.