
TABLE OF CONTENTS

01 Executive Summary • Top Level Findings • Threat Landscape Trends

02 Methodology and Sources • Information Security Industry Survey • Radware Emergency Response Team Cases

03 Threat Landscape • Anatomy of a Hacker: Profiles, Motivations & Tools of the Trade • Business Concerns of Cyber-Attacks • Cyber-Attack Ring of Fire • Attack Vector Landscape

04 Emerging Perils • The Bottom Line: The Rise of Cyber Ransom • Friend Turned Enemy: SSL-Based Cyber-Attacks • of Threats: IoT and the Economics of DDoS Protection • Evolve and Adapt: Why DevOps is Raising the Bar for Security Solutions

05 Third-Party Viewpoints • From the Corner Office: Views from a Chief Information Security Officer • From the Frontlines: How a Multinational Bank Handled a Ransom Threat and SSL-Based Attack • See Through the DDoS Smokescreen to Protect Sensitive Data • Adaptive Security: Changing Threats Require a New Security Paradigm

06 Building a Cyber-Resilient Business • Calculating the Cost of a Cyber-Attack • Planning a Cyber Security Strategy

07 Cyber Security Predictions • Radware’s Cyber Security Prediction Report Card • What’s on the Horizon – Four Predictions for 2017

08 Respondent Profile

09 Credits • Authors • Advisory Board

01 EXECUTIVE SUMMARY

What do cyber-attacks have in common with hurricanes, tornados and earthquakes? All are realities in our world. No matter how common or uncommon they may be, failing to prepare for any of them will lead to costs that could be unbearable—or worse.

Radware’s annual Global Application & Network Security Report is designed for the entire security community and will help in understanding the following:

• The threat landscape: who the attackers are, their motives and tools
• Potential impact on your business, including associated costs of different cyber-attacks
• How your preparedness level compares to other organizations
• Experiences of organizations in your industry
• Emerging threats and how to protect against them
• Predictions for 2017

In addition to outlining the findings and analysis of our 2016 security industry survey, this report reflects our Emergency Response Team’s (ERT) in-the-trenches experiences fighting cyber-attacks and offers advice for organizations planning for cyber-attack protection in 2017. It also incorporates perspectives of third-party service providers. This report offers a detailed review of:

• Known and common attacks of the past year (that is, what most people are attempting to secure against)
• Known and uncommon attacks (that is, what top-performing organizations attempt to address: security incidents akin to the natural disasters cited above)
• Unknown attack forecast (that is, what has yet to demonstrate itself with evidence but is VERY “forecastable”)

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

Top-Level Findings

98% of Organizations Experienced Attacks in 2016
Analysis: Cyber-attacks became a way of life for nearly every organization in 2016. This trend will continue in 2017.

IoT Botnets Open the 1TBps Floodgates
Analysis: This exemplifies why preparing for “common” attacks is no longer enough. This event introduced sophisticated vectors, such as GRE floods and DNS water torture.

Non-Volumetric DoS: Alive and Kicking
Despite astonishing volumes, neither the number of victims nor the frequency of attacks has grown. Most non-volumetric DDoS attacks are relatively low in volume, with 70% below 100Mbps. Rate-based security solutions continue to fall short, requiring companies to rethink their security strategy and embrace more sophisticated solutions. Without those upgrades, there is a good chance an organization will experience service degradation yet lack visibility into it.

Cyber-Ransom Proves Easiest, Most Lucrative Tool for Cybercriminals
Analysis: Almost all ransom events have a different attack vector, technique or angle. There are hundreds of encrypting types, many of which were developed and discovered this year as part of the hype. Also, DDoS-for-ransom groups are professionals who leverage a set of network and application attacks to demonstrate their intentions and power.

Increased Attacks Against Governmental Institutions
2016 brought a new level of politically affiliated cyber protests. While the U.S. presidential election was in the spotlight, the media reported on a different incident almost weekly. These incidents happened across the globe, with regimes suffering from cyber-attacks due to alleged corruption or perceived injustices.

SSL-Based Attacks Continue to Grow
Although 39% report suffering an SSL-based attack, only 25% confidently state they can mitigate it.

Cyber-Attacks Cost Almost Twice What You May Think
Analysis: Most companies have not come up with a precise calculation of the losses associated with a cyber-attack. Those who have quantified their losses report damage nearly double the amount estimated by those who have not.

DDoS Attacks Are Becoming Shorter
Burst attacks are increasing thanks to their effectiveness against most mitigation solutions.

Stateful Devices: #1 Point of Failure
Analysis: Common IT devices, including firewalls, application delivery controllers and intrusion protection systems, now represent the greatest risk for an outage. Consequently, they require a dedicated attack-mitigation solution to protect them.

Uncrossed Chasm? Security Strategy Evolves More Slowly Than It Should
While hackers continue to develop new attack tools and techniques, 40% of organizations do not have an incident response plan in place. Seventy percent do not have cyber-insurance. And despite the prevalence of ransom attacks, only 7% keep Bitcoin on hand. What’s more, 75% of companies do not employ hackers in their security teams, and 43% say they could not cope with an attack campaign lasting more than 24 hours.

Threat Landscape Trends

Data Leakage + SLA Impact Are Top Concerns
Data leakage and service level impact often come together, with a DDoS attack serving as a smokescreen that distracts IT teams so data can be exfiltrated.

Mirai Rewrites the Rules
As the first open-source IoT botnet, Mirai is changing the rules of real-time mitigation and makes security automation a must. It isn’t just that IoT botnets can facilitate sophisticated L7 attack launches in high volumes. The fact that Mirai is open-source means hackers can potentially mutate and customize it, resulting in an untold variety of new attack tools that can be detected only through intelligent automation.

Threats never stand still. Neither can you.

Radware encourages you to use our findings and analysis as you design security strategies against cyber-attacks and work to reduce the costs associated with them. Apply these insights to understand the real and meaningful changes that have occurred to the threat landscape, to explore potential changes to your investments in protection strategies, and to look ahead to how possible threats may evolve into real attacks.

02 METHODOLOGY AND SOURCES

Combining statistical research and frontline experience, this report identifies trends that can help educate the security community. It draws information from the following sources:

Information Security Industry Survey

The quantitative data source is an industry-wide survey conducted by Radware. This year’s survey had 598 individual respondents representing a wide variety of organizations around the world. The study builds on prior years’ research, collecting vendor-neutral information about issues that organizations faced while planning for and combating cyber-attacks.

On average, responding organizations have annual revenue of USD $1.9 billion and about 3,000 employees. Ten percent are large organizations with at least USD $5 billion in annual revenue. Respondents represent more than 12 industries, with the largest number coming from the following: professional services and consulting (15%), high tech products and services (15%), banking and financial services (12%) and education (9%). The survey provides global coverage, with 44% of respondents from North America, 26% from Europe and 20% from Asia. Additionally, 44% of the organizations conduct business worldwide.

Radware Emergency Response Team Case Studies

Radware’s Emergency Response Team (ERT) is composed of dedicated security consultants who actively monitor and mitigate attacks in real time. The ERT provides 24x7 security services for customers facing cyber-attacks or malware outbreaks. As literal “first responders” to cyber-attacks, ERT members have successfully dealt with some of the industry’s most notable hacking episodes. This team provides knowledge and expertise to mitigate the kinds of attacks that an in-house security team may never have handled. Throughout the report, ERT members highlight how these front-line experiences fighting cyber-attacks provide deeper forensic analysis than surveys alone or academic research.

03 THREAT LANDSCAPE

Anatomy of a Hacker: Profiles, Motivations & Tools of the Trade

Hacking used to require a distinct set of skills and capabilities. These days, attack services are bought and sold via marketplaces on the Clearnet and Darknet, a phenomenon that is closing the gap between skilled and amateur hackers and fueling an exponential increase in threats.

Thanks to the growing array of online marketplaces, it’s now possible to wreak havoc even if you know virtually nothing about computer programming or networks. As attack tools and services become increasingly easy to access, the pool of possible attackers, and of possible targets, is larger than ever. While many hacktivists still prefer to enlist their own digital “armies,” some are discovering that it’s faster and easier to pay for DDoS-as-a-Service than to recruit members or build their own botnet. Highly skilled, financially motivated hackers can be invaluable resources to hacktivists seeking to take down a target.

By commoditizing hacktivist activities, hacking marketplaces have also kicked off a dangerous business trend. Vendors are now researching new methods of attack and incorporating more efficient and powerful vectors into their offerings. Already some of the marketplaces offer a rating system so users can provide feedback on the tools. Ultimately, this new economic system will reach a steady state—with quality and expertise rewarded with a premium.

Profiles in Hacking: Who’s Participating in Today’s Hacking Community?

Consumers
This is the largest segment, and the one driving the rapid growth of attack marketplaces. These are low- or non-skilled hacktivists who pay to participate in an operation. Without the knowhow for do-it-yourself campaigns, they spend $20 to $200 per month on attack services that give them access to an easy-to-use attack portal.

Hackers
These are the hackers who have the wherewithal to carry out their own attacks and spearhead hacktivist operations. They have a good enough understanding of networking and programming to write their own attack programs, as well as build their attack platforms by exploiting cloud and trusted services. Given their skills, hackers are not constrained by an attack time limit or power. Consequently, they are capable of launching sustained, long-term attacks against their targets, sometimes at very high volumes.

Vendors
This segment is home to hackers who have realized they can generate a great profit by providing attack services to consumers. As in any economic system, higher quality or sophistication yields greater returns and forces improvement. Some vendors are selling enough services to generate more than $100,000 a year. AppleJ4ck, the vendor behind vDoS, the DDoS-for-hire service1, allegedly made $600,000 in just two years before being arrested.

What Motivates Hacking?

In previous reports, Radware has used Richard Clarke’s acronym C.H.E.W. (Crime, Hacktivism, Espionage, Warfare) to categorize the origins of cyber risk. Now we introduce P.E.D. (Profit, Evasion, Disruption) as an acronym for the three core motivations reflecting the evolution of the hacker community:

Profit
Not surprisingly, money is the primary motivation in the attack marketplace. Those who want to commit a crime, but don’t know how to execute it, will always pay someone to do it for them. And with demand outpacing supply, this is one crime that pays. Stressers (services orchestrating the generation of massive amounts of traffic) are known to bring in more than $100,000 a year. Vendors offering application exploits can generate thousands of dollars from selling one exploit on the Darknet.

Evasion
The ability to evade detection is one of the most important capabilities a vendor offers to his or her business and clients. Vendors are highly motivated to stay on top of the market. After all, detection or mitigation of their services will cost them customers and profits. Thus, vendors continually research and discover new attack methods to help their clients bypass mitigation techniques and take down their targets undetected.

Disruption
This represents one of the primary motivators for hacktivist groups. Hacktivists are motivated to disrupt their target’s operations and/or reputation; vendors thrive by investing in researching and discovering new attack vectors. A vendor offering the most disruptive power for the lowest price will stand to do more business than his or her competition.

1 http://www.newsbtc.com/2016/09/18/professional-ddos-service-vdos-offline-two-arrested/

Tools of the Trade

The 2016 toolkit has been passed around a number of operations. It provides attack tools with a simple, easy-to-use graphical user interface (GUI). Using these tools requires little knowledge, as they are often accompanied by instruction videos posted to YouTube.

Tools in the 2016 toolkit:
• Anonymous DoSer
• Anonymous Ping Attack
• BlackOut
• BlackBurn
• ByteDoS
• FireFlood
• Generic DDoS
• GoodBye
• HOIC
• LOIC
• XOIC
• Pringle DDoS
• rDoS
• Unknown DoSer

Most tools offer basic TCP, UDP and HTTP attack vectors with slight variations. Some enable the attacker to customize options in the tools, including packet size, randomized data, threads and sockets per thread. While low-and-slow attacks are not prevalent in the popular 2016 toolkits, HTTP attacks are a popular vector. When an operation is underway, hackers can easily bypass mitigation solutions and overwhelm server resources with simple POST/GET floods that appear to be legitimate traffic.

Attacks as a Service

Denial of service (DoS) attacks have come a long way since the days of LOIC and other GUI-based tools. Today, hackers are abandoning “old school” GUI and script tools and opting to pay for attacks via stresser services. They no longer need to acquire technical expertise or tools; instead, they can simply engage attack services to carry out an attack on their behalf.

Many notorious DDoS groups, including New World Hackers and PoodleCorp, have entered the DDoS-as-a-Service business, monetizing their capabilities in peacetime by renting out their powerful stresser services. Groups sometimes use their tools against high-profile targets to showcase and promote their attack services. As the barrier to entry continues to fall, novice attackers can carry out larger, more sophisticated assaults. For just $19.99 a month, an attacker can run 20-minute bursts for 30 days using a number of attack vectors, such as DNS, SNMP and SSYN, and slow GET/POST application-layer DoS attacks.
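The GET/POST floods described above succeed because every request looks legitimate and the aggregate bandwidth stays small; the Top-Level Findings make the same point about non-volumetric attacks below 100Mbps slipping past rate-based solutions. The following Python script is an added illustration written for this edit, not code from the report or from Radware. It parses constructed web-server access-log lines and compares a bits-per-second check, of the kind a rate-based network device applies, with per-source and aggregate request-rate checks at the application layer. The log lines, IP addresses, window size and thresholds are all assumptions made for the example.

```python
"""Sliding-window flood detection over web access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "bytes": int(m["bytes"]),
    }


class FloodDetector:
    """Three checks over one sliding window (thresholds are assumptions):
    volumetric - bits/s over all sources, what a rate-based device measures
    l7_source  - requests per source IP, catches a single noisy client
    l7_total   - requests over all sources, catches a flood spread across bots
    """

    def __init__(self, window_s=10, max_req_per_src=50, max_req_total=300, max_mbps=100.0):
        self.window = timedelta(seconds=window_s)
        self.max_req_per_src = max_req_per_src
        self.max_req_total = max_req_total
        self.max_mbps = max_mbps
        self.per_src = defaultdict(deque)  # ip -> timestamps inside the window
        self.all_events = deque()          # (timestamp, bytes) inside the window
        self.peak_mbps = 0.0

    def _trim(self, q, now, key=lambda item: item):
        # Drop entries older than the window; events must arrive in time order.
        while q and now - key(q[0]) > self.window:
            q.popleft()

    def observe(self, ev):
        """Feed one parsed event; return the list of alerts it triggers."""
        now = ev["ts"]
        src_q = self.per_src[ev["ip"]]
        src_q.append(now)
        self._trim(src_q, now)
        self.all_events.append((now, ev["bytes"]))
        self._trim(self.all_events, now, key=lambda item: item[0])

        mbps = sum(b for _, b in self.all_events) * 8 / self.window.total_seconds() / 1e6
        self.peak_mbps = max(self.peak_mbps, mbps)

        alerts = []
        if mbps > self.max_mbps:
            alerts.append(("volumetric", "*", round(mbps, 2)))
        if len(src_q) > self.max_req_per_src:
            alerts.append(("l7_source", ev["ip"], len(src_q)))
        if len(self.all_events) > self.max_req_total:
            alerts.append(("l7_total", "*", len(self.all_events)))
        return alerts


def sample_log():
    """Constructed sample (not real traffic): four legitimate clients fetching a
    page every 2 s, plus one source sending 40 small GET/POST requests per
    second for 10 s. The burst is about 0.2 Mbps, far below any pipe threshold."""
    t0 = datetime(2016, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for sec in range(20):
        if sec % 2 == 0:
            for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"):
                events.append((t0 + timedelta(seconds=sec), ip, "GET", "/index.html", 2048))
        if 5 <= sec < 15:
            for n in range(40):
                method = "POST" if n % 2 else "GET"
                events.append((t0 + timedelta(seconds=sec), "203.0.113.7", method, "/login", 512))
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 {size}'
    return [fmt.format(ip=ip, ts=ts.strftime("%d/%b/%Y:%H:%M:%S %z"), method=m, path=p, size=b)
            for ts, ip, m, p, b in events]


def analyze(lines):
    """Run the detector over log lines (already in time order). Returns the
    first value seen for each (alert kind, source) and the peak bandwidth."""
    det = FloodDetector()
    first_alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        for kind, src, value in det.observe(ev):
            first_alerts.setdefault((kind, src), value)
    return {"alerts": first_alerts, "peak_mbps": det.peak_mbps}


if __name__ == "__main__":
    result = analyze(sample_log())
    print("peak bandwidth in window: %.3f Mbps" % result["peak_mbps"])
    for (kind, src), value in sorted(result["alerts"].items()):
        print("%-10s %-15s %s" % (kind, src, value))
```

In the constructed sample the attacking source never pushes the window above roughly 0.2 Mbps, so the volumetric check stays silent while both request-rate checks fire. A real stresser spreads a burst over many sources, which is why the aggregate check (and, in practice, a per-URL or behavioral baseline) matters more than the per-source one; the thresholds here would have to be derived from the site’s own normal traffic rather than taken as given.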

A prime example of DDoS-as-a-Service is Shenron, the second-generation stresser service from Lizard Squad. Shenron prices used to range from $19.99 to $999.99 a month for access to the attack network. Each package includes a specific attack time, ranging from 20 minutes to five hours. Shenron claims its network can launch attacks of up to 500Gbps. It offers customers different attack vectors, including two UDP attacks, DNS and SNMP, along with a TCP attack method (SSYN).

Business Concerns of Cyber-Attacks

What are the motivations behind cyber-attacks? What kinds of solutions are being used to mitigate such incidents and their impact on a business? What are organizations doing to better prepare for future attacks? Radware surveyed security leaders to understand the business concerns associated with cyber-attacks. Almost 600 businesses shared their perception of the contemporary cyber security state of the union, expressing their experiences, expectations, fears and predictions.

Gathering the valuable feedback, Radware has identified areas of excellence, areas that require improvement and advice for how organizations can better protect their business operations.

Concerns

Attack Motivations

The year 2016 saw an explosive rise in extortion threats, which eclipsed most other types of cyber-attacks. Fifty-six percent of organizations reported being the victim of a cyber-ransom attack, and 41% of organizations mark ransom as the greatest cyber threat facing their organization (versus 25% in 2015).

4 out of 5 businesses were impacted by a cyber-attack.

In 2015, 50% claimed not to know the motivation behind cyber-attacks, versus 2016 when 89% could actually tell what is behind the attacks they experienced. This is a significant improvement that implies that security practitioners are dedicating more resources to visibility and investigation. Understanding is a good start to planning a security strategy.

The primary motivations, political/hacktivism and competition, have remained consistent in recent years. For the fifth consecutive year, political hacktivism holds the second spot in the survey, accounting for 27% of known attack motivations, with competition retaining the number four position at 26%. Two new threats introduced this year are insider threats and cyberwar (state-sponsored cyber-attacks, as well as attacks organizations suffer as a result of geopolitical tensions). Both are a main concern in the Asia-Pacific region, where one out of three indicate cyberwar and two out of five indicate an insider threat as a possible motivation to launch an attack against them.

Figure 1: Which motives are behind any cyber-attacks your organization experienced? (bars, left to right: Ransom, Insider Threat, Political, Competition, Cyberwar, Angry User, No Attacks, Motive Unknown; values as extracted: 41%, 27%, 26%, 26%, 24%, 21%, 20%, 11%)

Attack Impact

Most often the impact on an organization’s infrastructure from a cyber-attack is service degradation, mentioned by 57% of the participants. In today’s interconnected, digital era, service degradation can negatively impact the end-user experience, followed by lower conversion rates, lower brand equity and significant financial losses. Fewer reported a complete outage due to a cyber-attack, and one in five said that attacks had no impact on their infrastructure.

Figure 2: Typically, what is the impact of a cyber-attack on your infrastructure?
  Service Degradation ... 57%
  No Impact ............. 22%
  Outage ................ 15%
  Other .................  5%

Weakness Against DDoS Attacks

More than one-fourth feel vulnerable to attacks on volumetric/pipe saturation, network attacks and DNS attacks, similar to 2015.

Figure 3: Where, if at all, do you think you have a weakness against DDoS attacks? (2015 / 2016)
  Volumetric/Pipe Saturation ..... 33% / 28%
  Network Attacks ................ 27% / 28%
  DNS Attacks .................... 23% / 27%
  HTTPS/SSL Attacks .............. 26% / 23%
  Don’t Know/Not Sure ............ 22% / 23%
  Prolonged Attack Campaigns ..... 21% / 23%
  HTTP Attacks ................... 19% / 22%
  Low-and-Slow ................... 20% / 17%
  None ...........................  -  /  8%

Organizational Approach to Tradeoffs

Organizations today are required to make tradeoffs between protecting assets and providing a smooth, blocking-free experience to customers. With a mean of 4.8 on a 10-point scale, it appears that organizations have a balanced approach between maintaining a strong security posture/policy and avoiding false positives, which usually result in blocking legitimate customers. The mean is higher for companies with fewer than 10,000 employees.

Figure 4: On a scale of 1-10, what is your organizational approach to the tradeoff between avoiding false positives (i.e. blocking legitimate users) and maintaining a strong security policy to prevent data breaches? (1 = maintaining strong security at all costs, 10 = avoiding false positives at all costs)
  1: 10%   2: 7%   3: 12%   4: 14%   5: 23%   6: 11%   7: 10%   8: 8%   9: 3%   10: 3%

Experiences: Frequency

Approximately one-quarter of respondents experienced attacks on a daily or weekly basis in the last year, but a similar number experienced attacks only once or twice a year. Those in banking/financial services have experienced more daily/weekly attacks than those in most other verticals. Government and civil service institutions seem to be suffering the most, with 46% being attacked on a daily or weekly basis. One out of four reported daily attacks, twice the worldwide average.

1 out of 7 businesses fight cyber-attacks on a daily basis.

Attack Types

Radware also inquired about the types of cyber-attacks that organizations experienced in 2016. Malware and bots were cited as the #1 attack vector organizations faced in 2016, as they come in various forms and can fulfill different missions. One out of three reported being subjected to a DDoS attack. A significant proportion also reported incidents with phishing (39%, a decline compared to 57% in 2015). The more significant finding: only 2% of respondents did not experience any form of these attacks. In other words, 98% of organizations were hit by cyber-attacks in the past year, underscoring that there is simply no escaping these threats.

Figure 5: What type of attack have you experienced?
  Malware & Bots ................................ 50%
  Socially Engineered Threats (Phishing, Fraud) . 39%
  DDoS .......................................... 34%
  Web Application Attacks ....................... 31%
  Ransomware .................................... 30%
  Advanced Persistent Threat .................... 16%
  None of the Above .............................  2%

Duration Almost half of survey participants said that, on average, security threats lasted up to three hours. Attacks lasting longer than a week declined in 2016—continuing the trend from 2015, when perpetrators began to use shorter burst attacks and to do so repetitively.

Figure 6: What is the average security threat duration your organization experienced? (2014, 2015 and 2016 series; categories: Up to 3 hours, 3 hours to 12 hours, Up to 1 day, 1 day up to 1 week, 1 week up to 1 month, Over a month)

When looking at maximum (versus average) duration, 10% of respondents suffered attack campaigns that lasted longer than a month.

Figure 7: What is the maximum security threat duration your organization experienced? (2014, 2015 and 2016 series; categories: Up to 3 hours, 3 hours to 12 hours, Up to 1 day, 1 day up to 1 week, 1 week up to 1 month, Over a month)

Preparedness

When asked if their organization is prepared to fight cyber-attacks, respondents indicated that there are still many attack vectors they’re not ready to fight. While two-thirds of the respondents feel they are extremely/very well prepared to safeguard against malware, such as worms and viruses, and more than half (55%) feel prepared for DDoS and Web application attacks, the majority of organizations doubt their ability to fight off advanced persistent threats (APT), ransom attacks and social engineering.

Overall, preparedness has remained consistent compared to 2015.

Figure 8: How prepared is your organization to safeguard itself from the following cyber-attacks?
  Attack type | Extremely well prepared | Very well prepared | Somewhat prepared | Not very prepared | Not prepared at all
  Malware (Worms, Viruses) | 20% | 46% | 29% | 4% | 2%
  DDoS | 16% | 39% | 28% | 12% | 6%
  Web Application Attacks | 14% | 41% | 31% | 10% | 4%
  Socially Engineered Threats (Phishing, Fraud) | 12% | 37% | 35% | 12% | 4%
  Ransomware | 12% | 35% | 36% | 12% | 5%
  Advanced Persistent Threat | 11% | 32% | 35% | 16% | 6%

Preparedness Across Regions Overall, North American respondents feel more confident concerning cyber-threats, with significant differences compared to Europe and APAC when it comes to DDoS or APTs.

Figure 9: Preparedness (extremely/very well prepared) to face different types of cyber threats by region (North America, Europe, APAC). Totals across all regions: Malware (Worms, Viruses) 66%, DDoS 55%, Web Application Attacks 55%, Socially Engineered Threats (Phishing, Fraud) 49%, Ransomware 47%, Advanced Persistent Threat 43%.

Preparedness Across Business Sectors With the lowest score in each category, education is the most vulnerable vertical. Technology companies are the leaders, adopting the right security controls and policies to counter different threats. Surprisingly, more than 40% of financial services institutions are still exposed to various cyber-threats.

Figure 10: Preparedness (extremely/very well prepared) to face different types of cyber threats by industry/vertical
  Attack type | Total | High Tech Products & Services | Prof. Services & Consulting | Media | Retail/Wholesale/Online | Govt./Civil Service | Banking & Financial Services | Education
  Malware & Bots (Worms, Viruses, Spam) | 66% | 78% | 74% | 70% | 68% | 63% | 58% | 50%
  Distributed Denial of Service (DDoS) | 55% | 56% | 53% | 61% | 46% | 59% | 51% | 43%
  Web Application Attacks (SQLi, XSS, Defacement) | 55% | 59% | 54% | 58% | 59% | 59% | 57% | 37%
  Social Engineering (Phishing, Fraud) | 49% | 51% | 56% | 58% | 46% | 54% | 47% | 28%
  Ransomware | 47% | 56% | 48% | 52% | 49% | 37% | 51% | 20%
  Advanced Persistent Threat | 43% | 54% | 46% | 52% | 43% | 39% | 38% | 28%

Radware asked respondents how long they can effectively cope with a cyber-attack campaign. Fifty-seven percent can withstand an attack for up to 24 hours. In other words, two out of five companies cannot defend themselves against longer campaigns.

Figure 11: How long can you effectively fight a round-the-clock attack campaign?
  Up to 3 hours ............ 22%
  3 hours to 12 hours ...... 16%
  Up to 1 day .............. 19%
  1 day up to 1 week ....... 17%
  1 week up to 1 month ..... 18%
  Over a month .............  7%

Obstacles

With such a diverse threat landscape, it’s no wonder many organizations still admit they may not be properly prepared to face certain attack vectors. Radware inquired about the cause of this deficiency and discovered that one-fourth of security experts said their biggest obstacle was not enough manpower, and a similar percentage (one-fifth) point at insufficient budgets or a lack of expertise.

Figure 12: What is your major obstacle when it comes to countering cyber-attacks?
  Too Little Manpower ................. 27%
  Missing Budgets ..................... 20%
  Lack of Expertise ................... 20%
  Unsuitable/Outdated Technologies .... 17%
  Lack of C-Level Awareness ........... 12%
  Other ...............................  2%
  Don’t Know/None .....................  2%

Hybrid Protection for Denial-of-Service Attacks

Seventy-eight percent use some type of DDoS protection solution, leaving 22% of organizations relying solely on firewalls/next-generation firewalls for security. 41% indicate their company uses a combination of on-premise DDoS protection with a cloud-based DDoS protection service (such as an always-on cloud-based service, an on-demand cloud-based service, a CDN solution, or an ISP-based or clean link service).

Consistent with results from the past three years, half of respondents currently use a premise-based DDoS protection solution to guard against cyber-attacks. Seventy-five percent are managing it internally. Two out of five are using a cloud-based solution, a clean link service or CDN-based DDoS/filtering.

The results underscore the reality that the larger the company, the greater the likelihood to use multiple solutions.

Figure 13: Which solutions does your organization use against cyber-attacks?
  Solution | Currently Using | Planning to Add | Neither
  Premise-based DDoS Protection | 50% | 23% | 28%
  ISP or Clean Link Service | 40% | 21% | 39%
  CDN based DDoS/Filtering | 39% | 25% | 37%
  Always-on Cloud Based Service | 31% | 26% | 43%
  On-demand Cloud Based Service | 30% | 27% | 43%

Solutions for Application Security

More than 90% of businesses employ a solution to secure Web applications. The most frequently cited solutions being used for application security: on-premise Web application firewalls (66%) and security tests, such as penetration testing and DAST/SAST (54%). In addition, WAF is becoming increasingly popular, with three-quarters indicating they use a WAF (cloud, on-premise or both). That marks 20% year-over-year growth, as just 63% were using a WAF in 2015. Only one out of five use hybrid WAF protection for application security.

Figure 14: Which solution does your organization use for application security?
  On-premise Web Application Firewall ........... 66%
  Security Tests ................................ 54%
  Secure Coding Tech & Code Scanning ............ 35%
  Cloud-based Web Application Firewall .......... 28%
  Run-time Application Self Protection (RASP) ... 23%
  Other .........................................  8%
  None ..........................................  3%

Looking Ahead Compared to 2016, the cyber security community seems more pessimistic about what to expect in 2017. Nineteen percent of respondents expect a 30% increase in the number of attacks in 2017. That’s almost 50% growth compared to the 13% who expected an increase in attacks in 2016.

Figure 15: What percent do you anticipate the number of cyber-attacks to increase over the next 12 months? (2014, 2015 and 2016 series; buckets: Less than 5%, 5-9%, 10-19%, 20-29%, 30-39%, 40-49%, 50% or more)

2016 underscores the conflict businesses face when being forced to fight on two fronts simultaneously. While the right hand is protecting sensitive data, the left hand must maintain service availability at all times, mitigating threats at the perimeter.

Cyber-Attack Ring of Fire

The Cyber-Attack Ring of Fire maps vertical markets based on the likelihood that organizations in these sectors will experience cyber-attacks. The Ring of Fire reflects five risk levels. As sectors move closer to the red center, such organizations are more likely to experience denial-of-service and other cyber-related attacks at a higher frequency than the others.

Mitigation calculations should move in lockstep with risk level. When this does not happen, the likelihood of a cyber-attack resulting in a network outage or service degradation increases. Organizations in the verticals marked with a red arrow are wise to take swift action, adjusting cyber-attack detection and mitigation strategies to address the new risk level from threat actors.

There have been changes to the Ring of Fire since last year. Telecom, government institutions and gaming companies stay at the center of likelihood while the financial services industry has moved toward the center. Retail, education and healthcare industries remain stable, but technology companies are actually moving away from the center. Energy and utility companies remain in the low risk level due to tighter security.

In addition to industry, company size can be a predictor of likelihood to be attacked. The larger the business, the greater the chance. Indeed, organizations with more than $1 billion in revenue or 10,000 employees experienced TCP and UDP floods on a daily or weekly basis.

Figure 16: Cyber-Attack Ring of Fire (2016 position and change from 2015). Rings: low, medium and high likelihood. Sectors plotted: Technology Companies, Service Providers, Education, Health, Government, Gaming, Financial, Retail, Energy & Utility.

Frequency       Total   Pro Svcs  High Tech  Finance  Edu   Gov't  Retail  Telecom
Daily/Weekly    28%     13%       18%        28%      26%   46%    19%     24%
  Daily         14%     5%        12%        14%      15%   27%    14%     15%
  Weekly        13%     8%        5%         15%      11%   20%    5%      9%
Monthly         17%     14%       24%        16%      20%   12%    19%     12%
1-2 a Year      28%     34%       25%        28%      31%   24%    27%     45%
Never           13%     21%       16%        14%      4%    12%    19%     9%
Unknown         14%     18%       16%        14%      19%   5%     16%     9%

Verticals: Pro Svcs = Professional Services & Consulting; High Tech = High Tech Products & Services; Finance = Banking & Financial Services; Edu = Education; Gov't = Government/Civil Service; Retail = Retail/Wholesale/Online; Telecom = Media/Telecom.

Figure 17: How often have you experienced cyber-attacks in the past 12 months?

Industries at High Likelihood for Attacks

Financial Services

The financial services industry suffered 44 million cyber-attacks in 2016, making it the most targeted industry. It was threatened by a number of factors, including:

• Complex attacks from abroad, usually generated by hacktivists
• Third-party security challenges, such as application exploits
• Mobile and connected devices (IoT)

In 2016, Anonymous launched OpIcarus. What started as a simple protest against the Bank of England and the New York Stock Exchange quickly escalated into a full-fledged, multi-phase DDoS operation targeting the International Monetary Fund, central banks and global stock exchanges. In parallel, numerous Bitcoin marketplaces, such as Bitfinex, DAO and Ethereum, came under attack. Bitfinex, a Bitcoin exchange company, lost $70 million in one day due to a security breach of multiple wallets. There was also the SWIFT vulnerability that resulted in an $81 million heist from the Central Bank of Bangladesh. This success encouraged the perpetrators to repeat the attack, reportedly capturing close to $1 billion.

Government & Civil Service

In 2016, government services were targeted by various threats, including hacktivism, terrorism and state-sponsored attacks. Attacks on government sites are not always politically motivated; many are launched to help attackers gain notoriety and/or publicly shame the government, government officials, state and local offices and individuals.

Anonymous operations like OpKillingBay often target government sites hoping to attract their attention and force them to enact a ban against the fishing season. Other operations, such as OpRight2rest, OpGaston, and OpLGBT, are also launched directly at the government, government officials, state and local offices and individuals as a reaction to a political event or ruling. These attacks can quickly escalate to target not only government but also the families of government employees, thereby crossing the line and making their involvement a controversial action.

The presidential election served as fodder for a number of attacks targeting presidential candidates and business holdings outside of the election. Both Republican and Democratic candidates were the targets of a number of DDoS attacks. These attacks originate not only with hacktivists and protesters but can also be the result of alleged activity by foreign states. In addition to the United States presidential election, the Philippines Election Commission was breached this year over the integrity of the election and the electronic voting systems. The group Lulzsec Pilipinas hacked and dumped the voter database. Another notorious incident was the series of attacks taking down the Australian census website [2].

Service Providers – ISP, Cloud, Colocation, Hosting

Internet Service Providers (ISPs) find themselves not only the primary but also the secondary targets of massive DoS campaigns. The aim: partial or full disruption of the target’s online business operations. Attackers tend to target companies directly with network and application floods. However, when the volume exceeds the infrastructure capacity, they begin to create trouble for the “neighborhood” as the network pipes become saturated. In other cases, when mitigation is in place, attackers will target the upstream provider in an attempt to block legitimate traffic from reaching the targeted destination.

In 2016, several high-volume attacks targeted the gaming industry and directly and indirectly impacted ISPs. Some of these attacks were so large that they did not make it to the target destination, as the pipes became too small. Thus, if there was no scrubbing mechanism, the saturation resulted in a complete network outage. In addition, in 2016 many ISPs were subject to a phony DDoS-for-ransom campaign perpetrated by fake cyber-ransom groups portraying themselves as notorious DDoS groups like Armada Collective, Lizard Squad and New World Hackers.

Web and cloud service providers faced an increased likelihood of being attacked compared to 2015, and are now the target of a global cyber-campaign that has stricken several Web and cloud hosting companies. Since the beginning of February 2016, an ongoing cyber-assault has targeted hosting providers across the UK; it was later expanded to include similar companies in various countries. These hosting providers suffered long-term outages affecting the business operations of their enterprise customers. They also suffered major reputation damage—even though some of these attacks were related to their clients’ controversial content or websites.

[2] Australian census attacked by hackers

Gaming

For the gaming industry, large-scale DDoS attacks resulting in network outages and service degradation have become everyday occurrences. The main motivation is simply the thrill of disrupting game play and tournaments. A secondary driver: trolling crucial moments when gamers are trying to take advantage of game specials and bonus points. When attackers cripple the network during these events, users become very angry and often take to social media to smear the company. Consequently, companies suffer an immediate impact on brand equity. Meanwhile, if the attack does not reach the target, it often takes down the upstream provider—resulting in widespread outages.

Attackers mainly target servers to prevent users from logging into the game, or upstream providers to prevent gameplay itself. Attackers are using a wide variety of tools, such as DDoS-as-a-Service or their own custom botnets like Mirai. For as little as $19.99 a month, an attacker can run 20-minute burst attacks for 30 days. Using these tools, attackers gain access to powerful vectors like DNS, SNMP, SSYN and GET/POST application-layer floods.

Industries at Medium Likelihood for Attacks

Retail

When a retailer comes under DDoS attack, the result is immediate revenue loss since the outage prevents customers from purchasing items. In Switzerland this year, the websites of Swiss Federal Railway (SBB) and two of the country’s largest retailers, Coop and Migros, were taken down, preventing customers from accessing them. These DDoS attacks on retailers are often a smokescreen (see the chapter: Through the DDoS Smokescreen to Protect Sensitive Data) for more sinister acts like DDoS for ransom or large-scale data breaches targeting payment systems. In the Swiss incidents, no data was affected. However, attackers will often look for large corporations with massive quantities of data and payment information and then use a denial-of-service attack to distract security systems so they can infiltrate the network and steal personal information.

Health

The value of medical records in the dark market now exceeds the value of credit card information. Consequently, the healthcare industry found itself at the center of cyber-attacks—putting at risk not only patient data but also the credibility of the system and the Health Insurance Portability and Accountability Act (HIPAA). Several data leakage incidents have been reported, many caused by an actor named “The Dark Overlord,” who published hospital databases on the Darknet. In parallel, Anonymous hacked into the database of multiple Turkish hospitals and medical institutions, allegedly in retaliation for a series of attacks on U.S. hospitals in the form of ransomware earlier this year. The most famous was the one against Hollywood Hospital, which ended up paying $17,000 in ransom in 2016. Ransomware has proven very profitable for cybercriminals, especially when it encrypts medical records needed in real time.

Education

This year the educational system came under fire as vendors on the Darknet began offering school hacking services. In 2016, 444 school networks in Japan went offline as a result of a massive cyber-attack. Hacking services found on the Darknet make it increasingly easy for non-hackers to carry out an attack or cause damage to a school’s resources. In addition, a potential attacker can rent a botnet or a stresser service for as little as $20 in Bitcoin and launch the attack themselves. In most cases, it’s either a student looking to delay a test or manipulate the registration process, or a personal attack against the school by a student or staff member. Whatever the reason, the outcome is the same: an individual’s act results in turmoil for the institution.

Industries at Low Likelihood for Attacks

Energy & Utility

For energy and utility companies, the threat landscape remains stable due to the segregation of these companies’ networks. Even so, this industry remains a valid target for hackers, especially given the environmental damage these entities allegedly cause.

In 2016, Radware witnessed a number of energy companies targeted by both hacktivist and state-sponsored groups. For example, Anonymous targeted a number of state-sponsored mining companies for damaging a sacred Tibetan mountain. Meanwhile, HakDefNet was the first company to identify a series of state-sponsored attacks targeting the Ukrainian power grid during the country’s elections. Throughout 2016, there were a number of attacks launched against backers of the Dakota Access Pipeline Project (DAPL) currently under construction in the United States. Despite requests from local tribes to stay away, Anonymous announced its support for the NoDAPL protesters and began posting personal details of officials involved with the pipeline project and threatening employees and families of those involved. In addition, Anonymous launched DDoS attacks against Energy Transfer and other organizations involved with the project.

Technology Companies

Due to the nature of these businesses, they are very aware of the technological risks in the digital world. In addition, they have the right personnel and expertise to fight cyber-attacks. They also tend to be early adopters in testing new tools, exploits and mitigation mechanisms. Successfully hitting these companies requires a higher hacker skillset—a challenge many hackers are keen to accept.

Attack Vector Landscape

Combining the experience of Radware’s ERT and responses to this year’s Security Industry Survey, this chapter reviews the attack vectors that proved popular in 2016.

Application vs. Network Attacks

At first glance, the 2016 research indicates a balance between application and network attacks. This represents a dramatic change from last year’s survey, which showed a significant increase in network-based attacks. In 2016, about two-thirds of respondents reported having faced either network- or application-based attacks. Further analysis reveals that while network and application attacks occur at a similar frequency, application-based attacks cause a larger impact. That’s especially true of Web attacks, followed by TCP-SYN floods.

Hackers now launch multi-vector, blended campaigns that include higher-volume network vectors alongside more sophisticated application vectors. Thus, while the top attack types reported by respondents are more likely to be network-based attacks, the threat of application attacks remains very real.

                        Experienced   Caused the Most Damage
Network (NET)           64%           46%
  TCP-SYN Flood         40%           26%
  UDP                   33%           11%
  ICMP                  32%           9%
  TCP-Other             29%           10%
  IPv6                  16%           6%
Application (NET)       63%           58%
  Web (Subnet)          50%           35%
    HTTP                42%           24%
    HTTPS               36%           19%
  DNS                   37%           19%
  SMTP                  31%           14%
  VoIP                  9%            4%
IPv4                    44%           16%
Other                   3%            3%
None                    20%           NA

Figure 18: Type of attack vector experienced in 2016 and which caused the most damage

Top Trends within Vertical

Figure 19: Impact of attack vectors by business sectors (most harmful attack type, application or network, per vertical: Telecom, Pro Svcs, Tech, Finance, Edu, Gov’t, Retail, Health; the percentages shown range from 50% to 66%)

Frequency of Attacks

This year, Radware also explored attack frequency. More than one-quarter of respondents reported daily and weekly attacks in the past 12 months. Affecting just 9% of organizations, attacks over VoIP were the most infrequent; even so, the incidence of attacks over VoIP tripled from 2015 to 2016.

Figure 20: How often have you experienced cyber-attacks in the past 12 months? (2015 vs. 2016; categories Daily, Weekly, Monthly, Once or Twice a Year, Never, Unknown; 2016 values match the Total column of Figure 17)

More than one-quarter of respondents reported daily and weekly attacks via TCP-SYN flood, TCP-Other, ICMP and UDP-flood attacks in the past year. The most infrequent attack was on IPv6 networks, although daily/weekly attacks in 2016 were higher than in 2015.

Figure 21: How often have you experienced the following network attacks in the last year? (TCP-SYN Flood, UDP-Flood, ICMP, IPv6, TCP-Other; answers Daily, Weekly, Monthly, Quarterly, Annually, Never, Don’t Know)

Figure 22: How often have you experienced the following application attacks in the last year? (HTTPS Flood, HTTP Flood, DNS, SMTP, Login Page, Malware/Phishing, App. Vulnerability Exploitations (SQL Injection, XSS, CSRF); answers Daily, Weekly, Monthly, Quarterly, Annually, Never, Don’t Know)

The application attack with the highest frequency is malware and phishing, with two in five participants experiencing it on a daily/weekly basis. This rate is consistent with our findings in 2015. About a quarter of respondents experienced other application attacks daily or weekly.

About half of all respondents indicated that they did not experience any reflected amplification attacks this year. Roughly 30% said they had suffered from a reflected amplification attack but were able to mitigate the attacks. In 2016, Radware’s Emergency Response Team (ERT) observed DNS attacks mainly targeting A and AAAA records. In addition to DNS, the ERT also observed 256,925 NTP monlist floods.

Multi-Vector Attacks

Hackers continue to move away from single-vector attacks as advanced persistent DDoS campaigns become the norm. Attackers are still using burst attacks in an attempt to defeat mitigation processes. In 2016, Radware witnessed the rise of massive 1Tbps botnets using TCP attack vectors versus amplified and reflected vectors. In addition, attackers are exploring new techniques, such as GRE encapsulation, in hopes of bypassing ACL limitations.

Ransom-based attacks were also a top attack vector; two in five experienced a ransomware attack in the past year. Of those surveyed, 39% reported being affected by ransomware while 17% received a ransom note as part of an RDoS campaign (see the chapter: The Bottom Line: The Rise of Cyber Ransom).

Thirty-nine percent of organizations report having experienced an SSL- or TLS-based attack. This represents continuous growth of 10% year-over-year, with 35% reporting the same in 2015 (see the chapter: Friend Turned Enemy: SSL-Based Cyber-Attacks).

Network Attacks

Prevalence: TCP-SYN Flood 40% | UDP 33% | ICMP 32% | TCP (Other) 31% | IPv6 16%

In 2016, 64% of organizations experienced attacks on their network infrastructure. Of those that experienced a network-based attack, 40% experienced a TCP-SYN flood, followed by UDP (33%) and TCP-Other (29%). Thirty-two percent of respondents experienced an ICMP attack and 16% experienced an IPv6 attack.

Figure 23: Most frequent network attack types (daily) and most frequent network attack vectors, by vertical (Telecom, Pro Svcs, Tech, Finance, Edu, Gov’t, Retail, Health*); types shown are TCP-SYN Flood, UDP Flood, ICMP and TCP-Other; vectors shown are IPv4, TCP-SYN Flood and UDP

Application

Sixty-three percent of respondents experienced application-based attacks during the year. Forty-two percent indicated that they experienced an HTTP flood; 36% experienced an HTTPS flood.

Figure 24: Most frequent application attack types (daily) and most frequent application attack vectors, by vertical (Telecom, Pro Svcs, Tech, Finance, Edu, Gov’t, Retail, Health*); types shown are Malware/Phishing/Ransomware, Login Page, SMTP and App Exploit; vectors shown are Web, DNS and SMTP

New Attack Tools

This year we have seen several tools released in association with Anonymous campaigns. These tools are often released in closed networks for members of a specific operation to use during the campaign. In some cases, they may be released publicly as free-to-use tools—a ploy to generate more support for the operation. These tools are simple denial-of-service scripts or pre-packaged scripts in simple graphical user interfaces (GUIs). Attackers have also been observed using these script tools in cloud environments in an attempt to generate larger attacks from trusted sources.

GUI – Anonymous DDoS (DDoS.exe)

Anonymous released a custom GUI tool for the 2016 Summer Olympics in Rio. This tool is capable of launching a TCP PSH+ACK flood. A PSH+ACK flood sends TCP packets with the PUSH and ACK bits set to one. Each such packet forces the victim’s system to unload all data in the TCP buffer and send an acknowledgement when it has done so. In addition to the tool, the group also published instructions on how to use it.
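As an added illustration (not a Radware tool and not code from the report), the following Python sketch shows how a defender can recognize the PSH+ACK flood pattern just described: it tracks the three-way handshake per flow and counts PSH+ACK segments arriving on flows that never completed one, since a legitimate client only pushes data after SYN, SYN/ACK and ACK. The packet records, IP addresses, window and threshold are constructed assumptions.

```python
"""Spot a TCP PSH+ACK flood by counting PSH+ACK segments that belong to no
established connection. Constructed example for this report, not Radware code;
the traffic below is invented."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# TCP header flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int    # TCP flags bitmask


Flow = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


def detect_pshack_flood(packets: Iterable[Packet], window: float = 1.0,
                        threshold: int = 50) -> Dict[str, int]:
    """Return {source ip: peak orphan count} for every source that sent at least
    `threshold` orphan PSH+ACK segments within any `window` seconds.
    An orphan is a PSH+ACK segment on a flow that never completed a handshake."""
    synacked: set = set()      # flows (client view) that received the server's SYN/ACK
    established: set = set()   # flows (client view) whose final handshake ACK was seen
    orphan_times: Dict[str, List[float]] = defaultdict(list)
    for p in packets:
        fwd: Flow = (p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN and p.flags & ACK:
            synacked.add(rev)                 # server answering a client SYN
        elif p.flags & SYN:
            continue                          # client SYN: nothing to record yet
        elif (p.flags & (PSH | ACK)) == (PSH | ACK):
            if fwd not in established and rev not in established:
                orphan_times[p.src].append(p.ts)
        elif p.flags & ACK and fwd in synacked:
            established.add(fwd)              # third step of the handshake
        if p.flags & RST:                     # an abort tears the state down
            established.discard(fwd)
            established.discard(rev)
    flagged: Dict[str, int] = {}
    for src, times in orphan_times.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):        # sliding window over timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def sample_capture() -> List[Packet]:
    """Constructed traffic: one real HTTPS session, then a PSH+ACK flood from
    a source that never shook hands with the server."""
    srv, client, bot = "203.0.113.10", "198.51.100.7", "192.0.2.66"
    pkts = [Packet(0.00, client, 40000, srv, 443, SYN),
            Packet(0.01, srv, 443, client, 40000, SYN | ACK),
            Packet(0.02, client, 40000, srv, 443, ACK)]
    pkts += [Packet(0.03 + i * 0.01, client, 40000, srv, 443, PSH | ACK) for i in range(20)]
    pkts += [Packet(0.50 + i * 0.0025, bot, 1024 + i, srv, 443, PSH | ACK) for i in range(200)]
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    print(detect_pshack_flood(sample_capture()))
```

Run against the constructed capture, only the source that never completed a handshake is flagged; the real session's twenty data segments are ignored because its flow reached the established set first. On a real sensor the same logic would sit behind a packet capture library and track state per flow with an expiry.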

Scripts – SadAttack and Saphyra

Figure 25: Anonymous DDoS tool for the Olympics

SadAttack and Saphyra are both variants of HULK (HTTP Unbearable Load King). Both tools obfuscate the source client by changing the user agent and referrer for every request. Ghost Squad hackers have loaded both scripts with additional user agents and referrers pointing to a number of pre-listed websites, and other hackers have been seen modifying these scripts by adding their own user-agent and referrer entries. By randomly changing the user agent and referrer—and using Keep-Alive to maintain the connection—an attack can easily bypass caching methods and hit the server directly.
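The rotating User-Agent and Referer behaviour described above leaves a measurable trace in ordinary web-server logs. Below is an added Python example (not part of the report and not code from the tools it names) that parses Combined Log Format lines and scores each client on how many distinct User-Agents and Referers it presents relative to its request count, and how many of those referrers point away from the site itself. The sample log lines, the site hostname and the thresholds are constructed assumptions.

```python
"""Flag HULK-style clients (rotating User-Agent and Referer per request) in web
access logs. Constructed example for this report; log lines and thresholds invented."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it is not Combined Log Format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_clients(lines: Iterable[str], site_host: str = "www.example.com",
                  min_requests: int = 20, diversity_threshold: float = 0.5) -> Dict[str, dict]:
    """Per client IP: ratio of distinct User-Agents and Referers to requests, plus the
    number of referrers pointing off-site. A browser keeps one UA and refers from the
    site itself (or sends none); HULK variants rotate both fields on every request.
    All lines are treated as one observation window (constructed simplification)."""
    stats = defaultdict(lambda: {"requests": 0, "uas": set(), "referers": set(), "external": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["uas"].add(rec["ua"])
        s["referers"].add(rec["referer"])
        host = urlsplit(rec["referer"]).hostname if rec["referer"] not in ("", "-") else None
        if host and host != site_host:
            s["external"] += 1
    result: Dict[str, dict] = {}
    for ip, s in stats.items():
        n = s["requests"]
        ua_ratio = len(s["uas"]) / n
        ref_ratio = len(s["referers"]) / n
        suspicious = n >= min_requests and (ua_ratio >= diversity_threshold or ref_ratio >= diversity_threshold)
        result[ip] = {"requests": n, "ua_ratio": round(ua_ratio, 2), "referer_ratio": round(ref_ratio, 2),
                      "external_referers": s["external"], "suspicious": suspicious}
    return result


def sample_log() -> List[str]:
    """Constructed lines: a normal visitor, then a HULK-like client rotating UA and Referer."""
    lines = []
    for i in range(25):
        lines.append(f'198.51.100.7 - - [10/Aug/2016:12:00:{i:02d} +0000] "GET /page{i % 5}.html HTTP/1.1" '
                     f'200 5120 "http://www.example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"')
    for i in range(40):
        lines.append(f'192.0.2.66 - - [10/Aug/2016:12:00:{i % 60:02d} +0000] "GET /index.html?{i}={i * 7} HTTP/1.1" '
                     f'200 5120 "http://site{i}.invalid/" "Mozilla/5.0 (Variant {i}) Gecko/20100101"')
    return lines


if __name__ == "__main__":
    for ip, info in score_clients(sample_log()).items():
        print(ip, info)
```

The diversity ratio is what separates the two clients: the visitor shows one User-Agent over 25 requests (ratio 0.04), while the rotating client shows a new one every time (ratio 1.0) and every referrer points off-site. Because the tools keep the connection open with Keep-Alive, pairing this log-side score with the connection count per source IP at the load balancer gives a second, independent signal.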

Cloud – Attacks from VPSes

In 2016, Radware witnessed a number of hackers using cloud services to launch denial-of-service attacks. Hackers are using cloud platforms to load attack scripts and launch their assaults. One of the reasons attackers are using these services is that most organizations leverage cloud infrastructure for mission-critical business operations. That makes it very difficult to block communications with cloud services. In just an hour, an attacker can not only set up their tools on a VPS but also access their toolset from mobile devices via SSH. Attack clouds provide hackers with more bandwidth and computing power, allowing them to easily scale their operation and attacks far beyond their home lab capabilities. Conducting large-volume attacks this way is much cheaper than renting a stresser service. Hackers were identified using cloud services to conduct attacks leveraging SadAttack and Saphyra. One hacker eventually shared a screenshot of how he leveraged a cloud instance to conduct several attacks for a number of operations, including OpIcarus, an Anonymous operation targeting the financial sector.

Figure 26: SadAttack.py

Figure 27: Saphyra.py

Figure 28: Attacker using Google Cloud in combination with SadAttack and Saphyra

Attack Size: Does It Matter?

In 2016, fewer than one in 10 server attacks qualified as extra-large (10Gbps or higher). Seven in 10 of the biggest server attacks were below 100Mbps, and 50% were 10Mbps or less. The number of attacks that were 100Mbps or less was stable, while there was an increase in attacks 10Mbps or less and fewer attacks 10Mbps to 100Mbps. Those ranging from 10Gbps to 50Gbps decreased from 8% in 2015 to 3% in 2016.

Figure 29: What are the three biggest cyber-attacks you have suffered by bandwidth? (10Mbps or Less 50%; 10Mbps to 100Mbps 20%; 100Mbps to 1Gbps 13%; 1Gbps to 10Gbps 10%; 10Gbps to 50Gbps 3%; Above 50Gbps 4%)

Despite the record-breaking volumes we’ve seen in 2016, non-volumetric DDoS is still prevalent. This denial-of-service technique has proven very efficient at exhausting network and server resources. Moreover, a non-volumetric attack can evade detection mechanisms and consume bandwidth and resources without the target knowing—affecting service-level quality.

Three in five respondents report a cyber-attack that is 10 million packets-per-second (PPS) or less, and about one-fifth indicated they suffered an attack between 10 million PPS and 100 million PPS. The number of attacks that were 100 million PPS or less increased from 76% in 2015 to 82% in 2016. Those with 10 million PPS or less were up, too—increasing from 50% in 2015 to 63% in 2016.

Figure 30: What are the three biggest cyber-attacks you have suffered by PPS? (10M or Less 63%; 10M to 100M 19%; 100M to 1B 10%; 1B to 10B 5%; 10B & Above 3%)

Combining firewalls, IPS and load balancers, we find that stateful devices fail in at least 36% of attacks. They simply cannot handle all kinds of cyber-attacks, and a dedicated attack mitigation solution is required to maintain availability at all times.

04 EMERGING PERILS

The Bottom Line: The Rise of Cyber Ransom

The 2016-2017 Global Application & Network Security Survey revealed that ransom attacks are by far the most prevalent threat—growing from 25% of attacks in 2015 to 41% in 2016. What’s driving the increase? Quite simply, cyber ransom can be a highly lucrative “business.” It is faster, easier and cheaper than ever to execute this form of extortion, which gives its victims a very short window to respond before suffering what could be a devastating disruption to systems and day-to-day operations.

Figure 31: Which of the following motives are behind any cyber-attacks your organization experienced? (Ransom 41%; the remaining motives shown are Insider Threat, Political, Competition, Cyberwar, Angry User, No Attacks and Motive Unknown, with values ranging from 27% down to 11%)

Overview of Cyber Ransom

Extortion isn’t a new concept. Nor is ransomware, which has been on the scene for nearly a quarter century. One of the first examples was called Aids Info Disk or PC Cyborg Trojan. This would encrypt all of the filenames on the “C” drive—rendering the PC unusable. Once a PC was infected, the malware would demand that a payment of $189 be sent to a post office box somewhere in Panama. In time, the Aids Info Disk Trojan’s creator was arrested and charged with 11 counts of blackmail.

Antivirus software makers eventually learned how to detect this category of malware and were able to quickly block them. For years, these defenses worked. However, the growing popularity of virtual currencies has made ransomware a lucrative opportunity for cyber-criminals. These criminals no longer request payments to a PO box. These days, they tell victims that if they ever want to see their information again, they must make a payment to a hacker via Bitcoin. Of course, the only sure thing is that the money will be taken. One of the latest varieties to emerge is Ransom32, which is ransomware-as-a-service that gives cyber criminals a jumpstart on holding victims’ information hostage.

Today’s ransom attacks have two primary “flavors”:

Ransomware – Attackers typically use malware to encrypt critical data, making it unusable until the user complies with instructions to make a payment via Bitcoin.

DDoS for ransom (aka RDoS) – in which attackers send their target a letter that threatens a DDoS attack at a certain day and time unless the organization makes a payment (usually $2,000 to $10,000) via Bitcoin. Often hackers will launch a small-scale attack as a preview of what could follow.

Figure 32: 49% of companies suffered at least one ransom attempt in 2016 (Ransomware 39%; Ransom Denial of Service (RDoS) 17%; None 32%; Don’t Know/Not Sure 19%)

Primary Actors

To date, RDoS attacks have been carried out primarily by these groups:

Armada Collective

Armada Collective is arguably the best known—and most imitated—gang of cybercriminals. With a typical ransom demand of 10 to 200 Bitcoin (about $3,600 to $70,000), this gang often accompanies its ransom notes with a short “demo” or “teaser” attack. When time for payment expires, Armada Collective takes down the victims’ data centers with traffic volumes typically exceeding 100Gbps. (Radware has firsthand experience with these criminals, who waged an RDoS attack against ProtonMail in 2015.) Apparent copycats have begun using the Armada Collective name; one early tactic involved attempted extortion of about $7.2 million from three Greek banks.

DD4BC

This cybercriminal group, whose name is an acronym for “distributed denial of service for Bitcoin,” started launching Bitcoin extortion campaigns in mid-2014. Initially targeting the online gambling industry, DD4BC has since broadened targets to include financial services, entertainment and other high-profile companies.

ezBTC Squad

Instead of using messages, this group of cybercriminals is using as the vehicle for delivering its RDoS threats. Others are following suit.

Kadyrovtsy

Named after the elite forces of the Kadyrov administration in Chechnya, this is one of the newest groups to emerge on the RDoS scene. It recently threatened two Polish banks and a Canadian media company. The group even launched demo assaults (15-20Gbps) to prove its competence, much like the infamous Armada Collective.

RedDoor

RedDoor issued its first threats in March 2016. Per the “standard,” these criminals use an anonymous email service to send messages demanding a ransom of 3 Bitcoin. Targeted businesses have just 24 hours to wire the payment to an individual Bitcoin account.

Beware the Copycats

“Copycats” are compounding the RDoS headaches. These players are issuing fake letters—hoping to turn quick profits with minimal effort. Here are useful tips to detect a fake ransom letter:

1. Assess the request. The Armada Collective normally requests 20 Bitcoin. Other campaigns have been asking for amounts above and below this amount. Fake hackers typically request different amounts of money. In fact, low Bitcoin ransom letters are most likely from fake groups who are hoping their price point is low enough for someone to pay rather than seek help from professionals.

2. Check the network. Real hackers prove their competence by running a small attack while delivering a ransom note. If there is a change in network activity, the letter and the threat are probably genuine.

3. Look for structure. Real hackers are well organized. Fake hackers, on the other hand, don’t link to a website, and they lack official accounts.

4. Consider other targets. Real hackers tend to attack many companies in a single sector. Fake hackers are less focused, targeting anyone and everyone in hopes of making a quick buck.
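The four tips above can be applied systematically when a note arrives. The Python below is an added example, not Radware’s own tooling: it extracts the demanded amount, compares it with the ranges this report quotes for Armada Collective (10 to 200 Bitcoin) and RedDoor (3 Bitcoin), and combines that with traffic telemetry, the presence of a referenced site or account, and whether sector peers received the same note. The notes, the traffic figures and the scoring cut-offs are constructed assumptions; the verdict sets response priority rather than deciding whether mitigation readiness is checked.

```python
"""Triage an RDoS ransom note against the four copycat checks. Constructed example
for this report; group ranges are those the report quotes, everything else is invented."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Demand ranges quoted in the report: Armada Collective 10-200 BTC, RedDoor 3 BTC.
KNOWN_PROFILES: Dict[str, Tuple[float, float]] = {
    "armada collective": (10.0, 200.0),
    "reddoor": (3.0, 3.0),
}

AMOUNT_RE = re.compile(r'(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b', re.IGNORECASE)
CONTACT_RE = re.compile(r'(https?://\S+|@\w{2,})')

GENUINE_SIGNALS = ("amount matches claimed group", "traffic spike consistent with a demo attack",
                   "note references a site or account", "peers in sector received the same note")


@dataclass
class Telemetry:
    baseline_mbps: float      # normal inbound traffic (constructed)
    peak_mbps: float          # peak observed around the note's arrival (constructed)
    peers_threatened: int     # other organizations in our sector reporting the same note


@dataclass
class Triage:
    claimed_group: Optional[str]
    amount_btc: Optional[float]
    signals: List[str] = field(default_factory=list)
    verdict: str = ""


def triage_note(note: str, telemetry: Telemetry, demo_ratio: float = 2.0) -> Triage:
    """Apply the four checks and return the collected signals with a priority verdict."""
    text = note.lower()
    group = next((g for g in KNOWN_PROFILES if g in text), None)
    m = AMOUNT_RE.search(note)
    amount = float(m.group(1)) if m else None
    t = Triage(group, amount)
    # 1. Assess the request: does the amount fit the claimed group's known range?
    if group and amount is not None:
        lo, hi = KNOWN_PROFILES[group]
        t.signals.append("amount matches claimed group" if lo <= amount <= hi
                         else "amount inconsistent with claimed group")
    elif amount is not None and amount < 1.0:
        t.signals.append("unusually low demand")
    # 2. Check the network: did a demo attack accompany the note?
    if telemetry.baseline_mbps > 0 and telemetry.peak_mbps / telemetry.baseline_mbps >= demo_ratio:
        t.signals.append("traffic spike consistent with a demo attack")
    else:
        t.signals.append("no traffic change observed")
    # 3. Look for structure: a website or account referenced in the note
    t.signals.append("note references a site or account" if CONTACT_RE.search(note)
                     else "no site or account referenced")
    # 4. Consider other targets: real campaigns hit many organizations in one sector
    t.signals.append("peers in sector received the same note" if telemetry.peers_threatened >= 2
                     else "no sector-wide campaign seen")
    genuine = sum(s in GENUINE_SIGNALS for s in t.signals)
    t.verdict = ("credible campaign" if genuine >= 3
                 else "probable copycat" if genuine <= 1 else "inconclusive")
    return t


def sample_triage() -> Tuple[Triage, Triage]:
    """Two constructed notes: one consistent with a real campaign, one copycat."""
    credible = ("We are the Armada Collective. Pay 20 BTC to the address below by Friday 12:00 UTC. "
                "A small demonstration attack is running now. Details: http://example.invalid/notice")
    copycat = "WE ARE ARMADA COLLECTIVE. SEND 0.5 BTC OR YOUR SITE GOES DOWN."
    a = triage_note(credible, Telemetry(baseline_mbps=800, peak_mbps=9500, peers_threatened=4))
    b = triage_note(copycat, Telemetry(baseline_mbps=800, peak_mbps=820, peers_threatened=0))
    return a, b


if __name__ == "__main__":
    for t in sample_triage():
        print(t.verdict, t.signals)
```

The two constructed notes land on opposite verdicts for the reasons the tips give: the first matches the quoted Armada Collective range, arrives with a traffic spike, names a site and is mirrored at sector peers; the second demands a fraction of a Bitcoin under a borrowed name with nothing else behind it.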

Likely Targets: Who Will CAVE?

What do cybercriminals look for when considering ransom targets? The acronym CAVE highlights the four areas criminals will assess when choosing which people and companies to target:

Culture

An organization’s culture can make it more or less likely to be targeted by cybercriminals. The two key factors: cultural views on paying versus not paying and the organization’s overall appetite for risk. Some organizations are afraid to go public about a breach or simply aren’t interested in a public “fight.” Very private, risk-averse organizations may represent strong candidates for an RDoS or ransomware attack. Similarly, those with a pay-up culture—who are quick to send funds to “make it go away”—often earn a reputation as such. That can result in new attacks from other cyber-crime groups.

Assets

At the end of the day, cyber “ransomers” are out for profits. For their threats to be effective, the target must have some digital asset—business or personal data, interface or communication—that is critical to the individual’s life or the organization’s operations. Those digital assets are what the criminals will attempt to hold hostage to maximize their reward.

Figure 33: Distribution of cyber-ransom attacks by geography (Europe 49%; APAC 39%; North America 35%)

Vulnerability

Cybercriminals need a way to lock down assets, making them unavailable to users. In general, they can do so in two primary ways: either by encrypting data at some level or by denying access by taking hostage an element of the information technology delivery chain. Either way, criminals need to spot a key vulnerability—such as an exploit or engineering assumption left unprotected. Ideally, cybercriminals will seek vulnerabilities that are present across a large number of organizations. Such vulnerabilities can be highly lucrative, giving criminals the ability to standardize on a technique and repeat it on a mass scale.

Expertise

Criminals aren’t looking for expertise—they’re looking for a lack of it. Indeed, they’re more likely to focus on organizations or people lacking the resources to hire professionals; those with few or modest investments in IT security support; and those who lack knowledge of cyber-ransom techniques and how best to respond.

Preparedness

Only 7% of security industry survey respondents indicated they keep Bitcoin at hand as part of their emergency response plan.

Extremely/Very Well Prepared   Pro Svcs  High Tech  Finance  Edu   Gov't  Retail  Telecom
Ransomware                     48%       56%        51%      20%   37%    49%     52%

Verticals: Pro Svcs = Professional Services & Consulting; High Tech = High Tech Products & Services; Finance = Banking & Financial Services; Edu = Education; Gov't = Govt./Civil Service; Retail = Retail/Wholesale/Online; Telecom = Media/Telecom.

Figure 34: Distribution of cyber-ransom attacks across verticals

For more on this topic, see Radware’s ebook, Cyber Ransom Survival Guide: The Growing Threat of Ransomware and RDoS – and What to Do About It

Friend Turned Enemy: SSL-Based Cyber-Attacks

Secure Socket Layer (SSL) and other commercialized technologies provide an essential foundation for e-commerce and secure online communication. But the 2014 discovery of the Heartbleed [3] vulnerability—followed by news of POODLE [4]—tarnished SSL’s reputation and led many IT experts to dub it the most vulnerable technology in widespread use. Many are migrating to newer, more secure versions of SSL and, ultimately, to a replacement protocol, Transport Layer Security (TLS). However, neither the story nor the threats are over.

Increasingly, attackers are using the SSL protocol to evade and further complicate attack traffic and malware detection in both network and application-level threats. Challenges posed by encrypted traffic are poised to get worse, as Gartner has noted: “The continued growth of SSL/TLS traffic will be amplified by the adoption of HTTP 2.0. It creates a new attack surface for malware infection, data exfiltration and call back communication.”[5] According to Netcraft, use of SSL by the top one million websites has increased by more than 48% over the past two years.[6] As the percentage of encrypted inbound and outbound traffic increases, so does the effectiveness of encryption as a smokescreen for hackers.

Recent surveys show that on average, 25% to 35% of enterprise communication sent through a LAN and WAN infrastructure is SSL-encrypted traffic.[7] In certain verticals, such as finance or medical, it can reach as high as 70% due to the information being communicated. SSL technology continues to improve the security it provides, with longer, more complex keys used to encrypt data.

[3] ://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/-/
[4] https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/sslv3-/
[5] “Security Leaders Must Address Threats From Rising SSL Traffic” Gartner Research, January 8, 2015
[6] https://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html
[7] http://www.networksasia.net/article/3-reasons-ssl-encryption-gives-false-sense-security.1424935771

Types of SSL Attacks: More Frequent and More Virulent

DDoS and advanced Web application attacks continue to plague businesses as they move to more online operations. With both types of attacks, those leveraging encrypted traffic as an attack vector are on the rise. This increase is further challenging many incumbent solutions for detecting and mitigating cyber threats. Most do not actually inspect SSL traffic, as it requires decrypting the encrypted traffic. In Radware’s latest industry survey, 39% of respondents confirmed they have been targeted by SSL or encrypted vectors—a 10% increase compared to the prior year. Only one in four businesses reported feeling protected against SSL flood attacks.

Figure 35: Have you experienced an SSL-based attack this year? (2015: Yes 35%, No 65%; 2016: Yes 39%, No 61%)

SSL-based attacks take many forms. Among them:

• Encrypted SSL floods. These attacks are similar in nature to standard, non-encrypted SYN flood attacks in that they seek to exhaust the resources in place to complete the SYN-ACK handshake. Encrypted SSL floods complicate the challenge by encrypting traffic and forcing use of SSL handshake resources.

• SSL renegotiation. These attacks work by initiating a regular SSL handshake and then immediately requesting the renegotiation of the encryption key. The tool continuously repeats this renegotiation request until all server resources have been exhausted.

• HTTPS floods. These attacks generate floods of encrypted HTTP traffic, often as part of multi-vector attack campaigns. Compounding the impact of “normal” HTTPS floods, encrypted HTTP attacks add the burden of encryption and decryption mechanisms.

• Encrypted Web application attacks. Multi-vector campaigns also increasingly leverage non-DoS, Web application logic attacks. By encrypting the traffic that carries these attacks, they often pass undetected through both DDoS and Web application protections. Meanwhile, encryption technology continues to evolve in terms of the length and complexity of keys used. While these provide stronger security, they also bring tradeoffs in terms of requiring greater computing power and being more complex to manage—a trend Radware expects to continue.

Moving to TLS 1.2

Many security policy bodies and compliance programs are moving toward implementation of the TLS 1.2 protocol. The PCI Council originally set a June 2016 deadline[8] for migration from SSL to TLS 1.2. However, it had to delay the requirement until June 2018 due to implementation challenges among many merchants.

Indeed, the migration will create some short- and long-term challenges. Just the process of identifying all relevant system components is resource intensive for already time-strapped teams. Further, many will face challenges in maintaining interoperability with older versions of software and browsers still used by some customers.

Complicating Detection, Stressing Mitigation

SSL and encryption are highly effective at protecting the integrity of legitimate communications. Unfortunately, they are equally effective at obfuscating many attributes that help determine if traffic is malicious or legitimate. Identifying attack traffic within encrypted traffic flows is akin to finding a needle in a haystack—in the dark. Most cyber-attack solutions struggle to identify potentially malicious traffic from encrypted traffic sources and to isolate that traffic for further analysis (and potential mitigation). SSL attacks offer attackers another advantage: the ability to put significant computing stress on the network and application infrastructures they target. The process of decrypting and re-encrypting SSL traffic increases the requirements of processing the traffic—in many cases beyond the functional performance of devices used for attack mitigation. Most devices are inline, stateful and unable to handle SSL encrypted attacks, making them vulnerable to SSL floods. Fewer still can be deployed out of path—a necessity for providing protection while limiting the impact on legitimate users.

[8] https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

Many solutions that can do some level of decryption tend to rely on limiting the rate of requests, which results in legitimate traffic being dropped and effectively completes the attack. Finally, many solutions require the customer to share actual server certificates. That requirement complicates implementation and certificate management and forces customers to share private keys for protection in the cloud.

Visibility into encrypted traffic isn’t the only challenge related to SSL/TLS. When surveyed about the ability of existing security solutions to decrypt, inspect and re-encrypt traffic, most are similarly working blind. Specifically, 75% of industry practitioners doubt their security solutions provide full encrypted attack protection.[9] According to Gartner, less than 20% of organizations decrypt inbound traffic at the network perimeter; less than half inspect encrypted traffic leaving the network. Further, more than 90% with public websites decrypt inbound Web traffic (often through a Web Application Firewall); however, many of the encrypted attack vectors are doing their damage before traffic gets this deep into the network or application infrastructure.[10]
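The handshake-level attacks listed above (encrypted SSL floods and SSL renegotiation) leave a footprint in connection metadata even when the payload cannot be decrypted. The following Python script is an added example, not code from the report or any Radware product: it assumes a constructed log format from a hypothetical TLS-terminating proxy and illustrative thresholds, and flags sources whose ClientHello rate, handshake completion ratio or per-connection renegotiation count is abnormal.

```python
"""Metadata-only detection of SSL/TLS handshake floods and renegotiation
abuse at a TLS-terminating proxy. Added example: the log format, thresholds
and sample entries are constructed assumptions, not any vendor's output."""
from collections import defaultdict

# Thresholds are illustrative assumptions, not measured baselines.
HELLO_RATE_MAX = 50.0        # ClientHellos per second from one source
COMPLETION_RATIO_MIN = 0.5   # share of hellos that finish the handshake
RENEG_PER_CONN_MAX = 10      # renegotiations tolerated on one connection


def parse_line(line):
    """Parse '<unix_ts> <src_ip> <conn_id> <event>' (constructed format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, conn, event = parts
    try:
        return int(ts), src, conn, event
    except ValueError:
        return None


def analyze(lines):
    """Aggregate handshake events per source; return src_ip -> sorted list of
    finding labels. Only handshake metadata is used, never decrypted payload."""
    hellos = defaultdict(int)
    done = defaultdict(int)
    first_ts, last_ts = {}, {}
    reneg = defaultdict(lambda: defaultdict(int))  # src -> conn -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, conn, event = rec
        first_ts[src] = min(first_ts.get(src, ts), ts)
        last_ts[src] = max(last_ts.get(src, ts), ts)
        if event == "client_hello":
            hellos[src] += 1
        elif event == "handshake_done":
            done[src] += 1
        elif event == "renegotiate":
            reneg[src][conn] += 1
    findings = {}
    for src in first_ts:
        labels = []
        span = last_ts[src] - first_ts[src] + 1   # seconds, at least 1
        rate = hellos[src] / span
        ratio = done[src] / hellos[src] if hellos[src] else 1.0
        # Flood: many hellos per second, few of which ever complete.
        if rate >= HELLO_RATE_MAX and ratio < COMPLETION_RATIO_MIN:
            labels.append("ssl_handshake_flood")
        # Renegotiation abuse: one connection re-keying over and over.
        if reneg[src] and max(reneg[src].values()) >= RENEG_PER_CONN_MAX:
            labels.append("ssl_renegotiation_abuse")
        if labels:
            findings[src] = sorted(labels)
    return findings


def build_sample_log():
    """Constructed sample: a benign browser, a handshake flooder and a
    renegotiation abuser. Timestamps are arbitrary epoch seconds."""
    lines = []
    for i in range(3):   # benign: three connections over ten seconds
        t = 1475000000 + i * 4
        lines += [f"{t} 192.0.2.10 b{i} client_hello",
                  f"{t} 192.0.2.10 b{i} handshake_done",
                  f"{t} 192.0.2.10 b{i} app_data"]
    for i in range(300):  # flooder: 300 hellos in two seconds, 10 complete
        t = 1475000000 + (i % 2)
        lines.append(f"{t} 198.51.100.7 f{i} client_hello")
        if i % 30 == 0:
            lines.append(f"{t} 198.51.100.7 f{i} handshake_done")
    lines += ["1475000005 203.0.113.5 r0 client_hello",
              "1475000005 203.0.113.5 r0 handshake_done"]
    lines += ["1475000005 203.0.113.5 r0 renegotiate"] * 40
    return lines


if __name__ == "__main__":
    for src, labels in analyze(build_sample_log()).items():
        print(src, ", ".join(labels))
```

The same counters can be fed from real proxy or load-balancer logs once the parser is adapted to their format; the point is that neither rule needs the private key.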

Cloud Complexity

Traditional data center environments aren’t the only place where encrypted traffic creates challenges of visibility and security. As volumetric attacks that saturate Internet pipes or overwhelm data center resources continue to grow, many are turning to cloud-based attack mitigation solutions.

Cloud-based services vary in capabilities but generally allow an attack target to rely on purpose-built resources outside of its network to scrub traffic—that is, removing attack traffic and returning what’s legitimate. However, rerouting encrypted traffic to a third party creates a new set of challenges related to private key management and coordination. On one hand, decryption by the cloud DDoS provider is necessary to provide protection from encrypted threats (some providers simply pass encrypted traffic along to the customer). On the other, enabling a third party to decrypt traffic by sharing private keys sometimes means the customer must coordinate any certificate management changes with the cloud DDoS provider. It also means potential loss of end-user data privacy and confidentiality.

Given these challenges, organizations looking to handle volumetric attacks within encrypted traffic flows need to identify vendors with the ability to support wildcard certificates that do not need to match the server certificates. This does two things. First, it eliminates the need to share private keys with the cloud DDoS vendor, which is against most organizations’ security policies. Second, it dramatically reduces the administrative burden of coordinating changes and updates to the server certificates and also eliminates the additional risk of exposing server certificates to the network perimeter.

Encrypted Attack Protection: ‘Keys’ to Success

SSL is both a blessing and a curse: a blessing because it solves the privacy problem and secures the communication of sensitive information; a curse because it creates new blind spots and vulnerabilities in an enterprise IT infrastructure. To address SSL challenges, implement a strategy that considers the following:

• Visibility. Aim to decrypt and re-encrypt SSL sessions to enable security inspection of both clear and encrypted traffic while maintaining privacy of content en route.

• Service chaining. Any SSL inspection solution needs to be able to selectively forward traffic to one or more security solutions.

• Flexible traffic inspection. How can a solution support efficiency while inspecting encrypted traffic that’s masquerading as clear traffic? It must dynamically define filters that intercept and open traffic for inspection—even if it flows through TCP ports other than the standard HTTPS port 443.

• Security. To avoid turning the SSL traffic inspection solution into a target itself, a solution must not perform like a proxy or have its own IP address.

• Scalability. As the amount of traffic and SSL traffic continuously grows, SSL traffic inspection solutions must seamlessly scale to reduce or eliminate the need for forklift upgrades.

• High availability. To avoid downtime due to outages in the security solution, the SSL traffic inspection solution should always ensure traffic is forwarded to the fastest-responding available security servers, automatically bypassing out-of-service servers.

[9] “Security Leaders Must Address Threats From Rising SSL Traffic” Gartner Research, January 8, 2015
[10] “Security Leaders Must Address Threats From Rising SSL Traffic” Gartner Research, January 8, 2015

Internet of Threats: IoT Botnets and the Economics of DDoS Protection

2016 brought a long-feared DDoS threat to fruition: cyber-attacks were launched from multiple connected devices turned into botnets. These attacks are propelling us into the 1Tbps DDoS era. What follows is a closer look at what happened—and what to do now.

Notable Attacks

• June 28, 2016: PCWorld reports that “25,000 digital video recorders and CCTV cameras were compromised and used to launch distributed denial-of-service (DDoS) attacks, flooding its targets with about 50,000 HTTP requests per second.”[11] Though impressive and startling, this attack said nothing about what was still to come.

• September 20, 2016: Around 8:00 pm, KrebsOnSecurity.com becomes the target of a record-breaking 620Gbps[12] volumetric DDoS attack from a botnet designed to take the site offline.

• September 21, 2016: The same type of botnet is used in a 1Tbps attack targeting the French Web host OVH.[13] A few days later, the IoT botnet source code goes public—spawning what would become the “marquee” attack of the year.

• October 21, 2016: A U.S.-based DNS provider that many Fortune 500 companies rely on is attacked by the same botnet in what is publicly known as a “water torture” attack (see below). The attack renders many services unreachable and causes massive connectivity issues—mostly along the East Coast of the United States.

The Appeal of Internet of Things (IoT) Devices

For hackers, IoT devices are attractive targets for several reasons:

• IoT devices usually fall short when it comes to endpoint protection implementation.

• Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices. Such regulations help ensure secured configurations and practices. Among them: changing default credentials and implementing access control restrictions (for example, to disable remote access to administrative ports).

• IoT devices operate 24x7 and can be in use at any moment.

According to Radware’s survey, 55% of security professionals indicated that they believe the Internet of Things complicates mitigation or detection requirements.

[11] http://www.pcworld.com/article/3089346/security/thousands-of-hacked-cctv-devices-used-in-ddos-attacks.html
[12] https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[13] https://twitter.com/olesovhcom/status/779297257199964160

Increases the Attack Surface: 52%
Complicates Mitigation Requirements: 38%
Increases Detection Requirements: 37%
Increases the Sophistication of the Attack Itself: 33%
Has No Effect: 17%

Figure 36: IoT threat impact as perceived by cyber security professionals

Mirai Under the Microscope

As an open-source attack program, Mirai is fueling justifiable fears that hackers will create countless customizations and evolutions of the tool. To help understand the risks, Radware’s security research team conducted a thorough study of the infamous botnet.

We can all thank a user named “Anna-senpai” for publishing the Mirai source code to a public and easily accessible forum. In short order, the code spread to numerous locations, including several GitHub repositories, where hackers began taking a closer look. Since then, the Mirai botnet has been infecting hundreds of thousands of IoT devices—turning them into a “zombie army” capable of launching powerful volumetric DDoS attacks. Security researchers estimate that there are millions of vulnerable IoT devices actively taking part in these coordinated attacks.

Figure 37: Infection map provided by botnets researcher @MalwareTechBlog

Different Attack Vectors

In a surprising departure from previous record-holding amplification attacks, attackers did not use DNS and NTP. Instead, these attacks consisted mainly of TCP-SYN, TCP-ACK and TCP-ACK + PSH along with HTTP and non-amplified UDP floods. In the case of KrebsOnSecurity, the biggest chunk of attack traffic came in the form of GRE, which is highly unusual.[14] In the OVH attack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack followed by short bursts over 100Gbps each over a four-day period.[15]

Outstanding Attack Vectors

GRE Flood Attack

Generic routing encapsulation (GRE) is a tunneling type protocol developed by Cisco. GRE mainly encapsulates data packets and routes them through the tunnel to a destination network that de-encapsulates the payload packets. Sending many GRE packets with large amounts of encapsulated data may lead to resource consumption, with the victim attempting to de-encapsulate them until exhaustion.

Figure 38: The bot sends GRE packets with an encapsulated UDP packet containing 512 bytes of random data

[14] https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[15] https://twitter.com/olesovhcom/status/779297257199964160

TCP STOMP Attack

Consider this akin to the classic ACK flood attack—with a twist. Most network security solutions will easily block simple botnets as they send large volumes of ACK packets. Thus, Mirai starts with the ACK flood only after gaining a legitimate sequence number by completing the TCP connection process. By receiving a sequence number, Mirai raises the odds of bypassing network security solutions.

Figure 39: A function creates a GRE packet and includes it within a GRE flood attack

DNS Water Torture Attack

With this technique, the attacker sends a pre-crafted DNS query to the service provider’s DNS server. The malicious DNS query contains a random string prepended to the victim’s domain (for example, xxxyyyy.www.VictimDomain.com). The DNS server will repeatedly attempt to get an answer from the authoritative name server with no success. Sending different false strings with the victim’s domain name will eventually increase the DNS server’s CPU utilization until it is no longer available.

Figure 40: Menu of all Mirai’s attack vectors
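The water torture pattern is visible in a recursive resolver's query log long before the CPU runs out: one zone suddenly receives thousands of never-before-seen leading labels, nearly all of which fail to resolve. The Python script below is an added example (not from the report or any Radware product) that scores each zone on distinct-prefix count, failure ratio and the pooled character entropy of the prefixes; the log format, thresholds and sample data are constructed assumptions.

```python
"""Detect DNS 'water torture' (random-subdomain) floods from resolver query
logs. Added example: the log format, thresholds and sample data are
assumptions for illustration, not Radware's or any vendor's detection logic."""
import math
import random
from collections import defaultdict

UNIQUE_PREFIX_MAX = 100   # distinct leading labels per zone in the window
FAIL_RATIO_MIN = 0.8      # share of NXDOMAIN/SERVFAIL answers
POOLED_ENTROPY_MIN = 4.0  # bits/char over all prefix labels of the zone
FAIL_RCODES = {"NXDOMAIN", "SERVFAIL"}


def pooled_entropy(labels):
    """Shannon entropy (bits per character) over the concatenated labels.
    Random prefixes drawn from a 36-symbol alphabet approach log2(36) = 5.17;
    a handful of real hostnames (www, mail, api) stays well below 4."""
    text = "".join(labels)
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (leading_label, zone) with zone = last two labels, e.g.
    'ab3x9q.www.victim.example' -> ('ab3x9q', 'victim.example').
    Queries with fewer than three labels have no prefix and return None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[-2:])


def parse_line(line):
    """Parse '<unix_ts> <client_ip> <qname> <rcode>' (constructed format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[1], parts[2], parts[3]


def analyze(lines):
    """Aggregate per zone; return zone -> stats dict with a 'water_torture'
    verdict. All three indicators must trip, so a busy CDN zone with many
    real hostnames that resolve fine is not flagged."""
    zones = defaultdict(lambda: {"queries": 0, "failed": 0,
                                 "prefixes": set(), "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        split = split_qname(qname)
        if split is None:
            continue
        prefix, zone = split
        z = zones[zone]
        z["queries"] += 1
        if rcode in FAIL_RCODES:
            z["failed"] += 1
        z["prefixes"].add(prefix)
        z["clients"].add(client)
    report = {}
    for zone, z in zones.items():
        fail_ratio = z["failed"] / z["queries"]
        entropy = pooled_entropy(z["prefixes"])
        suspicious = (len(z["prefixes"]) >= UNIQUE_PREFIX_MAX
                      and fail_ratio >= FAIL_RATIO_MIN
                      and entropy >= POOLED_ENTROPY_MIN)
        report[zone] = {"queries": z["queries"],
                        "unique_prefixes": len(z["prefixes"]),
                        "clients": len(z["clients"]),
                        "fail_ratio": round(fail_ratio, 2),
                        "prefix_entropy": round(entropy, 2),
                        "water_torture": suspicious}
    return report


def build_sample_log(seed=1234):
    """Constructed resolver log: benign lookups of one zone plus a random-
    subdomain flood against 'victim.example' from 50 bot clients."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = []
    for i, host in enumerate(["www", "mail", "api", "cdn", "www"]):
        lines.append(f"{1475000000 + i} 192.0.2.{10 + i} {host}.shop.example NOERROR")
    for i in range(300):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        bot = f"198.51.100.{i % 50}"
        rcode = "NXDOMAIN" if i % 20 else "SERVFAIL"
        lines.append(f"{1475000000 + i // 100} {bot} {label}.www.victim.example {rcode}")
    return lines


if __name__ == "__main__":
    for zone, stats in analyze(build_sample_log()).items():
        print(zone, stats)
```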

What follows is a concise overview of how Mirai operates:
1. Connects to victim machines via a brute-force attack against Telnet servers, using 60+ factory default credentials of BusyBox.[16]
2. Every infected device locks itself against additional bots.
3. Mirai sends the victim’s IP and credentials to a centralized ScanListen service.
4. The new victim then helps in harvesting new bots, spawning a self-replicating pattern.
5. Once all devices are ready, Mirai launches the attack.

What makes Mirai so powerful? Consider that:
1. Setup is fast and easy; in fact, it can be completed within an hour.
2. Distribution is rapid. The infection recurrence mechanism leads to exponential growth in the botnet’s size. In fact, perpetrators can have a botnet of 100,000+ infected devices in 24 hours.
3. Leveraging an efficient Communicating Sequential Processes (CSP) design, this distributed micro-service architecture allows for scalable control of bots and attack execution in very large botnets.
4. This piece of malware has a low detection rate. It is very difficult to retrieve samples because the malicious code lives in the device’s memory and is wiped out once the device is restarted.
5. Mirai also offers configurable attack features, including the ability to specify packet size, randomize packet size, set TOS/ident/TTL in the IP header, force the source and destination ports and set TCP urg/ack/psh/rst/syn/fin flags.

Figure 41: Mirai’s HTTP flood program creates huge 80MB POST requests

6. The malware is able to recognize DDoS protection solutions and adjust the attack accordingly.
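Steps 1 and 4 of the overview above (Telnet brute force, then harvesting new bots) make every infected device a scanner, which is the behaviour a carrier or enterprise can spot in flow records without any payload: one source opening SYN-only connections to many distinct hosts on the Telnet port in a short window. The Python script below is an added example, not a rule from the report or any carrier; the flow format, thresholds and sample data are constructed assumptions.

```python
"""Flag hosts that behave like Mirai-style Telnet scanners in flow records.
Added example with a constructed flow format, thresholds and sample data;
it is not a carrier's real detection rule or anything from the report."""
from collections import defaultdict

TELNET_PORTS = {23}      # the report mentions Telnet; add ports as needed
DISTINCT_DST_MAX = 50    # distinct destinations from one source per window
WINDOW_SECONDS = 60


def parse_flow(line):
    """Parse '<unix_ts> <src_ip> <dst_ip> <dst_port> <tcp_flags>' (constructed
    format); return a tuple or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, flags = parts
    try:
        return int(ts), src, dst, int(port), flags
    except ValueError:
        return None


def find_telnet_scanners(lines):
    """Return {src_ip: peak_distinct_destinations} for sources whose SYN-only
    flows to Telnet ports fan out to DISTINCT_DST_MAX or more distinct hosts
    inside any WINDOW_SECONDS window. Fan-out on one port from a single host
    is the propagation signature, independent of payload."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port, flags = rec
        if port in TELNET_PORTS and flags == "S":
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it fits WINDOW_SECONDS
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= DISTINCT_DST_MAX:
            scanners[src] = peak
    return scanners


def build_sample_flows():
    """Constructed sample: an infected camera probing 200 hosts on port 23 in
    30 seconds, an admin reaching three devices, and ordinary HTTPS traffic."""
    lines = []
    for i in range(200):
        ts = 1475000000 + (i * 30) // 200
        lines.append(f"{ts} 10.20.30.40 203.0.113.{i + 1} 23 S")
    for i in range(3):
        lines.append(f"{1475000100 + i * 600} 10.0.0.5 10.20.30.{41 + i} 23 S")
    for i in range(100):
        lines.append(f"{1475000000 + i} 10.0.0.7 198.51.100.{i % 20} 443 S")
    return lines


if __name__ == "__main__":
    for src, fanout in find_telnet_scanners(build_sample_flows()).items():
        print(f"{src}: {fanout} distinct Telnet destinations in {WINDOW_SECONDS}s")
```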

[16] https://en.wikipedia.org/wiki/BusyBox

Figure 42: Mirai tries to bypass DDoS protection

Open-Source Attack Tools Open Pandora’s Box

The act of leaking or flat-out releasing source code of advanced hacking tools isn’t new. It has happened numerous times, especially with high-profile and advanced malware families, such as Citadel, Carberp and SpyEye, which have been responsible for losses measuring in the hundreds of millions of dollars. Once dangerous tools are released to the public, they can be downloaded—and modified and enhanced—by anyone.

Figure 43: “I made my money, there’s lots of eyes looking at IOT now” –Anna-senpai

As security reporter Brian Krebs wrote, “Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home.”

That can fuel copycats—and “enhanced” copycats. Radware performed a quick test to see how easy or difficult it would be for an average hacker to take the now open-sourced Mirai source code and extend its capabilities with a new, advanced attack vector.

Figure 44: Mirai 1.0 source code showing attack vectors including UDP, DNS, SYN, GRE, HTTP

To do this, we considered implementing several advanced attacks that are NOT currently implemented in the original Mirai source code, such as:
1. SSL attacks
2. Layer-7 HTTP attacks with JavaScript support
3. HTTP 2.0 support

These advanced Layer-7 attacks combined with the massive size and scale of IoT botnets are indeed very dangerous.

From there, we began our experiment. We were able to acquire the Mirai source code in a matter of minutes on GitHub. Compiling the bot binary and building it for the x86 platform took five minutes and did not require any programming skills.

In less than an hour, we managed to integrate another open-source attack tool called thc-ssl-dos, which can be used to launch SSL RENEGOTIATION attacks against Web servers. With some elementary coding skills, we slightly modified the code to stress servers that do not allow SSL renegotiation by rapidly establishing a new TCP connection on each SSL handshake.

Figure 45: Radware obtains the Mirai source code from one of the GitHub repositories and builds the attack bot binary

Benchmarking Our Code

We performed some basic benchmarking of our new attack vector capabilities against a target low-end server (Intel Xeon E3-1245V2, 16 GB RAM) running the Nginx 1.10 Web server (built with OpenSSL 1.0.2g). The client used to launch these attacks was sitting on a different remote server, with a latency of ~15 milliseconds roundtrip time.

Create Your Own Botnet Within an Hour
1. Download the Mirai code from GitHub (5 minutes)
2. Compile the bot binary (5 minutes)
3. Integrate other open-source attack tools (50 minutes)

Figure 46: We can see that during “peacetime,” the server CPU usage is very low (4 cores, 8 threads)

Figure 47: But when we launch an SSL attack using our “improved” Mirai bot, our server starts to get “busy” handling the incoming SSL connections

Figure 48: Running as few as two simultaneous attacks now puts our server under real stress at nearly 100% CPU on all cores

In our test landscape, we have observed that a single instance of our new Mirai code is capable of generating 350 SSL connections per second, which takes 50% of our server CPU resources. Multiple instances easily bring the server to full CPU utilization—dramatically hurting system performance and availability.

For large enterprises with high-end backend servers, load balancers, proxies and the like, 350 SSL connections per second is negligible. However, if we extrapolate this value to 100,000 instances—or even 1,000,000 instances—the resulting numbers are large enough to take down, in theory, every major website.

Of course, we need to remember that an IoT device is running on very low power and with limited CPU/network capabilities. Even so, if we take a factor of x1,000, then an IoT botnet with 20,000 zombies will generate an attack that is 20 times higher than the one we have measured.

The Economics of Botnets While much has been discussed around Mirai, IoT, “the rise of the machines” and other catchy buzz-phrases, we believe one of the most disruptive changes is the new economics model of IoT botnets.

Not so long ago, hackers were investing a great deal of money, time and effort to scan the Internet for vulnerable servers, build their army of zombie bots and then safeguard it against other hackers who might also want to claim ownership of them. All the while, hackers would keep continual watch for new infection targets that could join their zombie army.

Things have changed: Now we see millions of vulnerable devices sitting with default credentials. Bot masters— the authors and owners of the botnets—do not even bother to secure their bots after infection. After all, as Mirai demonstrates, it does not even persist infection to disk, so a simple device reboot brings it back to a clean and healthy state.

Nevertheless, this will not prevent re-infection. As we now know, it takes less than six minutes to scan the entire IPv4 space—and the time-to-infection of vulnerable devices is constantly dropping. It is now estimated to take less than an hour.

For a bot master, gaining control of powerful servers with 1Gbit cards or 10Gbit cards was considered to be the ultimate goal—the “Holy Grail.” Sometimes a hacker would pay hundreds of dollars every month for it. Often he or she would gain illegal access to it and work very diligently to hide it from others. And finding these servers— then gaining access and maintaining exclusive control—was and still is difficult and expensive.

Now with IoT botnets, we see a different picture. Instead of spending months of effort and hundreds of dollars to control a few powerful servers and several hundred infected PCs, bot masters can take control over millions of IoT devices with near zero cost.

What Now?

To date, the number of connected devices is estimated at 6 billion, while the estimated Internet user count is just 3.5 billion (though expected to grow to 13 billion by 2020).[17] This shift points to a different economy—and requires changes in thought and action.

The botnet attacks of 2016 also underscore the need to move beyond IoT security as an afterthought. IoT platforms and devices need to be designed—from the ground up—to be secure. Right now it is far too simple to victimize IoT devices; all it takes is telnet and a limited list of factory default usernames and passwords to generate botnets of unimaginable proportions. And this is only the beginning.

Reducing the potential impact of IoT botnets should be a combined effort by all IoT stakeholders:
1. “Smart appliance” manufacturers need to be mindful of producing resilient products with robust security components.
2. To protect enterprise customers, network carriers need the ability to detect and manage traffic that originates from such devices.
3. Enterprise customers should understand that when making a security investment to protect their infrastructure and assets, they need to be able to protect not only against today’s threats, but also against those that will arise in the next three to five years.

The bottom line: The effort and money we’ve been expending to build defenses is no longer proportional to attackers’ investments. It is time to review the attack landscape, re-evaluate the architecture of defense mechanisms and consider how best to defend against higher-order-of-magnitude attacks.

Evolve and Adapt: Why DevOps is Raising the Bar for Security Solutions

Agile development practices and DevOps are reshaping how organizations work. They’re fueling tighter collaboration between IT and the business—and enabling frequent changes to systems and processes. The upside: organizations can more quickly capitalize on emerging opportunities and challenges. The downside: it’s harder than ever to stay secure. In an environment of continuous integration and delivery, how can security keep pace?

As organizations work to drive higher IT and organizational performance, many are embracing agile and DevOps methodologies. These approaches emphasize strong connection between IT and the business and focus on continual improvements. They also strive to speed up delivery while improving quality, security and business outcomes.

For its 2016 State of DevOps Report, Puppet Labs surveyed 4,600 technical professionals. In analyzing the results, Puppet identified three types of organizations:
• High IT performers, which complete multiple deployments per day
• Medium IT performers, which deploy between once a week and once a month
• Low IT performers, which deploy once per month or less frequently

The study found that high IT performers deploy 200 times more frequently than low IT performers. Further, their lead times are 2,555 times faster and recovery times are 24 times faster than their low-performing counterparts. It would be tempting to assume that frequent deployments could lead to higher failure rates. However, one of the study’s surprising findings is that high IT performers have three times lower failure rates. These high IT performers also spend 22% less time on unplanned work and rework—reflecting a high level of quality.18

According to another industry study, 20% of organizations emerged as advanced adopters of DevOps.19 Similarly, in Radware’s latest survey, 18% of respondents told us they deploy application changes to production at least once a day, suggesting that they are high IT performers.

The trend is clear: agile development practices and DevOps have become mainstream. What does it mean for security?

[17] http://www.internetlivestats.com/internet-users/
[18] https://puppet.com/company/press-room/releases/puppet-2016-state-devops-report-addresses-most-pressing-issues-devops
[19] Assembling the DevOps survey by Freeform Dynamics

Bridging the Gap

While DevOps offers tangible advantages in terms of improved quality and speed to market, it introduces complications for implementing and auditing security controls. Among the issues: constantly changing assets, continuous deployments and a breakdown in traditional segmentation of duties. Indeed, how best to integrate security into DevOps remains a pressing challenge for all stakeholders. And while security objectives should be prioritized alongside other business goals, in reality implementations often fall short.

Chalk it up to a number of traditional security tools and controls that are at odds with agile and DevOps methodologies. These include:

• Penetration testing. On average, it takes several weeks to test, produce and assess the report, and then implement necessary security changes in development and production. That cadence is clearly at odds with the pace of deployments in a DevOps model.

• Web Application Firewall (WAF). Initial implementation cycles can take weeks, while security policy modifications can take even longer—often requiring manual changes. Four out of five organizations report at least a medium degree of manual work to try and optimize their WAF.

• Code analysis methodologies. A medium-sized enterprise application can take days just to scan. The results of such a scan may reveal issues that require additional time to remediate.

Figure 49: What level of manual tuning does your application security solution require? (Low degree 19%; Medium degree 54%; High degree 27%)

Radware’s security industry survey underscores the prevalence of these traditional tools, with 75% of respondents using WAF. One-fourth said they only use one method to secure their applications (most often on-premise WAF or penetration testing) and 66% reported relying on multiple tools and controls.

Hallmarks of High Security Performance

When integration and delivery are continuous, security needs to be as well. Yet traditional security solutions are not designed to keep up with the speed and complexity driven by DevOps methodologies. The key is an adaptive security service that allows the IT organization to address two fundamental challenges:

• Keeping pace with evolving threats. An adaptive security service can detect and mitigate newly evolved threats by using a “positive” security model. In other words, the service should heuristically identify legitimate traffic—and treat all other traffic as suspect. This approach is in stark contrast to traditional “negative” models, which focus on blocking traffic that matches known attack signatures. Given the pace at which signatures emerge and change, the “negative” model is more likely to miss the latest threats. Another key capability: the ability to block attackers and spammers based on their real identity. This requires use of IP-agnostic device fingerprinting rather than IP addresses, which are continually obfuscated by attackers.

• Keeping pace with evolving assets. An adaptive security service should automatically detect new application domains, analyze potential vulnerabilities and automatically assign optimal protection policies. This should be followed by automatic identification of any changes in these applications as they are continuously integrated by developers. Automation should also support testing for newly introduced vulnerabilities, as well as patching application protections in real time to mitigate them.

Look for a continuous security delivery service that integrates detection tools, such as Dynamic Application Security Testing (DAST), with mitigation/blocking controls, such as WAFs. This combination provides immediate resolution of newly introduced vulnerabilities via automated real-time patching, as described above. Automated independent security controls with self-adjusting rules and policies can assist in conducting scans that focus on the application zones that have been changed. That saves time and accelerates detection of vulnerabilities.

Given the rate and pace of change in both external threats and internal applications, now is the time for a new paradigm for security services. Insist on a service that has been designed for agile development environments and that adapts its protections as Web applications evolve, thereby delivering effective protection at every stage of the development lifecycle.

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

05 THIRD-PARTY VIEWPOINTS

From the Corner Office: Views from a Chief Information Security Officer

Contributed by the CISO of a top-five US carrier

Top Attack Trends in 2016

1. First and foremost, we’ve seen our network—and the networks we monitor and protect—experience a tenfold increase in the volume of DDoS attacks. In August 2015, we had a little over 5,000 attacks. In July 2016, it was 55,000 attacks that we could identify. Last year, 70% to 80% of attacks were less than a minute—mostly “white noise” events (a.k.a. “hit-and-run DDoS” or “burst attacks”). This year, we’ve seen attacks falling into the one- to five-minute duration, causing random business disruptions.

2. We’ve also experienced a tremendous spike in malicious use of messaging protocols being tweaked to carry out attacks; we include MMS (Multimedia Messaging Service), SMS (Short Message Service) and traditional email in these numbers. More than 99% of the total volume in our environment we identified as being malicious or otherwise inappropriate to deliver to the customer.

3. The third trend is a large increase in mobile-specific ransomware activity targeting the two largest platforms: Android and Apple. We believe most of that activity is originating in a foreign country and being delivered via third-party app stores.

Size, Scope and Sophistication of Attacks

Volume. Across all categories of attacks, we’ve seen a large uptick in the total volume transfer that occurred. I’m not referring to gigs per second but the total volume. We saw our largest category of 500GB or higher have a four-fold increase. So in addition to a spike in burst attacks, we are also seeing longer-lasting attacks that are presenting more data.

Vectors. When it comes to vectors, attacks generally fall into three common protocols: NTP, DNS and CharGEN. Others may be used occasionally, but these are the three we see most commonly. Of those three, we’ll see for two or three months that DNS will be most common, and then it switches to CharGEN. There’s no clear pattern, which makes it hard to predict—just that the majority of attacks will use a common protocol and then it will change.

Sophistication. Attacks are also growing in sophistication. That holds true more so based on what we’ve seen with mobile-originating attacks. There’s been a sharp increase in malware targeting Android devices and then leveraging them for DDoS events. Many of those malware packages we’ve identified weren’t written specifically for DDoS events. It’s typically ad clicking or some other purpose, but we’ve seen some very advanced malware being leveraged for DDoS.

Best Practices in Managing Security

We have a third party that serves as our Tier 1 Security Operations Center (SOC), the traditional security analyst team that looks at everything as if through a magnifying glass. They’re the first ones expected to receive the alarm out of our event management system.

We’re safeguarding thousands of apps—applications in our own corporate environments, applications for our enterprise customers and more than 20 million subscribers ranging from hotspots with connected Windows and devices to Android and Apple devices. We lean on our vendor’s Emergency Response Team and Advanced Services group to help us validate an appropriate implementation of our security policies. These are high-value devices so we want to ensure we’re getting maximum value for those dollars, and those teams help us achieve that.

One of the first things I do every morning is go to our dashboards, which display alarms and DDoS trends in an executive view. Our SOC is looking at metrics on a 24x7 basis and our manager and director levels are looking at these dashboards daily. We’ve established five severity categories for attacks and each is further broken down by event or total volume transfer. Our goal is to provide the business with the complete story.

If an event falls into one of our two highest-severity categories (we average one highest-severity event per week and one to four second-highest-severity events per day), we have an incident management process that is initiated. First, we immediately notify various members of our security and broader carrier/technology organization. Second, we take a deep dive into the threat intelligence. Was the attack part of something broader—geopolitical, script event, collateral damage? Third, we present our findings as they pertain to any potential impact it may have caused. We provide per-incident analysis and, if needed, we have different thresholds in place on when and how to communicate. The bottom line: we’re analyzing each and every event in some manner, and thanks to how our security architecture has been built and how we manage our IP space, determine who was targeted. Generally speaking, nine out of 10 events target our customers and the rest target our corporate assets.

On a daily basis, I am asked the question, “Why?” I don’t have a quantified response other than a gut feeling. However, those feelings are reassured and backed by our program development and threat intelligence. We leverage a series of tools to identify that attacks are increasing. We’re now pretty confident that more and more advanced malware is being produced targeting the Android platform in particular.

Black Friday: From Crisis to Confidence

When we first deployed a DDoS protection solution back in 2010, we actually had it on the network in a monitor-and-alert mode because at that time we didn’t see a great enough risk to justify putting those devices inline as a permanent configuration. We would have them inline as we identified specific risks. A number of times we were referenced in a campaign, so we placed those devices inline during that high-risk period and then pulled them back out. But several years ago, we made the decision to place them inline.

On Black Friday 2015—the busiest retail day of the year—we were the target of a large attack. I was able to send an email to our senior execs letting them know that it had occurred and we blocked it with a 100% effective rate. That was a big win for our security team.

You simply cannot paint a broad brush in architecture and platforms. You may protect 99 of 100 apps, but if that one app might be business critical, you still failed. Not all code development has the same level of quality or standards, and we’ve had to take that in account. Regardless of size or industry, an organization will have a reasonable, if not definitive, population of assets it’s trying to protect. Solutions must have a broad range of coverage—focusing not just on traditional network protocol protections but also offering high quality in session management and all the various techniques, like hold-down timers and HTTP protections.

When I have an incident, I have a very high level of confidence that when I engage Radware’s ERT, I’m getting support from some of the world’s leading cyber security experts.

Above all, I tell people that if they feel they are at increased risk for DDoS attacks, they should not underestimate the level of commitment required for maintaining these platforms. Attacks and techniques change daily. You need flexible solutions and the ability to make adjustments just as frequently to protect the business. Pull those levers to keep pace with ever-changing threats to your applications and networks.

From the Frontlines: How a Multinational Bank Handled a Ransom Threat and SSL-Based Attack

Contributed by Senior Network Architect, EMEA multi-national banking group

In this contributed piece, the Network Architect shares his notable experiences protecting this financial services organization’s network perimeter from cyber security threats during the past 12 months.

Managing the Ransom Reality

Cyber ransom is a growing threat across industries, and we have experienced this phenomenon firsthand. In November of 2015, our organization received a typical ransom email from the Armada Collective, which was quickly followed by a teaser flood attack that the bank proactively mitigated. We actually detected and mitigated the teaser flood attack before we discovered the email, which had been sent to an unattended mailbox while the company was closed. With a hybrid DDoS mitigation solution in place, the flood attack had no impact and was immediately diverted to a scrubbing center for cleanup.

Our organization is geographically separated from the rest of the world. This has implications on both the organization’s ability to protect itself (for instance, in terms of latency in times of diversion) and also limits the ability of hackers to use volumetric attacks; hackers can’t get even half a terabyte of traffic here. For us, a teaser attack may bring 300 megabytes of traffic. As a safety precaution, when we receive a flood attack and ransom note, we divert network traffic to the scrubbing center of our DDoS mitigation vendor, Radware, before the ransom payment deadline. We believe that hackers executing the ransom attack will observe the traffic being diverted and will realize the futility of launching a teaser attack. We also believe that it sends a clear signal to Armada Collective and other ransom groups. By taking powerful and decisive action, we send the message that we won’t be victimized.

In April of 2016, we received another ransom email purporting to be from Lizard Squad. Because we communicate frequently with our local banking risk management association, we learned that the emails were from a copycat. Since we identified it as a hoax, we decided not to divert traffic. However, we did receive a small teaser attack and relied on Radware’s Emergency Response Team of experts for support.

Facing the Camouflaged Traffic Flood

Since the beginning of 2016, the diversity of attack vectors has increased and the bank has experienced a four-fold increase in burst attacks. At the same time, attacks lasting more than an hour are decreasing. The trend seems to be shifting toward very short, “hit and run” assaults.

Yet not all attacks are burst attacks. In September 2016, we received an attack that was relatively small (only 2-3 Gbps) but lasted over four hours and gradually evolved in several stages. First, we noticed that some of the attacks were ping-back attacks. We experienced attacks of 16,000 SYN connections which were mitigated via our on-premise DDoS protection appliance. After the Half-SYN attack, there was an HTTP flood with about 2,000 sources in the attack, which was also successfully mitigated. However, we had difficulty mitigating the full HTTPS flood attack. It was the first time we experienced an encrypted attack, highlighting the need for dedicated protection against encrypted attacks that leverage SSL standards to evade security controls.

Normally the bank faces UDP fragmented attacks followed by a DNS reflective attack. In this case, we were hit with a typical SSL attack that we were not prepared to mitigate. Typically attacks only last three to four minutes and immediately follow each other, but this SSL attack lasted an hour and a half, putting our defenses under tremendous stress because of the computing resources the attack consumed. In fact, we generated so much response load that it pushed our outbound connection to its limit; it tripled our usual throughput.

Lessons Learned

1. The benefits of behavioral analysis over rate-limiting analysis. In the past, the bank tested a DDoS mitigation solution that leveraged rate-limiting technology and discovered that using behavioral analysis provided a significant advantage. Since it doesn’t block legitimate traffic, it enables us to maintain our service levels.

2. The importance of time to mitigation. By having the ability to develop attack signatures in real time, we have been able to mitigate attacks in as little as 20 seconds. Our traffic pattern during the day is heavy and at night it’s quieter, so we had to do some fine tuning to reflect different behavioral traffic patterns at different times of the day.

3. The advantages of a single vendor hybrid DDoS protection solution. The baseline on our perimeter and the baseline on the Radware scrubbing center are now identical. As a result, we can mitigate attacks faster versus another solution that would have to reanalyze traffic in the cloud again, or require a lot of manual tuning to reach the same protection level.

4. Let the experts deal with attacks. Because we are backed by Radware’s Emergency Response Team, we can focus on our daily tasks knowing that we can rely on their expertise within seconds. It means the bank isn’t required to have that expertise in-house, which is important since the attack landscape is always evolving. Access to this level of expertise should be part of any response and business-continuity strategy.

Our networking team preferred no form of Border Gateway Protocol (BGP) on-ramping or off-ramping. Nor did they want a security application that would interfere with any routine decisions. We suggested leveraging Radware’s Cloud DDoS Protection and a flow monitor that is deployed out-of-path so the bank’s IT security team only engages with larger attacks that cross certain bandwidth thresholds. That all takes time and short, low-bandwidth attacks could “fly under the radar.” With the behavioral engine, we can detect smaller, shorter attacks. With another DDoS mitigation solution, we would never have detected those attacks.

Tips for Financial Service Security Professionals

In this part of the world, there is a belief that hard-to-detect attacks do not represent a critical threat, but for a bank, nothing could be further from the truth. We feel the most effective way to protect our organization’s infrastructure in the event of an attack is to have protection installed in-line. This eliminates the need to analyze events and reroute traffic and eliminates any infrastructure obstacles to successfully mitigating an attack. There’s increased visibility because the solution is always on. With automated attack mitigation—including behavioral analysis that delivers continuous visibility and forensics—we’ll never be left vulnerable to evolving DDoS attacks. Detect where you can; mitigate where you should.

See Through the DDoS Smokescreen to Protect Sensitive Data

Contributed by Paul Mazzucco, CISO, TierPoint

DDoS attacks can be costly and risky. TierPoint is witnessing a growing trend of using such attacks as the means to another, potentially more devastating, end: stealing sensitive data. Call this new breed of attack the “DDDoS”—deceptive distributed denial-of-service. For two recent examples, look to attacks on Carphone Warehouse and Linode. By bombarding Carphone Warehouse with online traffic, hackers were able to steal the personal and banking details of 2.4 million people. Similarly, cloud provider Linode suffered more than 30 DDoS attacks that appeared to be a ruse to divert attention away from a breach of user accounts.

With these “DDDoS” attacks, cybercriminals distract business and IT resources to pursue larger objectives. The most recent Radware security industry survey shows that a growing number of security leaders are aware of escalating threats.

These are true concerns. DDoS as a smokescreen isn’t new. Yet, as with so many cyber security trends, its rise can be traced to financial motives. The value of stolen data on the dark market entices would-be cyber-delinquents to find ways to get access to it. The Darknet offers a marketplace for capturing that value. Consider the following, based on research by McAfee:

• Average estimated price for stolen credit and debit cards: $5 to $30 in the United States, $20 to $35 in the United Kingdom, $20 to $40 in , $21 to $40 in Australia and $25 to $45 in the European Union
• Bank login credentials for a bank account with a $2,200 balance: $190
• Patient Health Information (PHI): $500 to $1,800 depending on patient age and insurance coverage
• Login credentials for online payment services, such as PayPal: $20 to $50 for account balances from $400 to $1,000; $200 to $300 for balances from $5,000 to $8,000 [20]

Why Attacks Succeed Lack of preparedness for DDoS detection and mitigation is a boon to cybercriminals. Indeed, about two-thirds of businesses are still mitigating attacks with tools not designed for DDoS. Traditional firewalls, Web application firewalls, switches, routers and ISP-based protection solutions are unlikely to save a business from a DDoS attack. In fact, firewalls often create bottlenecks and accelerate outages. Unfortunately, due to inappropriate DDoS mitigations in place, organizations expose themselves not only to DDoS but also to other data-theft oriented attacks that arrive in conjunction with the DDoS attack. The unintended consequence? Companies not only suffer data leakage and reputation loss; the human and technological resources involved in rectifying the situation are at least doubled.

TierPoint observations and experience point to these as the most common vectors for DDoS smokescreen attacks:

• Encrypted/non-volumetric attacks. This includes protocol attacks, such as SYN floods, fragmented packet attacks and Pings of Death. These types of attacks consume actual server and/or firewall resources. Such resource starvation attacks use service calls to the IP stack, such as TCP-SYN requests and calls to the underlying authentication or , to tie up and eventually overwhelm system memory and computing processes.
• Application-layer attacks. These include Slowloris and zero-day DDoS attacks, as well as DDoS attacks targeting Apache, Windows or OpenBSD vulnerabilities. Built around seemingly legitimate and innocuous requests, these attacks aim to crash the Web server. Their magnitude is measured in requests per second.
• Volumetric attacks. These include User Datagram Protocol (UDP) floods, ICMP floods and other spoofed-packet floods. The goal: to saturate the bandwidth of the attacked site. Magnitude is measured in bits per second.

[20] TierPoint’s source for all of these data points: http://newsroom.mcafee.com/press-release/mcafee-labs-report-reveals-prices-stolen-data-dark-web
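The bank’s first two lessons earlier in this chapter (behavioral baselines beat a fixed rate limit, and the baseline has to follow the day/night traffic profile) and TierPoint’s three vector classes above, worked through in one added Python example. This is illustration code, not the bank’s, Radware’s or TierPoint’s; the traffic history, the one-minute samples, the static limits and the 3x factor are all constructed for the example, and a sample is reduced to one number per vector class (bits/s, requests/s, half-open SYNs/s).

```python
"""Behavioral (per-hour baseline) vs. static rate-limit DDoS detection, with the
tripped metric mapped to TierPoint's three vector classes. Added illustration;
not the bank's, Radware's or TierPoint's code. Every sample, baseline value and
threshold is constructed for the example."""
from collections import defaultdict
from statistics import mean

# One minute of traffic is summarised as three numbers, one per vector class.
METRICS = ("bps", "rps", "half_open")
VECTOR = {
    "bps": "volumetric",            # inbound bits/s
    "rps": "application-layer",     # HTTP requests/s
    "half_open": "protocol",        # SYNs/s that never complete the handshake
}


def constructed_history(days: int = 7) -> list:
    """Constructed 'normal' week: busy 08:00-19:59, quiet at night, +/-6% jitter."""
    samples = []
    for day in range(days):
        for hour in range(24):
            busy = 8 <= hour < 20
            jitter = 1 + 0.03 * ((day + hour) % 5 - 2)
            samples.append({
                "hour": hour,
                "bps": (200e6 if busy else 20e6) * jitter,
                "rps": (400 if busy else 40) * jitter,
                "half_open": (20 if busy else 2) * jitter,
            })
    return samples


def learn_baseline(history: list) -> dict:
    """Mean of each metric per hour of day: the day/night profile the bank tuned."""
    buckets = defaultdict(lambda: defaultdict(list))
    for s in history:
        for m in METRICS:
            buckets[s["hour"]][m].append(s[m])
    return {h: {m: mean(vals) for m, vals in ms.items()} for h, ms in buckets.items()}


# A rate limiter carries one fixed number per metric for the whole day
# (constructed values a team might pick so that daytime "usually" fits).
STATIC_LIMITS = {"bps": 300e6, "rps": 350, "half_open": 500}


def static_verdict(sample: dict) -> list:
    """Vectors flagged by fixed thresholds, regardless of time of day."""
    return [VECTOR[m] for m in METRICS if sample[m] > STATIC_LIMITS[m]]


def behavioral_verdict(sample: dict, baseline: dict, factor: float = 3.0) -> list:
    """Vectors flagged because the metric exceeds `factor` x the mean for that hour."""
    expected = baseline[sample["hour"]]
    return [VECTOR[m] for m in METRICS if sample[m] > factor * expected[m]]


def compare(sample: dict, baseline: dict) -> dict:
    return {"static": static_verdict(sample),
            "behavioral": behavioral_verdict(sample, baseline)}


BASELINE = learn_baseline(constructed_history())

# Constructed one-minute samples.
LUNCHTIME_PEAK   = {"hour": 13, "bps": 230e6, "rps": 460, "half_open": 24}     # legitimate
NIGHT_HTTP_FLOOD = {"hour": 3,  "bps": 25e6,  "rps": 200, "half_open": 3}      # small, quiet hour
DAY_SYN_FLOOD    = {"hour": 11, "bps": 210e6, "rps": 340, "half_open": 16000}
NIGHT_UDP_FLOOD  = {"hour": 2,  "bps": 2.5e9, "rps": 40,  "half_open": 2}

if __name__ == "__main__":
    for name, s in [("lunchtime peak", LUNCHTIME_PEAK), ("night HTTP flood", NIGHT_HTTP_FLOOD),
                    ("day SYN flood", DAY_SYN_FLOOD), ("night UDP flood", NIGHT_UDP_FLOOD)]:
        print(f"{name:18s} {compare(s, BASELINE)}")
```

Two of the four samples separate the approaches: the static limit fires on the legitimate lunchtime peak (the false positive that costs service levels) and stays silent on the small night-time HTTP flood that is five times the quiet-hour norm (the attack that “flies under the radar”); the large SYN and UDP floods are caught either way, and the metric that tripped names the vector class, which is what decides whether the on-premise appliance or the scrubbing center should take it.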

Mounting a Defense

Given their reach and impact, DDoS attacks are no longer an issue for just the security team or IT department. Such attacks—particularly when used as a smokescreen for more nefarious tactics—are now an executive and board-level concern:

Figure 50: Security and the C-Suite: Threats and Opportunities, Radware, 2016 (Yes: Total 82%, U.S. 86%, U.K. 77%; No: Total 18%, U.S. 14%, U.K. 23%)

TierPoint is witnessing a growing percentage of organizations turning to hybrid IT solutions to address security risks and concerns. This approach incorporates a mix of cloud and managed security services with products and services employed at a business’s own data center.

An example is an organization combining a mitigation appliance and a mitigation service. While the appliance blocks attacks at the application layer, a cloud-based service scrubs higher volumes of malicious traffic. In the financial services industry, 45% of institutions have already adopted this approach.

As the stakes get higher—and the “smoke” grows thicker—TierPoint advises organizations to solidify a strategic DDoS detection and mitigation plan before an attack takes place. This includes understanding your risk profile and tolerance as well as determining the right balance of managed security services and security solutions administered internally.

Adaptive Security: Changing Threats Require a New Security Paradigm

Contributed by Enterprise Security & Risk Management, Tech Mahindra

As organizations continue to embrace the digital evolution, a growing number of assets are being connected to the Internet. In fact, most organizations are now using cloud-based applications to power operations. With this shift, IT infrastructures have become more distributed. Applications are now accessible from anywhere and personal devices are being used to conduct business. Together, these realities have blurred the boundaries of the traditional network perimeter.

Attackers operate under a host of motivations—from hacktivism to monetary gain. No matter their intent, attackers benefit from the trend toward distributed IT, which increases the threat surface. Gone are the days when bolt-on and “afterthought” security architectures were sufficient. Static firewalls and intrusion detection or prevention solutions (IDS/IPS) woven around the asset simply cannot provide adequate protection. That is because static firewalls and IDS/IPS are fed known attack and protocol behavior and are not aware of the assets they protect. They are not cognizant of network behavior and are unable to protect against emerging attacks.

If those approaches don’t work, what does? Tech Mahindra believes there is a need to realign security architecture by focusing on ensuring application availability and preserving user experience while protecting applications from both volumetric DDoS attacks and exploitation of vulnerabilities. In designing such a strategy, there are two important prerequisites for success:

1. Know Your Assets. This includes components such as web and mobile interfaces, databases, development and test cycles, operating systems, where applications are being deployed, by whom and from where the infrastructure is being accessed. Understanding these variables is an important requirement for reducing the attack surface within the environment.

2. Map Your Risks and Take Steps To Reduce Them. Often attack activity goes unnoticed for significant periods of time. Thus, it’s crucial to understand attackers: how attacks have evolved over time, which direct and indirect strategies an attacker might unleash against assets, and the hacker’s “mindset” to help in identifying attacks that may have gone undetected and thwarting future attacks.

With applications being updated frequently, development and test cycles have shortened, and workloads have become dynamic. In many organizations, time-to-market pressures, lack of resources and lack of awareness and focus on security converge to create security gaps in applications. As a result, it has become critically important that security be highly adaptable—with continuous adjustments to address fast-changing applications and threats. With an adaptive security approach, an organization can establish an effective security architecture for mitigating threats—both known and unknown.

Tech Mahindra’s View on Adaptive Security At Tech Mahindra, we see three key building blocks for adaptive security:

1. Continuous Proactive Assessment. Adaptive security requires continuous assessment of an organization’s infrastructure and applications. Continuous assessment via manual and automated tools generates a security baseline that can be tracked and improved upon. With applications as key attack targets, the assessment must also evaluate the application development phase, thereby preventing vulnerabilities from creeping into the production environment. Recent attacks originating from IoT devices have illustrated the danger of device manufacturers failing to consider potential risks and vulnerabilities within their devices. Just as manufacturers are being held to higher standards, so should application developers. Incorporating security right from the start will help identify any vulnerabilities during the development stage so that sufficient controls, such as secure communication, authentication and authorization, can be integrated. In other words, when new code or a new application is deployed into production, it must pass through these security assessments.

2. Situational Awareness. Adaptive security must continually evolve at run time to address ever-changing application and user behaviors. Contextual information from continuous monitoring is a key input for an effective adaptive security strategy. With this approach, the security architecture is not entirely dependent on the traditional signature-based threat information but is instead based on real-time situational awareness. Continuously evolving security requires complete awareness of the assets being protected—such as the core network, applications and endpoints—and user behaviors related to those assets. If new code or a new application is deployed, the architecture detects the change and fine tunes the policies vis-à-vis any new vulnerabilities. Volumetric DDoS attacks are a constant threat to online IT assets, with attackers typically merging malicious traffic with benign traffic (sometimes even using encrypted protocols). Thus, the ability to analyze traffic behavior and recognize user traffic patterns using various parameters, together with maximum detection accuracy, is key to dropping only malicious traffic and preventing any service degradation.

3. Automation. When organizations deploy best-of-breed security solutions, these solutions almost always operate in silos. Automation in security can enable organizations to design a security architecture where security functions coordinate with each other, share information and respond dynamically to attacks. For example, adaptive defense mechanisms can use signaling or other forms of messaging between security controls; they can auto-learn new attack patterns; and they can accelerate time to mitigation through real-time creation of protections. Ultimately, automation is about prevention rather than detection alone—and it empowers organizations to secure themselves at the speed of attacks. Automation in security can enable siloed security modules to work as a synchronized system—operating with minimal intervention and significantly improving both incident response time and resource consumption. Just as dynamic business environments lead organizations to adapt, so does the threat landscape. With distributed, heterogeneous information architectures, application protection can no longer count on static models, but rather must include advanced mechanisms like real-time auto-learning and self-updating to provide seamless and continuous protection of an organization’s most critical digital assets.

Tech Mahindra Security Service Portfolio includes Security Consulting, Identity Access Management, Application Security, Infrastructure Security and Threat Management. We continuously help our customers in their journey towards the mature security posture. Tech Mahindra’s global partnership with Radware for on premise and cloud-based security solution is in line with the continuously adaptive security approach.

06 BUILDING A CYBER-RESILIENT BUSINESS

View cyber-attacks like parasites: not always visible, not always felt, but with plenty of potential to affect your operational efficiencies, service level agreements, and computing resources. All of those impacts bring potentially high costs. Do everything you can to understand the potential impact and build an effective incident response team so you can rein in these “parasites” and limit damage to your business.

Calculating the Cost of Cyber-Attacks

Despite the prevalence of cyber-attacks, Radware’s 2016 industry survey reveals that the vast majority of the world’s security experts (73%) have not devised a formula for calculating the financial impact of the attacks they suffer. Rather, they rely on estimates. Unfortunately, those estimates tend to be significantly lower than the findings of those who calculate actual costs. Most security experts (54%) estimate the impact of each cyber-attack at less than $100,000; only 12% estimated the cost of an attack to be $1 million or more (see Figure 51).

Figure 51: How much do you believe an attack costs your business? (USD/EUR)

Less than 100,000: 54%
100,001 - 250,000: 17%
250,001 - 500,000: 10%
500,001 - 1M: 8%
1.1M - 3M: 6%
3.1M - 5M: 2%
5.1M - 10M: 2%
10M+: 2%

Interestingly, the survey found significant differences in estimates based on the geographic location of the business. Nearly 80% of European businesses think an attack does not cost them more than $250,000. Their counterparts in Asia put forth a much higher average: $1.25 million per attack. U.S.-based respondents fell somewhere in the middle, estimating the cost of attacks at 33% more than security professionals in Europe but $500,000 less than those in APAC.

Figure 52: Differences in estimates across geographies (USD/EUR; a letter after a value marks the region it differs from significantly: A = North America, B = Europe, C = APAC)

| Region            | <100K  | 100K-250K | 250.1K-500K | 500.1K-1M | 1.1M-3M | 3.1M-5M | 5.1M-10M | 10M+ |
| North America (A) | 52%    | 8%        | 18% B       | 10%       | 7%      | 2%      | 2%       | 2%   |
| Europe (B)        | 63% AC | 15%       | 8%          | 9%        | 2%      | 1%      | 1%       | 2%   |
| APAC (C)          | 47%    | 16%       | 10%         | 11%       | 5%      | 3%      | 6%       | 1%   |

Similarly, this year’s survey uncovered differences across business sectors. While educational institutions continue to underestimate attack costs, healthcare, government and technology organizations are well aware of the risks. Indeed, such organizations provide estimates that are five times higher than education respondents’ estimates. For healthcare and government, this better understanding of risk may be associated with the sensitive nature of the information under their care. Respondents from retailers provided an above-average estimate of $800,000 per attack. After all, retailers depend on optimal service availability to run their operations; once hit with an attack, losses are immediate. Surprisingly, financial services organizations provide a relatively moderate estimate of just $500,000 per attack.

Figure 53: Estimated cyber-attack cost by sector (Government, Healthcare, Tech, Professional Services, Retail, Telecom, Finance, Education; scale $0 to $1,200,000)

Those organizations that do calculate monetary consequences of attacks cite a number of factors that they take into consideration. For at least half, reputational damage and online revenue loss are factors. Other drivers include SLA fees, legal damage, compliance and processing of unwanted traffic.

Figure 54: Which of the following does the calculation for cost of attacks include/factor?

Financial impact of reputational damage: 54%
Online revenue loss from users: 49%
SLA fees: 47%
Legal damages: 43%
Compliance fees: 43%
Processing of unwanted attack traffic: 41%
Other: 5%

The average cost among businesses that calculate the impact of a cyber-attack is almost double the estimate of other businesses: $1.1 million versus $620,000. Businesses that actually quantify their costs reported potential losses of more than $1 million at double the rate of the guessers (18% versus 9%). As expected, the findings showed a strong correlation between the size of an enterprise and the reported losses.

Calculate the Real Cost of a Cyber-Attack

  Reputational damage
+ online revenue loss
+ SLA fees
+ legal damage
+ compliance costs
+ handling bad traffic
= Actual cost of a cyber-attack

The survey findings point to some interesting variations by vertical market. Among them: a higher likelihood for underestimating by the education and media sectors, a tendency by government security professionals to believe that cyber-attacks cost as much as $1 million, and tech and professional services companies reporting the highest amounts, followed by government and financial services entities.

The bottom line? Cyber-attacks are more expensive than many organizations assume, making them a significant blind spot. By more accurately understanding and precisely calculating all of the financial impacts, security teams can make a stronger case for funding—and use that funding to prepare more effectively and become a cyber-resilient business.

Figure 55: Average attack cost (thousands of dollars): Calculating 1,100; Guessing 620

| Estimated cost per attack | Total | Professional Services & Consulting | High Tech Products & Services | Banking & Financial Services | Education | Government/Civil Service | Retail/Wholesale/Online | Media/Telecom |
|---|---|---|---|---|---|---|---|---|
| Less than 100,000 | 54% | 54% | 57% | 50% | 74% | 44% | 54% | 70% |
| 100,001 - 250,000 | 17% | 21% | 10% | 18% | 17% | 20% | 14% | 12% |
| 250,001 - 500,000 | 10% | 7% | 9% | 14% | 4% | 12% | 11% | 9% |
| 500,001 - 1M | 8% | 8% | 12% | 7% | 4% | 10% | 11% | 3% |
| 1.1M - 3M | 6% | 2% | 4% | 9% | 2% | 2% | 3% | 6% |
| 3.1M - 5M | 2% | 3% | 1% | 1% | 0% | 5% | 3% | 0% |
| 5M - 10M | 2% | 1% | 1% | 1% | 0% | 5% | 5% | 0% |
| 10M+ | 2% | 4% | 5% | 0% | 0% | 2% | 0% | 0% |

Figure 56: How much do you believe an attack costs your business?

Planning a Cyber-Combat Strategy

In addition to querying security experts about quantifying cyber-attack costs, Radware also inquired about how organizations currently respond to such incidents. Forty percent of global respondents still lack a formal incident response plan. That’s a dangerous shortcoming. After all, cyber-attacks by definition disrupt “business as usual.” How can you plan what to do if you don’t know which resources will be available at the moment of attack?

Of course, not all attacks are created equal. For many organizations, dealing with a certain threshold of low-level attacks has become commonplace. But some actually cause serious disruptions that pose a potential threat to the business—and must be handled immediately. How can you tell which is which?

Step 1 – Map Your Risks

You may be spending significantly on penetration testing and the latest technology for endpoint protection all the way down to BYOD mobile phones. Even so, you may be overlooking critical gaps. Think about everything. Use a bidirectional process where you draw your organization from the inside out, understanding your current information security architecture and looking for vulnerabilities. Consider who might want to hurt you, why and what means they may have to do so. These actors may include hacktivists, ransomers, competitors or even disgruntled insiders or customers.

Step 2 – Understand the Impact

Some costs can be easily added to the equation: What’s the cost of a minute of downtime? An hour? Are there any legal fees or compliance fines you would face if compromised? What would be the daily cost of investigating an attack (factor in-house labor as well as the costs of executives’ attention and technology partner services)?

Other financial impacts are harder to pin down. A prime example is reputational impact, which can vary depending on the severity of the attack and how much time your organization spends in the headlines.

Step 3 – Prioritize Critical Missions

After estimating the different impacts, it becomes easier to determine what is essential for the organization to continue functioning. Prioritize business procedures and processes, engaging executive management both for their input as well as their endorsement and resource allocation. As much as possible, use key performance indicators to help measure the efficiency of the incident response plan.

Step 4 – Choose Your Squad

Once you have defined the critical processes, identify the dedicated personnel to run them. The incident response plan cannot be the sole purview of the cyber security team; other key players in the organization must also know how to orchestrate critical missions when enmeshed in a crisis. For the information security aspects of the breach, your team must include the best security experts in the organization. They should not only know how best to configure the product, but also know how to think like a hacker.

The “textbook” incident response team has system administrators who are very familiar with IT resources and how to backup data; network administrators who know network protocols and can dynamically reroute traffic; and information security personnel who know how to thoroughly track and trace security issues as well as perform post-mortem analysis of compromised systems.

Radware’s industry survey reveals that one-third of organizations have an incident response team with proven technology talents. Another fifth say their team has experts with a long track record in IT security. Another fifth told us they have a mixture of hackers, experts and tech talent. Alarmingly, a similar percentage reports having no incident response team at all. In terms of experience and skills, those with a combination of all three—tech, security and hacker expertise—were most likely to report having experienced and successfully mitigated attacks. Those who are solely white-hat hackers indicated that they experienced these attacks but did not mitigate them.

Figure 57: Which of the following statements best describes your incident response team?
Tech talents within organization: 34%
Experts in IT security: 21%
Don’t have an in-house IR team: 21%
Mixture of all three: 19%
White hat hackers: 5%

Although it may not always be possible, strive for personnel redundancy within your incident response team. If depth in core areas is not applicable to your organization, cross-train whenever possible. For any organization, entrusting the “key” to data safety and integrity to a single individual puts the entire enterprise at extreme risk.

Step 5 – Test, Revise, Adapt

An incident response plan is never “complete.” After all, the threat landscape is dynamic. So is every business and its network, information and collection of vendors it relies on to support operations. When a crisis occurs, there is no room for error; your response must be rapid and decisive. To meet that high standard, routinely stage “emergencies” and practice responding to them. In doing so, your organization will develop a methodology that fosters speed and accuracy while minimizing the impact of unavailable resources and potential damage should an actual crisis occur. These simulations should involve not only the cyber security response team but also those responsible for the communications plan, along with your technology partners, service providers and relevant executive leaders.

Emergency response plan in place (total): Yes 60%, No 40%
Practices included in the plan:
Conducting post-event data collection/analysis: 53%
Keeping a hard copy of emergency procedures: 52%
Email notifications for customers and partners: 51%
Regularly practicing possible scenarios with decision makers and key personnel: 43%
Using a SIEM system for alerts and classification: 42%
Setting a war room with security experts at immediate call: 40%
Auto synchronization with DRC to protect data: 32%
External communication via social media and/or company’s website: 29%
A remotely triggered black hole (RTBH)/traffic diversion: 23%
Keeping Bitcoin on hand in the event of ransom attacks: 7%
Other: 4%

Figure 58: Do you have a cyber security emergency response plan? If yes, which of the following practices does your plan include?

If you are relying solely on in-house resources for incident response, practice is even more crucial. This year’s survey found that most respondents turn to in-house emergency response teams when they need to mitigate a cyber-attack. Companies in APAC are more likely than those in North America and Europe to rely on security vendors (50% versus 30% and 24%, respectively).

In-house emergency response team: 68%
Service provider: 39%
Security vendor: 32%
3rd party consultant/expert: 27%
Other: 3%

Figure 59: Who do you turn to when you are under attack for cyber-attack mitigation?

In security, it is generally wise to invest in prevention over detection. With cyber-attacks likely to impact every business in some capacity, preparation is a major step toward mitigating successfully and minimizing the financial, reputational and legal havoc an attack can wreak.

07 CYBER SECURITY PREDICTIONS: LOOKING BACK AT 2016, PEERING AHEAD TO 2017

2016: What a year! IoT threats became a reality and somewhat paradoxically spawned the first 1 Tbps DDoS—the largest DDoS attack in history. Radware predicted these and other 2016 events in the 2015–2016 Global Application and Network Security Report. Since initiating this yearly report, we have built a solid track record of successfully forecasting how the threat landscape will evolve. While some variables stay the course, the industry moves incredibly quickly, and it takes just one small catalyst to spark a new direction that nobody could have predicted.

Let’s take a look back at how our predictions fared in 2016—and then explore what Radware sees on the horizon for 2017.

Radware’s Cyber Security Prediction Report Card

| Prediction for 2016 | Current Status | Did We Get It Right? |
|---|---|---|
| Advanced Persistent Denial of Service (APDoS) as Standard Operating Procedure | APDoS is an attack technique that leverages multi-vector attack campaigns targeting various layers of the victim’s IT infrastructure. The majority of today’s cyber-attacks are now multi-vector. | • |
| Continued Rise of Ransom Denial of Service (RDoS) | 2016 was the year of cyber-ransom, with 56% of companies reporting being threatened. While we predicted that cloud companies would be the main targets, it turns out that ransomware affected just about every type of business. | • |
| Privacy as a Right (Not Just a Regulation) | The United States and the European Union reached the “Privacy Shield” agreement in May of 2016, followed by a debate about whether or not it accurately reflects the morals of personal privacy. [21] | • |
| More Laws Governing Sensitive Data | Under new U.S. Federal Communications Commission (FCC) rules in favor of online privacy, consumers may forbid Internet providers from using and selling their data. [22] | • |
| The Internet of Zombies | Everyone’s talking about the Mirai IoT botnet and its record-breaking volumes. | • |
| Arrival of Permanent Denial-of-Service (PDoS) Attacks (Albeit Very Slowly) | “Very slowly” turned out to be the operative words. While we have a few examples in 2016, we foresee this threat gaining momentum in 2017. | • |
| Growing Encryption to and from Cloud Applications | SSL-based attacks grew 10% year over year. Yet encrypting traffic to and from cloud applications requires additional resources, including overcoming the certificate management challenge. | • |

Figure 60 – Radware’s Cyber Security Prediction Scorecard

What’s on the Horizon – Four Predictions for 2017

For years there has been talk about the imminent threat of a dire cyber-attack that cripples society as we know it. There’s even a TV show about what it might look like. But what are the actual possibilities for such an occurrence? What follows are some very plausible cyber-attack profiles and scenarios for the upcoming year. Read them for pleasure—and preparation.

Prediction 1: Rise of Permanent Denial of Service (PDoS) for Data Center and IoT Operations

Imagine a fast-moving bot attack designed not to collect data but rather to completely prevent a victim’s technology from functioning. Sounds unlikely, but it’s possible. Permanent denial-of-service (PDoS) attacks have been around for a long time; however, this type of attack shows itself spectacularly to the public only from time to time.

Also known loosely as “phlashing” in some circles, PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of a system. It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.

One method PDoS leverages to accomplish its damage is via remote or physical administration on the management interface of the victim’s hardware, such as routers, printers or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a modified, corrupt or defective firmware image—a process which, when done legitimately, is known as flashing. This “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other attacks include overloading the battery or power systems.
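A firmware-flashing PDoS succeeds when a device applies whatever image is handed to its update path. The routine below is an added illustration, not code from the Radware report or from any device vendor, of the checks an update path should run before it writes to flash: authenticate the whole image, validate the header and the payload digest, and refuse rollback to an older version. The image layout, the `UPDATE_KEY` and the sample payloads are all constructed for the example. A production device would verify a public-key signature instead of an HMAC, so that the verifying key stored on the device is not a secret.

```python
"""Update-path gate for a constructed firmware image format.

Image layout (constructed for this example):
    header  = magic(4) | version(u32) | payload_len(u32) | sha256(payload)(32)
    image   = header | payload | HMAC-SHA256(UPDATE_KEY, header | payload)
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
# Constructed demo key; a real device would hold a public key, not a shared secret.
UPDATE_KEY = bytes(range(32))
HEADER = struct.Struct(">4sII32s")  # big-endian: magic, version, length, digest
TAG_LEN = 32


def build_image(version: int, payload: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Produce a genuine image (what the vendor's build server would emit)."""
    header = HEADER.pack(MAGIC, version, len(payload), hashlib.sha256(payload).digest())
    body = header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, installed_version: int, key: bytes = UPDATE_KEY):
    """Return (ok, reason). Nothing is written to flash unless ok is True.

    Authentication runs first so that an unauthenticated image is never parsed;
    parsing attacker-controlled headers before authenticating them is itself a
    common weakness in update mechanisms.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "bad authentication tag"
    magic, version, length, digest = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic"
    payload = body[HEADER.size:]
    if len(payload) != length:
        return False, "length mismatch"
    if hashlib.sha256(payload).digest() != digest:
        return False, "payload digest mismatch"
    # Anti-rollback: a genuine but older image can reintroduce fixed flaws.
    if version < installed_version:
        return False, "rollback to older version refused"
    return True, "ok"


def run_demo() -> dict:
    """Exercise the gate against a genuine, a tampered and a downgrade image."""
    installed = 2
    genuine = build_image(3, b"constructed firmware payload v3")
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0xFF          # flip the first payload byte
    downgrade = build_image(1, b"constructed firmware payload v1")
    return {
        "genuine": verify_image(genuine, installed),
        "tampered": verify_image(bytes(tampered), installed),
        "downgrade": verify_image(downgrade, installed),
        "truncated": verify_image(b"FWIM", installed),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} -> {result}")
```

Only the genuine, newer image passes; the tampered image is rejected on the authentication tag before its header is ever decoded, and the genuine older image is rejected by the rollback check even though its tag verifies.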

Examples include:

• An article published by Help Net Security detailed a new USB exploit that, when inserted into a computer, can render the machine bricked. According to Help Net, the latest PDoS USB attack “when plugged into a computer … draws power from the device itself. With the help of a voltage converter, the device’s capacitors are charged to 220V, and it releases a negative electric surge into the USB port.” [23]

[21] http://arstechnica.com/tech-policy/2016/02/privacy-shield-doomed-from-get-go-nsa-bulk-surveillance-waved-through/
[22] https://www.washingtonpost.com/news/the-switch/wp/2016/10/27/the-fcc-just-passed-sweeping-new-rules-to-protect-your-online-privacy/
[23] https://www.helpnetsecurity.com/2015/10/15/usb-killer-20-a-harmless-looking-usb-stick-that-destroys-computers/

• An article in Dark Reading highlighted PhlashDance, a tool uncovered by HP Labs. PhlashDance finds vulnerabilities in often forgotten firmware and binaries that sit locally on computing devices. The risk occurs when a device hasn’t been properly and upgraded. The article states that “remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue.” [24]

• Recent safety hazard incidents of the Samsung Note 7 [25] are stoking concerns about devices that can be intentionally set on fire. There have been numerous test cases of malware and bots overheating devices, causing them to physically distort or worse. These attacks, bundled into a cyber-attack, could have devastating and lasting effects beyond what we commonly think about in the world of the “nuisance” DDoS attack.

Prediction 2: Telephony DoS (TDoS) Will Rise in Sophistication and Importance, Catching Many by Surprise

Cutting off communications during crisis periods would impede first responders’ situational awareness, exacerbate suffering and pain, and potentially increase loss of life. A new cyber era could consist of multiple components—including a physical attack with a corresponding cyber-attack targeting the communications systems that first responders use to contain and minimize damage.

Can the day be far away where a terrorist attack is magnified by an effective outage of first responders’ communication platforms? If you doubt the feasibility, review this bulletin. [26] It was issued in 2013 by public safety organizations asking for assistance in cracking a TDoS attack against 911 systems.

Prediction 3: Ransom Attacks Become More Segmented, More Real and More Personal

Radware predicts that cyber-ransomers extend their reach beyond companies. In 2017, ransom attacks could get personal.

Hackers target personal implanted health devices. Imagine if your life depended on an implanted defibrillator or other medical device. Now imagine if such a device were hacked and held for ransom. The idea of hacking defibrillators is not science fiction. Cyber ransom is the fastest-growing motive and technique in cyber-attacks. Can a marriage between the two be far off? For those unfamiliar with these risks and U.S. Government-issued warnings in this category, please refer to the FDA’s Advice to Medical Device Manufacturers, a summary of FBI & DHS alerts on Internet of Things and these warnings on cyber ransom.

Public transportation held hostage. In many ways, cyber ransoming a public transportation system is the ultimate hack—empowering attackers to hold a community hostage for financial or criminal gain. If you live in , the United States or many other countries, you may have grown accustomed to railway or airline workers striking and wreaking havoc on the communities around them.

From trains and planes to buses and automobiles, our entire system of transportation is becoming more automated. This automation is meant to provide us with increased safety, improved reliability and higher efficiencies. But is it really providing those things? If you have been following cyber security threats to public transportation as closely as we have, you likely know there have already been many attacks—some of which have distinguished themselves as harbingers of future attack categories. (In case you missed it, a recent Radware post shares four real-world examples that help illustrate the problem.)

Just as other forms of transportation face increased threats, so does the aviation industry. Like water, terror threats in aviation tend to take the path of least resistance. Via external analyses and documented evidence, we now know that the aviation sector is vulnerable to cyber-attacks. How long will it be until terror strikes evolve in the aviation industry—as they have around the world—to the cyber front? If you have responsibility for any aspect of these areas, please don’t be a bystander. Be proactive about onboarding controls and saving lives.

[24] http://www.darkreading.com/permanent-denial-of-service-attack-sabotages-hardware/d/d-id/1129499?print=yes
[25] https://www.cnet.com/news/why-is-samsung-galaxy-note-7-exploding-overheating/
[26] http://psc.apcointl.org/2013/03/15/updated-bulletin-tdos-attacks/

If transportation systems are vulnerable, could ransoming of these systems be far behind? If so, what would politicians pay for a return to operations and safety for their constituencies? Does “pay-for-play” government behavior reward the pursuit of future combinations of terrorism and crime?

Military devices ransomed. Military branches have long been heavy technology users. They have also had a technology procurement model based on an outdated approach and xenophobic buying behavior. In a world of commercial-off-the-shelf (COTS) products, goods are procured fairly at will. Will these COTS packages—frequently made with large numbers of foreign components—be the small pebbles that undermine the operational capabilities of the world’s largest military forces? Seemingly innocuous cameras, sensors and other IoT devices pervade the military—but are just as rife with security issues as any on the planet. Once demonstrable vulnerabilities are validated, how much would a government pay to regain control of weapons or other crucial resources?

Prediction 4: The Darknet Goes Mainstream

Many people live two or more lives: one life in flesh and blood, the other life or lives in various online avatars, which are essential for highly functioning citizenry. These avatars span health, finances, education, love interests and more. Today the Darknet offers easy, affordable access to terrorize or otherwise alter someone’s personal for financial or other benefits. What, exactly, do we mean? Here are a few examples of what 2017 could bring:

• Compromised surveillance systems available for rent, enabling someone to see through another person’s cameras
• Access to FBI files and lawsuit information
• Access to emails and computer systems of people going through a divorce, as well as teachers’ personal communications or lawyers’ strategic documents and communications
• Personal medical records or previous criminal activity or misdemeanors

In the face of these frightening prospects, who is the definitive source of who we are, and how do we reconcile file/record issues? Before you answer, picture yourself in a job interview. You provide one set of information about your educational history; a report from your school serves up conflicting data. Who rules the day?

This analogy can be extended to numerous scenarios. The common thread: that your online avatar now represents and requires high security and fidelity in order for you to function properly in society. In light of that, one of the single most personalized acts of terror that can occur is a wide-scale loss, alteration or deletion of records—with no reconstitution capability. This should strike fear in us all.

Is the Best Behind Us?

The conclusion we draw from all of these predictions: if growth in attack surfaces, techniques and means continues into 2017, then the best years of security of our systems may be behind us. As we move forward into 2017, Radware views these as key questions to explore:

• With physical terror playing such a major role in global strife, how could cyber security sabotage NOT be far behind?
• Given the threat landscape, what controls/testing can be performed to ensure that the public risk is abated through proactive measures—and that private scenarios are regulated so that we can trust our Internet avatar system as we trust our financial system?

Given the evolution of threats and the importance of the sanctity and trustworthiness of online systems, government needs to step in and provide something akin to a Federal Bureau of Cyber Security with a separate and distinct charter. This agency’s role would be equivalent to the physical Secret Service in numerous ways. However, its operating space and domain would be one with the ghostly characteristics of computer warfare. In defending the citizenry, this agency would need to cover freedoms of press and speech overall.

No matter when or how the government responds, each organization has a responsibility to be aware and prepared. Radware urges you to contemplate how our 2017 predictions could affect your organization and the people you serve—then work to devise appropriate strategies and controls for mitigating the risks.

08 RESPONDENT PROFILE

In September of 2016, Radware conducted a survey of the security community and collected 598 responses, almost double the number of responses to the 2015 survey. The survey was sent to a wide variety of organizations globally and was designed to collect objective, vendor-neutral information about issues organizations faced while planning for and combating cyber-attacks. All responder profile information is listed below. Please note that not all answers add to 100%, as some responders may have skipped the question.

Which best describes you and your role at work?
I report directly to the top IT executive at my business unit or location: 37%
My manager reports directly to the top IT executive at business unit or location: 27%
Other: 19%
I am the top IT executive at my business unit or location: 17%

Figure 61: Role within organization

Which best describes your title within your organization?
Manager/Supervisor: 24%
Security Engineer: 19%
Network Engineer: 17%
CIO/CTO: 15%
Operational Engineer: 8%
EVP/Senior VP/VP: 6%
CSO/CISO: 5%
Director: 5%
Other: 2%

Figure 62: Title within organization

In total, how many employees are currently working in your organization?
Less than 100: 23%
100-499: 17%
500-999: 11%
1,000-2,999: 13%
3,000-9,999: 14%
10,000 or more: 20%

Figure 63: Number of employees in organization

What is the scope of your organization’s business?
Worldwide: 44%
Country-wide: 41%
Region-wide: 15%

Figure 64: Geographic scope of business

Which best describes your company’s industry?
Professional Services & Consulting: 15%
High Tech Products & Services: 15%
Banking & Financial Services: 12%
Education: 9%
Government & Civil Service: 7%
Retail & Wholesale Trade, Online: 6%
Media & Communications: 6%
Carrier & Telecommunication: 4%
Manufacturing: 3%
Energy and Utilities: 3%
Healthcare and Pharmaceuticals: 3%
Automotive, Transportation: 2%
Other: 2%

Figure 65: Industries represented

Regions represented
North America: 44%
Europe: 26%
APAC: 20%
Central/South America: 8%
Other: 3%

Figure 66: Regions represented

09 CREDITS

Authors
Carl Herberger, VP Security Solutions, Radware
Michael Groskop, Director, Web Application Products, Radware
Ben Desjardins, Director, Security Solutions Marketing, Radware
Ben Zilberman, Manager, Security Product Marketing, Radware
Carolyn Muzyka, Director, Marketing Communications, Radware
Colin Beasty, Manager, Content Marketing, Radware
Daniel Smith, ERT Researcher, Radware
Zeev Ravid, Security Research Architect, Radware
Paul Mazzucco, CISO, TierPoint
Enterprise Security and Risk Management Team, Tech Mahindra

Advisory Board
Shira Sagiv, Director, Security Product Marketing, Radware
Liron Machluf, Director, ERT, Radware
Haim Zelikovsky, VP Cloud Business, Radware
Yotam Ben-Ezra, CTO Office - Director of Security Innovation, Radware

About the Authors Radware (NASDAQ: RDWR), is a global leader of application delivery and cyber security solutions for virtual, cloud and software defined data centers. Its award-winning solutions portfolio delivers service level assurance for business- critical applications, while maximizing IT efficiency. Radware’s solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down.

About the Emergency Response Team (ERT) Radware’s ERT is a group of dedicated security consultants who are available around the clock. As literal “first responders” to cyber-attacks, Radware’s ERT members gained extensive experience by successfully dealing with some of the industry’s most notable hacking episodes, providing the knowledge and expertise to mitigate the kind of attack a business’s security team may never have handled.

For More Information Please visit www.radware.com for additional expert resources and information and our security center DDoSWarriors.com that provides a comprehensive analysis on DDoS attack tools, trends and threats. Radware encourages you to join our community and follow us on: Facebook, Google+, LinkedIn, Radware Blog, SlideShare, Twitter, YouTube, Radware Connect app for iPhone®.

© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. www.radware.com