SSL-Based Cyber-Attacks

TABLE OF CONTENTS

01 Executive Summary
  • Top Level Findings
  • Threat Landscape Trends

02 Methodology and Sources
  • Information Security Industry Survey
  • Radware Emergency Response Team Cases

03 Threat Landscape
  • Anatomy of a Hacker: Profiles, Motivations & Tools of the Trade
  • Business Concerns of Cyber-Attacks
  • Cyber-Attack Ring of Fire
  • Attack Vector Landscape

04 Emerging Perils
  • The Bottom Line: The Rise of Cyber Ransom
  • Friend Turned Enemy: SSL-Based Cyber-Attacks
  • Internet of Threats: IoT Botnets and the Economics of DDoS Protection
  • Evolve and Adapt: Why DevOps is Raising the Bar for Security Solutions

05 Third-Party Viewpoints
  • From the Corner Office: Views from a Chief Information Security Officer
  • From the Frontlines: How a Multinational Bank Handled a Ransom Threat and SSL-Based Attack
  • See Through the DDoS Smokescreen to Protect Sensitive Data
  • Adaptive Security: Changing Threats Require a New Security Paradigm

06 Building a Cyber-Resilient Business
  • Calculating the Cost of a Cyber-Attack
  • Planning a Cyber Security Strategy

07 Cyber Security Predictions
  • Radware’s Cyber Security Prediction Report Card
  • What’s on the Horizon – Four Predictions for 2017

08 Respondent Profile

09 Credits
  • Authors
  • Advisory Board

01 EXECUTIVE SUMMARY

What do cyber-attacks have in common with hurricanes, tornados and earthquakes? All are realities in our world. No matter how common or uncommon they may be, failing to prepare for any of them will lead to costs that could be unbearable—or worse.
Radware’s annual Global Application & Network Security Report is designed for the entire security community and will help in understanding the following:

  • The threat landscape—who the attackers are, their motives and tools
  • Potential impact on your business, including associated costs of different cyber-attacks
  • How your preparedness level compares to other organizations
  • Experiences of organizations in your industry
  • Emerging threats and how to protect against them
  • Predictions for 2017

In addition to outlining the findings and analysis of our 2016 security industry survey, this report reflects our Emergency Response Team’s (ERT) in-the-trenches experiences fighting cyber-attacks and offers advice for organizations planning for cyber-attack protection in 2017. It also incorporates perspectives of third-party service providers. This report offers a detailed review of:

  • Known and common attacks of the past year (that is, what most people are attempting to secure against)
  • Known and uncommon attacks (that is, what top-performing organizations attempt to address—security incidents akin to the natural disasters cited above)
  • Unknown attack forecast (that is, what has yet to demonstrate itself with evidence but is VERY “forecastable”)

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

Top-Level Findings

98% of Organizations Experienced Attacks in 2016
Analysis: Cyber-attacks became a way of life for nearly every organization in 2016. This trend will continue in 2017.

IoT Botnets Open the 1TBps Floodgates
Analysis: This exemplifies why preparing for “common” attacks is no longer enough. This event introduced sophisticated vectors, such as GRE floods and DNS water torture.

Cyber-Ransom Proves Easiest, Most Lucrative Tool for Cybercriminals
Analysis: Almost all ransom events have a different attack vector, technique or angle. There are hundreds of encrypting malware types, many of which were developed and discovered this year as part of the hype. Also, DDoS for ransom groups are professionals who leverage a set of network and application attacks to demonstrate their intentions and power.

Cyber-Attacks Cost Almost Twice What You May Think
Analysis: Most companies have not come up with a precise calculation of the losses associated with a cyber-attack. Those who have quantified the losses estimate the damage at nearly double the amount compared to those who estimate.

Stateful Devices: #1 Point of Failure
Analysis: Common IT devices, including firewalls, application delivery controllers and intrusion protection systems, now represent the greatest risk for an outage. Consequently, they require a dedicated attack-mitigation solution to protect them.

Threat Landscape Trends

Data Leakage + SLA Impact Are Top Concerns
Data leakage and service level impact often come together, with a DDoS attack serving as a smokescreen that distracts IT teams so data can be infiltrated.

Mirai Rewrites the Rules
As the first IoT open-source botnet, Mirai is changing the rules of real-time mitigation and makes security automation a must. It isn’t just that IoT botnets can facilitate sophisticated L7 attack launches in high volumes. The fact that Mirai is open-source code means hackers can potentially mutate and customize it—resulting in an untold variety of new attack tools that can be detected only through intelligent automation.

Non-Volumetric DoS: Alive and Kicking
Despite astonishing volumes, neither the number of victims nor the frequency of attacks has grown. Most non-volumetric DDoS attacks are in relatively lower volumes, with 70% below 100Mbps. Rate-based security solutions continue to fall short, requiring companies to rethink their security strategy and embrace more sophisticated solutions. Without those upgrades, there is a good chance an organization will experience, yet lack visibility into service degradation.

Increased Attacks Against Governmental Institutions
2016 brought a new level of politically affiliated cyber protests. While the U.S. presidential election was in the spotlight, the media reported on a different breach almost weekly. These incidents happened across the globe, with regimes suffering from cyber-attacks due to alleged corruption or perceived injustices.

SSL-Based Attacks Continue to Grow
Although 39% report suffering an SSL-based attack, only 25% confidently state they can mitigate it.

DDoS Attacks Are Becoming Shorter
Burst attacks are increasing thanks to their effectiveness against most mitigation solutions.

Uncrossed Chasm? Security Strategy Evolves More Slowly Than It Should
While hackers continue to develop new attack tools and techniques, 40% of organizations do not have an incident response plan in place. Seventy percent do not have cyber-insurance. And despite the prevalence of ransomware, only 7% keep Bitcoin on hand. What’s more, 75% of companies do not employ hackers in their security teams, and 43% say they could not cope with an attack campaign lasting more than 24 hours.

Threats never stand still. Neither can you.
Radware encourages you to use our findings and analysis as you design security strategies against cyber-attacks and work to reduce the costs associated with them. Apply these insights to understand the real and meaningful changes that have occurred to the threat landscape, to explore potential changes to your investments in protection strategies, and to look ahead to how possible threats may evolve into real attacks.
02 METHODOLOGY AND SOURCES

Combining statistical research and frontline experience, this report identifies trends that can help educate the security community. It draws information from the following sources:

Information Security Industry Survey
The quantitative data source is an industry-wide survey conducted by Radware. This year’s survey had 598 individual respondents representing a wide variety of organizations around the world. The study builds on prior years’ research, collecting vendor-neutral information about issues that organizations faced while planning for and combating cyber-attacks. On average, responding organizations have annual revenue of USD $1.9 billion and about 3,000 employees. Ten percent are large organizations with at least USD $5 billion in annual revenue. Respondents represent more than 12 industries, with the largest number coming from the following: professional services and consulting (15%), high tech products and services (15%), banking and financial services (12%) and education (9%). The survey provides global coverage—with 44% of respondents from North America, 26% from Europe and 20% from Asia. Additionally, 44% of the organizations conduct business worldwide.

Radware Emergency Response Team Case Studies
Radware’s Emergency Response Team (ERT) is composed of dedicated security consultants who actively monitor and mitigate attacks in real time. The ERT provides 24x7 security services for customers facing cyber-attacks or malware outbreaks. As literal “first responders” to cyber-attacks, ERT members have successfully dealt with some of the industry’s most notable hacking episodes. This team provides knowledge and expertise to mitigate the kinds of attacks that an in-house security team may never have handled. Throughout the report, ERT members highlight how these front-line experiences fighting cyber-attacks provide deeper forensic analysis than surveys alone or academic research.

03 THREAT LANDSCAPE

Anatomy of a Hacker: Profiles, Motivations & Tools of the Trade
Hacking used to require a distinct set of skills and capabilities. These days, attack services are bought and sold via marketplaces on the Clearnet and Darknet—a phenomenon that’s closing the gap between skilled and amateur hackers and fueling an exponential increase in threats. Thanks to the growing array of online marketplaces, it’s now possible to wreak havoc even if you know virtually nothing about computer programming or networks. As attack
