The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre

© Radware, Inc. 2014
The Art of Cyber War
Strategies in a rapidly evolving theatre
July 2014

The Art of War is an ancient Chinese military treatise attributed to Sun Tzu,
a high-ranking military general, strategist and tactician. It is commonly
known to be the definitive work on military strategy and tactics, and for the
last two thousand years has remained the most important military
dissertation in Asia. It has had an influence on Eastern and Western military
thinking, business tactics, legal strategy and beyond. Leaders as diverse as
Mao Zedong and General Douglas MacArthur have drawn inspiration from
the work.
Many of its conclusions remain valid today in the cyber warfare era.
2© Radware, Inc. 2014

Variation of Tactics 九變
The Army on the March 行軍
Illusion & Reality 虛實
The Use of Intelligence 用間
Laying Plans 始計

Attack Vectors: Increasing Complexity

Individual Servers
Malicious software
installed on hosts and
servers (mostly located
at Russian and east
European universities),
controlled by a single
entity by direct
communication.
Examples:
Trin00, TFN, Trinity
Botnets
Stealthy malicious
software installed
mostly on personal
computers without the
owner’s consent;
controlled by a single
entity trough indirect
channels (IRC, HTTP)
Examples:
Agobot, DirtJumper,
Zemra
Voluntary Botnets
Many users, at times
as part of a Hacktivist
group, willingly share
their personal
computers. Using
predetermined and
publicly available attack
tools and methods,
with an optional remote
control channel.
Examples:
LOIC, HOIC
New Server-based
Botnets
Powerful, well
orchestrated attacks,
using a geographically
spread server
infrastructure. Few
attacking servers
generate the same
impact as hundreds of
clients.
20121998 - 2002 1998 - Present 2010 - Present
不戰而屈人之兵，善之善者也
To subdue the enemy without fighting is the acme of skill

Current prices on the Russian underground market:
Hackingcorporatemailbox: $500
Winlockerransomware: $10-$20
Unintelligentexploitbundle: $25
Intelligentexploitbundle: $10-$3,000
Basiccrypter(forinsertingroguecodeintobenignfile): $10-$30
SOCKSbot(togetaroundfirewalls): $100
HiringaDDoSattack: $30-$70/day,$1,200/month
Botnet: $200for2,000bots
DDoSBotnet: $700
ZeuSsourcecode: $200-$250
Windowsrootkit(forinstallingmaliciousdrivers): $292
HackingFacebookorTwitteraccount: $130
HackingGmailaccount: $162
Emailspam: $10peronemillionemails
Emailscam(usingcustomerdatabase): $50-$500peronemillionemails

Attack Length: Increasing Duration

Sophistication
20132010 2011 2012
• Duration: 3 Days
• 4 Attack Vectors
• Attack target: Visa, MasterCard
• 5 Attack Vectors
• Attack target: HKEX
• More than 7 Attack vectors
• Attack target: Vatican
• Duration: 7 Months
• Multiple attack vectors
• Attack target: US Banks
故善战者，立于不败之地
The good fighters of old first put themselves beyond the possibility of defeat

知彼知己，百戰不殆
If you know the enemy and know yourself, you need not fear the result of a hundred battles
Notable DDoS Attacks in the Last 12 Months

Battlefield: Columbia Government On-line Services
Cause: Columbian Independence
Battle: A large scale cyber attack held on July 20th - Columbian
Independence Day - against 30 Colombian government websites.
Result: Most web sites were either defaced or shut down completely
for the entire day of the attack.
行軍: Columbia

Attackers: Columbian Hackers
• A known hacker collective group suspected as being responsible
for several other cyber attacks in Colombia during 2012-13. The
group was supported by sympathizers use Twitter to communicate.
Motivation: Ideological
• Anti-government stance claiming to stand for “freedom, justice
and peace.” Mantra: “We are Colombian Hackers, to serve the
people.”
行軍: Columbia

行軍: Columbia
Web application attacks:
• Directory traversal – web application attack to get access to
password files that can be later cracked offline.
• Brute force attacks on pcAnywhere service – looking for weak
password protected accounts enables attackers to gain remote access
to victim servers.
• SQL Injection attacks – web application attacks to gain remote
server access.
• Web application vulnerability scanning
• Application attacks: we have mainly seen HTTP Flood attacks
Network DDoS attacks:
• SYN floods, UDP floods, ICMP floods
• Anomalous traffic (invalid TCP flags, source port zero, invalid
L3/L4 header)
• TCP port scans

行軍: Operation Ababil
Battlefield: U.S. Commercial Banks
Cause: Elimination of the Film “Innocence of Muslims”
Battle: Phase 4 of major multi-phase campaign – Operation Ababil –
that commenced during the week of July 22nd. Primary targets
included: Bank of America, Chase Bank, PNC, Union Bank,
BB&T, US Bank, Fifth Third Bank, Citibank and others.
Result: Major US financial institutions impacted by intensive and
protracted Distributed Denial of Service attacks.

Attackers: Cyber Fighters of Izz ad-Din al-Qassam
• Purported Iranian state sponsored acktavist collective said to be acting
to defend Islam
Motivation: Religious Fundamentalism
• “Well, misters! The break's over and it's now time to pay off.
After a chance given to banks to rest awhile, now the Cyber Fighters of
Izz ad-Din al-Qassam will once again take hold of their destiny.
As we have said earlier, the Operation Ababil is performed because of
widespread and organized offends to Islamic spirituals and holy issues,
especially the great prophet of Islam(PBUH) and if the offended film is
eliminated from the Internet, the related attacks also will be stopped.
While the films exist, no one should expect this operation be fully
stopped.
The new phase will be a bit different and you'll feel this in the coming
days.
Mrt. Izz ad-Din al-Qassam Cyber Fighters”

HTTP flood attacks:
• Cause web server resource starvation due to overwhelming number of page downloads.
Encrypted attacks:
• SSL based HTTPS GET requests generate a major load on the HTTP server by consuming 15x
more CPU in order to process the encrypted attack traffic.
Massive TCP and UDP flood attacks:
• Targeting both Web servers and DNS servers. Radware Emergency Response
Team tracked and mitigated attacks of up to 25Gbps against one of its
customers. Source appears to be Brobot botnet.
DNS amplification attacks:
• Attacker sends queries to a DNS server with a spoofed address that
identifies the target under attack. Large replies from the DNS servers,
usually so big that they need to be split over several packets, flood
the target.

Parastoo
Iranian Cyber Army
al Qassam Cyber Fighters
Parastoo
Iranian Cyber Army
al Qassam Cyber Fighters
22 Events
1 Event
2010 2011 2012 2013
Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul
Source: Analysis Intelligence
Event Correlation: Iranian Linked Cyber Attacks

Challenge & Response Escalations:
• Automatic Challenge mechanisms are employed by the Radware Attack
Mitigation System to discriminate between legitimate traffic and
attack tools
• Phase 4 attackers implemented advanced mechanisms that emulated
normal web browser users in order to circumvent mitigation tools
• Necessitated the implementation of increasingly sophisticated
challenge mechanisms that could not be supported by attack tools
S c r i p t
3 0 2
R e d i r e c t
C h a l l e n g e
J S
C h a l l e n g e
S p e c i a l
C h a l l e n g e
Kamikaze Pass Not pass Not pass
Kamina Pass Not pass Not pass
Terminator Pass Pass Not pass

Battlefield: Spamhaus
Cause: Corporate Ideological Differences
Battle: A nine-day assault that resulted in the largest
recorded volumetric Distributed Denial of Service
attack that peaked at over 300Gbps.
Result: Spamhaus actually went down but claimed to have
withstood the attack but only with the assistance
from companies such as CloudFlare and Google.
Given the scale of the attack and the techniques
used, concerns were expressed that the very fabric
of the internet could be compromised.
行軍: Spamhaus

行軍: Spamhaus
Attackers: CyberBunker?
• Provider of anonymous secure hosting services
Motivation: Retaliation against Spamhaus
• CyberBunker, a provider of secure and anonymous hosting services,
was blacklisted by Spamhaus, a non-profit anti-spamming
organization that advises ISPs. It was claimed that CyberBunker
was a 'rogue' host and a haven for cybercrime and spam
organizations. Spamhaus alleged that Cyberbunker, with the aid of
"criminal gangs" from Eastern Europe and Russia, launched a DDoS
attack against Spamhaus for “abusing its influence.”

行軍: Spamhaus
Attack Method:
• The attack started as an 10-80Gbps attack that was firstly
contained successfully, it started as a volumetric attack on
layer 3 and peaked to 75Gbps on March 20.
• During March 24-25 the attack grew to 100Gbps, peaking at
309Gbps.
• No Botnet in use. Attackers were using servers on networks that
allow IP spoofing in conjunction with open DNS resolvers.
• Miss-configured DNS resolvers – with no response rate limiting -
allow the amplification of the attack by the factor of 50!
• Nearly 25% of the networks are configured to allow spoofing
instead of employing BCP38…
• There are over 28 Million open resolvers in operation…

Battlefield: New York Times
Cause: Syrian Conflict
Battle: NYTimes Domain Name Server attack.
Result: New York Times website taken offline for almost
2 hours as domain was redirected to Syrian
Electronic Army servers.
行軍: New York Times

行軍: New York Times
Attackers: Syrian Electronic Army
• Hackers aligned with Syrian President Bashar Assad. Mainly targets
political opposition groups and western websites, including news
organizations and human rights groups.
Attacks: Spear Phishing & Directed DNS Attacks
• Phishing attacks on Melbourne IT, the New York Times DNS registrar.
• SEA hacked the NYT account and redirected the domain to its servers.

Internet
Pipe
Firewall IPS/IDS Load Balancer
(ADC)
Server SQL
Server
Internet
26%
25%
8%
11%
22%
8%
27%
24%
8%
4%
30%
5%
不可胜在己
Being unconquerable lies with yourself

不可胜在己
DoS Defense Component
Vulnerability
Exploitation
Network Flood
Infrastructure
Exhaustion
Target Exhaustion
Network Devices No No Some Some
Over-Provisioning No Yes, bandwidth Yes, infrastructure Yes, server & app.
Firewall & Network Equipment No No Some Some
NIPS or WAF Security Appliances Yes No No, part of problem No
Anti-DoS Box (Stand-Alone) No No Yes Yes
ISP-Side Tools No Yes Rarely Rarely
Anti-Dos Appliances (ISP Connected) No Yes Yes Yes
Anti-DoS Specialty Provider No Yes Yes Yes
Content Delivery Network No Yes Yes Limited

不可胜在己
Proportion of businesses relying on CDNs for DDoS Protection
70%

不可胜在己
Bypassing CDN Protection
Botnet
E n t e r p r i s e
C D N
GET www.enterprise.com/?[Random]

不可胜在己
Cloud protection limitations
Botnet
Volumetric attacks
Low & Slow attacks
SSL encrypted attacks
E n t e r p r i s e
C l o u d S c r u b b i n g

兵者詭道也
All warfare is based on deception
Threats: Universal DDoS Mitigation Bypass
Source: BlackHat USA 2013
Presenters: Nexusguard Ltd, NT-ISAC Bloodspear Labs
Goal: Defeat all known mechanisms for automatic
mitigation of DDoS attacks
Authors: Tony T.N. Miu, Albert K.T. Hui, W.L. Lee, Daniel
X.P. Luo, Alan K.L. Chung, Judy W.S. Wong
or CAPTCHA-based authentications being the most effective by
far. However, in our research weaknesses were found in a
majority of these sort of techniques.
We rolled all our exploits into a proof-of-concept attack tool,
giving it near-perfect DDoS mitigation bypass capability
against almost every existing commercial DDoS mitigation
solutions. The ramifications are huge. For the vast majority of
web sites, these mitigation solutions stand as the last line of
defense. Breaching this defense can expose these web sites'
backend to devastating damages.
We have extensively surveyed DDoS mitigation technologies
available on the market today, uncovering the countermeasure
techniques they employ, how they work, and

兵者詭道也
Tool: Kill ‘em All 1.0
• Harnesses techniques such as Authentication
Bypass, HTTP redirect, HTTP cookie and
JavaScript
• True TCP behavior, believable and random HTTP
headers, JavaScript engine, random payload,
tunable post authentication traffic model
• Defeats current anti-DDoS solutions that detect
malformed traffic, traffic profiling, rate
limiting, source verification, Javascript and
CAPTCHA-based authentication mechanisms
• Creators allege that the tool is technically
indistinguishable from legitimate human traffic
Tested: Arbor PeakFlow TMS, Akamai,
Cloudflare, NSFocus Anti-DDoS
System

兵之情主速
Speed is the essence of war
AttackDegreeAxis
Attack Area
Suspicious
Area
Normal
Area

兵之情主速
T H E S E C U R I T Y G A P
Attacker has time to bypass automatic mitigation
Target does not possess required defensive skills

兵之情主速

故兵貴勝，不貴久
What is essential in war is victory, not prolonged operations
• Envelope Attacks – Device Overload
• Directed Attacks - Exploits
• Intrusions – Mis-Configurations
• Localized Volume Attacks
• Low & Slow Attacks
• SSL Floods
Detection: Encrypted / Non-Volumetric Attacks

• Web Attacks
• Application Misuse
• Connection Floods
• Brute Force
• Directory Traversals
• Injections
• Scraping & API Misuse
Detection: Application Attacks

Attack Detection: Volumetric Attacks
• Network DDoS
• SYN Floods
• HTTP Floods

Attack Mitigation Network: Low & Slow, SSL Encrypted
Botnet
E n t e r p r i s e
H o s t e d D a t a
C e n t e r

Attack Mitigation Network: Application Exploits
Botnet
E n t e r p r i s e
H o s t e d D a t a
C e n t e r
Attack
signatures

Botnet
E n t e r p r i s e
H o s t e d D a t a
C e n t e r
Attack Mitigation Network: Volumetric Attacks

Botnet
H o s t e d D a t a
C e n t e r
E n t e r p r i s e
Attack
signatures

Botnet
H o s t e d D a t a
C e n t e r
E n t e r p r i s e

Don’t assume that you’re not a
target.
Draw up battle plans. Learn from the
mistakes of others.
没有战略，战术是之前失败的噪音
Tactics without strategy is the noise before defeat
目标
Target

Protecting your data is not the same
as protecting your business.
True security necessitates data
protection, system integrity and
operational availability.
可用性
Protection

You don’t control all of your critical
business systems.
Understand your vulnerabilities in the
distributed, outsourced world.
漏洞
Vulnerability

You can’t defend against attacks you
can’t detect.
The battle prepared business
harnesses an intelligence network.
检测
Detection

Don’t believe the DDoS protection
propaganda.
Understand the limitations of cloud-
based scrubbing solutions.
Not all networking and security
appliance solutions were created
equal.
宣传
Propaganda

Know your limitations.
Enlist forces that have expertise to
help you fight.
限制
Limitations

你准备好了吗?
Are You Ready?

Carl Herberger, VP Security Solutions, Radware
carl.herberger@radware.com
谢谢
Thank You

The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre

Similar to The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre (20)

More from Radware

More from Radware (20)

Recently uploaded

Recently uploaded (20)

The Art of Cyber War: Cyber Security Strategies in a Rapidly Evolving Theatre