DDoS and Malware Trends: Incident Response in the New Era of Targeted Attacks
Presented by: Gary Sockrider, Solutions Architect, Arbor Networks
We see things others can’t
Arbor Networks Cyber Security Summit
Attend any of the 6 live (or archived) webinars.
Arbor Networks Overview
90%: Percentage of the world’s Tier 1 service providers who are Arbor customers
107: Number of countries with Arbor products deployed
90 Tbps: Amount of global traffic monitored by the ATLAS security intelligence initiative right now
#1: Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments – 49% of total market [Infonetics Research Q1 2014]
14: Number of years Arbor has been delivering innovative security and network visibility technologies & products
$19B: 2013 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing
2014 ATLAS Initiative: Anonymous Stats, World-Wide
100Gbps+ attacks in every month this year bar one. Peak attack sizes are clearly higher this year.
Chart: Peak Attack Growth trend in Gbps (y-axis: Peak Monthly Gbps of Attacks, 0–350); labelled data points 325.05 and 264.61 Gbps.
The ATLAS initiative is the world’s most comprehensive Internet monitoring and security intelligence system, built on anonymous data shared by over 290 participating ISPs covering 90 Tbps of peak IPv4 traffic.
ATLAS intelligence is seamlessly integrated into Arbor products and services, including real-time services, global threat intelligence and insight into key Internet trends. ASERT, Arbor’s Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address significant Internet research questions.
DNS Reflection Amplification Attacks
More info @ openresolverproject.com
NTP Reflection Amplification Attacks
More info @ openNTPproject.org
Reflection / Amplification – Potential Impact

Abbreviation  Protocol                            Port       Amplification Factor  # of Abusable Servers
CHARGEN       Character Generation Protocol       UDP/19     18x – 1000x           Tens of thousands (90K)
DNS           Domain Name System                  UDP/53     160x                  Millions (27M)
NTP           Network Time Protocol               UDP/123    260x – 1000x          Over one hundred thousand (128K)
SSDP          Simple Service Discovery Protocol   UDP/1900   20x – 83x             Millions (2M)
SNMP          Simple Network Management Protocol  UDP/161    880x                  Millions (5M)
2014 ATLAS Initiative: Anonymous Stats, World-Wide
SSDP reflection attacks with source port 1900 (SSDP) appear to be growing rapidly. Only 3 events were tracked in the whole of Q2, versus 29,506 tracked in Q3.
Top target countries: US 19.3%, France 10%, Denmark 7.4%
Most popular target ports: 80 (HTTP) 58.7%, 53 (DNS) 4.1%, 27015 (Steam) 3.4%
3 events over 100 Gb/sec so far, one in combination with NTP reflection. Two of these target port 1337 (“leet”, hacker term).
Chart: Percentage of events with source port 1900 (SSDP), July to September, broken out for all events, events >10G and events >100G (y-axis 0%–45%).
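To make the reflection table and the SSDP statistics above usable on the defender’s side, here is an added flow-based check (example code written for this page, not an Arbor or Peakflow feature): it aggregates UDP flow records by destination and source port, flags destinations that many distinct hosts on a known reflector port converge on, and uses the table’s nominal amplification factor to estimate how much the attacker actually had to send. The flow records, IP addresses and thresholds are constructed.

```python
from collections import defaultdict

# Reflector source ports from the table above: port -> (protocol, low end of amplification factor)
REFLECTOR_PORTS = {
    19: ("CHARGEN", 18),
    53: ("DNS", 160),
    123: ("NTP", 260),
    1900: ("SSDP", 20),
    161: ("SNMP", 880),
}

# Constructed UDP flow records (NetFlow/IPFIX-style): src_ip, src_port, dst_ip, dst_port, bytes
SAMPLE_FLOWS = [
    # many SSDP reflectors converging on one victim's HTTP port (the pattern in the stats above)
    ("198.51.100.1", 1900, "203.0.113.10", 80, 1_200_000),
    ("198.51.100.2", 1900, "203.0.113.10", 80, 1_150_000),
    ("198.51.100.3", 1900, "203.0.113.10", 80, 1_300_000),
    ("198.51.100.4", 1900, "203.0.113.10", 80, 1_100_000),
    # ordinary DNS answer from a single resolver and an NTP reply: must not alert
    ("192.0.2.53", 53, "203.0.113.20", 44231, 512),
    ("192.0.2.123", 123, "203.0.113.20", 123, 96),
]


def find_reflection_targets(flows, min_sources=3, min_bytes=1_000_000):
    """Group flows by (destination, reflector source port) and flag destinations that
    receive at least min_bytes from at least min_sources distinct reflectors."""
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "dst_ports": set()})
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue
        entry = stats[(dst_ip, src_port)]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
        entry["dst_ports"].add(dst_port)

    alerts = []
    for (dst_ip, src_port), entry in stats.items():
        if len(entry["sources"]) >= min_sources and entry["bytes"] >= min_bytes:
            protocol, factor = REFLECTOR_PORTS[src_port]
            alerts.append({
                "target": dst_ip,
                "protocol": protocol,
                "reflectors": len(entry["sources"]),
                "bytes": entry["bytes"],
                # lower-bound estimate of what the attacker sent, using the nominal factor
                "est_attacker_bytes": entry["bytes"] // factor,
                "target_ports": sorted(entry["dst_ports"]),
            })
    return alerts
```

The destination-port breakdown is what lets an analyst reproduce the “most popular target ports” view from the slide for their own network.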
Application Layer Attacks
Simple Attack Tools
• No need to install a tool, just visit a webpage with JS code
• Stand-alone JavaScript version
• Lacks some of the features of regular LOIC
Attack Tools To Go
• Mobile version of LOIC
• DDoS from anywhere!
Professional DDoS Services
Problem Fueling $1Billion+ In Security Spend
Network picture: CDNs, Mobile Carriers, Service Providers, SaaS, Cloud Providers, Enterprise Perimeter, Mobile WiFi, Employees, Corporate Servers, Remote Offices, Internal Apps
• Global Traffic Visibility – can’t see global external attack traffic
• Availability Protection – can’t withstand a direct attack
• Internal Traffic Visibility – need to understand and stop internal attack traffic
Malware Is An Ecosystem, Not Just a Sample or Simple Signature
Diagram (The Internet on one side, Your PC / User / Victim on the other):
• Malware attack vector: email, compromised site, URLs, IRC, etc.
• Malicious site / exploit kit (if redirected): exploit, then dropper / downloader installs malware
• Malware package (Trojan): crimeware, worm/regeneration, config, bot agent (Zeus, etc.); updates, assessment, connectivity check
• Command & control / RAT: updates, status, commands, connectivity check
• Actions on goals: ransomware; DDoS; data exfiltration; espionage; click fraud; etc.; actions within the network
Source: Emerging Threats Pro
BYOD and APT Trends
How are threats getting through?
• Huge number of ‘ways in’
  – Drive By Download
  – SPAM/Phishing
  – Watering Hole
  – USB
• Leverage vulnerabilities
  – JavaScript
  – Java applets
  – Compound Documents
  – Anything Adobe
• Many threat vectors
  – New AND Old
  – IPS / AV limited coverage
  – Patching lag
Chart: Threats On Corporate Network
So, how do we get ‘better’ at this?
• Actionable Threat Intelligence – Use the expertise within vendors and integrators to maximize your effectiveness
• Broad Visibility – Monitor within your network, not just at the perimeter
• Deep Visibility & Context – Full packet capture and threat detection at key network locations
• Improved Workflow – Invest in solutions that fit into an Incident Response workflow and enable personnel and processes
ATLAS: Global Threat Intelligence (Active Threat Level Analysis System)
Diagram: ISP networks running Peakflow SP, ISP darknet space with ATLAS sensors, and the ATLAS data center.
1. ATLAS sensors are deployed in global internet darknet space to discover and classify scan and exploit activity.
2. 290+ service providers (running Peakflow SP) share 90 Tbps of data on detected attacks and monitored traffic.
3. ASERT analyzes the combined data, malware and attack tools and converts them into actionable intelligence for use within Arbor’s Pravail and Peakflow solutions.
Hong Kong Voting Site Suffers Massive DDoS Attack Before Civil Referendum
Google Ideas partners with Arbor ASERT
How ATLAS data turns actionable
• Inputs: Honeypots & SPAM traps, ATLAS, the security community – millions of samples, 300K malware samples/day
• Sandbox of virtual machines runs the malware (looking for botnet C&C, files, network behavior)
• Report and PCAP stored in a database
• “Tracker”: DDoS attack auto-classification and analysis every 24 hrs (DDoS family)
• Outputs: ASERT Situational Threat Brief (e.g. 2014-10, Threat Actors Associated with Recent Gaming Industry Attacks); AIF Policy
Broad Visibility - Flow
Leverage Flow technologies for:
• Cost-effective, scalable visibility
• Layer 3/4 picture of the internal network – understand who talks to whom, when and how much
• Develop a model of normal network / user behavior
• Build policy/visibility around user identity
Correlate:
• With actionable threat intelligence
Detect suspicious or malicious activities wherever they occur
Deep Visibility & Context – Packet Capture
Use high-speed packet capture for deeper visibility:
• Monitor for specific threats at network / data-centre edge(s)
• Full-fidelity storage of forensic data for interactive, retrospective analysis
• Investigate scope of compromise / kill chain
Correlate (continuously):
• With actionable threat intelligence
Continuous Correlation
• Real-time and historical (continuous) analysis with updated threat intelligence – ‘CCTV’ for your network: Pause/Play/Rewind
• Load full signature sets with no risk of affecting network / application performance
• RESTORE CONTEXT!
Timeline diagram: Month 1 Traffic – Month 2 Traffic – Month 3 Traffic
• Zero Day attack here (marked on the timeline)
• Intelligence update without a signature for the Zero Day attack: all traffic correlated, Zero Day not found
• Intelligence update INCLUDING a signature for the Zero Day attack: all traffic correlated, Zero Day FOUND
Detection capability updates occur at different times. Stored traffic can be correlated with updated threat intelligence. Now that the Zero Day attack has been identified, the attack timeline can be established.
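As an added illustration of the retrospective correlation described above (example code written for this page, not Arbor’s or Pravail’s own): stored session metadata is re-scanned against each new intelligence update, so a C2 indicator that only arrives with the Month 3 update still finds the Month 1 and Month 2 sessions and yields the attack timeline. The session records, domains and indicator sets are constructed.

```python
from datetime import date

# Constructed session metadata, as a full-packet-capture store would index it:
# (date, internal client, remote server, contacted domain, HTTP User-Agent)
STORED_TRAFFIC = [
    (date(2014, 7, 3),  "10.1.1.5", "198.51.100.7", "update.example-cdn.test", "Mozilla/5.0"),
    (date(2014, 7, 19), "10.1.1.5", "203.0.113.77", "cfg.beacon-c2.test",      "Java/1.7.0_45"),
    (date(2014, 8, 2),  "10.1.1.9", "203.0.113.77", "cfg.beacon-c2.test",      "Java/1.7.0_45"),
    (date(2014, 9, 14), "10.1.1.9", "192.0.2.30",   "mail.example.test",       "Mozilla/5.0"),
]

# Constructed indicator sets: the Month 2 update carries nothing for the zero-day,
# the Month 3 update adds its C2 domain.
INTEL_MONTH2 = {"domains": {"old-botnet.test"}, "user_agents": set()}
INTEL_MONTH3 = {"domains": {"old-botnet.test", "cfg.beacon-c2.test"}, "user_agents": set()}


def correlate(stored, intel):
    """Run the current indicator set over every stored session, not only new traffic."""
    return [
        (ts, client, server, domain)
        for ts, client, server, domain, ua in stored
        if domain in intel["domains"] or ua in intel["user_agents"]
    ]


def attack_timeline(hits):
    """Collapse matched sessions into first-seen / last-seen ISO dates per internal host."""
    timeline = {}
    for ts, client, _server, _domain in hits:
        first, last = timeline.get(client, (ts, ts))
        timeline[client] = (min(first, ts), max(last, ts))
    return {host: (f.isoformat(), l.isoformat()) for host, (f, l) in timeline.items()}


def first_compromise(timeline):
    """Earliest first-seen date across all hosts: where the intrusion started."""
    return min(first for first, _last in timeline.values()) if timeline else None
```

The same records that yield nothing against the Month 2 feed produce both hosts and the start date once the Month 3 indicator is applied, which is the retrospective “rewind” the slide describes.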
Improved Workflow
Put the power back in the hands of the analysts:
• Network & Threat Visibility, in context
• Improve the Incident Response workflow
  – Make drastic improvements to Detection/Analysis
  – Enhance Containment, Eradication and Recovery timelines
Technology should enable personnel & process investment
• Regardless of how many people you have or their skill set
Arbor’s Solutions Bridge the Gaps
IDENTIFY – Comprehensive monitoring and threat detection
ANALYZE (Prioritize) – Situational awareness: augment detected events with relevant context
PROTECT (React) – Provide surgical mitigation and forensic capabilities
Products: Arbor Cloud (ATLAS); Pravail Availability Protection System; Pravail Security Analytics & Network Security Intelligence; Threat Dashboard
See and stop the threat anywhere: stop the threat; see the threat lurking inside the enterprise
Network picture: CDNs, Mobile Carriers, SaaS, Cloud Providers, Enterprise Perimeter, Mobile WiFi, Employees, Remote Offices, Internal Apps, Service Providers, Corporate Servers
Cyber Intrusion Kill Chain – An Integrated Approach to Visualize and Stop Today’s Threats
Recon: Scan, Social Media
Weaponize: Inject Payload into PDF or Word doc
Delivery: Email / Drive-by-Download
Exploit: Java, Adobe, Internet Explorer, Etc.
Install: Trojan / Malware / Spyware
C2: IRC, HTTP(S), DNS
Actions: Click Fraud, Exfiltrate Data, Bitcoin Mining, DDoS, etc.
Arbor coverage across the chain: Pravail Security Analytics (SA), Pravail Network Security Intelligence (NSI), Pravail APS
Arbor’s Unique Value & Sustainable Differentiation
DDoS Leadership – 50%+ of Market (Availability)
Advanced Threat Leadership (Security)
Arbor Cloud, Cloud Signaling, 90Tbps Visibility
Diagram legend: good traffic; malicious traffic & malware
Arbor Advantage: Arbor is the only security-focused company that can connect Carrier and Enterprise network visibility to provide availability and security solutions for today’s constantly changing networks.
Diagram locations: Public Clouds, Corporate Networks, Mobile Carrier, Private Clouds, Service Provider, Mobile User / Attacker, Internal Employee
Our Mission: Empowering customers to see and secure their business through connected global networks.
Products placed in the diagram: NSI, SA, Mobile SP, SP/TMS, ATLAS/ASERT, APS
Arbor Network-Wide Product Portfolio
Arbor Networks’ Product Portfolio
Arbor’s Enterprise Solution Portfolio
• Deep and Wide Internal Visibility
• Global External Visibility
• Cloud Based Solutions
• Big Data Analytics