
DDoS and Malware Trends: Incident Response in the New Era of Targeted Attacks

Page 1: DDoS and Malware Trends: Incident Response in the New Era of Targeted Attacks

DDoS and Malware Trends: Incident Response in the New Era of Targeted Attacks

Presented by: Gary Sockrider, Solutions Architect, Arbor Networks

We see things others can’t

Page 2

Arbor Networks Cyber Security Summit

Attend any of the 6 live (or archived) webinars.

Page 3

Arbor Networks Overview

• 90%: Percentage of world’s Tier 1 service providers who are Arbor customers
• 107: Number of countries with Arbor products deployed
• 90 Tbps: Amount of global traffic monitored by the ATLAS security intelligence initiative right now!
• #1: Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments – 49% of total market [Infonetics Research Q1 2014]
• 14: Number of years Arbor has been delivering innovative security and network visibility technologies & products
• $19B: 2013 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing

Page 4

100Gbps+ attacks in every month this year bar one. Peak attack sizes clearly higher this year.

2014 ATLAS Initiative: Anonymous Stats, World-Wide

[Chart: Peak Attack Growth trend in Gbps (Peak Monthly Gbps of Attacks); labelled peaks of 325.05 and 264.61 Gbps]

Page 5

The ATLAS initiative is the world’s most comprehensive Internet monitoring & security intelligence system. Its data is anonymous and comes from over 290 participating ISPs sharing 90 Tbps of peak IPv4 traffic.

ATLAS intelligence is seamlessly integrated into Arbor products and services, including real-time services, global threat intelligence and insight into key Internet trends. ASERT, Arbor’s Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address significant Internet research questions.

Page 6

DNS Reflection Amplification Attacks

More info @ openresolverproject.com

Page 7

NTP Reflection Amplification Attacks

More info @ openNTPproject.org

Page 8

Reflection / Amplification – Potential Impact

| Abbreviation | Protocol | Ports | Amplification Factor | # of Abusable Servers |
|---|---|---|---|---|
| CHARGEN | Character Generation Protocol | UDP / 19 | 18x – 1000x | Tens of thousands (90K) |
| DNS | Domain Name System | UDP / 53 | 160x | Millions (27M) |
| NTP | Network Time Protocol | UDP / 123 | 260x – 1000x | Over one hundred thousand (128K) |
| SSDP | Simple Service Discovery Protocol | UDP / 1900 | 20x – 83x | Millions (2M) |
| SNMP | Simple Network Management Protocol | UDP / 161 | 880x | Millions (5M) |

Page 9

2014 ATLAS Initiative: Anonymous Stats, World-Wide

SSDP Reflection Attacks with source port 1900 (SSDP) appear to be growing rapidly. Only 3 events tracked in the whole of Q2, 29506 tracked in Q3.

Top Target countries are: US: 19.3%, France: 10%, Denmark: 7.4%

Most popular target ports: 80 (HTTP): 58.7%, 53 (DNS): 4.1%, 27015 (Steam): 3.4%

3 events over 100Gb/sec so far, one in combination with NTP reflection. Two of which target port 1337 (Leet, hacker term).

[Chart: Percentage of events with source port 1900 (SSDP), July to September, shown for all events, >10G and >100G]
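As an added example (not from the slides), the reflection vectors in the table above and the source-port-1900 statistics can be checked on flow records, the Layer 3/4 visibility the later flow slide advocates: the flow records, thresholds and function names below are constructed for illustration.

```python
from collections import defaultdict

# Reflector source ports (UDP) taken from the slide's amplification table.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Three SSDP reflectors flood one victim on port 80; one NTP reflector; two benign flows.
SAMPLE_FLOWS = [
    ("198.51.100.10", 1900, "203.0.113.5", 80, "udp", 48_000_000),
    ("198.51.100.11", 1900, "203.0.113.5", 80, "udp", 52_000_000),
    ("198.51.100.12", 1900, "203.0.113.5", 80, "udp", 45_000_000),
    ("198.51.100.20", 123, "203.0.113.5", 80, "udp", 30_000_000),
    ("198.51.100.30", 53, "203.0.113.9", 41000, "udp", 1_200),    # ordinary DNS reply
    ("198.51.100.40", 443, "203.0.113.9", 51000, "tcp", 900_000),  # ordinary HTTPS
]


def detect_reflection(flows, min_bytes=100_000_000, min_sources=2):
    """Aggregate inbound UDP bytes per (victim, reflector source port) and alert
    when the volume is large and arrives from several distinct reflectors.
    Thresholds are constructed; tune them to the monitored link."""
    agg = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        agg[(dst, sport)]["bytes"] += nbytes
        agg[(dst, sport)]["sources"].add(src)
    alerts = []
    for (dst, sport), v in sorted(agg.items()):
        if v["bytes"] >= min_bytes and len(v["sources"]) >= min_sources:
            alerts.append({"victim": dst, "vector": REFLECTOR_PORTS[sport],
                           "src_port": sport, "bytes": v["bytes"],
                           "reflectors": len(v["sources"])})
    return alerts


def vector_share(flows):
    """Share of reflector-port UDP flows per vector, mirroring the slide's
    'percentage of events with source port 1900' view."""
    counts = defaultdict(int)
    for _src, sport, _dst, _dport, proto, _nbytes in flows:
        if proto == "udp" and sport in REFLECTOR_PORTS:
            counts[REFLECTOR_PORTS[sport]] += 1
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {}


if __name__ == "__main__":
    print(detect_reflection(SAMPLE_FLOWS))
    print(vector_share(SAMPLE_FLOWS))
```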

Page 10

Application Layer Attacks

Page 11

Simple Attack Tools

• No need to install tool, just visit Webpage with JS code
• Stand-alone JavaScript version
• Lacks some of the features of regular LOIC

Page 12

Attack Tools To Go

• Mobile version of LOIC
• DDoS from anywhere!

Page 13

Professional DDOS Services

Page 14

[Diagram of the attack surface: CDNs, Mobile Carriers, Service Providers, SaaS, Cloud Providers, Enterprise Perimeter, Mobile WiFi, Employees, Corporate Servers, Remote Offices, Internal Apps]

Problem Fueling $1 Billion+ In Security Spend:

• Can’t see global external attack traffic (Global Traffic Visibility)
• Can’t withstand a direct attack (Availability Protection)
• Need to understand and stop internal attack traffic (Internal Traffic Visibility)

Page 15

Malware Is An Ecosystem, Not Just a Sample or Simple Signature

[Diagram, split between The Internet and Your PC (User / Victim), with these stages:]

• Malware Attack Vector: Email, Compromised Site, URLs, IRC, Etc.
• Malicious Site / Exploit Kit (if redirected)
• Exploit → Dropper / Downloader, which contacts Command & Control / RAT for Updates, Assessment, Connectivity Check and then Installs Malware
• Malware Package (Trojan): Crimeware, Worm/Regeneration, Config, Bot Agent (Zeus, etc.)
• Bot Agent ↔ Command & Control / RAT: Updates, Status, Commands, Connectivity Check
• Actions within Network
• Actions on Goals: Ransomware; DDoS; Data Exfiltration; Espionage; Click Fraud; etc.

Source: Emerging Threats Pro

Page 16

BYOD and APT Trends

Page 17

How are threats getting through?

• Huge number of ‘ways in’
  – Drive By Download
  – SPAM/Phishing
  – Watering Hole
  – USB
• Leverage vulnerabilities
  – JavaScript
  – Java applets
  – Compound Documents
  – Anything Adobe
• Many threat vectors
  – New AND Old
  – IPS / AV Limited coverage
  – Patching lag

[Chart: Threats On Corporate Network]

Page 18

So, how do we get ‘better’ at this?

• Actionable Threat Intelligence – Use the expertise within vendors, integrators to maximize your effectiveness
• Broad Visibility – Monitor within your network, not just at the perimeter
• Deep Visibility & Context – Full packet capture and threat detection at key network locations
• Improved Workflow – Invest in solutions that fit into an Incident Response workflow and enable personnel and processes

Page 19

ATLAS: Global Threat Intelligence (Active Threat Level Analysis System)

[Diagram: ISP networks running Peakflow SP, ATLAS sensors in ISP darknet space, and the ATLAS data center, with three numbered steps:]

1. ATLAS sensors are deployed in global internet darknet space to discover and classify scan and exploit activity.
2. 290+ service providers share 90 Tbps of data on detected attacks and monitored traffic.
3. ASERT analyzes combined data, malware and attack tools and converts it into actionable intelligence for use within Arbor’s Pravail and Peakflow solutions.

Page 20

Hong Kong Voting Site Suffers Massive DDoS Attack Before Civil Referendum

Google Ideas partners with Arbor ASERT

Page 21

How ATLAS data turns actionable

• Inputs: Honeypots & SPAM Traps, the Security Community, Millions of Samples → ATLAS
• 300K Malware samples/day
• Sandbox of Virtual Machines run malware (look for botnet C&C, files, network behavior)
• Report and PCAP stored in database
• “Tracker” DDoS Attack Auto-classification and analysis every 24 hrs → DDoS Family
• Outputs: ASERT Situational Threat Brief (e.g. 2014-10, Threat Actors Associated with Recent Gaming Industry Attacks) and AIF Policy

Page 22

Broad Visibility - Flow

Leverage Flow technologies for
• Cost-effective, scalable visibility
• Layer 3/4 picture of internal network – Understand who talks to who, when and how much
• Develop a model of normal network / user behavior
• Build policy/visibility around user-identity

Correlate
• With actionable threat intelligence – Detect suspicious or malicious activities wherever they occur

Page 23

Deep Visibility & Context – Packet Capture

Use high-speed packet capture for deeper visibility
• Monitor for specific threats at network / data-centre edge(s)
• Full-fidelity storage of forensic data for interactive, retrospective analysis
• Investigate scope of compromise / kill chain

Correlate (continuously)
• With actionable threat intelligence

Page 24

Continuous Correlation

• Real-time and historical (continuous) analysis with updated threat intelligence - ‘CCTV’ for your network – Pause/Play/Rewind
• Load full signature sets with no risk of it affecting network / application performance
• RESTORE CONTEXT!

[Timeline diagram: Month 1 Traffic, Month 2 Traffic, Month 3 Traffic]
• Zero Day attack here (Month 1)
• Intelligence update without signature for the Zero Day attack → All Traffic Correlated - Zero Day not found
• Intelligence updates INCLUDING signature for the Zero Day attack → All Traffic Correlated - Zero Day FOUND

Detection capability updates occur at different times. Stored traffic can be correlated with updated threat intelligence. Now that the Zero Day attack has been identified, the attack timeline can be established.
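The retrospective correlation described on this slide, as an added example that is not part of the original deck: stored connection records are re-run against each intelligence update, and the indicator set, domains, hosts and months below are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One stored connection record (constructed; a real PCAP index carries more)."""
    month: int
    src: str
    dst: str
    domain: str


# Constructed stored traffic for three months. The beacon to the (constructed)
# domain zero-day-c2.example starts in month 1 and recurs every month.
STORED = [
    Record(1, "10.0.0.5", "192.0.2.10", "zero-day-c2.example"),
    Record(1, "10.0.0.7", "192.0.2.50", "updates.example.net"),
    Record(2, "10.0.0.5", "192.0.2.10", "zero-day-c2.example"),
    Record(2, "10.0.0.9", "192.0.2.77", "known-bad.example"),
    Record(3, "10.0.0.5", "192.0.2.10", "zero-day-c2.example"),
]

# Intelligence update without the zero-day indicator, then one that includes it.
INTEL_V1 = {"domains": {"known-bad.example"}}
INTEL_V2 = {"domains": {"known-bad.example", "zero-day-c2.example"}}


def correlate(records, intel):
    """Re-run the current indicator set over all stored traffic (the 'rewind')."""
    return [r for r in records if r.domain in intel["domains"]]


def timeline(matches, domain):
    """Attack timeline for one indicator: first/last month seen and affected hosts.
    Returns None when the stored traffic holds no match, i.e. 'Zero Day not found'."""
    hits = [m for m in matches if m.domain == domain]
    if not hits:
        return None
    return {"first_month": min(h.month for h in hits),
            "last_month": max(h.month for h in hits),
            "hosts": sorted({h.src for h in hits})}


if __name__ == "__main__":
    print(timeline(correlate(STORED, INTEL_V1), "zero-day-c2.example"))  # not found
    print(timeline(correlate(STORED, INTEL_V2), "zero-day-c2.example"))  # found, month 1
```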

Page 25

Improved Workflow

Put the power back in the hands of the analysts
• Network & Threat Visibility, in context
• Improve the Incident Response workflow
  – Make drastic improvements to Detection/Analysis
  – Enhance Containment, Eradication and Recovery timelines

Technology should enable personnel & process investment
• Regardless of how many you have or skillset

[Cycle diagram: IDENTIFY (Comprehensive monitoring and threat detection) → Prioritize → ANALYZE (Situational Awareness: augment detected events with relevant context) → React → PROTECT (Provide surgical mitigation and forensic capabilities)]

Page 26

Arbor’s Solutions Bridge the Gaps

• Arbor Cloud (ATLAS) – See and stop the threat anywhere
• Pravail Availability Protection System – Stop the threat
• Pravail Security Analytics & Network Security Intelligence – See the threat lurking inside the enterprise
• Threat Dashboard

[Diagram of the same network elements as Page 14: CDNs, Mobile Carriers, SaaS, Cloud Providers, Enterprise Perimeter, Mobile WiFi, Employees, Remote Offices, Internal Apps, Service Providers, Corporate Servers]

Page 27

Cyber Intrusion Kill Chain – An Integrated Approach to Visualize and Stop Today’s Threats

| Recon | Weaponize | Delivery | Exploit | Install | C2 | Actions |
|---|---|---|---|---|---|---|
| Scan Social Media | Inject Payload into PDF or Word doc | Email / Drive-by-Download | Java, Adobe, Internet Explorer, Etc. | Trojan / Malware / Spyware | IRC, HTTP(S), DNS | Click Fraud, Exfiltrate Data, Bitcoin Mining, DDoS, etc. |

Product coverage shown along the chain: Pravail Security Analytics (SA), Pravail Network Security Intelligence (NSI), Pravail APS.

Page 28

Arbor’s Unique Value & Sustainable Differentiation

• DDoS Leadership – 50%+ of Market (Availability)
• Advanced Threat Leadership (Security)
• Arbor Cloud, Cloud Signaling, 90Tbps Visibility

Arbor Advantage: Arbor is the only security-focused company that can connect Carrier and Enterprise network visibility to provide availability and security solutions for today’s constantly changing networks.

Our Mission: Empowering customers to see and secure their business through connected global networks.

[Diagram: Arbor Network-Wide Product Portfolio, showing good traffic versus malicious traffic & malware across Public Clouds, Corporate Networks, Mobile Carrier, Private Clouds, Service Provider, Mobile User/Attacker and Internal Employee, with products placed as NSI, SA, Mobile SP, SP/TMS, ATLAS/ASERT and APS]

Page 29

Arbor Networks’ Product Portfolio

Page 30

Thank You

Gary Sockrider

[email protected]

We see things others can’t

Page 31

Arbor’s Enterprise Solution Portfolio

• Deep and Wide Internal Visibility
• Global External Visibility
• Cloud Based Solutions
• Big Data Analytics