Stock exchanges are constantly targeted by cyber attacks. This presentation discusses several real life attacks cases studies discussing attack vectors, motivations, impacts and mitigation techniques.
Session ID: HT-R33
Session Classification: Intermediate
Ziv Gadot, Radware
Stock Exchanges in the Line of Fire – Morphology of Cyber Attacks
Publicly Known Attacks on Stock Exchanges
► NYSE Euronext[1]
► NASDAQ OMX Group[2]
► Hong Kong Stock Exchange[3]
► TMX Group[4]
► BATS Global Markets[5]
► Chicago Board Options Exchange[6]
► Bursa Malaysia[7]
► Tel Aviv Stock Exchange[8]
► Tadawul (Saudi Arabia)[9]
[Chart: Top 10 downtime]
Agenda
► It is Too Easy to Cause Impact
► ‘Attack Campaign’ - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
2 Case Studies
Case Study I - Day 1
10:51 Attack begins: UDP flood, HTTP flood, FIN+ACK flood, empty connection flood
      Target: Stock Exchange News Site
      Protection: Partial
      Impact: Heavy (4 hour outage to the News Site; collateral damage to other sites)
13:30 Noon trading opens, but trade is closed for several companies
16:00 Trading ends for the day
Evening: Mitigation equipment is deployed and configured; attacks halted (temporarily)
Network Impact: Severe
Business Impact: Severe
Day I – Attack Vectors
Attack Vector             Confirmed Measurement
UDP Flood                 44 Mbps
HTTP Flood                40K concurrent connections
Empty Connection Flood    5.2K PPS
FIN+ACK Flood             4 Mbps
Impact columns in the original table: Pipe Saturation, FW CPU 100%, Web Server Outage (each vector was marked against two of the three).
Day I: Media Coverage
“Attack on stock exchange triggers halt in trade”
“Stock exchange hit by hackers”
Enormous negative psychological impact
The Media Impact
Stock exchange environment + malicious attack campaign: 1 Stock Exchange = 5 Banks = 5 Government Sites
Case Study I - Day 2
08:00 Additional mitigation actions; the organization is concerned about false positives
10:36 Attack begins: HTTP Flood
      Target: Stock Exchange News Site
      Protection: Connection Rate Limit + Temp ACL
      Impact: 10-15 minutes slowness/outage
Network Impact: Low
Business Impact: None
Day 2: Media Coverage
“Stock exchange IT have been working intensively to resolve all issues”
“Experts successfully implemented a protection against the attacks”
“Additional measures were taken such as a redundant News Site”
Case Study I - Day 3
08:00 Security configuration is enforced (“War Time” configuration)
10:36 Attack begins: HTTP Flood
      Target: Stock Exchange News Site
      Protection: Connection limit, Temp ACL
      Legitimate traffic monitoring; TCP connection flood detected and mitigated immediately
      Network Impact: None; Business Impact: None
13:32 Attack begins: UDP Flood (two minutes after noon trading begins)
      Target: Stock Exchange News Site
      Protection: Behavioral technologies (primary), Connection Limit, Blacklisting
      Impact: None
      Forensic: Attacker IP detected (eventually led to arrest)
      Network Impact: None; Business Impact: None
Attack begins but is quickly mitigated
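The Day 2 and Day 3 protection, a per-source connection rate limit backed by a temporary ACL, as an added example that is not code from the deck. It models a sliding window of new connections per source: a source that exceeds the limit inside the window is dropped into a temporary ACL until the entry ages out, and everything else passes. The thresholds, the addresses and the log lines are constructed assumptions; in practice the limit is set from the peacetime baseline (the "legitimate traffic monitoring" of Day 3), because a limit below what a busy NAT gateway or proxy legitimately opens is exactly the false positive the organization worried about on Day 2.

```python
"""Connection-rate limit + temporary ACL, run over constructed connection logs.

Added example, not code from the Radware deck. Models the Day 2 / Day 3
mitigation ("Connection Rate Limit + Temp ACL") as a per-source sliding
window: a source opening more than MAX_CONNS new connections within
WINDOW_S seconds is put into a temporary ACL for ACL_TTL_S seconds.
All thresholds, addresses and log lines below are assumptions.
"""
from collections import defaultdict, deque

# Assumed tuning; derive the real limit from peacetime traffic monitoring.
MAX_CONNS = 20     # new connections allowed per source per window
WINDOW_S = 10.0    # sliding window length in seconds
ACL_TTL_S = 60.0   # how long a blocked source stays in the temporary ACL


def constructed_log():
    """Constructed sample log, one line per new TCP connection to the news
    site: '<epoch-seconds> <src-ip> SYN'. One flooder, two ordinary readers,
    then the flooder returning after its ACL entry has aged out."""
    lines = []
    for i in range(60):                       # flooder: 10 SYN/s for 6 s
        lines.append(f"{i / 10:.1f} 198.51.100.7 SYN")
    for i in range(8):                        # reader A: 1 SYN/s
        lines.append(f"{float(i):.1f} 203.0.113.9 SYN")
    for i in range(5):                        # reader B: a SYN every 2 s
        lines.append(f"{0.5 + 2 * i:.1f} 192.0.2.3 SYN")
    lines.append("70.0 198.51.100.7 SYN")     # flooder again after ACL expiry
    return sorted(lines, key=lambda l: float(l.split()[0]))


class ConnRateLimiter:
    def __init__(self, max_conns=MAX_CONNS, window_s=WINDOW_S, acl_ttl_s=ACL_TTL_S):
        self.max_conns = max_conns
        self.window_s = window_s
        self.acl_ttl_s = acl_ttl_s
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.temp_acl = {}                 # src -> ACL expiry time
        self.stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})

    def handle(self, now, src):
        """Decide one SYN from src at time now: returns 'allow' or 'drop'."""
        expiry = self.temp_acl.get(src)
        if expiry is not None:
            if now < expiry:
                self.stats[src]["dropped"] += 1
                return "drop"
            del self.temp_acl[src]         # entry aged out; source gets a fresh window
        q = self.recent[src]
        while q and now - q[0] > self.window_s:
            q.popleft()                    # slide the window forward
        q.append(now)
        if len(q) > self.max_conns:
            self.temp_acl[src] = now + self.acl_ttl_s
            q.clear()
            self.stats[src]["dropped"] += 1
            return "drop"
        self.stats[src]["allowed"] += 1
        return "allow"


def run(lines, limiter=None):
    """Feed log lines through the limiter; returns (per-source stats, temp ACL)."""
    limiter = limiter or ConnRateLimiter()
    for line in lines:
        ts, src, _event = line.split()
        limiter.handle(float(ts), src)
    return dict(limiter.stats), dict(limiter.temp_acl)


if __name__ == "__main__":
    stats, acl = run(constructed_log())
    for src, s in stats.items():
        print(f"{src:15} allowed={s['allowed']:3} dropped={s['dropped']:3}")
    print("temp ACL at end of log:", acl)
```

With the assumed limits the flooder gets 20 connections through, is dropped into the ACL on the 21st, loses the rest of its burst, and is admitted again at t=70 once the entry has expired; both readers stay well under the limit and are never touched. The temporary ACL is what keeps a rate limit cheap under load: once a source is listed, its packets are dropped without touching the sliding window at all.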
Case Study I - Week 2
► Stock Exchange remains in highest alert
► Eventually there were no serious attacks
► Protect additional networks
► Forensic process (with police)
► Arrests
It is Too Easy to Cause Impact
[Three diagrams - HTTP Flood Impact, UDP Flood Impact, SYN Flood Impact - share one topology: Internet Pipe → L3 Router → Firewall → web tier (Static Content, Trade/Financial Announcements, Trading API). Each diagram marks where that flood lands and the two resulting effects: Trade Disruption and Psychological Impact.]
2010 – no Real Protection: HTTP Flood, UDP Flood and SYN Flood reach the Stock Exchange unhindered.
2011 – Protection Deployed: Protection is placed in front of the Stock Exchange against the HTTP Flood, SYN Flood and UDP Flood.
2012 – Protection Enforced: HTTP Flood, UDP Flood and SYN Flood are covered, but new vectors appear: Slow Rate Flood and Image Download Flood.
Attackers will eventually find the weakest link!
[Two target diagrams: Political/Hacktivist’s Bull’s Eye - Ideal, and Political/Hacktivist’s Bull’s Eye - Realistic]
Case Study 2: Israel Cyber Attack, January 2012
January 3: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
January 16, early morning: 0xOmar and the pro-Palestinian “Nightmare” hacker group send an email to the Jerusalem Post threatening to attack the EL-AL website.
January 16, 9:30 AM: EL-AL, the Tel Aviv Stock Exchange and several banks are attacked and are unavailable for hours.
January 17: Israeli hacker group “IDF-Team” retaliates by attacking the websites of the Saudi and UAE stock exchanges.
January 18: Additional Israeli websites are targeted.
Case Study 2: CDN - False Sense of Security
[Diagram: legitimate traffic is served through the CDN; the attacker bypasses the CDN and attacks the origin directly]
► “HTTP Dynamic GET Request Flood”: requests carrying an invalid, random parameter are cache misses at the CDN, so every request is forwarded to the origin and the CDN service is evaded.
TASE Attack (Estimated) - Attack Vector Summary
► HTTP Dynamic Flood
► HTTP Static Flood
► UDP Flood
► SYN Flood
► UDP Fragmented Flood
Attack Vector 2: requests sent with a Pragma: no-cache header
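The two CDN-evasion vectors above, the dynamic GET flood with a random parameter and the Pragma: no-cache flood, simulated side by side as an added example that is not code from the deck. A toy edge cache sits in front of an origin in two configurations: the naive one keys the cache on the full URL and honours a client's Pragma: no-cache, so both floods turn into one origin request per attacker request; the hardened one keys the cache on an allowlist of the query parameters the page actually uses and ignores client cache-control headers, so both floods collapse onto the one cached copy. The path, the allowed parameter names and the request counts are assumptions.

```python
"""CDN cache-busting: why a CDN alone gives a 'false sense of security'.

Added example, not code from the Radware deck. Simulates a CDN edge in
front of an origin in two configurations and replays the two evasion
vectors from the talk, counting how many requests reach the origin.
  naive:    cache key = full URL (path + query); client 'Pragma: no-cache'
            forces a fetch from the origin.
  hardened: cache key keeps only an allowlist of known query parameters;
            client cache-control headers are ignored.
Paths, parameter names and request counts are assumptions.
"""
import random
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed: the news page only varies by these parameters; anything else is noise.
ALLOWED_PARAMS = {"/news": {"page", "lang"}}


class Origin:
    def __init__(self):
        self.hits = 0                      # requests that got past the edge

    def fetch(self, key):
        self.hits += 1
        return f"<html>news for {key}</html>"


class CdnEdge:
    def __init__(self, origin, normalize_keys, honor_client_no_cache):
        self.origin = origin
        self.normalize_keys = normalize_keys
        self.honor_client_no_cache = honor_client_no_cache
        self.cache = {}                    # cache key -> cached body

    def cache_key(self, url):
        parts = urlsplit(url)
        if not self.normalize_keys:
            return parts.path + "?" + parts.query          # naive: every random x= is a new key
        allowed = ALLOWED_PARAMS.get(parts.path, set())
        kept = sorted((k, v) for k, v in parse_qsl(parts.query) if k in allowed)
        return parts.path + "?" + urlencode(kept)           # hardened: unknown params dropped

    def get(self, url, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        key = self.cache_key(url)
        bypass = self.honor_client_no_cache and headers.get("pragma") == "no-cache"
        if not bypass and key in self.cache:
            return self.cache[key]
        body = self.origin.fetch(key)
        self.cache[key] = body
        return body


def dynamic_get_flood(edge, n, rng):
    """Vector from the talk: GETs for a valid page plus a random, invalid parameter."""
    for _ in range(n):
        edge.get(f"/news?page=1&x={rng.getrandbits(64)}")


def no_cache_flood(edge, n):
    """Vector from the talk: identical GETs, each carrying Pragma: no-cache."""
    for _ in range(n):
        edge.get("/news?page=1", headers={"Pragma": "no-cache"})


def origin_hits(normalize_keys, honor_client_no_cache, n=1000, seed=1):
    """Origin requests caused by n requests of each vector, after one
    legitimate request has warmed the cache. Returns {'dynamic': ..., 'no-cache': ...}."""
    rng = random.Random(seed)
    out = {}
    for name in ("dynamic", "no-cache"):
        origin = Origin()
        edge = CdnEdge(origin, normalize_keys, honor_client_no_cache)
        edge.get("/news?page=1")           # warm the cache like a normal reader would
        if name == "dynamic":
            dynamic_get_flood(edge, n, rng)
        else:
            no_cache_flood(edge, n)
        out[name] = origin.hits
    return out


if __name__ == "__main__":
    print("naive    :", origin_hits(normalize_keys=False, honor_client_no_cache=True))
    print("hardened :", origin_hits(normalize_keys=True, honor_client_no_cache=False))
```

Both fixes are needed: normalizing the cache key without ignoring client no-cache headers stops the dynamic flood but not the Pragma flood, and vice versa. Normalizing the key is only safe when the origin really ignores the unknown parameters, and it does not help against a flood of valid but distinct pages (page=1..N), which is why the talk still leans on behavioral, per-source detection rather than on the CDN alone.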
‘Attack Campaign’ - Morphology
Attack Campaign Morphology (phases in the original timeline diagram):
Reconnaissance → Test Fire → Heads Up → Attack Begins → Service Disruption → Automatic Mitigation → New Attack Vectors → Service Disruption → Manual Mitigation → Mitigation Continued → Attack Ends → Forensic
Resolution: Transition from a 2-phase security approach to a 3-phase security approach

2-Phase Security Model
Timeline: “Peace” Period (Pre-attack Phase) → Attack Period → “Peace” Period (Post-attack Phase) → Pre-attack Phase → Attack Period ...
During the Attack Period: Automatic Mitigation (no time for human interaction)

3-Phase Security Model
Timeline: “Peace” Period (Pre-attack Phase) → Attack Period → “Peace” Period (Post-attack Phase)
THE SECURITY GAP: the attacker has time to bypass automatic mitigation, and defenders have no skill/capacity to sustain it.
Industry Security Survey: How much did your organization invest in each of the following security aspects in the last year?
[Bar chart, 0% to 45%: Procedures, Human skills and Equipment, each broken down by Before / During / After an attack. Source: Radware 2012 Global Application and Network Security Report]
THE SECURITY GAP: the attacker has time to bypass automatic mitigation, and defenders have no skill/capacity to sustain it.
Be prepared for prolonged attacks!

3-Phase Security
Timeline: “Peace” Period (Pre-attack Phase) → Attack Period → “Peace” Period (Post-attack Phase)
A Response Team covers all three phases: 24x7x365, trained, experienced
During the Attack Period: Active Mitigation, RT Intel, Counterattack
Summary
► It is Too Easy to Cause an Impact
► ‘Attack Campaign’ - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach

Q & A
Ziv Gadot, Radware, [email protected]

Additional Reading
► Radware 2012 Global Application and Network Security Report
► Radware 2011 Global Application and Network Security Report
► Cyber War Rooms: Why IT Needs New Expertise To Combat Today's Cyberattacks - Avi Chesla