Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Akamai Security Roundtable for Financial Servic...

Zoe Latchford
September 28, 2016
0
170

Akamai Security Roundtable for Financial Services - slide deck

Zoe Latchford

September 28, 2016
Tweet

More Decks by Zoe Latchford

See All by Zoe Latchford
Akamai Public Sector Roundtable
zlatchfo
0
54
BT Credential Abuse and Customer Identity and Access Management Event
zlatchfo
0
190
BT and Akamai Beat the Bots Event
zlatchfo
0
280
Designing for Doomsday
zlatchfo
0
58
"Hack Yourself First" Workshop Slide Deck, Feb 2019
zlatchfo
0
110
BT and Akamai Competitive Edge Track Day
zlatchfo
0
36
Akamai Cloud Security Summit_London_June 2018
zlatchfo
0
160
Akamai and CTI Protect and Perform Breakfast Briefing
zlatchfo
0
100
Akamai Williams F1 Experience
zlatchfo
0
210

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
Unsuck your backbone
ammeep
668
57k
How STYLIGHT went responsive
nonsquared
95
5.2k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Building Your Own Lightsaber
phodgson
103
6.1k
A designer walks into a library…
pauljervisheath
204
24k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
RailsConf 2023
tenderlove
29
900

Transcript

  1. ©2016 AKAMAI | FASTER FORWARDTM Akamai Security Roundtable for Financial

    Services 27 September 2016

  2. ©2016 AKAMAI | FASTER FORWARDTM Threat Landscape, 2016 Paul Fearns,

    Senior Enterprise Security Architect

  3. ©2016 AKAMAI | FASTER FORWARDTM Cyber Attacks on the rise

    for FS

  4. ©2016 AKAMAI | FASTER FORWARDTM Industrialization

  5. ©2016 AKAMAI | FASTER FORWARDTM Monetization

  6. ©2016 AKAMAI | FASTER FORWARDTM Automated bots on the rise

  7. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

  8. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    4,919 attacks 363 Gbps DDoS Size and Frequency over time

  9. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    • Combination of vectors for mega-attacks: Hybrid Botnet • 1/3 of the times NTP is used in combination with other vectors • NTP: Malicious actors using NTP-APM attack tool. We expect NTP-APM attacks to grow faster than DNS attacks in the next few quarters • Multidomain DNS reflection attacks showed up for the first time ever • TFTP floods. Started slow last quarter but growing now. We expect to see more (amplification factor x35) Types of attacks. Why are they important

  10. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    • May: Campaign against gaming industry • More single vector attacks: malicious actors (not very qualified) launching rogue attacks. We expect this trend to revert in the future Types of attacks. More findings

  11. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Q2-2015 Q3-2015 Q4-2015 Q1-2016 Q2-2016 from 29% (AVG. last 4 quarters) Source of attacks

  12. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    50+% of customers are attacked within a year How frequently are companies attacked (if they are attacked) ?

  13. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    It is Not all Doom and Gloom! • Void Extortion were not successful • The value of NTP amplification attacks has been reduced. b/c ‘Monlist’ query patched • Hacker known as “Guccifer” was caught

  14. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    0 100 200 300 400 0 100 200 300 400 Series 1 15:30 15:45 16:00 16:15 16:30 16:45 17:00 17:15 End – 16:47 GMT First peak – 16:26 GMT 94.9 Gbps, 19.4 Mpps Second peak – 16:40 GMT 363 Gbps, 57 Mpps Start – 16:24 GMT Spotlight: 363 Gbps Attack

  15. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 • 11 attack events over 34 weeks • Attack vectors include: ACK flood, DNS flood, FIN flood, NTP flood, PUSH flood, SYN flood, TCP Anomaly, TCP flood, UDP flood, UDP fragment 32 Gbps • UDP fragment • DNS flood • NTP flood 7 Gbps • UDP fragment • DNS flood 7 Gbps • UDP fragment • DNS flood .3 Gbps • ACK flood .2 Gbps • SYN flood .2 Gbps • ACK flood • FIN flood • TCP Anomaly 7 Gbps • UDP fragment • DNS flood 2 Gbps • UDP fragment • NTP flood .4 Gbps • ACK flood .2 Gbps • UDP flood 1 Gbps • DNS flood 363 Gbps • SYN flood • UDP fragment • PUSH flood • TCP flood • DNS flood • UDP flood History: Attack Campaign

  16. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    12 Mpps 15 Mpps 5 Mpps 15 Mpps 3 Mpps 7 Mpps 363 Gbps, 57 Mpps DDoS attack targeting large European media company Six vectors including DNS reflection, SYN, PUSH, TCP, and UDP floods, UDP fragment Kaiten STD Botnet: targeting networking devices in SOHO and IoT devices List of recommendations available in the Threat Advisory 76 Gbps 94 Gbps 33 Gbps 98 Gbps 18 Gbps 44 Gbps Ashburn Frankfurt Hong Kong London San Jose Tokyo Scrubbing Centers in Action

  17. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    1816 1538 1105 951 499 480 470 390 295 Vietnam Brazil Columbia Taiwan Mexico China India Russia Thailand Top 10 Countries by Source IP SOURCE COUNTRIES

  18. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    What Can You Do • Review your playbook with IT and Security staff • Proactively Identify Critical Services • Keeping a current network diagram, IT infrastructure and assets inventory • Ensure all critical staff is either available or has designated backup • Keep IT management in the loop (corporate dealings, political overtones,…) • Closely monitor social netowork/blog activity about your company • Check corporate-sponsored, blogs, etc., for inflammatory postings • Don’t ignore mails, texts, etc., about extorsion and threaten • Alert Law Enforcement • Avoid paying ransoms • Stay in close contact with your security provider SOC

  19. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

  20. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Disclaimer • SOTI analysis exludes traffic from commercial web vulnerability scanning: • Shellshock has been removed (it is typically scanning activity)

  21. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Data about 5 attack vectors 23% HTTPS 77% HTTP

  22. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Brazil as the Top Source Country for Web Attacks Campaign against hotel industry

  23. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Evolution of Top Attack Source Countries 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Q2-2015 Q3-2015 Q4-2015 Q1-2106 Q2-2106 US Brazil Germany Russia China Rest

  24. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Targets for Web Application Attacks

  25. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    Bot Traffic Q1-2016 Q2-2016

  26. ©2016 AKAMAI | FASTER FORWARDTM Thank you Questions?

  27. Security Round table Michael Gooding

  28. ©2016 AKAMAI | FASTER FORWARDTM Michael Gooding: Performance Specialist 1.

    Caching 2. Mobile 3. API’s 4. HTTP/2 5. Images

  29. ©2016 AKAMAI | FASTER FORWARDTM 1. Caching

  30. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Improve performance of your content – Cache content Cache is King Including API responses!!!

  31. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Bandwidth is not the answer Faster mobile speeds 6.5 2 Mbps Average 4G Bandwidth UK 10 18 Mbps 2015 2020 2013 2014

  32. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. BANDWIDT H LATENCY Bandwidth is not the answer More bandwidth isn’t a magic bullet for web performance 0 1 2 3 4 1 Mbps 2 Mbps 3 Mbps 4 Mbps 5 Mbps 6 Mbps 7 Mbps 8 Mbps 9 Mbps 10 Mbps 0 1 2 3 4 200ms 180ms 160ms 140ms 120ms 100ms 80ms 60ms 40ms 20ms Page load time against BANDWIDTH Page load time against LATENCY

  33. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Improve performance of your content – Cache content

  34. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. New Fast Purge creates more opportunity Beep Beep!!

  35. ©2016 AKAMAI | FASTER FORWARDTM 2. Mobile

  36. ©2016 AKAMAI | FASTER FORWARDTM How many years to reach

    7.2 billion? 3500 0 30

  37. ©2016 AKAMAI | FASTER FORWARDTM 11,500 babies born 80,500 smartphones

    activated 4 5

  38. ©2016 AKAMAI | FASTER FORWARDTM Mobile web is growing but

    is fragmented…

  39. ©2016 AKAMAI | FASTER FORWARDTM

  40. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. All devices are not created equal 24,093 unique devices August 2015

  41. ©2016 AKAMAI | FASTER FORWARDTM Your smartphone is a 10

    year old desktop squished into your pocket “ “

  42. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. All devices are not created equal 1.0 s 2.0 s 2.6 s 334ms 1003ms 1180ms 222ms 494ms Decode times 0.7 s 103ms

  43. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Akamai can help your Mobile Websites with: •ACCELERATION Content delivery, Expedited rendering, Caching, Image / Route / Protocol optimization •REDUCED INFRASTRUCTURE Network traffic management, Network storage •SIMPLIFIED DEVELOPMENT Intelligence on end user device, location, browser

  44. ©2016 AKAMAI | FASTER FORWARDTM Cellular networks can be slow

    and congested

  45. ©2016 AKAMAI | FASTER FORWARDTM Mobile bandwidth fluctuates and unpredictable

    0 2 4 6 8 0 5 10 15 20 Mbps Measurement time (Hrs) Source: Akamai (Synthetic testing) 2 USERS 10 USERS 8 USERS NO USERS

  46. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Akamai can help you via Cellular Networks CONTENT ACCELERATION REDUCED INFRASTRUCTURE Global deployment/access, platform deployment on the mobile core networks

  47. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Radio Access Network Mobile Core Internet Akamai today Akamai future Carrier today What can Akamai do with Cellular Networks? End users Getting closer to end users

  48. ©2016 AKAMAI | FASTER FORWARDTM 3. API’s

  49. ©2016 AKAMAI | FASTER FORWARDTM Mobile Apps = API Calls

    + CONTENT

  50. ©2016 AKAMAI | FASTER FORWARDTM 115 Billion+ API Requests Per

    Day on Akamai

  51. ©2016 AKAMAI | FASTER FORWARDTM Speed Matters: Consumer Reaction to

    Slow Mobile Apps 40% 20% 30% 10% 0% Switch to a competitor’s app 34% Less likely to purchase 31% Negative brand perception 24% Source: Forrester 48 Percent of Businesses Increased Spending on Mobile Apps in 2014 Source: CDW

  52. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Akamai can help your Mobile Apps with: • API OPERATIONS Metering, Throttling, Authorization/Authentication • API ACCELERATION Content acceleration, Route optimization, Protocol Optimization, Caching • API RESPONSE API Development, Conditional API routing at the edge • MEDIA SUPPORT Image optimization

  53. ©2016 AKAMAI | FASTER FORWARDTM 5.03 3.3 2.47 1.45 0

    1 2 3 4 5 6 Carrier WiFi App Response - North America Origin Akamai Seconds Proof Point: API Acceleration on Akamai North American Bank – Online Banking App +52% Performance Improvement over cellular +71% Performance Improvement over WiFi

  54. ©2016 AKAMAI | FASTER FORWARDTM Avoid data theft and downtime

    by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Embrace the network Mobile SDK to make real-time decisions at the edge based on true network performance

  55. ©2016 AKAMAI | FASTER FORWARDTM 4. H2

  56. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

  57. ©2016 AKAMAI | FASTER FORWARDTM 5. Images

  58. ©2016 AKAMAI | FASTER FORWARDTM Evolution of Images on the

    Web Source: http://archive.org/web 1997 2016 2009 2004 • Explosion in images online • Diversity in endpoints • Mobile Internet Engagement Rich attractive images increase online engagement Diversity in devices and browsers introduce challenges Both challenge and opportunity for online business lie in mobile

  59. ©2016 AKAMAI | FASTER FORWARDTM 4 angles x 3 categories

    (main, zoom, thumbnail) x 4 formats (jpeg, WebP, j2k, jpgXR) X 2 aspect ratio x 3 qualities _____________ 288 images (files) per product * This does not include art direction or HD images Improve performance of your content - Images

  60. ©2016 AKAMAI | FASTER FORWARDTM I have a day job,

    what should I focus on? 1. Size 2. Quality 3. Format

  61. Image Manager | high quality | tailored to fit |

    light weight | less effort |

  62. ©2016 AKAMAI | FASTER FORWARDTM Image Manager example Original: 1355px

    q100 jpeg = 307Kb IM: 1355px q81 webp = 171Kb Original: 1355px q100 jpeg = 307Kb IM: 720px q83 jp2 = 62Kb 80% saving 44% saving

  63. ©2016 AKAMAI | FASTER FORWARDTM Summary 1. Caching remains the

    best defence against poor performance 2. The mobile landscape makes it hard to deliver 3. Optimise where you can to give yourself the best chance of good perf in poor conditions 4. Embrace a poor network

  64. Questions?

  65. SIRT Session, Lisa Beegle

  66. ©2016 AKAMAI | FASTER FORWARDTM

  67. ©2016 AKAMAI | FASTER FORWARDTM DDoS: Booter Sites

  68. ©2016 AKAMAI | FASTER FORWARDTM DDoS: Booter Sites

  69. ©2016 AKAMAI | FASTER FORWARDTM Emerging Trends Changes in several

    metrics indicated changes in the tools that booter/ stressor sites and botnets are using. Multi-vector attacks dropped 10 percentage points from the previous quarter, accounting for 49% of all attacks The increase in single-vector attacks seems to be the result of rogue attackers, with a single malicious actor running a particular attack tool alone. This trend is expected to revert to a greater instance of multi-vector attacks. Single-vector attacks observed so far typically carry a smaller punch than a multi-vector combination run from a booter framework. We also identified a trend in attacks greater than 300 Gbps. Where in the past these attacks were composed primarily of padded SYN And UDP flood payloads, the latest attacks contained other vectors, including reflection attacks. These attacks could indicate a new hybrid botnet that combines traditional attack tools spread on a wider scale. Web application attacks shifted this quarter. For the first time since this data was reported, the US fell to second as an attack source country. Instead, Brazil took the top spot due to a 197% increase in attacks. This quarter also posted new highs for sql injection (SQLi) and remote file inclusion (rfi) attacks with 7% and 57% increases over last quarter respectively. These web application attacks were also higher than in Q2 2015. DDoS Extortion Attempts / In recent months, there have been many news reports generated about attackers making extortion threats. It was a simple recipe. First, the attackers launched a burst of DDoS traffic. Then, they contacted the victim via email and demanded payment in exchange for a promise not to attack again. This demand was almost exclusively a request for bitcoins, in an attempt to avoid the money being traced back to the attackers. Shortly thereafter, copycats began making threats without launching any attacks. In a cursory examination of several extortion-related emails, we found the associated bitcoin wallets in each case had no recorded transactions. It appears that the targets were getting wise and not paying up. For the sake of clarity, this is not to say that all extortion attempts will be hand-waving actions with no substance — quite the contrary. Other attackers followed through on their extortion-related threats, making it difficult for any targeted organization to discern whether a threat is legitimate. This uncertainty reinforces the need for security controls to mitigate DDoS attacks.

  70. ©2016 AKAMAI | FASTER FORWARDTM DDoS: Multi-Vector Attacks

  71. ©2016 AKAMAI | FASTER FORWARDTM DDoS: Source Countries DDoS Attack

    Source Countries / China frequently appears as a top DDoS source country, a trend that continued this quarter with 56% of activity. Although China’s increase was large, when compared with Q2 2015, it represents a 75% decrease in sources. Much of this is due to the decrease in application layer attacks, which means fewer attacks can be confirmed as non-spoofed traffic. Also, UDP attacks, including reflection attacks, are not considered in this statistic. This quarter we saw Turkey end its streak as a top 10 source country for DDoS attacks, a trend that began in Q4 2015. After the us, in second place at 17%, the rest of the top 10 list was populated by countries seldom seen as DDoS sources. Taiwan (5%), Canada (4%), and Vietnam (4%) rounded out the top five. Canada appeared for the first time this quarter.

  72. ©2016 AKAMAI | FASTER FORWARDTM DDoS: Attacks by Target Repeat

    DDoS Attacks by Target / Akamai began looking at a new statistic in Q4 2015: the average number of attack events per customer. In looking back at Q1 2015, we saw an average of 15 attack events per customer, which climbed to 29 in Q1 2016 and fell slightly to 27 this quarter, as shown in Figure 2-12. One customer experienced 373 attack events this quarter, an average of four attacks per day. While most of these attacks were of relatively short duration and limited effect, the repeated hammering of the site was a serious threat to the organization. High value sites are attacked more frequently, because even a slight weakening in their defenses may reward the attacker with a significant return on the time spent. In general, we believe the increase in repeat attacks was driven by the use of stressor/booter botnets. Gaming companies continued to be the most popular target of repeat attacks, because even a minor degradation of their connectivity can greatly affect their audience of online gamers.

  73. ©2016 AKAMAI | FASTER FORWARDTM DDoS Attack Spotlight On June

    20, Akamai mitigated one of the largest confirmed DDoS attacks of the year on our routed network. The attack targeted a European media organization and was comprised of six DDoS attack vectors: SYN, UDP fragment, PUSH, TCP, DNS, and UDP floods. It peaked at 363 Gbps and 57 Mpps. The attack analysis identified a DNS reflection technique that abused a dnssec- configured domain. This attack technique generates an amplified response due to the requirements of the dnssec. During the past few quarters, Akamai observed and mitigated a large number of dns reflection and amplification DDoS attacks that abuse dnssec- configured domains. As with other DNS reflection attacks, malicious actors continued to use open DNS resolvers for their own purposes, effectively using these resolvers as a shared botnet.. The source domain was observed in DDoS attacks against customers in multiple industries. It was likely the work of malicious actors making use of a DDoS-for-hire service with purchased virtual private server (vps) services, public proxies, and legacy botnets. It appeared to have the ability to launch multiple simultaneous attack vectors, such as the ones used in this attack. Part of the SYN flood matched a signature from the Kaiten std botnet. Akamai SIRT has been investigating a malware variant of Kaiten std that specifically targets networking devices used in small-office and home-office (soho) environments and Internet of Things (IoT) devices. The malware has an extensive list of attack vectors and the capability to execute arbitrary commands and take full control of an infected system. The Kaiten std malware is packed with a custom packer/encoder to hinder analysis. It is compiled to run on multiple architectures (mips, arm, PowerPC, x86, x86_64) and uses a custom Internet relay chat (irc)-like communication protocol for command and control (C2) communications. The UDP flood could also have been generated by the Kaiten std botnet, a similar variant, or an entirely different botnet. The payload was too generic to draw a strong conclusion. This SYN flood can be identified by the length of its TCP headers and options.

  74. ©2016 AKAMAI | FASTER FORWARDTM DDoS Attack Spotlight

  75. ©2016 AKAMAI | FASTER FORWARDTM Reflection and Amplification Attacks: Analysis

    Reflection § Uses UDP packets with forged source headers § Attacker targets in intermediate server: DNS, NTP, etc. § Server replies to the forged source, sending traffic to the victim § Victim does not know the source of the attack Amplification § Attacker makes a query to the intermediate server § The query is small but the answer is large § The difference allows a small botnet to send lots of small queries and still hit with a lot of traffic

  76. ©2016 AKAMAI | FASTER FORWARDTM Web Application: Attack Vectors The

    majority of web application attacks continued to be conducted over http, with only 23% of attacks using https — a 7% drop from the previous quarter. It is likely that SQLi attacks are less common against encrypted portions of sites in large part because there are so many tempting targets on http pages. A large percentage of websites either don’t use https for their web traffic or use it only to safeguard certain sensitive transactions (such as login requests). However, https-based attacks still account for millions of attack alerts each quarter. Encrypting connections over https only affords protection to the data in flight. It does not provide any protection mechanisms for web applications, and attackers tend to shift to https to follow through on vulnerable applications.

  77. ©2016 AKAMAI | FASTER FORWARDTM Web Attacks: Top 10 Source

    Countries Top 10 Source and Target Countries / In Q2, Brazil was the main source of web application attacks for the first time since we’ve published the State of the Internet / Security Report, Brazil accounted for 25% of attack traffic, as shown in Figure 3-4. This is a 13% increase from last quarter, based largely on a series of attack campaigns in April against the hotel industry. The us was the second-largest source country at 23%, a huge drop from 43% in Q1. They were followed by Germany with 9% and Russia with 7%. The web application attacks we analyzed occurred after a TCP session was established. Due to the use of tools to mask the actual location, the attacker may not have been located in the country detected. These countries represent the IP addresses for the last hop observed.

  78. ©2016 AKAMAI | FASTER FORWARDTM Web Attacks: Industry Vertical All

    industries / Figure 3-7 lists the number of attack triggers observed for all industries we classified, followed by their percentage of attacks as a whole. Industries not included in Figure 3-6 are shown in red. This level of granularity is important for understanding future attack trends. For example, although the pharmaceutical/healthcare industry only accounted for 0.31% of web application attack triggers in Q2, the presence of 899,827 attack triggers still provides a valuable dataset for in-depth research. In fact, this number is three times higher than Q2 last year, showing this industry is being increasingly targeted. Medical records are extremely valuable in the black market. While other industries do not top the list, they still face substantial and unique risks. By examining them closely, we can see the beginnings of threats to come by analyzing trends over time observed within our platform.

  79. ©2016 AKAMAI | FASTER FORWARDTM Web Application Attack Spotlight Use

    of Anonymizing Services in Web Attacks / Organizations interested in attack attribution often wonder how much web attack traffic comes from anonymizing services. Determining the true origin of web application attacks, however, is challenging. Common sense implies that malicious actors would strive to anonymize their activities and masquerade their source traffic to prevent traceback efforts. For this report, Akamai’s Threat Research Team analyzed web attack traffic and quantified the usage of anonymizing services such as virtual private networks (VPNs) and proxies in web application layer attacks. In addition, we identified which attack types tend to be launched behind anonymizers, along with a distribution of the source and target countries of these attacks. Anonymizing services: Proxies and VPNs / Using the Internet anonymously requires techniques that reduce the footprint of the user, as well as the user’s identity and Internet client. Many online articles (e.g., The ultimate guide to staying anonymous and protecting your privacy online 2) describe how to obscure one’s online footprints, and most of them include one or more of the following approaches: 1. Delete browser cache and cookies regularly (or browse using incognito mode) 2. Block JavaScript and other client-side technologies that can be used for browser environment fingerprinting (e.g., html5 features, Flash, Silverlight) 3. Use an http proxy when applicable (with a high anonymity level) 4. Use the tor network (see the Q2 2015 State of the Internet / Security Report) 5. Use an anonymizing VPN service

  80. ©2016 AKAMAI | FASTER FORWARDTM Web Application Attack Spotlight About

    a third of the web attacks we observed originated from anonymizing VPN services and proxies, a ratio substantially higher than the 20% of all traffic to emerge from VPNs and proxies. Web attackers likely have two main reasons for using anonymizing services: • Anonymity: Hackers naturally prefer to perform their actions in a manner that will be untraceable to law enforcement organizations. • Bypassing geo-location restrictions: Many websites deploy geographical restrictions on the source IP address, blocking access from countries where they do not do business. We would like to note that while this discussion concentrated on malicious web activity, not all activity that is routed through proxies and VPNs is malicious. For example, many data mining services, business analytics, web scraping, and automated shopping bots also use anonymizing services, which allow them to load balance their activity and make it less detectable.

  81. ©2016 AKAMAI | FASTER FORWARDTM Common DDoS Attack Vectors •

    HTTP floods - GET and POST • SYN floods • Reflection floods - DNS, CHARGEN, NTP, SSDP SSYN (Static source port, static destination port) 23:03:23.724420 IP 103.118.197.139.1234 > 10.0.20.8.80: Flags [S], seq 0, win 5840, length 0 ESSYN (Random source port, user configurable destination port) 06:40:28.623796 IP x.x.x.x.3596 > y.y.y.y.1234: Flags [S], seq 3130007552, win 46080, options, length 0 XSYN (Random source port, user configurable destination port) 23:05:07.439638 IP 64.241.207.122.50027 > 10.0.20.8.80: Flags [S], seq 1616379904, win 0, length 0 Dominate (Random source port, user configurable destination port, extra flags set on each packet) 19:57:50.441872 IP x.x.x.x.22459 > y.y.y.y.80: SFRWE 243788352:243788354(2) ack 0 win 22992

  82. ©2016 AKAMAI | FASTER FORWARDTM Extortion attempts continue/ limited follow

    through Extortion occurs in two phases: Attack § The attacker will hit the target with a medium to large DDOS (3-6Gbps) Demand § The attacker demands payment to stop the attack and threatens additional attacks § Rise of bitcoin has enabled these attack as it allows for quick, anonymous payment. Demands are usually in bitcoins. § Some attackers are CDN aware and will launch direct-to-origin DDOS attacks, bypassing some defenses

  83. ©2016 AKAMAI | FASTER FORWARDTM Extortion Email --expert from the

    ransom letter-- "We'll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!" "EXS" Attack!!! "EXS" We are a HACKER TEAM - Armada Collective 1 - We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete. 2 - We'll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!! 3 - We'll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power 4 - We'll run a security breach test of your servers through the determined vulnerability, and we'll gain the access to your databases. 5 - All the computers on your network will be attacked for Cerber - Crypto-Ransomware 6 - You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS: 1BMfGb5r7jJCq685ijN5GKyXWByRKn8wHh 7 - If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins 8 - You have time to decide! Transfer 1 bitcoin to ADDRESS: 1BMfGb5r7jJCq685ijN5GKyXWByRKn8wHh Bitcoins e-money https://en.wikipedia.org/wiki/Bitcoin Bitcoins are very easy to use. Instruction: 1.You have to make personal bitcoin wallet. It is very easy. You can download and install bitcoin wallet to your PC. There are lots of reliable wallets, such as: https://multibit.org/ https://xapo.com/ But there are much easier options as well. You can make bitcoin wallet online, for example blockchain.info or coinbase.com and many others. You may also transfer money directly from exchanger or bitcoin ATM to the decryption address provided to you. 2. You can top up the credit on your bitcoin wallet in most convenient way: - To buy bitcoins in the nearest bitcoin ATM; refer to the address on a website: coinatmradar.com/countries/ - by means of credit card or different payment systems such as PayPal, Skrill, Neteller and others or by cash, for example: https://localbitcoins.com/buy_bitcoinshttps://exchange.monetago.comhttps://hitbtc.com/exchange How to make bitcoin wallet with Google for the additional information -------------------- 



  84. ©2016 AKAMAI | FASTER FORWARDTM Customers: What can you do

    Akamai Security Operations Center is open 24/7, and our vast cloud-based mitigation platform is ready to respond. However, there are some proactive steps you can take: • Review your playbook with IT and security staff to ensure you are prepared and know what to do in the event of an attack. • Stay in close contact with the Akamai SOC / Account Managers • Check the Akamai Community Security page / Luna Portal alerts for updates: https://community.akamai.com/community/security-research-and-intelligence

  85. Thank you !

  86. ©2016 AKAMAI | FASTER FORWARDTM Akamai Cloud Security Solutions OVERVIEW

    Paul Fearns Enterprise Security Architect

  87. ©2016 AKAMAI | FASTER FORWARDTM 2016 │ Bot Manager 1998

    │ Akamai founded 2003 │ Prolexic founded 2015 │ Client Reputation 2015 │ Managed WAF 2014 │ 321 Gbps DDoS 2014 │ Prolexic acquired 2014 │ KRS 2013 │ CSI 2011 │ 69 Mpps DDoS 2011 │ Kona Site Defender 2009 │ First cloud WAF 2009 │ Korea DDoS attacks 2008 │ Largest DDoS >80 Gbps 2007 │ Largest DDoS >50 Gbps 2004 │ Largest DDoS <10 Gbps 2003 │ Prolexic founded 2003 │ Site Shield introduced Helping secure web applications for OVER 18 YEARS

  88. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. 11 18 22 39 48 68 79 82 190 321 312 665 2 8 11 15 29 38 45 69 144 97 222 348 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 Gbps ©2016 AKAMAI | FASTER FORWARDTM Source: Akamai The importance of SCALE 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 Gbps

  89. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    January 5, 2014 A Kona customer reported an unknown attack and asked Akamai to investigate The importance of INTELLIGENCE

  90. ©2016 AKAMAI | FASTER FORWARDTM January 5, 2014 A Kona

    customer reported an unknown attack and asked Akamai to investigate GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1 Host: www.vulnerable.site User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) Analysis Remote file inclusion (RFI) attack against a WordPress application 2122 different RFI exploit attempts The importance of INTELLIGENCE

  91. ©2016 AKAMAI | FASTER FORWARDTM 2122 different RFI exploit attempts

    Analysis Remote file inclusion (RFI) attack against a WordPress application GET /wp-content/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1 Host: www.vulnerable.site User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) 24,301 attacks in total Looking at Big Data Same attacker launched attacks against different sites 34 Attacker part of a 272 strong botnet that targeted 1696 different applications With 1,358,980 attacks The importance of INTELLIGENCE

  92. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Scale │over 220,000 servers │seven scrubbing centers │thousands of name servers Distribution │120 countries │over 3,200 locations │more than 1,400 networks Resiliency │ automatic failover within network │ multiple networks for independent services Akamai Intelligent Platform Globally distributed cloud platform ©2016 AKAMAI | FASTER FORWARDTM

  93. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. DDoS │always-on │automated response WAF │proprietary rules engine │highly accurate │no performance impact Bot management │manage, not mitigate │customizable │granular visibility and reporting IP reputation │ hundreds of millions of IPs monthly │customize policies based on risk of attack Akamai Intelligent Platform Integrated web security ©2016 AKAMAI | FASTER FORWARDTM

  94. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. DDoS │people-driven response │customized mitigation │time-to-mitigate SLAs Data center │hundreds of applications │network infrastructure │Internet bandwidth Flexible deployment │always-on or on-demand │24x7 traffic monitoring Akamai Intelligent Platform Infrastructure protection ©2016 AKAMAI | FASTER FORWARDTM

  95. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. DDoS │ adaptive rate limiting │ white listing │ multiple redundant DNS clouds DNSSEC │ optional protection against DNS forgery │ Serve or Sign-and-Serve DNS experience │ high-performance DNS cloud │ zone apex mapping Akamai Intelligent Platform DNS protection ©2016 AKAMAI | FASTER FORWARDTM

  96. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Akamai Intelligent Platform Akamai Intelligent Platform Cloud Security Intelligence Visibility │ 15-30% of global web traffic │ every Akamai customer Data │ 80 million WAF triggers per hour │ 600,000 log lines a second │ 20 TB new attack data daily Analysis │ dedicated threat research team │ 8,000 queries a day

  97. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Akamai Intelligent Platform Akamai Intelligent Platform People │ 150+ SOC engineers │ 200+ technical certifications Experience │ 12+ years experience │ 40 to 50 attacks per week │ time-to-mitigate SLAs Locations │ Ft. Lauderdale │ Cambridge (US) │ Krakow │ Bangalore │ Tokyo 24x7 global security operations center

  98. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. People │ 200+ security-focused professional services staff Management │ security reviews │ ongoing configuration tuning │ tabletop attack drills Relationship │ customer success manager │ regular cadence meetings │ special events Akamai Intelligent Platform Security services and support

  99. ©2016 AKAMAI | FASTER FORWARDTM Cloud Security Solutions Why Akamai

    for security

  100. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Over 220,000 servers Deployed in more than 3,200 locations and 1,400 networks in 120 countries A cloud platform with INTERNET SCALE ©2016 AKAMAI | FASTER FORWARDTM

  101. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. A cloud platform with INTERNET SCALE Seven global scrubbing centers High-capacity DDoS mitigation and in-region redundancy ©2016 AKAMAI | FASTER FORWARDTM

  102. ©2016 AKAMAI | FASTER FORWARDTM Grow revenue opportunities with fast,

    personalized web experiences and manage complexity from peak demand, mobile devices and data collection. A cloud platform with INTERNET SCALE Five global SOC locations 24x7 monitoring and attack response with local language support ©2016 AKAMAI | FASTER FORWARDTM

  103. ©2016 AKAMAI | FASTER FORWARDTM ©2016 AKAMAI | FASTER FORWARDTM

    4.6 Tbps 8.7 Tbps 13.0 Tbps 15.4 Tbps 26.0 Tbps 33.6 Tbps 35.7 Tbps 2010 2011 2012 2013 2014 2015 2016 A cloud platform that SCALES FOR YOU

  104. ©2016 AKAMAI | FASTER FORWARDTM 1549 259 Detected by WAF

    Detected by Client Reputation Case study: US national retailer Malicious IP addresses over 24 hour period 248 11 Benefiting from COLLECTIVE SECURITY

  105. ©2016 AKAMAI | FASTER FORWARDTM Attack Type Time-to-Mitigate (Typical) Time-to-Mitigate

    (SLA) UDP / ICMP floods 1 minute or less 5 minutes SYN floods 1 minute or less 5 minutes TCP flag abuses 1 minute or less 5 minutes HTTP GET / POST floods 10 minute or less 20 minutes DNS reflection 5 minute or less 10 minutes DNS attack 5 minute or less 10 minutes Commitment to SECURITY EXPERTISE
  106. None