#CLOUDSEC

Hoster under Attack: ProtonMail - Switzerland
Carl Herberger, Vice President, Security Solutions, Radware
A Look Into Attack Motives
Remember "C.H.E.W." (Richard Clarke):
- Cyber Crime: financial gain is the primary motive
- Hacktivism: driven by ideological differences
- Espionage: gaining information for political, financial or competitive leverage
- War: damage/destroy centers of power, military or non-military
Lines are blurring... "multi-motive" attacks
Ironically, and evidently, the more "secure" your data is, the more it risks a cyberattack
Motivations Behind Attacks Are Changing
- Motivations are changing but still widely unknown
- Hacktivism is the main motive (over 1/3)
- Big increase in ransom as a motive (25%, up from 16% last year)
Source: Radware ERT Report 2015
Comparing to 2014: Increased Attacks on Education and Hosting
- Most verticals stayed the same
- Education and Hosting: increased likelihood
- Growing number of "help me DDoS my school" requests
- Motivations vary for Hosting: some target end customers, some target the hosting companies
[Chart: 2015 change from 2014, by vertical]
Source: Radware ERT Report 2015
The Rise of the Continuous Attack
Longer, larger and more sophisticated attacks. Constant attacks on the rise.
- In previous years, attacks that were considered "constant" never exceeded 6%
- In 2014, 19% of attacks were considered "constant"
- In % were considered "constant"
- 52% of respondents felt they could fight a campaign for only one day or less
Source: Radware ERT Report 2015
Over 90% Experienced Attacks in 2015
- Half of organizations experienced DDoS and phishing attacks
- Almost half had worm and virus damage
- One in ten have not experienced any of the attacks mentioned
Source: Radware ERT Report 2015
ProtonMail Ransom Attack
- Ransom attacks against service providers
- Original ransom source: The Armada Collective
- Targets include ProtonMail, Neomailbox, VF , Hushmail, Fastmail, Zoho and Runbox
Who is The Armada Collective?
Background
- Either originating from DD4BC or acting as a copycat using their methods
- Focused on hosting providers, e-commerce and financial services, primarily in Europe
- Two companies we know of have already been taken down
Strategy
- Customers receive a ransom mail asking for 30 bitcoins (5.600 € – €)
- A warning attack follows within minutes
- If payment is refused, attacks increase to up to 1TB
- Targeted: ransom mail is sent to dedicated and named internal recipients
- They do their homework: if the victim has strong DDoS protection, they will not go after it; they only attack when they can create real damage
Attack Methods
- Current vectors are amplification attacks (NTP, RIP reflection amplification)
- Warning attacks up to 20GB
Risk
- Affected organizations have a short time to act and prepare
- Very high risk: aggressive and professional attackers
- Proven results: high volume attacks that have taken companies down
ProtonMail Attack Timeline
Largest and most extensive cyberattack in Switzerland
- Nov: ProtonMail receives a ransom demand from The Armada Collective, followed by a DDoS attack that takes them offline for 15 mins
- Nov: The next DDoS attack hits in the morning and by afternoon reaches over 100G, directly attacking the datacenter and ISP infrastructure. ProtonMail, under pressure, decides to pay the ransom, but attacks continue from a 2nd source
- Nov: ProtonMail continues to suffer ongoing high-volume, complex attacks from a second, unknown source
- Nov: Radware's Emergency Response Team implements its attack mitigation solution to protect ProtonMail. Service is restored shortly after
- Nov: Attacks continue at high volume, 30-50G at peaks, during these days. Attacks are mitigated successfully by Radware
ProtonMail Attack – A Look Inside
Persistent Denial of Service Attacks
Evolution of Attack Vectors by Day
Nov 8th
- UDP flood
- SYN flood
- DDoS-NTP-reflection
- DDoS-DNS-reflection
- SYN-ACK flood
- DDoS-tcp-urgent
- DDoS-tcp-zero-seq
- DDoS-chargen-reflected events
Nov 9th
- UDP flood – reflective DNS
- TCP RST flood
- ICMP flood
- SYN flood – HTTPS
- SYN flood – HTTP
Nov 10th
- UDP flood – SSDP & NTP reflection
- ICMP flood
- TCP SYN flood
- TCP out-of-state flood
Nov 15th
- UDP flood
- DDoS-SSL
- TCP out-of-state
- DDoS-udp-fragmented
- DDoS-NTP-reflection
- DDoS-DNS-reflection
- SYN-ACK flood
- Minor ICMP flood / RST flood
- SYN flood
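The vector names above come from a mitigation device's event log; a first-pass classifier that a SOC could run over its own flow exports gives the same kind of per-day picture. The block below is an added example, not code from Radware or ProtonMail: it classifies constructed flow records (the field layout and the per-flow thresholds are assumptions) into the reflection/amplification and flood vectors listed for this attack.

```python
# Added example: tag flow records with the DDoS vector they resemble.
# Record fields (proto, sport, dport, flags, pkts, bytes) are an assumed
# NetFlow-like layout; thresholds are illustrative, not tuned values.
from collections import Counter

# UDP source ports abused for reflection/amplification (assumed mapping)
REFLECTION_PORTS = {123: "NTP-reflection", 53: "DNS-reflection",
                    1900: "SSDP-reflection", 19: "chargen-reflected"}
FLOOD_PKTS = 1000      # packets per flow record above which we call it a flood
AMP_BYTES_PER_PKT = 400  # amplified replies are large; normal DNS/NTP is small

def classify(flow):
    """Return a vector name for one flow record, or None if it looks benign."""
    proto, pkts = flow["proto"], flow["pkts"]
    if proto == "udp":
        name = REFLECTION_PORTS.get(flow["sport"])
        if name and flow["bytes"] / pkts > AMP_BYTES_PER_PKT:
            return name                       # large replies from a reflector port
        return "UDP-flood" if pkts >= FLOOD_PKTS else None
    if proto == "icmp":
        return "ICMP-flood" if pkts >= FLOOD_PKTS else None
    if proto == "tcp" and pkts >= FLOOD_PKTS:
        flags = flow["flags"]
        if flags == "S":                      # SYN only, no handshake completion
            return "SYN-flood-HTTPS" if flow["dport"] == 443 else "SYN-flood"
        if flags == "SA":
            return "SYN-ACK-flood"            # reflected SYN-ACKs from spoofed SYNs
        if flags == "R":
            return "RST-flood"
        return "TCP-out-of-state-flood"       # high-rate TCP without a valid handshake
    return None

def summarize(flows):
    """Count which vectors appear across a batch of flow records."""
    return Counter(v for v in map(classify, flows) if v)

# Constructed sample records (not captured traffic); the last two are benign.
FLOWS = [
    {"proto": "udp", "sport": 123, "dport": 40000, "flags": "", "pkts": 5000, "bytes": 2300000},
    {"proto": "udp", "sport": 53, "dport": 4100, "flags": "", "pkts": 3000, "bytes": 9000000},
    {"proto": "tcp", "sport": 51000, "dport": 443, "flags": "S", "pkts": 20000, "bytes": 1200000},
    {"proto": "tcp", "sport": 80, "dport": 3333, "flags": "SA", "pkts": 8000, "bytes": 480000},
    {"proto": "icmp", "sport": 0, "dport": 0, "flags": "", "pkts": 4000, "bytes": 3200000},
    {"proto": "udp", "sport": 53, "dport": 53, "flags": "", "pkts": 12, "bytes": 1100},
    {"proto": "tcp", "sport": 52000, "dport": 443, "flags": "PA", "pkts": 40, "bytes": 5000},
]

if __name__ == "__main__":
    for vector, count in sorted(summarize(FLOWS).items()):
        print(f"{vector}: {count}")
```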
Long Attacks & Short Pulse Attacks
Assessing the Attacks
- ProtonMail worked with MELANI, a Swiss federal government division
- Information was exchanged with other companies that were also attacked
- Identified 2 separate campaigns:
  - Volumetric attack targeting only the company's IP addresses (by Armada Collective)
  - More complex attack targeting weak points in the infrastructure of ProtonMail's ISPs
"This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us." – ProtonMail Blog
The Multi-Vector Challenge
Coordinated, specialized technologies
[Diagram: attack path from the Internet pipe through Firewall, Load Balancer/ADC and Server Under Attack to SQL Server, with the attack types hitting each layer and the technology that covers them]
- Large volume network flood attacks: Cloud DDoS protection
- SYN floods, network scans: DoS protection, IPS/IDS
- HTTP floods, SSL floods: behavioral analysis, SSL protection
- App misuse, brute force, XSS, CSRF, SQL injections: WAF
- "Low & Slow" DoS attacks (e.g. Slowloris): behavioral analysis
Hybrid DDoS Mitigation Solution
[Diagram: Cloud – Perimeter – LAN, with the Attack Mitigation Device at the perimeter, the ADC behind it, and Radware Cloud Scrubbing in front]
- A volumetric DDoS attack saturates the internet pipe
- The attack is immediately detected and mitigated at the perimeter
- The attack baseline is synchronized to Radware's Cloud Scrubbing Center (Defense Messaging)
- Traffic is diverted and scrubbed in the cloud, freeing the internet pipe
Radware's Security Solution: Addressing the Multi-Vector Challenge
- Centralized Management & Reporting: APSolute Vision
- Web Application Firewall: AppWall, Cloud WAF Service
- Attack Mitigation Device: DefensePro (DoS protection, behavioral analysis, IPS, WAF, SSL protection), throughput ranging 200Mbps – 300Gbps
- On-Demand Cloud DDoS Service: DefensePipe, +1TB mitigation capacity, hybrid or standalone models
- Radware Emergency Response Team: 24x7 security experts
Lessons Learned - Successful Attack Mitigation Strategies
Proactive preparation and planning is key
- Need a solution with the widest coverage to protect from multi-vector attacks, including protection from network- and application-based DDoS attacks
- Monitor security alerts and examine triggers carefully
- Tune existing policies and protections to prevent false positives and ensure accurate detection
- Consider a hybrid solution that integrates on-premise detection and mitigation with cloud-based protection to block volumetric attacks
- Have a cyber-security emergency response plan, with an emergency response team and process in place
- Identify areas where help is needed from a third party
- A single point of contact is crucial when under attack; it will help to divert internet traffic and deploy mitigation solutions
Carl Herberger, Radware Ltd