
Cyber Attacks: No One Immune, Few Prepared: How ProtonMail survived an Advanced Persistent DDoS attack. Carl Herberger, VP Security Solutions.


1 Cyber Attacks: No One Immune, Few Prepared: How ProtonMail survived an Advanced Persistent DDoS attack. Carl Herberger, VP Security Solutions

2 THE GLOBAL EVENT FOR THE CLOUD AND SERVICE PROVIDER ECOSYSTEM
No Pitch Presentation Policy
Please help us produce more relevant content in the future by rating this session using our event app! Each presenter signs a speaker agreement certifying that their presentation will be educational and not a sales pitch. Attendees have a right to report speakers not adhering to the policy.

3 The rise of automation: the stock market in 1980 vs. the stock market in 2010

4 The rise of automation: being a pilot 50 years ago vs. being a pilot today

5 The rise of automation: self-delivering packages, self-driving buses

6 “By 2018, the fastest-growing companies will have fewer employees than instances of smart machines” – Gartner technology research, “Top Strategic Digital Predictions,” 2015

7 There are more things to attack, and more things that can attack you

8 There are more sensitive things to attack

9 We’re seeing more attacks. No one is immune.

10 Over 90% Experienced Attacks in 2015
- Half of organizations experienced DDoS and phishing attacks
- Almost half had worm and virus damage
- One in ten have not experienced any of the attacks mentioned
Q: What type of attack have you experienced?

11 Increased Attacks on Education and Hosting (2015, change from 2014)
- Compared to 2014, most verticals stayed the same
- Education and Hosting: increased likelihood of attack
- Growing number of “help me DDoS my school” requests
- Motivations vary for Hosting: some target the end customers, some target the hosting companies themselves

12 Everyone Is a Target
- OpIcarus: financial institutions, Feb-June 2016
- Web hosting companies under attack, Feb-April 2016
- India vs. Pakistan conflict goes cyber, Jan-May 2016
- COMELEC Philippines election breach, May 2016

13 DDoS Continues to Lead as Biggest Threat
DDoS attacks and unauthorized access are the main causes of harm to organizations.
Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?

14 We’re seeing more sophisticated, automated attacks

15 Attacker Motivation is Shifting: Increase in Ransom as a Motive
- More than 50% increase in ransom as a motivator for attackers
- Motivation behind cyber-attacks is still largely unknown
- One-third cited political/hacktivism
- About a quarter referenced competition, ransom, or angry users
Q: Which of the following motives are behind any cyber-attacks your organization experienced?

16 Growth in Cyber-Warfare Attacks
- Army and defense contractors are targeted primarily by nation states and affiliates of the nation state
- Political/hacktivism and espionage are the primary motivations
- Attack vectors include: malware and phishing campaigns; web defacement and takedowns; DDoS and application-based attacks
Examples:
- Two Russian-affiliated intelligence groups penetrated the US Democratic National Committee network. The group targeted the DNC network and had gained access for a year. (June 2016)
- The South Korean Air Force website was recently shut down after “malignant code” was found on the site. (May 2016)
- Identities of an elite Swiss special forces army unit may have been revealed in a hack of a defense contractor. The Swiss Defense Ministry was also hit, but the attack was fended off. Russian hackers suspected. (Jan 2016)
- A group of four hackers breached the official email servers belonging to the Bolivian Army, downloaded emails, and dumped some of the data online. (Feb 2016)

17 Burst Attacks on the Rise
- More than half of the three biggest attacks experienced lasted 1 hour or less
- A significant increase from the 27% in 2014
- Another indication of increased automated attacks
Q: What are the three biggest cyber-attacks you have suffered: duration?

18 More than a Third Experienced Ransom or SSL/TLS-Based Attacks
More than a third reported having experienced either a ransom attack or an SSL- or TLS-based attack.
Q: Have you experienced any ransom attacks this year?
Q: Have you experienced encrypted SSL- or TLS-based attacks?

19 Similar Frequency for Network and Application Attacks
- Network attacks: 38-42% experienced them daily, weekly or monthly
- Application attacks: 38-52% experienced them daily, weekly or monthly

20 How ProtonMail survived an Advanced Persistent DDoS (APDDoS) attack

21 Email Service Providers Under Attack
- Ransom attacks against email service providers
- Original ransom source: The Armada Collective
- Targets include ProtonMail, Neomailbox, VFEmail, Hushmail, Fastmail, Zoho and Runbox

22 Who is The Armada Collective?
Background
- Either originating from DD4BC or acting as a copycat using their methods
- Focused on hosting providers, e-commerce and financial services, primarily in Europe
- Two companies we know of have already been taken down
Strategy
- Victims receive a ransom mail asking for 30 bitcoins (5.600 € – 8.400 €); a warning attack follows within minutes
- If payment is refused, attacks increase to up to 1TB
- Targeted: emails are sent to dedicated, named internal recipients
- They do their homework: if the victim has strong DDoS protection, they will not go after it; they only attack when they can create real damage
Attack Methods
- Current vectors are amplification attacks (NTP and RIP reflection amplification)
- Warning attacks up to 20GB
Risk
- Affected organizations have a short time to act and prepare
- Very high risk: aggressive and professional attackers
- Proven results, with high volume and companies taken down

23 ProtonMail Ransom Attack Case
Swiss-based encrypted email service provider
- In Nov 2015, experienced back-to-back attacks initiated through a ransom request
- Over the course of 7-10 days, experienced multiple attack vectors at high volume
- Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks

24 ProtonMail Attack Timeline: the largest and most extensive cyberattack in Switzerland’s history
- Nov. 3 2015: ProtonMail receives a ransom email from The Armada Collective, followed by a DDoS attack that took them offline for 15 mins
- Nov. 4 2015: The next DDoS attack hits in the morning and by afternoon reaches over 100G, directly attacking the datacenter and ISP infrastructure. ProtonMail, under pressure, decides to pay the ransom, but attacks continue from a 2nd source
- Nov. 5-7 2015: ProtonMail continues to suffer ongoing high-volume, complex attacks from a second, unknown source
- Nov. 8 2015: Radware’s Emergency Response Team implements its attack mitigation solution to protect ProtonMail. Service is restored shortly after
- Nov. 9-15 2015: Attacks continue at high volume, 30-50G at peaks, during these days. Attacks are mitigated successfully by Radware

25 ProtonMail Attack – A Look Inside Persistent Denial of Service Attacks

26 Evolution of Attack Vectors by Day (Nov 8th – Nov 11th)
Vectors observed over these days, in the order they appear on the slide (the per-day columns are not recoverable from the slide layout):
- UDP flood
- SYN flood
- DDoS-NTP-reflection
- DDoS-DNS-reflection
- SYN-ACK flood
- DDoS-TCP-urgent
- DDoS-TCP-zero-seq
- DDoS-chargen-reflected events
- UDP flood – reflective DNS
- TCP RST flood
- ICMP flood
- SYN flood – HTTPS
- SYN flood – HTTP
- UDP flood – SSDP & NTP reflection
- ICMP flood
- TCP SYN flood
- TCP out-of-state flood
- UDP flood
- DDoS-SSL
- TCP out-of-state
- DDoS-udp-fragmented
- DDoS-NTP-reflection
- DDoS-DNS-reflection
- SYN-ACK flood
- Minor ICMP flood / RST flood
- SYN flood

27 Long Attacks & Short Pulse Attacks

28 Summary: What Can You Do?
Preparedness is key. Multi-layered solutions are a must. Services are important.
- Bet on automation. It has become necessary to fight automated threats with automation technology.
- Cover the blind spot. Choose a solution with the widest coverage to protect from multi-vector attacks.
- Multi-layered solution. Look for a single-vendor, hybrid solution that can protect networks and applications from a wide range of attacks, and includes DoS protection, behavioral analysis, IPS, encrypted attack protection and a web application firewall (WAF).
- Protect from encrypted attacks. SSL-based DDoS mitigation solution deployments must not affect legitimate traffic performance.
- A single point of contact is crucial when under attack; it will help to divert internet traffic and deploy mitigation solutions.

