Stock Exchanges in the Line of Fire – Morphology of Cyber Attacks
DESCRIPTION
Stock exchanges are constantly targeted by cyber attacks. This presentation discusses several real-life attack case studies, covering attack vectors, motivations, impacts and mitigation techniques.
TRANSCRIPT
Slide 1
Stock Exchanges in the Line of Fire – Morphology of Cyber Attacks
Ziv Gadot, Radware
Session ID: HT-R33
Session Classification: Intermediate
Slide 2: Publicly Known Attacks on Stock Exchanges (Top 10 – Downtime)
► NYSE Euronext[1]
► NASDAQ OMX Group[2]
► Hong Kong Stock Exchange[3]
► TMX Group[4]
► BATS Global Markets[5]
► Chicago Board Options Exchange[6]
► Bursa Malaysia[7]
► Tel Aviv Stock Exchange[8]
► Tadawul (Saudi Arabia)[9]
Slide 3: Agenda
► 2 Case Studies
► It is Too Easy to Cause Impact
► ‘Attack Campaign’ - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
Slide 4: Case Study 1 – Day 1
Slide 5: Day 1
10:51 Attack begins: UDP flood, HTTP flood, FIN+ACK flood, empty connection flood
Target: Stock Exchange News Site. Protection: Partial. Impact: Heavy (4 hour outage to the News Site; collateral damage to other sites)
13:30 Noon trading opens, but trade is closed for several companies
16:00 Trading ends for the day
Evening: Mitigation equipment is deployed and configured; attacks halted (temporarily)
Network Impact: Severe. Business Impact: Severe
Slide 6: Day 1 (traffic chart; time axis in hours)
Slide 7: Day 1 – Attack Vectors

| Attack Vector | Confirmed Measurement |
| --- | --- |
| UDP Flood | 44 Mbps |
| HTTP Flood | 40K concurrent connections |
| Empty Connection Flood | 5.2K PPS |
| FIN+ACK | 4 Mbps |

Impact columns on the slide: Pipe Saturation, FW CPU 100%, Web Server Outage (each vector is marked against two of the three).
Slide 8: Day 1 – Media Coverage
“Attack on stock exchange triggers halt in trade”
“Stock exchange hit by hackers”
Slide 9: The Media Impact
Stock exchange environment + malicious attack campaign = enormous negative psychological impact
1 Stock Exchange = 5 Banks = 5 Government Sites
Slide 10: Case Study 1 – Day 2
Slide 11: Day 2
08:00 Additional mitigation actions; the organization is concerned about false positives
10:36 Attack begins: HTTP Flood. Target: Stock Exchange News Site. Protection: Connection Rate Limit + Temporary ACL. Impact: 10-15 minutes of slowness/outage
Network Impact: Low. Business Impact: None
Slide 12: Day 2
“Stock exchange IT have been working intensively to resolve all issues”
“Experts successfully implemented a protection against the attacks”
“Additional measures were taken such as a redundant News Site”
Slide 13: Case Study 1 – Day 3
Slide 14: Day 3
08:00 Security configuration is enforced (“War Time” configuration)
10:36 Attack begins: HTTP Flood. Target: Stock Exchange News Site. Protection: Connection Limit + Temporary ACL
Network Impact: None. Business Impact: None
Slide 15: Day 3 (traffic chart)
Legitimate traffic monitoring
TCP connection flood detected and mitigated immediately
Slide 16: Day 3
13:32 Attack begins: UDP Flood (two minutes after noon trading begins). Target: Stock Exchange News Site. Protection:
- Behavioral technologies (primary)
- Connection Limit
- Blacklisting
Impact: None. Forensics: Attacker IP detected (eventually led to arrest)
Network Impact: None. Business Impact: None
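The Day 2 and Day 3 slides name the controls that turned a four-hour outage into a non-event: a per-source connection rate limit backed by a temporary ACL, with a blacklist for sources that trip it. The following is an added example, not Radware's code or anything shown in the presentation, of how such a control behaves: a sliding-window counter of new connections per source IP, an ACL entry that expires after a TTL, and a constructed connection log with two normal clients and one flooding source. The thresholds (20 new connections per 10 seconds, 300-second ACL) and the IP addresses are assumptions chosen for the example.

```python
"""Per-source connection rate limit with a temporary ACL (added example, constructed data)."""
from collections import defaultdict, deque

# Constructed thresholds; assumptions for this example, not values from the presentation.
RATE_LIMIT = 20          # max new connections per source inside the window
WINDOW_SECONDS = 10.0    # sliding-window length
ACL_TTL_SECONDS = 300.0  # how long a source stays on the temporary ACL


class ConnectionRateLimiter:
    """Counts new connections per source IP in a sliding window.

    A source that opens more than `rate_limit` connections within `window`
    seconds is added to a temporary ACL for `acl_ttl` seconds; connections
    from a listed source are dropped until the entry expires.
    """

    def __init__(self, rate_limit=RATE_LIMIT, window=WINDOW_SECONDS, acl_ttl=ACL_TTL_SECONDS):
        self.rate_limit = rate_limit
        self.window = window
        self.acl_ttl = acl_ttl
        self.history = defaultdict(deque)  # src_ip -> timestamps of recent connections
        self.acl = {}                      # src_ip -> time at which the block expires

    def is_blocked(self, src_ip, now):
        """True while the source has an unexpired ACL entry; expired entries are removed."""
        expiry = self.acl.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.acl[src_ip]           # temporary ACL entry has aged out
            return False
        return True

    def on_connection(self, src_ip, now):
        """Verdict for one new connection: 'blocked' (dropped by the ACL),
        'limited' (this connection tripped the limit and the source was listed)
        or 'allowed'."""
        if self.is_blocked(src_ip, now):
            return "blocked"
        recent = self.history[src_ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()               # forget connections outside the window
        if len(recent) > self.rate_limit:
            self.acl[src_ip] = now + self.acl_ttl
            recent.clear()
            return "limited"
        return "allowed"


def replay(events, limiter=None):
    """Feed (timestamp, src_ip) connection events through the limiter in order.

    Returns the limiter (so its ACL can be inspected) and a per-source
    count of verdicts."""
    limiter = limiter or ConnectionRateLimiter()
    summary = defaultdict(lambda: {"allowed": 0, "limited": 0, "blocked": 0})
    for ts, src in events:
        summary[src][limiter.on_connection(src, ts)] += 1
    return limiter, dict(summary)


# Constructed connection log: two ordinary clients and one flood source.
SAMPLE_EVENTS = sorted(
    [(t * 2.0, "198.51.100.10") for t in range(30)]        # one connection every 2 s
    + [(t * 3.0 + 1.0, "198.51.100.11") for t in range(20)]  # one connection every 3 s
    + [(t * 0.05, "203.0.113.7") for t in range(1200)]      # 20 connections/s for 60 s
)

if __name__ == "__main__":
    limiter, summary = replay(SAMPLE_EVENTS)
    for ip, counts in sorted(summary.items()):
        print(f"{ip:15} {counts}")
    print("currently on temporary ACL:", sorted(limiter.acl))
```

The flood source is allowed its first 20 connections, listed on the 21st, and dropped by the ACL for the rest of the run, while the two low-rate clients never come near the limit. The Day 2 slide's worry about false positives is exactly the tuning question this exposes: the window and limit must be set from the legitimate traffic baseline the Day 3 slide calls "legitimate traffic monitoring", not guessed during the attack.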
Slide 17: Day 3 (traffic chart) – Attack begins but is quickly mitigated
Slide 18: Case Study 1 – Week 2
Slide 19: Week 2
► Stock Exchange remains on highest alert
► Eventually there were no serious attacks
► Protect additional networks
► Forensic process (with police)
► Arrests
Slide 20: It is Too Easy to Cause Impact
Slide 21: HTTP Flood Impact (diagram)
Path: Internet Pipe → L3 Router → Firewall → Static Content / Trade/Financial Announcements / Trading API
Attack: HTTP Flood. Impact: Psychological Impact, Trade Disruption
Slide 22: UDP Flood Impact (diagram)
Path: Internet Pipe → L3 Router → Firewall → Static Content / Trade/Financial Announcements / Trading API
Attack: UDP Flood. Impact: Psychological Impact, Trade Disruption
Slide 23: SYN Flood Impact (diagram)
Path: Internet Pipe → L3 Router → Firewall → Static Content / Trade/Financial Announcements / Trading API
Attack: SYN Flood. Impact: Psychological Impact, Trade Disruption
Slide 24: 2010 – No Real Protection (diagram)
Attack vectors reaching the Stock Exchange: HTTP Flood, UDP Flood, SYN Flood. Protection: none
Slide 25: 2011 – Protection Deployed (diagram)
Attack vectors: HTTP Flood, SYN Flood, UDP Flood. Protection in front of the Stock Exchange
Slide 26: 2012 – Protection Enforced (diagram)
Attack vectors: HTTP Flood, UDP Flood, SYN Flood, Slow Rate Flood, Image Download Flood. Protection in front of the Stock Exchange
Attackers will eventually find the weakest link!
Slide 27: Political/Hacktivist’s Bull’s Eye - Ideal
Slide 28: Political/Hacktivist’s Bull’s Eye - Realistic
Slide 29: Case Study 2 – Israel Cyber Attack, January 2012
Slide 30: Case Study 2
January 3: Saudi hacker 0xOmar leaks tens of thousands of Israeli credit card numbers and other sensitive personal information.
January 16, early morning: 0xOmar and the pro-Palestinian “Nightmare” hacker group send an email to the Jerusalem Post, threatening to attack the EL-AL website.
January 16, 9:30 AM: EL-AL, the Tel Aviv Stock Exchange, and several banks are attacked and are unavailable for hours.
January 17: Israeli hacker group “IDF-Team” retaliates by attacking the websites of the Saudi and UAE stock exchanges.
January 18: Additional Israeli websites are targeted.
Slide 31: CDN - False Sense of Security (diagram)
Legitimate traffic is served through the CDN; the attacker bypasses the CDN and attacks the origin directly
Slide 32: TASE Attack (Estimated)
► “HTTP Dynamic GET Request Flood”
► Requests carrying an invalid, random parameter evade the CDN service, so each one is passed through to the origin
Slide 33: Attack Vector 2
Pragma: no-cache
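Slides 32 and 33 describe two ways the TASE flood defeated the CDN: a random query parameter that makes every request a distinct cache key, and the `Pragma: no-cache` request header, which a cache that honours it treats as an instruction to fetch from the origin. Both leave a distinctive footprint in origin access logs, and both are blunted by the same configuration change: building the cache key only from the query parameters the application actually understands, and not letting client headers dictate cache bypass. The example below is added here and is not code from the presentation or from the exchange; it parses a constructed log format (an assumption, defined in the code), reports per client the ratio of distinct request targets and of requests asking for cache bypass, and shows the cache-key normalisation that collapses the random-parameter requests back onto a single cached object. Thresholds, IP addresses and the `KNOWN_PARAMS` set are constructed for the example.

```python
"""Detect cache-busting GET floods in a constructed access log (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed log format, an assumption for this example (not the exchange's real logs):
#   <client_ip> "<METHOD> <path?query> HTTP/1.x" <status> "<cache-related request header or ->"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) "(?P<cache_hdr>[^"]*)"$'
)

# Query parameters the origin application understands (constructed); anything else
# is dropped from the cache key so it cannot be used to force a cache miss.
KNOWN_PARAMS = {"id", "page"}


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_cache_key(target, known=KNOWN_PARAMS):
    """Cache-key normalisation: keep only known parameters, sorted, so
    '/news?id=7&x=abc' and '/news?id=7&x=zzz' map to the same cached object."""
    parts = urlsplit(target)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k in known)
    return urlunsplit(("", "", parts.path, urlencode(kept), ""))


def analyse(lines, min_requests=10, unique_ratio=0.9, nocache_ratio=0.9):
    """Per client IP: request count, ratio of distinct raw targets, ratio of requests
    asking for cache bypass, and how many cache keys remain after normalisation.
    A client is flagged when it is busy and either ratio is near 1."""
    per_ip = defaultdict(lambda: {"requests": 0, "targets": set(), "nocache": 0, "keys": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue                      # unparsable or not a GET: out of scope here
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["targets"].add(rec["target"])
        s["keys"].add(normalize_cache_key(rec["target"]))
        if "no-cache" in rec["cache_hdr"].lower():   # Pragma or Cache-Control: no-cache
            s["nocache"] += 1
    report = {}
    for ip, s in per_ip.items():
        n = s["requests"]
        uniq = len(s["targets"]) / n
        nc = s["nocache"] / n
        report[ip] = {
            "requests": n,
            "unique_target_ratio": round(uniq, 2),
            "nocache_ratio": round(nc, 2),
            "distinct_cache_keys_after_normalisation": len(s["keys"]),
            "suspicious": n >= min_requests and (uniq >= unique_ratio or nc >= nocache_ratio),
        }
    return report


def _line(ip, target, hdr="-", status=200):
    return f'{ip} "GET {target} HTTP/1.1" {status} "{hdr}"'


# Constructed sample log: one ordinary reader and the two vectors from the slides.
LEGIT_PAGES = ["/index.html", "/news?id=1", "/news?id=2&page=2", "/quotes"]
SAMPLE_LOG = (
    [_line("198.51.100.20", LEGIT_PAGES[i % 4]) for i in range(12)]
    + [_line("203.0.113.7", f"/news?id=7&x={i * 7919:06x}") for i in range(40)]   # distinct junk parameter
    + [_line("203.0.113.8", "/news?id=7", "Pragma: no-cache") for _ in range(40)]  # forced cache bypass
    + ['198.51.100.20 "POST /login HTTP/1.1" 302 "-"']                              # not a GET, ignored
)

if __name__ == "__main__":
    for ip, stats in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, stats)
```

Both flood sources are flagged, for different reasons: the first has a unique-target ratio of 1.0 while its 40 requests collapse to a single normalised cache key, which is the evidence that the parameter is junk; the second repeats one URL but asks for cache bypass on every request. The normalisation also points at the mitigation the CDN slide implies: once the edge keys its cache on `normalize_cache_key(target)` and ignores client `Pragma`, both vectors are served from cache and the origin never sees them.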
Slide 34: Attack Vector Summary
► HTTP Dynamic Flood
► HTTP Static Flood
► UDP Flood
► SYN Flood
► UDP Fragmented Flood
Slide 35: ‘Attack Campaign’ - Morphology
Slide 36: Attack Campaign Morphology (timeline diagram)
Stages on the timeline: Reconnaissance → Test Fire → Heads Up → Attack Begins → Service Disruption → Automatic Mitigation → Manual Mitigation → New Attack Vectors → Service Disruption → Mitigation Continued → Attack Ends → Forensic
Slide 37: Resolution: Transition from a 2-phase security approach to a 3-phase security approach
Slide 38: 2-Phase Security Model (timeline diagram)
“Peace” Period – Pre-attack Phase → Attack Period: Automatic Mitigation (no time for human interaction) → “Peace” Period – Post-attack Phase → Pre-attack Phase → Attack Period → “Peace” Period, repeating along the Time axis
Slide 39: 3-Phase Security Model (timeline diagram)
“Peace” Period – Pre-attack Phase → Attack Period → “Peace” Period – Post-attack Phase
THE SECURITY GAP (the Attack Period): Attacker has time to bypass automatic mitigation. Defenders have no skill/capacity to sustain it.
Slide 40: Industry Security Survey
How much did your organization invest in each of the following security aspects in the last year?
(Bar chart, y-axis 0%–45%; bars for Before, During and After the attack in each of three categories: Procedures, Human skills, Equipment)
Source: Radware 2012 Global Application and Network Security Report
Slide 41: 3-Phase Security
THE SECURITY GAP: Attacker has time to bypass automatic mitigation. Defenders have no skill/capacity to sustain it.
Be prepared for prolonged attacks!
“Peace” Period – Pre-attack Phase → Attack Period: Response Team → “Peace” Period – Post-attack Phase
Slide 42: Response Team
Response Team: 24x7x365, Trained, Experienced
Roles: Active Mitigation, RT Intel, Counterattack
Slide 43: Summary
Slide 44: Summary
► It is Too Easy to Cause an Impact
► ‘Attack Campaign’ - Morphology
► Resolution: Transition from a 2-phase security approach to a 3-phase security approach
Slide 46: Additional Reading
► Radware 2012 Global Application and Network Security Report
► Radware 2011 Global Application and Network Security Report
► Cyber War Rooms: Why IT Needs New Expertise To Combat Today's Cyberattacks - Avi Chesla