Top Findings: Radware Global Application & Network Security Report 2015-2016
Overview
The Report’s Purpose
5th installment of Radware’s Global Application & Network Security Report.
Through firsthand and statistical research coupled with front-line experience, this research identifies trends that can help educate the security community.
Methodology & Sources
Key Findings
- Growing Need for Security Automation
- No One Immune, Few Prepared
- Shifts in Motives and Impact
No One Immune, Few Prepared
- Over 90% Experienced Attacks in 2015
- Ring of Fire – Increased Attacks on Education and Hosting
- Are You Ready? Preparedness for Cyber-Attacks Varies
- Protection Gaps Identified Across the Board
Over 90% Experienced Attacks in 2015
- Half of organizations experienced DDoS and Phishing attacks
- Almost half had Worm and Virus Damage
- One in ten have not experienced any of the attacks mentioned
Q: What type of attack have you experienced?
  DDoS                                        51%
  Phishing                                    50%
  Worm and Virus Damage                       47%
  Unauthorized Access                         34%
  Criminal SPAM                               29%
  Fraud                                       25%
  Advanced Persistent Threat                  23%
  Theft of Prop. Info./Intellectual Capital   15%
  Corporate/Geo-political Sabotage             7%
  None of the above                            9%
Ring of Fire – Increased Attacks on Education and Hosting
Comparing to 2014 (chart: 2015 likelihood of attack and change from 2014, by vertical):
- Most verticals stayed the same
- Education and Hosting – increased likelihood
- Growing number of “help me DDoS my school” requests
- Motivations vary for Hosting
  - Some target end customers
  - Some target the hosting companies
Are You Ready? Preparedness for Cyber-Attacks Varies
Q: In your opinion, how prepared is your organization to safeguard itself from the following cyber-attacks?
                                             Extremely   Very    Somewhat   Not very   Not prepared
                                             well        well    prepared   prepared   at all
  Corporate/Geo-political Sabotage            8%         29%     39%        20%        4%
  Advanced Persistent Threat                  9%         33%     41%        14%        3%
  Theft of Prop. Info./Intellectual Capital  12%         33%     41%        12%        3%
  Fraud                                      14%         38%     36%        10%        2%
  Phishing                                   14%         38%     39%         7%        2%
  DDoS                                       20%         35%     30%        12%        3%
  Criminal SPAM                              15%         44%     33%         7%        2%
  Worm and Virus Damage                      15%         48%     32%         4%        1%
  Unauthorized Access                        17%         47%     29%         6%        2%
- 3 out of 5 respondents feel they are extremely/very well prepared to safeguard against Unauthorized Access and Worm and Virus Damage.
- 3 out of 5 respondents are somewhat/not very prepared against APT and information theft.
- The results are split evenly between those that are prepared and not prepared to protect from DDoS attacks.
Protection Gaps – Across the Board
- A true protection gap for most organizations today
- Weaknesses spread evenly among all attack types
- Volumetric and HTTPS/SSL protection lead the gap
Q: Where, if at all, do you think you have a weakness against DDoS attacks? (chart: each protection area is cited as a weakness by 19%–33% of respondents)
Shifts in Motives and Impact
- Slowness Still Main Impact of Cyber Attacks
- DDoS Remains Biggest Threat of all Cyberattack Categories
- Increases in Ransom as a Motive for Cyber-attacks
- Tangible Concerns Expand
Slowness – Still the Main Impact
- Impact on systems was mostly slowness
- Outage was not the impact in most cases – only 16% of the cases
- About a third saw no impact on systems
- Numbers are consistent with past years
Q: What are the three biggest cyber-attacks you have suffered: Affected System? (Slowness 46%, No impact 37%, Outage 16%)
DDoS Continues to Lead as Biggest Threat
- DDoS attacks and unauthorized access – the main causes which harm the organizations
Q: In your opinion, which of the following cyber-attacks will cause your organization the most harm?
Increase in Ransom as a Motive for Cyber-attacks
- More than 50% increase in ransom as a motivator for attackers
- Motivation behind cyber-attacks is still largely unknown
- One-third cited political/hacktivism
- About a quarter referenced competition, ransom, or angry users
Q: Which of the following motives are behind any cyber-attacks your organization experienced?
                         2014   2015
  Political/hacktivism    34%    34%
  Competition             27%    27%
  Ransom                  16%    25%
  Angry users             22%    25%
  Unknown                 69%    66%
More than a Third Experienced Ransom or SSL/TLS-Based Attacks
- More than a third reported having experienced either a ransom attack or an SSL or TLS-based attack
- Consistent with increased public interest and concerns over these types of attacks
Q: Have you experienced any ransom attacks this year? Yes 37%, No 63%
Q: Have you experienced encrypted SSL or TLS-based attacks? Yes 35%, No 65%
More Tangible Concerns from Cyber Attacks
- Business Concerns Ranked 1st
- Shift in concerns from reputation loss to serving customers and ensuring application SLA
- Reputation loss still cited as the biggest business concern but decreased significantly
- More indicated being concerned about customer loss or service outage/limited availability
Q: What are your business concerns if your organization is faced with a cyber-attack? (chart: 2014 vs. 2015 share of respondents per concern)
Growing Need for Security Automation
- Today’s existing solutions are frequently multi-vendor and manual
- Burst Attacks on the Rise
- Adoption of Hybrid Solutions Continues to Grow
- Beyond Network: Similar Frequency for Network & Application Attacks
Existing Solutions – Multiple and Manual
- Over 80% of solutions require a medium to high degree of manual tuning
- Less than 20% require a low degree and are considered mostly automatic
- Multiple solutions used by almost all (91%)
- Only 6% use only one solution against cyber-attacks
Q: What degree of manual tuning or configuration does your current solution require? (High degree 24%, Medium degree 58%, Low degree 17%)
Burst Attacks on the Rise
- More than half of the three biggest attacks experienced lasted 1 hour or less
- Significant increase from the 27% in 2014
- Another indication of increased automated attacks
Q: What are the three biggest cyber-attacks you have suffered: Duration? (2015 values; the chart also tracks 2011–2014)
  1 hour or less     57%
  1 hour to 1 day    36%
  1 day to 1 week     4%
  Over a week         2%
  Constantly          1%
Adoption of Hybrid Solutions Continues to Grow
- Significant increase in current and planned adoptions of Hybrid
- 41% are using a hybrid solution, double from the 21% in 2014
- Another 44% are planning to adopt a hybrid solution, a significant increase from 2014
                                        2014   2015
  Currently using a hybrid solution      21%    41%
  Planning to adopt a hybrid solution    17%    44%
Slide callouts: ~50% increase, ~60% increase.
*Hybrid solutions combine an on-premise DDoS and any cloud-based solution (always-on cloud based service / on-demand cloud based service / CDN solution / ISP-based or clean link service).
Adoption of Hybrid Solutions Continues to Grow – by Company Size and Revenue
- Companies with the highest revenue or most employees are most likely to have a hybrid solution
(Charts: “Currently using a hybrid solution” and “Planning to adopt a hybrid solution” by company size (<1K, 1K-10K, >10K employees; values 29%–55%) and by revenue (<$1B, >$1B; values 35%–50%))
Similar Frequency for Network and Application Attacks
- 38–42% experienced Network attacks daily, weekly or monthly
- 38–52% experienced Application attacks daily, weekly or monthly
(Chart: per attack type, share of respondents answering Rarely-Never, Daily / Weekly / Monthly, or Don't know, for Network Attacks and Application Attacks)
Case Studies
ProtonMail Ransom Attack Case
Swiss-based encrypted email service provider. In Nov 2015 experienced back-to-back attacks initiated through a ransom request. Over the course of 7-10 days, experienced multiple attack vectors at high volume. Radware deployed emergency service a few days into the campaign and was able to mitigate the attacks.
ProtonMail Attack Timeline – Largest and most extensive cyberattack in Switzerland
- Nov. 3 2015: ProtonMail receives ransom email from The Armada Collective, followed by DDoS attack that took them offline for 15 mins
- Nov. 4 2015: Next DDoS attack hits in the morning and by afternoon reached over 100G, directly attacking the datacenter and ISP infrastructure. ProtonMail under pressure decides to pay ransom but attacks continue from 2nd source
- Nov. 5-7 2015: ProtonMail continues to suffer from ongoing high volume, complex attacks from a second, unknown source
- Nov. 8 2015: Radware’s Emergency Response Team implements its attack mitigation solution to protect ProtonMail. Service is restored shortly after
- Nov. 9-15 2015: Attacks continue at high volume of 30-50G at peaks during these days. Attacks are mitigated successfully by Radware
ProtonMail Attack – A Look Inside Persistent Denial of Service Attacks
(Chart: ProtonMail attack volume, mitigated by Radware, 0–60 scale; legend – Network: UDP Flood, TCP RST Flood, TCP-SYN, TCP Out-of-State, SYN-ACK, ICMP; Application: DNS Reflection, NTP Reflection, SSDP, HTTP/S SYN Flood)
Evolution of Attack Vectors by Day (Nov 8th – Nov 11th)
- Nov 9th: UDP flood; SYN flood; DDoS-NTP-reflection; DDoS-DNS-reflection; SYN-ACK Flood; DDoS-TCP-urgent; DDoS-TCP-zero-seq; DDoS-chargen-reflected events
- Vectors listed for Nov 8th, Nov 10th and Nov 11th: UDP Flood – Reflective DNS; TCP RST Flood; ICMP Flood; SYN Flood – HTTPS; SYN Flood – HTTP; UDP Flood – SSDP & NTP Reflection; ICMP Flood; TCP SYN Flood; TCP Out-of-State Flood; UDP flood; DDoS-SSL; TCP Out-of-State; DDoS-udp-fragmented; DDoS-NTP-reflection; DDoS-DNS-reflection; SYN-ACK Flood; Minor ICMP flood/RST flood; SYN flood
Leading US Airline Fingerprinting Case (Major US Airline)
- Sophisticated attacks – bad bots programmed to “scrape” certain flights, routes and classes of tickets. Bots acting as faux buyers—continuously creating but never completing reservations on those tickets
- Airline unable to sell the seats to real customers
- Dynamic source-IP attacks so security protection could not differentiate between “good” and “bad” bots
- Chose Radware’s WAF with fingerprinting technology to block dynamic IP attack
Looking Ahead
Seven Predictions for 2016
- Prediction #1: APDoS as SOP (Standard Operating Procedure)
- Prediction #2: Continued Rise of RansomDoS (RDoS)
- Prediction #3: Privacy as a Right (Not Just a Regulation)
- Prediction #4: More Laws Governing Sensitive Data
- Prediction #5: Arrival of Permanent Denial-of-Service (PDoS) Attacks
- Prediction #6: Growing Encryption to and from Cloud Applications
- Prediction #7: The Internet of Zombies
Summary: What Can You Do?
Preparedness is Key. Multi-layered solutions are a Must. Services are Important.
- Bet on Automation. It has become necessary to fight automated threats with automation technology.
- Cover the Blind Spot. Choose a solution with the widest coverage to protect from multi-vector attacks.
- Multi-Layered Solution. Look for a single-vendor, hybrid solution that can protect networks and applications from a wide range of attacks, and includes DoS protection, behavioral analysis, IPS, encrypted attack protection and web application firewall (WAF).
- Protect from Encrypted Attacks. SSL-based DDoS mitigation solution deployments must not affect legitimate traffic performance.
- Single Point of Contact. A single point of contact is crucial when under attack – it will help to divert internet traffic and deploy mitigation solutions.
http://www.radware.com/social/ert-report-2015/