DDos 2017 Report

TABLE OF
CONTENTS
01 Executive Summary
• Top Level Findings
• Threat Landscape Trends
02 Methodology and Sources

• Information Security Industry Survey
• Radware Emergency Response Team Cases
03 Threat Landscape
• Anatomy of a Hacker: Profiles, Motivations & Tools of the Trade
• Business Concerns of Cyber-Attacks
• Cyber-Attack Ring of Fire
• Attack Vector Landscape
04 Emerging Perils
• The Bottom Line: The Rise of Cyber Ransom
• Friend Turned Enemy: SSL-Based Cyber-Attacks
• Internet of Threats: IoT Botnets and the Economics of DDoS Protection
• Evolve and Adapt: Why DevOps is Raising the Bar for Security Solutions
05 Third-Party Viewpoints
• From the Corner Office: Views from a Chief Information Security Officer
• From the Frontlines: How a Multinational Bank Handled a Ransom Threat
and SSL-Based Attack
• See Through the DDoS Smokescreen to Protect Sensitive Data
• Adaptive Security: Changing Threats Require a New Security Paradigm
06 Building a Cyber-Resilient Business

• Calculating the Cost of a Cyber-Attack
• Planning a Cyber Security Strategy
07 Cyber Security Predictions

• Radware’s Cyber Security Prediction Report Card
• What’s on the Horizon – Four Predictions for 2017
08 Respondent Profile

09 Credits
• Authors
• Advisory Board
01 EXECUTIVE
SUMMARY
What do cyber-attacks have in common with hurricanes,

tornados and earthquakes? All are realities in our world. No
matter how common or uncommon they may be, failing to prepare for
any of them will lead to costs that could be unbearable—or worse.
Radware’s annual Global Application & Network Security Report is designed for the entire security community
and will help in understanding the following:
•
The threat landscape—who the attackers are, their motives and tools
•
Potential impact on your business, including associated costs of different cyber-attacks
•
How your preparedness level compares to other organizations
•
Experiences of organizations in your industry
•
Emerging threats and how to protect against them
•
Predictions for 2017
In addition to outlining the findings and analysis of our 2016 security industry survey, this report reflects our
Emergency Response Team’s (ERT) in-the-trenches experiences fighting cyber-attacks and offers advice for
organizations planning for cyber-attack protection in 2017. It also incorporates perspectives of third-party service
providers. This report offers a detailed review of:
• Known and common attacks of the past year (that is, what most people are attempting to secure against)
• Known and uncommon attacks (that is, what top-performing organizations attempt to address—security
incidents akin to the natural disasters cited above)
• Unknown attack forecast (that is, what has yet to demonstrate itself with evidence but is VERY “forecastable”)
RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 3

Top-Level Findings can be detected only through intelligent automation.
98% of Organizations Experienced
Attacks in 2016 Non-Volumetric DoS: Alive and Kicking
Analysis: Cyber-attacks became a way of life for Despite astonishing volumes, neither the number of
nearly every organization in 2016. This trend will victims nor the frequency of attacks has grown. Most
continue in 2017. non-volumetric DDoS attacks are in relatively lower
volumes, with 70% below 100Mbps. Rate-based
IoT Botnets Open the 1TBps Floodgates security solutions continue to fall short, requiring
Analysis: This exemplifies why preparing for companies to rethink their security strategy and
“common” attacks is no longer enough. This event embrace more sophisticated solutions. Without those
introduced sophisticated vectors, such as GRE floods upgrades, there is a good chance an organization will
and DNS water torture. experience, yet lack visibility into service degradation.
Cyber-Ransom Proves Easiest, Most Increased Attacks Against

Lucrative Tool for Cybercriminals Governmental Institutions
Analysis: Almost all ransom events have a different 2016 brought a new level of politically affiliated cyber
attack vector, technique or angle. There are hundreds protests. While the U.S. presidential election was in
of encrypting malware types, many of which were the spotlight, the media reported on a different breach
developed and discovered this year as part of the hype. almost weekly. These incidents happened across the
Also, DDoS for ransom groups are professionals who globe, with regimes suffering from cyber-attacks due to
leverage a set of network and application attacks to alleged corruption or perceived injustices.
demonstrate their intentions and power.
SSL-Based Attacks Continue to Grow
Cyber-Attacks Cost Almost Although 39% report suffering an SSL-based attack,
Twice What You May Think only 25% confidently state they can mitigate it.
Analysis: Most companies have not come up with
a precise calculation of the losses associated with a DDoS Attacks Are Becoming Shorter
cyber-attack. Those who have quantified the losses Burst attacks are increasing thanks to their
estimate the damage at nearly double the amount effectiveness against most mitigation solutions.
compared to those who estimate.
Uncrossed Chasm? Security Strategy
Stateful Devices: #1 Point of Failure Evolves More Slowly Than It Should
Analysis: Common IT devices, including firewalls, While hackers continue to develop new attack tools
application delivery controllers and intrusion protection
and techniques, 40% of organizations do not have an
systems, now represent the greatest risk for an
incident response plan in place. Seventy percent do
outage. Consequently, they require a dedicated attack-
not have cyber-insurance. And despite the prevalence
mitigation solution to protect them.
of ransomware, only 7% keep Bitcoin on hand. What’s
more, 75% of companies do not employ hackers in
Threat Landscape Trends their security teams, and 43% say they could not cope
Data Leakage + SLA Impact with an attack campaign lasting more than 24 hours.
Are Top Concerns
Data leakage and service level impact often come Threats never stand still.
together, with a DDoS attack serving as a smokescreen
that distracts IT teams so data can be infiltrated.
Neither can you.
Mirai Rewrites the Rules Radware encourages you to use our findings and
As the first IoT open-source botnet, Mirai is changing analysis as you design security strategies against
the rules of real-time mitigation and makes security cyber-attacks and work to reduce the costs associated
automation a must. It isn’t just that IoT botnets can with them. Apply these insights to understand the real
facilitate sophisticated L7 attack launches in high and meaningful changes that have occurred to the
volumes. The fact that Mirai is open-source code threat landscape, to explore potential changes to your
means hackers can potentially mutate and customize investments in protection strategies, and to look ahead
it—resulting in an untold variety of new attack tools that to how possible threats may evolve into real attacks.
4 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

02 METHODOLOGY
AND SOURCES
Combining statistical research and frontline experience, this report

identifies trends that can help educate the security community. It draws
information from the following sources:
Information Security Industry Survey

The quantitative data source is an industry-wide survey conducted by Radware. This year’s survey had 598
individual respondents representing a wide variety of organizations around the world. The study builds on prior
years’ research, collecting vendor-neutral information about issues that organizations faced while planning for
and combating cyber-attacks.
On average, responding organizations have annual revenue of USD $1.9 billion and about 3,000 employees. Ten
percent are large organizations with at least USD $5 billion in annual revenue. Respondents represent more than
12 industries, with the largest number coming from the following: professional services and consulting (15%),
high tech products and services (15%), banking and financial services (12%) and education (9%).
The survey provides global coverage—with 44% of respondents from North America, 26% from Europe and
20% from Asia. Additionally, 44% of the organizations conduct business worldwide.
Radware Emergency Response Team Case Studies

Radware’s Emergency Response Team (ERT) is composed of dedicated security consultants who actively
monitor and mitigate attacks in real time. The ERT provides 24x7 security services for customers facing cyber-
attacks or malware outbreaks. As literal “first responders” to cyber-attacks, ERT members have successfully
dealt with some of the industry’s most notable hacking episodes. This team provides knowledge and expertise to
mitigate the kinds of attacks that an in-house security team may never have handled. Throughout the report, ERT
members highlight how these front-line experiences fighting cyber-attacks provide deeper forensic analysis than
surveys alone or academic research.

THREAT LANDSCAPE 03
Anatomy of a Hacker:
Profiles, Motivations & Tools of the Trade
Hacking used to require a distinct set of skills and capabilities. These days,
attack services are bought and sold via marketplaces on the Clearnet
and Darknet—a phenomenon that’s closing the gap between skilled and
amateur hackers and fueling an exponential increase in threats.
Thanks to the growing array of online marketplaces, it’s now possible to wreak havoc even if you know virtually
nothing about computer programming or networks. As attack tools and services become increasingly easy to
access, the pool of possible attackers—and possible targets—is larger than ever. While many hacktivists still
prefer to enlist their own digital “armies,” some are discovering that it’s faster and easier to pay for DDoS-as-a-
Service than to recruit members or build their own botnet. Highly skilled, financially-motivated hackers can be
invaluable resources to hacktivists seeking to take down a target.
By commoditizing hacktivist activities, hacking marketplaces have also kicked off a dangerous business trend.
Vendors are now researching new methods of attack and incorporating more efficient and powerful vectors
into their offerings. Already some of the marketplaces offer a rating system so users can provide feedback on
the tools. Ultimately, this new economic system will reach a steady state—with quality and expertise rewarded
with a premium.

Profiles in Hacking - Who’s Participating in Today’s Hacking Community?
 Consumers
This is the largest segment—and the one driving the rapid growth of attack marketplaces. These are low
or non-skilled hacktivists who pay to participate in an operation. Without the knowhow for do-it-yourself
campaigns, they spend $20 to $200 per month on attack services that give them access to an easy-to-use
attack portal.
 Hackers
These are the hackers who have the wherewithal to carry out their own attacks and spearhead hacktivist
operations. They have a good enough understanding of networking and programming to write their own
attack programs, as well as build their attack platforms by exploiting cloud and trusted services. Given their
skills, hackers are not constrained by an attack time limit or power. Consequently, they are capable of
launching sustained, long-term attacks against their targets, sometimes at very high volumes.
 Vendors
This segment is home to hackers who have realized they can generate a great profit by providing attack
services to consumers. As in any economic system, higher quality or sophistication yields greater returns
and forces improvement. Some vendors are selling enough services to generate more than $100,000 a year.
AppleJ4ck, the vendor behind vDoS, the DDoS-for-hire service1, allegedly made $600,000 in just two years
before being arrested.
What Motivates Hacking?

In previous reports, Radware has used Richard Clarke’s acronym—C.H.E.W. (Cybercrime, Hacktivism,
Espionage, Warfare)—to categorize the origins of cyber risk. Now we introduce P.E.D. (Profit, Evasion, Disruption)
as an acronym for the three core motivations reflecting the evolution of the hacker community:
 Profit
Not surprisingly, money is the primary motivation in the attack marketplace. Those who want to commit a
crime—but don’t know how to execute—will always pay someone to do it for them. And with demand
outpacing supply, this is one crime that pays. Stressers—services orchestrating the generation of massive
amounts of traffic—are known to bring in more than $100,000 a year. Vendors offering application exploits can
generate thousands of dollars from selling one exploit on the Darknet.
 Evasion
The ability to evade detection is one of the most important capabilities a vendor offers to his or her business
and clients. Vendors are highly motivated to stay on top of the market. After all, detection or mitigation of
their services will cost them customers and profits. Thus, vendors continually research and discover new
attack methods to help their clients bypass mitigation techniques and take down their targets undetected.
 Disruption
This represents one of the primary motivators for hacktivist groups. Hacktivists are motivated to disrupt their
target’s operations and/or reputation; vendors thrive by investing in researching and discovering new attack
vectors. A vendor offering the most disruptive power for the lowest price will stand to do more business than
his or her competition.
1 http://www.newsbtc.com/2016/09/18/professional-ddos-service-vdos-offline-two-arrested/

Tools of the Trade
The Anonymous 2016 toolkit has been passed around
a number of operations. It provides attack tools with a
simple, easy-to-use graphical user interface (GUI). Using
these tools requires little knowledge as they are often
accompanied by instruction videos posted to YouTube.
Most tools offer basic TCP, UDP and HTTP attack

vectors with slight variations. Some enable the attacker
• Anonymous DoSer
to customize payload options—including packet size, tack
randomized data, threads and sockets per thread—in the • Anonymous Ping At
tools. While low and slow attacks are not prevalent in the • BlackOut
popular 2016 toolkits, HTTP attacks are a popular vector. • BlackBurn
When an operation is underway, hackers can easily bypass
• ByteDoS
mitigation solutions and overwhelm server resources with
simple POST/GET floods that appear to be legitimate traffic. • FireFlood
• Generic DDoS
Attacks as a Service • GoodBye
Denial of service (DoS) attacks have come a long way
• HOIC
since the days of LOIC and other GUI-based tools. Today,
hackers are abandoning “old school” GUI and script tools • LOIC
and opting to pay for attacks via stresser services. They no • XOIC
longer need to acquire technical expertise or tools; instead, • Pringle DDoS
they can simply engage attack services to carry out an
• rDoS
attack on their behalf.
•Unknown DoSer
Many notorious DDoS groups—including Lizard Squad, New
World Hackers and PoodleCorp—have entered the DDoS-as-
a-Service business, monetizing their capabilities in peacetime
by renting their powerful stresser services. Groups sometimes
use their tools against high-profile targets to showcase and
promote their attack services. As the point of entry continues
to decrease, novice attackers can carry out larger, more sophisticated assaults. For just $19.99 a
month, an attacker can run 20-minute bursts for 30 days using a number of attack vectors, such as DNS, SNMP
and SSYN, and slow GET/POST application-layer DoS attacks.
A prime example of a DDoS-as-a-service can be Shenron—the second-generation stresser service from Lizard
Squad. Shenron prices used to range from $19.99 to $999.99 a month for access to the attack network. Each
package includes a specific attack time—ranging from 20 minutes to five hours. Shenron’s network strength
claims the ability to launch attack sizes up to 500Gbps. It offers customers different attack vectors, including two
UDP attacks, DNS and SNMP, along with a TCP attack method (SSYN).
Business Concerns of Cyber-Attacks

What are the motivations behind cyber-attacks? What kinds of solutions are being used to mitigate such
incidents and the impact on a business? What are organizations doing to better prepare for future attacks?
Radware surveyed security leaders to understand the business concerns associated with cyber-attacks.
Almost 600 businesses shared their perception of the contemporary cyber security state of the union. They have
expressed their experiences, expectations, fears and predictions.
Gathering the valuable feedback, Radware has identified areas of excellence, areas that require improvement
and advice for how organizations can better protect their business operations.

Concerns
Attack Motivations
The year 2016 saw an explosive rise in extortion threats, which eclipsed most 4 out of 5 businesses
other types of cyber-attacks. Fifty-six percent of organizations reported being
were impacted by a
the victim of a cyber-ransom attack and 41% of organizations mark ransom
as the greatest cyber threat facing their organization (versus 25% in 2015).
cyber-attack
In 2015, 50% claimed not to know the motivation behind cyber-attacks, versus 2016 when 89% could actually
tell what is behind the attacks they experienced. This is a significant improvement that implies that security
practitioners are dedicating more resources to visibility and investigation. Understanding is a good start to
planning a security strategy.
The primary motivations—political/hacktivism and competition—have remained consistent in recent years. For
the fifth consecutive year, political hacktivism holds the second spot in the survey, accounting for 27% of known
attack motivations, with competition retaining the number four position at 26%. Two new threats introduced
this year are insider threats and cyberwar (state- and government-sponsored cyber-attacks, as well as attacks
organizations suffer as a result of geopolitical tensions). Both are a main concern in the Asia-Pacific region,
where one out of three indicate cyberwar and two out of five indicate an insider-threat as possible motivation to
launch an attack against them.
50%
40%
41%
30% 27% 26% 26% 24%
20%
20% 21%
10%
11%
0
Ransom Insider Threat Political Competition Cyberwar Angry User No Attacks Motive Unknown
Figure 1: Which motives are behind any cyber-attacks your organization experienced?
Attack Impact
Most often the impact on an 5% Other
organization’s infrastructure
from a cyber-attack is service
degradation, mentioned by 15%
Outage
57% of the participants. In
today’s interconnected, digital
era, service degradation can
negatively impact the end-user
experience, followed by lower
conversion rates, lower brand
equity and significant financial
losses. Fewer reported having a
57%
22% Service
complete outage impact due to No Impact Degradation
a cyber-attack, and one in five
continued to say that attacks had
no impact on their infrastructure.
Figure 2: Typically, what is the impact of a cyber-attack on your infrastructure?

0% 10% 20% 30% 40%
Weakness Against Volumetric/Pipe Saturation

28%
33 %
DDoS Attacks 27%

Network Attacks
More than one-fourth feel vulnerable 28%
to attacks on volumetric/pipe sat- DNS Attacks 23%
27%
uration, network attacks, and DNS
26%
attacks, similar to 2015. HTTPS/SSL Attacks
23%
Don’t Know/Not Sure

22%
Organizational Approach 23%
to Tradeoffs Prolonged Attack Campaigns 21%
23%
Organizations today are required
HTTP Attacks
19%
to make tradeoffs between 22%
protecting assets and providing a Low-and-Slow 20 %
2015
17%
smooth, blocking-free experience
None 8%
to customers. With a mean of 4.8 2016
on a 10-point scale, it appears

that organizations have a balanced Figure 3: Where, if at all, do you think you have a weakness against DDoS attacks?
approach between maintaining a
strong security posture/policy
versus avoiding false positives,
which usually results in blocking 100%
legitimate customers. The mean is
higher for companies with less than 10%
10,000 employees. 90%
7%
Experiences 1 - Maintaining Strong
80% Security at All Costs
Frequency 12%
2
Approximately one-quarter of
70%
respondents experienced attacks
3
on a daily or weekly basis in the 14%
last year, but a similar number 60%
4
experienced attacks only once or
twice a year. Those in banking/
50% 5
financial services have experienced
more daily/weekly attacks than 23 %
those in most other verticals. 40% 6

Government and civil service
institutions seem to be suffering 7
the most, with 46% being attacked
30% 11%
on a weekly basis. One out of four 8
reported daily attacks—twice the 20% 10%
worldwide average. 9
10% 8% 10 - Avoiding False

Positives at All Costs
1 out of 7 businesses 3 %
0 3%
fight cyber-attacks
on a daily basis Figure 4: On a scale of 1-10, what is your organizational approach to the
tradeoff between avoiding false positives (i.e. blocking legitimate users)
and maintaining a strong security policy to prevent data breaches?

Attack Types
Radware also inquired about the types
of cyber-attacks that organizations Malware & Bots 50%
experienced in 2016. Malware and Socially Engineered Threats
bots were cited as the #1 attack vector (Phishing, Fraud) 39%
organizations faced in 2016, as they DDoS 34%
come in various forms and can fulfill
different missions. One out of three Web Application Attacks 31%
reported being subjected to a DDoS Ransomware 30%
attack. A significant proportion also
reported incidents with phishing (39%, Advanced Persistent Threat 16%
a decline compared to 57% in 2015).
The more significant finding: only 2% of
None of the Above 2%
respondents did not experience any form 0% 10% 20% 30% 40% 50%
of these attacks. In other words, 98% of

organizations were hit by cyber-attacks Figure 5: What type of attack have you experienced?
in the past year—underscoring that there
is simply no escaping these threats.
Duration
Almost half of survey participants said that, on average, security threats lasted up to three hours. Attacks lasting
longer than a week declined in 2016—continuing the trend from 2015, when perpetrators began to use shorter
burst attacks and to do so repetitively.
2014 2015 2016
50%
46%
41%
40%
33%
30% 28% 27%
23% 23%
15% 17
%
20% 16%
13%
10%
10% 10% 9% 7%
3%
0
Up to 3 hours 3 hours to 12 hours Up to 1 day 1 day up to 1 week 1 week up to 1 month Over a month
Figure 6: What is the average security threat your organization experienced?
When looking at maximum (versus average) duration, 10% of respondents suffered attack campaigns that lasted
longer than a month.
2014 2015 2016
50%
40%
32% 33%
30% 28 % 29%
26% 25% 24%
20% 17% 17 % 19 %
19%
14 %
12% 12% 10%
10% 7%
0
Up to 3 hours 3 hours to 12 hours Up to 1 day 1 day up to 1 week 1 week up to 1 month Over a month
Figure 7: What is the maximum security threat your organization experienced?

Preparedness
When asked if their organization is prepared to fight cyber-attacks, respondents indicated that there are still
many attack vectors they’re not ready to fight. While two-thirds of the respondents feel they are extremely/very
well prepared to safeguard against malware, such as worms and viruses, and more than half (55%) feel prepared
for DDoS and Web application attacks, the majority of organizations doubt their ability to fight off advanced
persistent threats (APT), ransom attacks and social engineering.
Overall, preparedness has remained consistent compared to 2015.
Malware (Worms, Viruses) 20% 46% 29% 4% 2 %

Extremeley Well Prepared
DDoS 16 %
39
%
28 %
12 %
6 %
Very Well Prepared

Web Application Attacks 14% 41% 31% 10% 4%
Socially Engineered Threats Somewhat Prepared
(Phishing, Fraud) 12% 37% 35% 12% 4%
Ransomware 12% 35% 36% 12% 5% Not Very Prepared
Advanced Persistent Threat 11% 32% 35% 16% 6% Not Prepared at All
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Figure 8: How prepared is your organization to safeguard itself from the following cyber-attacks?
Preparedness Across Regions

Overall, North American respondents feel more confident concerning cyber-threats, with significant differences
compared to Europe and APAC when it comes to DDoS or APTs.
70%
TOTAL
Malware (Worms, Viruses) 66% 65%
65%
61%
TOTAL
DDoS 55% 47%
55%
60%
TOTAL
Web Application Attacks 52%
55%
51%
Socially Engineered Threats 50%

TOTAL
49% 47%
(Phishing, Fraud) 53%
North America
52%
TOTAL
Ransomware 48%
47%
41%
53% Europe
TOTAL
Advanced Persistent Threat 43% 38%
36%
0% 10% 20% 30% 40% 50% 60% 70% APAC
Figure 9: Preparedness to face different types of cyber threats by region
Preparedness Across Business Sectors

With the lowest score in each category, education is the most vulnerable vertical. Technology companies are the
leaders, adopting the right security controls and policies to counter different threats. Surprisingly, more than 40%
of financial services institutions are still exposed to various cyber-threats.
Vertical
High Tech Prof. Retail/ Banking &
Products & Services & Wholesale/ Govt./Civil Financial
Extremely/Very Well Prepared Total Services Consulting Media Online Service Services Education
Malware & Bots (Worms, Viruses, Spam) 66% 78% 74% 70% 68% 63% 58% 50%
Distributed Denial of Service (DDoS) 55% 56% 53% 61% 46% 59% 51% 43%
Web Application Attacks (SQLi, XSS, Defacement) 55% 59% 54% 58% 59% 59% 57% 37%
Social Engineering (Phishing, Fraud) 49% 51% 56% 58% 46% 54% 47% 28%
Ransomware 47% 56% 48% 52% 49% 37% 51% 20%
Advanced Persistent Threat 43% 54% 46% 52% 43% 39% 38% 28%
Figure 10: Preparedness to face different types of cyber threats by industry/vertical

Radware asked respondents how long can they effectively cope with a cyber-attack campaign. Fifty-seven
percent can withstand an attack for up 24 hours. In other words, two out of five companies cannot defend
themselves against longer campaigns.
30%
22% 19%
20% 16% 17% 18%
10% 7%
0
Up to 3 hours 3 hours to 12 hours Up to 1 day 1 day up to 1 week 1 week up to 1 month More than/
Over a month
Figure 11: How long can you effectively fight a round-the-clock attack campaign?
Other 2% 2% Don’t Know/None

12%
Obstacles Lack of C-Level Awareness
With such a diverse threat 27%
landscape, it’s no wonder many Too Little Manpower
organizations still admit they may
not be properly prepared to face 17% What is your
Unsuitable/Outdated major obstacle
certain attack vectors. Radware Technologies when it comes to
inquired about the cause of this countering
deficiency and discovered one- cyber-attacks?
fourth of security experts said their
biggest obstacle was not enough
manpower and a similar percentage 20%
(one-fifth) point at insufficient 20% Missing Budgets
Lack of Expertise
budgets or a lack of expertise.
Figure 12: What is your major obstacle when it comes to countering cyber-attacks?
Hybrid Protection for Denial-of-Service Attacks

Seventy-eight percent use some type of DDoS protection solution, leaving 22% of organizations relying solely
on firewall/next-generation firewalls for security. 41% indicate their company uses a combination of on-premise
DDoS protection with a cloud-based DDoS protection service (such as always-on cloud-based service, on-demand
cloud-based service, CDN solution, or ISP-based or clean link service).
Consistent with results from the past three years, half of respondents are currently using only a premise-based
DDoS protection solution to guard against cyber-attacks. Seventy-five percent are managing it internally. Two out
of five are using a cloud-based solution or a clean link service or CDN-based DDoS/filtering.
The results underscore the reality that the larger the company, the greater the likelihood to use multiple solutions.
Premise-based DDoS Protection 50% 23% 28% Currently

Using
ISP or Clean Link Service 40% 21% 39%
CDN based DDoS/Filtering 39% 25% 37% Planning

to Add
Always-on Cloud Based Service 31% 26% 43%
On-demand Cloud Based Service 30% 27% 43% Neither
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Figure 13: Which solutions does your organization use against cyber-attacks?

Solutions for Application Security
More than 90% of businesses employ a solution to secure Web applications. The most frequently cited solutions
being used for application security: on-premise Web application firewalls (66 percent) and security tests, such
as penetration testing and DAST/SAST (54%). In addition, WAF is becoming increasingly popular, with three-
quarters indicating they use a WAF (cloud, on-premise or both). That marks 20% year-over-year growth, as just
63% were using a WAF in 2015. Only one out of five use hybrid WAF protection for application security.
70% 66%
54%
60%
50%
40%
35%
30% 28%
23%
20%
10% 8%
3 %
0
On-premise Security Secure Coding Cloud-based Run-time Application Other None
Web Application Tests Tech & Code Web Application Self Protection
Firewall Scanning Firewall (RASP)
Figure 14: Which solution does your organization use for application security?
Looking Ahead
Compared to 2016, the cyber security community seems more pessimistic about what to expect in 2017.
Nineteen percent of respondents expect a 30% increase in the number of attacks in 2017. That’s almost 50%
growth compared to the 13% who expected an increase in attacks in 2016.
30%28% 2014 2015 2016

30% 26%24% 24 23% %
%
21 19%
20% 17 %
15%12%14%
9% 10% 8%
10% 7%
4% 4% 2
% 3%
1 %
0
Less than 5% 5-9% 10-19% 20-29% 30-39% 40-49% 50% or more
Figure 15: What percent do you anticipate the number of cyber-attacks to increase over the next 12 months?
2016 underscores the conflict businesses face when being forced to fight on two fronts simultaneously. While
the right hand is protecting sensitive data, the left hand must maintain service availability at all times, mitigating
threats at the perimeter.
Cyber-Attack Ring of Fire

The Cyber-Attack Ring of Fire maps vertical markets based on the likelihood that organizations in these sectors
will experience cyber-attacks. The Ring of Fire reflects five risk levels. As sectors move closer to the red center,
such organizations are more likely to experience denial-of-service and other cyber-related attacks at a higher
frequency than the others.

Mitigation calculations should move in
L I KE L I HOO D
lockstep with risk level. When this does not LOW
happen, the likelihood of a cyber-attack
resulting in a network outage or service
degradation increases. Organizations in M L I KEL I HO
DIU OD Technology
the verticals marked with a red arrow ME
Companies
are wise to take swift action—adjusting
cyber-attack detection and mitigation IKELIHO
HL O
strategies to address the new risk IG
D
H
level from threat actors. Service
Providers
Education
There have been changes to Health
the Ring of Fire since last year. Government Gaming
Telecom, government institutions
Financial
and gaming companies stay at the
center of likelihood while the financial
Retail
services industry has moved toward
the center. Retail, education and
healthcare industries remain stable,
but technology companies are actually
moving away from the center. Energy and Energy & Utility
utility companies remain in the low risk
level due to tighter security. In addition to
industry, company size can be a predictor
of likelihood to be attacked. The larger the 2016 Change from 2015
business, the greater the chance. Indeed, Figure 16: Cyber-Attack Ring of Fire
organizations with more than $1 billion in
revenue or 10,000 employees experienced TCP and UDP floods on a daily or weekly basis.
Vertical
Professional High Tech Banking & Retail/
Services & Products & Financial Government/ Wholesale/ Media/
Total Consulting Services Services Education Civil Service Online Telecom
Daily/Weekly 28% 13% 18% 28% 26% 46% 19% 24%
Daily 14% 5% 12% 14% 15% 27% 14% 15%
Weekly 13% 8% 5% 15% 11% 20% 5% 9%
Monthly 17% 14% 24% 16% 20% 12% 19% 12%
1-2 a Year 28% 34% 25% 28% 31% 24% 27% 45%
Never 13% 21% 16% 14% 4% 12% 19% 9%
Unknown 14% 18% 16% 14% 19% 5% 16% 9%
Figure 17: How often have you experienced cyber-attacks in the past 12 months?
   Industries at High Likelihood for Attacks

Financial Services
The financial services industry suffered 44 million cyber-attacks in 2016, making it the most targeted industry. It
was threatened by a number of factors, including:
• Complex attacks from abroad, usually generated by hacktivists
• Third-party security challenges, such as application exploits
• Mobile and connected devices (IoT)

In 2016, Anonymous launched OpIcarus. What started as a simple protest against the Bank of England and
the New York Stock Exchange quickly escalated into a full-fledged, multi-phase DDoS operation targeting
the International Monetary Fund, central banks and global stock exchanges. In parallel, numerous Bitcoin
marketplaces, such as Bitfinex, DAO and Ethereum, came under attack. Bitfinix, a Bitcoin exchange company,
lost $70 million in one day due to a security breach of multiple wallets. There was also the SWIFT vulnerability
that resulted in an $81 million heist from the Central Bank of Bangladesh. This success encouraged the
perpetrators to repeat the attack, reportedly capturing close to $1 billion.
Government & Civil Service

In 2016, government services were targeted by various threats, including hacktivism, terrorism and state-
sponsored attacks. Attacks on government sites are not always politically motivated; many are launched to
help attackers gain notoriety and/or publicly shame the government, government officials, state and local
offices and individuals.
Anonymous operations like OpKillingBay often target government sites hoping to attract their attention and
force them to enact a ban against the fishing season. Other operations, such as OpRight2rest, OpGaston,
and OpLGBT, are also launched directly at the government, government officials, state and local offices
and individuals as a reaction to a political event or ruling. These attacks can quickly escalate to target not
only government but also the families of government employees, thereby crossing the line and making their
involvement a controversial action.
The United States presidential election served as fodder for a number of attacks targeting presidential
candidates and business holdings entities outside of the election. Both Republican and Democratic candidates
were the targets of a number of DDoS attacks. These attacks are not only originated by hacktivists and
protesters, but can be the result of an alleged activity of foreign states. In addition to the United States
presidential election, the Philippines Election Commission was breached this year over the integrity of the
election and the electronic voting systems. The group Lulzsec Pilipinas hacked and dumped the voter database.
Another notorious incident was the series of attacks taking down the Australian census website2.
Service Providers – ISP, Cloud, Colocation, Hosting

Internet Service Providers (ISPs) find themselves not only the primary but also the secondary targets from
massive DoS campaigns. The aim: partial or full disruption of the target’s online business operations. Attackers
tend to target companies directly with network and application floods. However, when the volume exceeds
the infrastructure capacity, they begin to create trouble for the “neighborhood” as the network pipes become
saturated. In other cases, when mitigation is in place, attackers will target the upstream provider in an attempt to
block legitimate traffic from reaching the targeted destination.
In 2016, several high-volume attacks targeted the gaming industry and directly and indirectly impacted ISPs.
Some of these attacks were so large that they did not make it to the target destination, as the pipes become
too small. Thus, if there was no scrubbing mechanism, the saturation resulted in a complete network outage.
In addition, in 2016 many ISPs were subject to a phony DDoS for ransom campaign perpetrated by fake cyber-
ransom groups portraying themselves as notorious DDoS groups like Armada Collective, Lizard Squad and New
World Hackers.
Web and cloud service providers faced an increased likelihood of being attacked compared to 2015, and are
now the target of a global cyber-campaign that has stricken several Web and cloud hosting companies. Since
the beginning of February 2016, an ongoing cyber-assault has targeted hosting providers across the UK; it was
later expanded to include similar companies in various countries. These hosting providers suffered long-term
outages affecting the business operations of their enterprise customers. They also suffered major reputation
damage—even though some of these attacks were related to their clients’ controversial content or websites.
2 Australian census attacked by hackers

Gaming
For the gaming industry, large-scale DDoS attacks resulting in network outages and service degradation have
become everyday occurrences. The main motivation is simply the thrill of disrupting game play and tournaments.
A secondary driver: trolling crucial moments when gamers are trying to take advantage of game specials and
bonus points. When attackers cripple the network during these events, users become very angry and often take
to social media to smear the company. Consequently, companies suffer an immediate impact on brand equity.
Meanwhile, if the attack does not reach the target, it often takes down the upstream provider—resulting in
widespread outages.
Attackers mainly target authentication servers to prevent users from logging into the game or upstream providers
to prevent gameplay itself. Attackers are using a wide variety of tools, such as DDoS-as-a-Service or their own
custom botnets like Mirai. For as little as $19.99 a month, an attacker can run 20-minute burst attacks for 30
days. Using these tools, attackers can gain powerful access to vectors like DNS, SNMP, SSYN and GET/POST
application layer.
  Industries at Medium Likelihood for Attacks

Retail
When a retailer comes under DDoS attack, the result is immediate revenue loss since the outage prevents
customers from purchasing items. In Switzerland this year, the website for Swiss Federal Railway (SBB) and two
of the country’s largest retailers, Coop and Migros, had their websites taken down, preventing customers from
accessing their sites. These DDoS attacks on retailers are often a smokescreen (see the chapter: Through the
DDoS Smokescreen to Protect Sensitive Data) for more sinister acts like DDoS for ransom or large-scale data
breaches targeting payment systems. In the Swiss incidents, no data was affected. However, attackers will often
look for large corporations with massive quantities of data and payment information and then use a denial-of-
service attack to distract security systems so they can infiltrate the network and steal personal information.
Health
The value of medical records in the dark market now exceeds the value of credit card information. Consequently,
the healthcare industry found itself at the center of cyber-attacks—putting at risk not only patient data but also
the credibility of the system and the Health Insurance Portability and Accountability Act (HIPAA). Several data
leakage incidents have been reported, many caused by an actor named “The Dark Overlord,” who published
hospital databases on the Darknet. In parallel, Anonymous hacked into the database of multiple Turkish
hospitals and medical institutions, allegedly in retaliation for a series of attacks on U.S. hospitals in the form
of ransomware earlier this year. The most famous was the one against Hollywood Hospital, which ended up
paying $17,000 in ransom in 2016. Ransomware has proven very profitable for cybercriminals, especially when it
encrypts medical records needed in real time.
Education
This year the educational system came under fire as vendors on the Darknet began offering school hacking
services. In 2016, 444 school networks in Japan went offline as a result of a massive cyber-attack. Hacking
services found on the Darknet make it increasingly easy for non-hackers to carry out an attack or cause damage
to a school’s resources. In addition, a potential attacker can rent a botnet or a stresser service for as little as
$20 in Bitcoin and launch the attack themselves. In most cases, it’s either a student looking to delay a test
or manipulate the registration process or a personal attack against the school by a student or staff member.
Whatever the reason, the outcome is the same: an individual’s act results in turmoil for the institution.
 Industries at Low Likelihood for Attacks

Energy & Utility
For energy and utility companies, the threat landscape remains stable due to the segregation of these
companies’ networks. Even so, this industry remains a valid target for hackers, especially given the
environmental damage these entities allegedly cause.

In 2016, Radware witnessed a number of energy companies targeted by both hacktivist and state-sponsored
groups. For example, Anonymous targeted a number of state-sponsored mining companies for damaging a
sacred Tibetan mountain. Meanwhile, HakDefNet was the first company to identify a series of state-sponsored
attacks targeting the Ukrainian power grid during the country’s elections. Throughout 2016, there were a number
of attacks launched against backers of the Dakota Access Pipeline Project (DAPL) currently under construction
in the United States. Despite requests from local tribes to stay away, Anonymous announced its support for
the NoDAPL protesters and began posting personal details of officials involved with the pipeline project and
threatening employees and families of those involved. In addition to the Doxing, Anonymous also launched
DDoS attacks against Energy Transfer and other organizations involved with the project.
Technology Companies
Due to the nature of these businesses, they are very aware of the technological risks in the digital world. In
addition, they have the right personnel and expertise to fight cyber-attacks. They also tend to be early adopters
in testing new tools, exploits and mitigation mechanisms. Successfully hitting these companies requires a higher
hacker skillset—a challenge many hackers are keen to accept.
Attack Vector Landscape

Combining the experience of Radware’s ERT and responses to this year’s
Security Industry Survey, this chapter reviews the attack vectors that
proved popular in 2016.
Caused the
Experienced Most Damage
Application vs. Network Attacks
(NET) Network 64% 46%
At first glance, the 2016 research indicates a
TCP-SYN Flood 40% 26%
balance between application and network attacks.
This represents a dramatic change from last year’s UDP 33% 11%
survey, which showed a significant increase in ICMP 32% 9%
network-based attacks. In 2016, about two-thirds of TCP-Other 29% 10%

respondents reported having faced either network- IPv6 16% 6%
or application-based attacks. Further analysis (NET) Application 63% 58%
reveals that while network and application attacks (Subnet) Web 50% 35%
occur at a similar frequency, application-based HTTP 42% 24%
attacks cause a larger impact. That’s especially true HTTPS 36% 19%
of Web attacks followed by TCP-SYN floods. DNS 37% 19%
SMTP 31% 14%
Hackers now launch multi-vector, blended VoIP 9% 4%
campaigns that include higher-volume network
IPv4 44% 16%
vectors alongside more sophisticated application
Other 3% 3%
vectors. Thus, while the top attack types reported
None 20% NA
by respondents are more likely to be network-
based attacks, the threat of application attacks
Figure 18: Type of attack vector experienced in 2016 and which
remains very real. caused the most damage
Top Trends
within Vertical TELECOM PRO SVCS TECH FINANCE EDU GOV’T RETAIL HEALTH
Application: Application: Application:
Most Harmful 65% Network: Application: Network: Application: Application: 50% 57%
Attack Types Network: 61% 61% 61% 54% 66% Network: Network:
63% 50% 50%
Figure 19: Impact of attack vectors by business sectors

Frequency of Attacks
This year, Radware also explored attack frequency. More than one-quarter of respondents reported daily and
weekly attacks in the past 12 months. Affecting just 9% of organizations, attacks over VoIP were the most
infrequent; even so, the incidence of attacks over VoIP tripled from 2015 to 2016.
2015 2016
30% 29%28%
20% 18% 17% 16%14%

15%14%
11 13
%
% 12%13%
10%
0
Daily Weekly Monthly Once or Twice a Year Never Unknown
Figure 20: How often have you experienced cyber-attacks in the past 12 months?
More than one-quarter of respondents reported daily and weekly attacks via TCP-SYN flood, TCP-Other, ICMP
and UDP-flood attacks in the past year. The most infrequent attack was on IPv6 networks, although daily/weekly
attacks in 2016 were higher than in 2015.
100% 100%
90% Don’t Know 90% 18% Don’t Know

24% 24% 26%
26% 26% 26% 28% 29% 26% 27%
37 %
80% 80%
Never 8% Never
70%
14 % 70%
16 % 8%
17% 17% 18% 18% 18% 17%
Annually 18% 18% Annually
60% 60% 12%
8%
7% 8 %
9% 9% 9% 9% 7%
50%
29%
50% 7% 7%
12 % Quarterly
11% 14 % Quarterly
10% 9% 11% 10%
40%
11% 40% 9% 11 % 10%
13% 9% 10%
11 %
12 % 10% Monthly 9 %
16% 12% Monthly
30% 7% 30% 10% 12%
12 %
12% 7% 11% 12%

20% 14% 13% 20% 15% 12% 13%
7% Weekly 14 % Weekly
24%
10%
16% 7 %
17%
10%
18% 18%
13% 13% 13% 13% 14%
Daily 11% Daily
6 %
0 0
TCP-SYN UDP-Flood ICMP IPv6 TCP-Other HTTPS HTTP DNS SMTP Login Malware, App. Vulnerability
Flood Flood Page Phishing Exploitations (SQL
Injection, XSS, CSRF)
Figure 21: How often have you experienced the Figure 22: How often have you experienced the following application
following network attacks in the last year? attacks in the last year?
The application with the highest attack frequency is malware and phishing, with two in five participants
experiencing it on a daily/weekly basis. This rate is consistent with our findings in 2015. About a quarter of
respondents experienced other application attacks daily or weekly.
About half of all respondents indicated that they did not experience any reflected amplification attacks this year.
Roughly 30% said they had suffered from a reflected amplification attack but were able to mitigate the attacks.
In 2016, Radware’s Emergency Response Team (ERT) observed DNS attacks mainly targeting A and AAAA
records. In addition to DNS, the ERT also observed 256,925 NTP monlist floods.
Multi-Vector Attacks
Hackers continue to move away from single vector attacks as advanced persistent DDoS campaigns
become the norm. Attackers are still using burst attacks in an attempt to defeat mitigation processes. In
2016, Radware witnessed the rise of massive 1Tbps botnets using TCP attack vectors versus amplified and
reflected vectors. In addition, attackers are exploring new techniques, such as GRE encapsulation, in hopes of
bypassing ACL limitations.

Ransom-based attacks were also a top attack vector; two in five experienced a ransomware attack in the past
year. Of those surveyed, 39% reported being affected by ransomware while 17% received a ransom not as part
of a RDoS campaign (see the chapter: The Bottom Line: The Rise of Cyber Ransom).
Thirty-nine percent of organizations report having experienced an SSL- or TLS-based attack. This represents
continuous growth of 10% year-over-year, with 35% reporting the same in 2015 (see the chapter: Friend Turned
Enemy: SSL-Based Cyber-Attacks).
Network Attacks Prevalence

TCP-SYN Flood UDP ICM TCP (Other) IPv6 1
40% 33% 32% 31% 6%
In 2016, 64% of organizations experienced attacks on their network infrastructure. Of those that experienced
a network-based attack, 40% experienced a TCP-SYN flood, followed by UDP (33%) and TCP-Other (29%).
Thirty-two percent of respondents experienced an ICMP attack and 16% experienced an IPv6 attack.
TELECOM PRO SVCS TECH FINANCE EDU GOV’T RETAIL HEALTH*

ICMP: TCP-Other:
TCP-Other:
ICMP: 19% 34% TCP-SYN Fl:
MOST 21%
TCP-Other: 12% TCP-Other: TCP-Other: ICMP: 11%
FREQUENT UDP Flood:
13% TCP-Other: 19% 13% 32% ICMP: UDP Flood:
NETWORK 19%
ICMP: 11% UDP Flood: ICMP: TCP-SYN Fl: 11% 18%
ATTACK TYPES TCP-SYN Fl:
12% TCP-SYN Fl: 19% 13% 29% TCP-Other:
(Daily) 18%
9% TCP-SYN Fl: UDP Flood: 11%
ICMP: 17%
18% 24%
MOST
TCP-SYN Fl: IPv4: IPv4: IPv4: TCP-SYN Fl:
FREQUENT
53% 43% 41% IPv4: IPv4: 51% 32% Ipv4:
NETWORK
UDP: TCP-SYN Fl: TCP-SYN Fl: 51% 46% TCP-SYN Fl: IPv4: 53%
ATTACK
48% 38% 40% 46% 27%
VECTORS
Figure 23: Most frequent network attack types
Application
Sixty-three percent of respondents experienced application-based attacks during the year. Forty-two percent
indicated that they experienced an HTTP flood; 36% experienced an HTTPS flood.
TELECOM PRO SVCS TECH FINANCE EDU GOV’T RETAIL HEALTH*

MalPhshRns: MalPhshRns: MalPhshRns: MalPhshRns: MalPhshRns:
MOST MalPhshRns:
24% 14% MalPhshRns: 33% 32% 30% Login Page:
FREQUENT 21%
SMTP: Login Page: 26% Login Page: SMTP: Login Page: 18%
APPLICATION SMTP: 16%
22% 13% SMTP: 17% 27% 19% SMTP:
ATTACK TYPES Login Page:
Login Page: App Exploit: 24% SMTP: Login Page: SMTP: 18%
(Daily) 16%
20% 12% 17% 27% 19%
MOST
FREQUENT Web: 55% Web: 61%
Web: 55% Web: 44% Web: 58% Web: 50% SMTP: 32% Web: 41%
APPLICATION DNS: 35% DNS: 49%
DNS: 46% DNS: 33% DNS: 46% SMTP: 39% Web: 30% DNS: 41%
ATTACK SMTP: 32% SMTP: 44%
VECTORS
Figure 24: Most frequent application attack types
New Attack Tools

This year we have seen several tools released in association with Anonymous campaigns. These tools are often
released in closed networks for members of a specific operation to use during the campaign. In some cases,
they may be released publicly as free-to-use tools—a ploy to generate more support for the operation. These
tools are simple denial-of-service scripts or pre-packaged scripts in simple graphical user interfaces (GUIs).
Attackers have also been observed using these script tools in cloud environments in an attempt to generate
larger attacks from trusted sources.

GUI – Anonymous DDoS (DDoS.exe)
Anonymous released a custom GUI tool for the
2016 Summer Olympics in Rio. This tool is capable
of launching a TCP PSH+ACK flood through Tor.
A PSH+ACK flood sends a TCP packet with the
PUSH and ACK bits set to one. This method triggers
the victim’s system into unloading all data in the
TCP buffer and sends an acknowledgement when
completed. In addition to the tool, the group also
published instructions on how to use the tool
on Facebook.
Scripts – SadAttack and Saphyra

Figure 25: Anonymous DDoS tool for the Olympics
SadAttack and Saphyra are both HULK—that is, HTTP
Unbearable Load King variants. Both tools obfuscate
the source client by changing the user agent and
referrer for every request. Ghost Squad hackers have
loaded both scripts with additional user agents and
referrers pointing to a number of prelisted websites.
Hackers also have been seen modifying these scripts
by adding user agents and referrers points. By
randomly changing the user agent and referrer—and
using Keep-Alive to maintain the connection—an attack
can easily bypass caching methods and hit the server
directly with these tools.
Cloud – Attacks from VPSes

In 2016, Radware has witnessed a number of hackers
using cloud services to launch denial-of-service
attacks. Hackers are using cloud platforms to load
attack scripts and launch their assaults. One of the
reasons attackers are using these services is because
Figure 26: SadAttack.py most organizations leverage cloud infrastructure for
mission-critical business operations. That makes it
very difficult to block communications with cloud
services. In just an hour, an attacker can not only
setup their tools on a VPS, but also access their
toolset from mobile devices via SSH. Attack clouds
provide hackers with more bandwidth and computing
power, allowing them to easily scale their operation
and attacks far beyond their home lab capabilities.
The cost to conduct these attacks is much cheaper
when conducting large-volume attacks versus renting
a stresser service. Hackers were identified using
Google Cloud Services to conduct attacks leveraging
SadAttack and Saphyra. One hacker eventually
shared a screenshot of how he leveraged a cloud
instance to conduct several attacks for a number
of operations, including OpIcarus, an Anonymous
operation targeting the financial sector.
Figure 27: Saphyra.py

Figure 28: Attacker using Google Cloud in combination with SadAttack and Saphyra
10Gbps to 50Gbps 3% 4% Above 50Gbps

Attack Size: Does It Matter? 10%
1Gbps to 10Gbps
In 2016, fewer than one in 10 server attacks qualified
as extra-large (10Gbps or higher). Seven in 10 of the
biggest server attacks were below 100Mbps, and 13%
100Mbps 50%
50% were 10Mbps or less. The number of attacks to 1Gbps 10Mbps
or Less
that were 100Mbps or less was stable, while there
20%
was an increase in attacks 10Mbps or less and fewer 10Mbps to
100Mbps
attacks 10Mbps to 100Mbps. Those ranging from
10Gbps to 50Gbps decreased from 8% in 2015 to
3% in 2016.
Figure 29: What are the three biggest cyber-
attacks you have suffered by bandwidth?
Despite the record-breaking volumes we’ve seen in 2016, non-volumetric DDoS

is still prevalent. This denial-of-service technique is still proven to be very efficient
in exhausting network and server resources. Moreover, a non-volumetric attack
can evade detection mechanisms and consume bandwidth and resources
without the target knowing—affecting service-level quality.
70% Three in five respondents report a cyber-attack that is 10

63% million packets-per-second (PPS) or less, and about one-
60%
fifth indicated they suffered an attack between 10 million
50% PPS and 100 million PPS. The number of attacks that were
100 million PPS or less increased from 76% in 2015 to
40%
82% in 2016. Those with 10 million PPS or less were up,
30% too—increasing from 50% in 2015 to 63% in 2016.
20% 19%
10% Combining firewall, IPS and load balancers,
10%
5% 3%
0
we learn that stateful devices fail when
10M or 10M to 100M to 1B to 10B & at least 36% of attacks hit. They simply
Less 100M 1B 10B Above
cannot handle all kinds of cyber-attacks,
Figure 30: What are the three biggest cyber-attacks you and a dedicated attack mitigation solution is
have suffered by PPS?
required to maintain availability at all times.

04 EMERGING PERILS
The Bottom Line: The Rise of Cyber Ransom

The 2016-2017 Global Application & Network Security Survey revealed
that ransom attacks are by far the most prevalent threat—growing from
25% of attacks in 2015 to 41% in 2016. What’s driving the increase? Quite
simply, cyber ransom can be a highly lucrative “business.” It is faster,
easier and cheaper than ever to execute this form of extortion, which gives
its victims a very short window to respond before suffering what could be a
devastating disruption to systems and day-to-day operations.
50%
40%
41%
30% 27% 26% 26% 24%
20%
20% 21%
10%
11%
0
Ransom Insider Threat Political Competition Cyberwar Angry User No Attacks Motive Unknown
Figure 31: Which of the following motives are behind any cyber-attacks your organization experienced?

Overview of Cyber Ransom
Extortion isn’t a new concept. Nor is ransomware, which has been
on the scene for nearly a quarter century. One of the first examples
was called Aids Info Disk or PC Cyborg Trojan. This Trojan horse
would encrypt all of the filenames on the “C” drive—rendering the PC
unusable. Once a PC was infected, the malware would demand that a
payment of $189 be sent to a post office box somewhere in Panama.
In time, the Aids Info Disk Trojan’s creator was arrested and charged
with 11 counts of blackmail.
Today’s ransom attacks have
Antivirus software makers eventually learned how to detect this two primary “flavors”:
category of malware and were able to quickly block them. For years,
these defenses worked. However, the growing popularity of virtual Ransomware – Attackers
currencies has made ransomware a lucrative opportunity for cyber- typically use malware to
criminals. These criminals no longer request payments to a PO encrypt critical data, making
box. These days, they tell victims that if they ever want to see their it unusable until the user
information again, they must make a payment to a hacker via Bitcoin. complies with instructions to
Of course, the only sure thing is that the money will be taken. make a payment via Bitcoin.
One of the latest varieties to
Ransomware 39% emerge is Ransom32, which
is ransomware as-a-service
Ransom Denial of Service (RDoS) 17% that gives cyber criminals a
None 32% jumpstart on holding victims’
information hostage.
Don’t Know/Not Sure 19%
DDoS for ransom (aka
0% 10% 20% 30% 40% 50%
RDoS) – in which attackers
Figure 32: 49% of companies suffered at least one ransom attempt in 2016 send their target a letter that
threatens a DDoS attack at a
Primary Actors certain day and time unless
To date, RDoS attacks have been carried out primarily by these groups: the organization makes a
payment (usually $2,000 to
Armada Collective $10,000) via Bitcoin. Often
Armada Collective is arguably the best known—and most imitated— hackers will launch a small-
gang of cybercriminals. With a typical ransom demand of 10 to 200 scale attack as a preview of
Bitcoin (about $3,600 to $70,000), this gang often accompanies its what could follow.
ransom notes with a short “demo” or “teaser” attack. When time for
payment expires, Armada Collective takes down the victims’ data
centers with traffic volumes typically exceeding 100Gbps. (Radware
has firsthand experience with these criminals, who waged an RDoS
attack against our customer, ProtonMail, in 2015). Apparent copycats
have begun using the Armada Collective name; one early tactic involved
attempted extortion of about $7.2 million from three Greek banks.
DD4BC
This cybercriminal group, whose name is an acronym for “distributed
denial of service for Bitcoin,” started launching Bitcoin extortion
campaigns in mid-2014. Initially targeting the online gambling industry,
DD4BC has since broadened targets to include financial services,
entertainment and other high-profile companies.

ezBTC Squad
Instead of using email messages, this group of cybercriminals is using Twitter as the vehicle for delivering its
RDoS threats. Others are following suit.
Kadyrovtsy
Named after the elite forces of the Kadyrov administration in Chechnya, this is one of the newest groups to
emerge on the RDoS scene. It recently threatened two Polish banks and a Canadian media company. The group
even launched demo assaults (15-20Gbps) to prove its competence, much like the infamous Armada Collective.
RedDoor
RedDoor issued its first threats in March 2016. Per the “standard,” these criminals use an anonymous email
service to send messages demanding a ransom of 3 Bitcoin. Targeted businesses have just 24 hours to wire the
payment to an individual Bitcoin account.
Beware the Copycats

“Copycats” are compounding the RDoS headaches. These players are issuing fake letters—hoping to turn quick
profits with minimal effort. Here are useful tips to detect a fake ransom letter:
1.
Assess the request. The Armada Collective normally requests 20 Bitcoin. Other campaigns have been
asking for amounts above and below this amount. Fake hackers typically request different amounts of
money. In fact, low Bitcoin ransom letters are most likely from fake groups who are hoping their price point
is low enough for someone to pay rather than seek help from professionals.
2.
Check the network. Real hackers prove their competence by running a small attack while delivering a
ransom note. If there is a change in network activity, the letter and the threat are probably genuine.
3.
Look for structure. Real hackers are well organized. Fake hackers, on the other hand, don’t link to a
website, and they lack official accounts.
4.
Consider other targets. Real hackers tend to attack many companies in a single sector. Fake hackers are
less focused, targeting anyone and everyone in hopes of making a quick buck.
Likely Targets: Who Will CAVE?

What do cybercriminals look for when considering ransom targets? The acronym CAVE highlights the four areas
criminals will assess when choosing which people and companies to target:
Culture
An organization’s culture can make it more or less likely to be targeted by cybercriminals. The two key factors:
cultural views on paying versus not paying and the organization’s overall appetite for risk. Some organizations
are afraid to go public about a breach or simply aren’t interested in a public “fight.” Very private, risk-averse
organizations may represent strong candidates for
an RDoS or ransomware attack. Similarly, those with
a pay-up culture—who are quick to send funds to
“make it go away”—often earn a reputation as such. 50% 49 %
That can result in new attacks from other cyber-

crime groups.
40% 39 %
35%
30%
Assets
At the end of the day, cyber “ransomers” are out for 20%
profits. For their threats to be effective, the target
must have some digital asset—business or personal 10%
data, interface or communication—that is critical to
the individual’s life or the organization’s operations. 0
Those digital assets are what the criminals will Europe APAC North America
attempt to hold hostage to maximize their reward. Figure 33: Distribution of cyber-ransom attacks by geography

Vulnerability
Cybercriminals need a way to lock down assets, making them unavailable to users. In general, they can do so in
two primary ways: either by encrypting data at some level or by denying access by taking hostage an element
of the information technology delivery chain. Either way, criminals need to spot a key vulnerability—such as
an exploit or engineering assumption left unprotected. Ideally, cybercriminals will seek vulnerabilities that are
present across a large number of organizations. Such vulnerabilities can be highly lucrative, giving criminals the
ability to standardize on a technique and repeat it on a mass scale.
Expertise
Criminals aren’t looking for expertise—they’re looking for a lack of it. Indeed, they’re more likely to focus on
organizations or people lacking the resources to hire professionals; those with few or modest investments in IT
security support; and those who lack knowledge of cyber-ransom techniques and how best to respond.
Preparedness
Only 7% of security industry survey respondents indicated they keep Bitcoin at hand as part of their emergency
response plan.
Prof. High Tech Banking & Retail/
Services & Products & Financial Govt./Civil Wholesale/ Media/
Extremely/Very Well Prepared Consulting Services Services Education Service Online Telecom
Ransomware 48% 56% 51% 20% 37% 49% 52%
Figure 34: Distribution of cyber-ransom attacks across verticals
For more on this topic, see Radware’s ebook, Cyber Ransom Survival Guide: The Growing Threat of
Ransomware and RDoS – and What to Do About It
Friend Turned Enemy: SSL-Based Cyber-Attacks

Secure Socket Layer (SSL) and other commercialized encryption technologies provide an essential foundation
for e-commerce and secure online communication. But the 2014 discovery of the Heartbleed3 vulnerability—
followed by news of POODLE4—tarnished SSL’s reputation and led many IT experts to dub it the most vulnerable
technology in widespread use. Many are migrating to new, more secure versions of SSL, and ultimately, a
replacement protocol, Transport Layer Security (TLS). However, neither the story nor the threats are over.
Increasingly, attackers are using the SSL protocol to mask and further complicate attack traffic and malware
detection in both network and application-level threats. Challenges posed by encrypted traffic are poised to
get worse, as Gartner has noted: “The continued growth of SSL/TLS traffic will be amplified by the adoption of
HTTP 2.0. It creates a new attack surface for malware infection, data exfiltration and call back communication.”5
According to Netcraft, use of SSL by the top one million websites has increased by more than 48% over the past
two years.6 As the percentage of inbound and outbound traffic increases, so does the effectiveness of encryption
as a smokescreen for hackers.
Recent surveys show that on average, 25% to 35% of enterprise communication sent through a LAN and WAN
infrastructure is SSL-encrypted traffic.7 In certain verticals, such as finance or medical, it can reach as high as
70% due to the information being communicated. SSL technology continues to improve the security it provides,
with longer, more complex keys used to encrypt data.
3 https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/heartbleed-openssl/
4 https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/sslv3-poodle/
5 “Security Leaders Must Address Threats From Rising SSL Traffic” Gartner Research, January 8, 2015
6 https://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html
7 http://www.networksasia.net/article/3-reasons-ssl-encryption-gives-false-sense-security.1424935771

Types of SSL Attacks
More Frequent and More Virulent Yes No
DDoS and advanced Web application attacks continue to plague 100%
businesses as they move to more online operations. With both 90%
types of attacks, those leveraging encrypted traffic as an attack
80%
vector are on the rise. This increase is further challenging many
70% 61%
incumbent solutions for detecting and mitigating cyber threats. 65%
Most do not actually inspect SSL traffic, as it requires decrypting 60%
the encrypted traffic. In Radware’s latest industry survey, 39% 50%
of respondents confirmed they have been targeted by SSL or 40%
encrypted vectors—a 10% increase compared to the prior year.
30%
Only one in four businesses reported feeling protected against
SSL flood attacks.
20%
35% 39%
10%
SSL-based attacks take many forms. Among them: 0

2015 2016
• Encrypted SSL floods. These attacks are similar in nature to Figure 35: Have you experienced an
standard, non-encrypted SYN flood attacks in that they seek to SSL-based attack this year?
exhaust the resources in place to complete the SYN-ACK

handshake. Encrypted SSL floods complicate the challenge
by encrypting traffic and forcing resource use of SSL
handshake resources. Moving to TLS 1.2
Many security policy bodies and compliance
• SSL renegotiation. These attacks work by initiating a programs are moving toward implementation
regular SSL handshake and then immediately requesting the of the TLS 1.2 protocol. The PCI Council
renegotiation of the encryption key. The tool continuously originally set a June 2016 deadline8 for
repeats this renegotiation request until all server resources have migration from SSL to TLS 1.2. However, it
been exhausted. had to delay the requirement until June 2018
due to implementation challenges among
• HTTPS floods. These attacks generate floods of encrypted many merchants.
HTTP traffic, often as part of multi-vector attack campaigns.
Compounding the impact of “normal” HTTPS floods, encrypted Indeed, the migration will create some
HTTP attacks add the burden of encryption and decryption short- and long-term challenges. Just the
mechanisms. process of identifying all relevant system
components is resource intensive for already
• Encrypted Web application attacks. Multi-vector time-strapped teams. Further, many will face
campaigns also increasingly leverage non-DoS, Web challenges in maintaining interoperability
application logic attacks. By encrypting the traffic that masks with older versions of software and browsers
these attacks, they often pass undetected through both DDoS still used by some customers.
and Web application protections.
Meanwhile, encryption technology continues
to evolve in terms of the length and
Complicating Detection, Stressing Mitigation complexity of keys used. While these provide
SSL and encryption are highly effective at protecting the integrity stronger security, they also bring tradeoffs in
of legitimate communications. Unfortunately, they are equally terms of requiring greater computing power
effective at obfuscating many attributes that help determine if and being more complex to manage—a trend
traffic is malicious or legitimate. Identifying attack traffic within Radware expects to continue.
encrypted traffic flows is akin to finding a needle in a haystack—
8 https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
in the dark. Most cyber-attack solutions struggle to identify
potentially malicious traffic from encrypted traffic sources and to
isolate that traffic for further analysis (and potential mitigation).
SSL attacks offer attackers another advantage: the ability to

put significant computing stress on the network and application infrastructures they target. The process of
decrypting and re-encrypting SSL traffic increases the requirements of processing the traffic—in many cases
beyond the functional performance of devices used for attack mitigation. Most devices are inline, stateful and
unable to handle SSL encrypted attacks, making them vulnerable to SSL floods. Fewer still can be deployed out
of path—a necessity for providing protection while limiting the impact on legitimate users.
Many solutions that can do some level of decryption tend to rely on limiting the rate of request, which results
in legitimate traffic being dropped and effectively completes the attack. Finally, many solutions require the
customer to share actual server certificates. That requirement complicates implementation and certificate
management and forces customers to share private keys for protection in the cloud.
Visibility into encrypted traffic isn’t the only challenge related to SSL/TLS. When surveyed about the ability of
existing security solutions to decrypt, inspect and re-encrypt traffic, most are similarly working blind. Specifically,
75% of industry practitioners doubt their security solutions provide full encrypted attack protection.9 According
to Gartner, less than 20% of organizations decrypt inbound traffic at the network perimeter; less than half
inspect encrypted traffic leaving the network. Further, more than 90% with public websites decrypt inbound Web
traffic (often through a Web Application Firewall); however, many of the encrypted attack vectors are doing their
damage before traffic gets this deep into the network or application infrastructure.10
Cloud Complexity
Traditional data center environments aren’t the only place where encrypted traffic creates challenges of visibility
and security. As volumetric attacks that saturate Internet pipes or overwhelm data center resources continue to
grow, many are turning to cloud-based attack mitigation solutions.
Cloud-based services vary in capabilities but generally allow an attack target to rely on purpose-built resources
outside of its network to scrub traffic—that is, removing attack traffic and returning what’s legitimate. However,
rerouting encrypted traffic to a third party creates a new set of challenges related to private key management
and coordination. On one hand, decryption by the cloud DDoS provider is necessary to provide protection from
encrypted threats (some providers simply pass encrypted traffic along to the customer). On the other, enabling
a third party to decrypt traffic by sharing private keys sometimes means the customer must coordinate any
certificate management changes with the cloud DDoS provider. It also means potential loss of end-user data
privacy and confidentiality.
Given these challenges, organizations looking to handle volumetric attacks within encrypted traffic flows need to
identify vendors with the ability to support wildcard certificates that do not need to match the server certificates.
This does two things. First, it eliminates the need to share private keys with the cloud DDoS vendor, which will
be against most organizations’ security policies. Second, it dramatically reduces the administrative burden for
coordinating changes and updates to the server certificates and also eliminates the additional risk of exposing
server certificates to the network perimeter.
Encrypted Attack Protection: ‘Keys’ to Success

SSL is both a blessing and a curse: blessing because it solves the privacy problem and secures the
communication of sensitive information; curse because it creates new blind spots and vulnerabilities into an
enterprise IT infrastructure. To address SSL challenges, implement a strategy that considers the following:
• Visibility. Aim to decrypt and re-encrypt SSL sessions to enable security inspection of both clear and
encrypted traffic while maintaining privacy of content en-route.
• Service chaining. Any SSL inspection solution needs to be able to selectively forward traffic to one or more
security solutions.

• Flexible traffic inspection. How can a solution support efficiency while inspecting encrypted traffic that’s
masquerading as clear traffic? It must dynamically define filters that intercept and open traffic for inspection—
even if it flows through non-standard TCP ports (such as HTTPS port 443).
• Security. To avoid turning the SSL traffic inspection solution into a target itself, a solution must not perform
like a proxy or have its own IP address.
• Scalability. As the amount of traffic/SSL traffic continuously grows, SSL traffic inspection solutions must
seamlessly scale to reduce or eliminate the need for forklift upgrades.
• High availability. To avoid downtime due to outages in the security solution, the SSL traffic inspection
solution should always ensure traffic is forwarded to the fastest-responding available security servers,
automatically bypassing out-of-service servers.
Internet of Threats:
IoT Botnets and the Economics of DDoS Protection
2016 brought a long-feared DDoS threat to fruition: cyber-attacks were launched from multiple connected
devices turned into botnets. These attacks are propelling us into the 1Tbps DDoS era. What follows is a closer
look at what happened—and what to do now.
Notable Attacks
 June 28, 2016: PCWorld reports that “25,000 digital video recorders and CCTV cameras were
compromised and used to launch distributed denial-of-service (DDoS) attacks, flooding its targets with
about 50,000 HTTP requests per second.”11 Though impressive and startling, this attack said nothing about
what was still to come.

September 20, 2016: Around 8:00 pm, KrebsOnSecurity.com becomes the target of a record-breaking
620Gbps12 volumetric DDoS attack from a botnet designed to take the site offline.
 September 21, 2016: The same type of botnet is used in a 1Tbps attack targeting the French Web host
OVH.13 A few days later, the IoT botnet source code goes public—spawning what would become the
“marquee” attack of the year.
 October 21, 2016: Dyn, a U.S.-based DNS provider that many Fortune 500 companies rely on, is attacked
by the same botnet in what is publicly known as a “water torture” attack (see below). The attack renders
many services unreachable and causes massive connectivity issues—mostly along the East Coast of the
United States.
The Appeal of Internet of Things (IoT) Devices

For hackers, IoT devices are attractive targets for several reasons:
• IoT devices usually fall short when it comes to endpoint protection implementation.
• Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices. Such regulations
help ensure secured configurations and practices. Among them: changing default passwords and
implementing access control restrictions (for example, to disable remote access to administrative ports).
• IoT devices operate 24x7 and can be in use at any moment.
According to Radware’s survey, 55% of security professionals indicated that they believe Internet of Things
complicates mitigation or detection requirements.
11 http://www.pcworld.com/article/3089346/security/thousands-of-hacked-cctv-devices-used-in-ddos-attacks.html
12 https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
13 https://twitter.com/olesovhcom/status/779297257199964160

Increases the Attack Surface 52%
Complicates Mitigation Requirements 38%
Increases Detection Requirements 37%
Increases the Sophistication
of the Attack Itself 33%
Has No Effect 17%
0% 10% 20% 30% 40% 50% 60%
Figure 36: IoT threat impact as perceived by cyber security professionals
Different Attack Vectors

Mirai Under the Microscope
As an open-source attack program, Mirai is fueling justifiable fears that hackers will create countless
customizations and evolutions of the tool. To help understand the risks, Radware’s security research team
conducted a thorough study of the infamous botnet.
We can all thank a user named “Anna-senpai”

for publishing the Mirai source code to a public
and easily accessible forum. In short order, the
code spread to numerous locations, including
several GitHub repositories, where hackers began
taking a closer look. Since then, the Mirai botnet
has been infecting hundreds of thousands of
IoT devices—turning them into a “zombie army”
capable of launching powerful volumetric DDoS
attacks. Security researchers estimate that there
are millions of vulnerable IoT devices actively
taking part in these coordinated attacks. Figure 37: Infection map provided by botnets researcher @MalwareTechBlog
In a surprising departure from previous record-holding amplification attacks, attackers did not use DNS and NTP.
Instead, these attacks consisted mainly of TCP-SYN, TCP-ACK and TCP-ACK + PSH along with HTTP and non-
amplified UDP floods. In the case of KrebsOnSecurity, the biggest chunk of attack traffic came in the form of
GRE, which is highly unusual.14 In the OVH attack, more than 140,000 unique IPs were reported in what seemed
to be a SYN and ACK flood attack followed by short bursts over 100Gbps each over a four-day period.15
Outstanding Attack Vectors

GRE Flood Attack
Generic routing encapsulation (GRE) is a
tunneling type protocol developed by Cisco. GRE
mainly encapsulates data packets and routes
them through the tunnel to a destination network
that de-encapsulates the payload packets.
Sending many GRE packets with large amounts
of encapsulated data may lead to resource
consumption, with the victim attempting to de-
encapsulate them until exhaustion.
Figure 38: The bot sends GRE packets with encapsulated
UDP packet containing 512 bytes of random data
14 https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
15 https://twitter.com/olesovhcom/status/779297257199964160

TCP STOMP Attack
Consider this akin to the classic ACK flood attack—
with a twist. Most network security solutions will
easily block simple botnets as they send large
volumes of ACK packets. Thus, Mirai starts with the
ACK flood only after gaining a legitimate sequence
number by completing the TCP connection process.
By receiving a sequence number, Mirai raises the Figure 39: A function creates a GRE packet and includes it within a
odds of bypassing network security solutions. GRE flood attack
DNS Water Torture Attack

With this technique, the attacker sends a pre-
crafted DNS query to the service provider’s DNS
server. The malicious DNS query contains random
string concatenated previous to the victim’s domain
(for example, xxxyyyy.www.VictimDomain.com). The
DNS server will repeatedly attempt to get an answer
from the authoritative name server with no success.
Sending different false strings with the victims’
domain name will eventually increase the DNS Figure 40: Menu of all Mirai’s attack vectors
server’s CPU utilization until it is no longer available.
What follows is a concise overview of how Mirai operates:

1. Connects to victim machines via a brute-force attack against Telnet servers, using 60+ factory default
credentials of BusyBox.16
2. Every infected device locks itself against additional bots.
3. Mirai sends the victim’s IP and credentials to a centralized ScanListen service.
4. The new victim then helps in harvesting new bots, spawning a self-replicating pattern.
5. Once all devices are ready, Mirai launches the attack.
What makes Mirai so powerful? Consider that:

1. Setup is fast and easy; in fact, it can be completed within an hour.
2. Distribution is rapid. The infection recurrence mechanism leads to exponential growth in the botnet’s size.
In fact, perpetrators can have a botnet of 100,000+ infected devices in 24 hours.
3. Leveraging an efficient Communicating Sequential Processes (CSP) design, this distributed micro-service
architecture allows for scalable control of bots and attack execution in very large botnets.
4. This piece of malware has a low detection rate. It is very difficult to retrieve samples because the malicious
code lives in the device’s memory and is wiped out once the device is restarted.
5. Mirai also offers configurable attack features, including the ability to specify packet size, randomize packet
size, use Tos/idnt/ttl in IP header, force the source and destination ports and use TCP urg/ack/psh.rst/syn/fin.
Figure 41: Mirai’s HTTP flood program creates huge 80MB POST requests
6. The malware is able to recognize DDoS protection solutions and adjust the attack accordingly.
16 https://en.wikipedia.org/wiki/BusyBox

Figure 42: Mirai tries to bypass DDoS protection
Open-Source Attack Tools Open Pandora’s Box

The act of leaking or flat-out releasing source code of advanced hacking tools isn’t new. It has happened
numerous times, especially with high-profile and advanced malware families, such as Zeus, Citadel, Carberp
and SpyEye, which have been responsible for losses measuring in the hundreds of millions of dollars. Once
dangerous tools are released to the public, they can be download—and modified and enhanced—by anyone.
Figure 43: “I made my money, there’s lots of eyes looking at IOT now” –Anna-senpai
As security reporter Brian Krebs wrote, “Miscreants who develop malicious software often dump their
source code publicly when law enforcement investigators and security firms start sniffing around a little too
close to home.”
That can fuel copycats—and “enhanced” copycats. Radware performed a quick test to see how easy or difficult
it would be for an average hacker to take the now open-sourced Mirai source code and extend its capabilities
with a new, advanced attack vector.
Figure 44: Mirai 1.0 source code showing attack vectors including UDP, DNS, SYN, GRE, HTTP

To do this, we considered implementing several
advanced attacks that are NOT currently implemented These advanced Layer-7 attacks
in the original Mirai source code, such as: combined with the massive size
1. SSL attacks and scale of IoT botnets are
2. Layer-7 HTTP attacks with JavaScript support
indeed very dangerous.
3. HTTP 2.0 support
From there, we began our experiment. We were able to

acquire the Mirai source code in a matter of minutes on
GitHub. Compiling the bot binary and building it for the
x86 platform took five minutes and did not require any
programming skills.
In less than an hour, we have managed to integrate

another open-source attack tool called thc-ssl-dos,
which can be used to launch SSL RENEGOTIATION
attacks against Web servers. With some elementary
coding skills, we slightly modified the code to stress Figure 45: Radware obtains the Mirai source code from one of
servers that do not allow SSL renegotiation by rapidly the GitHub repositories and builds the attack bot binary
establishing a new TCP connection on each
SSL handshake.
Benchmarking Our Code

We performed some basic benchmarking of our new Create Your Own Botnet Within an Hour
attack vector capabilities against a target low-end 1. Download the Mirai code from GitHub (5 minutes)
server (Intel Xeon E3-1245V2, 16gb RAM) running Nginx 2. Compile the bot binary (5 minutes)
1.10 Web server (built with OpenSSL 1.0.2g). The client 3. Integrate other open-source attack tools
used to launch these attacks was sitting on a different (50 minutes)
remote server, with a latency of ~15 milliseconds
roundtrip time.
Figure 46: We can see that during “peacetime,” the server CPU usage is very low (4 cores, 8 threads)
Figure 47: But when we launch an SSL attack using our “improved” Mirai bot,
our server starts to get “busy” handling the incoming SSL connections

Figure 48: Running as few as two simultaneous attacks now puts our server under real stress at nearly 100% CPU on all cores
In our test landscape, we have observed that a single instance of our new Mirai code is capable of generating
350 SSL connections per second, which takes 50% of our server CPU resources. Multiple instances easily bring
the server to full CPU utilization—dramatically hurting system performance and availability.
For large enterprises with high-end backend servers, load balancers, proxies and the like, 350 SSL connections
per second is negligible. However, if we extrapolate this value to 100,000 instances—or even 1,000,000
instances—the resulting numbers are large enough to take down, in theory, every major website.
Of course, we need to remember that an IoT device is running on very low power and with limited CPU/network
capabilities. Even so, if we take a factor of x1,000, then an IoT botnet with 20,000 zombies will generate an
attack that is 20 times higher than the one we have measured.
The Economics of Botnets

While much has been discussed around Mirai, IoT, “the rise of the machines” and other catchy buzz-phrases, we
believe one of the most disruptive changes is the new economics model of IoT botnets.
Not so long ago, hackers were investing a great deal of money, time and effort to scan the Internet for vulnerable
servers, build their army of zombie bots and then safeguard it against other hackers who might also want to
claim ownership of them. All the while, hackers would keep continual watch for new infection targets that could
join their zombie army.
Things have changed: Now we see millions of vulnerable devices sitting with default credentials. Bot masters—
the authors and owners of the botnets—do not even bother to secure their bots after infection. After all, as Mirai
demonstrates, it does not even persist infection to disk, so a simple device reboot brings it back to a clean and
healthy state.
Nevertheless, this will not prevent re-infection. As we now know, it takes less than six minutes to scan the entire
IPv4 space—and the time-to-infection of vulnerable devices is constantly dropping. It is now estimated to take
less than an hour.
For a bot master, gaining control of powerful servers with 1Gbit cards or 10Gbit cards was considered to be the
ultimate goal—the “Holy Grail.” Sometimes a hacker would pay hundreds of dollars every month for it. Often he
or she would gain illegal access to it and work very diligently to hide it from others. And finding these servers—
then gaining access and maintaining exclusive control—was and still is difficult and expensive.
Now with IoT botnets, we see a different picture. Instead of spending months of effort and hundreds of dollars to
control a few powerful servers and several hundred infected PCs, bot masters can take control over millions of
IoT devices with near zero cost.

What Now?
To date, the number of connected devices is estimated at 6 billion, while the estimated Internet user count is
just 3.5 billion (though expected to grow to 13 billion by 2020).17 This shift points to a different economy—and
requires changes in thought and action.
The botnet attacks of 2016 also underscore the need to move beyond IoT security as an afterthought. IoT
platforms and devices need to be designed—from the ground up—to be secure. Right now it is far too simple
to victimize IoT devices; all it takes is telnet and a limited list of factory default usernames and passwords to
generate botnets of unimaginable proportions. And this is only the beginning.
Reducing the potential impact of IoT botnets should be a combined effort by all IoT stakeholders:
1. “Smart appliances” manufacturers need to be mindful of producing resilient products with robust
security components.
2. To protect enterprise customers, network carriers need the ability to detect and manage traffic that
originates from such devices.
3. Enterprise customers should understand that when making a security investment to protect their
infrastructure and assets, they need to be able to protect not only against today’s threats, but also against
those that will arise in the next three to five years.
The bottom line: The effort and money we’ve been expending to build defenses is no longer proportional
to attackers’ investments. It is time to review the attack landscape, re-evaluate the architecture of defense
mechanisms and consider how best to defend against higher-order-of-magnitude attacks.
Evolve and Adapt:

Why DevOps is Raising the Bar for Security Solutions
Agile development practices and DevOps are reshaping how organizations work. They’re fueling tighter
collaboration between IT and the business—and enabling frequent changes to systems and processes. The upside:
organizations can more quickly capitalize on emerging opportunities and challenges. The downside: it’s harder than
ever to stay secure. In an environment of continuous integration and delivery, how can security keep pace?
As organizations work to drive higher IT and organizational performance, many are embracing agile and DevOps
methodologies. These approaches emphasize strong connection between IT and the business and focus on continual
improvements. They also strive to speed up delivery while improving quality, security and business outcomes.
For its 2016 State of DevOps Report, Puppet Labs surveyed 4,600 technical professionals. In analyzing the
results, Puppet identified three types of organizations:
•
High IT performers, which complete multiple deployments per day
•
Medium IT performers, which deploy between once a week and once a month
•
Low IT performers, which deploy once per month or less frequently
The study found that high IT performers deploy 200 times more frequently than low IT performers. Further, their
lead times are 2,555 times faster and recovery times are 24 times faster than their low-performing counterparts.
It would be tempting to assume that frequent deployments could lead to higher failure rates. However, one
of the study’s surprising findings is that high IT performers have three times lower failure rates. These high IT
performers also spend 22% less time on unplanned work and rework—reflecting a high level of quality.18
According to another industry study, 20% of organizations emerged as advanced adopters of DevOps.19
Similarly, in Radware’s latest survey, 18% of respondents told us they deploy application changes to production
at least once a day, suggesting that they are high IT performers.
The trend is clear: agile development practices and DevOps have become mainstream. What does it mean for security?
17 http://www.internetlivestats.com/internet-users/
18 https://puppet.com/company/press-room/releases/puppet-2016-state-devops-report-addresses-most-pressing-issues-devops
19 Assembling the DevOps Jigsaw survey by Freeform Dynamic

Bridging the Gap
While DevOps offers tangible advantages in terms of improved quality and speed to market, it introduces
complications for implementing and auditing security controls. Among the issues: constantly changing assets,
continuous deployments and a breakdown in traditional segmentation of duties. Indeed, how best to integrate
security into DevOps remains a pressing challenge for all stakeholders. And while security objectives should be
prioritized alongside other business goals, in reality implementations often fall short.
Chalk it up to a number of traditional security tools and controls that are at odds with agile and DevOps
methodologies. These include:
• Penetration testing. On average, it takes several weeks 19%
Low Degree
to test, produce and assess the report, and then implement 27%
High Degree
necessary security changes in development and production.
That cadence is clearly at odds with the pace of deployments
in a DevOps model.
• Web Application Firewall (WAF). Initial implementation
cycles can take weeks, while security policy modifications can
take even longer—often requiring manual changes. Four out of
five organizations report at least a medium degree of manual
work to try and optimize their WAF. 54%
Medium Degree
• Code analysis methodologies. A medium-sized enterprise
Figure 49: What level of manual tuning does your
application can take days just to scan. The results of such a application security solution require?
scan may reveal issues that require additional time to remediate.
Radware’s security industry survey underscores the prevalence of these traditional tools, with 75% of respondents
using WAF. One-fourth said they only use one method to secure their applications (most often on-premise WAF or
penetration testing) and 66% reported relying on multiple tools and controls.
Hallmarks of High Security Performance

When integration and delivery are continuous, security needs to be as well. Yet traditional security solutions are
not designed to keep up with the speed and complexity driven by DevOps methodologies. The key is an adaptive
security service that allows the IT organization to addresses two fundamental challenges:
• Keeping pace with evolving threats. An adaptive security service can detect and mitigate newly evolved
threats by using a “positive” security model. In other words, the service should heuristically identify legitimate
traffic—and treat all other traffic as suspect. This approach is in stark contrast to traditional “negative” models,
which focus on blocking traffic that matches known attack signatures. Given the pace at which signatures
emerge and change, the “negative” model is more likely to miss the latest threats. Another key capability:
the ability to block attackers and spammers based on their real identity. This requires use of IP-agnostic device
fingerprinting versus tracking of IP addresses, which are continually obfuscated by attackers.
• Keeping pace with evolving assets. An adaptive security service should automatically detect new
application domains, analyze potential vulnerabilities and automatically assign optimal protection policies.
This should be followed by automatic identification of any changes in these applications as they are continuously
integrated by developers. Automation should also support testing for newly introduced vulnerabilities, as well as
patching application protections in real time to mitigate them.
Look for a continuous security delivery service that integrates detection tools, such as Dynamic Application
Security Testing (DAST), with mitigation/blocking controls, such as WAFs. This combination provides immediate
resolution of newly introduced vulnerabilities via automated real-time patching, as described above. Automated
independent security controls with self-adjusting rules and policies can assist in conducting scans that focus on
the application zones that have been changed. That saves time and accelerates detection of vulnerabilities.
Given the rate and pace of change in both external threats and internal applications, now is the time for a new paradigm
for security services. Insist on a service that has been designed for agile development environments and that adapts the
protections of evolving Web applications, thereby delivering effective protection at every stage of the development lifecycle.

05 THIRD-PARTY
VIEWPOINTS
From the Corner Office:

Views from a Chief Information Security Officer
Contributed by the CISO of a top-five US carrier
Top Attack Trends in 2016

1. First and foremost, we’ve seen our network—and the networks we monitor and protect—experience a
tenfold increase in the volume of DDoS attacks. In August 2015, we had a little over 5,000 attacks.
In July 2016, it was 55,000 attacks that we could identify. Last year, 70% to 80% of attacks were less than
a minute—mostly “white noise” events (a.k.a. “hit-and-run DDoS” or “burst attacks”). This year, we’ve seen
attacks falling into the one- to five-minute duration, causing random business disruptions.
2. We’ve also experienced a tremendous spike in malicious use of messaging protocols being tweaked
to carry out attacks—including MMS (Multimedia Messaging Service), SMS (Short Message Service) and
traditional email into these numbers. More than 99% of the total volume in our environment we identified as
being malicious or otherwise inappropriate to deliver to the customer.
3. The third trend is a large increase in mobile-specific ransomware activity targeting the two largest
platforms: Android and Apple. We believe most of that activity is originating in a foreign country and being
delivered via third-party app stores.
Size, Scope and Sophistication of Attacks

Volume. Across all categories of attacks, we’ve seen a large uptick in the total volume transfer that occurred.
I’m not referring to gigs per second but the total volume. We saw our largest category of 500GB or higher have
a four-fold increase. So in addition to a spike in burst attacks, we are also seeing longer-lasting attacks that are
presenting more data.

Vectors. When it comes to vectors, attacks generally fall into three common protocols: NTP, DNS and
CharGEN. Others may be used occasionally, but these are the three we see most commonly. Of those three,
we’ll see for two or three months that DNS will be most common, and then it switches to CharGEN. There’s no
clear pattern, which makes it hard to predict—just that the majority of attacks will use a common protocol and
then it will change.
Sophistication. Attacks are also growing in sophistication. That holds true more so based on what we’ve seen
with mobile-originating attacks. There’s been a sharp increase in malware targeting Android devices and then
leveraging them for DDoS events. Many of those malware packages we’ve identified weren’t written specifically
for DDoS events. It’s typically ad clicking or some other purpose, but we’ve seen some very advanced malware
being leveraged for DDoS.
Best Practices in Managing Security

We have a third party that serves as our Tier 1 Security Operations Center (SOC), the traditional security analyst
team that looks at everything as if through a magnifying glass. They’re the first ones expected to receive the
alarm out of our event management system.
We’re safeguarding thousands of apps—applications in our own corporate environments, applications for our
enterprise customers and more than 20 million subscribers ranging from hotspots with connected Windows
and Linux devices to Android and Apple devices. We lean on our vendor’s Emergency Response Team and
Advanced Services group to help us validate an appropriate implementation of our security policies. These are
high-value devices so we want to ensure we’re getting maximum value for those dollars, and those teams help
us achieve that.
One of the first things I do every morning is go to our dashboards, which display alarms and DDoS trends in an
executive view. Our SOC is looking at metrics on a 24x7 basis and our manager and director levels are looking at
these dashboards daily. We’ve established five severity categories for attacks and each is further broken down
by event or total volume transfer. Our goal is to provide the business with the complete story.
If an event falls into one of our two highest-severity

categories (we average one highest-severity event per week
and one to four second-highest-severity events per day), we
Attacks and techniques
have an incident management process that is initiated. First, change daily. You need
we immediately notify various members of our security and
flexible solutions and
broader carrier/technology organization. Second, we take
a deep dive into the threat intelligence. Was the attack part the ability to make
of something broader—geopolitical, script event, collateral adjustments just as
damage? Third, we present our findings as they pertain to
any potential impact it may have caused. We provide per- frequently to protect the
incident analysis and, if needed, we have different thresholds business. Pull those levers
in place on when and how to communicate. The bottom
line: we’re analyzing each and every event in some manner, to keep pace with ever-
and thanks to how our security architecture has been built changing threats to your
and how we manage our IP space, determine who was
targeted. Generally speaking, nine out of 10 events target our applications and networks.
customers and the rest target our corporate assets.
On a daily basis, I am asked the question, “Why?” I don’t have a quantified response other than a gut feeling.
However, those feelings are reassured and backed by our program development and threat intelligence. We
leverage a series of tools to identify that attacks are increasing. We’re now pretty confident that more and more
advanced malware is being produced targeting the Android platform in particular.

Black Friday: From Crisis to Confidence
When we first deployed a DDoS protection solution back in 2010, we actually had it on the network in a monitor-
and-alert mode because at that time we didn’t see a great enough risk to justify putting those devices inline as a
permanent configuration. We would have them inline as we identified specific risks. A number of times we were
referenced in a campaign, so we placed those devices inline during that high-risk period and then pulled them
back out. But several years ago, we made the decision to place them inline.
On Black Friday 2015—the busiest retail day of the year—we were the target of a large attack. I was able to send
an email to our senior execs letting them know that it had occurred and we blocked it with a 100% effective rate.
That was a big win for our security team.
You simply cannot paint a broad brush in architecture and platforms. You may protect 99 of 100 apps, but if
that one app might be business critical, you still failed. Not all code development has the same level of quality
or standards, and we’ve had to take that in account. Regardless of size or industry, an organization will have
a reasonable, if not definitive, population of assets it’s trying to protect. Solutions must have a broad range of
coverage—focusing not just on traditional network protocol protections but also offering high quality in session
management and all the various techniques, like hold-down timers and HTTP protections.
When I have an incident, I have a very high level of confidence that when I engage Radware’s ERT, I’m getting
support from some of the world’s leading cyber security experts.
Above all, I tell people that if they feel they are at increased risk for DDoS attacks, they should not underestimate
the level of commitment required for maintaining these platforms. Attacks and techniques change daily. You
need flexible solutions and the ability to make adjustments just as frequently to protect the business. Pull those
levers to keep pace with ever-changing threats to your applications and networks.
From the Frontlines: How a Multinational Bank

Handled a Ransom Threat and SSL-Based Attack
Contributed by Senior Network Architect, EMEA multi-national banking group
In this contributed piece, the Network Architect shares his notable experiences protecting this financial
services organization’s network perimeter from cyber security threats during the past 12 months.
Managing the Ransom Reality

Cyber ransom is a growing threat across industries, and we have experienced this phenomenon firsthand. In
November of 2015, our organization received a typical ransom email from the Armada Collective, which was
quickly followed by a teaser flood attack that the bank proactively mitigated. We actually detected and mitigated
the teaser flood attack before we discovered the email, which had been sent to an unattended mailbox while the
company was closed. With a hybrid DDoS mitigation solution in place, the flood attack had no impact and was
immediately diverted to a scrubbing center for cleanup.
Our organization is geographically separated from the rest of the world. This has implications on both the
organization’s ability to protect itself (for instance, in terms of latency in times of diversion) and also limits the
ability of hackers to use volumetric attacks; hackers can’t get even half a terabyte of traffic here. For us, a teaser
attack may bring 300 megabytes of traffic. As a safety precaution, when we receive a flood attack and ransom
note, we divert network traffic to the scrubbing center of our DDoS mitigation vendor, Radware, before the
ransom payment deadline. We believe that hackers executing the ransom attack will observe the traffic being
diverted and will realize the futility of launching a teaser attack. We also believe that it sends a clear signal to
Armada Collective and other ransom groups. By taking powerful and decisive action, we send the message that
we won’t be victimized.
In April of 2016, we received another ransom email purporting to be from Lizard Squad. Because we
communicate frequently with our local banking risk management association, we learned that the emails were
from a copycat. Since we identified it as a hoax, we decided not to divert traffic. However, we did receive a small
teaser attack and relied on Radware’s Emergency Response Team of experts for support.

Facing the Camouflaged Traffic Flood
Since the beginning of 2016, the diversity of attack vectors has increased and the bank has experienced a four-
fold increase in burst attacks. At the same time, attacks lasting more than an hour are decreasing. The trend
seems to be shifting toward very short, “hit and run” assaults.
Yet not all attacks are burst attacks. In September 2016, we received an attack that was relatively small (only
2-3 Gbps) but lasted over four hours and gradually evolved in several stages. First, we noticed that some of
the attacks were ping-back attacks. We experienced attacks of 16,000 SYN connections which were mitigated
via our on-premise DDoS protection appliance. After the Half-SYN attack, there was an HTTP flood with about
2,000 sources in the attack, which was also successfully mitigated. However, we had difficulty mitigating the full
HTTPS flood attack. It was the first time we experienced an encrypted attack, highlighting the need for dedicated
protection against encrypted attacks that leverage SSL standards to evade security controls.
Normally the bank faces UDP fragmented attacks followed by a DNS reflective attack. In this case, we were hit
with a typical SSL attack that we were not prepared to mitigate. Typically attacks only last three to four minutes
and immediately follow each other, but this SSL attack lasted an hour and a half, putting our defenses under
tremendous stress because of the computing resources the attack consumed. In fact, we generated so much
response load that it pushed our outbound connection to its limit; it tripled our usual throughput.
Lessons Learned
1. The benefits of behavioral analysis over rate-limiting analysis.
In the past, the bank tested a DDoS mitigation solution that leveraged rate-limiting technology and discovered
that using behavioral analysis provided a significant advantage. Since it doesn’t block legitimate traffic, it
enables us to maintain our service levels.
2. The importance of time to mitigation.
By having the ability to develop attack signatures in real time, we have been able to mitigate attacks in as little
as 20 seconds. Our traffic pattern during the day is heavy and at night it’s quieter, so we had to do some fine
tuning to reflect different behavioral traffic patterns at different times of the day.
3. The advantages of a single vendor hybrid DDoS protection solution.
The baseline on our perimeter and the baseline on the Radware scrubbing center are now identical. As a
result, we can mitigate attacks faster versus another solution that would have to reanalyze traffic in the cloud
again, or require a lot of manual tuning to reach the same protection level.
4. Let the experts deal with attacks.
Because we are backed by Radware’s Emergency Response Team, we can focus on our daily tasks knowing
that we can rely on their expertise within seconds. It means the bank isn’t required to have that expertise in-
house, which is important since the attack landscape is always evolving. Access to this level of expertise
should be part of any response and business-continuity strategy.
Our networking team preferred no form of Border Gateway Protocol (BGP) on-ramping or off-ramping. Nor
did they want a security application that would interfere with any routine decisions. We suggested leveraging
Radware’s Cloud DDoS Protection and a flow monitor that is deployed out-of-path so the bank’s IT security
team only engages with larger attacks that cross certain bandwidth thresholds. That all takes time and short,
low-bandwidth attacks could “fly under the radar.” With the behavioral engine, we can detect smaller, shorter
attacks. With another DDoS mitigation solution, we would never have detected those attacks.
Tips for Financial Service Security Professionals

In this part of the world, there is a belief that hard-to-detect attacks do not represent a critical threat, but for
a bank, nothing could be further from the truth. We feel the most effective way to protect our organization’s
infrastructure in the event of an attack is to have protection installed in-line. This eliminates the need to analyze
events and reroute traffic and eliminates any infrastructure obstacles to successfully mitigating an attack. There’s
increased visibility because the solution is always on. With automated attack mitigation—including behavioral
analysis that delivers continuous visibility and forensics—we’ll never be left vulnerable to evolving DDoS attacks.
Detect where you can; mitigate where you should.

See Through the DDoS Smokescreen to Protect Sensitive Data
Contributed by Paul Mazzucco, CISO, TierPoint
DDoS attacks can be costly and risky. TierPoint is witnessing a growing trend of using such
attacks as the means to another, potentially more devastating, end: stealing sensitive data.
Call this new breed of attack the “DDDoS”—deceptive distributed denial-of-service. For
two recent examples, look to attacks on Carphone Warehouse and Linode. By bombarding
Carphone Warehouse with online traffic, hackers were able to steal the personal and banking
details of 2.4 million people. Similarly, cloud provider Linode suffered more than 30 DDoS
attacks that appeared to be a ruse to divert attention away from a breach of user accounts.
With these “DDDoS” attacks, cybercriminals distract business and IT resources to pursue larger objectives. The
most recent Radware security industry survey shows that a growing number of security leaders are aware of
escalating threats.
These are true concerns. DDoS as a smokescreen isn’t new. Yet, as with so many cyber security trends, its
rise can be traced to financial motives. The value of stolen data in the dark market intrigues potential cyber-
delinquents to find ways to get access to it. The Darknet offers a marketplace for capturing that value. Consider
the following based on research by McAfee:
• Average estimated price for stolen credit and debit cards: $5 to $30 in the United States, $20 to $35 in the
United Kingdom, $20 to $40 in Canada, $21 to $40 in Australia and $25 to $45 in the European Union
•
Bank login credentials for a bank account with a $2,200 balance: $190
•
Patient Health Information (PHI): $500 to $1,800 depending on patient age and insurance coverage
• Login credentials for online payment services, such as PayPal: $20 to $50 for account balances from $400
to $1,000; $200 to $300 for balances from $5,000 to $8,00020
Why Attacks Succeed

Lack of preparedness for DDoS detection and mitigation is a boon to cybercriminals. Indeed, about two-thirds
of businesses are still mitigating attacks with tools not designed for DDoS. Traditional firewalls, Web application
firewalls, switches, routers and ISP-based protection solutions are unlikely to save a business from a DDoS
attack. In fact, firewalls often create bottlenecks and accelerate outages. Unfortunately, due to inappropriate
DDoS mitigations in place, organizations expose themselves not only to DDoS but also to other data-theft
oriented attacks that arrive in conjunction with the DDoS attack. The unintended consequence? Companies not
only suffer data leakage and reputation loss; the human and technological resources involved in rectifying the
situation are at least doubled.
TierPoint observations and experience point to these as the most common vectors for DDoS smokescreen attacks:
• Encrypted/non-volumetric attacks. This includes protocol attacks, such as SYN floods, fragmented
packet attacks and Pings of Death. These types of attacks consume actual server and/or firewall resources.
Such resource starvation attacks use service calls to the IP stack, such as TCP-SYN requests and calls
to the underlying authentication or operating system, to tie up and eventually overwhelm system memory
and computing processes.
• Application-layer attacks. These include Slowloris and zero-day DDoS attacks, as well as DDoS attacks
targeting Apache, Windows or openBSD vulnerabilities. Built around seemingly legitimate and innocuous
requests, these attacks aim to crash the Web server. Their magnitude is measured in requests per second.
• Volumetric attacks. These include User Datagram Protocols (UDP) floods, ICMP flood and other
spoofed-packet floods. The goal: to saturate the bandwidth of the attacked site. Magnitude is measured
in bits per second.
20 TierPoint’s sources for all of these data points. Source: http://newsroom.mcafee.com/press-release/mcafee-labs-report-reveals-prices-stolen-data-dark-web

Mounting a Defense 100%
Given their reach and impact, DDoS attacks are no longer an 14%
90% 18% 23%
issue for just the security team or IT department. Such attacks—
80%
particularly when used as a smokescreen for more nefarious
70%
tactics—are now an executive and board-level concern:
60%
TierPoint is witnessing a growing percentage of organizations 50%

turning to hybrid IT solutions to address security risks and 82% 86%
40%
77%
concerns. This approach incorporates a mix of cloud and 30%
managed security services with products and services employed 20%
at a business’s own data center.
10%
0
An example is an organization combining a mitigation appliance Total U.S. U.K.
and a mitigation service. While the appliance blocks attacks at the
application layer, a cloud-based service scrubs higher volumes
of malicious traffic. In the financial services industry, 45% of Yes No
institutions have already adopted this approach. Figure 50: Security and the C-Suite: Threats
and Opportunities, Radware, 2016
As the stakes get higher—and the “smoke” grows thicker—TierPoint advises organizations to solidify a strategic
DDoS detection and mitigation plan before an attack takes place. This includes understanding your risk profile
and tolerance as well as determining the right balance of managed security services and security solutions
administered internally.
Adaptive Security:
Changing Threats Require a New Security Paradigm
Contributed by Enterprise Security & Risk Management, Tech Mahindra
As organizations continue to embrace the digital evolution, a growing number of assets are
being connected to the Internet. In fact, most organizations are now using cloud-based
applications to power operations. With this shift, IT infrastructures have become more
distributed. Applications are now accessible from anywhere and personal devices are being
used to conduct business. Together, these realities have blurred the boundaries of the
traditional network perimeter.
Attackers operate under a host of motivations—from hacktivism to monetary gain. No matter their intent,
attackers benefit from the trend toward distributed IT, which increases the threat surface. Gone are the days
when bolt-in and “afterthought” security architectures were sufficient. Static firewalls and intrusion detection
or prevention solutions (IDS/IPS) woven around the asset simply cannot provide adequate protection. That’s
because static firewalls and IDS/IPS leverage a model whereby they are fed known attack & protocol behavior
and are not aware about the assets they protect. They are not cognizant of network behavior and are unable to
protect against emerging attacks. If those approaches don’t work, what does? Tech Mahindra believes there
is a need to realign security architecture by focusing on ensuring application availability and preserving user
experience while protecting applications from both volumetric DDoS attacks and exploitation of vulnerabilities. In
designing such a strategy, there are two important prerequisites for success:
1. Know Your Assets. This includes components such as web and mobile interfaces, databases, development
and test cycles, operating systems, where applications are being deployed, by whom and from where the
infrastructure is being accessed. Understanding these variables is an important requirement for reducing the
attack surface within the environment.
2. Map Your Risks and Take Steps To Reduce Them. Often attack activity goes unnoticed for a significant
periods of time. Thus, it’s crucial to understand attackers: how attacks have evolved over time, which direct

and indirect strategies an attacker might unleash against assets, and the hacker’s “mindset” to help in
identifying attacks that may have gone undetected and thwarting future attacks.
With applications being updated frequently, development and test cycles have shortened, and workloads have
become dynamic. In many organizations, time-to-market pressures, lack of resources and lack of awareness
and focus on security converge to create security gaps in applications. As a result, it has become critically
important that security be highly adaptable—with continuous adjustments to address fast-changing
applications and threats. With an adaptive security approach, an organization can establish an effective
security architecture for mitigating threats—both known and unknown.
Tech Mahindra’s View on Adaptive Security

At Tech Mahindra, we see three key building blocks for adaptive security:
1. Continuous Proactive Assessment. Adaptive security requires continuous assessment of an organization’s

infrastructure and applications. Continuous assessment via manual and automated tools generates a security
baseline that can be tracked and improved upon. With applications as key attack targets, the assessment
must also evaluate the application development phase, thereby preventing vulnerabilities from creeping into
the production environment. Recent attacks originated in IoT devices have illustrated the danger of device
manufacturers failing to consider potential risks and vulnerabilities within their devices. Just as manufacturers
are being held to higher standards, so should application developers. Incorporating security right from the
start will help identify any vulnerabilities during the development stage so that sufficient controls, such as
secure communication, authentication and authorization, can be integrated. In other words, when new code
or a new application is deployed into production, it must pass through these security assessments.
2. Situational Awareness. Adaptive security must continually evolve at run time to address ever-changing
application and user behaviors. Contextual information from continuous monitoring is a key input for an
effective adaptive security strategy. With this approach, the security architecture is not entirely dependent
on the traditional signature-based threat information but is instead based on real-time situational awareness.
Continuously evolving security requires complete awareness of the assets being protected—such as the
core network, applications and endpoints—and user behaviors related to those assets. If new code or a
new application is deployed, the architecture detects the change and fine tunes the policies vis-à-vis any new
vulnerabilities. Volumetric DDoS attacks are a constant threat to online IT assets, with attackers typically
merging malicious traffic with benign traffic (sometimes even using encrypted protocols). Thus, the ability to
analyze traffic behavior and recognize user traffic patterns using various parameters, together with maximum
detection accuracy, is key to dropping only malicious traffic and preventing any service degradation.
3. Automation. When organizations deploy best-of-breed security solutions, these solutions almost always
operate in silos. Automation in security can enable organizations to design a security architecture where
security functions coordinate with each other, share information and respond dynamically to attacks. For
example, adaptive defense mechanisms can use signaling or other forms of messaging between security
controls; they can auto-learn new attack patterns; and they can accelerate time to mitigation through real-
time creation of protection. Ultimately, automation is about prevention versus detection—and it empowers
organizations to secure themselves at the speed of attacks. Automation in security can enable siloed security
modules to work as a synchronized system—operating with minimal intervention and significantly improving
both incident response time and resource consumption. Just as dynamic business environments lead
organizations to adapt, so does the threat landscape. With distributed, heterogeneous information
architectures, application protection can no longer count on static models, but rather must include advanced
mechanisms like real-time auto-learning and self-updating to provide seamless and continuous protection of
an organization’s most critical digital assets.
Tech Mahindra Security Service Portfolio includes Security Consulting, Identity Access Management, Application
Security, Infrastructure Security and Threat Management. We continuously help our customers in their journey
towards the mature security posture. Tech Mahindra’s global partnership with Radware for on premise and
cloud-based security solution is in line with the continuously adaptive security approach.

BUILDING A CYBER-RESILIENT 06
BUSINESS
View cyber-attacks like parasites: not always visible, not

always felt, but with plenty of potential to affect your operational
efficiencies, service level agreements, and computing resources. All of those
impacts bring potentially high costs. Do everything you can to understand
the potential impact and build an effective incident response team so you
can rein in these “parasites” and limit damage to your business.
Calculating the Cost of Cyber-Attacks

Despite the prevalence of cyber-attacks, Radware’s 2016 industry survey reveals that the vast majority of the
world’s security experts (73%) have not devised a formula for calculating the financial impact of the attacks
they suffer. Rather, they rely on estimates. Unfortunately, those estimates tend to be significantly lower than the
findings of those who calculate actual costs. Most security experts (54%) estimate the impact of each cyber-
attack at less than $100,000; only 12% estimated the cost of an attack to be $1 million or more (see Figure 51).
54%
60%
50%
40%
30%
20% 17%
10% 8%
10% 6%
2% 2% 2%
0
Less than 100,001 - 250,001 - 500,001 - 1.1M - 3M 3.1M - 5M 5.1M - 10M 10M +
100,000 250,000 500,000 1M USD/EUR USD/EUR USD/EUR USD/EUR USD/EUR
Figure 51: How much do you believe an attack costs your business?

Interestingly, the survey found significant differences in estimates based on the geographic location of the
business. Nearly 80% of European businesses think an attack does not cost them more than $250,000. Their
counterparts in Asia put forth a much higher average: $1.25 million per attack. U.S.-based respondents fell
somewhere in the middle, estimating the cost of attacks at 33% more than security professionals in Europe but
$500,000 less than those in APAC.
0 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
North America
(A) 52% 8% B 18% 10% 7% 2%2%2%
Europe
(B) 63% AC 15% 8% 9% 2%112%
APAC
(C) 47% 16% 10% 11% 5% 3% 6% 1%
<100K 100K-250K 250.1K-500K 500.1K-1M 1.1M-3M 3.1M-5M 5.1M-10M 10M+
Figure 52: Differences in estimates across geographies
Similarly, this year’s survey uncovered differences across business sectors. While educational institutions
continue to underestimate attack costs, healthcare, government and technology organizations are well aware of
the risks. Indeed, such organizations provide estimates that are five times higher than education respondents’
estimates. For healthcare and government, this better understanding of risk may be associated with the sensitive
nature of the information under their care. Respondents from retailers provided an above-average estimate of
$800,000 per attack. After all, retailers depend on optimal service availability to run their operations; once hit
with an attack, losses are immediate. Surprisingly, financial services organizations provide a relatively moderate
estimate of just $500,000 per attack.
$1,200,000
$1,000,000
$800,000
$600,000
$400,000
$200,000
$0
Government Healthcare Tech Professional Retail Telecom Finance Education
Services
Figure 53: Estimated cyber-attack cost by sector
Those organizations that do calculate monetary consequences of attacks cite a number of factors that they
take into consideration. For at least half, reputational damage and online revenue loss are factors. Other drivers
include SLA fees, legal damage, compliance and processing of unwanted traffic.
60%
54%
49% 47%
50%
43% 43% 41%
40%
30%
20%
10%
5%
0
Financial Impact of Online Revenue SLA Fees Legal Damages Compliance Processing of Unwanted Other
Reputational Damage Loss from Users Fees Attack Traffic
Figure 54: Which of the following does the calculation for cost of attacks include/factor?

The average cost among businesses that calculate the Calculate the Real
impact of a cyber-attack is almost double the estimate of Cost of a Cyber-Attack
other businesses: $1.1 million versus $620,000. Businesses Reputational damage
that actually quantify their costs reported potential losses of + online revenue loss
more than a $1 million dollars at double the rate of the + SLA fees
+ legal damage
guessers (18% versus 9%). As expected, the findings showed
+ compliance costs
a strong correlation between the size of an enterprise and the + handling bad traffic
reported losses. = Actual cost of a cyber-attack
The survey findings point to some interesting variations

by vertical market. Among them: higher likelihood for 1200
1100
Thousands
underestimating by the education and media sectors, a
tendency by government security professionals to believe 1000
that cyber-attacks cost as much as $1 million, and tech and
professional services companies reporting the highest amounts, 800
followed by government and financial services entities. 620

600
The bottom line? Cyber-attacks are more expensive than many 400
organizations assume, making them a significant blind spot. By
more accurately understanding and precisely calculating all of 200
the financial impacts, security teams can make a stronger case
0
for funding—and use that funding to prepare more effectively
Calculating Guessing
and become a cyber-resilient business.
Figure 55: Average attack cost
Vertical
Professional High Tech Banking & Retail/
Services & Products & Financial Government/ Wholesale/ Media/
Total Consulting Services Services Education Civil Service Online Telecom
Less than 100,000 54% 54% 57% 50% 74% 44% 54% 70%
100,001 - 250,000 17% 21% 10% 18% 17% 20% 14% 12%
250,001 - 500,000 10% 7% 9% 14% 4% 12% 11% 9%
500,001 - 1M 8% 8% 12% 7% 4% 10% 11% 3%
1.1M - 3M 6% 2% 4% 9% 2% 2% 3% 6%
3.1M - 5M 2% 3% 1% 1% 0% 5% 3% 0%
5M - 10M 2% 1% 1% 1% 0% 5% 5% 0%
10M+ 2% 4% 5% 0% 0% 2% 0% 0%
Figure 56: How much do you believe an attack costs your business?
Planning a Cyber-Combat Strategy

In addition to querying security experts about quantifying cyber-attack costs, Radware also inquired about how
organizations currently respond to such incidents. Forty percent of global respondents still lack a formal incident
response plan. That’s a dangerous shortcoming. After all, cyber-attacks by definition disrupt “business as usual.”
How can you plan what to do if you don’t know which resources will be available at the moment of attack?
Of course, not all attacks are created equal. For many organizations, dealing with a certain threshold of low-level
attacks has become commonplace. But some actually cause serious disruptions that pose a potential threat to
the business—and must be handled immediately. How can you tell which is which?

Step 1 – Map Your Risks
You may be spending significantly on penetration testing and the latest technology for endpoint protection all
the way down to BYOD mobile phones. Even so, you may be overlooking critical gaps. Think about everything.
Use a bidirectional process where you draw your organization from the inside out, understanding your current
information security architecture and looking for vulnerabilities. Consider who might want to hurt you, why and
what means they may have to do so. These actors may include hacktivists, ransomers, competitors or even
disgruntled insiders or customers.
Step 2 – Understand the Impact

Some costs can be easily added to the equation: What’s the cost of a minute of downtime? An hour? Are there
any legal fees or compliance fines you would face if compromised? What would be the daily cost of investigating
an attack (factor in-house labor as well as the costs of executives’ attention and technology partner services)?
Other financial impacts are harder to pin down. A prime example is reputational impact, which can vary
depending on the severity of the attack and how much time your organization spends in the headlines.
Step 3 – Prioritize Critical Missions

After estimating the different impacts, it becomes easier to determine what is essential for the organization to
continue functioning. Prioritize business procedures and processes, engaging executive management both for
their input as well as their endorsement and resource allocation. As much as possible, use key performance
indicators to help measure the efficiency of the incident response plan.
Step 4 – Choose Your Squad

Once you have defined the critical processes, identify the dedicated personnel to run them. The incident
response plan cannot be the sole purview of the cyber security team; other key players in the organization must
also know how to orchestrate critical missions when enmeshed in a crisis. For the information security aspects
of the breach, your team must include the best security experts in the organization. They should not only know
how best to configure the product, but also know how to think like a hacker.
The “textbook” incident response team has system administrators who are very familiar with IT resources and
how to backup data; network administrators who know network protocols and can dynamically reroute traffic;
and information security personnel who know how to thoroughly track and trace security issues as well as
perform post-mortem analysis of compromised systems.
Radware’s industry survey reveals that one-third of organizations have an incident response team with proven
technology talents. Another fifth say their team has experts with a long track record in IT security. Another fifth
told us they have a mixture of
hackers, experts and tech talent.
Alarmingly, a similar percentage 21%
Don’t Have an
reports having no incident In-house IR Team 34%
response team at all. In terms of Tech Talents
experience and within Organization
Those with a combination of all skills, which of the
three—tech, security and hacker following statements
expertise—were most likely to best describes your
report having experienced and incident response
successfully mitigated attacks. 19% team?
Mixture of All Three
Those who are solely white-
hat hackers indicated that they
experienced these attacks but 5% 21%
did not mitigate them. White Hat Hackers Experts in IT Security
Figure 57

Although it may not always be possible, strive for personnel redundancy within your incident response team. If
depth in core areas is not applicable to your organization, cross-train whenever possible. For any organization,
entrusting the “key” to data safety and integrity to a single individual puts the entire enterprise at extreme risk.
Step 5 – Test, Revise, Adapt

An incident response plan is never “complete.” After all, the threat landscape is dynamic. So is every business
and its network, information and collection of vendors it relies on to support operations. When a crisis occurs,
there is no room for error; your response must be rapid and decisive. To meet that high standard, routinely stage
“emergencies” and practice responding to them. In doing so, your organization will develop a methodology that
fosters speed and accuracy while minimizing the impact of unavailable resources and potential damage should
an actual crisis occur. These simulations should involve not only the cyber security response team but also those
responsible for the communications plan, along with your technology partners, service providers and relevant
executive leaders.
ER Plan Total
No 40%
Yes 60%
Conducting post-event data collection/analysis 53%
Keeping a hard copy of emergency procedures 52%
Email notifications for customers and partners 51%
Regularly practicing possible scenarios w/DMs and key personnel 43%
Using a SIEM system for alerts and classification 42%
Setting a war room with security experts at immediate call 40%
Auto synchronization with DRC to protect data 32%
External communication via social media and/or company’s website 29%
A remotely triggered black hole (RTBH)/traffic diversion 23%
Keeping Bitcoin on hand in the event of ransom attacks 7%
Other 4%
Figure 58: Do you have a cyber security emergency response plan? If yes, which of the following practices does your plan include?
If you are relying solely on in-house resources for incident response, practice is even more crucial. This year’s
survey found that most respondents turn to in-house emergency response teams when they need to mitigate
a cyber-attack. Companies in APAC are more likely than those in North America and Europe to rely on security
vendors (50% versus 30% and 24%, respectively).
In-house Emergency response Team 68%

Service Provider 39%
Security Vendor 32%
3rd Party Consultant/Expert 27%
Other 3%
0% 10% 20% 30% 40% 50% 60% 70%
Figure 59: Who do you turn to when you are under attack for cyber-attack mitigation?
In security, it is generally wise to invest in prevention over detection. With cyber-attacks likely to impact every
business in some capacity, preparation is a major step toward mitigating successfully and minimizing the
financial, reputational and legal havoc an attack can wreak.

07 CYBER SECURITY PREDICTIONS:
LOOKING BACK AT 2O16,
PEERING AHEAD TO 2O17
2016: What a year! IoT threats became a reality and somewhat

paradoxically spawned the first 1TBs DDoS—the largest DDoS
attack in history. Radware predicted these and other 2016 events
in the 2015–2016 Global Application and Network Security Report.
Since initiating this yearly report, we have built a solid track record of
successfully forecasting how the threat landscape will evolve. While
some variables stay the course, the industry moves incredibly quickly,
and it takes just one small catalyst to spark a new direction that
nobody could have predicted.
Let’s take a look back at how our predictions fared in 2016—and then
explore what Radware sees on the horizon for 2017.

Radware’s Cyber Security Prediction Report Card
Did We Get
Prediction for 2016 Current Status It Right?
•
Advanced Persistent Denial of APDoS is an attack technique that leverages multi-vector attack campaigns targeting
Service (APDoS) as Standard various layers of the victim’s IT infrastructure. The majority of today’s cyber-attacks
Operating Procedure are now multi-vector.
•
2016 was the year of cyber-ransom, with 56% of companies reporting being
Continued Rise of Ransom
threatened. While we predicted that cloud companies would be the main targets, it
Denial of Service (RDoS)
turns out that ransomware affected just about every type of business.
•
The United States and the European Union reached the “Privacy Shield” agreement
Privacy as a Right
in May of 2016, followed by a debate about whether or not it accurately reflects the
(Not Just a Regulation)
morals of personal privacy.21
More Laws Governing
Sensitive Data
Under new U.S. Federal Communications Commission (FCC) rules in favor of online
privacy, consumers may forbid Internet providers from using and selling their data.22
•
The Internet of Zombies Everyone’s talking about the Mirai IoT botnet and its record-breaking volumes.
•
•
Arrival of Permanent
“Very slowly” turned out to be the operative words. While we have a few examples in
Denial-of-Service (PDoS) Attacks
2016, we foresee this threat gaining momentum in 2017.
(Albeit Very Slowly)
•
SSL-based attacks grew 10% year over year. Yet encrypting traffic to and from
Growing Encryption to
cloud applications requires additional resources, including overcoming the certificate
and from Cloud Applications
management challenge.
Figure 60 – Radware’s Cyber Security Prediction Scorecard
What’s on the Horizon – Four Predictions for 2017

For years there has been talk about the imminent threat of a dire cyber-attack that cripples society as we
know it. There’s even a TV show about what it might look like. But what are the actual possibilities for such an
occurrence? What follows are some very plausible cyber-attack profiles and scenarios for the upcoming year.
Read them for pleasure—and preparation.
Prediction 1: Rise of Permanent Denial of Service (PDoS)

for Data Center and IoT Operations
Imagine a fast moving bot attack designed not to collect data but rather to completely prevent a victim’s technology
from functioning. Sounds unlikely, but it’s possible. Permanent denial-of-service (PDoS) attacks have been around for
a long time; however, this type of attack shows itself spectacularly to the public only from time to time.
Also known loosely as “phlashing” in some circles, PDoS is an attack that damages a system so badly that it
requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can
destroy the firmware and/or basic functions of system. It is a contrast to its well-known cousin, the DDoS attack,
which overloads systems with requests meant to saturate resources through unintended usage.
One method PDoS leverages to accomplish its damage is via remote or physical administration on the
management interface of the victim’s hardware, such as routers, printers or other networking hardware. In
the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a
modified, corrupt or defective firmware image—a process which when done legitimately, is known as flashing.
This “bricks” the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other
attacks include overloading the battery or power systems.
Examples include:
• An article published by Help Net Security detailed a new USB exploit that, when inserted into a computer,
can render the machine bricked. According to Help Net, the latest PDoS USB attack “when plugged into a
computer … draws power from the device itself. With the help of a voltage converter, the device’s
capacitors are charged to 220V, and it releases a negative electric surge into the USB port.”23
21 http://arstechnica.com/tech-policy/2016/02/privacy-shield-doomed-from-get-go-nsa-bulk-surveillance-waved-through/
22 https://www.washingtonpost.com/news/the-switch/wp/2016/10/27/the-fcc-just-passed-sweeping-new-rules-to-protect-your-online-privacy/
23 https://www.helpnetsecurity.com/2015/10/15/usb-killer-20-a-harmless-looking-usb-stick-that-destroys-computers/

• An article in Dark Reading highlighted PhlashDance, a tool uncovered by HP Labs. PhlashDance finds
vulnerabilities in often forgotten firmware and binaries that sit locally on computing devices. The risk occurs
when a device hasn’t been properly patched and upgraded. The article states that “remotely abusing
firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. Phlashing
attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the
firmware has been corrupted, no further action is required for the DOS condition to continue.”24
• Recent safety hazard incidents of the Samsung Note 725 are stoking concerns about devices that can be
intentionally set on fire. There have been numerous test cases of malware and bots overheating devices,
causing them to physically distort or worse. These attacks, bundled into a cyber-attack, could have devastating
and lasting effects beyond what we commonly think about in the world of the “nuisance” DDoS attack.
Prediction 2: Telephony DoS (TDoS) Will Rise in Sophistication and Importance,

Catching Many by Surprise
Cutting off communications during crisis periods would impede first responders’ situational awareness,
exacerbate suffering and pain, and potentially increase loss of life. A new cyber era could consist of multiple
components—including a physical attack with a corresponding cyber-attack targeting the communications
systems that first responders use to contain and minimize damage.
Can the day be far away where a terrorist attack is magnified by an effective outage of first responders’
communication platforms? If you doubt the feasibility, review this bulletin.26 It was issued in 2013 by public safety
organizations asking for assistance in cracking a TDoS attack against 911 systems.
Prediction 3: Ransom Attacks Become More Segmented, More Real and More Personal
Radware predicts that cyber-ransomers extend their reach beyond companies. In 2017, ransom attacks could
get personal.
Hackers target personal implanted health devices. Imagine if your life depended on an implanted
defibrillator or other medical device. Now imagine if such a device were hacked and held for ransom. The idea of
hacking defibrillators is not science fiction. Cyber ransom is the fastest-growing motive and technique in cyber-
attacks. Can a marriage between the two be far off? For those unfamiliar with these risks and U.S. Government-
issued warnings in this category, please refer to the FDA’s Advice to Medical Device Manufacturers, a summary
of FBI & DHS alerts on Internet of Things and these warnings on cyber ransom.
Public transportation held hostage. In many ways, cyber ransoming a public transportation system is the
ultimate hack—empowering attackers to hold a community hostage for financial or criminal gain. If you live in
France, the United States or many other countries, you may have grown accustomed to railway or airline workers
striking and wreaking havoc on the communities around them.
From trains and planes to buses and automobiles, our entire system of transportation is becoming more
automated. This automation is meant to provide us with increased safety, improved reliability and higher
efficiencies. But is it really providing those things? If you have been following cyber security threats to public
transportation as closely as we have, you likely know there have already been many attacks—some of which
have distinguished themselves as harbingers of future attack categories. (In case you missed it, a recent
Radware blog post shares four real-world examples that help illustrate the problem.)
Just as other forms of transportation face increased threats, so does the aviation industry. Like water, terror
threats in aviation tend to take the path of least resistance. Via external analyses and documented evidence, we
now know that the aviation sector is vulnerable to cyber-attacks. How long will it be until terror strikes evolve
in the aviation industry—as they have around the world—to the cyber front? If you have responsibility for any
aspect of these areas, please don’t be a bystander. Be proactive about onboarding controls and saving lives.
24 http://www.darkreading.com/permanent-denial-of-service-attack-sabotages-hardware/d/d-id/1129499?print=yes
25 https://www.cnet.com/news/why-is-samsung-galaxy-note-7-exploding-overheating/
26 http://psc.apcointl.org/2013/03/15/updated-bulletin-tdos-attacks/

If transportation systems are vulnerable, could ransoming of these systems be far behind? If so, what would
politicians pay for a return to operations and safety for their constituencies? Does “pay-for-play” government
behavior reward the pursuit of future combinations of terrorism and crime?
Military devices ransomed. Military branches have long been heavy technology users. They have also
had a technology procurement model based on an outdated approach and xenophobic buying behavior.
In a world of commercial-off-the-shelf (COTS) products, goods are procured fairly at will. Will these COTS
packages—frequently made with large numbers of foreign components—be the small pebbles that undermine
the operational capabilities of the world’s largest military forces? Seemingly innocuous cameras, sensors and
other IoT devices pervade the military—but are just as rife with security issues as any on the planet. Once
demonstrable vulnerabilities are validated, how much would a government pay to regain control of weapons or
other crucial resources?
Prediction 4: The Darknet Goes Mainstream

Many people live two or more lives: one life in flesh and blood, the other life or lives in various online avatars,
which are essential for highly functioning citizenry. These avatars span health, finances, education, love
interests and more. Today the Darknet offers easy, affordable access to terrorize or otherwise alter someone’s
personal avatar for financial or other benefits. What, exactly, do we mean? Here are a few examples of what
2017 could bring:
• Compromised surveillance systems available for rent, enabling someone to see through another
person’s cameras
• Access to FBI files and lawsuit information
• Access to emails and computer systems of people going through a divorce, as well as teachers’ personal
communications or lawyers’ strategic documents and communications
• Personal medical records or previous criminal activity or misdemeanors
In the face of these frightening prospects, who is the definitive source of who we are, and how do we reconcile
file/record issues? Before you answer, picture yourself in a job interview. You provide one set of information
about your educational history; a report from your school serves up conflicting data. Who rules the day?
This analogy can be extended to numerous scenarios. The common thread: that your online avatar now
represents and requires high security and fidelity in order for you to function properly in society. In light of that,
one of the single most personalized acts of terror that can occur is a wide-scale loss, alteration or deletion of
records—with no reconstitution capability. This should strike fear in us all.
Is the Best Behind Us?

The conclusion we draw from all of these predictions: if growth in attack surfaces, techniques and means
continues into 2017, then the best years of security of our systems may be behind us. As we move forward into
2017, Radware views these as key questions to explore:
• With physical terror playing such a major role in global strife, how could cyber security sabotage NOT
be far behind?
• Given the threat landscape, what controls/testing can be performed to ensure that the public risk is abated
through proactive measures—and that private scenarios are regulated so that we can trust our Internet
avatar system as we trust our financial system?
Given the evolution of threats and the importance of the sanctity and trustworthiness of online systems,
government needs to step in and provide something akin to a Federal Bureau of Cyber Security with a separate
and distinct charter. This agency’s role would be equivalent to the physical Secret Service in numerous ways.
However, its operating space and domain would be one with the ghostly characteristics of computer warfare. In
defending the citizenry, this agency would need to cover freedoms of press and speech overall.
No matter when or how the government responds, each organization has a responsibility to be aware and
prepared. Radware urges you to contemplate how our 2017 predictions could affect your organization and the
people you serve—then work to devise appropriate strategies and controls for mitigating the risks.

RESPONDENT 08
PROFILE
In September of 2016, Radware conducted a survey of the security community

and collected 598 responses, almost double the number of responses to the
2015 survey. The survey was sent to a wide variety of organizations globally
and was designed to collect objective, vendor-neutral information about
issues organizations faced while planning for and combating cyber-attacks. All
responder profile information is listed below. Please note that not all answers
add to 100%, as some responders may have skipped the question.
17% 19% I am the top IT

Other executive at my
business unit or
location
Which best
describes you and
your role at work?
27%
My manager reports
directly to the top IT
executive at business
unit or location 37%
I report directly to the
top IT executive at my
business unit or location
Figure 61: Role within organization

Which best describes your title within your organization?
30%
24%
20% 19% 17% 15%
10% 8% 6% 5% 5% 2%
0
Manager/ Security Network CIO/CTO Operational EVP/Senior CSO/CISO Director Other
Supervisor Engineer Engineer Engineer VP/VP
Figure 62: Title within organization
20% 23%
10,000 or More Less than 100
In total, how many 41%

What is the Country-wide
employees are 44% scope of your
Worldwide
14%
currently working in organization’s
3,000-9,999 your organization? business?
17%
100-499
13%
1,000-2,999
11% 500-999 15%Region-wide
Figure 63: Number of employees in organization Figure 64: Geographic scope of business
Which best describes your company’s industry?
Professional Services & Consulting 15%

High Tech Products & Services 15%
Banking & Financial Services 12%
3% Other
Education 9% Central/South America 8%
Government & Civil Service 7% 20% APAC
Retail & Wholesale Trade, Online 6 %
Media & Communications 6%

Carrier & Telecommunication 4%
Manufacturing 3% Europe 26% Regions
Energy and Utilities 3% represented
Healthcare and Pharmaceuticals 3%
Automotive, Transportation 2%
Other 2%
0% 10% 20% 44% North America
Figure 65: Industries represented Figure 66: Regions represented

CREDITS 09
Authors Advisory Board

Carl Herberger Daniel Smith Shira Sagiv
VP Security Solutions ERT Researcher Director, Security Product Marketing
Radware Radware Radware
Michael Groskop Zeev Ravid Liron Machluf

Director, Web Application Products Security Research Architect Director, ERT
Radware Radware Radware
Ben Desjardins Paul Mazzucco Haim Zelikovsky

Director, Security Solutions Marketing CISO VP Cloud Business
Radware TierPoint Radware
Ben Zilberman Enterprise Security and Yotam Ben-Ezra

Manager, Security Product Marketing Risk Management Team CTO Office - Director of Security Innovation
Radware Tech Mahindra Radware
Carolyn Muzyka
Director, Marketing Communications
Radware
Colin Beasty
Manager, Content Marketing
Radware
About the Authors

Radware (NASDAQ: RDWR), is a global leader of application delivery and cyber security solutions for virtual, cloud
and software defined data centers. Its award-winning solutions portfolio delivers service level assurance for business-
critical applications, while maximizing IT efficiency. Radware’s solutions empower more than 10,000 enterprise
and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve
maximum productivity while keeping costs down.
About the Emergency Response Team (ERT)

Radware’s ERT is a group of dedicated security consultants who are available around the clock. As literal “first
responders” to cyber-attacks, Radware’s ERT members gained extensive experience by successfully dealing with
some of the industry’s most notable hacking episodes, providing the knowledge and expertise to mitigate the kind of
attack a business’s security team may never have handled.
For More Information

Please visit www.radware.com for additional expert resources and information and our security center DDoSWarriors.
com that provides a comprehensive analysis on DDoS attack tools, trends and threats. Radware encourages you
to join our community and follow us on: Facebook, Google+, LinkedIn, Radware Blog, SlideShare, Twitter, YouTube,
Radware Connect app for iPhone®.

© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware
product and service names are registered trademarks of Radware in the U.S.
and other countries. All other trademarks and names are the property of their
respective owners. www.radware.com

DDos 2017 Report

Uploaded by

Copyright:

Available Formats

DDos 2017 Report

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DDos 2017 Report

Uploaded by

Copyright:

Available Formats

TABLE OF

02 Methodology and Sources

06 Building a Cyber-Resilient Business

07 Cyber Security Predictions

What do cyber-attacks have in common with hurricanes,

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 3

Cyber-Ransom Proves Easiest, Most Increased Attacks Against

4 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

Combining statistical research and frontline experience, this report

Information Security Industry Survey

Radware Emergency Response Team Case Studies

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 5

6 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

What Motivates Hacking?

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 7

Most tools offer basic TCP, UDP and HTTP attack

Business Concerns of Cyber-Attacks

8 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 9

Weakness Against Volumetric/Pipe Saturation

DDoS Attacks 27%

Don’t Know/Not Sure

on a 10-point scale, it appears

those in most other verticals. 40% 6

10% 8% 10 - Avoiding False

10 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

of these attacks. In other words, 98% of

Figure 6: What is the average security threat your organization experienced?

Figure 7: What is the maximum security threat your organization experienced?

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 11

Overall, preparedness has remained consistent compared to 2015.

Malware (Worms, Viruses) 20% 46% 29% 4% 2 %

Very Well Prepared

Preparedness Across Regions

Socially Engineered Threats 50%

Figure 9: Preparedness to face different types of cyber threats by region

Preparedness Across Business Sectors

Figure 10: Preparedness to face different types of cyber threats by industry/vertical

12 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

Other 2% 2% Don’t Know/None

Hybrid Protection for Denial-of-Service Attacks

Premise-based DDoS Protection 50% 23% 28% Currently

CDN based DDoS/Filtering 39% 25% 37% Planning

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 13

30%28% 2014 2015 2016

Cyber-Attack Ring of Fire

14 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

   Industries at High Likelihood for Attacks

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 15

Government & Civil Service

Service Providers – ISP, Cloud, Colocation, Hosting

2 Australian census attacked by hackers

16 RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017

  Industries at Medium Likelihood for Attacks

 Industries at Low Likelihood for Attacks

RADWARE GLOBAL APPLICATION & NETWORK SECURITY REPORT 2016-2017 17

Attack Vector Landscape

survey, which showed a significant increase in ICMP 32% 9%

network-based attacks. In 2016, about two-thirds of TCP-Other 29% 10%

Figure 19: Impact of attack vectors by business sectors