SlideShare a Scribd company logo

Ben herzberg/incapsula trends of cyber attacks

C
ChungSC_tw

經濟日報、遠傳電信主辦;資策會協辦 2017創新論壇-防駭大作戰

Technology
1 of 47
© 2016 Imperva, Inc. All rights reserved. Cyber Attack Trends Ben Herzberg @KernelXSS @imperva
© 2017 Imperva, Inc. All rights reserved. - @KernelXSS - about() 2 > ben.childNodes.length <· 2 > ben.history <· [“PT”,”Dev”] > ben.employer <· “Imperva” > ben.positionX <· “Research Group Manager” > ben.social <· {“TWT”: “@KernelXSS”, “LNK”: “Ben Herzberg”}
DoS / DDoS Attacks
WHAT’S DDOS (IN 6 SECONDS)
Volumetric Attacks
Layer 7 Attacks
WHY?
Lately…
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 16 Mirai 20-SEP-2016 OVH Attack 21-OCT-2016 Dyn DNS DDoS 5-DEC-2016 INVESTIGATED IoT DDoSINVESTIGATED IoT DDoS BEFORE IT WAS COOLBEFORE IT WAS COOL
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 17 Mirai OVH Attack 30-DEC-2014 21-OCT-2015 20-SEP-2016 5-DEC-2016 … SOHO Routers CCTV DDoS 21-OCT-2016 Dyn DNS DDoS
@ZAvishh Why use IoTs 4 DDoS?
© 2016 Imperva, Inc. All rights reserved. @KernelXSS19
© 2016 Imperva, Inc. All rights reserved. @KernelXSS20 IoTPC internet connection IoTPC VVinternet connection
© 2016 Imperva, Inc. All rights reserved. @KernelXSS21 IoTPC VVinternet connection code execution IoTPC VVinternet connection VVcode execution
© 2016 Imperva, Inc. All rights reserved. @KernelXSS22 IoTPC VVinternet connection VVcode execution scanability IoTPC VVinternet connection VVcode execution VXscanability
© 2016 Imperva, Inc. All rights reserved. @KernelXSS23 IoTPC VVinternet connection VVcode execution VXscanability hackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability
@KernelXSS The case of Mirai
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -25 func (this *Database) CreateUser(username string, password string, max_bots 
 int, duration int, cooldown int)
 bool {
 ...
 this.db.Exec("INSERT INTO users (username, password, max_bots, admin, "
 "last_paid, cooldown, duration_limit)"
 "VALUES (?, ?, ?, 0, UNIX_TIMESTAMP(), ?, ?)", 
 username, password, max_bots, cooldown, duration)
 return true
 }
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -26 #DEFINE TABLE_MEM_QBOT // REPORT %S:%S
 #DEFINE TABLE_MEM_QBOT2 // HTTPFLOOD
 #DEFINE TABLE_MEM_QBOT3 // LOLNOGTFO
 #DEFINE TABLE_MEM_UPX // X58X4DX4EX4EX43X50X46X22
 #DEFINE TABLE_MEM_ZOLLARD // ZOLLARD
 #DEFINE TABLE_KILLER_ANIME // .anime killer_kill_by_port(htons(23)) // Kill telnet service
 killer_kill_by_port(htons(22)) // Kill SSH service
 killer_kill_by_port(htons(80)) // Kill HTTP service
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -27 void attack_tcp_syn(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_ack(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_stomp(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_udp_generic(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_plain(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_dns(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_gre_ip(uint8_t targs_len, struct attack_target *targs,…)
 void attack_gre_eth(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_app_http(uint8_t targs_len, struct attack_target *targs,…)
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -28 # define TABLE_ATK_DOSARREST 45 // "server: dosarrest"
 # define TABLE_ATK_CLOUDFLARE_NGINX 46 // "server: cloudflare-nginx"
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
 conn->protection_type = HTTP_PROT_CLOUDFLARE;
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
 conn->protection_type = HTTP_PROT_DOSARREST;
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -29
© 2016 Imperva, Inc. All rights reserved. - @KernelXSS -30
Industry Challenges for 2018
“Secure by default”
TMI
Antivirus 1987 1992 Firewall 1999 WAF IPS NOW ?
Host IDS/IPS Database Access Management Network Anomaly Detection Threat Intelligence Sharing MDM DDoS Mitigation Cloud Access Security Broker Identity Management Threat Containment Solutions Forensic Kits Honeypots Decoys Automated Vulnerability Assessment File Access Management Patch Inventory Management Device Control Management Network Access Control Database Firewalls Data Vaults
DDoS Trends
Over 6,000,000,000 Smart-Phones By 2020
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com The growing prevalence of IoTs 39 Source: Ericsson Mobility Report; June 2016.
© 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT botnets NG • Improving the C2 functionality: • DGA • P2P • Different spreading techniques • TR-069 vulnerabilities • Windows as a relay • Non-DDoS botnets • Bitcoin mining • SPAM spreading • Bruteforcing • IoT vigilantes - Hajime 41 Image credits: www.mobihealthnews.com
How do we do that?
Small Data is the new BigData
“SecOps”
Config: Less is More
Sometimes Cloud is the Security
© 2017 Imperva, Inc. All rights reserved.47 @KernelXSS, @imperva Thanks You! ⾮非常感谢您 linkedin.com/in/sysadmin ben.herzberg@imperva.com

Recommended

Network Monitoring with Icinga
Network Monitoring with IcingaNetwork Monitoring with Icinga
Network Monitoring with Icingalearjk
 
Info 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerInfo 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerShahriar Rafee
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Logs And Backups
Logs And BackupsLogs And Backups
Logs And BackupsCharles Southerland
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Codemotion
 

Recommended

Network Monitoring with Icinga
Network Monitoring with IcingaNetwork Monitoring with Icinga
Network Monitoring with Icingalearjk
 
Info 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerInfo 2402 assignment 2_ crawler
Info 2402 assignment 2_ crawlerShahriar Rafee
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research
 
ExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityExpertsLiveEurope The New Era Of Endpoint Security
ExpertsLiveEurope The New Era Of Endpoint SecurityAlexander Benoit
 
Logs And Backups
Logs And BackupsLogs And Backups
Logs And BackupsCharles Southerland
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018
Deep learning beyond the learning - Jörg Schad - Codemotion Rome 2018 Codemotion
 
Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksAPNIC
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Spark Summit
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_finalKazuki Omo
 
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoOSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoNETWAYS
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
Doing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayDoing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayMinio
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUTNahidul Kibria
 
Chapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxChapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxmccormicknadine86
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 
D3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeD3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeImperva Incapsula
 
Trend briefs security
Trend briefs securityTrend briefs security
Trend briefs securityJongseok Choi
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...NETWAYS
 
9(1)
9(1)9(1)
9(1)sruthi c
 
Android Architecture components
Android Architecture componentsAndroid Architecture components
Android Architecture componentsMichelantonio Trizio
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

More Related Content

Similar to Ben herzberg/incapsula trends of cyber attacks

Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksAPNIC
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreStefan Esser
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Spark Summit
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_finalKazuki Omo
 
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoOSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoNETWAYS
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos, Inc.
 
Doing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayDoing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayMinio
 
Chapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxChapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxmccormicknadine86
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 
Trend briefs security
Trend briefs securityTrend briefs security
Trend briefs securityJongseok Choi
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...NETWAYS
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 

Similar to Ben herzberg/incapsula trends of cyber attacks (20)

Beyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacksBeyond Mirai: The new age of MDDoS attacks
Beyond Mirai: The new age of MDDoS attacks
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
Powering Predictive Mapping at Scale with Spark, Kafka, and Elastic Search: S...
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_final
 
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca ArbezzanoOSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
OSMC 2018 | Distributed Tracing FAQ by Gianluca Arbezzano
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
 
Doing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native WayDoing Dropbox the Native Cloud Native Way
Doing Dropbox the Native Cloud Native Way
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
Chapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docxChapter TwelveNetwork SecurityData Communications an.docx
Chapter TwelveNetwork SecurityData Communications an.docx
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판
 
D3TLV17- Keeping it Safe
D3TLV17- Keeping it SafeD3TLV17- Keeping it Safe
D3TLV17- Keeping it Safe
 
Trend briefs security
Trend briefs securityTrend briefs security
Trend briefs security
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
 
9(1)
9(1)9(1)
9(1)
 
Android Architecture components
Android Architecture componentsAndroid Architecture components
Android Architecture components
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Ben herzberg/incapsula trends of cyber attacks

  • 1. © 2016 Imperva, Inc. All rights reserved. Cyber Attack Trends Ben Herzberg @KernelXSS @imperva
  • 2. © 2017 Imperva, Inc. All rights reserved. - @KernelXSS - about() 2 > ben.childNodes.length <· 2 > ben.history <· [“PT”,”Dev”] > ben.employer <· “Imperva” > ben.positionX <· “Research Group Manager” > ben.social <· {“TWT”: “@KernelXSS”, “LNK”: “Ben Herzberg”}
  • 3. DoS / DDoS Attacks
  • 5.
  • 6.
  • 8.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14. WHY?
  • 16. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 16 Mirai 20-SEP-2016 OVH Attack 21-OCT-2016 Dyn DNS DDoS 5-DEC-2016 INVESTIGATED IoT DDoSINVESTIGATED IoT DDoS BEFORE IT WAS COOLBEFORE IT WAS COOL
  • 17. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT DDoS through the (very recent) history 17 Mirai OVH Attack 30-DEC-2014 21-OCT-2015 20-SEP-2016 5-DEC-2016 … SOHO Routers CCTV DDoS 21-OCT-2016 Dyn DNS DDoS
  • 19. © 2016 Imperva, Inc. All rights reserved. @KernelXSS19
  • 20. © 2016 Imperva, Inc. All rights reserved. @KernelXSS20 IoTPC internet connection IoTPC VVinternet connection
  • 21. © 2016 Imperva, Inc. All rights reserved. @KernelXSS21 IoTPC VVinternet connection code execution IoTPC VVinternet connection VVcode execution
  • 22. © 2016 Imperva, Inc. All rights reserved. @KernelXSS22 IoTPC VVinternet connection VVcode execution scanability IoTPC VVinternet connection VVcode execution VXscanability
  • 23. © 2016 Imperva, Inc. All rights reserved. @KernelXSS23 IoTPC VVinternet connection VVcode execution VXscanability hackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability IoTPC VVinternet connection VVcode execution VXscanability VXhackability
  • 25. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -25 func (this *Database) CreateUser(username string, password string, max_bots 
 int, duration int, cooldown int)
 bool {
 ...
 this.db.Exec("INSERT INTO users (username, password, max_bots, admin, "
 "last_paid, cooldown, duration_limit)"
 "VALUES (?, ?, ?, 0, UNIX_TIMESTAMP(), ?, ?)", 
 username, password, max_bots, cooldown, duration)
 return true
 }
  • 26. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -26 #DEFINE TABLE_MEM_QBOT // REPORT %S:%S
 #DEFINE TABLE_MEM_QBOT2 // HTTPFLOOD
 #DEFINE TABLE_MEM_QBOT3 // LOLNOGTFO
 #DEFINE TABLE_MEM_UPX // X58X4DX4EX4EX43X50X46X22
 #DEFINE TABLE_MEM_ZOLLARD // ZOLLARD
 #DEFINE TABLE_KILLER_ANIME // .anime killer_kill_by_port(htons(23)) // Kill telnet service
 killer_kill_by_port(htons(22)) // Kill SSH service
 killer_kill_by_port(htons(80)) // Kill HTTP service
  • 27. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -27 void attack_tcp_syn(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_ack(uint8_t targs_len, struct attack_target *targs,…)
 void attack_tcp_stomp(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_udp_generic(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_plain(uint8_t targs_len, struct attack_target *targs,…)
 void attack_udp_dns(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_gre_ip(uint8_t targs_len, struct attack_target *targs,…)
 void attack_gre_eth(uint8_t targs_len, struct attack_target *targs,…)
 
 void attack_app_http(uint8_t targs_len, struct attack_target *targs,…)
  • 28. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -28 # define TABLE_ATK_DOSARREST 45 // "server: dosarrest"
 # define TABLE_ATK_CLOUDFLARE_NGINX 46 // "server: cloudflare-nginx"
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
 conn->protection_type = HTTP_PROT_CLOUDFLARE;
 
 if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
 conn->protection_type = HTTP_PROT_DOSARREST;
  • 29. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -29
  • 30. © 2016 Imperva, Inc. All rights reserved. - @KernelXSS -30
  • 33. TMI
  • 35. Host IDS/IPS Database Access Management Network Anomaly Detection Threat Intelligence Sharing MDM DDoS Mitigation Cloud Access Security Broker Identity Management Threat Containment Solutions Forensic Kits Honeypots Decoys Automated Vulnerability Assessment File Access Management Patch Inventory Management Device Control Management Network Access Control Database Firewalls Data Vaults
  • 36.
  • 39. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com The growing prevalence of IoTs 39 Source: Ericsson Mobility Report; June 2016.
  • 40.
  • 41. © 2017 Imperva, Inc. All rights reserved. @KernelXSS @Incapsula_com IoT botnets NG • Improving the C2 functionality: • DGA • P2P • Different spreading techniques • TR-069 vulnerabilities • Windows as a relay • Non-DDoS botnets • Bitcoin mining • SPAM spreading • Bruteforcing • IoT vigilantes - Hajime 41 Image credits: www.mobihealthnews.com
  • 42. How do we do that?
  • 43. Small Data is the new BigData
  • 47. © 2017 Imperva, Inc. All rights reserved.47 @KernelXSS, @imperva Thanks You! ⾮非常感谢您 linkedin.com/in/sysadmin ben.herzberg@imperva.com