Project

Positive Technologies helped repel 38 thousand cyberattacks on the services of the Transport Directorate of the 2018 World Cup

Customer: Transport Directorate of the 2018 FIFA World Cup

Transport

Product: MaxPatrol SIEM
Second product: PT Application Firewall

Project date: 2018/02 - 2018/07

Specialists of Positive Technologies and LANIT Northwest protected the information resources of ANO Transport Directorate 2018 of the 2018 FIFA World Cup. Positive Technologies announced this on October 15, 2018. The protected assets included the web resources and mobile applications responsible for the free travel of fans between host cities on Russian Railways, for registering carrier companies to operate in the cities hosting championship matches, and for recruiting volunteers to meet fans.

"The World Cup was an enormous project in terms of the IT infrastructure created for it. Broad use of online services made it convenient for fans and the media, but at the same time increased the number of possible entry points for attackers. Long before the tournament, keen interest of cybercriminals in the platforms connected with the event was noted. Therefore, to rule out any impact on the planned movement of fans, the risk of traffic standstill, or significant reputational damage, Transport Directorate 2018 needed to provide effective protection of its resources."

Alexey Novikov, head of the Positive Technologies Expert Security Center (PT Expert Security Center)

At the start of the project, from February to March 2018, Positive Technologies specialists performed penetration testing of all newly created web and mobile applications and analyzed the configuration of the network and server hardware. Based on the audit results, recommendations were issued whose implementation raised the security level of the infrastructure and ruled out critically dangerous incidents related to compromise of information systems, gaining unauthorized access through web application vulnerabilities and passwords stored in plaintext, theft of user data, or infection of user devices with malware.

At the second stage, a security perimeter was built with the MaxPatrol SIEM system at its core. It made it possible to quickly identify critical information security events and respond to threats, eliminating risks and, when the SIEM system detected potentially dangerous actions, blocking their source on the firewall. In addition, PT Application Firewall was used for analysis and monitoring of application-level traffic; it also blocked the source of potentially dangerous actions when they were detected. MaxPatrol SIEM received information from the operating systems, DBMSs, servers, and software used within the protected infrastructure. The Transport Directorate's information systems were located in three data centers: two in Moscow and one in Novosibirsk. Protection components were installed and configured in all data centers, taking into account the geographically distributed architecture.

To support the created cybersecurity perimeter, from May 2018 specialists of the PT Expert Security Center division of Positive Technologies monitored the security of the entire infrastructure 24/7. Automated protection tools blocked potential threats. Over the whole period of operation, PT Application Firewall blocked more than half a million threats in automatic mode, and MaxPatrol SIEM correlation rules fired several tens of thousands of times in total. The number of detected and blocked critically dangerous attacks against the web portals of the information systems (in particular SQL Injection, OS Commanding, and Shellshock) was 38,641, and the number of critical information security events related to the protected infrastructure (including execution of suspicious OS commands, unauthorized access attempts, and configuration changes) was 22,453.

Under the supervision of PT Expert Security Center specialists, from May to July PT Application Firewall in automated mode blocked about 60,000 IP addresses from which illegitimate actions aimed at compromising the web resources were attempted. The total number of IP addresses from which suspicious activity was recorded was 150 thousand. The main regions to which the IP addresses with suspicious activity were bound were North America (44.5%) and European countries (33.9%); only about 3.3% were attributed to Asian countries, and another 18.3% of the IP addresses had no regional binding.
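The workflow described in the three paragraphs above (application-layer inspection classifies a request as SQL Injection, OS Commanding or Shellshock, and a source address that keeps sending such requests is blocked automatically) can be illustrated with a small detector. The code below is an added example, not Positive Technologies or PT Application Firewall code; the log format, the signature patterns, the block threshold and the log lines are all constructed for the illustration.

```python
"""
Added illustration (not PT Application Firewall code): a minimal WAF-style
detector that classifies web requests by attack class and auto-blocks a
source IP once it reaches a threshold of dangerous requests.
The log format and all log lines below are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Coarse, defender-side signatures (assumed; a real WAF uses far richer rule sets).
SIGNATURES = {
    "SQL Injection": re.compile(
        r"(?i)('\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|;\s*drop\s+table)"
    ),
    "OS Commanding": re.compile(r"(?i)(;|\||&&)\s*(cat|ls|id|whoami|wget|curl)\b|\$\(|`"),
    # The well-known Shellshock marker in any header value (here: User-Agent).
    "Shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\};"),
}
BLOCK_THRESHOLD = 3  # assumed: dangerous requests from one IP before auto-block

# Constructed log format: <ip> "<method> <path>" <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 "GET /tickets?match=12" 200 "Mozilla/5.0"',
    '203.0.113.7 "GET /tickets?match=12%27%20OR%201%3D1--" 403 "Mozilla/5.0"',
    '203.0.113.7 "GET /search?q=%27%20UNION%20SELECT%201%2C2--" 403 "Mozilla/5.0"',
    '203.0.113.7 "GET /carriers?id=1;id" 403 "Mozilla/5.0"',
    '198.51.100.4 "GET /cgi-bin/status" 403 "() { :;}; echo test"',
    '192.0.2.9 "GET /volunteers" 200 "Mozilla/5.0"',
]


def classify(path, user_agent):
    """Return the attack class matched by the request, or None if it looks benign."""
    decoded = unquote_plus(path)  # inspect the decoded query, not the raw URL
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded) or pattern.search(user_agent):
            return name
    return None


def analyze(lines, threshold=BLOCK_THRESHOLD):
    """Classify each request, count hits per class and per source IP,
    and record the IPs that reach the auto-block threshold."""
    per_class = Counter()
    per_ip = Counter()
    blocked = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skipped, not treated as an attack
        kind = classify(m["path"], m["ua"])
        if kind is None:
            continue
        per_class[kind] += 1
        per_ip[m["ip"]] += 1
        if per_ip[m["ip"]] == threshold:  # block exactly once, on the crossing
            blocked.append(m["ip"])
    return {"by_class": dict(per_class), "by_ip": dict(per_ip), "blocked": blocked}


def run_sample():
    """Run the detector over the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    result = run_sample()
    print("attacks by class:", result["by_class"])
    print("dangerous requests by IP:", result["by_ip"])
    print("auto-blocked:", result["blocked"])
```

On the constructed sample, 203.0.113.7 sends two SQL Injection attempts and one OS Commanding attempt and is blocked on its third dangerous request, while 198.51.100.4 is counted for a single Shellshock probe and stays below the threshold. Blocking on the exact crossing (rather than on every request above it) is what keeps the block list free of duplicates, which matters when the per-IP counts grow into the tens of thousands reported above.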

Some addresses showed truly unique activity. For example, attempts at automated retrieval of available tickets were detected (possibly for subsequent resale). During this attack the attacker tried to change his behavior (the patterns by which he could be blocked) so as to avoid repeated automatic blocking when using another IP address. To identify new vectors of attacker impact on the information systems, experts continuously monitored traffic and information security events, as a result of which new automated blocking rules and notifications were developed and deployed. Such non-standard impacts on the information systems were identified 26 times, and manual blocks for addresses from which a large number of potentially dangerous attacks were detected were set 67 times.

Over the whole monitoring period, the correlation rules configured by PT ESC in the SIEM system and requiring closer attention from specialists fired 22,453 times. These events were verified manually according to pre-prepared incident response plans. When necessary, to clarify the circumstances of events, additional analysis and interaction with system developers and administrators were carried out. Such escalation was required in 21 cases (in none of them was penetration of attackers into the protected perimeter revealed). Potential attackers showed clear interest in the network infrastructure of World Cup 2018: during the championship, several targeted scans of the infrastructure from the Internet for newly published critically dangerous vulnerabilities in network equipment were recorded.

"The Positive Technologies products MaxPatrol SIEM and PT Application Firewall became an important component of the created information security perimeter, integrated well with the other solutions in use, and ensured high-quality, continuous operation of all information systems. Over the whole period of the project, attackers were unable to carry out a single successful attack on the protected information resources."