Don’t buy insurance after the fire: Protecting your business against DDoS attacks by Terrence Gareau
The threat of cyber-attacks has been brought to the attention of the public by the activity of cyber-criminals such as the Lizard Squad, which in recent months has used DDoS attacks to bring down the networks of corporate giants such as Sony PlayStation, Microsoft Xbox and Malaysia Airlines.
Furthermore, the same group last year proved that it has another string to its bow, having hacked and infiltrated the system of the US Department of Defense on 15 June 2014.
With the combination of DDoS attacks and hacking at large, it’s time for businesses and brands to realise the multi-faceted security threats presented by sophisticated cyber-criminals and adopt a proactive, rather than reactive, strategy.
Groups such as the Lizard Squad prove, if nothing else, that anyone, anywhere could be the victim of cyber-attacks. Even corporate giants that invest large sums in sophisticated security systems can never be sure when they have done enough to fend off cyber-criminals.
The truth is that these groups are not a rabble of hobbyist hackers trying to make a name for themselves. The gains for the groups engaging in cyber-crime are potentially massive. As a result, the organisations looking to take advantage are often well organised, strategic in their work and at the cutting-edge of technological advancement.
For security companies, the challenge of staying one step ahead of these groups is ongoing and requires consistent investment in R&D, analysis of real-time network security data, and big data collated over a longer period of time to spot trends and anomalies. All of these can point security companies to the same weaknesses in existing solutions and systems that the attackers are looking for.
How do DDoS attacks work?
The world has seen the power and fallout of a well-timed, well-executed DDoS attack. Furthermore, this method of cyber-attack is only getting more effective.
The methods used by DDoS networks to locate vulnerabilities within security systems are far more sophisticated and automated than they used to be. This greatly accelerates the speed with which an attack can be staged. Leveraging zero-day and zero-plus vulnerabilities in unprotected networks means that DDoS attackers are able to recruit and add infected computers to their attack army at an alarming rate.
This increased rate of botnet recruitment not only gives the attacker a flexible arsenal of attacks for causing digital mayhem, but also increases the overall effectiveness and success rate of each attack. Increasing the speed, and reducing the time-frame by which an attack is in full flow, is beneficial to attackers for two main reasons.
The first is simply that the less time it takes for an attack to gain momentum, the less time the network operators have to react, and the more likely the attack is to be successful.
The second is that being able to operate in tighter time-frames gives attackers more control over timing. This means, as we saw with the Christmas holiday attacks on Microsoft and Sony, that attackers are more likely to gain publicity, and potentially a form of leverage, by hitting networks at particularly crucial times. Imagine the leverage a group such as the Lizard Squad could gain by bringing down a betting website on Grand National Day, for example.
Unsurprisingly, from the perspective of the cyber-attacker, the popularity of zero-day-plus-one attacks continues to grow. Successful attacks can spread rapidly because, once a vulnerability is discovered, attack tools that can be reused by copycat criminals become public information within hours. This means that even when most machines have been patched in the aftermath of an attack, hackers will continue with their attempts to exploit popular vulnerabilities.
Zero-plus attacks typically exploit such vulnerabilities to deploy DDoS toolkits onto infected machines. They are not the only type of DDoS attack available for cyber-criminals to deploy:
- Multi-vector attacks are designed to cripple a targeted online service and are difficult to defend against due to their complexity – potentially using a mixture of DDoS and hacking.
- Amplified reflective attacks leverage legitimate service queries to public servers. By spoofing the target’s IP as the source IP, the attacker causes a vulnerable public server to send its response, which may be up to 366 times as large as the original request, to the target. It is therefore the target’s bandwidth, not the attacker’s, that is drained, leaving the target susceptible to being overloaded quickly.
- Transport Layer Security (TLS) based attacks take advantage of websites that do not support the latest version of TLS, the successor protocol to SSL, from which the ‘S’ in HTTPS is derived.
- Internet of Things (IoT) based attacks arise because these devices use low-power technology that relies heavily on shared libraries and rapid development frameworks. IoT software architecture and constraints such as battery life leave many IoT devices with few options for the risk-management features used to mitigate threats. Malware can be introduced into IoT devices via fake update servers, and hackers can then use the devices as proxies to launch attacks against other Internet-connected targets.
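The reflection attack described above has a simple signature from the defender's side: large inbound UDP responses arriving on well-known service ports (NTP, DNS, SSDP) that the protected network never sent matching requests for, because the requests were issued by the attacker with a spoofed source. The following Python check, added here as an illustration and not code from the article or from Nexusguard, runs that heuristic over constructed flow records; the record layout, the `reflection_suspects` function and the default 20:1 byte ratio are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not taken from the article): one entry per
# unidirectional UDP flow seen at the edge, from the protected network's view.
# Fields: direction, remote_ip, remote_port, local_ip, local_port, bytes
SAMPLE_FLOWS = [
    # Three NTP servers replying to us although we never queried them:
    # classic spoofed-source reflection traffic.
    ("in",  "203.0.113.10",  123, "198.51.100.5", 40001, 48200),
    ("in",  "203.0.113.11",  123, "198.51.100.5", 40002, 47900),
    ("in",  "203.0.113.12",  123, "198.51.100.5", 40003, 48600),
    # A legitimate DNS lookup: small query out, modest answer back.
    ("out", "203.0.113.20",   53, "198.51.100.5", 51000,    70),
    ("in",  "203.0.113.20",   53, "198.51.100.5", 51000,   300),
    # An SSDP reflector we never talked to.
    ("in",  "203.0.113.40", 1900, "198.51.100.5", 41000,  9000),
]

def reflection_suspects(flows, min_ratio=20.0):
    """Flag remote service ports whose inbound bytes dwarf what we sent them.

    Returns a list of findings, largest inbound volume first. A port with
    inbound traffic and zero outbound traffic gets an infinite ratio: replies
    with no request at all are the strongest indicator that someone else
    asked the reflector on our behalf.
    """
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    reflectors = defaultdict(set)
    for direction, rip, rport, _lip, _lport, nbytes in flows:
        if direction == "in":
            inbound[rport] += nbytes
            reflectors[rport].add(rip)
        else:
            outbound[rport] += nbytes
    findings = []
    for port, in_bytes in inbound.items():
        out_bytes = outbound.get(port, 0)
        ratio = float("inf") if out_bytes == 0 else in_bytes / out_bytes
        if ratio >= min_ratio:
            findings.append({"port": port, "in_bytes": in_bytes,
                             "out_bytes": out_bytes, "ratio": ratio,
                             "reflectors": sorted(reflectors[port])})
    return sorted(findings, key=lambda f: -f["in_bytes"])

if __name__ == "__main__":
    for f in reflection_suspects(SAMPLE_FLOWS):
        print(f"port {f['port']}: {f['in_bytes']} B in, {f['out_bytes']} B out "
              f"from {len(f['reflectors'])} reflector(s)")
```

On real flow exports the same ratio should be computed per time window, since a single large but legitimate transfer can exceed the threshold if the whole day is aggregated.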
The best way to guard against DDoS attacks is to remain vigilant and proactively identify vulnerabilities and weaknesses in your system before the attackers do.
For an enterprise, this may mean compiling rules and guidelines on which online applications are approved for use, and implementing proactive monitoring at an application level to detect abnormalities as early as possible. However, this is just the first layer of total protection – an effective defence requires in-depth, tailored implementation, not a one-size-fits-all mitigation solution.
For example, with multi-vector attacks, all avenues of attack must be detected and mitigated. Sophisticated attackers like the Lizard Squad may be using a mixture of DDoS and hacking – no off-the-shelf product is likely to deal with such an approach effectively.
The best practice for businesses is to seek the guidance of a security specialist who can design and customise a solution specific to your business. It’s all well and good telling companies to scan their networks for weaknesses, but as noted earlier, the goal-posts in the security industry are changing all the time.
What looked like a watertight system yesterday may suddenly have several potential vulnerabilities in it today. So, essentially, finding sophisticated ways of monitoring your network on an ongoing basis, which is exactly what DDoS attackers are doing, is a must for enterprises.
A specialist security firm can also advise on what types of vulnerability you should be looking for. Don’t expect to find gaping holes in your network. Sophisticated attackers can place a proverbial stick of dynamite into the tiniest gap in your security environment; if it blows up, you may have a full-scale network outage or infiltration on your hands.
Therefore, enterprises must take a proactive approach towards security policy. Investing huge amounts of resource and capital into protecting your network after a hack or outage has taken place is analogous to buying home insurance after your house has burnt down.
The damage has already been done – both in terms of loss to assets, an inflated credit rating and reputational damage.
By seeking expert advice and making a considered, strategic investment in cyber security before it’s too late, enterprises can ensure they do not face operational meltdown, negative publicity and a potential breakdown in trust with key stakeholders.
Terrence Gareau, chief scientist at Nexusguard.