2012 Considerations Before Buying an Attack Mitigation System

Managing the security of critical information has proven a challenge for businesses and organizations of all sizes. Even companies that invest in the latest security infrastructure and tools soon discover that these technology-based “solutions” are short-lived. From antivirus software to firewalls and intrusion detection and prevention systems, these solutions are, in fact, merely the most effective strategies at the time of implementation. In other words, as soon as businesses build or strengthen a protective barrier, the “bad guys” find another way to get in.

Attackers are constantly changing their tactics and strategies to make their attacks and scams as damaging as possible. The good news is that it appears that attacks and subsequent defenses are breaking down in categories which can be measured systematically. The following areas are of a particular concern as we look towards 2012 planning for attacks:

1. Real-Time Protection against Volumetric Attacks: According to Wikipedia, volumetric attacks are defined as the following, “attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.” 2011 has seen a dramatic rise in the growth of these attack types and even more ominous is the procurement of more capable ‘weapon systems’ or new application-based tools from which attacks can be launched. The following is a list to consider when making certain you are covering your basis in this category:
• TCP SYN floods
• TCP SYN+ACK floods
• TCP FIN floods
• TCP RESET floods
• TCP Fragment floods
• UDP floods
• ICMP floods
• IGMP floods
• Packet Anomalies
• Known DoS tools
2. Application Layer (L7) Availability Protections: Malware is morphing in scale, scope and delivery payloads. It has managed to renew itself as a top concern related to protecting your organization in 2012 and has emerged as an imminent threat to Organizational Availability. In fact, attackers have shifted away from mass distribution of a small number of threats to micro distribution of large families of threats. These new strains of malware consist of millions of distinct threats that mutate as they spread rapidly. In this category, the following is a list of attacks worthy of considering when choosing protection mechanisms for your enterprise:

Real-time protection against:

• Bot-originated and direct application attacks
• HTTP GET page floods
• HTTP POST floods
• Customized / Additional HTTP Method attacks
• HTTP uplink bandwidth consumption attacks
• DNS query floods (A, MX, PTR,…)
• Brute Force Attacks (HTTP, Telnet, POP3, IMAP, etc.,)

Advanced behavioral application monitoring:

• HTTP servers real time statistics and baselines
• DNS server real time statistics and baseline
3. Service Denials & Behavioral Protections: Trusted Web sites are the focus of a large portion of malicious activity. As more and more users go online to take advantage of Web 2.0 applications — like social-networking sites, blogs, and wikis — authors of ‘hacking and cracking’ software are right behind them, opening up yet another front in the constant cat-and-mouse game between security defenses and hackers. These threats will become increasingly important with younger workforces who are proficient with these tools. To thwart these attack types consider very strong protections against these categories of attacks or threats:
• HTTP servers
• Web vulnerability scans
• Bruteforce
• SIP servers (TCP & UDP)
• SIP spoofed floods
• Pre-SPIT activities
• SIP scanning
• SMTP/IMAP/POP3,FTP,etc
• Application Bruteforce
• Application scans
4. IPS & Reputation Services: The continued high volume of Hacktivist attacks underscored the importance of various signature prevention technologies to prevent proper exploitation of an evolving tool landscape. In fact, the heavy reliance on tools as part of Hacktivist attacks have ironically exposed the over-reliance on the perimeter model of deployed security devices without IPS technologies on the VERY edge. Most DDoS Providers do not rely on signatures and frequently fail to uncover newly developed attack tools, and most IPS providers suggest deployments of their tools to deep in the infrastructure for them to be meaningful to stop attacks at the perimeter. The following is a shopping list of things to consideration when procuring IPS & Reputational Management solutions to prevent perimeter attacks:

Signatures Protection against:

• Application Vulnerabilities and exploits
• Web, Mail, DNS, databases, VoIP
• OS Vulnerabilities and exploits
• Microsoft, Apple, Unix based
• Network Infrastructure Vulnerabilities
• Switches, routers and other network elements vulnerabilities
• Malware
• Worms, Bots, Trojans and Drop-points, Spyware
• Anonymizers
• IPv6 attacks
• Protocol Anomalies

Security Operation Center

• Leading vulnerability security research team
• Weekly and emergency signature updates
5. Network scanning and malware propagation Protections: As mentioned above in the Application-focused problem of bots and malware, the very same categorical problem exists at the network layer, however this time it is as equally as important to protect the internal environment as well as the external in real time. The following is a list of network protection considerations:
• Behavioral Real-time protection against Zero-Minute Malware Propagation and network scans:
• UDP spreading worms detection
• TCP spreading worms detection
• High and low rate network scans
• Scanning/spreading pattern identification
• Infected source identification