2017 Considerations before Buying an Attack Mitigation System

Managing the security of critical information has proven a challenge for businesses and organizations of all sizes. Even companies that invest in the latest security infrastructure and tools soon discover that these technology-based “solutions” are short-lived. From antivirus software to firewalls and intrusion detection and prevention systems, these solutions are, in fact, merely the most effective strategies at the time of implementation. In other words, as soon as businesses build or strengthen a protective barrier, the “bad guys” find another way to get in. Attackers are constantly changing their tactics and strategies to make their attacks and scams as damaging as possible.  The good news is that it appears that attacks and subsequent defenses are breaking down in categories which can be measured systematically. The following areas are of a particular concern as we look towards 2017-2018 planning for attacks:

1. Real-Time Protection Against Volumetric Attacks:

According to Wikipedia, volumetric attacks are defined as the following: “involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.” We have seen a dramatic rise in the growth of these attack types, and even more ominous is the procurement of more capable ‘weapon systems’ or new application-based tools from which attacks can be launched. The following is a list to consider when making certain you are covering your bases in this category:

a. TCP SYN floods
b. TCP SYN+ACK floods
c. TCP FIN floods
d. TCP RESET floods
e. TCP Fragment floods
f. TCP STOMP floods
g. Valve Source Specific Floods – Mirai
h. DNS Waterfall Attacks – Mirai
i. GRE IP floods – Mirai
j. GRE Ethernet floods – Mirai
k. UDP Family of floods
l. ICMP Family of floods
m. IGMP Family of floods
n. Packet Anomalies
o. Known DoS tools

2. Application Layer (L7) Availability Protections:

Malware is morphing in scale, scope and delivery payloads. It has managed to renew itself as a top concern related to protecting your organization and has emerged as an imminent threat to Organizational Availability. In fact, attackers have shifted away from mass distribution of a small number of threats to micro distribution of large families of threats. These new strains of malware consist of millions of distinct threats that mutate as they spread rapidly. In this category, the following is a list of attacks worthy of considering when choosing protection mechanisms for your enterprise:

Real-time protection against:
a. Bot-originated and direct application attacks – Non-IoT
b. IoT Bot Attacks
c. HTTP GET page floods
d. HTTP POST floods
e. Customized / Additional HTTP Method attacks
f. HTTP uplink bandwidth consumption attacks
g. DNS query floods (A, MX, PTR…)
h. Brute Force Attacks (HTTP, Telnet, POP3, SSH, IMAP, etc.) – Brickerbot, Mirai & Hajime IoT Attacks

Advanced behavioral application monitoring:
i. HTTP servers real time statistics and baselines
j. DNS server real time statistics and baseline

3. Data-Center Services Behavioral Protections:

Trusted Web sites are the focus of a large portion of malicious activity. As more and more users go online to take advantage of Web 2.0 applications — like social networking sites, blogs, and wikis — authors of ‘hacking and cracking’ software are right behind them, opening up yet another front in the constant cat-and-mouse game between security defenses and hackers. These threats will become increasingly important with younger workforces who are proficient with these tools. To thwart these attack types, consider very strong protections against these categories of attacks or threats:

a. HTTP servers
b. Web vulnerability scans
c. Bruteforce
d. SIP servers (TCP & UDP)
e. SIP spoofed floods
f. Pre-SPIT activities
g. SIP scanning
h. SMTP/IMAP/POP3, FTP, etc.
i. Application Bruteforce
j. Application scans

4. IPS & Reputation Services:

The continued high volume of hacktivist attacks underscores the importance of signature-based prevention technologies for blocking exploitation by an evolving landscape of attack tools. In fact, the heavy reliance on tools in hacktivist attacks has ironically exposed the over-reliance on a perimeter model of deployed security devices that lacks IPS technology at the VERY edge. Most DDoS providers do not rely on signatures and frequently fail to uncover newly developed attack tools, while most IPS providers suggest deploying their tools too deep in the infrastructure to be meaningful for stopping attacks at the perimeter. The following is a shopping list of things to consider when procuring IPS & Reputation Management solutions to prevent perimeter attacks:

Signature protection against:
a. Application vulnerabilities and exploits
b. IoT botnet protections
c. Web, Mail, DNS, databases, VoIP
d. OS vulnerabilities and exploits
e. Microsoft, Apple, Unix-based
f. Network Infrastructure vulnerabilities
g. Switches, routers and other network elements vulnerabilities
h. Malware
i. Worms, bots, Trojans and drop-points, Spyware
j. Anonymizers
k. IPv6 attacks
l. Protocol Anomalies

Security Operations Center:
m. Leading vulnerability security research team
n. Weekly and emergency signature updates

5. Network scanning and malware propagation protections:

As mentioned above for the application-focused problem of bots and malware, the very same categorical problem exists at the network layer; this time, however, it is equally important to protect the internal environment as well as the external one in real time. The following is a list of network protection considerations:

a. Behavioral Real-time protection against Zero-Minute Malware Propagation and network scans:
b. UDP spreading worm detection
c. TCP spreading worm detection
d. High and low rate network scans
e. Scanning/spreading pattern identification
f. Infected source identification
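The behavioral items above (high- and low-rate scan detection, spreading-pattern identification and infected-source identification) can be illustrated with a small detector over flow records. This is an added example, not code from the original post or from any product it describes; the flow records, the window sizes and the fan-out thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, not from the page: (t_seconds, src, dst, dport, proto).
FLOWS = []
for i in range(40):                      # 10.0.0.5: high-rate TCP scan, 40 hosts x 3 ports in 4 s
    for p in (22, 23, 445):
        FLOWS.append((i * 0.1, "10.0.0.5", f"10.0.1.{i + 1}", p, "tcp"))
for i in range(20):                      # 10.0.0.9: low-rate UDP spread, one new host per 90 s on 1900
    FLOWS.append((i * 90.0, "10.0.0.9", f"10.0.2.{i + 1}", 1900, "udp"))
for i in range(50):                      # 10.0.0.7: benign client talking to two servers
    FLOWS.append((i * 30.0, "10.0.0.7", f"10.0.3.{10 + i % 2}", 443, "tcp"))


def detect_scanners(flows, fast=(10.0, 25), slow=(3600.0, 12)):
    """Return {src: finding} for sources whose distinct (dst, port, proto) fan-out
    reaches a threshold inside a short window (high-rate scan) or a long window
    (low-rate scan). When every target shares one port/protocol the finding also
    reports it as a worm-like spreading port; the source itself is the infected host.
    Thresholds are assumed values, not tuned figures."""
    by_src = defaultdict(list)
    for t, src, dst, dport, proto in sorted(flows):
        by_src[src].append((t, dst, dport, proto))
    findings = {}
    for src, recs in by_src.items():
        for (window, threshold), kind in ((fast, "high-rate scan"), (slow, "low-rate scan")):
            start = 0
            for end in range(len(recs)):
                while recs[end][0] - recs[start][0] > window:   # slide the window start forward
                    start += 1
                targets = {r[1:] for r in recs[start:end + 1]}  # distinct (dst, port, proto)
                if len(targets) >= threshold:
                    ports = {(p, pr) for _, p, pr in targets}
                    findings[src] = {
                        "kind": kind,
                        "targets": len(targets),
                        "spreading_port": next(iter(ports)) if len(ports) == 1 else None,
                    }
                    break
            if src in findings:              # report the first (fastest) pattern only
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(FLOWS).items():
        print(src, finding)
```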

6. Encrypted Protections:

As mentioned above for the application-focused problem of bots and malware, these attacks can also be hidden in encrypted variants. The following is a list of encrypted-traffic protection considerations:

a. Ability to handle ALL SSL / TLS algorithms:
i. RSA
ii. Diffie-Hellman (DH) Algorithms
iii. Elliptic Curve (ECC)
b. Network-layer handshake protections and overflow considerations
c. Known SSL / TLS attack tool protections
d. Application-layer SSL flood protections

7. Compliance Certifications:

a. PCI – the gold standard in handling protected user-level financial information
b. GDPR – the new data protection standard for EU citizens worldwide
c. ISO 27001 – the standard for information security
d. ISO 27017 – the gold standard for cloud information security
e. EAL & ICSA Labs – the gold standard for component level security in CPE devices
f. NSS Labs Recommended – the gold standard for performance of vendor claims

8. Enhanced Service and At-Time-of-Need Support:

Cyber-attack protections are complicated and hard, and they often require staff augmentation or cloud fail-over protection. The following is a list of considerations when selecting a Cyber Attack Mitigation Partner:

a. Emergency Response Services – 24/7/365
b. On-Site ERT Services
c. Professional Services – worldwide
d. Depots – worldwide
e. Multi-lingual TAC support, worldwide
f. Cloud DDoS scrubbing centers that can offload peak loads from internal devices
g. Cloud PoPs that can offload application traffic from internal devices

Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.

Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.

2 COMMENTS

  1. Fantastic Article! Thinking if App-DoS protection for AWS & Azure can also be there for point of consideration.
