Software as a service (SaaS) providers have critical requirements for all facets of the information security triad: availability, confidentiality and integrity. Although other industries have the luxury of concentrating only on data confidentiality and integrity, SaaS providers must do this in addition to maintaining their customers’ ability to access their applications.
Safeguarding underlying infrastructure and customer data is becoming increasingly difficult. The ease of access, low cost and increasing sophistication of cyber attack tools are forcing organizations to adapt new detection and mitigation strategies. Let’s take a look at some of the common attack vectors targeting SaaS companies.
A View From the Front Lines
No industry is immune to emerging attack vectors, which are designed to test and challenge defenses. Here are some of the primary attack types that are currently and increasingly targeting SaaS providers:
Burst Attacks and APDoS (Advanced Persistent Denial of Service) Campaigns — Both use short bursts at high volume at random intervals. Attacks may last for weeks and involve multiple vectors aimed at all network layers simultaneously. These type of attacks have a tendency to cause frequent disruptions in network SLAs and can prevent legitimate users from accessing your organization’s services.
IoT Botnets — IoT botnets are one of the top threats targeting organizations given the dramatic increase in the use of IoT devices to create powerful botnets.
SSL/Encrypted Attacks — Attackers use the SSL protocol to mask and further complicate
attack traffic and malware detection in both network and application-level threats. In the same way that SSL and encryption protect the integrity of legitimate communications, they effectively obfuscate many attributes of traffic used to determine if it’s malicious or legitimate.
Layer 7 Application Attacks — Another common attack vector facing SaaS is Layer 7 application attacks, which come in two varieties: application DoS attacks that target resource exhaustion by using HTTP in addition to HTTPS, DNS, SMTP, FTP, VoIP and other application protocols that possess exploitable weaknesses. Much like attacks targeting network resources, attacks targeting application resources come in a variety of flavors, including floods and “low and slow” attacks. These approaches are particularly prominent, mostly targeting weaknesses in the HTTP protocol, which (as the most widely used application protocol on the internet) is an attractive target for attackers. The second category of application attacks looks to exploit vulnerabilities in the application code itself.
Ransom Attacks — Attackers know that downtime or loss of customer data is devastating to a SaaS business. As a result, financially motivated attackers turn to one of their most popular attack tactics, ransom attacks. It usually comes in one of two varieties. The first, Ransomware attacks, use malicious software to take an environment hostage by making critical data or assets unavailable to use unless a payment is made. The second is a ransom denial-of-service (RDoS) attack, where perpetrators send an email threatening to attack an organization — rendering its business, operations or capability unavailable — unless a ransom is paid by the deadline. RDoS attacks are particularly insidious because they don’t require the attacker to actually hack into the target’s network or applications.
DNS Attacks — DNS is a critical infrastructure component of any organization. Although
organizations and service providers take security measurements to protect the DNS infrastructure, attackers are generating more sophisticated attacks. Sophisticated attackers take advantage of the DNS protocol behavior to generate more powerful attacks — including DNS Water Torture and DNS recursive attacks. Mitigating these attacks requires tools that can learn and gain a deep knowledge of the DNS traffic behavior.
Reflection/Amplification Attacks — Reflection and amplification attacks take advantage of the disparity between request and response ratios in certain technical protocols. For instance, the attacker could use a router as an amplifier, taking advantage of the router’s broadcast IP address feature to send messages to multiple IP addresses in which the source IP (return address) is spoofed to the target IP. Another example of an amplification attack is Network Time Protocol (NTP) abuse, which leverages a ratio of request to response as high as 600:1 and then sends requests from the targets spoofed IP address, resulting in an incrementally larger response. At high rates, these responses have generated some of the largest volumetric DDoS attacks seen to date.
Dynamic Content and CDN-based Attacks — SaaS providers often use Content Delivery
Network (CDN) providers to support global site and application performance. CDNs can provide a particularly insidious cover for attacks, as SaaS providers cannot block traffic coming from the CDN’s IP addresses. Malicious actors have made an art form out of spoofing IP addresses to not only obfuscate their identity but also to possibly masquerade as seemingly legitimate users based on geolocation or positive reputational information about the IP addresses that they are able to compromise. Dynamic content attacks further exploit CDN-based protection by overloading origin servers with requests for non-cached content, which the CDN nodes simply pass along.
Proven Protection Strategies
Fortunately, there are several proven strategies for protecting these businesses from today’s known attacks and also from new attacks or attack variants not yet identified.
“Single Pane of Glass” — No matter where applications are hosted – on-premise, private
or public cloud – look for a unified solution that can protect your applications anywhere and
everywhere. Such a solution provides organizations that host their applications in a hybrid
environment, which includes both on-premise and cloud-based applications with unified DDoS protection via a consistent security policy and a single pane of glass.
Hybrid Attack Mitigation — A “hybrid” DDoS solution combines on-premise and cloud-based technologies. There are numerous advantages to hybrid deployments. For DDoS protection, hybrid deployments provide immediate attack detection and mitigation in-line along with the support of cloud-based scrubbing resources in the event of a volumetric attack. For advanced application attacks, single-technology WAF solutions include on-premise WAF and a cloud WAF service to drive coordination and consistency of policy management for applications that are often spread across on-premise and cloud-based data centers.
Integrated DDoS Protection and WAF — Increasingly, cyberattacks are part of advanced, coordinated campaigns that render point mitigation solutions ineffective. SaaS providers need an integrated solution that coordinates detection and mitigation of attacks across commonly combined vectors. Often, DDoS attacks act as a smokescreen or red herring for some other attack activity that goes undetected due to the distraction of a DDoS attack.
SSL Attack Mitigation — The majority of DDoS defenses only provide protection for certain types of attacks, and in many cases struggle with SSL-based attacks. This is especially true for cloud DDoS protection services, which rarely include SSL attack mitigation.
Zero-Day Attack Protection — Today’s attacks can morph within seconds, evading static signature-based protections. Real-time signature creation for automated protection is required to mitigate zero-day DDoS attacks.
Bot Protection — IP-agnostic device fingerprinting for sophisticated web application protection. IP-agnostic source tracking addresses the threats posed by advanced bots, such as web scraping, web application DDoS, Brute Force attacks for password cracking and clickjacking.