It’s Beginning to Look a Lot Like Cyber-Attack Season
The luring presence of large bowls of excess Halloween candy laying around my house can only mean one thing: It’s that time of year when retailers are preparing stores (both physical and virtual) for a crush of holiday shoppers on Black Friday.
As the story goes, the term originates from an incident in the late 19th century in Philadelphia. The retailer Wanamaker’s Department Store decided on a deep discount of calico, the most common fabric used for dressmaking at the time. The throngs of shoppers that showed up for the penny-a-yard fabric sale ended up breaking through the glass windows of the front door, forcing the store to close. The closure no doubt cost Wanamaker’s dozens of dollars.
As we all know, this isn’t a circumstance unique to Wanamaker’s, spikes in demand for calico, or even with physical stores during the holiday shopping rush. The stories of retailers struggling with maintaining web site and application availability during the all-important Black Friday or Cyber Monday shopping blitz have become something of an annual rite. And it’s fair to say that the stakes are much higher than those imparted upon Wanamaker’s in 1890. According to ComScore, last year’s Cyber Monday sales reached over $3 billion dollars, and were nearly $30 billion during the month of November. The Ponemon Institute estimates a minute of downtime costs organizations over $20,000, but if you consider the concentration of sales during this peak shopping period it is fair to estimate its orders of magnitude higher during Cyber Monday.
For instance, in 2014 retailer Best Buy suffered a multi-hour outage on Black Friday, reportedly the result of a spike in traffic generated by mobile devices. Based on the limited information available it’s impossible to say whether this downtime was the result of a wave of legitimate customers or malicious traffic resulting from a cyber security attack.
What we can say with certainty is that the last few weeks have given us all very real and alarming examples about the availability of compromised devices that can launch attacks, bringing some of the largest networks and operators to their knees.
Recent DDoS attacks are proving just how challenging it is to be 100% sure you’re fully protected from today’s attacks. But the advancement of threats such as DDoS shouldn’t be viewed as an excuse to not prepare as much as possible. It’s an unfortunate situation when IT and security professionals reach a point where they conclude that their only defense is to hope they don’t get attacked. As they say, ‘hope is not a strategy.’
The good news is there are some steps you can take to ensure your security operation has factored in the recent evolution of attacks.
[You might also like: Why Online Retailers Should Be On High Alert for Cyber-Attacks]
An obvious but not so easy to accomplish step is having the ability to effectively differentiate between good and bad traffic. I’ll use an analogy here, drawing a parallel between types of traffic and segments of customers. Suppose you have a restaurant that caters to different demographics at different times during the day. During the daytime, your typical customer is the middle-aged, stay-at-home mother or the business person out for a quick lunch. Then in the evenings your customer base turns decidedly younger, the groups of teenagers mulling about town or younger kids with their parents after a little league baseball game. These patterns in customers to your restaurant are your baseline for traffic, the normal behaviors exhibited by your collective customer base.
The same principle applies when talking about using behavioral analysis to detect anomalous network or application traffic (including potential attacks). When a traffic type (say a SYN) becomes an unusual or anomalous percentage of the overall traffic, behavioral engines kick in. If at the same time, the overall rate of SYN traffic increases beyond normal rates, then advanced security solutions will determine it to be an attack and block this unusual behavior.
So back to the restaurant analogy. If during the middle of the day you saw an unusual percentage of customers in the younger demographic, you’d likely take notice. If the volume of these customers became very large, potentially to the point of exhausting necessary resources (say, mac-and-cheese for the youngsters) then you’d likely take a mitigating action.
Unfortunately, not all types of attacks against applications or websites are detectable in this manner. DDoS attacks are, but more advanced attacks that don’t throw off traffic patterns but do include malicious scripts attempting to exploit vulnerabilities in application code require a different type of protection. Many of these types of attacks are documented by the Open Web Application Security Project (OWASP) and are generally the domain of Web Application Firewalls (WAF) for protection. WAFs, like any security technology, vary in capabilities and approach, and of late we’ve found many attacks exploiting the reliance some put on the IP address as the means of attack source identification. Fortunately, advanced WAFs are using device fingerprints, a rapidly growing technology that employs various tools and methodologies to gather IP-agnostic information about the source, including running a JavaScript on the client side. The device fingerprint uniquely identifies a web tool entity by combining sometimes dozens of attributes of a user’s device to identify and then track their activities, generating a behavioral and reputational profile of the user. Identification of their behavior as anomalous, potentially malicious can be tracked over time to define a degree of risk to the device.
Why is all of this so important now? When you consider the high percentage of bot-generated traffic (over 50% by most estimated), it is clear that organizations need more advancements in botnet (malicious or otherwise) identification. Most of the major security threats such as application DDoS, brute force, SQL injection are executed at least in part through botnets. Add to that the unnecessary and unproductive burden these botnets put onto transactional processing capacity and a very rich ROI can be defined for more successful and precise bot detection and blocking.
