main

Attack Types & Vectors

Ransomware: To Pay or Not To Pay?

August 22, 2019 — by Radware0

ransomwarepayorno-960x661.jpg

Ransomware is a type of malware that restricts access to user data by encrypting an infected computer’s files in exchange for payment to decrypt. The attacker often distributes a large-scale phishing campaign in the hope that someone will open the malicious attachment or link. Once infected, the device is unusable and the victim is faced with the decision of whether or not to pay the extortionist to recover the decryption key.

Only in certain cases have keys been recovered. Over the years, Radware researchers have also followed the ransomware-as-a-service (RaaS) industry, which offers novice users the ability to launch their own campaigns for an established price or percentage of the profit. Ransomware has existed for over two decades but has only recently gained popularity among for-profit criminals. This trend has tapered off because ransomware campaigns generate a great deal of attention, notifying potential victims and thereby discouraging them from paying. Campaigns that attract less attention are typically more profitable.

Ransomware campaigns follow a standard pattern of increased activity in the beginning before settling down. Ransomware, once incredibly popular, has fallen out of favor with attackers, who now prefer cryptojacking campaigns. Because of the amount of attention that ransomware campaigns generate, most groups target a wide range of industries, including manufacturing, retail and shipping, in the hope of finding some success.

[You may also like: The Origin of Ransomware and Its Impact on Businesses]

If you think that your organization could be a target of a ransomware campaign, shoring up your network is critical. Ransomware can be delivered in various ways, most commonly via spam/phishing emails containing a malicious document. Other forms of infection include exploit kits, Trojans and the use of exploits to gain unauthorized access to an infected device.

Learn more:

Download Radware’s “Hackers Almanac” to learn more.

Download Now

DDoS

How to Choose a Cloud DDoS Scrubbing Service

August 21, 2019 — by Eyal Arazi0

ddoscloud-960x720.jpg

Buying a cloud-based security solution is more than just buying a technology. Whereas when you buy a physical product, you care mostly about its immediate features and capabilities, a cloud-based service is more than just lines on a spec sheet; rather, it is a combination of multiple elements, all of which must work in tandem, in order to guarantee performance.

Cloud Service = Technology + Network + Support

There are three primary elements that determine the quality of a cloud security service: technology, network, and support.

Technology is crucial for the underlying security and protection capabilities. The network is required for a solid foundation on which the technology runs on, and the operation & support component is required to bring them together and keep them working.

[You may also like: Security Considerations for Cloud Hosted Services]

Take any one out, and the other two legs won’t be enough for the service to stand on.

This is particularly true when looking for a cloud-based DDoS scrubbing solution. Distributed Denial of Service (DDoS) attacks have distinct features that make them different than other types of cyber-attacks. Therefore, there are specific requirements for cloud-based DDoS protection service that cover the full gamut of technology, network, and support that are particular to DDoS protection.

Technology

As I explained earlier, technology is just one facet of what makes-up a cloud security service. However, it is the building block on which everything else is built.

The quality of the underlying technology is the most important factor in determining the quality of protection. It is the technology that determines how quickly an attack will be detected; it is the quality of the technology that determines whether it can tell the difference between a traffic spike in legitimate traffic, and a DDoS attack; and it is the technology that determines whether it can adapt to attack patterns in time to keep your application online or not.

[You may also like: Why You Still Need That DDoS Appliance]

In order to make sure that your protection is up to speed, there are a few key core features you want to make sure that your cloud service provides:

  • Behavioral detection: It is often difficult to tell the difference between a legitimate traffic in customer traffic – say, during peak shopping periods – and a surge caused by a DDoS attack. Rate-based detection won’t be able to tell the difference, resulting in false positives. Therefore, behavioral detection, which looks not just at traffic rates, but also at non-rate behavioral parameters is a must-have capability.
  • Automatic signature creation: Attackers are relying more and more on multi-vector and ‘hit-and-run’ burst attacks, which frequently switch between different attack methods. Any defense mechanism based on manual configurations will fail because it won’t be able to keep up with changed. Only defenses which provide automatic, real-time signature creation can keep up with such attacks, in order to tailor defenses to the specific characteristics of the attack.
  • SSL DDoS protection: As more and more internet traffic becomes encrypted – over 85% according to the latest estimates – protection against encrypted DDoS floods becomes ever more important. Attackers can leverage DDoS attacks in order to launch potent DDoS attacks which can quickly overwhelm server resources. Therefore, protection capabilities against SSL-based DDoS attacks is key.
  • Application-layer protection: As more and more services migrate online, application-layer (L7) DDoS attacks are increasingly used in order to take them down. Many traditional DDoS mitigation services look only at network-layer (L3/4) protocols, but up-to-date protection must including application-layer protection, as well.
  • Zero-day protection: Finally, attackers are constantly finding new ways of bypassing traditional security mechanisms and hitting organizations with attack methods never seen before. Even by making small changes to attack signatures hackers can craft attacks that are not recognized by manual signatures. That’s why including zero-day protection features, which can adapt to new attack types, is an absolute must-have.

[You may also like: Modern Analytics and End-to-End Visibility]

Network

The next building block is the network. Whereas the technology stops the attack itself, it is the network that scales-out the service and deploys it on a global scale. Here, too, there are specific requirements that are uniquely important in the case of DDoS scrubbing networks:

  • Massive capacity: When it comes to protection against volumetric DDoS attacks, size matters. DDoS attack volumes have been steadily increasing over the past decade, with each year reaching new peaks. That is why having large-scale, massive capacity at your disposal in an absolute requirement to stop attacks.
  • Dedicated capacity: It’s not enough, however, to just have a lot of capacity. It is also crucial that this capacity be dedicated to DDoS scrubbing. Many security providers rely on their CDN capacity, which is already being widely utilized, for DDoS mitigation, as well. Therefore, it is much more prudent to focus on networks whose capacity is dedicated to DDoS scrubbing and segregated from other services such as CDN, WAF, or load-balancing.
  • Global footprint: Fast response and low latency are crucial components in service performance. A critical component in latency, however, is distance between the customer and the host. Therefore, in order to minimize latency, it is important for the scrubbing center to be as close as possible to the customer, which can only be achieve with a globally distributed network with a large footprint.

Support

The final piece of the ‘puzzle’ of providing a high-quality cloud security network is the human element; that is, maintenance, operation and support.

Beyond the cold figures of technical specifications, and the bits-and-bytes of network capacity, it is the service element that ties together the technology and network, and makes sure that they keep working in tandem.

[You may also like: 5 Key Considerations in Choosing a DDoS Mitigation Network]

Here, too, there are a few key elements to look at when considering a cloud security network:

  • Global Team: Maintaining global operations of a cloud security service requires a team large enough to ensure 24x7x365 operations. Moreover, sophisticated security teams use a ‘follow-the-sun’ model, with team member distributed strategically around the world, to make sure that experts are always available, regardless of time or location. Only teams that reach a certain size – and companies that reach a certain scale – can guarantee this.
  • Team Expertise: Apart from sheer numbers of team member, it is also their expertise that matter. Cyber security is a discipline, and DDoS protection, in particular, is a specialization. Only a team with a distinguished, long track record in  protecting specifically against DDoS attacks can ensure that you have the staff, skills, and experience required to be fully protected.
  • SLA: The final qualification are the service guarantees provided by your cloud security vendor. Many service providers make extensive guarantees, but fall woefully short when it comes to backing them up. The Service Level Agreement (SLA) is your guarantee that your service provider is willing to put their money where their mouth is. A high-quality SLA must provide individual measurable metrics for attack detection, diversion (if required), alerting, mitigation, and uptime. Falling short of those should call into question your vendors ability to deliver on their promises.

A high-quality cloud security service is more than the sum of its parts. It is the technology, network, and service all working in tandem – and hitting on all cylinders – in order to provide superior protection. Falling short on any one element can potentially jeopardize quality of the protection delivered to customers. Use the points outlined above to ask yourself whether your cloud security vendor has all the right pieces to provide quality protection, and if they don’t – perhaps it is time for you to consider alternatives.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

Botnets

How Hard Is It to Build a Botnet?

August 13, 2019 — by David Hobbs0

botnet-960x540.jpg

While working on Radware’s Ultimate Guide to Bot Management, I began wondering what would it take to build a botnet.

Would I have to dive into the Darknet and find criminal hackers and marketplaces to obtain the tools to make one? How much effort would it take to build a complicated system that would avoid detection and mitigation, and what level of expertise is required to make a scraping/credential stuffing and website abuse botnet?

At Your Fingertips

What I discovered was amazing. I didn’t even need to dive into the Darknet; everything anyone would need was readily available on the public internet. 

[You may also like: What You Need to Know About Botnets]

My learning didn’t end there. During this exploration, I noticed that many organizations use botnets in one form or another against their competitors or to gain a competitive advantage. Of course, I knew hackers leverage botnets for profit; but the availability of botnet building tools makes it easy for anyone to construct botnets that can access web interfaces and APIs while disguising their location and user agents. 

The use cases being advertised from these toolsets range from data harvesting, to account creation and account takeover, to inventory manipulation capabilities, advertising fraud and a variety of ways to monetize and automate integrations into well known systems for IT.  

[You may also like: 5 Things to Consider When Choosing a Bot Management Solution]

Mobile Phone Farms

These tools designers and services clearly know there is a market for cyber criminality, and some are shameless about promoting it.

For example, per a recent Vice article examining mobile phone farms, companies are incentivizing traffic to their apps and content by paying users. Indeed, it appears that people can make anywhere from $100-300 a month per mobile phone on apps like perk TV, Fusion TV, MyPoints or even categorizing shows for Netflix. They merely have to take surveys, watch television shows, categorize content or check into establishments.

[You may also like: Botnets: DDoS and Beyond]

More specifically, people are building mobile phone farms with cheap android devices and used phones, and scale up their operations to a point where they can make a couple of thousands of dollars (or more!) per month. These farms can be rented out to conduct more nefarious activities, like price scraping, data harvesting, ticket purchasing, account takeover, fake article writing and social media development, hacking, launching launching DDoS attacks and more.  To complicate matters, thanks to proxy servers and VPN tools, it has become nearly impossible to detect if a phone farm is being used against a site.  

What’s Next?

It’s not a far leap to assume that incentivized engagement may very well invite people to build botnets. How long until somebody develops an app to “rent your phone’s spare cycles” to scrape data, or watch content, write reviews, etc. (in other words, things that aren’t completely against the law) for money? Would people sign up to make extra beer money in exchange for allowing botnet operators to click on ads and look at websites for data harvesting?

I think it’s just a matter of time before this idea takes flight. Are you prepared today to protect against the sophisticated botnets? Do you have a dedicated bot management solution? When the botnets evolve into the next generation, will you be ready?

Read “The Ultimate Guide to Bot Management” to learn more.

Download Now

Attack Types & Vectors

What You Need to Know About Exploit Kits

July 24, 2019 — by Radware0

exploitkits-960x540.jpg

Exploit kits are prepackaged tool kits containing specific exploitsand payloads used to drop malicious payloads onto a victim’s machine. Once a popular avenue for attacks, they are now barely used due to the popularity of other attack vectors, such as cryptomining. However, they are still utilized to deploy ransomware and mining malware.

These tools can target nearly everyone. Organizations should consider themselves a daily target for possible exploit kits designed to deliver malicious payloads onto their network.

[You may also like: Here’s How You Can Better Mitigate a Cyberattack]

To prevent this, update network devices and ensure that all employee devices are also updated. Often times, these attacks are browser based and exploit vulnerabilities once an employee visits the malicious landing page.

Training and preparation start with user education. Humans are the weakest link, and authors of exploit kits target the masses in the hope that someone will fall for their landing pages.

Watch our video with security researcher Daniel Smith to learn more:



Download “Hackers Almanac” to learn more.

Download Now

DDoS Attacks

The Normalization of DDoS Attacks

July 18, 2019 — by Daniel Smith1

SystemFailure-960x672.jpg

In June, I traveled to Israel to attend BsidesTLV and Cyber Week. Both of these events included incredible presentations, workshops, and networking opportunities. They also provided many unique opportunities to discuss research, privacy, and policy on many different levels with industry leaders and government officials from around the world.

Some of my preferred events during Cyber Week included Exploring The Grey Zone of Cyber Defense, Cyber Attacks Against Nations, and Academic Perspective’s on Cybersecurity Challenges.

One of the expert lectures during the Academic Perspective’s event struck a chord with me. The speech was titled, ‘Normalization as an Approach to Norms,’ and was presented by Prof. Martin Libicki, Professor at the U.S. Naval Academy.

At a high level, the talk was about the use of normalization as an approach to determining what cyber behaviors, carried out by governments, could be considered social norms in the cyber domain and who gets to set this gold standard. (If you would like to watch it for yourself, it can be found here on YouTube).

The part that resonated with me is when Prof. Libicki started talking about who might set the gold standard and what is considered normal cyber behaviors from different countries. For example, North Korea is known for robbing banks, and Russia is known for election interference and targeting the energy sector. Are these activities we want to accept as normal behavior? Of course not.

[You may also like: Protecting Enterprises From State-Sponsored Hackers]

What about China’s behaviors that include launching DDoS attacks on dissidents? Are we, the security industry, the gold standard, comfortable with allowing others to use denial of service attacks as a way to silence others?

This lecture was focused on nation-state attacks and real cyber warfare, but it left me connecting dots and wondering, hasn’t the security industry already accepted denial of service attacks as normalized behavior?

Are Denial of Service Attacks a Social Norm?

In my opinion, yes, denial of service attacks and assisting the behaviors are now accepted and expected on all levels. But why has this happened? Why have denial of service attacks become tolerated? The sad truth is we, the security and tech industry, allowed this to happen by accepting specific actions within the community and not speaking up about others.

[You may also like: Are Darknet Take-Downs Effective?]

One of the main reasons why denial of service attacks became a social norm is because of their popularity, and the attention paid to them earlier in the decade among hacktivist and gamers. With this came the availability for anyone to freely access source codes, tools, and resources need to conduct an attack of their own.

In general, no one prevents the availability of the source code and tools from being publicly accessible. In fact, criminals AND researchers do their fair share in propagating these tools and scripts used to launch denial of service attacks by hosting them on code repository sites.

Another reason why denial of service attacks became a social norm is that legitimate companies like hosting providers and social media outlets allowed the activity for one reason or another. For example, social media platforms enable criminals to not only post operational details but also to advertise their malicious services publicly. At the same time, the hosting providers turn a blind eye for profit and allow criminals to host and mask their infrastructure with their services.  

[You may also like: Here’s How You Can Better Mitigate a Cyberattack]

Also, at this point, you could almost say manufactures and some ISPs are co-conspirators. Manufacturers are building and shipping vulnerable IoT devices with no intention of patching or providing software updates for known exploits thus contributing to the number of possible devices that could be leveraged by a botherder for a denial of service attack. You also have ISPs that know they are significant offenders and the main source of the malicious traffic, yet do very little to mitigate the activity, let alone respond to abuse reports.

So, are we comfortable allowing others to use denial of service attacks as a way to silence people? From my perspective, it seems like we do a lot to support the activity.

Acceptance is a Slippery Slope

To be clear, in no way am I saying that a denial of service attack is nothing to worry about now that they have become a norm. But I believe most of us have grown to accept denial of service attacks, specifically temporary network outages, as a regular occurrence or have written it off as the cost of doing business in the digital era, which has led to this path of acceptance and normalization.

At any rate, if China’s use of denial of service attacks against foreign platforms used by Chinese dissidents is acceptable, or something we allow to happen without any action, then the average denial of service attack against your corporate network is considered normal behavior as well.

[You may also like: DDoS Protection Requires Looking Both Ways]

Under this current environment of acceptance, it becomes harder to look at the average botherder and say their behavior is not normal or acceptable, while simultaneously taking a passive approach on nation-states that use the same attack vector. 

If we want to reduce the number of denial of service attacks by non-government actors, then we have to lead by example as the gold standard. We have to make sure people know that nation-states use of denial of service attack is unacceptable. We also have to do more to prevent malicious actors from gaining access to the tools used to launch these attacks.

Hosting attack services and code should not be acceptable behavior from the security community.

How Much More Will We Tolerate?

This is a question I don’t have an answer for. At the moment, we tolerate a lot. At this rate, almost every teenager, at some point, will be involved in or know someone who is engaged in launching a DDoS attack. And while some will write it off as child’s play to just knock their friend offline, we all know they likely got the code from one of our public repositories or used different services that some of us manage to mask their origin.

Remember, we as the security industry set the golden standard, and when we tolerate specific behavior for long enough, it becomes socially acceptable.

Security

Protecting Enterprises From State-Sponsored Hackers

July 11, 2019 — by Mike O'Malley0

securitylock-960x556.jpg

There seems to be a continuous drip, drip, drip of cyber breaches on a daily basis. For example, last month 12 million patients may have had information exposed in a data breach from Quest Diagnostics, the world’s largest blood-testing company.

The only thing we know for sure is that tomorrow some other enterprise will be next. However, what’s new is the rising threat of state-sponsored cyber attacks on enterprises. Per the White House, cyber attacks cost the US economy between $50 million and $100 million in 2016 — the last year quantified. It’s likely significantly more today.

States Are Leading Players in the Cyber Game

Enterprises need to understand that 22 countries around the world are currently suspected of state-sponsored programs for governmental cyber attacks. And lest you believe that these are all focused on stealing nuclear codes, half of all targets for these attacks are private enterprises, NOT governmental agencies.

World governments are actively investing in building and operating cyber espionage teams to both protect their national interests as well as collect IP for their domestic industries. With this information, they are acquiring expertise, malicious botnets and cyber attack tools to further advance their craft.

[You may also like: Here’s Why Foreign Intelligence Agencies Want Your Data]

Enterprises in developed nations around the world need to understand the high stakes and the need for increased protection. If a company competes based on its Intellectual property in a global marketplace, then it may be a mark for government cyber attacks.

Some nations are more direct about the domestic industries they are interested in building and are tipping their hands as to what intellectual property they are interested in acquiring from specific industries. China for example, has a position paper, “Made in China 2025“, which lays out specific industries in which it has a strategic interest in building domestic expertise.

The plan lays out a very aggressive goal of producing 70% of the content in the following industries with Chinese enterprises: IT, robotics, green energy and EVs, aerospace, ocean engineering, railroads, power, materials, medicine and med tech and agriculture engineering. These plans require domestic industries in developing countries to acquire massive amounts of new intellectual property in order to meet this 70% local content threshold.

Enterprises Don’t Have the Expertise to Fight Government Agents

In this environment, where 20-plus countries are aggressively building cyber attack organizations and pouring millions of dollars into ever more sophisticated attack technology, who is the best, most expert person to protect these businesses?

[You may also like: Here’s How You Can Better Mitigate a Cyberattack]

Before we answer that, let’s understand the current cyber employment context. Per an international security non-profit (ISC2), there were three million unfilled cybersecurity jobs globally in 2018. There continues to be a global STEM shortage. Job boards are bursting with open positions for IT security specialists.

Given the cybersecurity work shortage, it is neither advisable or practical for every Fortune 1000 business to try to match the security defense capabilities of nationally funded cyber attackers. Enterprises cannot spend enough money individually to have the state of the art automated defenses or hire enough security engineers to fight cyber attacks in real time.

We cannot and should not expect the Fortune 1000 to replicate the people and investment of nationally funded cyber groups to protect their most important intellectual property.

[You may also like: How Cyberattacks Directly Impact Your Brand]

In fact, we are seeing tremendous new innovations like the UK government initiative, Cyber Skills Immediate Impact Fund that promotes neurodiversity to help close the security skills gap. This is a tremendous new initiative that taps into groups like people on the autism spectrum for their puzzle-solving prowess to improve cybersecurity through their different and valuable coding abilities. However, initiatives like this alone will take years to provide the additional security engineering talent needed today.

Service and Cloud Providers Could Be the Expert Defenders

Cloud and service providers are another story. Many of them already have Security Operations Centers (SOC)s manned 24×7 to protect themselves and their customers. Many have real-time defenses and have implemented SDN control planes with automated policy. These systems identify an attack in one part of the network and mitigate the attack, while simultaneously updating all other endpoints with the attack characteristics. They are already staffed with top security engineering talent.

[You may also like: Don’t Be A “Dumb” Carrier]

Managed security solutions for virtually all enterprises need to ultimately be the answer. Cloud and service provider SOCs are the only private organization capable of protecting businesses and their most valuable intellectual property. Enterprises can never invest enough individually to have the latest tools and talent to fight the most complex real-time cyber attacks. However, the cloud and service providers have the scale to invest at the necessary level to protect from the most nefarious state-sponsored actor.

We need to fight fire with fire and recognize the Heads of Tier 1 SOCs are the ones who should be protecting the intellectual property of enterprises worldwide. Not 1,000 different IT managers individually.

[You may also like: Hacking Democracy: Vulnerable Voting Infrastructure and the Future of Election Security]

Service Providers Need to Stay Vigilant

As telco companies are racing to deliver 5G services, security has, in some cases, taken a back seat to speed. The most recent attack on telcos by the Chinese government is only the beginning. While it wasn’t especially intricate, nation state cybercriminals are proving that they are able to exploit the growing vulnerabilities that telcos leave behind as they race to 5G. As we approach the 2020 election, we will see a heightened focus as nation states leverage every vulnerability to their advantage. Telcos must be prepared, or the damage could be astronomical.

A version of this post was originally published on Light Reading.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Security

Executives’ Changing Views on Cybersecurity

July 9, 2019 — by Radware0

cs8-960x540.jpg

What does the shift in how cybersecurity is viewed by senior executives within organizations mean? To find out, Radware surveyed more than 260 executives worldwide and discovered that cybersecurity has moved well beyond the domain of the IT department and is now the direct responsibility of senior executives.

Security as a Business Driver

The protection of public and private cloud networks and digital assets is a business driver that needs to be researched and evaluated just like other crucial issues that affect the health of organizations.

Just because the topic is being elevated to the boardroom doesn’t necessarily mean that progress is being made. Executive preference for cybersecurity management skewed toward internal management (45%), especially in the AMER region (55%), slightly higher than in 2018. Yet the number of respondents who said that hackers can penetrate their networks remained static at 67% from last year’s C-suite perspectives report.

[You may also like: Executives Are Turning Infosec into a Competitive Advantage]

As in the past two years’ surveys, two in five executives reported relying on their security vendors to stay current and keep their security products up to date. Similar percentages also reported daily research or subscriptions to third-party research centers.

At the same time, the estimated cost of an attack jumped 53% from 3 million USD/EUR/GBP in 2018 to 4.6 million USD/EUR/GBP in 2019.

Staying Current on Attack Vectors

Looking Forward

The respondents ranked improvement of information security (54%) and business efficiency (38%) as the top two business transformation goals of integrating new technologies. In last year’s survey, the same two goals earned the top two spots, but the emphasis on information security increased quite a bit this year from 38% in 2018 (business efficiency held steady from 37% in 2018).

Although the intent to enhance cybersecurity increases, actions do not necessarily follow. Often the work to deploy new technologies to streamline processes, lower operating costs, offer more customer touch points and be able to react with more agility to market changes proceeds faster than the implementation of security measures.

Every new touchpoint added to networks, both public and private, exponentially increases organizations’ exposure and vulnerabilities to cyberattacks. If organizations are truly going to benefit from advances in technology, that will require the right level of budgetary investment.

The true costs of cyberattacks and data breaches are only known if they are successful. Senior executives who spend the time now to figure out what cybersecurity infrastructure makes sense for their organizations reduce the risk of incurring those costs. The investment can also be leveraged to build market advantage if organizations let their customers and suppliers know that cybersecurity is part of their culture of doing business. Prevention, not remediation, should be the focus.

[You may also like: How Cyberattacks Directly Impact Your Brand]

Securing digital assets can no longer be delegated solely to the IT department. Rather, security planning needs to be infused into new product and service offerings, security, development plans and new business initiatives. The C-suite must lead the way.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

DDoSSecurity

Why Hybrid Always-On Protection Is Your Best Bet

June 19, 2019 — by Eyal Arazi0

hybridalwayson-960x640.jpg

Users today want more. The ubiquity and convenience of online competition means that customers want everything better, faster, and cheaper. One key component of the user experience is service availability. Customers expect applications and online services to be constantly available and responsive.

The problem, however, is that a new generation of larger and more sophisticated Distributed Denial of Service (DDoS) attacks is making DDoS protection a more challenging task than ever before. Massive IoT botnets are resulting in ever-larger volumetric DDoS attacks, while more sophisticated application-layer attacks find new ways of exhausting server resources. Above all, the ongoing shift to encrypted traffic is creating a new challenge with potent SSL DDoS floods.

Traditional DDoS defense – either premise-based or cloud-based – provide incomplete solutions which require inherent trade-offs between high-capacity volumetric protection, protection against sophisticated application-layer DDoS attacks, and handling of SSL certificates. The solution, therefore, is adopting a new hybrid DDoS protection model which combines premise-based appliances, together with an always-on cloud service.

Full Protection Requires Looking Both Ways

As DDoS attacks become more complex, organizations require more elaborate protections to mitigate such attacks. However, in order to guarantee complete protection, many types of attacks – particularly the more sophisticated ones – require visibility into both inbound and outbound channels.

[You may also like: DDoS Protection Requires Looking Both Ways]

Attacks such as large-file DDoS attacks, ACK floods, scanning attacks, and others exploit the outbound communication channel for attacks that cannot be identified just by looking at ingress traffic. Such attacks are executed by sending small numbers of inbound requests, which have an asymmetric and disproportionate impact either on the outbound channel, or computing resources inside the network.

SSL is Creating New Challenges

On top of that, SSL/TLS traffic encryption is adding another layer of complexity. Within a short time, the majority of internet traffic has become encrypted. Traffic encryption helps secure customer data, and users now expect security to be part of the service experience. According to the Mozilla Foundation’s Let’s Encrypt project, nearly 80% of worldwide internet traffic is already encrypted, and the rate is constantly growing.

[You may also like: HTTPS: The Myth of Secure Encrypted Traffic Exposed]

Ironically, while SSL/TLS is critical for securing user data, it also creates significant management challenges, and exposes services to a new generation of powerful DDoS attacks:

  • Increased Potency of DDoS Attacks: SSL/TLS connections requiring up to 15 times more resources from the target servers than the requesting host. This means that hackers can launch devastating attacks using only a small number of connections, and quickly overwhelm server resources using SSL floods.
  • Masking of Data Payload: Moreover, encryption masks – by definition – the internal contents of traffic requests, preventing deep inspection of packets against malicious traffic. This limits the effectiveness of anti-DDoS defense layers, and the types of attacks they can detect. This is particularly true for application-layer (L7) DDoS attacks which hide under the coverage of SSL encryption.
  • SSL Key Exposure: Many organizational, national, or industry regulations which forbid SSL keys from being shared with third-party entities. This creates a unique challenge to organizations who must provide the most secured user experience while also protecting their SSL keys from exposure.
  • Latency and Privacy Concerns: Offloading of SSL traffic in the cloud is usually a complex and time-consuming task. Most cloud-based SSL DDoS solutions require full decryption of customer traffic by the cloud provider, thereby compromising user privacy and adding latency to customer communications.

Existing Solutions Provide Partial Coverage

The problem, however, is that existing anti-DDoS defenses are unable to provide solutions that provide high-capacity volumetric protection while providing bi-directional protection required by sophisticated types of attacks.

On-Premise Appliances provide high level of protection against a wide variety of DDoS attacks, while providing very low latency and fast response. In addition, being on-premise, they allow companies to deal with SSL-based attacks without exposing their encryption keys to the outside world. Since they have visibility into both inbound and outbound traffic, they offer bi-directional protection against symmetric DDoS attacks. However, physical appliance can’t deal with large-scale volumetric attacks which have become commonplace in the era of massive IoT botnets.

[You may also like: How to (Securely) Share Certificates with Your Cloud Security Provider]

Cloud-based DDoS protection services, on the other hand, possess the bandwidth to deal with large-scale volumetric attacks. However, they offer visibility only into the inbound communication channel. Thus, they have a hard time protecting against bi-directional DDoS attacks. Moreover, cloud-based SSL DDoS defenses – if the vendor has those at all – frequently require that the organization upload their SSL certificates online, increasing the risk of those keys being exposed.

The Optimal Solution: Hybrid Always-On Approach

For companies that place a high premium on the user experience, and wish to avoid even the slightest possible downtime as a result of DDoS attacks, the optimal solution is to deploy an always-on hybrid solution.

The hybrid approach to DDoS protection combines an on-premise hardware appliance with always-on cloud-based scrubbing capacity. This helps ensure that services are protected against any type of attack.

[You may also like: Application Delivery Use Cases for Cloud and On-Premise Applications]

Hybrid Always-On DDoS Protection

Compared to the pure-cloud always-on deployment model, the hybrid always-on approach adds multi-layered protection against symmetric DDoS attacks which saturate the outbound pipe, and allows for maintaining SSL certificates on-premise.

Benefits of the Hybrid Always-On Model

  • Multi-Layered DDoS Protection: The combination of a premise-based hardware mitigation device coupled with cloud-based scrubbing capacity offers multi-layered protection at different levels. If an attack somehow gets through the cloud protection layer, it will be stopped by the on-premise appliance.
  • Constant, Uninterrupted Volumetric Protection: Since all traffic passes through a cloud-based scrubbing center at all times, the cloud-based service provides uninterrupted, ongoing protection against high-capacity volumetric DDoS attack.
  • Bi-Directional DDoS Protection: While cloud-based DDoS protection services inspect only the inbound traffic channel, the addition of a premise-based appliance allows organizations to inspect the outbound channel, as well, thereby protecting themselves against two-way DDoS attacks which can saturate the outbound pipe, or otherwise require visibility to return traffic in order to identify attack patterns.
  • Reduced SSL Key Exposure: Many national or industry regulations require that encryption keys not be shared with anyone else. The inclusion of a premise-based hardware appliance allows organizations to protect themselves against encrypted DDoS attacks while keeping their SSL keys in-house.
  • Decreased Latency for Encrypted Traffic: SSL offloading in the cloud is frequently a complex and time-consuming affair, which adds much latency to user communications. Since inspection of SSL traffic in the hybrid always-on model is done primarily by the on-premise hardware appliance, users enjoy faster response times and lower latency.

[You may also like: Does Size Matter? Capacity Considerations When Selecting a DDoS Mitigation Service]

Guaranteeing service availability while simultaneously ensuring the quality of the customer experience is a multi-faceted and complex proposition. Organizations are challenged by growth in the size of DDoS attacks, the increase in sophistication of application-layer DDoS attacks, and the challenges brought about by the shift to SSL encryption.

Deploying a hybrid always-on solution allows for both inbound and outbound visibility into traffic, enhanced protections for application-layer and encrypted traffic, and allows for SSL keys to be kept in-house, without exposing them to the outside.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack MitigationDDoSSecurity

DDoS Protection Requires Looking Both Ways

March 26, 2019 — by Eyal Arazi0

ddos-960x540.jpg

Service availability is a key component of the user experience. Customers expect services to be constantly available and fast-responding, and any downtime can result in disappointed users, abandoned shopping carts, and lost customers.

Consequently, DDoS attacks are increasing in complexity, size and duration. Radware’s 2018 Global Application and Network Security Report found that over the course of a year, sophisticated DDoS attacks, such as burst attacks, increased by 15%, HTTPS floods grew by 20%, and over 64% of customers were hit by application-layer (L7) DDoS attacks.

Some Attacks are a Two-Way Street

As DDoS attacks become more complex, organizations require more elaborate protections to mitigate such attacks. However, in order to guarantee complete protection, many types of attacks – particularly the more sophisticated ones – require visibility into both inbound and outbound channels.

Some examples of such attacks include:

Out of State Protocol Attacks: Some DDoS attacks exploit weaknesses in protocol communication processes, such as TCP’s three-way handshake sequence, to create ‘out-of-state’ connection requests, thereby drawing-out connection requests in order to exhaust server resources. While some attacks of this type, such as a SYN flood, can be stopped by examining the inbound channel only, others require visibility into the outbound channel, as well.

An example of this is an ACK flood, whereby attackers continuously send forged TCP ACK packets towards the victim host. The target host then tries to associate the ACK reply to an existing TCP connection, and if none such exists, it will drop the packet. However, this process consumes server resources, and large numbers of such requests can deplete system resources. In order to correctly identify and mitigate such attacks, defenses need visibility to both inbound SYN and outbound SYN/ACK replies, so that they can verify whether the ACK packet is associated with any legitimate connection request.

[You may also like: An Overview of the TCP Optimization Process]

Reflection/Amplification Attacks: Such attacks exploit asymmetric responses between the connection requests and replies of certain protocols or applications. Again, some types of such attacks require visibility into both the inbound and outbound traffic channels.

An example of such attack is a large-file outbound pipe saturation attack. In such attacks, the attackers identify a very large file on the target network, and send a connection request to fetch it. The connection request itself can be only a few bytes in size, but the ensuing reply could be extremely large. Large amounts of such requests can clog-up the outbound pipe.

Another example are memcached amplification attacks. Although such attacks are most frequently used to overwhelm a third-party target via reflection, they can also be used to saturate the outbound channel of the targeted network.

[You may also like: 2018 In Review: Memcache and Drupalgeddon]

Scanning Attacks: Large-scale network scanning attempts are not just a security risk, but also frequently bear the hallmark of a DDoS attack, flooding the network with malicious traffic. Such scan attempts are based on sending large numbers of connection requests to host ports, and seeing which ports answer back (thereby indicating that they are open). However, this also leads to high volumes of error responses by closed ports. Mitigation of such attacks requires visibility into return traffic in order to identify the error response rate relative to actual traffic, in order for defenses to conclude that an attack is taking place.

Server Cracking: Similar to scanning attacks, server cracking attacks involve sending large amounts of requests in order to brute-force system passwords. Similarly, this leads to a high error reply rate, which requires visibility into both the inbound and outbound channels in order to identify the attack.

Stateful Application-Layer DDoS Attacks: Certain types of application-layer (L7) DDoS attacks exploit known protocol weaknesses or order to create large amounts of spoofed requests which exhaust server resources. Mitigating such attacks requires state-aware bi-directional visibility in order to identify attack patterns, so that the relevant attack signature can be applied to block it. Examples of such attacks are low-and-slow and application-layer (L7) SYN floods, which draw-out HTTP and TCP connections in order to continuously consume server resources.

[You may also like: Layer 7 Attack Mitigation]

Two-Way Attacks Require Bi-Directional Defenses

As online service availability becomes ever-more important, hackers are coming up with more sophisticated attacks than ever in order to overwhelm defenses. Many such attack vectors – frequently the more sophisticated and potent ones – either target or take advantages of the outbound communication channel.

Therefore, in order for organizations to fully protect themselves, they must deploy protections that allow bi-directional inspection of traffic in order to identify and neutralize such threats.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Security

The Intersections between Cybersecurity and Diversity

March 20, 2019 — by Kevin Harris0

diversity-960x640.jpg

Cybersecurity and diversity are high-value topics that are most often discussed in isolation. Both topics resonate with individuals and organizations alike.

However, the intersections between cybersecurity and diversity are often overlooked. As nations and organizations seek to protect their critical infrastructures, it’s important to cultivate relationships between the two areas. Diversity is no longer only a social awareness and morality initiative; it is a core element of defending critical infrastructures.

Communities Need to Play a Greater Role in Cybersecurity

Technology careers typically pay more than other careers, providing a pathway to a quality lifestyle. With multiple entry points into the technology field — including degrees, apprenticeships and industry certifications — there are ways that varying communities can take part in technology careers, especially in cybersecurity. For instance, communities can improve cybersecurity education for women, minorities and home users.

Workforce Gaps Involving Women and Minorities Weakens Cybersecurity Defenses

Limited awareness and exposure to cybersecurity education often creates an opportunity gap for minorities and women. Failing to incorporate underserved populations limits the talent and size of our cybersecurity workforce. Without an all-inclusive cyber workforce, our critical infrastructure will have a talent gap, introducing additional system vulnerabilities.

To rectify this problem, communities must implement permanent efforts to ensure that children attending schools in underserved districts have access to technology and courses. That will better prepare them to become cyber workers.

[You may also like: Battling Cyber Risks with Intelligent Automation]

This infusion of technology talent helps to protect our nation’s vital digital assets. Organizations must make their recruitment and retention practices more inclusive. Ideally, they should provide opportunities to individuals who are either trained or are willing to undergo training to have a pathway to a successful career.

Additionally, higher education institutions should find ways to ensure that minorities and women have the support they need as they progress through their technology degrees. In addition, universities and colleges can offer cybersecurity faculty and mentors who can help these groups prepare for meaningful careers.

Cybersecurity Training Must Be Improved for Home Users

Another intersection of cybersecurity and diversity is at the user level. Most cybersecurity discussions center on the protection of government or corporate systems. Organizations spend significant portions of their budgets to prepare for and protect against cyberattacks.

Unfortunately, home users are often left out of such conversations; they are not considered part of any holistic cyber defense plan. With the large number of home users with multiple devices, the vulnerabilities of home systems provide hackers with easy attack opportunities.

[You may also like: The Costs of Cyberattacks Are Real]

Consequently, attackers access and compromise home devices, which allows them to attack other systems. In addition, these hackers can mask their true location and increase their computing power. They can then carry out their attacks more efficiently.

Compromising an individual’s personal device presents additional opportunities for attackers to access that person’s credentials as well as other sensitive workplace data. However, strong organization policies should dictate what information can be accessed remotely.

To increase home users’ threat awareness level, organizations should develop training programs as a part of community involvement initiatives. Vendors should strengthen default security settings for home users and ensure that home security protections are affordable and not difficult to configure.

[You may also like: Personal Security Hygiene]

Organizational Cultures Need to Emphasize that All Employees are Cyber Defenders

Diversity and cybersecurity also intersect at the organizational culture level. Regardless of whether or not organizations have an information systems security department, companies must foster the right type of security-minded workplace culture. All employees should be aware that they are intricate components in protecting the organization’s critical digital assets.

Educational institutions can support this effort by incorporating cyber awareness training across disciplines. This will give all graduates — regardless of their degrees — some exposure to cyber risks and their role in protecting digital assets.

[You may also like: 5 Ways Malware Defeats Cyber Defenses & What You Can Do About It]

Cybersecurity and Diversity Should Work Together, Not in Silos

Cybersecurity and diversity will continue to be important topics. The focus, however, should be on discussing the importance of their mutual support, rather than functioning in two separate silos. Improving our cyber defenses requires the best of all segments of our society, which includes minorities, women and home users.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now