A DDoS attack can carry significant costs and consequences. However, these key steps can help minimize the impact and get you on your way to recovery.
The quality of bot detection determines the quality of the solution. And as bots become ever more sophisticated, detection becomes ever more challenging.
Cyber criminals aren't just targeting gamers, they're also targeting the gaming industry and those that support it at high volumes for profit.
Despite the technological advancements, innovation, and experience the knights of the cyber order have acquired over the past 25 years or so, the “bad guys” are still a step ahead. Why? In large part, because of the power of community.
While information security vendors live in a competitive market and must protect their intellectual property, hackers communicate, share information and contribute to each other’s immediate success and long-term skill set.
The Infosec Community
In recent years, we’ve seen more partnerships and collaborations between infosec vendors. For example, the Cyber Threat Alliance (of which Radware is a member) enables cybersecurity practitioners to share credible cyber threat information. Each vendor collects and shares security incidents detected by their security solutions, honeypots and research teams worldwide in order to disrupt malicious actors and protect end-users.
Similarly, several vendors offer live threat maps, which, as the name suggests, help detect live attacks as they’re launched.
Radware’s Live Threat Map, which is open to the public, presents near real-time information on cyberattacks–from scanners to intruders to DDoS and web application hacks–as they occur, based on our global threat deception network (comprised of distributed honeypots that collect information about active threat actors), and cloud systems’ event information. The systems transmit a variety of anonymized and sampled network and application attacks to our Threat Research Center and are shared with the community.
More specifically, our machine learning algorithms profile the attackers and their intent, the attack vector and target – be it a network, a server, an IoT device or an application. Various validation mechanisms ensure high fidelity and minimize false positives. This makes our map sturdy and essentially flawless, if I say so myself.
Visibility Is Key
Detecting live attacks despite all evasion mechanisms is just the first step. The “good guys” must also translate these massive data lakes into guidance for those who wish to gain a better understanding of what, exactly, we’re monitoring and how they can improve their own security posture.
Visibility is key to achieving this. The fact is, the market is overwhelmed with security technologies that constantly generate alerts; but to fight attackers and fend off future cyber attacks, businesses need more than notifications. They need guidance and advanced analytics.
For example, the ability to dig into data related to their own protected objects, while enjoying a unified view of all application and network security events with near real-time alerts via customizable dashboards (like Radware provides) will go a long way towards improving security posture — not just for individual companies, but the infosec community as a whole.
A defacement typically refers to a remote code execution attack or SQL injection that allows the hacker to manipulate the visual appearance of the website by breaking into a web server and replacing the current website content with the hacker’s own.
Defacements are considered digital graffiti and typically contain some type of political or rivalry statement from the hacker. Hacktivist groups often leverage defacements.
These groups are typically unskilled, using basic software to automate their attacks. When major websites are defaced, it is typically due to network operator negligence. Web application firewalls are the best way to prevent these attacks, but updating content management systems or web services is also effective.
If you think that you are the target of a defacement campaign, update and patch your system immediately and alert network administrators to look for malicious activity, as a hacker will typically add a page to your domain. You can also monitor for such attacks retroactively via social media.
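The advice above boils down to noticing changed or newly planted pages quickly. The following added example (not code from the original post) shows a minimal content-integrity check: a known-good manifest of SHA-256 hashes for every file under the document root is compared against the current files, so a replaced index page or an extra page shows up as an alert. The site files and the post-defacement snapshot are constructed for the demonstration; on a real host you would walk the document root and keep the baseline manifest somewhere the web server account cannot write.

```python
"""
Added example (not from the original post): a minimal web-content integrity
check that compares the current document root against a known-good manifest,
so a defacement (a replaced page) or a planted page shows up as an alert.
All file contents below are constructed for the demonstration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each path under the document root to the SHA-256 of its content.
    In production, walk the real document root and store the manifest
    out of reach of the web server account."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline: dict, current_files: dict) -> dict:
    """Compare the current files against the baseline manifest."""
    current = build_manifest(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def alerts_for(report: dict) -> list:
    """Turn the comparison into alert lines for administrators."""
    lines = [f"ALERT modified content: {p}" for p in report["modified"]]
    lines += [f"ALERT unexpected new page: {p}" for p in report["added"]]
    lines += [f"ALERT missing page: {p}" for p in report["removed"]]
    return lines


# Constructed known-good site (hypothetical content)
KNOWN_GOOD = {
    "index.html": b"<html><body>Welcome to Example Shop</body></html>",
    "about.html": b"<html><body>About us</body></html>",
    "css/site.css": b"body { font-family: sans-serif; }",
}

# Constructed snapshot after a defacement: index replaced, an extra page planted
AFTER_DEFACEMENT = {
    "index.html": b"<html><body>Defaced page (constructed sample)</body></html>",
    "about.html": KNOWN_GOOD["about.html"],
    "css/site.css": KNOWN_GOOD["css/site.css"],
    "x.html": b"<html><body>Planted page (constructed sample)</body></html>",
}


def run_demo() -> dict:
    baseline = build_manifest(KNOWN_GOOD)
    return check_integrity(baseline, AFTER_DEFACEMENT)


if __name__ == "__main__":
    for line in alerts_for(run_demo()):
        print(line)
```

Running the check on a schedule (or from a file-change watcher) and alerting on any non-empty result gives you the early warning the paragraph describes, instead of learning about the defacement from social media.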
It’s almost as inevitable as death and taxes: somewhere, at some point, you will come under a DDoS attack.
The reasons for DDoS attacks can vary from cyber crime to hacktivism to simple bad luck, but eventually someone will be out there to try and take you down.
The good news, however, is that there is plenty to be done about it. Below are five key steps you can begin taking today so that you are prepared when the attack comes.
Step 1: Map Vulnerable Assets
The ancient Greeks said that knowing thyself is the beginning of wisdom.
It is no surprise, therefore, that the first step to securing your assets against a DDoS attack is to know what assets there are to be secured.
Begin by listing all external-facing assets that might potentially be attacked. This list should include both physical and virtual assets:
- Physical locations & offices
- Data centers
- IP addresses and subnets
- Domains, sub-domains and specific FQDNs
Mapping out all externally-facing assets will help you draw your threat surface and identify your point of vulnerability.
Step 2: Assess Potential Damages
After listing all potentially vulnerable assets, figure out how much they are worth to you.
This is a key question, as the answer will help determine how much you should spend in protecting these properties.
Keep in mind that some damages are direct, while others may be indirect. Some of the potential damages from a DDoS attack include:
- Direct loss of revenue – If your website or application is generating revenue directly on a regular basis, then any loss of availability will cause direct, immediate losses in revenue. For example, if your website generates $1m a day, every hour of downtime, on average, will cause over $40,000 in damages.
- Loss in productivity – For organizations that rely on online services, such as email, scheduling, storage, CRM or databases, any loss of availability to any of these services will directly result in loss of productivity and lost workdays.
- SLA obligations – For applications and services that are bound by service commitments, any downtime can lead to breach of SLA, resulting in refunding customers for lost services, granting service credits, and even potentially facing lawsuits.
- Damage to brand – In a world that is becoming ever-more connected, being available is increasingly tied to a company’s brand and identity. Any loss of availability as a result of a cyber-attack, therefore, can directly impact a company’s brand and reputation. In fact, Radware’s 2018 Application and Network Security Report showed that 43% of companies had experienced reputation loss as a result of a cyber-attack.
- Loss of customers – One of the biggest potential damages of a successful DDoS attack is loss of customers. This can be either direct loss (i.e., a customer chooses to abandon you as a result of a cyber-attack) or indirect (i.e., potential customers who are unable to reach you and lost business opportunities). Either way, this is a key concern.
When evaluating potential damages of a DDoS attack, assess each vulnerable asset individually. A DDoS attack against a customer-facing e-commerce site, for example, will result in very different damages than an attack against a remote field office.
After you assess the risk to each asset, prioritize them according to risk and potential damages. This will not only help you assess which assets need protection, but also the type of protection they require.
Step 3: Assign Responsibility
Once you create an inventory of potentially vulnerable assets, and then assign a dollar figure (or any other currency…) to how much they are worth to you, the next step is to decide who is responsible for protecting them.
DDoS attacks are a unique type of cyber attack, as they affect different levels of IT infrastructure and can therefore potentially fall under the responsibility of different stakeholders:
- Is DDoS the responsibility of the network administrator, since it affects network performance?
- Is it the responsibility of application owner, since it impacts application availability?
- Is it the responsibility of the business manager, since it affects revenue?
- Is it the responsibility of the CISO, since it is a type of cyber attack?
A surprising number of organizations don’t have properly defined areas of responsibility with regards to DDoS protection. This can result in DDoS defense “falling between the cracks,” leaving assets potentially exposed.
Step 4: Set Up Detection Mechanisms
Now that you’ve evaluated which assets you must protect and who’s responsible for protecting them, the next step is to set up measures that will alert you to when you come under attack.
After all, you don’t want your customers – or worse, your boss – to be the ones to tell you that your services and applications are offline.
Detection measures can be deployed either at the network level or at the application level.
Make sure these measures are configured so that they don’t just detect attacks, but also alert you when something bad happens.
Step 5: Deploy a DDoS Protection Solution
Finally, after you’ve assessed your vulnerabilities and costs, and set up attack detection mechanisms, now is the time to deploy actual protection.
This step is best done before you get attacked, and not when you are already under one.
DDoS protection is not a one-size-fits-all proposition, and there are many types of protection options, depending on the characteristics, risk and value of each individual asset.
On-demand cloud mitigation services are activated only once an attack is detected. They require the lowest overhead and are the lowest-cost solution, but require traffic diversion for protection to kick in. As a result, they are best suited for cost-sensitive customers, services which are not mission-critical, and customers who have never been (or are infrequently) attacked, but want a basic form of backup.
Always-on cloud services route all traffic through a cloud scrubbing center at all times. No diversion is required, but there is minor added latency to requests. This type of protection is best for mission-critical applications which cannot afford any downtime, and organizations that are frequently attacked.
Hardware-based appliances provide the advanced capabilities and fast response of premises-based equipment. However, an appliance on its own is limited in its capacity. Therefore, appliances are best used by service providers who are building their own scrubbing capabilities, or in combination with a cloud service.
Finally, hybrid DDoS protection combines the massive capacity of cloud services with the advanced capabilities and fast response of a hardware appliance. Hybrid protection is best for mission-critical and latency-sensitive services, and organizations who encrypt their user traffic, but don’t want to put their SSL keys in the cloud.
Ultimately, you can’t control if-and-when you are attacked, but following these steps will help you be prepared when DDoS attackers come knocking at your door.
Ransomware is a type of malware that restricts access to user data by encrypting an infected computer’s files and demanding payment for the decryption key. The attacker often distributes a large-scale phishing campaign in the hope that someone will open the malicious attachment or link. Once infected, the device is unusable and the victim is faced with the decision of whether or not to pay the extortionist to recover the decryption key.
Only in certain cases have keys been recovered. Over the years, Radware researchers have also followed the ransomware-as-a-service (RaaS) industry, which offers novice users the ability to launch their own campaigns for an established price or percentage of the profit. Ransomware has existed for over two decades but has only recently gained popularity among for-profit criminals. This trend has tapered off because ransomware campaigns generate a great deal of attention, notifying potential victims and thereby discouraging them from paying. Campaigns that attract less attention are typically more profitable.
Ransomware campaigns follow a standard pattern of increased activity in the beginning before settling down. Ransomware, once incredibly popular, has fallen out of favor with attackers, who now prefer cryptojacking campaigns. Because of the amount of attention that ransomware campaigns generate, most groups target a wide range of industries, including manufacturing, retail and shipping, in the hope of finding some success.
If you think that your organization could be a target of a ransomware campaign, shoring up your network is critical. Ransomware can be delivered in various ways, most commonly via spam/phishing emails containing a malicious document. Other forms of infection include exploit kits, Trojans and the use of exploits to gain unauthorized access to an infected device.
Buying a cloud-based security solution is more than just buying a technology. Whereas when you buy a physical product, you care mostly about its immediate features and capabilities, a cloud-based service is more than just lines on a spec sheet; rather, it is a combination of multiple elements, all of which must work in tandem, in order to guarantee performance.
Cloud Service = Technology + Network + Support
There are three primary elements that determine the quality of a cloud security service: technology, network, and support.
Technology is crucial for the underlying security and protection capabilities. The network provides the solid foundation on which the technology runs, and the operation & support component is required to bring them together and keep them working.
Take any one out, and the other two legs won’t be enough for the service to stand on.
This is particularly true when looking for a cloud-based DDoS scrubbing solution. Distributed Denial of Service (DDoS) attacks have distinct features that make them different from other types of cyber-attacks. Therefore, there are specific requirements for cloud-based DDoS protection services that cover the full gamut of technology, network, and support and that are particular to DDoS protection.
As I explained earlier, technology is just one facet of what makes up a cloud security service. However, it is the building block on which everything else is built.
The quality of the underlying technology is the most important factor in determining the quality of protection. It is the technology that determines how quickly an attack will be detected; it is the quality of the technology that determines whether it can tell the difference between a traffic spike in legitimate traffic, and a DDoS attack; and it is the technology that determines whether it can adapt to attack patterns in time to keep your application online or not.
In order to make sure that your protection is up to speed, there are a few key core features you want to make sure that your cloud service provides:
- Behavioral detection: It is often difficult to tell the difference between a legitimate surge in customer traffic – say, during peak shopping periods – and a surge caused by a DDoS attack. Rate-based detection won’t be able to tell the difference, resulting in false positives. Therefore, behavioral detection, which looks not just at traffic rates, but also at non-rate behavioral parameters, is a must-have capability.
- Automatic signature creation: Attackers are relying more and more on multi-vector and ‘hit-and-run’ burst attacks, which frequently switch between different attack methods. Any defense mechanism based on manual configurations will fail because it won’t be able to keep up with the changes. Only defenses which provide automatic, real-time signature creation can keep up with such attacks, in order to tailor defenses to the specific characteristics of the attack.
- SSL DDoS protection: As more and more internet traffic becomes encrypted – over 85% according to the latest estimates – protection against encrypted DDoS floods becomes ever more important. Attackers can leverage SSL/TLS encryption to launch potent DDoS attacks which can quickly overwhelm server resources. Therefore, protection capabilities against SSL-based DDoS attacks are key.
- Application-layer protection: As more and more services migrate online, application-layer (L7) DDoS attacks are increasingly used in order to take them down. Many traditional DDoS mitigation services look only at network-layer (L3/4) protocols, but up-to-date protection must include application-layer protection, as well.
- Zero-day protection: Finally, attackers are constantly finding new ways of bypassing traditional security mechanisms and hitting organizations with attack methods never seen before. Even by making small changes to attack signatures hackers can craft attacks that are not recognized by manual signatures. That’s why including zero-day protection features, which can adapt to new attack types, is an absolute must-have.
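Step 4 of the DDoS preparation steps above (detection that also alerts) and the first two bullets in this list (behavioral versus rate-based detection, and automatic signature creation) can be shown in one place. The following is an added example, not Radware’s code or a description of its products: three constructed one-second traffic windows (a quiet baseline, a legitimate shopping peak, and an HTTP flood) are run through a rate-only detector and a behavioral detector, and a match rule is derived automatically from the window that trips the behavioral detector. The 5x rate factor, the 0.5 entropy-drop threshold, the 80% dominance share for the signature and the traffic shapes are all assumptions chosen for the demonstration.

```python
"""
Added example (not Radware's code): rate-only versus behavioral detection over
constructed one-second traffic windows, plus an automatically derived match
rule for the window that trips the behavioral detector. Thresholds and traffic
shapes are assumptions chosen for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Request:
    src_ip: str
    path: str
    user_agent: str


PATHS = ["/", "/product", "/cart", "/search", "/checkout"]
AGENTS = ["Mozilla/5.0 (Windows)", "Mozilla/5.0 (iPhone)", "Mozilla/5.0 (Android)"]


def normal_traffic(n_requests, n_sources):
    """Constructed legitimate traffic: paths and agents spread evenly over many sources."""
    return [Request(f"10.0.{(i % n_sources) // 256}.{(i % n_sources) % 256}",
                    PATHS[i % len(PATHS)], AGENTS[i % len(AGENTS)])
            for i in range(n_requests)]


def flood_traffic(n_requests, n_sources=400):
    """Constructed HTTP flood: many sources, but almost every request hits one
    path with one tool-like user agent; a little normal traffic is mixed in."""
    n_flood = int(n_requests * 0.95)
    flood = [Request(f"10.9.{(i % n_sources) // 256}.{(i % n_sources) % 256}",
                     "/search", "python-requests/2.31")
             for i in range(n_flood)]
    return flood + normal_traffic(n_requests - n_flood, 50)


def norm_entropy(values):
    """Shannon entropy scaled to [0, 1]: 1.0 = evenly spread, near 0 = one value dominates."""
    counts = Counter(values)
    total = sum(counts.values())
    if len(counts) <= 1:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))


def features(window):
    """Rate plus two non-rate behavioral parameters of a traffic window."""
    return {
        "rate": len(window),
        "path_entropy": norm_entropy(r.path for r in window),
        "agent_entropy": norm_entropy(r.user_agent for r in window),
    }


RATE_FACTOR = 5.0     # assumed: a surge is more than 5x the baseline request rate
ENTROPY_DROP = 0.5    # assumed: the mix of paths/agents collapsed versus baseline


def rate_only_alert(window, baseline):
    """Rate-based detection: any big surge raises an alert, legitimate or not."""
    return len(window) > RATE_FACTOR * len(baseline)


def behavioral_alert(window, baseline):
    """Alert only when a surge also changes what the traffic looks like."""
    if not rate_only_alert(window, baseline):
        return False
    w, b = features(window), features(baseline)
    return (b["path_entropy"] - w["path_entropy"] > ENTROPY_DROP
            or b["agent_entropy"] - w["agent_entropy"] > ENTROPY_DROP)


SIGNATURE_SHARE = 0.8  # assumed: a value must dominate the window to enter the rule


def derive_signature(window):
    """Attributes where a single value dominates the flagged window become a match rule."""
    signature = {}
    for attr in ("path", "user_agent"):
        value, count = Counter(getattr(r, attr) for r in window).most_common(1)[0]
        if count / len(window) >= SIGNATURE_SHARE:
            signature[attr] = value
    return signature


def matches(request, signature):
    return all(getattr(request, attr) == value for attr, value in signature.items())


def evaluate():
    """Run both detectors over the constructed windows and derive a rule for the flood."""
    baseline = normal_traffic(100, 50)
    windows = {
        "shopping_peak": normal_traffic(1000, 400),  # 10x rate, same behaviour
        "http_flood": flood_traffic(1000),           # 10x rate, collapsed mix
    }
    results = {name: {"rate_only": rate_only_alert(w, baseline),
                      "behavioral": behavioral_alert(w, baseline)}
               for name, w in windows.items()}
    signature = derive_signature(windows["http_flood"])
    results["signature"] = signature
    # How much legitimate baseline traffic would the derived rule block? Should be none.
    results["baseline_matches"] = sum(matches(r, signature) for r in baseline)
    return results


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

The shopping peak trips the rate-only detector (a false positive) but not the behavioral one, because its path and user-agent mix is unchanged from the baseline; the flood trips both, and the rule derived from it matches none of the baseline requests. In a real deployment the baseline would be learned over time rather than taken from one window, and the alert would go to a pager or SIEM rather than stdout.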
The next building block is the network. Whereas the technology stops the attack itself, it is the network that scales-out the service and deploys it on a global scale. Here, too, there are specific requirements that are uniquely important in the case of DDoS scrubbing networks:
- Massive capacity: When it comes to protection against volumetric DDoS attacks, size matters. DDoS attack volumes have been steadily increasing over the past decade, with each year reaching new peaks. That is why having large-scale, massive capacity at your disposal is an absolute requirement to stop attacks.
- Dedicated capacity: It’s not enough, however, to just have a lot of capacity. It is also crucial that this capacity be dedicated to DDoS scrubbing. Many security providers rely on their CDN capacity, which is already being widely utilized, for DDoS mitigation as well. Therefore, it is much more prudent to focus on networks whose capacity is dedicated to DDoS scrubbing and segregated from other services such as CDN, WAF, or load-balancing.
- Global footprint: Fast response and low latency are crucial components in service performance. A critical component in latency, however, is the distance between the customer and the host. Therefore, in order to minimize latency, it is important for the scrubbing center to be as close as possible to the customer, which can only be achieved with a globally distributed network with a large footprint.
The final piece of the ‘puzzle’ of providing a high-quality cloud security network is the human element; that is, maintenance, operation and support.
Beyond the cold figures of technical specifications, and the bits-and-bytes of network capacity, it is the service element that ties together the technology and network, and makes sure that they keep working in tandem.
Here, too, there are a few key elements to look at when considering a cloud security network:
- Global Team: Maintaining global operations of a cloud security service requires a team large enough to ensure 24x7x365 operations. Moreover, sophisticated security teams use a ‘follow-the-sun’ model, with team members distributed strategically around the world, to make sure that experts are always available, regardless of time or location. Only teams that reach a certain size – and companies that reach a certain scale – can guarantee this.
- Team Expertise: Apart from the sheer number of team members, it is also their expertise that matters. Cyber security is a discipline, and DDoS protection, in particular, is a specialization. Only a team with a distinguished, long track record in protecting specifically against DDoS attacks can ensure that you have the staff, skills, and experience required to be fully protected.
- SLA: The final qualification is the service guarantees provided by your cloud security vendor. Many service providers make extensive guarantees, but fall woefully short when it comes to backing them up. The Service Level Agreement (SLA) is your guarantee that your service provider is willing to put their money where their mouth is. A high-quality SLA must provide individual measurable metrics for attack detection, diversion (if required), alerting, mitigation, and uptime. Falling short of those should call into question your vendor’s ability to deliver on their promises.
A high-quality cloud security service is more than the sum of its parts. It is the technology, network, and service all working in tandem – and hitting on all cylinders – in order to provide superior protection. Falling short on any one element can potentially jeopardize quality of the protection delivered to customers. Use the points outlined above to ask yourself whether your cloud security vendor has all the right pieces to provide quality protection, and if they don’t – perhaps it is time for you to consider alternatives.
Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.
While working on Radware’s Ultimate Guide to Bot Management, I began wondering what it would take to build a botnet.
Would I have to dive into the Darknet and find criminal hackers and marketplaces to obtain the tools to make one? How much effort would it take to build a complicated system that would avoid detection and mitigation, and what level of expertise is required to make a scraping/credential stuffing and website abuse botnet?
At Your Fingertips
What I discovered was amazing. I didn’t even need to dive into the Darknet; everything anyone would need was readily available on the public internet.
My learning didn’t end there. During this exploration, I noticed that many organizations use botnets in one form or another against their competitors or to gain a competitive advantage. Of course, I knew hackers leverage botnets for profit; but the availability of botnet building tools makes it easy for anyone to construct botnets that can access web interfaces and APIs while disguising their location and user agents.
The use cases being advertised from these toolsets range from data harvesting, to account creation and account takeover, to inventory manipulation capabilities, advertising fraud and a variety of ways to monetize and automate integrations into well known systems for IT.
Mobile Phone Farms
These tool designers and services clearly know there is a market for cyber criminality, and some are shameless about promoting it.
For example, per a recent Vice article examining mobile phone farms, companies are incentivizing traffic to their apps and content by paying users. Indeed, it appears that people can make anywhere from $100-300 a month per mobile phone on apps like perk TV, Fusion TV, MyPoints or even categorizing shows for Netflix. They merely have to take surveys, watch television shows, categorize content or check into establishments.
More specifically, people are building mobile phone farms with cheap Android devices and used phones, and scale up their operations to a point where they can make a couple of thousand dollars (or more!) per month. These farms can be rented out to conduct more nefarious activities, like price scraping, data harvesting, ticket purchasing, account takeover, fake article writing and social media development, hacking, launching DDoS attacks and more. To complicate matters, thanks to proxy servers and VPN tools, it has become nearly impossible to detect if a phone farm is being used against a site.
It’s not a far leap to assume that incentivized engagement may very well invite people to build botnets. How long until somebody develops an app to “rent your phone’s spare cycles” to scrape data, or watch content, write reviews, etc. (in other words, things that aren’t completely against the law) for money? Would people sign up to make extra beer money in exchange for allowing botnet operators to click on ads and look at websites for data harvesting?
I think it’s just a matter of time before this idea takes flight. Are you prepared today to protect against the sophisticated botnets? Do you have a dedicated bot management solution? When the botnets evolve into the next generation, will you be ready?
Read “The Ultimate Guide to Bot Management” to learn more.
Exploit kits are prepackaged tool kits containing specific exploits and payloads used to drop malicious payloads onto a victim’s machine. Once a popular avenue for attacks, they are now barely used due to the popularity of other attack vectors, such as cryptomining. However, they are still utilized to deploy ransomware and mining malware.
These tools can target nearly everyone. Organizations should consider themselves a daily target for possible exploit kits designed to deliver malicious payloads onto their network.
To prevent this, update network devices and ensure that all employee devices are also updated. Oftentimes, these attacks are browser-based and exploit vulnerabilities once an employee visits the malicious landing page.
Training and preparation start with user education. Humans are the weakest link, and authors of exploit kits target the masses in the hope that someone will fall for their landing pages.
Watch our video with security researcher Daniel Smith to learn more: