Category - Stop DoS

1
3 Drivers Behind the Increasing Frequency of DDoS Attacks
2
California Dem hit with DDoS attacks during failed primary bid: report
3
DDoS Protection is the Foundation for Application, Site and Data Availability
4
A Scoville Heat Scale For Measuring Cybersecurity
5
McDreary? The Future of Medical Call Centers & DDoS
6
Rise in multifunctional botnets
7
The complete guide to understanding web applications security
8
Massachusetts Man Convicted of Cyber Attack on Hospital
9
10 Big Security Concerns About IoT For Business (And How To Protect Yourself)
10
DDoS Attacks Get Bigger, Smarter and More Diverse

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices.

Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824

California Dem hit with DDoS attacks during failed primary bid: report

The campaign website of a Democratic congressional candidate in California was taken down by cyberattacks several times during the primary election season, according to cybersecurity experts.

Rolling Stone reported on Thursday that cybersecurity experts who reviewed forensic server data and emails concluded that the website for Bryan Caforio, who finished third in the June primary, was hit with distributed denial of service (DDoS) attacks while he was campaigning.

The attacks, which amount to artificially heavy website traffic that forces hosting companies to shut down or slow website services, were not advanced enough to access any data on the campaign site, but they succeeded in blocking access to bryancaforio.com four times before the primary, including during a crucial debate and in the week before the election.

Caforio’s campaign didn’t blame his loss on the attacks, but noted that he failed to advance to a runoff against Rep. Steve Knight (R-Calif.) by coming up 1,497 votes short in his loss against fellow Democrat Katie Hill.

Caforio’s campaign tried several tactics to deter malicious actors, including upgrading the website’s hosting service and adding specific DDoS protections, which in the end failed to deter the attacks.

“As I saw firsthand, dealing with cyberattacks is the new normal when running for office, forcing candidates to spend time fending off those attacks when they should be out talking to voters,” Caforio told the magazine.

A spokeswoman for the Department of Homeland Security (DHS) told Rolling Stone that it offered to help Caforio’s campaign investigate the four attacks but received no response.

A DHS spokesperson did not immediately respond to a request for comment from The Hill.

An aide to the Democratic Congressional Campaign Committee, the campaign arm for House Democrats, told Rolling Stone that it takes attacks such as the ones Caforio faced “very seriously.”

“While we don’t have control over the operations of individual campaigns, we continue to work with and encourage candidates and their staffs to utilize the resources we have offered and adopt best security practices,” the aide said.

Source: https://thehill.com/policy/cybersecurity/407608-california-democrat-hit-with-ddos-attacks-during-failed-primary-bid

DDoS Protection is the Foundation for Application, Site and Data Availability

When we think of DDoS protection, we often think about how to keep our website up and running. While searching for a security solution, you’ll find several options that are similar on the surface. The main difference is whether your organization requires a cloud, on-premise or hybrid solution that combines the best of both worlds. Finding a DDoS mitigation/protection solution seems simple, but there are several things to consider.

It’s important to remember that DDoS attacks don’t just cause a website to go down. While the majority do cause a service disruption, 90 percent of the time it does not mean a website is completely unavailable, but rather there is a performance degradation. As a result, organizations need to search for a DDoS solution that can optimize application performance and protect from DDoS attacks. The two functions are natural bedfellows.

The other thing we often forget is that most traditional DDoS solutions, whether they are on-premise or in the cloud, cannot protect us from an upstream event or a downstream event.

  1. If your carrier is hit with a DDoS attack upstream, your link may be fine but your ability to do anything would be limited. You would not receive any traffic from that pipe.
  2. If your infrastructure provider goes down due to a DDoS attack on its key infrastructure, your organization’s website will go down regardless of how well your DDoS solution is working.

Many DDoS providers will tell you these are not part of a DDoS strategy. I beg to differ.

Finding the Right DDoS Solution

DDoS protection was born out of the need to improve availability and guarantee performance.  Today, this is critical. We have become an application-driven world where digital interactions dominate. A bad experience using an app is worse for customer satisfaction and loyalty than an outage.  Most companies are moving into shared infrastructure environments—otherwise known as the “cloud”— where the performance of the underlying infrastructure is no longer controlled by the end user.

  1. Data center or host infrastructure rerouting capabilities gives organizations the ability to reroute traffic to secondary data centers or application servers if there is a performance problem caused by something that the traditional DDoS prevention solution cannot negate. This may or may not be caused by a traditional DDoS attack, but either way, it’s important to understand how to mitigate the risk from a denial of service caused by infrastructure failure.
  2. Simple-to-use link or host availability solutions offer a unified interface for conducting WAN failover in the event that the upstream provider is compromised. Companies can use BGP, but BGP is complex and rigid. The future needs to be simple and flexible.
  3. Infrastructure and application performance optimization is critical. If we can limit the amount of compute-per-application transactions, we can reduce the likelihood that a capacity problem with the underlying architecture can cause an outage. Instead of thinking about just avoiding performance degradation, what if we actually improve the performance SLA while also limiting risk? It’s similar to making the decision to invest your money as opposed to burying it in the ground.

Today you can look at buying separate products to accomplish these needs but you are then left with an age old problem: a disparate collection of poorly integrated best-of-breed solutions that don’t work well together.

These products should work together as part of a holistic solution where each solution can compensate and enhance the performance of the other and ultimately help improve and ensure application availability, performance and reliability. The goal should be to create a resilient architecture to prevent or limit the impact of DoS and DDoS attacks of any kind.

Source: https://securityboulevard.com/2018/09/ddos-protection-is-the-foundation-for-application-site-and-data-availability/

A Scoville Heat Scale For Measuring Cybersecurity

The Scoville Scale is a measurement chart used to rate the heat of peppers or other spicy foods. It can also can have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot as the human attack surface is projected to reach over 6 billion people by 2022. In addition, cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats in a similar scale to the hot peppers we consume.

I have provided my own Scoville Scale-like heat characterizations of the cyber threats we are facing below.

Data Breaches: According to Juniper Research, over The Next 5 Years, 146 Billion Records Will Be Breached. The 2017 Annual Data Breach Year-end Review (Identity Theft Resource Center) found that 1,946,181,599 of records containing personal and other sensitive data that have been in compromised between Jan. 1, 2017, and March 20, 2018. The true tally of victims is likely much greater as many breaches go unreported. According to the Pew Research Center, a majority of Americans (65%) have already personally experienced a major data breach.  On the Scoville scale, data breaches, by the nature of their growing exponential threat can be easily categorized at a “Ghost Pepper” level.

Malware: According to Forrester Research’s 2017 global security survey, there are 430 million types of malware online—up 40 percent from just three years ago. The Malware Tech Blog cited that 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. Malware is ubiquitous and we deal with it. It is a steady “Jalepeno Pepper” on the scale.

Ransomware:  Cybersecurity Ventures predicts that ransomware damage costs will rise to $11.5 billion in 2019 with an attack occurring every 14 seconds. According to McAfee Lab’s Threat Report covering Q4 2017, eight new malware samples were recorded every second during the final three months of 2017. Cisco finds that Ransomware attacks are growing more than 350 percent annually. Experts estimate that there are more than 125 separate families of ransomware and hackers have become very adept at hiding malicious code. Ransomware is scary and there is reason to panic, seems like a ”Fatali Pepper.”

Distributed Denial of Service (DDoS):   In 2016, DDoS attacks were launched against a Domain Name System (DNS) called Dyn. The attack directed thousands of IoT connected devices to overload and take out internet platforms and services.  The attack used a simple exploit of a default password to target home surveillance cameras, and routers. DDoS is like a “Trinidad Pepper” as it can do quick massive damage and stop commerce cold. DDoS is particularly a frightening scenario for the retail, financial. and healthcare communities.

Phishing:  Phishing is a tool to infect malware, ransomware, and DDoS. The 2017 Ponemon State of Endpoint Security Risk Report found that 56% of organizations in a survey of 1,300 IT decision makers identified targeted phishing attacks as their biggest current cybersecurity threat. According to an analysis by Health Information Privacy/Security Alert, 46,000 new phishing sites are created every day. According to Webroot, An average of 1.385 million new, unique phishing sites are created each month. The bottom line it is easy anyone to be fooled by a targeted phish. No one is invulnerable to a crafty spear-phish, especially the C-Suite. On the Scoville Scale, Phishing is prolific, persistent, and often causes harm. I rate it at the “Habanero Pepper” level.

Protecting The Internet of Things:  The task of securing IoT is increasingly more difficult as mobility, connectivity and the cyber surface attack space grows. Most analysts conclude that there will be more than 20 billion connected Internet devices by 2020. According to a study conducted in April of 2017 by The Altman Vilandrie & Company, neary half of U.S. firms using The Internet of Things experienced cybersecurity breaches.  Last year, Symantec noted that IoT attacks were up 600 percent. Analysts predict 25 percent of cyber-attacks in 2020 will target IoT environments. Protect IoT can be the “Carolina Reaper” as everything connected is vulnerable and the consequences can be devastating.

Lack of Skilled Cybersecurity Workers: Both the public and private sectors are facing major challenges from a dearth of cybersecurity talent. As companies evolve toward digital business, people with cybersecurity skills are becoming more difficult to find and more expensive for companies to hire and keep. A report out from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. A 2017 research project by the industry analyst firm Enterprise Strategy Group (ESG ) and the Information Systems Security Association (ISSA) found that 70 percent of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage. On the Scoville Scale, I rate the skills shortage as a “Scotch Bonett,” dangerous but perhaps automation, machine learning and artificial intelligence can ease the pain.

Insider Threats: Insider threats can impact a company’s operational capabilities, cause significant financial damages, and harm a reputation. The IBM Cyber Security Index found that 60% of all cyber- attacks were carried out by insiders.  And according to  a recent Accenture HfS Research report 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders over one year. Malicious insider intrusions can involve theft of IP, social engineering; spear-phishing attacks, malware, ransomware, and in some cases sabotage. Often overlooked, insider threats correlate to a “Red Savina Habanero.”

Identity Theft: Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll. The reason for the increased rate of identity fraud is clear. As we become more and more connected, the more visible and vulnerable we become to those who want to hack our accounts and steal our identities. We are often enticed via social media or email phishing. Digital fraud and stealing of our identities is all too common and associated closely to data breaches, a “Chocolate Habanero.”

Crypto-mining and TheftCrypto poses relatively new threats to the cybersecurity ecosystem. Hackers need computing power to find and “mine” for coins and can hijack your computer processor while you are online. Hackers place algorithm scripts on popular websites that people innocently visit.  You might not even know you are being hijacked.  Trend Micro disclosed that Crypto-mining malware detections jumped 956% in the first half of 2018 versus the whole of last year. Also, paying ransomware in crypto currencies seems to be a growing trend. The recent WannaCry and the Petya ransomware attackers demanded payment in bitcoin. On The Scoville Scale, it’s still early for crypto and the threats may evolve but right now a “Tabasco Pepper.”

Potential Remedies: Cybersecurity at its core essence is guided by risk management: people, process, policies, and technologies. Nothing is completely invulnerable, but there are some potential remedies that can help us navigate the increasingly malicious cyber threat landscape. Some of these include:

  • Artificial Intelligence and Machine Learning
  • Automation and Adaptive Networks
  • Biometrics and Authentication Technologies
  • Blockchain
  • Cloud Computing
  • Cryptography/Encryption
  • Cyber-hygiene
  • Cyber Insurance
  • Incident Response Plans
  • Information Threat Sharing
  • Managed Security Services
  • Predictive Analytics
  • Quantum-computing and Super-Computing
  • And … Cold Milk

The bottom line is that as we try to keep pace with rising cybersecurity threat levels, we are all going to get burned in one way or another. But we can be prepared and resilient to help mitigate the fire. Keeping track of threats on any sale can be useful toward those goals.

Chuck Brooks is the Principal Market Growth Strategist for General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. He is also Adjunct Faculty in Georgetown University’s Graduate Applied Intelligence program.

Source: https://www.forbes.com/sites/cognitiveworld/2018/09/05/a-scoville-heat-scale-for-measuring-cybersecurity/#15abda233275

McDreary? The Future of Medical Call Centers & DDoS

As healthcare’s digital transformation continues, security remains a top priority — especially as distributed denial-of-service (DDoS) attacks target the click-to-call features on websites.

Click-to-call defines the services that enable patients to immediately call a hospital or clinic directly from a button on their website, either using a traditional phone service or Voice over Internet Protocol (VoIP) technology. This is different from click-to-callback features, which are used for less pressing medical needs, and is an important differentiation when securing hospital communications from DDoS attacks.

Because direct click-to-call scenarios use more resources, such as audio streams and interactive voice response (IVR) systems, these types of connections are much easier to effect using an application-layer DDoS attack.

When a DDoS attack affects a healthcare system, click-to-call features are often taken fully offline. If this occurs during a health emergency, the implications can mean life or death.

However, click-to-call features also offer enhanced and more personalized engagement in a cost-effective manner, so simply removing them could result in delayed care or service abandonment as well as raise the cost of future care. So what’s the best move?

Neustar’s 2017 Worldwide DDoS Attacks and Cyber Insights Research Report found that while 99% of the organizations it surveyed had some sort of DDoS protection in place, the vast majority of them (90%) were planning to invest more than in the previous year, and 36% thought they should be investing even more than that.

The same way that keeping protected health information (PHI) secure continues to be of the utmost importance, further steps must be taken to protect healthcare organizations from DDoS attacks.

Gated access through proper authentication 
One of the primary ways healthcare organizations can prevent a DDoS attack is through proper authentication. Proper authentication reduces the attack surface by providing a gate of access to those systems and rules out certain flavors of anonymous attacks.

Anonymous DDoS attacks use an open access or resource and distribute/coordinate mass usage of the access, and are challenging to thwart as it is difficult to differentiate an attack from actual usage.

Proper authentication provides a simple differentiation. Credential loss is a possible attack vector even with authentication; however, coordinating DDoS attacks with authentication credentials is much more difficult due to the distribution of credentials. For instance, if an attacker has compromised a single access point and distributes the single authentication to all endpoints, a properly protected account could easily thwart an attack with access rate-limiting.

Securing Patient Portals 
Implementing secure patient portals is another way to prevent DDoS attacks on medical call centers.

Patient portals require strong authentication. If proper authentication is required before using resources such as call centers and call agents, then the ability to launch a large-scale attack would require numerous credentials. In circumstances where multi-factor authentication is required, the complexity of a successful DDoS attack only increases — thereby making it more difficult to pull off.

For example, if a username/password entry into a patient portal required a text or email verification as well — or even a prompt on an installed smartphone application — then the loss of even a large set of credentials could not be used in an attack without also compromising some other form(s) of communication. Since patient portals also contain mass amounts of private data, securing that information to the highest degree in order to safeguard it properly is key and can also help prevent a large-scale attack on a hospital’s click-to-call functionality.

What the threat of DDoS attacks means to the global security community 
Today it’s obviously critical that global security managers remain aware of the daunting DDoS threat. When (not “if”) an attack occurs, critical resources are consumed — sometimes even resources that are unrelated.

For example, a DDoS attack against a website might consume networking resources, bringing down a patient portal, and an attack against a patient portal may consume database resources and prevent normal internal operations.

DDoS attacks on weak targets are relatively inexpensive for attackers — existing botnets with simple traffic flooding exist and await the next purchase — and simple networking attacks can be thwarted with up-to-date networking equipment front-ending services.

However, application-aware and custom attacks are much more expensive to create, and can be made prohibitively expensive by taking simple steps like requiring authentication before allowing access to resource offerings.

Additionally, keeping software up-to-date is critical as software flaws are discovered, and quickly updating components is effective at blocking attacks before they can be crafted and deployed. Regularly updating systems and keeping them free of malware not only reduces available botnet size, amplification points and reflection points, but may also prevent a hop-off point for more sophisticated attacks.

As more tech companies enter the healthcare field to enable its digitization, and information security continues to be top of mind in every field, it’s important for those in the security industry — some of whom may directly dabble in healthcare — as well as the healthcare organizations themselves to focus on increasing their security measures and to know what they should be doing to prevent this type of communications attack.

Source: https://www.infosecurity-magazine.com/opinions/mcdreary-medical-ddos/

Rise in multifunctional botnets

There is a growing demand around the world for multifunctional malware that is not designed for specific purposes but is flexible enough to perform almost any task.

This was revealed by Kaspersky Lab researchers in a report on botnet activity in the first half of 2018. The research analysed more than 150 malware families and their modifications circulating through 600 000 botnets around the world.

Botnets are large ‘nets’ of compromised machines that are used by cybercriminals to carry out nefarious activities, including DDoS attacks, spreading malware or sending spam. Kaspersky botnet activity on an ongoing basis to prevent forthcoming attacks or to stop a new type of Trojan before it spreads.

It does this by employing technology that emulates a compromised , trapping the commands received from threat actors that are using the botnets to distribute malware. Researchers gain valuable malware samples and statistics in the process.

Drop in single-purpose malware

The first half of 2018 also saw the number of single-purpose pieces of malware distributed through botnets dropping significantly in comparison to the second half of 2017. In H2 2017, 22.46% of all unique malware strands were banking Trojans. This number dropped to 13.25% in the first half of this year.

Moreover, the number of spamming bots, another type of single-purpose malware distributed through botnets, decreased dramatically, from 18.93% in the second half of 2017 to 12.23% in the first half 2018. DDoS bots, yet another typical single-purpose malware, also dropped, from 2.66% to 1.99%, in the same period.

The only type of single-purpose malicious programs to demonstrate notable growth within botnet networks were miners. Even though their percentage of registered files is not comparable to highly popular multifunctional malware, their share increased two-fold and this fits in the general trend of a malicious mining boom, as noted in previous reports.

There’s a RAT in my PC

Alongside these findings, the company noted distinctive growth in malware that is more versatile, in particular Remote Access Tools (RATs) that give cyber crooks almost unlimited opportunities for exploiting infected machines.

Since H1 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from 6.55% to 12.22%, with the Njrat, DarkComet and Nanocore varieties topping the list of the most widespread RATs.

“Due to their relatively simple structure, the three backdoors can be modified even by an amateur threat actor. This allows the malware to be adapted for distribution in a specific region,” the researchers said.

Trojans, which can also be employed for a range of purposes, did not grow as much as RATs, but unlike a lot of single-purpose malware, still increased 32.89% in H2 2017 to 34.25% in H1 2018. In a similar manner to RATs, Trojans can be modified and controlled by multiple command and control servers, for a range of nefarious activities, including cyberespionage or the theft of personal information.

Bot economy

Alexander Eremin, a security expert at Kaspersky Lab, says the reason multipurpose malware is taking the lead when it comes to botnets is clear. “Botnet ownership costs a significant amount of money and, in order to make a profit, criminals must be able to use each and every opportunity to get money out of malware. A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans.”

In addition to switching between different ‘active’ malicious activities, it also opens an opportunity for a passive income, as the owner can simply rent out their botnet to other criminals, he added.

Source: https://www.itweb.co.za/content/LPwQ57lyaoPMNgkj

The complete guide to understanding web applications security

MODERN businesses use web applications every day to do different things, from interacting and engaging with customers to supporting sales and operations.

As a result, web applications are rich with data and critical to the functioning of the company – which means, special precautions must be taken in order to protect them from hackers.

However, not all organizations or their applications are subject to the same level of threats and attacks. In an exclusive interview with Gartner’s Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications.

Gartner splits attacks on web and mobile applications and web APIs into four categories:

# 1 | Denial of service (DoS) 

DoS is a specific subtype of abuse where the attacker’s goal is to disrupt the availability of the web application or service.

In particular, this attack type covers volumetric attacks, which overwhelm network capabilities, and so-called “low and slow” attacks, which overwhelm application or service resources.

# 2 | Exploits 

Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application.

Some common examples include SQL Injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks.

# 3 | Abuse 

Abuse covers many non-exploit types of attack that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other — often automated — scenarios.

# 4 | Access

Access violations occur when an attacker or legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service.

Of the four categories, Gardner says only exploits can be potentially addressed with secure coding and configuration. The others require design-level considerations that cannot be reasonably compensated for in code.

For example, although it’s arguably possible to defend against account takeovers in individual application code, it is much more economical and error-proof to do so in the identity and access management (IAM) system or another external capability.

In an ideal world, the highest level of protection would be available at all times or as needed, but this isn’t feasible due to complexity and cost factors.

And continuously providing the highest level of protection to all web assets can be an expensive proposition, both from economic and operational perspectives.

Securing web applications and web APIs from attacks and abuse requires businesses to assess what level of protection is necessary.

“Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets,” recommends Gardner.

When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs).

But these do not provide strong-enough capabilities in any of the protection areas, warns Gardner.

They are not easily integrated to intercept TLS and do not have the same signatures, rules, behavioral analysis and business logic insight as security solutions that focus on web applications and APIs.

Organizations often first look at a “completely automated public Turing test to tell computers and humans apart” (CAPTCHA) when they suffer from abuse of functionality.

But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is also no guarantee to keep the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs).

Multifactor authentication (MFA) and out of band (OOB) challenges are often used to enable strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues as CAPTCHA, and in addition are often complex and expensive to implement.

Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories.

Some organizations will still be able to start with a single solution to address the biggest potential risks. But they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape.

Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles and price.

Incumbent vendors have begun addressing emerging requirements, but many products still lag.

The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending.

Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth.

Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today.

By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based WAAP services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, which is an increase from fewer than 20 percent today.

Web applications, mobile applications, and web APIs are subject to increased numbers and complexity of attacks.

Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month explains what organizations must keep in mind when planning and implementing solutions:

  • Public, limited-access external, and internal applications require different levels of security.
  • No one capability covers all types of attack.
  • No two capabilities have interchangeable protection efficacy.
  • Some of the capabilities have strong overlaps in addressing specific attack subcategories.
  • Enforcement of policy may be centralized or distributed (for example, use of micro-gateways).

“As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach,” concludes Gardener.

Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens to development staff.

Source: https://techwireasia.com/2018/08/the-complete-guide-to-understanding-web-applications-security/

Massachusetts Man Convicted of Cyber Attack on Hospital

A Massachusetts man was convicted on Wednesday of carrying out a cyber attack on a Boston hospital’s network on behalf of the hacking activist group Anonymous in protest of its treatment of a teenager at the center of a high-profile custody dispute.

A federal jury in Boston found Martin Gottesfeld, 32, guilty of one count of conspiracy to damage protected computers and one count of damaging protected computers, prosecutors said.

Gottesfeld, who is in federal custody, is scheduled to be sentenced on Nov. 14. In a statement posted to YouTube that was recorded in case he was convicted, Gottesfeld said he plans to challenge the verdict.

He also accused prosecutors of ignoring what happened to the teen at the center of the case and of “not telling you the full truth.”

“I’m going to keep fighting,” he said. “I’m not going to give up.”

Prosecutors said that in late 2013, Gottesfeld, a computer systems engineer living in Somerville, Massachusetts, learned about a child custody dispute involving a Connecticut teenager named Justina Pelletier.

Pelletier had been taken into state custody in Massachusetts after a dispute over her diagnosis arose between her parents and Boston Children’s Hospital, which determined her health problems were psychiatric in nature and believed her parents were interfering with her treatment.

Her case garnered national headlines and drew the attention of religious and political groups who viewed it as an example of government interference with parental rights.

Gottesfeld, who disagreed with the hospital’s diagnosis, began advocating online for her release, prosecutors said.

They said Gottesfeld in March 2014 launched a distributed denial of service (DDOS) attack on a residential treatment facility called Wayside Youth & Family Support Network where Pelletier was a resident following her discharge from the hospital.

DDOS attacks shut down or slow websites by flooding them with data.

He later in April 2014 launched a DDOS attack on behalf of Anonymous on the network of Boston Children’s Hospital that not only knocked it off the internet but also affected several other nearby hospitals, prosecutors said.

Amid a federal investigation into his role in the cyber attacks, Gottesfeld in early 2016 fled, prosecutor said.

In mid-February 2016, a Disney Cruise Line vessel rescued Gottesfeld and his wife from a disabled powerboat off the coast of Cuba, prosecutors said. He was arrested when the cruise ship returned to Miami.

Source: https://www.usnews.com/news/us/articles/2018-08-01/massachusetts-man-convicted-of-cyber-attack-on-hospital

10 Big Security Concerns About IoT For Business (And How To Protect Yourself)

In recent years, the Internet of Things (IoT) has vastly changed the way we view, use and interact with smart devices, especially in the business world. Internet-connected virtual assistants, appliances, security systems and more can all communicate and coordinate with each other, allowing business owners to automate and streamline mundane, time-consuming activities.

But for all the conveniences IoT devices afford us, there’s still one major concern that users need to consider: security. Anything that’s connected to the internet has the potential to be hacked and misused. This is especially unsettling considering the amount of personal data IoT devices collect and use.

Members of Young Entrepreneur Council discussed their top security concerns related to IoT, as well as how they’re protecting their businesses and customers.

1. Default ‘Raw Data’ Storage

Many developers default to saving data in raw form, provided they have the storage capacity to do so. But in an age when federal law enforcement officers choose to follow unconstitutional orders, storing data can be life-threatening. Whether a company sells a product to law enforcement officers or merely retains data that could be subpoenaed, evaluating how IoT devices and the data they collect can be used to endanger people is a part of modern risk assessment. Setting clear policies on anonymizing user data, as well as data retention, can help limit potential problems. But if you work with a homogeneous team, you won’t be equipped to see how some data may be used. While consultants can help on this point, hiring diversely is more effective and less expensive. – Thursday Bram, The Responsible Communication Style Guide

2. Insecure Devices

Software security is a fundamental problem for the Internet of Things. Before the IoT, businesses had to worry about updating their servers, content management systems, and desktop computers. Today, they have to worry about updating everything from connected coffee machines to security cameras. Businesses are bringing insecure devices into their networks, and then failing to update the software. Failing to apply security patches is not a new phenomenon, but insecure IoT devices with a connection to the open internet are a disaster waiting to happen. Criminals can hack insecure security cameras, for example, and use them as beachheads to access the rest of the company’s network or combine thousands together into botnets to launch devastating DDOS attacks. – Vik Patel, Future Hosting

3. Trolls And Bad Players

One of the most notorious examples of IoT and security involves a troll who managed to send white supremacist literature to online printers all over the world simultaneously. This action showed both the overwhelming reach that this new technology holds and its vast potential for corruption. This single action terrified me more than any other exploit, leak, or hack since it showed me how vulnerable we are to those who may want to use this technology for evil purposes. To prevent this, I have adopted IoT technology sparingly and only after an exhaustive vetting process. Despite all of the amazing possibilities this phenomenon can provide, I just can’t trust its security and the intentions of those around me. I’ve passed this paranoia on to my clients, and they seem to appreciate my concern. – Bryce Welker, Crush The LSAT

4. Surveillance

With devices all around us, all collecting data, all accessible remotely, there is a new ability to measure and monitor individuals and groups behavior. Organizations have to have a new level of protective measures to ensure this data is not able to be hacked into from the outside. Two key aspects are network security and the encryption of the data. You can go to providers such as Cisco, Bayshore Networks, or Senrio to get new levels of network security. For encryption, look to providers such as Cisco, Entrust Datacard, Gemalto, HPE, Lynx Software Technologies and Symantec. There are many limitations to securing IoT devices so you’ll need to find solutions that work best for your organization and specific device types. – Baruch Labunski, Rank Secure

5. Lack Of Updates

Without a verified update cycle, most IoT devices will eventually get hacked. It may not be in one year, but it could happen as devices get several years old. It is not uncommon to see devices five to seven years old in use in offices and at home. After many years, the original manufacturer could be out of business. Even if in business, their teams could have moved on to other projects and lack support of the product. Thus, the reliability of future updates is at stake. When purchasing IoT devices, we try to pinpoint manufacturers who we believe will be around for years to come and have proven to update older products when there is an issue. – Peter Boyd, PaperStreet Web Design

6. Data Breaches

As we have learned from the recent Facebook debacle and the millions of personal data that they have shared with its partners, the IoT faces a similar threat as more and more devices join the network and share data. Millions of data points will be collected as devices track our every behavior (for example from when we wake up to how many times we open our refrigerator door) and this data can potentially be shared among a number of different network participants. Unlike Facebook, which is a single entity that controls most of the data, the IoT will see various major players. Managing (and protecting) user’s private data will be a challenge new to this industry. – Diego Orjuela, Cables & Sensors

7. Compliant Data Storage

The Internet of Things is generating a huge amount of data that must be processed and stored. Millions of devices will generate petabytes of data, some of which will be linked to identifiable individuals. Canada (PIPEDA) and Europe (GDPR) — and the U.S. to a more limited degree — have regulatory regimes around the privacy of personal data and the penalties can be devastating. As businesses collect more data via the IoT, they must take care not to suck up personal data without storing it securely and in accordance with international privacy standards. As a server hosting provider with data centers in Canada, Europe, and the US, we are compliant with the GDPR and implement a huge range of server, network, and physical security measures to ensure that data is kept safe. – Justin Blanchard, ServerMania Inc.

8. DDoS Attacks

The rise of IoT has meant there’s a huge amount of internet-connected computing power that simply didn’t exist before. If hackers can gain access to insecure devices, they can take down huge portions of the internet by simply hammering servers with relentless requests from thousands or millions of connected devices (DDoS, or distributed denial-of-service). Even if you’re not an IoT company, you probably rely on the services that will be the targets — Amazon AWS, Google Cloud, Github, or Facebook, all of which have a big target on their back and all of which are now providing critical infrastructure to businesses. You should always have a Plan B, or at the very least, elegant fallback for if and when you lose access to key technological components of your software setup. – Tim Chaves, ZipBooks Accounting Software

9. Sensitive Data Storage

To be honest, I’m not sure if there is anything anyone can do to stop the world’s best hackers. Many of them are even capable of hacking into government systems. I take a different approach of not storing super sensitive data in our own database. For example, my e-commerce company does not store credit card information in our database. Even when you offer a recurring billing service, you can always store that sensitive info in a payment gateway’s server (Braintree, PayPal Pro, Authorize.net, etc.). This will allow you to manage recurring billing services without needing to save credit card data on your server, further protecting this information in the event of a data breach. – Shu Saito, All Filters LLC

10. Smartphone Security

While my business is about SMS marketing rather than IoT, the common denominator is the widespread use of smartphones. I always urge my clients and employees to be vigilant about safeguarding their phones and apps as this is the entry point hackers often use to gain access to private data. Be sure to use secure passwords and be careful about who you share them with. Be cautious about downloading apps connected to smart devices. Make sure the vendor is trustworthy and be careful about the permissions you set on your apps. When it comes to IoT, you might also want to think about how much automation you really need. Sometimes it just makes your life more complicated, as well as less secure, to have everything connected and automated. – Kalin Kassabov, ProTexting

Source: https://www.forbes.com/sites/theyec/2018/07/31/10-big-security-concerns-about-iot-for-business-and-how-to-protect-yourself/#4bd33ebe7416

DDoS Attacks Get Bigger, Smarter and More Diverse

DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics to reach new heights in volumetric campaigns, attacks that rely on a sheer wall of large amounts of packet traffic to overwhelm the capacity of a website and take it town.

However, while these traditional, opportunistic brute-force DDoS attacks remain a menace has emerged. These DDoS threats are more sophisticated and micro-targeted attacks. They take aim at, say, a specific application rather than a whole website. These type DDoS attacks are a rapidly growing threat, as are “low and slow” stealthier offensives. At the same time, bot herders are working on expanding their largely IoT-based botnet creations, by any means possible, often to accommodate demand from the DDoS-as-a-service offerings that have created a flood of new participants in the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.

“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing – and the landscape is moving quickly.”

Terabit Era Dawns

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably however, in February the world saw a 1.3 Tbps DDoS attack against GitHub—setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of bandwidth pipes being used by businesses.

The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster responsiveness of database-driven websites by improving the memory caching system. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers — by as much as 51,200x. That in turn means that malefactors can use fewer resources.  For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.

The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.

“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature – it just goes away. So, it’s not as scary as it seems.”

However, criminals are almost certainly looking for the next major reflector source.

“Expect a huge attack, then the good guys to come in and shut some of those resources down on) the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”

He added that the implications of being able to reach such dizzying attack heights could be profound going forward.

“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”

This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows – easily overwhelming the fiber’s capacity and knocking the country offline.

Rising Sophistication

While big, splashy volumetric attacks make headlines, the reality is that smaller, more sophisticated attacks are perhaps the greater concern.

“DDoS has historically been pretty unsophisticated – it doesn’t require a closed-loop response where you steal data and need to get it back to you,” said Sean Newman, director of product management at Corero Network Security. “Typically, you just send out the traffic to a pipe with the goal of filling it up. But, what we’ve seen recently is that those very large unsophisticated attacks [now] represent a small proportion of the [campaigns] that go on. Across all the DDoS efforts that we see, the majority, just over 70 percent, are [now] less than 1 GB in size. And that’s because the attackers are moving away from using simplistic brute force, to using more sophisticated techniques. Modern DDoS toolkits can launch both infrastructure-based (i.e., volumetric) and application-based payloads; application-layer attacks in particular are sneakier and can be very targeted, researchers said.

Rather than just look to overwhelm a company’s broadband connection or DNS infrastructure, as was the norm in the past, application-layer attacks focus on one aspect of the target’s communications, such as, say, a VoIP server. These look to exhaust specific server resources by monopolizing processes and transactions.

“Attacks use just enough traffic to be successful,” Chong explained. “Most of the enterprises out there in the market have around 100 Mbps of bandwidth coming into their location, so you don’t need a 1-terabit attack to be effective. These are small, specially crafted campaigns where threat actors first examine where a service is hosted, such as a data center, in the cloud or at a hosting provider – and then they launch a small attack that just overwhelms the limits of the target’s bandwidth. This approach is much more precise and effective, requires fewer resources, and often flies under the radar because the bad traffic’s volume is close in size to the normal traffic going into that enterprise.”

An example of this is the attacks mounted during protests in the wake of the 2009 Iranian presidential election. That’s when several high-impact and relatively low bandwidth efforts were launched against Iranian government-run sites. Since then, the method has gained popularity. Meanwhile, the large, “big-bang” efforts that still make up 30 percent of the campaigns seen in the wild are sometimes used as a distraction, Chong added, acting as a smokescreen to mask other activities, such as a data exfiltration effort. F5 for example noted last year that almost 50 percent of attacks fell into this category.

To carry this out, higher-end threat actors can use partial link saturation, designed to leave just enough bandwidth available for a secondary attack. In this scenario, a distracting DDoS attack consumes resources in enough security layers to allow a targeted malware attack through. Often the IT staff is so busy dealing with the DDoS attack, which causes damage to revenue and reputation on its own, to notice that another intrusion is taking place through other channels.

IoT Factor

While both volumes and sophistication are on the rise, the impact of DDoS botnets that are built from tens of thousands of compromised internet-of-things (IoT) devices remains perhaps the biggest story in this particular crime sector, representing a rapidly expanding threat surface.

“The explosion of IoT devices is an attack vector that’s going to be around and of interest for a long while,” said Newman. “Consumers and businesses are buying these devices for the coolness factor and the ability to automate your life. And vendors are much more incentivized to get the latest thing to market ASAP instead of spending time on security.”

Elias Bou-Harb, research assistant professor at Florida Atlantic University and a cyber-threat researcher, added: “While the focus was on functionality and accessibility, security is and continue to be an afterthought. Vendors should be vigilant about this and emphasize security in their design, early on. This is especially factual if those IoT devices are deployed and being operated in critical infrastructure.”Meanwhile, for many consumer and business IoT users, security remains low on the list of concerns, making for little pressure on vendors to clean up their act. That’s because owners of compromised IoT devices rarely end up feeling like victims, Newman added.

“The small amount of traffic being requested from each device may be only 1 megabit each, and you’re unlikely to feel that on your home network in terms of performance degradation,” Newman explained. For that reason, IoT botnets continue to be responsible for widespread infections, which can be easily marshalled for DDoS attacks.

“IoT is kind of the sweet spot for DDoS botnets, because these devices are prevalent, but no one really controls them – they’re almost unmanaged,” said Jeremy Kennelly, manager of threat intelligence analysis at FireEye. “Cameras and routers and things are just left out there, not being updated, and meanwhile the non-expert population gets used to what they think are just glitches – they don’t think they might be compromised.”

While Mirai kicked off the era of the IoT botnet on 2016, two of the latest events on the bot scene include the rise of the Satori botnet, which infected more than 100,000 internet-connected D-Link routers in just 12 hours, and the VPNFilter IoT botnet, which infected almost a million consumer-grade internet routers (i.e., Linksys, MikroTik, Netgear, and TP-Link) in more than 50 countries in a very short amount of time. VPNFilter is particularly nasty, capable of DDoS as well as delivering malware and stealing data.

Others meanwhile are appearing all the time.

“Very recently, June 18-June 22, we tracked a botnet (which was never reported before) composed of more than 50,000 IoT bots, distributed over 170 countries and hosted in more than 30 business sectors,” said Bou-Harb. “We are seeing excessive IoT exploitations targeting home and business routers, storage devices, cameras, voice over IP phones and more.”

Bot herders are also in a race to expand their IoT infrastructure – something that’s all too easy. IoT botnets are either built through simplistic compromises involving common, hard-coded, default passwords for devices that are easy to search for on the internet; or via the exploit of known vulnerabilities.

“The recent compromise of GPON home routers came down to a couple of specific vulnerabilities in the code that were never patched,” Newman said.

Code-reuse is also rife in IoT devices, meaning that putting effort into exploiting vulnerabilities can be a valuable vector with a lot of payoff. The Satori botnet for example was created by exploiting a known buffer overflow technique in generic code, Newman added.

Beyond existing IoT, the actors behind botnets are always looking to also commandeer new classes of devices from which to carry out attacks. In the future, things such as sensor networks or devices for smart-city applications could vastly expand the attack infrastructure.

“We haven’t seen the peak of what IoT botnets are capable of yet, and you can be sure there are more pools of resources out there to be found,” McKeay. “For instance, we’re not monitoring IPv6 as closely as we should – and I wouldn’t be surprised if there’s something lurking there that can be harnessed for this.”

All of the bad actors’ frenetic expansion activity is driven by basic market economics. “We continue to see competition for the infrastructure,” said Kennelly. “That’s one of the reasons that the peak sizes for DDoS are decreasing. The bad guys are all competing for the same set of resources. As members of the community trade tips and exploit code, certain botnets become more popularized, and they start competing for access to it. As the resources are consumed, peak sizes level out.”

Motivations

DDoS is traditionally seen as a tool used by politically and religiously motivated hacktivists to make a point. However, DDoS intentions are evolving, particularly with the advent of DDoS-as-a-service. Put simply, IoT botnets have paved the way for a new generation of cheap on-demand services. These dramatically lower the barriers to entry for attackers by eliminating the requirement to have technical knowledge to carry out an offensive.

“Anyone with a PayPal account can make a quick purchase on a WebStresser-like site,” said McKeay. “You could be a 12-year-old that saw a tutorial on a YouTube channel – there’s not a huge amount of technical skills needed to DDoS someone.”

This low bar to entry has given rise to new actors with new kinds of motivations behind attacks. For instance, as with most things in cybercrime, there’s an emerging financial aspect to attacks thanks to the fantastic ROI that some campaigns can offer.

“We are starting to see ransom-driven attacks shifting to DDoS,” explained Newman. “For $10 an hour you can cause enough damage to take a website down. So, you craft a few ransom emails from an anonymous account and ask for Bitcoin in exchange for sparing the target a DDoS attack. You have nothing to lose, really. In the likelihood you get a good hit rate – say one in 1,000, even one in 10,000 – you can be making good money as an individual on the back of that.”

Some DDoS-as-a-service providers even have a “try before you buy” function. As a consequence, person-to-person attacks are also on the rise.

“Many of these are gaming attacks,” explained Darren Anstee, CTO NETSCOUT Arbor. “If I’m a serious player of game X and I want to slow down gameplay for opponents, it’s easy to launch a small, short-lived attack for no money. A lot of people will use it for a social-media beef or gaming issue, or really any personal slight.”

Winning Poker Network CEO Phil Nagy for instance in September 2017 said that his site was hit with a series of 26 separate DDoS attacks over three days – he said they were being carried out by a rival poker room. However, on the other end of the spectrum adaptive adversaries have appeared. Those type bad guys are capable of turning a DDoS attack into something akin to a game of chess.

“In a recent campaign we looked at incoming traffic and identified unique strings and started blocking it – but then we saw the attacker to change the type of traffic, or change the strings, essentially adapting to the defenses,” said McKeay. “The attackers finally started hitting the DNS server—and if you take that offline then you’ve taken the company offline.”

The level of sophistication indicated a different type of opponent as well.

“Reflection tactics and botnets make attribution almost impossible,” McKeay said. “But someone modifying code and traffic on the fly like that is probably organized crime or a nation-state actor, demonstrating training and skills that aren’t everyday things in the DDoS world. They’re doing stuff with the code and reconfiguring tools as time goes by—across a multi-day project.”

That’s not to say that hacktivism doesn’t still play an important role in fomenting DDoS. NETSCOUT Arbor’s 2017 Worldwide Infrastructure Security Report showed that vandalism together with political and ideological disputes were among the top three motivators of DDoS attacks.

In the build up to Mexico’s presidential elections, for instance, the website of the country’s National Action Party was hit by DDoS after it published documents critical of the leading candidate. NETSCOUT Arbor saw more than 300 attacks per day in Mexico during the period of June 12 and 13, which was 50 percent higher than the normal frequency in the country.

Whether we discuss tactics, motivation or sheer capability, the DDoS threat landscape is becoming more sophisticated and varied over time. And, thanks to the rise of the IoT botnet phenomenon, it’s not an area that’s shrinking in terms of the dangers it poses to both businesses and consumers. The good news is that effective mitigations exist, from basic security awareness on the part of consumers (i.e., change those default passwords), to higher-end traffic inspection and in-stream cleaning functions for enterprises; better collaboration between researchers and law enforcement and the emergence of ISPs getting into the filtering act are also helping.

Source: https://threatpost.com/ddos-attacks-get-bigger-smarter-and-more-diverse/134028/

 

Copyright © 2014. DoS Protection UK. All Rights Reserved. Website Developed by: 6folds Marketing Inc. | Demo Test