« You can’t defend against something you don’t understand »

The fifth edition of the Luxembourg Internet Days will discuss issues related to securing networks and systems against DDoS attacks. Manuel Harnisch, of the Global Customer Success Group at Kentik, will discuss how the risks in this area have evolved, as well as the tactics to adopt to deal with them.


How are DDoS attacks and the risk of being affected evolving in recent years? (In general and specifically in Luxembourg)

It used to be that the threat of a DDoS attack had a fairly singular goal, to flood the target with so much traffic as to drown out all legitimate traffic, rendering everything unusable for legitimate users. The target then was mostly hosting companies, and the goal was to make the life of their customers and users miserable in aggregate.

These days, we see an increasingly more focused, targeted approach from attackers. For one, the target seems to have shifted more towards taking out either individual users or individual companies on the user side, rather than the provider side. For instance, more and more companies now rely on at least some cloud-hosted services, like Google Apps or Salesforce.com, to name just two. Attackers know that both of those services have pretty sophisticated defenses and attacking them would yield little in the way of success. Instead, it’s better to attack a user of those services, flooding their DNS servers or gateways with traffic, forcing them to drop legitimate outbound traffic to cloud-hosted applications. This then causes a productivity loss, and if done right, can allow an attacker to hold the victim to pay a ransom in exchange for stopping the attack.

Another angle we’ve seen is with the rise of cryptocurrency mining, and the reliance of many of the currencies on Proof of Work, a concept which is vulnerable to what is called a 51% attack. If you can control a majority of a crypto network’s hashrate, you can attempt to double spend tokens or otherwise act against the intentions of legitimate participants. A cryptohacker might also initiate a double-spend attack, mining their own chain, and then DoS all other legitimate pools so that they are the majority of the remaining hashpower. This ensures that the double-spend attack will work, and work with less hashrate than it would normally require. This is a very new shift in the use of both DDoS attacks and double-spend attacks, merging DDoS into the mix of cryptocurrency exploit tactics. While this is still niche, this vector of DDoS attacking of crypto nodes holds potentially huge, untraceable financial rewards. It’s the equivalent of the stagecoach robberies of the 1800s.


Can enterprises protect their network from more and more sophisticated and targeted attacks? 

The short answer is “yes,” but that comes with a set of caveats. First, the best defense, in our experience, has been awareness. Awareness around the fact that DDoS has evolved and can be used in a « weaponized » fashion by attackers.

Second, along with awareness comes the need for insights and understanding of what traffic is considered normal for a given network. You can’t defend against something you don’t understand, and in order to understand what an attack looks like, you have to first understand what the normal baseline looks like.

Third, DDoS defense needs to be something that’s part of an organization’s overall cybersecurity and availability stance.

Fourth, it’s about bringing it all together to choose the right tools for traffic monitoring, anomaly detection, and mitigation. Every organization is going to have slightly different needs here, and it’s important to have a conversation at the company’s C-suite to ensure everyone is aligned with that strategy.

Fifth and last, companies need to constantly re-evaluate the changing landscape. We would recommend looking at this at least annually, or whenever a major attack gets publicized.
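The second point above, knowing the normal baseline before you can recognise an attack, is the one that turns into code. The following is an added example written for this page, not Kentik's product or the interviewee's code: it builds a per-destination packets-per-minute baseline from constructed flow records (all IPs and counts are invented) and flags a minute whose volume is far outside that baseline, here a flood toward the organisation's own DNS server of the kind described earlier.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (minute, dst_ip, dst_port, packets).
# Minutes 0-9 are the quiet baseline toward the DNS server 10.0.0.53;
# minute 10 shows a DNS flood, while an unrelated HTTPS host stays normal.
BASELINE_PKTS = [1200, 1350, 1100, 1250, 1300, 1180, 1220, 1290, 1160, 1240]
SAMPLE_FLOWS = [(m, "10.0.0.53", 53, p) for m, p in enumerate(BASELINE_PKTS)]
SAMPLE_FLOWS += [(m, "10.0.0.80", 443, 900 + 10 * m) for m in range(10)]
SAMPLE_FLOWS += [(10, "10.0.0.53", 53, 48000), (10, "10.0.0.80", 443, 950)]


def per_minute_totals(flows):
    """Sum packets per (minute, dst_ip, dst_port) so several records collapse into one count."""
    totals = defaultdict(int)
    for minute, dst, port, pkts in flows:
        totals[(minute, dst, port)] += pkts
    return totals


def build_baseline(flows, last_minute):
    """Mean and population std-dev of per-minute packets for each (dst_ip, dst_port),
    using only minutes <= last_minute (the learning window)."""
    series = defaultdict(list)
    for (minute, dst, port), pkts in per_minute_totals(flows).items():
        if minute <= last_minute:
            series[(dst, port)].append(pkts)
    return {key: (mean(v), pstdev(v)) for key, v in series.items() if len(v) >= 2}


def detect_anomalies(flows, baseline, minute, sigma=4.0, min_ratio=3.0):
    """Flag (dst_ip, dst_port) pairs whose count in `minute` is both `sigma` std-devs above
    the baseline mean and at least `min_ratio` times it; the ratio guard stops a very flat
    baseline (tiny std-dev) from alerting on harmless small increases."""
    alerts = []
    for (m, dst, port), pkts in per_minute_totals(flows).items():
        if m != minute or (dst, port) not in baseline:
            continue
        mu, sd = baseline[(dst, port)]
        z = (pkts - mu) / sd if sd > 0 else float("inf")
        if z >= sigma and pkts >= min_ratio * mu:
            alerts.append({"dst": dst, "port": port, "packets": pkts,
                           "baseline_mean": round(mu), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_FLOWS, last_minute=9)
    for alert in detect_anomalies(SAMPLE_FLOWS, base, minute=10):
        print(alert)
```

Real deployments feed NetFlow/sFlow/IPFIX records into the same shape of check, and compare against a per-hour or per-weekday baseline rather than a single ten-minute window, since normal traffic itself has a daily rhythm.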


What is the right strategy or tactic to adopt to ensure the continuity of activities against these attacks?

It’s really a combination of awareness, visibility, executive/leadership buy-in, and execution. I think that recent history has shown that these threats won’t go away and are likely to increase in severity, frequency, and impact.

More and more of our personal and business lives rely on technology to function and function well. Think of it this way: 20 years ago, the digital economy was a really nice thing to have, but it wasn’t mission critical. Ten years ago, it became something that touched most of our lives and was very important. Today, it’s impossible to conduct business at scale without the use of technology. Nobody is going to go back to writing contracts by hand and mailing them, let’s be honest. While the future is always uncertain, if history is any indicator, we’ll be even more reliant on digital infrastructure in the years to come.

With this in mind, every business needs to think about their strategy and keep refining and evaluating it over time.


IMPORTANT

Meet Manuel Harnisch at the Luxembourg Internet Days event on November 13 & 14 at the Chambre de Commerce.
Registration mandatory: www.luxembourg-internet-days.com
Agenda: www.luxembourg-internet-days.com