By Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar
In the twenty years since a University of Minnesota computer came under attack from a network of over 100 computers infected with a malicious script, three things have seemed certain in life: death, taxes, and that Distributed Denial of Service (DDoS) attacks would continue to steadily grow in size, scale and impact.
From that first instance on, DDoS attacks seemed to adhere to a “grow always in all ways” philosophy. Attackers would exploit vulnerable machines – or, in recent years, insecure IoT devices – to launch a coordinated botnet against the target, the objective being to disrupt or block business traffic.
Revered for their ability to deliver blunt force trauma, DDoS attacks are capable of overwhelming even the mightiest Fortune 500 company, causing untold impact to a business’ infrastructure and operations. As companies began evolving their cybersecurity mechanisms, a funny thing happened—DDoS attacks began to evolve, too.
A recent analysis of DDoS attack patterns confirmed two recent trends more clearly than before: a steady increase in the number of vectors being used by attackers, and an increase in the volume of small attacks sized 5 Gigabits per second (Gbps) and lower. For perspective, the kinds of massive attacks that make the news are typically above 100 Gbps.
Counterintuitive as it may seem to go tiny, attackers have recognized that small, targeted DDoS attacks can evade an organization’s defenses by coming in below the threshold at which those defenses are triggered. An attack that stays below this threshold can continue for a long time undetected. While it may sound like an oxymoron to some, the ability of bad actors to narrowly target their DDoS attacks is becoming more and more precise. As the target becomes smaller, less traffic is required to bring it down. Smaller DDoS attacks can narrowly target the weakest link in an organization’s infrastructure, degrading the performance of a specific business application or damaging a single API, harming the organization by the death-by-1,000-paper-cuts approach.
The volume of attacks sized 5 Gbps and below increased by 158% in Q2 of 2019 compared with the same quarter last year – the single area with the highest percentage of growth. Additionally, over 75% of all attacks mitigated by Neustar last quarter were sized 5 Gbps or less.
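The evasion described above, an attack that stays under the volumetric trigger while degrading a single API, is the case a fixed Gbps trip-wire is blind to. The following script is an added example, not code from the article or from Neustar: it runs a site-wide 5 Gbps threshold and a per-endpoint, baseline-relative detector over constructed one-minute byte counters for two assumed endpoints, and shows that only the per-endpoint detector sees a tripling of checkout traffic that adds well under 1 Mbps to the site total. Endpoint names, traffic levels, the threshold and all tuning constants are assumptions.

```python
"""Detecting a sub-threshold ("low and slow") DDoS against a single endpoint.

Added example, not from the article: contrasts a fixed volumetric trip-wire
with a per-endpoint robust-baseline detector. Endpoint names, traffic levels
and tuning constants are all constructed assumptions.
"""
from statistics import median
from typing import Dict, List, Tuple

GBPS_THRESHOLD = 5.0      # assumed volumetric trip-wire; small attacks stay below it
BASELINE_WINDOW = 30      # minutes of clean history behind the baseline
DEVIATION_FACTOR = 5.0    # MADs above the median that count as anomalous
SUSTAINED_MINUTES = 5     # consecutive anomalous minutes before an alert


def mbps(byte_count: int, seconds: int = 60) -> float:
    """Convert a per-interval byte counter to megabits per second."""
    return byte_count * 8 / seconds / 1e6


def constructed_traffic() -> Dict[str, List[int]]:
    """Constructed sample: 90 one-minute byte counters for two endpoints.

    '/' carries ~500 MB/min of normal traffic with deterministic jitter.
    '/api/checkout' carries ~2 MB/min and is hit from minute 60 on by an
    attack that triples its load: an extra ~0.5 Mbps, lost in the site total.
    """
    minutes = 90
    front = [500_000_000 + (i % 13 - 6) * 5_000_000 for i in range(minutes)]
    checkout = [2_000_000 + ((i * 37) % 11 - 5) * 20_000 for i in range(minutes)]
    for i in range(60, minutes):
        checkout[i] *= 3
    return {"/": front, "/api/checkout": checkout}


def aggregate(traffic: Dict[str, List[int]]) -> List[int]:
    """Site-wide counter: what a single volumetric sensor would see."""
    return [sum(col) for col in zip(*traffic.values())]


def volumetric_alert(series: List[int]) -> bool:
    """Classic detector: fires only when the rate crosses a fixed Gbps line."""
    return any(mbps(b) >= GBPS_THRESHOLD * 1000 for b in series)


def robust_baseline(history: List[int]) -> Tuple[float, float]:
    """Median and median absolute deviation; both resist outlier contamination."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard against zero spread
    return med, mad


def sustained_deviation_alerts(series: List[int]) -> List[int]:
    """Minute indices at which a sustained deviation from baseline is declared.

    Only minutes that were not flagged feed the baseline, so a long-running
    attack cannot slowly teach the detector that its traffic is normal.
    """
    clean = list(series[:BASELINE_WINDOW])  # seed with the first window
    alerts: List[int] = []
    run = 0
    for i in range(BASELINE_WINDOW, len(series)):
        med, mad = robust_baseline(clean[-BASELINE_WINDOW:])
        if series[i] > med + DEVIATION_FACTOR * mad:
            run += 1
            if run == SUSTAINED_MINUTES:
                alerts.append(i)
        else:
            run = 0
            clean.append(series[i])
    return alerts


def report(traffic: Dict[str, List[int]]) -> Dict[str, object]:
    """Run both detectors: site-wide and per endpoint."""
    total = aggregate(traffic)
    return {
        "peak_mbps": round(max(mbps(b) for b in total), 1),
        "volumetric_alert": volumetric_alert(total),
        "aggregate_baseline_alerts": sustained_deviation_alerts(total),
        "per_endpoint_alerts": {
            name: sustained_deviation_alerts(series) for name, series in traffic.items()
        },
    }


if __name__ == "__main__":
    for key, value in report(constructed_traffic()).items():
        print(f"{key}: {value}")
```

The design point is granularity: the site-wide series peaks around 70 Mbps, so neither the 5 Gbps line nor a baseline on the total ever moves, while the checkout series is flagged on the fifth consecutive anomalous minute. Feeding only unflagged minutes back into the baseline is what keeps a weeks-long attack from becoming the new normal.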
What’s more, a survey conducted this quarter by the Neustar International Security Council (NISC) found a staggering 72% of senior cybersecurity leaders and decision-makers were not confident in their organization’s ability to notice a smaller attack. To protect against increasingly precise and inconspicuous DDoS attacks, businesses must deploy best practices to ensure that they are defending the infrastructure that is most valuable to their business. So how do you as an executive defend your business against these attacks?
- Develop a Risk Register: This begins with an inward analysis of your company’s most critical business assets and works outward towards your internet presence. Throughout this process, your team should be asking, “If certain parts of our business were compromised or disabled, how destabilized would our entire enterprise become?” Such destabilization could range from intellectual property theft to compromised customer information or inhibited shopping cart features. For some, a blog is as critical to their enterprise as customer billing logs. This exercise helps you distinguish between the parts of your business that are valuable to your company’s existence (such as a blog or a shopping cart feature) and those that are simply vulnerable by their very nature (such as routers or smart speakers). While valuable assets and vulnerable assets are not mutually exclusive, you may be surprised at how little overlap there is between the two. Making this distinction will help your executive team deploy the right protection in the right place.
- Reevaluate Your DDoS Protection: As multi-vector attacks increase, it is increasingly important to ensure you are taking the right approach to DDoS protection. Between April and June 2019, more than 82% of attacks mitigated by Neustar used two or more threat vectors, with 7% utilizing more than four. There are two types of mitigation services to consider for DDoS protection: always-on and on-demand. Because bad actors increasingly use multiple vectors for attacks, a best practice is to begin with always-on DDoS protection to gain an understanding of how much malicious traffic you are receiving, then move to on-demand mitigation if necessary. By initially setting your default to the always-on scenario, you will gain a strong understanding of what should be protected and how much protection you need. Once you have a feel for your attack thresholds, you can then work with your cybersecurity provider to determine which type of mitigation service is needed to protect your critical assets.
- Understand Your IoT Risk: As the use of IoT devices increases, the growing number of connected assets your company owns will only compound the threat. Intel has projected that internet-enabled device penetration will grow from 2 billion in 2006 to 200 billion connected devices by 2020, which is about 26 smart devices for each human on earth. IoT devices come with a unique set of cybersecurity and privacy risks, so it is important for organizations to establish best practices now, before connected devices with unknown vulnerabilities proliferate throughout the network. Ensure your executive team has a solid understanding of your organization’s existing IoT footprint. Once a database of connected devices is established, the IT and security teams must work together to perform routine checks of those devices to ensure cybersecurity hygiene. Since one of the greatest security risks to an organization is its people, taking the time to ensure employees understand cybersecurity basics, such as how to spot a phishing email and the importance of two-factor authentication, will help to build awareness and create a culture of security.
Although supermassive DDoS attacks that overwhelm a target with a tidal wave of network traffic aren’t going away, some attackers have traded in the sledgehammer and embraced subtlety. They have found ways to launch attacks that are small enough to evade standard DDoS protection and precise enough to target a single weak link in an organization’s infrastructure. Until we see drastic changes in the way communications are handled on the internet, DDoS attacks large and small will remain formidable. But by understanding where you are at risk around critical business operations, knowing how to protect them and maintaining an active awareness of what IoT devices are being managed, you will put your company in a strong position to weather DDoS attacks, regardless of size or complexity.
About the Author
Rodney Joffe, Senior Vice President, Senior Technologist and Fellow, Neustar. Rodney Joffe serves as a Neustar Senior Vice President and is a Senior Technologist and Fellow. His accomplishments include founding the first commercial Internet hosting company, Genuity, as well as the first outsourced and cloud-based Domain Name System (DNS) company, UltraDNS, where he invented Anycast Technology for DNS. Joffe has served on a number of the U.S. government’s cybersecurity intelligence panels and was the leader of the groundbreaking Conficker Working Group. He is one of the first civilians to receive the Federal Bureau of Investigation (FBI) Director’s Award due in no small part to his role in uncovering and taking down the Butterfly Botnet. He has also been honored with the Mary Litynski Lifetime Achievement Award from M3AAWG, the global Messaging, Malware, and Mobile Anti-Abuse Working Group, and was most recently publicly recognized for his years of work and dedication in helping protect against cybercrime, winning The Computing Security Award for his contribution to Cyber Security in 2018.
Joffe is also the chairman of the Neustar International Security Council (NISC), which is comprised of an elite group of cybersecurity leaders across industries and companies who meet regularly to discuss the latest cyberattack trends.