Daily Archives: April 22, 2018

DDoS Attacks Can Cost Organizations $50,000 Per Attack

DDoS attacks are on the rise and can have a damaging impact on a company’s bottom line, both in terms of lost revenue and the costs incurred in terms of manpower required to mitigate attacks. To investigate this problem, Corero surveyed over 300 security professionals from a range of industries including financial services, cloud, government, online gaming and media sectors, which revealed that DDoS attacks are costing enterprises up to $50,000 (£35,000) per attack.

Yet despite this figure, lost revenue was still only considered to be the fourth most damaging consequence of this type of cyber-attack. Most respondents cited the loss of customer trust and confidence as the single most damaging effect on business of DDoS attacks. This is because DDoS attacks can impact the ability of sales teams to acquire new customers in increasingly competitive markets and cause lasting damage to a company’s reputation. In turn this usually has negative consequences for customer loyalty, churn and corporate profits.

DDoS As a Smokescreen

The second most damaging threat revealed by the survey was the risk of intellectual property theft, followed by the threat of malware infection associated with a DDoS attack. Indeed, the majority of respondents believed that DDoS attacks are being used by attackers as a precursor or smokescreen for data breach activity. Incidents like the infamous Carphone Warehouse attack remind us of the dangers of enterprise IT teams being distracted by DDoS attacks, while hackers take advantage of degraded network security to exploit other vulnerabilities for financial gain.

When hackers use DDoS attacks as a smokescreen, they typically use low-volume, short duration attacks that are designed not to outright deny service but to distract from their alternative motives. In addition to service outages, latency and downtime, short attacks allow cyber-criminals to test for vulnerabilities within a network. Considering the huge liability that organizations can face in the event of a data breach, IT teams must be proactive in defending against the DDoS threat and monitor closely for such malicious activity on their networks.

The IoT problem

The majority of respondents reported that their organization experiences between 20 and 50 DDoS attack attempts a month; equivalent to roughly one attack per day. Unsurprisingly, participants in the survey also viewed DDoS attacks as a bigger concern in 2018 than in the past, primarily due to the rise of insecure connected devices and the association between DDoS and data breach activity. Indeed, with the increased availability of cyber-attack tools and their capabilities, hackers can compromise IoT devices and enslave them into a botnet for use in DDoS attacks. For example, this year we’ve seen a new Mirai botnet known as Reaper which is reported to be targeting the financial sector. Reaper has been used to launch some of the largest botnet attacks since the infamous DDoS attack against DNS provider Dyn in October 2016 including those that hit three Dutch banks in January.

What’s next for DDoS?

With multi-vector attacks being the norm, DDoS attacks are becoming more complex to mitigate. The survey results indicate that more than 15 employees are typically involved in diffusing the threat when an attack strikes. In recent months we have also witnessed new records being set for the size of DDoS attacks, as cyber-criminals exploited the Memcached amplification attack vector to headline-grabbing effect. This has ushered in a new chapter in terms of DDoS attacks and made Terabit-scale events a reality.

As a result, any revenue and/or reputation sensitive organization with an online presence must take steps to ensure they are prepared for today’s DDoS attacks. The most effective way to defeat these threats is with always-on DDoS protection that can detect and mitigate the attacks in real-time.

For more information, please contact us.

NBlog April 23 – David v Goliath


Thanks to a mention in the latest RISKS-list email, I've been reading a blog piece by Bruce Schneier about the Facebook incident and changing US cultural attitudes towards privacy.
"As creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it ... [The smartphone] is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with."
With thousands of data brokers in the US actively obtaining and trading personal information between a far larger number of sources and exploiters, broad-spectrum and mass surveillance is clearly a massive issue in America. The size and value of the commercial market makes it especially difficult to reconcile the rights and expectations of individuals against those of big business, plus the government and security services. This is David and Goliath stuff.

GDPR is the EU's attempt to re-balance the equation by imposing massive fines on noncompliant organizations: over the next few years, we'll see how well that works in practice. 

Meanwhile, US-based privacy advocates such as EPIC and EFF have been bravely fighting the individuals' corner. I wonder if they would consider joining forces? 

OMG The Stupid It Burns

This article, pointed out by @TheGrugq, is stupid enough that it's worth rebutting.




The article starts with the question "Why did the lessons of Stuxnet, Wannacry, Heartbleed and Shamoon go unheeded?". It then proceeds to ignore the lessons of those things.

Some of the actual lessons should be things like how Stuxnet crossed air gaps, how Wannacry spread through flat Windows networking, how Heartbleed comes from technical debt, and how Shamoon furthers state aims by causing damage.

But this article doesn't cover the technical lessons. Instead, it thinks the lesson should be the moral lesson, that we should take these things more seriously. But that's stupid. It's the sort of lesson people teach you that know nothing about the topic. When you have nothing of value to contribute to a topic you can always take the moral high road and criticize everyone for being morally weak for not taking it more seriously. Obviously, since doctors haven't cured cancer yet, it's because they don't take the problem seriously.

The article continues to ignore the lesson of these cyber attacks and instead regales us with a list of military lessons from WW I and WW II. This makes the same flaw that many in the military make, trying to understand cyber through analogies with the real world. It's not that such lessons could have no value, it's that this article contains a poor list of them. It seems to consist of a random list of events that appeal to the author rather than events that have bearing on cybersecurity.

Then, in case we don't get the point, the article bullies us with hyperbole, cliches, buzzwords, bombastic language, famous quotes, and citations. It's hard to see how most of them actually apply to the text. Rather, it seems like they are included simply because he really really likes them.

The article invests much effort in discussing the buzzword "OODA loop". Most attacks in cyberspace don't have one. Instead, attackers flail around, trying lots of random things, overcoming defense with brute-force rather than an understanding of what's going on. That's obviously the case with Wannacry: it was an accident, with the perpetrator experimenting with what would happen if they added the ETERNALBLUE exploit to their existing ransomware code. The consequence was beyond anybody's ability to predict.

You might claim that this is just the first stage, that they'll loop around, observe Wannacry's effects, orient themselves, decide, then act upon what they learned. Nope. Wannacry burned the exploit. It's essentially removed any vulnerable systems from the public Internet, thereby making it impossible to use what they learned. It's still active a year later, with infected systems behind firewalls busily scanning the Internet so that if you put a new system online that's vulnerable, it'll be taken offline within a few hours, before any other evildoer can take advantage of it.

See what I'm doing here? Learning the actual lessons of things like Wannacry? The thing the above article fails to do??

The article has a humorous paragraph on "defense in depth", misunderstanding the term. To be fair, it's the cybersecurity industry's fault: they adopted then redefined the term. That's why there's two separate articles on Wikipedia: one for the old military term (as used in this article) and one for the new cybersecurity term.

As used in the cybersecurity industry, "defense in depth" means having multiple layers of security. Many organizations put all their defensive efforts on the perimeter, and none inside a network. The idea of "defense in depth" is to put more defenses inside the network. For example, instead of just one firewall at the edge of the network, put firewalls inside the network to segment different subnetworks from each other, so that a ransomware infection in the customer support computers doesn't spread to sales and marketing computers.

The article talks about exploiting WiFi chips to bypass the defense in depth measures like browser sandboxes. This is conflating different types of attacks. A WiFi attack is usually considered a local attack, from somebody next to you in bar, rather than a remote attack from a server in Russia. Moreover, far from disproving "defense in depth" such WiFi attacks highlight the need for it. Namely, phones need to be designed so that successful exploitation of other microprocessors (namely, the WiFi, Bluetooth, and cellular baseband chips) can't directly compromise the host system. In other words, once exploited with "Broadpwn", a hacker would need to extend the exploit chain with another vulnerability in the hosts Broadcom WiFi driver rather than immediately exploiting a DMA attack across PCIe. This suggests that if PCIe is used to interface to peripherals in the phone that an IOMMU be used, for "defense in depth".

Cybersecurity is a young field. There are lots of useful things that outsider non-techies can teach us. Lessons from military history would be well-received.

But that's not this story. Instead, this story is by an outsider telling us we don't know what we are doing, that they do, and then proceeds to prove they don't know what they are doing. Their argument is based on a moral suasion and bullying us with what appears on the surface to be intellectual rigor, but which is in fact devoid of anything smart.

My fear, here, is that I'm going to be in a meeting where somebody has read this pretentious garbage, explaining to me why "defense in depth" is wrong and how we need to OODA faster. I'd rather nip this in the bud, pointing out if you found anything interesting from that article, you are wrong.