The recently publicized Distributed Denial of Service (DDoS) attacks on the Domain Name System (DNS) service provider Dyn involved large numbers of IoT (Internet of Things) botnets. These attacks took many high traffic websites such as Twitter, Spotify and Netflix temporarily offline.
Contrary to conventional wisdom, recent reports suggest this attack could be the largest of its kind carried out by amateur hackers rather than by more sophisticated actors. This was made possible by the anonymous developer of the Mirai malware, who recently published its source code on the underground hacker network: the black marketplace on the web where skilled cyber criminals share content, innovate, refine their skills, and offer their expertise and malicious code to less skilled criminals. Criminals today do not even have to write code; an entire support system is in place to enable hacking campaigns like this one. The Mirai-based DDoS attack is another harsh reminder never to be complacent about our security model.
It is very clear that the evolving threat environment has a profound effect on how we manage the security risks posed by vulnerable IoT devices. It is estimated that the number of these devices connected to IP networks will nearly triple the size of the global human population by 2017. More than 9 billion devices are already connected to the internet today, and by 2020 that figure will rise to between 20 and 50 billion according to reports from Gartner, IDC and others. What we should anticipate is a highly intricate Wi-Fi-controlled network of devices such as digital wearables, thermostats, light controls, vending units, and all sorts of smart appliances living everywhere inside our homes, public places, retail spaces, and work environments. What we all need to remember is that the vast majority of these devices are not designed with a focus on secure coding practices. In fact, a very large percentage of them have known vulnerabilities in their firmware that can easily be exploited by advanced malware such as Mirai. The questions to ask are (1) how many of these devices may be connected to your Wi-Fi network, and (2) what risk is your organization already exposed to today?
Let’s face it: attack methods are changing all the time and, frankly, very quickly. IoT-based attacks are one of the fastest growing and most prevalent DDoS attack vectors in 2016. Many organizations struggle to understand their risk profile, which risks to focus on, and where to put more of their security people and resources to better protect their environment from the various types of cyber-attacks. Unlike ransomware or zero-day threats, DDoS attacks are commonly used for extortion. Although it is still unclear what the primary motivation behind the Dyn attack was, it is plausible that money could be the ultimate endgame. For Dyn and other organizations facing potential Mirai-based attacks in the future, it would not be unusual for victims to receive advance warning of an imminent DDoS attack if a demand for money is not met. So rather than taking a wait-and-see position with your security model, below are four key steps you can take to immediately reduce your risk profile.
Change the conversation from security to risk.
How would you respond if someone asked you whether your organization is secure? In today’s world, the honest answer is no. In light of what happened with Dyn and Krebs on Security, I encourage you to think about what you have been doing in your security programs, whether those measures are still effective, and whether you are as secure as you can be. The reality is that we are dealing with unpredictable risks, so whether or not you are secure is not the ideal question. The appropriate question is about your risk. Understanding where your risks are, and which risk areas you cannot tolerate, allows you to make a realistic, accurate assessment of your security model and of which parts of your environment need continuous focus.
Understand who is attacking you.
It is critically important to understand the adversary’s focus and which attack methods the attacker is likely to use against your specific organization, and to make sure you are not spreading security evenly, since that weakens security where it needs the most focus. Is the attacker after your data, or attempting a service disruption? You want your security to be laser focused on the risk areas for which you have zero or low tolerance, while allowing it to be less deep and less focused in areas where you have a greater degree of tolerance. Fundamentally, you have to accurately define the areas your adversaries are going after and decide where you are going to put your people and technology.
Establish and rehearse your response and remediation plan.
We should accept the reality that it is not a matter of if, but when, we are going to be attacked. Establishing a strong and repeatable response and remediation plan is therefore paramount to returning to optimal capacity and preserving your brand reputation. Having a sanctioned plan and process in place to get things under control when they go from bad to worse prepares everyone on the response team to understand their roles and what they will do during an attack. You need to test your plan regularly, run simulations as you would a fire drill, improve the process, and train first responders to execute the remediation plans efficiently and as designed. That may mean disaster recovery of the environment, quickly locking down compromised areas, or spinning up secondary resources; either way, everyone knows their role and understands what needs to be done. It is also very important to involve non-technical responders such as PR, marketing, and legal to establish how they will respond and communicate on the business side, helping to maintain customer confidence and avoid regulatory risk. All of this must be thought out well in advance.
Reduce your attack aperture.
DDoS floods predominantly use the UDP protocol as their underlying mechanism, and UDP remains one of the most common flood mechanisms today. Typically, attackers send to random UDP ports on the victim. NTP, DNS and SNMP are the most susceptible services because they are the most common and widely deployed UDP protocols. UDP floods use targeted mechanisms to exhaust a target machine’s or group’s resources to the point that the end device can no longer serve legitimate traffic. Because UDP has no handshake like TCP’s to validate legitimate connections, it is a favorite of attackers for spoofing the source IP address and redirecting responses to any destination. The attacks can be amplified when large responses are redirected toward a target, as in the DNS amplification attacks on Dyn.
There are flood protection mechanisms on SonicWall firewalls to reduce the aperture for attacks via UDP, SYN and ICMP.
UDP flood protection mitigates these attacks by setting a “healthy” baseline threshold for traffic originating either outside or within the network. If an attack instead exploits an anomaly in the protocol, the SonicWall DPI engine protects against it. Baseline thresholds can likewise be set for SYN floods and ICMP floods. Source IP and destination IP connection limits can be set on access rules to cap the number of connections to a particular destination, and these combine with Geo-IP and Bot-Net (command and control center) filtering to add a further layer of protection.
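As an added illustration of the baseline-threshold and connection-limit controls described in the two paragraphs above (this is not SonicWall’s code or configuration), the following Python computes per-destination UDP packet rates and per-source and per-destination connection counts over a constructed random-port flood from spoofed sources; the flow-record format, addresses, rates and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records, not real traffic: (second, src_ip, dst_ip, dst_port, proto).
# Addresses are documentation ranges; rates and thresholds are assumptions for illustration.
def build_sample_flows():
    flows = []
    # Baseline: one client querying the DNS server at 5 packets per second for 10 seconds.
    for sec in range(10):
        flows.extend((sec, "192.0.2.10", "198.51.100.53", 53, "udp") for _ in range(5))
    # Flood in seconds 5-9: 400 packets/second from 250 spoofed sources to random high ports.
    for sec in range(5, 10):
        for i in range(400):
            src = f"203.0.113.{i % 250 + 1}"
            flows.append((sec, src, "198.51.100.53", 1024 + (i * 37) % 60000, "udp"))
    return flows

def udp_flood_alerts(flows, baseline_pps):
    """Per-destination UDP packets per second; alert on seconds above the baseline threshold.
    Each alert is (second, dst_ip, packets, distinct_sources, distinct_ports): many sources
    and many ports at once is the signature of a spoofed random-port flood."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    ports = defaultdict(set)
    for sec, src, dst, port, proto in flows:
        if proto != "udp":
            continue
        pkts[(sec, dst)] += 1
        srcs[(sec, dst)].add(src)
        ports[(sec, dst)].add(port)
    return sorted((sec, dst, n, len(srcs[(sec, dst)]), len(ports[(sec, dst)]))
                  for (sec, dst), n in pkts.items() if n > baseline_pps)

def connection_limit_violations(flows, max_conns, by="dst"):
    """Distinct connections per destination (by="dst") or per source (by="src"),
    returning the endpoints whose count exceeds max_conns, as an access-rule limit would."""
    conns = defaultdict(set)
    for _sec, src, dst, port, _proto in flows:
        if by == "dst":
            conns[dst].add((src, port))
        else:
            conns[src].add((dst, port))
    return {ip: len(c) for ip, c in conns.items() if len(c) > max_conns}

if __name__ == "__main__":
    flows = build_sample_flows()
    for alert in udp_flood_alerts(flows, baseline_pps=100):
        print("UDP flood: second=%d dst=%s pkts=%d srcs=%d ports=%d" % alert)
    for by in ("src", "dst"):  # spoofed sources stay under a per-source limit; the destination limit trips
        print(f"per-{by} violations:", connection_limit_violations(flows, 200, by=by))
```

Because the flood spreads its packets across spoofed sources, only the per-destination limit and the per-destination baseline threshold fire, which is why the text pairs source limits with destination limits and baselines.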
For more information on SonicWall’s Next-Generation Firewall, and how it can help you focus on key risk areas and best prepare your organization for the next attack, contact a SonicWall security expert. To learn more, you can also download Achieve deeper network security and application control.