Guest Post, Author at Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts By :

Guest Post

The state of the security team: Are executives the problem?

960 640 Guest Post

By LogRhythm

A global survey of security professionals and executives by LogRhythm

Amid a slew of statistics on how job stress is impacting security professionals, we sought to learn the causes of the tension and anxiety — as well understand potential ways teams might alleviate and remediate the potential of job burnout. 

We ran a global survey with security professionals and executives and investigated the tools those security professionals use to understand solution capabilities, deployment strategies, technology gaps, and the value of tool consolidation.

Key findings

“Now, more than ever, security teams are being expected to do more with less leading to increasing stress levels. With more organisations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern,” says James Carder, CSO and VP of LogRhythm Labs. “This is a call to action for executives to prioritise alleviating the stress and better support their teams with proper tools, processes, and strategic guidance.”

When asked what causes the most work-related stress, not having enough time is cited by 41 percent and working with executives by 18 percent. In fact, 57 percent of respondents think their security program lacks proper executive support — defined as providing strategic vision, buy-in and budget.

In addition, security professionals cite inadequate executive accountability for strategic security decisions as the top reason (42 percent) they want to leave their job. This is a worrying statistic, given that nearly half of companies (47 percent) are trying to fill three or more security positions.

If you are leading a security team or part of a SOC, hearing that stress is increasing in your space is likely no surprise. To keep up with the threats facing your organisation, it is clear there needs to be a cultural shift — and it must start at the top. It is no longer just the responsibility of a CISO or CSO. To ensure a company is secure, the board and executive team must supply their security team with the strategic guidance, a healthy budget, and the proper tools required to effectively do their jobs.

Further information is available in the full report, available from the LogRhythm website

Joiner-Mover-Leaver process: Solve it once and for all?

960 640 Guest Post

By Tenfold Security

JML processes give IT and HR departments regular headaches and often create quite hefty conflicts between those two departments. What is this all about?

When a new employee joins your organization, HR will know about them first, as they sign the contracts and do the onboarding. Today, many employees will require IT system access in order to fill their job role. That means IT needs to know about new hires so they can onboard them as well with all the necessary resources:

  • Client hardware (PC, Laptop, etc.)
  • Active Directory accounts, group memberships
  • E-Mail access, distribution groups, access to shared mailboxes
  • Access to applications like ERP or CRM

If HR fails to pass on that information (for whatever reason), you might end up with a new employee not being productive on their first few days, because they can’t access important systems and data. This is not only a loss for the company, but also creates great frustration for the new hire.

The same challenge arises if HR forgets to inform IT about employee that has departed from the organization recently. The result are orphaned user accounts that pose a huge security risk and generate costs in the form of unused software licenses.

How to solve the issue? We at tenfold, the leading mid-market Identity & Access Management solution propose the following:

  • If you manage less than 500 users, let HR manually input new hires, leavers and data changes (for example last name changes or new telephone numbers) into tenfold. Our software will then distribute those changes to Active Directory and other systems. Your HR users don’t have to be domain administrators for this to work.
  • If you manage more than 500 users, attach your HR management or payroll system directly to tenfold to automate the whole process. Read all about how this is made possible by the tenfold Import Plugin: https://www.tenfold-security.com/en/import-plugin-tenfold/

If you would like to learn about the basics of access management in Microsoft environments (structure, access right levels, access control lists, inheritance) then download our detailed white paper “Best Practices For Access Management In Microsoft® Environments” at this link: https://www.tenfold-security.com/en/whitepaper-best-practices/  

Want to try tenfold for yourself? No problem, just register to download our free trial https://www.tenfold-security.com/en/free-trial/

Why endpoint security matters more than ever

960 640 Guest Post

The swiftly evolving threat landscape, combined with the huge increase in remote working, means that securing your organisation’s endpoints has never been more critical.

Here, George Glass, Head of Threat Intelligence at Redscan, explains the importance of endpoint security and why detecting and responding to the latest threats demands greater endpoint visibility and specialist expertise...

Next-generation endpoint protection is a must

As cyber threats continue to evolve, it’s increasingly clear that organisations must look beyond traditional endpoint security solutions.

Antivirus software remains essential, but relying on traditional AV tools, which are largely signature-based, can leave organisations vulnerable to more sophisticated threats. Most traditional AV solutions are estimated to block just 40% of attacks.

Detecting the latest advanced threats requires next-generation capabilities, such as those provided by Endpoint Detection and Response (EDR) and Next-Gen AV (NGAV) platforms. 

EDR and NGAV technologies provide deep visibility across devices by collecting raw telemetry relating to processes, file modifications and registry changes, and using behavioural analytics to examine events in near real-time. 

Fileless malware is a serious risk to organisations and the top critical threat to endpoints in 2020. However, without more advanced endpoint detection there is a real danger that these and other sophisticated attack vectors can be missed.

The increasing risks of remote working

Providing employees with seamless access to the corporate network is essential to ensure that they can fulfil their roles effectively, but every device that connects to the network carries an inherent risk.

When employees work from home, they are located outside the protection of the corporate firewall, which can monitor and block incoming and outgoing communications to endpoint devices. Many organisations insist that employees connect to a Virtual Private Network (VPN) and while this can offer some security, ensuring all employees do so with regularity can be a challenge.

Employee devices are at greater risk for a number of other reasons too. Many often have unpatched software vulnerabilities and are operated by people susceptible to phishing, the most common attack vector used to target endpoints.

Malware threats such as Emotet are primarily delivered via emails. Emotet is equipped with wormable features, making it highly effective at triggering ransomware. 

The average cost per breach resulting from an attack on endpoints is over £7 million, more than twice the average cost of a general data breach 

(Ponemon Institute)

The significant damage and disruption that endpoint breaches can cause makes incident response critical. Securing endpoints is important because it helps organisations to reduce incident response times by disrupting and containing attacks earlier in the kill chain. Advanced tools like EDR can automate response actions, such as by terminating processes and isolating infected endpoints from a network, thereby ensuring infections are shut down as quickly as possible.

With threats deployed more quickly than ever, a swift response is vital to address critical vulnerabilities such as Zerologon and shutting down ransomware attacks, which can achieve full domain-wide encryption in just a matter of hours.

The challenges of endpoint security 

Early detection of endpoint attacks is imperative, but without a team of security experts to manage and monitor EDR and NGAV technologies around-the-clock, organisations will experience challenges with achieving the required security outcomes.

Next-generation endpoint solutions collect and analyse a huge volume of data, and the greater the number of devices and applications that are monitored, the more security alerts that can result. This causes growing complexity that can be difficult to manage for in-house teams, who may lack the specialist security training required to make sense of them.

Getting the best from the latest tools and reducing false positives requires security teams to draw upon a wide range of threat intelligence and develop custom rulesets that accurately identify the latest threat behaviours.

It is only by maximising the benefits of specialist technology that organisations will fully realise their endpoint security goals.

George Glass is Head of Threat Intelligence at Redscan, a leading UK-provider of Managed Detection and Response and security assessment services. 

To learn more, visit www.redscan.com/

Identity Access Management vs. Access Rights Management – What’s the Difference?

615 410 Guest Post

The terms access management (short: AM; also referred to as access rights management or just rights management) and identity & access management (short: IAM) are often used synonymously. In practice, however, they do not stand for the same thing. In this article, we are going to take a closer look at the difference between access rights management software and identity/access management solutions.

Check out the article at https://www.tenfold-security.com/en/identity-access-management-vs-permission-management-whats-the-difference/

If you are looking to secure data access in your organization by:

  • Getting more visibility out of your Active Directory environment
  • Want to manage file server access rights in a best practice compliant way
  • Want to automate your user lifecycle tasks
  • Let users request access and have your business owners approve requests
  • Achieve compliance for need-to-know permissions

Then try tenfold for free today and see how we will be able to make your IT infrastructure more secure from day one.

Request free trial at: https://www.tenfold-security.com/en/free-trial/

Meeting the Tests to get out of Data Lockdown

960 640 Guest Post

Digital transformation of any business has always been hampered by making sense of underlying data. And that data has been growing in volume at an unprecedented rate driven by the growth of IoT. It’s the perfect storm – the need for real-time information being increasingly distanced by the rate at which the data volume is growing. Businesses need insight, not just data, which means getting the right information, to the right person, at the right time. 

But the age-old problem remains today – how do you understand and see what data you have readily available, in a format that’s usable and that you can access at the right time? Peter Ruffley, CEO, Zizo, explores three aspects businesses must consider to get out of ‘data lockdown‘…

Data access 

There are a multitude of ways to store and access data, but a majority of businesses haven’t considered access to external data sources yet. When we begin to question how to enrich and improve data, one of the fundamental capabilities of this process is by integrating external third-party data sources, such as weather, crime or other open data sources. 

Businesses need to have an understanding of what they need to do to make the process worthwhile, and ensure they have the correct capabilities before they start. A common first approach for many organisations is to build from scratch and make it their own, rather than considering the buyer approaches where you look at what’s out there, explore the marketplace and transform existing data to use within the business, rather than starting from the ground up. 

If they can’t combine different sources of data quickly and cost-effectively together, they won’t move forward. It makes sense to digitally transform an organisation if it is going to make use of what’s already out there, as being able to tap in and share other work and insights will make the exercise worthwhile and cost-effective. With combinations of solutions available in the marketplace that can accelerate the process by providing the necessary building blocks, it’s time to transform the digital transformation process. 

Data responsibility 

There remains a disconnect between IT teams and businesses’ impressions about what it means to provide the data. If both parties are not aligned with the same aims of the business, the project could stall at the first hurdle. Instead, organisations need to bridge the divide and encourage stronger collaboration between all stakeholders. When businesses realise where those holes are in their structure, it’s key to get people involved to solve those challenges. 

This involves change on three levels; personnel, cultural and technological. Who’s responsible for this chain? Whose action is it? How do we bring these teams together? The business might be storing a lot of data, but how can it be accessed, interrogated and made useful? How will the business’ data goals be defined? 

Typically, the digital transformation initiative comes from the top in the organisation. In order to get your business on board, you have to make a very clear case of what the benefits are. Employees need to trust that improvements will be made for them by doing this, rather than just dictating the plan. Digital transformation is a change programme, which impacts all aspects of the business. You therefore have to approach it in the same way that you would approach any change project – with clear objectives and an agreed process of identifying how you’re going to get value from data. With a compelling case, you have a much better chance of carrying it through with buy in from all stakeholders. 

Data and objective identification:

You can’t embark on a digital transformation initiative without a concept – you’re condemning the project to failure if the business is not engaged properly with the process before you start. In order to yield business benefit from data, organisations must identify the areas that will realise the most benefits. Even if they’re hypothetical, there must be measurable ambitions in place or milestones for this journey, so that there is an understanding of what you’re going to do, and what you want to get out of it. Or if those ambitions weren’t achieved, why not? What steps need to be taken next time? 

Organisations have to be able to collect the data and assess whether they can achieve their business objectives from that data. But a goal of just ‘digital transformation’, ‘digitising data’ or ‘making more money’ will never translate into a concrete business case. Goals need to be specific and measurable in order to determine the project roadmap and for success to be evaluated. 

More importantly, you have to understand where the data is in your organisation and what it’s being used for, before you start the process of transformation. The whole supply chain needs to be aware of the transformation and the demands that are going to be in place. You’ve got to be very open about this process, because there will be people who you haven’t thought of that might be impacted by the changes you’re making.

With easy access, a connected team and clear objectives, companies can have a clear outline of what it is they set out to achieve in their digital transformation, how they expect to make this transition with the data available, and who can take on what role in this process. 

User Access Review – What’s That?

960 640 Guest Post

By Tenfold Security

Users come, they stay, they leave, they move around between departments and they collect privileges on the way. That’s OK, they need privileges to do their jobs. But do they need all the privileges they have, always? That’s a question you need to ask yourself, for every userrepeatedly.

This article covers what is meant by a user access review, why is it important for your business and how can you simplify the process and up your company‘s IT security and level of data protection at the same time.

Click here to read the full article.

Securing a hybrid and agile workforce

960 640 Guest Post

2020 has forced businesses to revise many of their operations. One significant transition being the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the Government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud

In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered security defence 

Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91% of cybercrimes beginning with an email. By implementing innovative tools that prompt employees to double-check emails before they send them, it can help reduce the risk of sharing the wrong information with the wrong individual. 

Additional layers of defence such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails. 

Educating the user

The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing approach

The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of a full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion

As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

UK Hacking Fines

How to block hidden malicious commands in obfuscated scripts

960 640 Guest Post

By Chris Corde, VP of Product Management, VMWare Carbon Black

For a long time now, our Threat Analysts have flagged the growing threat of script-based attacks, especially from Microsoft PowerShell and Windows Management Interface script commands, and their ability to escape notice in many antivirus solutions. Increasingly, these types of attacks have become the common standard for gaining entry into corporate systems and moving laterally to inflict damage. Today, we announce several new features to help prevent and detect script abuse, including an extension of our ability to prevent script-based attacks build on AMSI integrations, and the ability to translate the actual contents of obfuscated PowerShell scripts in the Carbon Black Cloud console.      

In our current work from home/COVID-19 environment, these script based attacks continue to grow in size and global spread. Common tools like PowerShell enable attackers to hide their intent behind obfuscated script content, and the resulting lateral movement is facilitated by the abuse of Windows Management Interface (WMI), Google Drive and process hollowing. According to our latest Incident Response Report, lateral movement made up a third (33%) of today’s attacks.  

Detecting Stealthy Script Abuse 

To combat this stealthy attack technique, the Carbon Black Cloud has added capabilities that expose the exact commands behind obfuscated PowerShell scripts. By adding this capability directly into our NGAV product console, we’re able to assist less experienced security teams in detecting attacks they may have otherwise missed, as well as accelerate a formerly time-consuming investigation process. This feature also includes new insights on PowerShell scripts for those using older, legacy systems that don’t support AMSI.  

Due to broad usage of PowerShell in enterprise IT environments, many of these obfuscated scripts go unnoticed by EPP solutions because they trigger either no alert, or deceivingly low-level alerts. This makes it easy for threat actors to hide nefarious commands. Normally, you would have to copy that script and paste into an external script translation app that would offer limited details around the command line, and could take anywhere from several hours to days to resolve. The ability to translate these obfuscated scripts with a button-click during alert triage or threat hunting will save analysts hours of investigation time, by allowing them to quickly see the code and determine whether the intent is malicious or not immediately.  

Preventing Script Abuse Without Decreasing Productivity 

Thanks to our Threat Analysis Unit, VMware Carbon Black built prevention rules onto our AMSI inspection capabilities, along with machine learning to translate these previously hidden scripts. Customers can now quickly at the click of a mouse, translate the script in the Carbon Black Cloud dashboard to see the entire decoded script within seconds, along with an assigned risk score.  This new functionality brings a level of protection and visibility for these advanced attacks rarely seen in endpoint protection platforms, providing customers’ immediate access in-console to the script translation details during both alert triage and threat hunting.  

PowerShell alerts are highlighted in the console, showing the reason why a specific script was flagged, and delivering additional context behind the prevention to speed resolution times. When customers investigate the specific details, they can now simply click a button to translate the obfuscated script.  

In addition to translating obfuscated scripts, we’ve also improved readability of PowerShell scripts through syntax highlighting, making it easier for customers to scan for string content vs PowerShell command-lets and function calls while searching for threats.  

Working closely with our Threat Analysis Unit, we’ve also expanded prevention capabilities for script-based Windows attacks built on Microsoft AMSI Integrations into our default prevention policy, making it easy for customers using our product to have an effective security posture right out of the box,  

VMware Carbon Black’s Threat Analysis Unit updated the default policy to include additional granularity for frequently used off-the-shelf attacker frameworks seen regularly in script-based attacks. These updated rules offer high-fidelity prevention for script-based attacks that decrease false positives and take the strain off already resource-deficient security teams. These updated preventions are available upon download of our latest Windows sensor 3.6 coming out this week.  

Giving resellers the key to unlocking end user continuity, productivity and flexibility

960 640 Guest Post

By Dave Manning, Operations Director, Giacom

Until recently, the transition to working from home was unfolding at a gradual pace for many businesses. Although there is much research to back up the benefits of flexible and remote working, many business leaders remained sceptical, believing that office working remained the setup that would be most productive and beneficial from a cultural perspective. 

But the current crisis delivered an ultimatum for many businesses – cease operations or deploy technology to enable employees to work from home for the foreseeable future. There are, of course, several industries where working from home is not an option, but for the majority, there are ways to simply facilitate it – demonstrated by the fact that more than 39% of adults in employment are now working from home, compared to around 12% last year. 

Many employees are thriving working from home. And the hours they have gained back while working from home are not going to be something they will want to give up easily –  two-thirds (63%) of workers said they are open to full time remote working and never going back to the physical office once the crisis is over. It’s becoming clear that the future will not be a permanent office-based workforce, but will shift to a hybrid model combining both remote and office working, allowing for a larger degree of flexibility. This approach of working fuelled by the pandemic is clearly favoured, as 77% of UK employees believe a mix of office-based and remote working is the best way forward post Covid-19. 

For those companies set up to work from home, it’s clear that if business continuity and productivity are maintained – or even improved – during a crisis, they will long term as well. But companies that aren’t properly set up to support remote working are missing out on significant business value gains. To facilitate hybrid working long term, employees must be equipped not only to survive, but to thrive. So how can resellers support end user organisations in transitioning to this new way of operating in the future?

A cloudy future

The lockdown enforcement saw the need for businesses to adapt to this new way of working almost overnight, resulting in a huge surge of enquiries to resellers to get employees working remotely as quickly as possible. Even with cloud-based solutions gaining popularity over the years, a lot of business infrastructure remain on-premises. Businesses need to be moving to a cloud-based infrastructure where the technology they deploy allows for the flexibility to work remotely and on-premises if required. For IT companies supporting SMBs who want to future-proof their businesses and replace outdated on site servers, the cloud offers a fixed cost server solution to IT companies supporting SMBs, while delivering secure storage and easy provisioning as well as scalability – ensuring a futureproof solution for end users. 

Productivity tools

Collaboration tools have come of age and the race is on to both develop and implement smoother integrated IT communications, video, voice strategies so that business can perform at an even higher level whilst working from home. Similar to the transition from letter writing to email, businesses are realising they can actually get more achieved in the same time with cloud-based tools and people not having to travel miles around the country on public transport, in cars or internationally by plane.

And as virtual collaboration tools develop even further to deliver advanced capabilities, employee productivity will only increase. Resellers will be the crucial advisors to companies in order to facilitate their needs, backed up with support from CSPs to help navigate through the most relevant and valuable cloud solutions for their end users. 

Secure setup

Resellers have undoubtedly already experienced the surge of businesses looking to get staff up and running with remote collaboration tools, such as Microsoft Teams etc.. But in the rush to get everyone online and maintain business continuity, security considerations likely slipped much further down the list. Given the continued increase in frequency and sophistication of cyber attacks, especially those capitalising on the current crisis through phishing scams, ‘Zoom-bombing’ incidents and the like, it’s never been more important to prioritise cyber security. 

This is especially true for those organisations that are new to the concept of remote working. While they may have had a solution in place for keeping the corporate network secure within the physical office, a virtual business requires different tools and techniques. This is where resellers can play a crucial role as key consultants to end-users on how they can keep their data secure and deploy reliable, cloud-based backup solutions to safeguard their sensitive information even further. 

A hybrid and flexible infrastructure

While we are all looking forward to this crisis being over, given the nature of the pandemic it’s unlikely that there will be a hard stop to lockdown. Even with the government now lifting some of the restrictions, we can expect a combination of working from home and office working with social distancing and other measures still in place for some time to come. And research has found that 74% of business leaders intend to shift some employees to remote working permanently. No one knows exactly what that journey will look like, so businesses require the toolkit and technology to enable a hybrid working infrastructure now and into the future. 

Moreover, lockdown measures may be starting to ease gradually, but if the UK is faced with a second wave of the virus, or we experience another crisis in the future, additional lockdown measures may have to be put back in place, as was the case in Singapore that struggled to contain a second wave. Flexibility is therefore crucial to safeguard business continuity and enable organisations to maintain optimum productivity levels even in the midst of another unprecedented event. 

The key will be for resellers to support end users in deploying tools that support this new way of working. From unified communications and collaboration software, to cloud-based backup and security tools that keep the corporate network safe no matter where the user is based, resellers hold the key to unlocking end user organisations’ continuity, productivity and flexibility. 

The growing DDoS landscape 

960 640 Guest Post

By Anthony Webb, EMEA Vice President at A10 Networks  

Last month, news reports highlighted one of the biggest DDoS attacks ever recorded. The attack, which targeted a large European bank, generated 809m packets per second (Mpps). This is a new industry record for a PPS-focused attack which is more than double the size of previous attacks. A10 Networks recently launched its Q2 2020: State of DDoS Weapons Report, based on approximately 10 million unique source addresses tracked by A10 Networks, and the report sheds more light on the loud, distributed nature of DDoS attacks and the key trends and observations that enterprises can learn from when adopting a successful defence. 

DDoS Botnet Agents  

We’ve previously written about how IoT devices and DDoS attacks are a perfect match. IoT devices such as smart watches, routers and cameras are now commonly infected by malware and under the control of malicious actors who use them to launch flexible DDoS attacks. Our researchers accumulated knowledge of repeatedly used hosts in these attacks, scanning for those that show malware-infected characteristics that deserve to be treated with caution whilst under a DDoS attack.  

The report highlighted the top three countries hosting DDoS botnet agents as follows: 

·        China 15% 

·        Vietnam 12% 

·        Taiwan 9% 

From the countries above, the top ASNs hosting DDoS botnet agents were: 

·        Chungwha Telecoms (Taiwan) 

·        China Telecom 

·        China Unicom CN 

·        VNPT Corp (Vietnam) 

Malware Proliferation 

With IoT devices vulnerable, largely due to devices lacking the necessary built-in security to counter threats, this allows threat actors an opportunity to target these devices, through a collection of remote code execution (RCE) exploits and an ever growing list of default user names and passwords from device vendors, to constantly increase the size and strength of DDoS attacks. Our weapons intelligence system detects hundreds of thousands of events per hour on the internet, providing insights into the top IoT exploits and the attack capabilities.  

One of the key report findings highlighted thousands of malware binaries being dropped into systems, in the wake of the different IoT-based attacks and exploits. Among the malware families that were most frequent in attack were the following: Gafgyt family, Dark Nexus and Mirai family. The related binary names from these malwares were arm7, Cloud.x86, mmmmh.x86 respectively. 

Digging deeper into the characteristics and behaviour of the binary we saw the most this quarter, “arm7”, we found that attack types came in varied forms including, but not limited to, TCP floods, HTTP floods and UDP floods. To mitigate these attacks a firm understanding of these DDoS weapons needs to be established by understanding and reverse engineering the attack toolkits. 

Amplified Attacks  

When it comes to large-scale DDoS attacks, amplified reflection is the most effective. An example of this is when the attacker sends volumes of small requests with the spoofed victim’s IP address to internet-exposed servers. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities. 

The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. These attacks have resulted in record-breaking volumetric attacks, such as the recent CLDAP-based AWS attack in Q1 2020, which peaked at 2.3 Tbps and was 70% higher than the previous record holder, the 1.35 Tbps Memcached-based GitHub attack of 2018. Although CLDAP does not make the top 5 list of our Amplification attack weapons in Q2, we did record 15,651 potential CLDAP weapons. This makes it a fraction of the top amplification attack weapon this quarter, i.e., portmap, where for every CLDAP weapon, we have 116 portmap weapons available to attackers. The AWS attack shows that even this fractional attack surface has the potential for generating very large-scale DDoS attacks and the only way to protect against these attacks is to proactively keep track of DDoS weapons and potential exploits. 

Battling the Landscape  

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. DDoS attacks are not going away, and it is time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G continue to gain further momentum.   

Image by Markus Spiske from Pixabay