Attack from DOS: In Zero We Trust
Article by RSA International (APJ and EMEA) chief security advisor Leonard Kleinman.
Recent global challenges have seen many organisations maintain their survival by going digital and adopting a blend of on premises, work-from-home and third-party collaborations.
Internet and streaming media use is rising - and a rapid shift to distributed work, along with radical changes in human behaviour, is creating new and extended digital risk for organisations while creating opportunities for malicious actors.
A recent report by Cambridge University’s Cybercrime Centre shows a three-fold increase in Distributed Denial of Service (DDoS) attacks, now tracking at around 30,000 attacks per day. Interestingly, this change has been due to new malicious attackers driving the increase as opposed to existing cybercriminals.
Accordingly, many organisations are now realising that DDoS defence is critical to maintaining operations and ensuring a good customer experience. Nothing detracts from a customer’s experience quite like a DDoS attack.
DDoS attacks are a popular method of cyber attack, in large part due to their simplicity, low cost, and anonymity.
A DDoS attack is one in which many compromised systems attack a single target, causing it to slow down, become unresponsive or shut down; the effect is to deny legitimate users the ability to use it. This is achieved by overwhelming the system with a flood of traffic from multiple sources.
As the world has seen during the pandemic, threat actors never let a good crisis go to waste, with DDoS attacks increasing on infrastructure providers, such as the 2.3 Tbps (terabits per second) attack on Amazon Web Services in February 2020, the largest attack reported at the time.
No doubt the increasing number of insecure Internet of Things (IoT) devices being infected and recruited into botnets is a major contributor.
DDoS attacks come in various forms; the main categories are protocol attacks, volume-based attacks and application attacks. Some common attacks include:
- SYN floods, which exploit the TCP three-way handshake by sending a stream of SYNs (usually from spoofed addresses) and never completing the connection, exhausting the target's half-open connection table
- UDP floods targeting random ports, which force the target to check each port for a listener and send ICMP unreachable replies
- Application attacks targeting specific application weaknesses, typically expensive requests that tie up server resources with comparatively little traffic
- Amplification and reflection attacks, in which small requests carrying the victim's address as a spoofed source are sent to open services (DNS, NTP, CLDAP, memcached) whose much larger replies are directed at the victim, so the attacker overwhelms the target while spending few resources of its own.
Along with newer methods that include SSL/TLS-based attacks, side channel attacks and proxy server attacks, DDoS attacks are also increasingly used in blended attacks. For example, in combination with malware, DDoS attacks on banks have been used as a distraction so that the transfer of stolen funds goes unnoticed.
What can be done to mitigate the risk?
Starting with basics such as patching and updates to remove exploitable weaknesses, and training and awareness to help identify attacks early, organisations should also overprovision bandwidth so that they can absorb sudden spikes and surges in traffic. Note that even with significant overprovisioning, an enterprise confronted with a DDoS attack is only buying time.
At the technical level, some measures that can be taken to manage an attack include:
- adding rules to gateway infrastructure to drop packets from obvious sources of attack, which relies on good threat intelligence, and dropping spoofed or malformed packets outright (ingress filtering of source addresses that cannot legitimately arrive on an interface, as in BCP 38);
- setting lower SYN, ICMP and UDP flood drop thresholds on firewalls and load balancers;
- applying a rate limit on the router so that the web server is not overwhelmed; per-source limits only help when the sources are real, because a flood from spoofed addresses spreads its packets over many sources and stays under every per-source limit;
- activating a Web Application Firewall (WAF) if you have one. This adds a layer of inspection between the website and the traffic it receives and helps against application-layer attacks, but it cannot help once a volumetric flood has saturated the upstream link.
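The threshold and rate-limit checks above, as an added example that is not from the article: a Python sketch that flags SYN-flood windows by comparing SYNs with completed handshakes, flags UDP floods to random ports per source, and applies a per-source token-bucket limit. The packet sample is constructed (RFC 5737 documentation addresses only), and the threshold values are illustrative.

```python
"""Added example (not from the article): threshold-based flood detection and a
per-source token-bucket limiter, run over a constructed packet sample.
All addresses come from RFC 5737 documentation ranges; nothing here is real traffic."""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str           # source address
    proto: str         # "tcp", "udp" or "icmp"
    flags: str = ""    # TCP flags as a string: "S" = SYN, "A" = ACK
    dport: int = 0     # destination port


def syn_flood_windows(packets, window=1.0, syn_threshold=50, max_completion=0.2):
    """Aggregate SYN-flood check. For each time window count SYNs and the ACKs
    that complete handshakes; flag windows with more than syn_threshold SYNs
    and a completion ratio below max_completion. It is aggregate on purpose:
    a SYN flood usually spoofs source addresses, so per-source counts stay low."""
    syns, acks = Counter(), Counter()
    for p in packets:
        if p.proto == "tcp":
            w = int(p.ts // window)
            if p.flags == "S":
                syns[w] += 1
            elif p.flags == "A":
                acks[w] += 1
    flagged = {}
    for w, n in syns.items():
        completion = acks[w] / n
        if n > syn_threshold and completion < max_completion:
            flagged[w] = {"syn": n, "ack": acks[w], "completion": round(completion, 3)}
    return flagged


def udp_random_port_sources(packets, window=1.0, pkt_threshold=50, port_threshold=20):
    """Per-source UDP check: a source sending more than pkt_threshold datagrams
    to more than port_threshold distinct ports inside one window is hitting
    random ports rather than talking to a service."""
    ports, count = defaultdict(set), Counter()
    for p in packets:
        if p.proto == "udp":
            key = (p.src, int(p.ts // window))
            ports[key].add(p.dport)
            count[key] += 1
    return sorted({src for (src, w), n in count.items()
                   if n > pkt_threshold and len(ports[(src, w)]) > port_threshold})


class TokenBucket:
    """Per-source limiter: each source gets `rate` packets/s with a burst of
    `burst`. Helpful against unspoofed floods only; a spoofed flood spreads its
    packets over many addresses and stays under every per-source limit."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = {}, {}

    def allow(self, src, ts):
        elapsed = ts - self.last.get(src, ts)
        tokens = min(self.burst, self.tokens.get(src, self.burst) + elapsed * self.rate)
        self.last[src] = ts
        if tokens >= 1:
            self.tokens[src] = tokens - 1
            return True
        self.tokens[src] = tokens
        return False


def apply_rate_limit(packets, rate=10, burst=20):
    """Run every packet through the limiter in arrival order.
    Returns (forwarded_count, Counter of dropped packets per source)."""
    bucket, dropped, forwarded = TokenBucket(rate, burst), Counter(), 0
    for p in sorted(packets, key=lambda p: p.ts):
        if bucket.allow(p.src, p.ts):
            forwarded += 1
        else:
            dropped[p.src] += 1
    return forwarded, dropped


def sample_traffic():
    """Constructed sample: a legitimate client that completes its handshakes,
    a SYN flood from spoofed addresses, and a UDP flood to random ports."""
    rng = random.Random(7)
    pkts = []
    for i in range(5):              # window 0: five real connections (SYN then ACK)
        pkts.append(Packet(0.1 * i, "198.51.100.10", "tcp", "S", 443))
        pkts.append(Packet(0.1 * i + 0.02, "198.51.100.10", "tcp", "A", 443))
    for i in range(200):            # window 1: 200 SYNs, spoofed sources, no ACKs
        pkts.append(Packet(1.0 + i / 200, f"203.0.113.{rng.randrange(1, 255)}", "tcp", "S", 443))
    for i in range(120):            # window 2: 120 UDP datagrams to random high ports
        pkts.append(Packet(2.0 + i / 120, "192.0.2.99", "udp", "", rng.randrange(1024, 65535)))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("SYN flood windows:", syn_flood_windows(traffic))
    print("UDP random-port sources:", udp_random_port_sources(traffic))
    print("rate limit (forwarded, dropped):", apply_rate_limit(traffic))
```

Running it shows the point the caveat above makes: the aggregate check flags the spoofed SYN flood window (200 SYNs, zero completions) and the per-source check flags the single UDP source, but the token bucket drops nothing from the spoofed flood, since no single spoofed address ever exceeds its burst. Only the unspoofed UDP flooder is rate-limited, which is why spoofed floods are dealt with by aggregate thresholds and upstream filtering rather than per-client limits.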
Again, enterprises will be buying time as DDoS attacks these days are growing larger in scale.
Lastly, engage with an ISP or hosting provider who can ‘black hole’ such traffic upstream so that it never reaches your infrastructure, or engage the services of a DDoS mitigation (scrubbing) specialist. Bear in mind that black-holing drops all traffic to the targeted address, legitimate traffic included: it protects the rest of the network at the cost of the target, whereas a scrubbing service filters the flood and passes cleaned traffic back.
With the threat of such cyber attacks looming large, a significant shift in mindset is due and this comes by way of the 'Zero-Trust' concept.
Society has long embraced the concept of trusted systems, and this trust in our systems is where the vulnerability and opportunity for exploitation lies. The Zero Trust approach gives us that all-important rule for establishing and maintaining a secure work environment:
‘Trust nothing and treat everything as hostile – this includes the network itself, any host, any applications, or services running on the network.’
The Zero Trust approach to cybersecurity puts an end to the old ‘castle-and-moat’ mentality; a long-held methodology where organisations focused on defending their perimeters while assuming everything inside is ‘trustworthy’ and therefore, automatically cleared for access. We essentially trust way too much.
The Zero Trust approach relies on a range of existing technologies together with the right governance processes in achieving its mission of securing the organisational IT environment, including:
- Technologies, such as multifactor authentication, Identity and Access Management (IAM), file system permissions, orchestration capabilities, analytics, encryption, and
- Governance policies, such as giving users the least amount of access they need to complete their job or specific task, i.e. principle of least privilege.
Additionally, it requires organisations to use internal and micro-segmentation, and to enforce a granular perimeter around each resource based on the user, their device, their location and other collated data in order to decide whether to trust the user, device or application seeking access. Access is then granted through conditional policy enforcement: a policy that allows a specific subject a specific action on a specific resource only while the conditions it checks (group membership, device health, a recent multifactor authentication, location) continue to hold.
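The conditional policy enforcement described above, as an added example that is not the article's or RSA's code: a small default-deny policy engine in Python that evaluates a request against per-resource rules on group membership, device posture, MFA age and location, and re-evaluates the same session later to show continuous verification. The resource names, users, countries and policy values are made up for illustration.

```python
"""Added example (not from the article): a minimal default-deny policy engine of
the kind a Zero Trust control plane runs on every request. Users, devices,
resources and policy values are made up for illustration."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Request:
    """What the engine knows about one access attempt: identity, device posture,
    authentication freshness and location, plus the resource and action asked for."""
    user: str
    groups: frozenset
    device_managed: bool      # enrolled in management and able to report its state
    device_patched: bool      # last compliance check passed
    mfa_age_s: Optional[int]  # seconds since the last MFA challenge; None = never
    src_country: str
    resource: str
    action: str


@dataclass(frozen=True)
class Policy:
    """One micro-segment rule: who may do what to a resource, under which conditions."""
    resource: str
    actions: frozenset
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_patched: bool = True
    max_mfa_age_s: int = 3600
    allowed_countries: frozenset = frozenset()   # empty = no location restriction


# Illustrative segments. Sensitive data gets tight conditions; the wiki is relaxed
# on device posture but still requires a recent MFA.
POLICIES = (
    Policy("payroll-db", frozenset({"read"}), frozenset({"finance"}),
           max_mfa_age_s=900, allowed_countries=frozenset({"AU", "NZ"})),
    Policy("wiki", frozenset({"read", "write"}), frozenset({"staff"}),
           require_managed_device=False, require_patched=False, max_mfa_age_s=8 * 3600),
)


def decide(req, policies=POLICIES):
    """Default deny. A request is allowed only if some policy for that resource
    and action is satisfied on every condition; otherwise the failed conditions
    of the first applicable policy are returned so the denial can be logged."""
    applicable = [p for p in policies if p.resource == req.resource and req.action in p.actions]
    if not applicable:
        return "deny", ["no policy grants this action on this resource"]
    failures = []
    for p in applicable:
        reasons = []
        if not req.groups & p.allowed_groups:
            reasons.append("user not in an allowed group")
        if p.require_managed_device and not req.device_managed:
            reasons.append("device not managed")
        if p.require_patched and not req.device_patched:
            reasons.append("device failed compliance check")
        if req.mfa_age_s is None or req.mfa_age_s > p.max_mfa_age_s:
            reasons.append("MFA missing or stale")
        if p.allowed_countries and req.src_country not in p.allowed_countries:
            reasons.append("location not permitted for this resource")
        if not reasons:
            return "allow", []
        failures.append(reasons)
    return "deny", failures[0]


def reevaluate(req, elapsed_s):
    """Continuous verification: the same session checked again later. Only the
    MFA age advances here; a real engine re-reads device posture and location too."""
    aged = None if req.mfa_age_s is None else req.mfa_age_s + elapsed_s
    return decide(replace(req, mfa_age_s=aged))


def run_samples():
    """Constructed requests exercising each condition; returns {name: (decision, reasons)}."""
    alice = Request("alice", frozenset({"finance", "staff"}), True, True, 300, "AU", "payroll-db", "read")
    bob = Request("bob", frozenset({"staff"}), False, False, None, "AU", "wiki", "read")
    return {
        "alice_payroll_ok": decide(alice),
        "alice_payroll_from_US": decide(replace(alice, src_country="US")),
        "alice_payroll_20min_later": reevaluate(alice, 1200),
        "alice_payroll_write": decide(replace(alice, action="write")),
        "bob_wiki_no_mfa": decide(bob),
        "bob_wiki_with_mfa": decide(replace(bob, mfa_age_s=120)),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name}: {decision} {reasons}")
```

Two design points matter here. Nothing is allowed unless a policy says so (the "write" on payroll-db is denied because no rule grants it, not because a rule forbids it), which is least privilege expressed as code; and the decision is a function of the current request context rather than of where the request came from on the network, so the same user on the same device is denied twenty minutes later once the MFA condition no longer holds.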
Today, about the only thing an organisation really owns or more accurately, is responsible for, is data. The Zero Trust approach of ‘continuous verification’ wraps tighter controls around data, reducing the risk of unauthorised access, manipulation and movement of data – including malicious software. This means businesses can focus efforts on inspection of the data and the application of appropriate access control methodologies.
Zero Trust is not just about technology; it is about process and mindset, more so a philosophy. Many organisations are already utilising many pieces of Zero Trust. It is also about using these and other technologies to enforce that all-important rule: trust nothing, and nothing has access until it has been verified.
The key point is that Zero Trust is about the elimination of implicit trust, and by eliminating it organisations remove the failures that misplaced trust makes possible, including the lateral movement and fraud that blended attacks use a DDoS to hide. It does not, on its own, stop a volumetric flood from saturating a link; the network-level mitigations described above remain necessary for that.
To hear more about the topic of “The Rise of Zero Trust in the Digital Era”, join RSA’s CTO, Dr Zulfikar Ramzan, who will present his observations and recommendations at an upcoming webinar on 5 November 2020.