Dan Holden is the Director of ASERT, Arbor Networks' Security Engineering and Response Team. His teams oversee the ATLAS global security intelligence database, and are responsible for threat landscape monitoring and Internet security research, including the reverse engineering of malicious code.
With DDoS an increasingly preferred method of attack, especially in the last 12 months, the threat has risen to critical levels.
Techradar Pro: Why has the DDoS threat grown so much over the last year? Are businesses more vulnerable?
Dan Holden: DDoS attacks are continuing to evolve and the last 12 months have seen huge growth in the number, complexity and size of the attacks occurring. When we couple this with businesses' increasing reliance on Internet connectivity, for either revenue or access to cloud-based data and applications, protection from the DDoS threat should be a top priority.
Over the last year the trend seems to have been a return to large traffic floods, known as volumetric attacks, to effectively cut their targets off from the Internet. Volumetric attacks have always been the most common attack type, but in the last year the scale of the problem has changed.
2013 saw an eight-fold growth in the number of attacks over 20Gb/sec, based on data from Arbor's ATLAS monitoring system, which receives hourly DDoS statistics from over 300 service providers around the world, with just the first quarter of 2014 seeing a 150 per cent increase on 2013's annual total.
TRP: With such a large network footprint, what peaks in DDoS activity has Arbor tracked this year?
DH: Q1 2014 probably saw the most concentrated burst of large volumetric attack activity ever, with 72 attacks against a French ISP tracked at over 100Gb/sec and a new largest ever attack at 325Gb/sec. This attack was caused by amplification/reflection, which is used to amplify the volumes of traffic attackers are capable of generating.
While this attack vector has been around for some time, it has grown in popularity since 2013. During January 2014 a number of gaming companies fell victim to a Network Time Protocol (NTP) amplification/reflection attack creating very large bandwidth and causing severe availability problems.
TRP: What types of DDoS attack are organisations currently finding themselves most vulnerable to?
DH: Volumetric attacks have grabbed the headlines in the past year on numerous occasions, but we mustn't forget about the more stealthy application layer attacks. According to the Arbor World-Wide Infrastructure Security Report for 2013, nearly a quarter of attacks now target the application layer.
Web services remain the top target of these attacks, but there has been significant growth in the number of attacks targeting encrypted Web services (HTTPS) – which should be a concern for e-commerce, finance and government organisations. DDoS has become a complex attack type, with a broad spread of organisations being targeted.
TRP: So what does this mean in terms of security mitigation?
DH: Everything we have seen over the past year reaffirms layered DDoS protection as the best way to defend organisations from a DDoS threat. Network perimeter defences provide proactive protection from application layer attacks, but they need to be coupled with a cloud or service provider based DDoS protection service to deal with higher-magnitude volumetric attacks, which are meant to saturate Internet connectivity.
TRP: When communicating its value to the board, how best can a CIO justify investment in DDoS security?
DH: The security and network teams across a broad spread of organisations are becoming increasingly aware of the need for these layered DDoS defence solutions, but they have to compete, from a budget perspective, with other business priorities.
For the CIO, the key is to compare the financial implications of a prolonged Internet service outage with the cost of appropriate defences. Fundamentally, it's imperative for CIOs and CISOs to be able to put a monetary value on the cost of an attack when building a case for investment into security products and processes.
The starting point is to estimate the overall impact a DDoS attack is likely to have from a revenue, operational overhead and reputational perspective – these may vary according to the nature of the business in question. Modeling all of these costs will help determine the benefits of DDoS protection. Effective DDoS mitigation can help reduce these costs by 90 per cent or more in the event of an attack.
TRP: Is it ever possible for the IT department to win the battle against cyber threats?
DH: How do you define win? These days, the idea of prevention is outdated as attacks are out of an organisation's control. Many organisations can't prevent their business from being attacked. However, what they can control is having the capability in place to detect threats.
Businesses need to be asking themselves how quickly they can detect a threat that has entered their network and if they can't, organisations need to be doing something about it.
TRP: How are CISOs able to deliver an understandable call to action and gain the credibility to push their strategic plans?
DH: CISOs need to elevate security to the boardroom for a C-suite level discussion, so that they can not only talk about threat assessments and security architecture, but also the potential bottom line business implications of a breach. Security can then be communicated from the boardroom downwards, to the rest of the organisation.
TRP: Despite organisations investing in the latest security, why do these threats keep succeeding?
DH: Having all the latest technology is certainly an advantage but it is not the complete picture. It takes a unified, integrated combination of technology, people and processes. Having the right technology to identify threats and alert security teams is only the beginning.
Organisations need to be asking themselves whether they have the right teams and skill sets to maximise their investment in the latest technology. Do they have the right incident response processes, planning and practice in place?
Arbor Networks recently commissioned research with the Economist Intelligence Unit, surveying 360 global CISOs and IT decision makers, which revealed that despite more than two thirds of organisations suffering a breach in the past two years, only 17 per cent were confident in their ability to respond to an attack.
TRP: With the launch of new certifications, such as the UK government's Cyber Essentials plan, how should organisations work with government and third parties to boost confidence in their security?
DH: Threats are global and no one company has the capabilities to assess the global landscape and understand its implications for their organisation. Because of this, there should be greater threat intelligence sharing as the more information that is passed between involved parties, the better.
The retail industry has recently been targeted and victimised by a series of very high profile Point-of-Sale (PoS) attacks, and has only started taking steps to implement a shared intelligence infrastructure.
This has been demonstrated in the US by the launch of a Retail Cyber Intelligence Sharing Center. This information sharing and analysis center, ISAC, has been backed by Target and other major retailers, and is a great move for the retail industry. This should continue across other industries too.