The arms race between cyber-attackers and defenders is now more than 20 years old. These days, denial of service attack methods are getting stronger, more sophisticated, and harder to detect. Attackers seem to have the upper hand, but that doesn’t mean the game is over. Far from it. IT security researchers are bringing the latest technology and a healthy dose of innovation to the battle.
Who will win in the long term? The side that’s willing to commit the most resources and determination to attacks or mitigation. Here’s a cyber-defense bulletin that summarizes the latest trends in attack, threat and defense technology.
Advanced threats and defenses
We start with the litany of woe—the types of attack that we read or hear about in media everywhere. Cryptojacking, phishing, or denial of service attacks are familiar names. However, these terms often tell us nothing about what’s going on under the hood.
Advanced DDoS threats
Here are examples of today’s most sophisticated attacks, described in terms of what causes damage to IT assets:
- Multi-method (multi-vector) attacks. Gigantic, single-vector attacks are much less frequent than they used to be. Now, campaigns combine more than one attack method against the same target, for example a volumetric network-layer flood running alongside an application-layer flood aimed at the most expensive requests. Companies often experience one or more network-layer attacks and, increasingly, more than one application-layer attack at the same time.
- Low-profile, long-residence attacks. Over-the-top, high-volume DDoS attacks get most of the headlines. However, attacks that stay below volumetric thresholds and persist for a long time can also do plenty of damage, for example by tying up application connections or request slots. Because each packet looks like legitimate client behaviour, network-layer detection and response methods alone cannot tell the attack traffic apart; it has to be detected and handled at the application layer, which requires more complex solutions.
- Automated botnet attacks. Driven by attack scripts, botnets no longer need a human operator to direct the bots. For example, an automated bot can create new accounts on a compromised machine so that it keeps its access even after the machine’s legitimate users change their passwords, and it can do so in about 15 seconds. That speed gives defenders very little time to create and launch an effective response.
- High-persistence attacks. Persistence is the ability of malware to keep its foothold on a compromised machine across reboots, credential changes, and cleanup attempts, so that the bot keeps reporting to its controller. The Torii botnet, discovered in 2018, used six different persistence methods on each infected device. The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) knowledge base now catalogs about 50 distinct ways of achieving persistence.
Advanced defense measures
Defending IT assets from these massive, versatile, and persistent assaults requires muscular defenses. Traditional rate limiting, patching, and incident handling, on their own, no longer keep up with advances in attack technique. So, what’s more likely to preserve today’s IT assets?
Here’s a list of advanced defense methods used in products today:
- Remote browser isolation, which runs a user’s browsing session in a disposable remote container so that only rendered output, not active web content, reaches the user’s endpoint.
- Deception technologies, which try to trap attackers by mimicking a company’s critical assets (decoy hosts, accounts, and data) and alerting on any interaction with them, since legitimate users have no reason to touch a decoy.
- Endpoint detection and response (EDR) solutions, which continuously record activity on endpoints (processes, file changes, network connections) and alert security staff to suspicious behaviour.
- Network traffic analysis, which inspects traffic on the network to determine the type, size, origin, and destination of packets (and their contents where the traffic is not encrypted) and flags anomalous patterns, such as many sources converging on one destination.
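As an added example (not code from the original page or from any vendor product), here is a small network traffic analysis routine in Python. It runs over constructed flow records of the kind a network sensor exports and applies the origin, destination, and size view described above to flag two patterns: a UDP reflection flood (many sources, all answering from one well-known service port, large packets, one destination) and a TCP SYN flood (many sources sending handshakes that never complete). The thresholds, the reflector port list, and the sample addresses are assumptions chosen for illustration.

```python
"""Network traffic analysis over constructed flow records (added example).

A sensor typically exports one record per flow: who talked to whom, on which
ports and protocol, and how many packets and bytes were exchanged. The two
detectors below use exactly that origin/destination/size view.
Thresholds and the reflector port list are illustrative assumptions.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str     # "udp" or "tcp"
    packets: int
    bytes: int
    flags: str     # TCP flags seen in the flow ("S" = SYN only); "" for UDP


# UDP services commonly abused as reflectors (assumption: illustrative subset)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}
MIN_SOURCES = 20         # distinct senders before a group is suspicious (assumed)
MIN_AVG_PKT_BYTES = 400  # reflected answers are large; normal answers usually are not


def detect_reflection(flows, min_sources=MIN_SOURCES, min_avg_bytes=MIN_AVG_PKT_BYTES):
    """Flag UDP traffic where many hosts, all answering from one service port,
    converge on a single destination with large packets: the signature of a
    reflected amplification flood aimed at that destination."""
    groups = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            groups[(f.dst_ip, f.src_port)].append(f)
    alerts = []
    for (dst, sport), fl in groups.items():
        sources = {f.src_ip for f in fl}
        pkts = sum(f.packets for f in fl)
        total = sum(f.bytes for f in fl)
        avg = total / pkts
        if len(sources) >= min_sources and avg >= min_avg_bytes:
            alerts.append({"type": "udp_reflection", "service": REFLECTOR_PORTS[sport],
                           "target": dst, "sources": len(sources),
                           "avg_pkt_bytes": round(avg), "total_bytes": total})
    return alerts


def detect_syn_flood(flows, min_sources=MIN_SOURCES):
    """Flag a destination port that receives SYN-only flows from many sources:
    handshakes that never complete are the mark of a SYN flood."""
    groups = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            groups[(f.dst_ip, f.dst_port)].add(f.src_ip)
    return [{"type": "syn_flood", "target": f"{dst}:{port}", "sources": len(srcs)}
            for (dst, port), srcs in groups.items() if len(srcs) >= min_sources]


def analyze(flows):
    """Run both detectors and return the combined alert list."""
    return detect_reflection(flows) + detect_syn_flood(flows)


def sample_flows():
    """Constructed sample (not captured data): normal web traffic, one normal DNS
    answer to another host, a DNS reflection flood, and a SYN flood against the
    web server."""
    victim = "203.0.113.10"
    flows = [Flow(f"198.51.100.{i + 1}", 40000 + i, victim, 443, "tcp", 30, 9000, "PA")
             for i in range(5)]
    flows.append(Flow("192.0.2.53", 53, "203.0.113.11", 51000, "udp", 1, 120, ""))
    # 40 open resolvers each returning 50 answers of 1400 bytes to the victim
    flows += [Flow(f"192.0.2.{i + 100}", 53, victim, 54321, "udp", 50, 50 * 1400, "")
              for i in range(40)]
    # 25 spoofed sources sending SYNs that are never followed by an ACK
    flows += [Flow(f"198.18.0.{i + 1}", 1025 + i, victim, 443, "tcp", 200, 200 * 60, "S")
              for i in range(25)]
    return flows


if __name__ == "__main__":
    for alert in analyze(sample_flows()):
        print(alert)
```

The single legitimate DNS answer is not flagged because it comes from one source; the flood is flagged because 40 distinct resolvers answer one destination with 1400-byte packets. In production the thresholds would be set from a baseline of normal traffic rather than fixed constants.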
To these new capabilities, add these proven and reliable solutions and defense methods, often offered by DDoS mitigation service providers:
- Application-layer DDoS protection. Application-layer floods (HTTP/HTTPS, DNS) have become the most frequent attack method. They consist of well-formed requests from many clients, so per-packet network-layer filtering lets them through. Modern DDoS protection must also inspect traffic at the application layer, where the difference between a legitimate user and a bot shows up in request rates, request patterns, and client behaviour.
- SSL DDoS flood protection. Encrypted traffic now accounts for most of the world’s internet traffic, and as more and more traffic becomes encrypted, SSL/TLS floods have become a widespread attack. A TLS handshake costs the server far more CPU than it costs the client, so an attacker who repeatedly opens, renegotiates, or abandons handshakes can cripple a website with surprisingly little traffic. Defenses for this kind of attack are a must.
- Zero-day attack protection. Here, zero-day means an attack pattern for which no signature exists yet, so the defense has to be behaviour-based rather than signature-based. Burst attacks are a common example: short, intense bursts that combine many different attack methods and stop before signature-based systems adapt. Reflection/amplification attacks are another: the attacker sends small requests with the victim’s spoofed source address to third-party servers (open DNS resolvers, NTP servers, and similar) that are not otherwise involved, and those servers answer the victim with responses many times larger, multiplying the attack traffic and overwhelming the target.
- Response solutions. Web application firewalls, a DDoS rules engine, and a series of escalating client challenges (for example a rate limit, then a JavaScript challenge, then a CAPTCHA, then blocking) are often combined in a multi-tier response. To bring the traffic to the mitigation infrastructure in the first place, DNS changes (pointing the site’s name at a reverse proxy), web proxies, or BGP route announcements divert it to a scrubbing center, where malicious traffic is filtered out and clean traffic is forwarded to the origin until the attack is over.
- Detailed SLAs. A service level agreement (SLA) defines the mitigation service quality the provider guarantees. Look for concrete, measurable terms: time to detect, time to mitigate, the attack sizes covered, and the remedy when the provider misses them.
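As an added example, not part of the original page or of any provider’s product, the following Python code demonstrates application-layer detection with a multi-tier response of the kind described in the last items: it parses constructed access-log lines in the Apache combined format, keeps a sliding request count per client, and escalates from allow through rate limit, JavaScript challenge, and CAPTCHA to block when a client keeps exceeding the limit, while a client that passes a challenge is let through. The thresholds, tier names, log lines, and client addresses are assumptions chosen for illustration.

```python
"""Application-layer flood detection with a tiered response (added example).

Input: constructed access-log lines. The engine keeps a sliding request
count per client IP and escalates the response step by step:
allow -> rate_limit -> js_challenge -> captcha -> block.
Window, limit, strike count, tier names and log lines are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TIERS = ["allow", "rate_limit", "js_challenge", "captcha", "block"]


def parse_line(line):
    """Return the log fields as a dict with a float epoch 't', or None if the
    line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


class ResponseEngine:
    """Per-client sliding-window counter with stepwise escalation."""

    def __init__(self, window_s=10, rate_limit=20, strikes_to_escalate=3):
        self.window_s, self.rate_limit = window_s, rate_limit
        self.strikes_to_escalate = strikes_to_escalate
        self.hits = defaultdict(deque)    # ip -> request times inside the window
        self.tier = defaultdict(int)      # ip -> index into TIERS
        self.strikes = defaultdict(int)   # ip -> consecutive over-limit requests
        self.solved = defaultdict(set)    # ip -> challenges this client passed

    def rate(self, ip, t):
        """Record a request and return the count inside the sliding window."""
        q = self.hits[ip]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def handle(self, rec):
        """Update state for one request and return the action to take."""
        ip, t = rec["ip"], rec["t"]
        if self.rate(ip, t) > self.rate_limit:
            self.strikes[ip] += 1
            # sustained abuse at the current tier moves the client one tier up
            if self.strikes[ip] >= self.strikes_to_escalate and self.tier[ip] < len(TIERS) - 1:
                self.tier[ip] += 1
                self.strikes[ip] = 0
        else:
            self.strikes[ip] = 0
        action = TIERS[self.tier[ip]]
        # a client that already solved this challenge is let through; if it keeps
        # flooding, the counter above escalates it to the next tier anyway
        if action in self.solved[ip]:
            action = "allow"
        return action

    def challenge_passed(self, ip, challenge):
        """Record that the client solved a challenge (e.g. via a signed cookie)."""
        self.solved[ip].add(challenge)


def run(lines, engine=None):
    """Feed log lines through the engine; return (ip, action) per parsed line."""
    engine = engine or ResponseEngine()
    decisions = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            decisions.append((rec["ip"], engine.handle(rec)))
    return decisions, engine


def sample_log():
    """Constructed log (not real traffic): one human reading articles at a
    leisurely pace and one scripted client hammering /search ten times a second."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, ua):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [line("198.51.100.7", 7 * i, f"/article/{i}", "Mozilla/5.0") for i in range(5)]
    lines += [line("203.0.113.99", i // 10, f"/search?q={i}", "python-requests/2.31")
              for i in range(120)]
    return sorted(lines, key=lambda l: parse_line(l)["t"])


if __name__ == "__main__":
    for ip, action in run(sample_log())[0]:
        print(ip, action)
```

With the assumed settings the scripted client is allowed for its first 22 requests, then spends three requests at each of the rate-limit, JavaScript-challenge, and CAPTCHA tiers before being blocked for the rest of the run, while the human client never leaves the allow tier. A real deployment would key the state on more than the source address (session cookie, TLS fingerprint) so that clients behind one NAT are not punished together.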
The advanced defense methods described here are commercial products and services. Other more glamorous solutions, such as those based on different types of machine learning, are still being developed and maturing into robust attack defense offerings.
Developing comprehensive DDoS defenses
The message delivered by current DDoS attacks is clear. Only adaptable, large-scale defense methods can go toe to toe with malware created by ingenious, determined cyber-attackers. Few organizations have the deep pockets and IT talent needed to create and modify a constant stream of defense solutions. That’s where mitigation service providers come in. They help you avoid the time, effort, and cost of building your defense resources. And, they have the hard-to-find security talent that’s essential to designing effective security defenses.