Defend Against DDoS Archive

DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.

Source: https://www.zdnet.com/article/ddos-attacks-students-blamed-for-many-university-cyber-attacks/

Digital connectivity continues apace – but brings with it increased cyber risks. These relatively new and complex risk profiles require approaches that go far beyond traditional insurance, argues Munich Re’s reinsurance boss Torsten Jeworrek.

Self-learning machines, cloud computing, digital ecosystems: in the steadily expanding Internet of Things, all objects communicate with others. In 2017, 27 billion devices around the world were online, but this number is set to increase five-fold to 125 billion by the year 2030. And many industries are profiting from the connectivity megatrend.

In virtually every sector, automated processes are delivering greater efficiency and therefore higher productivity. By analysing a wide range of data, businesses also hope to gain new insights into existing and prospective customers, their purchasing behaviour, or the risk that they might represent. This will facilitate a more targeted customer approach. At the same time, greater levels of interconnection are leading to new business models. Examples include successful sharing concepts and online platforms.

Growing risk of ransomware

But just as there are benefits to growing connectivity, there are also risks. Ensuring data security at all times is a serious challenge in this complex world. When setting up and developing digital infrastructure, companies must constantly invest in data-security expertise and in technical security systems, not least to protect themselves against cyber attacks. This became clear in 2017, when the WannaCry and NotPetya malware attacks caused business interruption and production stoppages around the world. T

he costs of WannaCry in the form of lost data and business interruption were many times greater than the losses from ransom demands. With other attacks, the objective was not even extortion – but rather to sabotage business operations or destroy data. Phishing, which is the attempted capture of sensitive personal and log-in data, and distributed denial of service (DDoS) attacks, which take down entire servers by systematically overloading them, also cause billions of dollars in damage each year. It is difficult to calculate the exact amounts involved, but business losses from cyber attacks are currently estimated at between $400bn and $1tn each year.

And the number of cyber attacks continues to rise – as do the resulting losses. According to estimates from market research institute Cybersecurity Ventures, companies around the world will fall victim to such attacks every 14 seconds on average in 2019. Europol also notes that there have been attacks on critical national infrastructure in the past, in which people could have died had the attacks succeeded.

Increasing demand for cyber covers from SMEs as well

As the risks increase, so too does the number of companies that attach importance to effective prevention measures and that seek insurance cover. The pressure to improve data protection has also increased as a result of legal requirements such as the EU’s General Data Protection Regulation, which came into force in May 2018 and provides for severe penalties in the event of violations. In a world of digital dependency, automated processes, and networked supply chains, small- and medium- sized companies in particular realise that it is no longer enough to focus on IT security within their own four walls.

For the insurance industry, cyber policies are gradually becoming an important field of business in their own right. According to estimates, further significant increases in premium volume are on their way. In 2017, premium volume was at between $3.5bn and $4bn. That figure is expected to increase to between $8bn and $9bn by 2020. So there will be good growth opportunities over the next few years, particularly in Europe.

Cyber risks difficult to assess

Cyber risks pose unique challenges for the insurance industry, above all in connection with accumulation risk: a single cyber event can impact many different companies at the same time, as well as leading to business interruption for other companies.

How can the market opportunities be exploited, while at the same time managing the new risks? Are cyber risks ultimately uninsurable, as many industry representatives have said? One thing is certain: there are a number of extreme risks that the insurance industry cannot bear alone. At present, these include network outages that interrupt the electricity supply, or internet and telecommunication connections. Scenarios like these, and the costs that come with them, should be borne jointly by governments and companies, for example in the form of pool solutions.

Cyber as a new type of risk

There are key differences between cyber risks and traditional risks. Historical data such as that applied to calculate future natural hazards, for example, cannot tell us much about future cyber events. Data from more than ten years ago, when there was no such thing as cloud computing and smartphones had not yet taken off, are of little use when assessing risks from today’s technologies. Insurers and reinsurers must be able to recognise and model the constantly evolving risks over the course of these rapid advances in technology. An approach that relies on insurance expertise alone will rapidly reach its limits. Instead, the objective of all participants should be to create as much transparency as possible with regard to cyber risks. IT specialists, authorities, and the scientific and research communities can all help to raise awareness of the risks and contribute their expertise for the development of appropriate cyber covers.

Working together to enhance security

Munich Re relies on collaboration with technology companies and IT security providers to develop solutions for cyber risks. This is because the requirements for comprehensive protection are complex, and safeguarding against financial losses is only one component of an overall concept. Accordingly, in consultation with our technology partners, we are developing highly effective, automated prevention services for our clients. These are designed to permanently monitor the client infrastructure, identify risks promptly, and prevent losses. And – importantly – a company needs to respond quickly to limit the loss from an event and allow it to resume normal operations without delay. In this context, we assist our clients with a network of experts.

But cyber risks remain a challenge, and one that the insurance industry needs to tackle. Insurers can only remain relevant for their clients if they constantly adapt their offerings to new or changed risks and requirements. Opportunities for new fields of business are arising.

Source: https://www.re-insurance.com/opinion/cyber-policies-more-than-just-risk-transfer/1687.article

The Scoville Scale is a measurement chart used to rate the heat of peppers or other spicy foods. It can also can have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot as the human attack surface is projected to reach over 6 billion people by 2022. In addition, cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats in a similar scale to the hot peppers we consume.

I have provided my own Scoville Scale-like heat characterizations of the cyber threats we are facing below.

Data Breaches: According to Juniper Research, over The Next 5 Years, 146 Billion Records Will Be Breached. The 2017 Annual Data Breach Year-end Review (Identity Theft Resource Center) found that 1,946,181,599 of records containing personal and other sensitive data that have been in compromised between Jan. 1, 2017, and March 20, 2018. The true tally of victims is likely much greater as many breaches go unreported. According to the Pew Research Center, a majority of Americans (65%) have already personally experienced a major data breach.  On the Scoville scale, data breaches, by the nature of their growing exponential threat can be easily categorized at a “Ghost Pepper” level.

Malware: According to Forrester Research’s 2017 global security survey, there are 430 million types of malware online—up 40 percent from just three years ago. The Malware Tech Blog cited that 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. Malware is ubiquitous and we deal with it. It is a steady “Jalepeno Pepper” on the scale.

Ransomware:  Cybersecurity Ventures predicts that ransomware damage costs will rise to $11.5 billion in 2019 with an attack occurring every 14 seconds. According to McAfee Lab’s Threat Report covering Q4 2017, eight new malware samples were recorded every second during the final three months of 2017. Cisco finds that Ransomware attacks are growing more than 350 percent annually. Experts estimate that there are more than 125 separate families of ransomware and hackers have become very adept at hiding malicious code. Ransomware is scary and there is reason to panic, seems like a ”Fatali Pepper.”

Distributed Denial of Service (DDoS):   In 2016, DDoS attacks were launched against a Domain Name System (DNS) called Dyn. The attack directed thousands of IoT connected devices to overload and take out internet platforms and services.  The attack used a simple exploit of a default password to target home surveillance cameras, and routers. DDoS is like a “Trinidad Pepper” as it can do quick massive damage and stop commerce cold. DDoS is particularly a frightening scenario for the retail, financial. and healthcare communities.

Phishing:  Phishing is a tool to infect malware, ransomware, and DDoS. The 2017 Ponemon State of Endpoint Security Risk Report found that 56% of organizations in a survey of 1,300 IT decision makers identified targeted phishing attacks as their biggest current cybersecurity threat. According to an analysis by Health Information Privacy/Security Alert, 46,000 new phishing sites are created every day. According to Webroot, An average of 1.385 million new, unique phishing sites are created each month. The bottom line it is easy anyone to be fooled by a targeted phish. No one is invulnerable to a crafty spear-phish, especially the C-Suite. On the Scoville Scale, Phishing is prolific, persistent, and often causes harm. I rate it at the “Habanero Pepper” level.

Protecting The Internet of Things:  The task of securing IoT is increasingly more difficult as mobility, connectivity and the cyber surface attack space grows. Most analysts conclude that there will be more than 20 billion connected Internet devices by 2020. According to a study conducted in April of 2017 by The Altman Vilandrie & Company, neary half of U.S. firms using The Internet of Things experienced cybersecurity breaches.  Last year, Symantec noted that IoT attacks were up 600 percent. Analysts predict 25 percent of cyber-attacks in 2020 will target IoT environments. Protect IoT can be the “Carolina Reaper” as everything connected is vulnerable and the consequences can be devastating.

Lack of Skilled Cybersecurity Workers: Both the public and private sectors are facing major challenges from a dearth of cybersecurity talent. As companies evolve toward digital business, people with cybersecurity skills are becoming more difficult to find and more expensive for companies to hire and keep. A report out from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. A 2017 research project by the industry analyst firm Enterprise Strategy Group (ESG ) and the Information Systems Security Association (ISSA) found that 70 percent of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage. On the Scoville Scale, I rate the skills shortage as a “Scotch Bonett,” dangerous but perhaps automation, machine learning and artificial intelligence can ease the pain.

Insider Threats: Insider threats can impact a company’s operational capabilities, cause significant financial damages, and harm a reputation. The IBM Cyber Security Index found that 60% of all cyber- attacks were carried out by insiders.  And according to  a recent Accenture HfS Research report 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders over one year. Malicious insider intrusions can involve theft of IP, social engineering; spear-phishing attacks, malware, ransomware, and in some cases sabotage. Often overlooked, insider threats correlate to a “Red Savina Habanero.”

Identity Theft: Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll. The reason for the increased rate of identity fraud is clear. As we become more and more connected, the more visible and vulnerable we become to those who want to hack our accounts and steal our identities. We are often enticed via social media or email phishing. Digital fraud and stealing of our identities is all too common and associated closely to data breaches, a “Chocolate Habanero.”

Crypto-mining and TheftCrypto poses relatively new threats to the cybersecurity ecosystem. Hackers need computing power to find and “mine” for coins and can hijack your computer processor while you are online. Hackers place algorithm scripts on popular websites that people innocently visit.  You might not even know you are being hijacked.  Trend Micro disclosed that Crypto-mining malware detections jumped 956% in the first half of 2018 versus the whole of last year. Also, paying ransomware in crypto currencies seems to be a growing trend. The recent WannaCry and the Petya ransomware attackers demanded payment in bitcoin. On The Scoville Scale, it’s still early for crypto and the threats may evolve but right now a “Tabasco Pepper.”

Potential Remedies: Cybersecurity at its core essence is guided by risk management: people, process, policies, and technologies. Nothing is completely invulnerable, but there are some potential remedies that can help us navigate the increasingly malicious cyber threat landscape. Some of these include:

  • Artificial Intelligence and Machine Learning
  • Automation and Adaptive Networks
  • Biometrics and Authentication Technologies
  • Blockchain
  • Cloud Computing
  • Cryptography/Encryption
  • Cyber-hygiene
  • Cyber Insurance
  • Incident Response Plans
  • Information Threat Sharing
  • Managed Security Services
  • Predictive Analytics
  • Quantum-computing and Super-Computing
  • And … Cold Milk

The bottom line is that as we try to keep pace with rising cybersecurity threat levels, we are all going to get burned in one way or another. But we can be prepared and resilient to help mitigate the fire. Keeping track of threats on any sale can be useful toward those goals.

Chuck Brooks is the Principal Market Growth Strategist for General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. He is also Adjunct Faculty in Georgetown University’s Graduate Applied Intelligence program.

Source: https://www.forbes.com/sites/cognitiveworld/2018/09/05/a-scoville-heat-scale-for-measuring-cybersecurity/#15abda233275

George Duke-Cohan was recruited by criminal group Apophis Squad

A 19-YEAR-OLD MEMBER of hacking group Apophis Squad has been arrested by British cops.

George Duke-Cohan from Watford, who uses the aliases ‘7R1D3N7′, ‘DoubleParalla’ and ‘optcz1′, was identified after the criminal group launched a series of DDoS attacks on Swiss-based encrypted email and VPN provider ProtonMail in June.

Writing on the ProtonMail blog, CEO Andy Yen said that a team of security researchers had assisted the firm in investigating those responsible for the attacks.

“Our security team began to investigate Apophis Squad almost immediately after the first attacks were launched. In this endeavour, we were assisted by a number of cybersecurity professionals who are also ProtonMail users,” he said.

“It turns out that despite claims by Apophis Squad that federal authorities would never be able to find them, they themselves did not practice very good operational security. In fact, some of their own servers were breached and exposed online.”

Yen did not go into details about how Duke-Cohan was ‘conclusively’ identified, save to say that “intelligence provided by a trusted source” played a part.

The group attacked ProtonMail in June, apparently on a whim, but the attacks intensified after CTO Bart Butler responded to a tweet from the group, saying “we’re back you clowns”. Apophis Squad also attacked Tutanota, another encrypted email provider.

Users of ProtonMail email and VPN services saw them briefly disrupted, but “due to the efforts of Radware, F5 Networks, and our infrastructure team, we were able keep service disruptions to a minimum,” Yen said.

As a member of Apophis Squad, Duke-Cohan was also involved in making hoax bomb threats to schools and colleges and airlines which saw 400 educational facilities in the UK and USA evacuated and a United Airlines flight grounded in San Francisco in March.

He pleaded guilty in Luton Magistrates Court to three counts of making bomb threats and is due to appear before Luton Crown Court on September 21 to face further charges. He also faces possible extradition to the US.

Marc Horsfall, senior investigating officer at the National Crime Agency said: “George Duke-Cohan made a series of bomb threats that caused serious worry and inconvenience to thousands of people, not least an international airline. He carried out these threats hidden behind a computer screen for his own enjoyment, with no consideration for the effect he was having on others.”

Duke-Cohan’s parents have said he was “groomed” by “serious people” online through playing the game Minecraft. Apophis Squad is thought to be based in Russia.

ProtonMail’s Yen said other attackers have also been identified and the authorities notified.

“We will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” he said.

Source: https://www.theinquirer.net/inquirer/news/3062293/brit-teen-arrested-for-involvement-in-ddos-attack-on-protonmail

Aatish Pattni, regional director, UK & Ireland, Link11, explores in Information Age how DDoS attacks have grown in size and sophistication over the last two decades.

What is the biggest cyber-threat to your company? In April 2018, the UK’s National Crime Agency answered that question by naming DDoS attacks as the joint leading threat facing businesses, alongside ransomware. The NCA noted the sharp increase in DDoS attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the potential attacks.

It’s no surprise that DDoS is seen as such a significant business risk. Every industry sector is now reliant on web connectivity and online services. No organisation can afford to have its systems offline or inaccessible for more than a few minutes: business partners and consumers expect seamless, 24/7 access to services, and being forced offline costs a company dearly. A Ponemon Institute study found that each DDoS incident costs $981,000 on average, including factors such as lost sales and productivity, the effect on customers and suppliers, the cost of restoring IT systems, and brand damage.

So how have DDoS attacks evolved from their early iterations as stunts used by attention-seeking teens, to one of the biggest threats to business? What techniques are attackers now using, and how can organisations defend themselves?

Early days of DDoS

The first major DDoS attack to gain international attention was early in 2000, launched by a 15-year-old from Canada who called himself Mafiaboy. His campaign effectively broke the internet, restricting access to the web’s most popular sites for a full week, including Yahoo!, Fifa.com, Amazon.com, eBay, CNN, Dell, and more.

DDoS continued to be primarily a tool for pranks and small-scale digital vandalism until 2007, when a range of Estonian banking, news, and national government websites were attacked. The attack sparked nationwide riots and is widely regarded as one of the world’s first nation-state acts of cyberwar.

The technique is also successful as a diversion tactic, to draw the attention of IT and security teams while a second attack is launched: another security incident accompanies up to 75% of DDoS attacks.

Denial of service has also been used as a method of protest by activist groups including Anonymous and others, to conduct targeted take-downs of websites and online services. Anonymous has even made its attacks tools freely available for anyone to use. Recent years have also seen the rise of DDoS-on-demand services such as Webstresser.org. Before being shut down by international police, Webstresser offered attack services for as little as £11, with no user expertise required – yet the attacks were powerful enough to disrupt operations at seven of the UK’s biggest banks.

Amplified and multi-vector attacks

In October 2016, a new method for distributing DoS attacks emerged – using a network of Internet of Things (IoT) devices to amplify attacks. The first of these, the Mirai botnet infected thousands of insecure IoT devices to power the largest DDoS attack witnessed at the time, with volumes over a Terabyte. By attacking Internet infrastructure company Dyn, Mirai brought down Reddit, Etsy, Spotify, CNN and the New York Times.

This was just a signpost showing how big attacks could become. In late February 2018, developer platform Github was hit with a 1.35 Tbps attack, and days later a new record was set with an attack volume exceeding 1.7 Tbps. These massive attacks were powered by artificial intelligence (AI) and self-learning algorithms which amplified their scale, giving them the ability to disrupt the operations of any organisation, of any size.

Attacks are not only getting bigger but are increasingly multi-vector. In Q4 2017, Link11 researchers noted that attackers are increasingly combining multiple DDoS attack techniques. Over 45% of attacks used 2 or more different techniques, and for the first time, researchers saw attacks which feature up to 12 vectors. These sophisticated attacks are difficult to defend against, and even low-volume attacks can cause problems, as happened in early 2018 when online services from several Dutch banks, financial and government services were brought to a standstill.

Staying ahead of next-generation AI-based attacks

As DDoS attacks now have such massive scale and complexity, traditional DDoS defences can no longer withstand them. Firewalls, special hardware appliances and intrusion detection systems are the main pillars of protection against DDoS, but these all have major limitations. Current attack volume levels can easily overload even high-capacity firewalls or appliances, consuming so many resources that that reliable operation is no longer possible.

Extortion by DDoS

The next iteration of attackers set out to use DDoS as an extortion tool, threatening organisations with an overwhelming attack unless they meet the attacker’s demand for cryptocurrency. Notable extortionists included the original Armada Collective, which targeted banks, web hosting providers, data centre operators as well as e-commerce and online marketing agencies in Greece and Central Europe.

Between January and March 2018, Link11’s Security Operation Centre recorded 14,736 DDoS attacks, an average of 160 attacks per day, with multiple attacks exceeding 100 Gbps. Malicious traffic at these high volumes can simply flood a company’s internet bandwidth, rendering on-premise network security solutions useless.

What’s needed is to deploy a cloud-native solution that can use AI to filter, analyse, and block web traffic if necessary before it even reaches a company’s IT systems. This can be done by routing the company’s Internet traffic via an external, cloud-based protection service. With this approach, incoming traffic is subject to granular analysis, with the various traffic types being digitally ‘fingerprinted’.

Each fingerprint consists of hundreds of properties, including browser data, user behaviour, and its origin. The solution builds up an index of both normal and abnormal, or malicious traffic fingerprints. When known attack patterns are detected in a traffic flow, the attack ‘client’ is blocked immediately and automatically in the cloud, before it even reaches customers’ networks – so that only clean; legitimate traffic reaches the organisation. However, regular traffic is still allowed, enabling a business to continue unaffected, without users being aware of the filtering process.

The solution’s self-learning AI algorithms also help to identify and block attacks for which there is no current fingerprint within a matter of seconds, to minimise the impact on the organisation’s website or web services. This means each new attack helps the system improve its detection capabilities, for the benefit of all users. Furthermore, this automated approach to blocking attacks frees up IT and security teams, enabling them to focus on more strategic work without being distracted by DDoS attempts.

In conclusion, DDoS attacks will continue to evolve and grow, simply because with DDoS-for-hire services and increasingly sophisticated methods, they are relatively easy and cheap to do – and they continue to be effective in targeting organisations. But by understanding how attacks are evolving and implementing the protective measures described here, organisations will be better placed to deny DDoS attackers.

Source: https://www.information-age.com/evolution-of-ddos-123473947/