What DDoS attacks reveal about your security infrastructure

As we close out 2012, there is no doubt that this year will go down as epic in the history books of information security professionals. Looking back on the year it’s not hard to find a laundry list of security programs that have been overrun by nefarious perpetrators or to see how dramatically different the risk landscape is today than just a year ago. Taking stock of it all, the following are some of the most notable attacks:

  • Jan – Feb 2012 – Anonymous attacks various Israeli sites, briefly disrupting operations at, among others, the Israeli stock exchange
  • March 2012 – Operation Global Blackout – Anonymous threatens to take the internet offline by attacking the world's DNS infrastructure
  • July – Aug 2012 – Admin.HLP Trojan wreaks havoc in the wild
  • Aug 2012 – AT&T suffers a near day-long outage stemming from an attack on its DNS infrastructure
  • Sept – Oct 2012 – Operation Ababil launched against US banking and financial institutions. The vast majority of US banks suffer outages of varying severity; the attacks leverage a new SSL attack tool
  • Nov – Dec 2012 – OpIsrael & OpZionism launched against various Israeli interests as a result of the ongoing political conflict.

While these are just a few of this year's attacks, each holds more than enough lessons to keep security professionals learning for months and years to come.

So, what did we learn from this year of carnage? I think we would be fooling ourselves if we believed that the overall success of this past year's attacks could be attributed to luck or isolated to a few obscure examples. These attacks were, by and large, effective across a multitude of technologies, geographies and industries.

On the surface the attacks seemed to have little in common: their effectiveness bore no obvious relation to the size of the victim, its geographic footprint, the security technologies it had in place or the number of people studying the problem (security staff, risk assessment results and so on).

Not all of the attacks succeeded, however. Some notable security programs weathered the storm by and large intact. They shall remain nameless to spare them undue future attention, but these programs were indeed different from the ones that suffered outages.

The people behind these programs are really the unsung heroes of 2012. These security professionals have provided us with a stable model of defense going forward. Let’s look at what they’ve taught us.

Security blind spots
The programs that held up best were doing something the programs that failed were not. In the vernacular of security professionals, the difference between an effective program and an ineffective one usually comes down to a "security blind spot": a class of traffic, a protocol layer or a failure mode that the ineffective program can neither see nor control, and that the attacker found first.

Surveying the 2012 landscape, the high-level differences between organizations that withstood these attacks and those that did not are readily apparent. Below are the five most important lessons learned from the organizations that managed to build a resilient security environment.

The 5 ingredients of a resilient cyber security environment:

1. Increase focus on availability-security
Most security programs are built around confidentiality and integrity; the programs that fared best also treat availability, including response latency under load, as a first-class security property. A DDoS attack steals nothing and alters nothing; it makes the service too slow to use or unreachable, and a control set that only asks "who may read or change what" has nothing to say about that. To combat today's threats, all three aspects, confidentiality, integrity and availability, must be priorities.

2. Understand the value & meaning of architecture as it relates to attacks
Know how the building blocks of your architecture behave under attack: UDP services (connectionless, so their traffic can be spoofed and reflected), CDNs (which absorb traffic aimed at what they front, and nothing else) and stateful devices such as firewalls and load balancers (whose connection tables fill long before their bandwidth does). Knowing the limits of your business-logic decisions is just as important. Ironically, strict RFC and ISO compliance can itself be a known vulnerability: a device that faithfully keeps every half-open connection for the full handshake timeout is doing exactly what the standard says and exactly what a SYN flood needs. What is clear from the past year is that deploying 80% of the known technical and operational controls is no longer adequate.

There must be a process, technical and operational, that lets you lock the environment down completely during an attack, shutting every non-essential service, port and path rather than only the ones that happen to have a control in front of them. Using SSL and TLS rather than cleartext, and not relying on a single point-of-entry security technology to do the whole job, are also crucial to this step.
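The point about compliant behaviour being a weakness is easiest to see in the TCP handshake, so here is an added example (written for this page, not code from the original author) that models two listeners. The first keeps a half-open entry per SYN as the handshake requires; the second answers with a SYN cookie and stores nothing until the ACK arrives. The backlog limit, secret and traffic are all constructed for the demonstration, and the cookie layout (8-bit time bucket plus a 24-bit HMAC slice in the server ISN) is a simplified version of the real technique, with the ACK value treated as the echoed server ISN.

```python
import hashlib
import hmac

COOKIE_SECRET = b"constructed-secret-rotate-me"   # constructed; a real stack rotates this
BACKLOG_LIMIT = 8                                 # tiny, so the flood effect shows quickly
SERVER_PORT = 443


def make_syn_cookie(src_ip, src_port, client_isn, now):
    """Put the half-open state into the server ISN instead of a table entry:
    top 8 bits = coarse time bucket, low 24 bits = HMAC over the connection data."""
    t = int(now // 64) & 0xFF
    msg = f"{src_ip}:{src_port}:{SERVER_PORT}:{client_isn}:{t}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return (t << 24) | int.from_bytes(mac[:3], "big")


def check_syn_cookie(src_ip, src_port, client_isn, ack_isn, now):
    """Accept the final ACK only if it echoes a cookie minted in the last two buckets."""
    ack_isn &= 0xFFFFFFFF
    t = ack_isn >> 24
    if ((int(now // 64) & 0xFF) - t) & 0xFF > 1:
        return False                               # stale (or never issued) cookie
    msg = f"{src_ip}:{src_port}:{SERVER_PORT}:{client_isn}:{t}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    expected = (t << 24) | int.from_bytes(mac[:3], "big")
    return hmac.compare_digest(expected.to_bytes(4, "big"), ack_isn.to_bytes(4, "big"))


class StatefulListener:
    """By-the-book behaviour: every SYN allocates a half-open entry that lives until
    the ACK arrives or a long handshake timer expires. Spoofed SYNs never ACK."""

    def __init__(self, backlog=BACKLOG_LIMIT):
        self.backlog, self.half_open, self.established = backlog, {}, set()

    def on_syn(self, src_ip, src_port, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                            # backlog full: SYN dropped
        server_isn = (client_isn * 7919) & 0xFFFFFFFF   # stand-in for a random ISN
        self.half_open[(src_ip, src_port)] = server_isn
        return server_isn

    def on_ack(self, src_ip, src_port, client_isn, ack_isn):
        key = (src_ip, src_port)
        if self.half_open.get(key) == ack_isn:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


class SynCookieListener:
    """Deviates from the handshake on purpose: a SYN allocates nothing, and the state
    is rebuilt from the ACK, so a flood of SYNs that never complete costs no memory."""

    def __init__(self, now):
        self.now, self.established = now, set()

    def on_syn(self, src_ip, src_port, client_isn):
        return make_syn_cookie(src_ip, src_port, client_isn, self.now)

    def on_ack(self, src_ip, src_port, client_isn, ack_isn):
        if check_syn_cookie(src_ip, src_port, client_isn, ack_isn, self.now):
            self.established.add((src_ip, src_port))
            return True
        return False


def simulate(now=1_000_000):
    """Constructed traffic: 50 spoofed SYNs that never complete, then one real client
    that does. Returns what each listener made of the real client."""
    spoofed = [(f"203.0.113.{i}", 40000 + i, 1000 + i) for i in range(50)]
    real = ("198.51.100.7", 51515, 777)

    stateful = StatefulListener()
    for ip, port, isn in spoofed:
        stateful.on_syn(ip, port, isn)
    stateful_isn = stateful.on_syn(*real)          # None: table already full

    cookies = SynCookieListener(now)
    for ip, port, isn in spoofed:
        cookies.on_syn(ip, port, isn)              # answered, nothing stored
    cookie_isn = cookies.on_syn(*real)
    return {
        "stateful_serves_real_client": stateful_isn is not None,
        "stateful_half_open_entries": len(stateful.half_open),
        "cookie_serves_real_client": cookies.on_ack(real[0], real[1], real[2], cookie_isn),
        "cookie_accepts_forged_ack": cookies.on_ack("203.0.113.1", 40001, 1001, 0x12345678),
    }
```

Running `simulate()` shows the stateful listener holding eight spoofed entries and refusing the real client, while the cookie listener serves the real client and rejects a forged ACK. The caveat a practitioner should keep in mind is that SYN cookies trade away TCP options that do not fit in the cookie, which is why production stacks enable them only once the backlog is under pressure.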

3. Focus on visibility during an attack and on the quality of attack detection
Relying on NetFlow alone leaves blind spots: flow records show volumes and endpoints, not whether a request came from a browser or from a flood tool, so a low-rate application-layer flood spread across thousands of sources can look like ordinary traffic. Challenge/response technology (for example a SYN cookie, an HTTP redirect or a JavaScript challenge that a real client completes and a flood tool does not) is uniquely placed to distinguish attack traffic from legitimate clients. Understanding the value of anomaly detection, and the role a web application firewall plays in an integrated security platform, is also essential.

In addition, your security environment needs to be able to inspect encrypted traffic (SSL/TLS) and encapsulated traffic: Multiprotocol Label Switching (MPLS), General Packet Radio Service (GPRS) tunnels, Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation (GRE). A sensor that only parses plain IP sees none of what travels inside those tunnels.
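To make the NetFlow blind spot concrete, here is an added example (not code from the original page) that runs two detectors over constructed traffic: a volume-only check that mimics what flow records give you, and an HTTP challenge/response filter that hands each source an HMAC token bound to its address and a time bucket and serves only requests that echo it. The addresses, baselines, secret and request log are all made up for the demonstration; the epoch value stands in for whatever clock bucket a real deployment would use.

```python
import hashlib
import hmac
from collections import Counter

CHALLENGE_SECRET = b"constructed-secret-rotate-hourly"   # constructed for this example


def flow_anomaly(flows, baseline, threshold=3.0):
    """Volume-only view, as NetFlow would give it: packets per destination in this
    interval against a (mean, stdev) baseline; flag z-scores above the threshold."""
    per_dst = Counter()
    for f in flows:
        per_dst[f["dst"]] += f["pkts"]
    flagged = {}
    for dst, pkts in per_dst.items():
        mean, sd = baseline[dst]
        z = (pkts - mean) / sd if sd else 0.0
        if z >= threshold:
            flagged[dst] = round(z, 1)
    return flagged


def challenge_token(client_ip, epoch):
    """Token handed out with the challenge (as a cookie or redirect parameter), bound
    to the source address and a time bucket so it cannot be shared or replayed later."""
    msg = f"{client_ip}:{epoch}".encode()
    return hmac.new(CHALLENGE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def challenge_filter(requests, epoch, max_failures=3):
    """Serve requests that echo a valid token; everything else gets the challenge
    instead of the page. Sources that keep arriving without one are suspects."""
    served, failures = [], Counter()
    for req in requests:
        token = req.get("token", "")
        expected = challenge_token(req["src"], epoch)
        if token and hmac.compare_digest(token.encode(), expected.encode()):
            served.append(req)
        else:
            failures[req["src"]] += 1
    suspects = sorted(ip for ip, n in failures.items() if n >= max_failures)
    return served, suspects


def constructed_traffic(epoch):
    """Constructed sample: one real browser, a 200-source low-rate HTTP flood against
    the web server, and a volumetric flood against the DNS server."""
    web, dns, user = "10.0.0.80", "10.0.0.53", "198.51.100.7"
    flows = [{"src": user, "dst": web, "pkts": 40},
             {"src": "192.0.2.9", "dst": dns, "pkts": 90000}]
    flows += [{"src": f"203.0.113.{i}", "dst": web, "pkts": 6} for i in range(200)]
    good = challenge_token(user, epoch)
    requests = [{"src": user, "path": "/", "token": ""}]          # first visit: challenged
    requests += [{"src": user, "path": p, "token": good} for p in ("/", "/news", "/login")]
    # Bots replay a fixed request; they never complete the challenge, so no valid token.
    requests += [{"src": f"203.0.113.{i}", "path": "/search?q=x", "token": ""}
                 for i in range(200) for _ in range(5)]
    baseline = {web: (1100.0, 200.0), dns: (5000.0, 1000.0)}   # pretend history
    return flows, requests, baseline


def run_detection(epoch=20121201):
    flows, requests, baseline = constructed_traffic(epoch)
    flagged = flow_anomaly(flows, baseline)
    served, suspects = challenge_filter(requests, epoch)
    return flagged, served, suspects
```

`run_detection()` flags the DNS server, where 90,000 packets against a 5,000-packet baseline is unmistakable, and says nothing about the web server, where 200 sources sending six packets each add up to a volume inside its normal range. The challenge filter sees the same web traffic differently: the real browser fails once, completes the challenge and is served thereafter, while all 200 flood sources fail every time and are listed as suspects.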

4. Focus on real-time authentication & mitigation decisions
Attacks unfold in real time, so resilient environments integrate source reputation and dynamic blacklisting: a source that misbehaves is scored and blocked while the attack is still running, not after a post-mortem. Security professionals must also be able to coordinate their response with ecosystem service providers such as certificate authorities (CAs), authoritative DNS providers and cloud providers, since a DNS or certificate change made under attack depends on them.

Finally, real-time signature generation for anomalous threats plays a key role in successful mitigation: once a handful of sources have been identified, a signature derived from what their requests have in common blocks the rest of the botnet at its first request instead of waiting for each source to earn a bad score.
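The two mechanisms just described, a decaying reputation score with a dynamic blacklist and a signature minted from the traffic of already-banned sources, are shown together in this added example (written for this page, not the original author's code). The request log, scoring weights, ban threshold and half-life are constructed; in practice they come from your own baselines.

```python
from collections import Counter, defaultdict

BAN_AT, HALF_LIFE, BAN_SECONDS = 10.0, 60.0, 600   # constructed tuning values


class Reputation:
    """Per-source score that decays with a half-life, so a burst of bad behaviour
    bans a source while a real user's occasional mistake is forgotten."""

    def __init__(self):
        self.scores = {}   # ip -> (score, time of last update)
        self.banned = {}   # ip -> expiry time (the dynamic blacklist)

    def penalize(self, ip, points, now):
        score, last = self.scores.get(ip, (0.0, now))
        score = score * 0.5 ** ((now - last) / HALF_LIFE) + points
        self.scores[ip] = (score, now)
        if score >= BAN_AT:
            self.banned[ip] = now + BAN_SECONDS
        return score

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.banned.pop(ip, None)          # expired entries fall off the blacklist
        return False


def normalize(req):
    """Strip the query string so randomized URLs collapse onto one path."""
    return {"method": req["method"], "path": req["path"].split("?")[0], "ua": req["ua"]}


def derive_signature(bad, good, min_support=0.8):
    """Keep each attribute whose dominant value covers most offending requests and
    never occurs in the known-good sample. Returns {} if nothing separates them."""
    sig = {}
    for field in ("method", "path", "ua"):
        value, count = Counter(normalize(r)[field] for r in bad).most_common(1)[0]
        if count / len(bad) >= min_support and all(normalize(g)[field] != value for g in good):
            sig[field] = value
    return sig


def matches(sig, req):
    n = normalize(req)
    return bool(sig) and all(n[k] == v for k, v in sig.items())


def run_mitigation(requests):
    """Process a request log in time order: drop banned sources and signature matches,
    serve the rest, score every 4xx, and mint a signature once three sources are banned."""
    rep, sig, seen, stats = Reputation(), {}, defaultdict(list), Counter()
    for req in sorted(requests, key=lambda r: (r["t"], r["src"])):
        ip, now = req["src"], req["t"]
        if rep.is_banned(ip, now):
            stats["dropped_banned"] += 1
            continue
        if matches(sig, req):
            stats["dropped_by_signature"] += 1
            continue
        stats["served"] += 1
        seen[ip].append(req)
        if req["status"] >= 400:
            rep.penalize(ip, 1.0, now)
        if not sig and len(rep.banned) >= 3:
            bad = [r for b in rep.banned for r in seen[b]]
            good = [r for src, rs in seen.items() if src not in rep.banned
                    for r in rs if r["status"] < 400]
            sig = derive_signature(bad, good)
    return dict(stats), sig, rep


def constructed_log():
    """Constructed log: two waves of bots failing logins, plus one real user."""
    bot_ua = "Mozilla/5.0 (Windows NT 5.1; rv:3.6) Gecko/20100101 Firefox/3.6"
    user_ua = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
    log = []
    for b in range(5):                       # wave 1 starts at t=0
        for k in range(12):
            log.append({"t": k, "src": f"203.0.113.{10 + b}", "method": "POST",
                        "path": f"/login?r={b}{k}", "ua": bot_ua, "status": 401})
    for b in range(20):                      # wave 2 joins 30 s later, same tooling
        for k in range(12):
            log.append({"t": 30 + k, "src": f"203.0.113.{50 + b}", "method": "POST",
                        "path": f"/login?r={b}{k}", "ua": bot_ua, "status": 401})
    for t, method, path, status in [(5, "POST", "/login", 401), (7, "POST", "/login", 401),
                                    (9, "GET", "/account", 200), (20, "GET", "/", 200),
                                    (40, "GET", "/account", 200)]:
        log.append({"t": t, "src": "198.51.100.7", "method": method,
                    "path": path, "ua": user_ua, "status": status})
    return log
```

With these values a bot is banned on its eleventh failed login (the decayed score crosses 10.0 there), the first three bans produce a signature of `POST /login` with the bots' user agent, and the second wave of twenty sources is dropped at its first request without ever being scored. The real user's two failed logins leave a score under 2 and are never mistaken for the campaign, and checking the candidate signature against known-good traffic is what keeps it from matching the user's own `POST /login` attempts.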

5. Understand the value of emergency response and retaining offensive attack capabilities
Do not underestimate the value of having an emergency response plan in place before an attack occurs. To build one, establish an internal intelligence-gathering network that tracks current risks and gauges how susceptible the organization is to a cyber attack. Leadership matters here too: a knowledgeable security professional must oversee and coordinate emergency response and attack mitigation.

Beyond being prepared, organizations need to think past pure defense and adopt techniques that actively mitigate attackers rather than simply absorbing what they send. Given the nature of today's attacks, the security infrastructure must be able to change configurations and techniques during an attack as the attacker adapts.

There is no doubt that the selection of security technologies is very important. But a successful environment is not only a matter of selection: each technology serves a specific purpose, and integrating them properly matters just as much. The organizations that came through these attacks were keen buyers of world-class technology, but more importantly they deployed and integrated it in a way that let them make full use of information and processes to detect and mitigate attacks as they unfold in real time.

In 2013, if you find yourself facing cyber attack risks or vulnerabilities, these are the steps to take as soon as possible to stave off these threats.