Protecting your network from DDoS attacks starts with planning your response. Here, security experts offer their best advice for fighting back. DDoS attacks are bigger and more ferocious than ever and can strike anyone at any time. With that in mind we’ve assembled some essential advice for protecting against DDoS attacks. 1. Have your DDoS mitigation plan ready Organizations must try to anticipate the applications and network services adversaries will target and draft an emergency response plan to mitigate those attacks. [ Find out how DDoS attacks are evolving and bookmark CSO’s daily dashboard for the latest advisories and headlines. | Sign up for CSO newsletters. ] “Enterprises are paying more attention to these attacks and planning how they’ll respond. And they’re getting better at assembling their own internal attack information as well as the information their vendors are providing them to help fight these attacks,” says Tsantes. IBM’s Price agrees. “Organizations are getting better at response. They’re integrating their internal applications and networking teams, and they know when the attack response needs to be escalated so that they aren’t caught off guard. So as attackers are becoming much more sophisticated, so are the financial institutions,” she says. “A disaster recovery plan and tested procedures should also be in place in the event a business-impacting DDoS attack does occur, including good public messaging. Diversity of infrastructure both in type and geography can also help mitigate against DDoS as well as appropriate hybridization with public and private cloud,” says Day. “Any large enterprise should start with network level protection with multiple WAN entry points and agreements with the large traffic scrubbing providers (such as Akamai or F5) to mitigate and re-route attacks before they get to your edge. No physical DDoS devices can keep up with WAN speed attacks, so they must be first scrubbed in the cloud. Make sure that your operations staff has procedures in place to easily re-route traffic for scrubbing and also fail over network devices that get saturated,” says Scott Carlson, technical fellow at BeyondTrust. 2. Make real-time adjustments While it’s always been true that enterprises need to be able to adjust in real-time to DDoS attacks, it became increasingly so when a wave of attacks struck many in the financial services and banking industry in 2012 and 2013, including the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo. These attacks were both relentless and sophisticated. “Not only were these attacks multi-vector, but the tactics changed in real time,” says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods. “They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics,” he says. “ Enterprises have to be ready to be as quick and flexible as their adversaries.” 3. Enlist DDoS protection and mitigation services John Nye, VP of cybersecurity strategy at CynergisTek explains that there are many things enterprises can do on their own to be ready to adjust for when these attacks hit, but enlisting a third-party DDoS protection service may be the most affordable route. “Monitoring can be done within the enterprise, typically in the SOC or NOC, to watch for excessive traffic and if it is sufficiently distinguishable from legitimate traffic, then it can be blocked at the web application firewalls (WAF) or with other technical solutions. While it is possible to build a more robust infrastructure that can deal with larger traffic loads, this solution is substantially costlier than using a third-party service,” Nye says. Chris Day, chief cybersecurity officer at data center services provider Cyxtera, agrees with Nye that enterprises should consider getting specialty help. “Enterprises should work with a DDoS mitigation company and/or their network service provider to have a mitigation capability in place or at least ready to rapidly deploy in the event of an attack.” “The number one most useful thing that an enterprise can do — if their web presence is that critical to their business — is to enlist a third-party DDoS protection service,” adds Nye. “I will not recommend any particular vendor in this case, as the best choice is circumstantial and if an enterprise is considering using such a service they should thoroughly investigate the options.” 4. Don’t rely only on perimeter defenses Everyone we interviewed when reporting on the DDoS attacks that struck financial services firms a few years ago found that their traditional on-premises security devices — firewalls, intrusion-prevention systems, load balancers —were unable to block the attacks. “We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before it gets to those devices. They’re vulnerable. They’re just as vulnerable as the servers you are trying to protect,” says Sockrider, when speaking of the attacks on banks and financial services a few years ago. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter. It’s especially important to mitigate attacks further upstream when you’re facing high-volume attacks. “If your internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You’ve already been slaughtered upstream,” says Sockrider. 5. Fight application-layer attacks in-line Attacks on specific applications are generally stealthy, much lower volume and more targeted. “They’re designed to fly under the radar so you need the protection on-premises or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks,” says Sockrider. “Organizations will need a web protection tool that can handle application layer DoS attacks,” adds Tyler Shields, VP of Strategy, Marketing & Partnerships at Signal Sciences. “Specifically, those that allow you to configure it to meet your business logic. Network based mitigations are no longer going to suffice,” he says. Amir Jerbi, co-founder and CTO is Aqua Security, a container security company, explains how one of the steps you can take to protect against DDoS attacks is to add redundancy to an application by deploying it on multiple public cloud providers. “This will ensure that if your application or infrastructure provider is being attacked then you can easily scale out to the next cloud deployment,” he says. 6. Collaborate The banking industry is collaborating a little when it comes to these attacks. Everything they reveal is carefully protected and shared strictly amongst themselves, but in a limited way, banks are doing a better job at collaborating than most industries . “They’re working among each other and with their telecommunication providers. And they’re working directly with their service providers. They have to. They can’t just work and succeed in isolation,” says Lynn Price, IBM security strategist for the financial sector. For example, when the financial services industry was targeted, they turned to the Financial Services Information Sharing and Analysis Center for support and to share information about threats. “In some of these information-sharing meetings, the [big] banks are very open when it comes to talking about the types of attacks underway and the solutions they put into place that proved effective. In that way, the large banks have at least been talking with each other,” says Rich Bolstridge, chief strategist of financial services at Akamai Technologies. The financial sector’s strategy is one that could and should be adopted elsewhere, regardless of industry. 7. Watch out for secondary attacks As costly as DDoS attacks can be, they may sometimes be little more than a distraction to provide cover for an even more nefarious attack. “DDoS can be a diversion tactic for more serious attacks coming in from another direction. Banks need to be aware that they have to not only be monitoring for and defending the DDoS attack, but they also have to have an eye on the notion that the DDoS may only be one aspect of a multifaceted attack, perhaps to steal account or other sensitive information,” Price says. 8. Stay vigilant Although many times DDoS attacks appear to only target high profile industries and companies, research shows that’s just not accurate. With today’s interconnected digital supply-chains (every enterprise is dependent on dozens if not hundreds of suppliers online), increased online activism expressed through attacks, state sponsored attacks on industries in other nations, and the ease of which DDoS attacks can be initiated, every organization must consider themselves a target. So be ready, and use the advice in this article as a launching point to build your organization’s own anti-DDoS strategy. Source: https://www.csoonline.com/article/2133613/network-security/malware-cybercrime-ddos-protection-mitigation-and-defense-7-essential-tips.html
The era of artificial intelligence is upon us, though there’s plenty of debate over how AI should be defined much less whether we should start worrying about an apocalyptic robot uprising. The latter issue recently ignited a highly publicized dispute between Elon Musk and Mark Zuckerberg, who argued that it was irresponsible to “try to drum up these doomsday scenarios”. In the near-term however, it seems more than likely that AI will be weaponized by hackers in criminal organizations and governments to enhance now-familiar forms of cyberattacks like identity theft and DDoS attacks. A recent survey has found that a majority of cybersecurity professionals believe that artificial intelligence will be used to power cyberattacks in the coming year. Cybersecurity firm Cylance conducted the survey at this year’s Black Hat USA conference and found that 62 percent of respondents believe that “there is high possibility that AI could be used by hackers for offensive purposes.” Artificial intelligence can be used to automate elements of cyber attacks, making it even easier for human hackers (who need food and sleep) to conduct a higher rate of attacks with greater efficacy, writes Jeremy Straub, an assistant professor of computer science at North Dakota State University who has studied AI-decision making. For example, Straub notes that AI could be used to gather and organize databases of personal information needed to launch spearphishing attacks, reducing the workload for cybercriminals. Eventually, AI may result in more adaptive and resilient attacks that respond to the efforts of security professionals and seek out new vulnerabilities without human input. Rudimentary forms of AI, like automation, have already been used to perpetrate cyber attacks at a massive scale, like last October’s DDoS attack that shut down large swathes of the internet. “Hackers have been using artificial intelligence as a weapon for quite some time,” said Brian Wallace, Cylance Lead Security Data Scientist, to Gizmodo . “It makes total sense because hackers have a problem of scale, trying to attack as many people as they can, hitting as many targets as possible, and all the while trying to reduce risks to themselves. Artificial intelligence, and machine learning in particular, are perfect tools to be using on their end.” The flip side of these predictions is that, even as AI is used by malicious actors and nation-states to generate a greater number of attacks, AI will likely prove to be the best hope for countering the next generation of cyber attacks. The implication is that security professionals need to keep up in their arms race with hackers, staying apprised of the latest and most advanced attacker tactics and creating smarter solutions in response. For the time being, however, cyber security professionals have observed hackers sticking to tried-and-true methods. “I don’t think AI has quite yet become a standard part of the toolbox of the bad guys,” Staffan Truvé, CEO of the Swedish Institute of Computer Science said to Gizmodo . “I think the reason we haven’t seen more ‘AI’ in attacks already is that the traditional methods still work—if you get what you need from a good old fashioned brute force approach then why take the time and money to switch to something new?” Source: https://www.idropnews.com/news/fast-tech/artificial-intelligence-will-make-cyber-criminals-efficient/49575/
See original article:
How Artificial Intelligence Will Make Cyber Criminals More ‘Efficient’
Overlooked among the stark headlines of the sheer scale of personal information hackers stole from credit monitor Equifax, was a Symantec reportdemonstrating that Dragonfly, a cyber-espionage group, continues to escalate its access to energy facilities’ operational systems in the United States, Turkey, and Switzerland. More than simple exploration and espionage, the report shows a clear step towards pursuing sabotage and destruction, a trend that’s become more common alongside rising geopolitical tensions. This latest cause for alarm should not be viewed as an anomaly but as the current state-of-cyber in 2017 and beyond. Over the last decade, destructive attacks have been targeting an increasing number and variety of organizations and critical infrastructure, but there has been a noticeable spike over the last year. In December, Crash Override, destructive malware largely attributed to Russia, struck the Ukraine power grid with a highly customized attack that could control the grid circuit switches and breakers. A few weeks earlier, Shamoon 2.0 surfaced, targeting Saudi government entities, infecting thousands of machines and spreading to Gulf states. Soon after, Stonedrill, another destructive malware, surfaced, targeting Saudi entities and at least one European organization. These attacks are also evolving and bringing additional effects into play. For example, KillDisk, malware with a wiper component, has recently been updated with a ransomware component. On the other hand, NotPetya masqueraded as ransomware, but was likely a targeted wiper malware attack focused on destabilizing business and state organizations in Ukraine. Dragonfly itself reflects an escalation in objectives from general intelligence gathering towards the system control that necessary for more damaging sabotage. This sort of escalation to destructive attacks usually occurs between interstate rivals with a higher propensity for conflict. In 2009, the North Korea-linked Dark Seoul gang was among the first to deploy wiper malware within a larger campaign, targeting the United States and South Korea with a combination of DDoS attacks and wiper malware. Similarly, following the Iran nuclear agreement, Iran and Saudi Arabia’s relative cyber ceasefire from 2012-15 gave way to a major escalation of tit-for-tat attacks on websites prior to Shamoon 2.0 and Stonedrill. More recently, the back-and-forth between Russia and Ukraine represents the most prominent use of these destructive attacks and the best example of a major power attacking smaller country. In many of these instances, private sector organizations are caught in the crossfires. NotPetya may cost shipping giant Maersk $300 million even though, by most accounts, it was not the intended target. Unfortunately, many of these attack vectors and destructive malware are now in the wild and are likely to be deployed by other groups. Dragonfly is just the latest reminder that attackers are increasingly brazen, and critical infrastructure remains a prime target. Unlike the series of publicized destructive attacks that have been slowly on the rise for the last decade, we see no proof of actual sabotage with Dragonfly, but pre-positioning is probably underway. We should not panic that the grid is about to go down, but we must pay attention to the trend. Furthermore, although the energy sector is a prime target for destructive attacks, enterprises in other industries including media (I’m looking at you, HBO), finance and beyond must also be ready to protect themselves. As long as geopolitical tensions remain high, and with the growing open source proliferation of nation-state malware, this trend is unlikely to abate any time soon. Source: http://www.businessinsider.com/equifax-breach-proves-that-cyber-attacks-are-only-going-to-get-worse-2017-9
View original post here:
Destructive cyberattacks are only going to get worse
A new SANS survey found that ransomware, insider threats and denial of service are considered the top three threats organizations face when it comes to securing sensitive data. According to the study, 78 percent of respondents report encountering two or more threats to their data in the past 12 months, while 12 percent actually encountered a breach, with 43 percent of those encountering exfiltration of sensitive data through encrypted channels. User credentials and privileged account … More ?
The Winning Poker Network has cancelled the third leg of its OSS Cub3d series – the Bigger Online Super Series – due to the threat of further DDoS attacks. The Winning Poker Network´s Bigger Online Super Series (BOSS) was scheduled to be a superb finale to a hugely successful three-tiered OSS Cub3d tournament series. The series had started incredibly well, with events in the Mini Online Super Series beating their guarantees by an average of 67% and the “meat in the sandwich” – the Online Super Series – performing much better than had been expected . However, towards the end of last week, a series of DDoS attacks disrupted the series. Connection issues resulted in the cancellation of tournaments – not only the feature events in the Online Super Series, but also many qualifying satellites for the Million Dollar Sunday. Fortunately, the Million Dollar Sunday event was able to go ahead but, due to fears of further disruption, the Winning Poker Network has decided to cancel the remaining events in the OSS Cub3d schedule. New OSS Cub3d Series Scheduled for Later this Month Announcing the cancellation of the Bigger Online Super Series via the Americas Cardroom Twitch stream, the Winning Poker Network´s CEO – Phil Nagy – explained that the measures needed to be put in place to mitigate the threat of further DDoS would not be completed by Wednesday (the start date for the Bigger Online Super Series). He said rather than risk further frustration and disappointment , he was cancelling the series and rescheduling it for later in the month. Rather than just run the seventeen events cancelled from this week, the Winning Poker Network´s CEO announced a whole new OSS Cub3d series that will run from September 24th to October 22nd and feature two Million Dollar Sunday events – one with a half-price buy-in of just $265.00. Nagy said he would also honour the current finishing positions in the OSS Cub3d leaderboard promotion and give Punta Cana Poker Classic packages to the players occupying the top three positions. New Software and Updated Servers will Help Mitigate DDoS Threat Nagy is confident the rescheduled OSS Cub3d series will be able to go ahead without players suffering the disconnection issues that disrupted last weekend´s events. Within two weeks, new software will be released on updated servers that should be able to withstand DDoS attacks . The long-awaited WPN V2 poker client should also provide players with a more enjoyable online poker experience as many of the bugs that exist with the current version of the software have reportedly been fixed. Nagy also announced the Americas Cardroom mobile app is due to be released next week. First put into development in January, and expected to take between nine and twelve weeks, the app will support games of Jackpot Poker and Sit & Go 2.0 . It is not known whether the app will be available for all skins on the Winning Poker Network so, players wanting to play these games on the go may have to create an account with Americas Cardroom in order to access them. Bad Pelican Takes Million Dollar Sunday for $269,800 The fact that the Million Dollar Sunday event was able to go ahead last weekend was good news for “Bad Pelican”. The infrequent visitor to the Winning Poker Network topped a field of 2,698 to collect the $269,800 first prize after fourteen hours of play . The massive field ensured the million dollar guarantee was met and, in total, 405 players cashed in the event. The volume of players on the Winning Poker Network also ensured guarantee-busting prize pools for most of the weekend´s tournaments. Hopefully the next OSS Cub3d series should go without a hitch. As sites on the Winning Poker Network continue to add new features and player benefits, there will be huge expectations for the next OSS Cub3d series , and it will be a huge disappointment – not least for CEO Phil Nagy – if any of the tournaments have to be cancelled due to DDoS attacks or other connection issues. Source: http://www.pokernewsreport.com/bigger-online-super-series-cancelled-due-to-ddos-attacks-21870
It had been a while, but America’s Cardroom seemed due for another cyber attack. Yup, leading into the Labor Day weekend, ACR and its network, the Winning Poker Network, were hit with a Distributed Denial of Service (DDoS) attack, something that is unfortunately not a unique event for either the online poker room or the network. The attack began Thursday evening, affecting, among many other games, ACR’s Online Super Series (OSS) Cub3d. Problems continued all the way through Saturday. America’s Cardroom initially tweeted about the issues at about quarter after eight Thursday night, writing, “We are currently experiencing a DDOS attack, all running tournaments have been paused. Will keep you updated.” A half hour later, ACR announced that it was cancelling all tournaments in progress and providing refunds per the site’s terms and conditions. At about 9:00pm, the site was back up, but the DDoS attacks continued, causing poker client interruptions less than two and a half hours later. Problems continued well into Friday morning until ACR and WPN finally got things under control (temporarily) close to noon. The pattern continued that evening, with games going down after 6:00pm Friday and then resuming, and going down again after 7:00pm. Finally, around noon Saturday, ACR’s techs seemed to get a handle on things “for good.” In a Distributed Denial of Service attack, the attacker (or attackers) floods a server with millions of communications requests at once. It’s not a virus or a hack or anything malicious like that, but the communications overwhelm the server and grind it to a halt. Think of it like the traffic jam to end all traffic jams. It wouldn’t be THAT big of a deal if the attack was coming from one source, but since it is “distributed,” the attacker arranges it so that it originates from literally millions of IP addresses. It makes defending one’s network insanely difficult. To use another brilliant illustration, if you are trapped in a house and a zombie horde is coming for your juicy brains, it’s scary and awful, but if all the zombies decide to come in through the front door, you can probably handle it if properly equipped. If they surround you and just crash in through every door, window, and mouse hole like in Night of the Living Dead, might as well develop a taste for human flesh because you’re screwed. As with other DDoS attacks, the network was contacted by the aggressor, who demanded a ransom of some sort. WPN CEO Phil Nagy went on Twitch and said he refused to cave to any demands. He even posted a brief series of messages from the attacker, who said he was doing it on behalf of a competing poker room (all spelling mistakes what-not his): this is my job anouther site give me money for doos you and i ddos you this is my job Nagy said that he hoped that by at least making it public that it may be another site responsible for the DDoS attack that it will make someone nervous that they could get caught and the attacks will subside. WPN first experienced a major DDoS attack in December 2014, during its Million Dollar Sunday tournament, when it caused disconnections, lag, and registration problems. It happened again in September 2015 and again in October 2015. The network will be re-running many of the tournaments, including the OSS and MOSS, and will cut the buy-in of the million dollar guaranteed OSS tourney in half as well as add an extra Sunday Million. Source: https://www.pokernewsdaily.com/americas-cardroom-wpn-hit-ddos-attack-30342/
Here’s an overview of some of last week’s most interesting news, podcasts and articles: New, custom ransomware delivered to orgs via extremely targeted emails Ransomware campaigns are usually wide-flung affairs: the attackers send out as many malicious emails as possible and hope to hit a substantial number of targets. But more targeted campaigns are also becoming a trend. Getting a start on cyber threat hunting We live in a world where the adversaries will persist … More ?
A number of security researchers teamed up to fight the WireX botnet. If a random storage manager or video player you downloaded recently has disappeared from your Android device, don’t worry: it might have been for your own good. Google has removed 300 apps from the Play store, which were apparently merely masquerading as legitimate applications. In truth, they were made to hi-jack your phone so it can be used as part of a botnet’s distributed denial of service (DDoS) attacks. WireX, as the botnet is called, pummeled several content providers and delivery networks with traffic from the devices it hi-jacked on August 17th, though it’s been active since around August 2nd. In some cases, it also acted as a ransomware, demanding money from its victim. It was content delivery network Akamai that discovered its existence following an assault on one of its clients. The company then got together with Google and several security researchers from rival companies like Cloudflare, Flashpoint, Oracle + Dyn, RiskIQ, Team Cymru and other organizations to solve the issue. Upon learning that the Play Store is inundated with hundreds of fake WireX apps hiding behind the guise of innocuous programs like storage managers and ringtones, the big G did its part and blocked them all. Here are a few samples of infected apps: In a statement, Mountain View said it’s now also in the process of removing applications from affected devices. It’s unclear how long that would take, though, since based on the team’s research, WireX compromised over 70,000 devices from over 100 countries. Source: https://www.engadget.com/2017/08/29/google-pulls-300-android-apps-wirex-ddos/
An ad-hoc alliance of tech firms has managed to seriously cripple an Android-based botnet that was being actively used to DDoS multiple content providers. The botnet, dubbed WireX by the researchers, consisted of Android devices with malicious apps installed. In fact, in the wake of the discovery, Google has pulled some 300 such apps from Google Play, began removing them remotely from affected users’ devices, and blocked them from being installed. The malicious apps The … More ?
Read the article:
Tech firms band together to take down Android DDoS botnet
The Play Store is looking buggier than ever A coalition of tech firms has taken down the WireX botnet, a malware network run predominantly off Android phones running subverted apps.…
Tech firms take down WireX Android botnet