Fight Back with DDoS Mitigation

Have you ever experienced having a server being overloaded by incoming traffic, or how would we call it – a denial of service? It’s one of the most common cyber attacks and it aims to shut down one’s online systems.

DDoS (Distributed Denial of Service) is an attack on the computer system aiming at bringing the system to a failure, i.e., the creation of conditions under which legitimate users cannot access the victimized resource. In addition to its direct purpose – resource unavailability and failure of the targeted system, it can be used to take steps towards mastering the system (in contingencies it may provide critical content – for example, the version of the code, etc.) or to mask other subsequent attacks.

TYPES OF DDOS ATTACKS

DDoS attacks can be divided into two basic types: attack on the channel and attack on the process, the first of which is just hammered with an overwhelming mass of specially crafted requests, whereas the second is an exploiting software and network protocol vulnerabilities, causing limited productivity of hardware, thus blocking customers’ access to information system resources.

 

HOW DO THINGS WORK?

The network DDoS attack type is usually carried out by means of a botnet (zombie networks). The botnet consists of a large number of computers infected with special malware. Usually, the computers are used without the consent or knowledge of their owners. The botnet is commanded from the control center (by the attacker) to start sending many specially forged requests to the target computer. When the requests consume the available resources, access to legitimate users is blocked.

TYPES OF DDoS MITIGATION SOLUTIONS

Cloud Protection – Service providing DDoS attack protection based on the provider’s infrastructure. All traffic is redirected to the proxy of the provider, where traffic is filtered and sent back cleansed from DDoS traffic.

ADVANTAGES

  • No need to invest in special equipment, uplinks, training, etc.;
  • Freedom and availability in the choice of a supplier;
  • Diversification of the hosting and protection against DDoS attacks;

THE DOWNSIDE

  • Lack of complete control over what is happening;
  • Unreliable information on attack situation from vendor;
  • Traffic is redirected for filtering outside the customer’s infrastructure;

On-Site Protection – protection on the perimeter of the customer’s own infrastructure using specialized equipment – devices acting as a filter to all ingress traffic enters client’s network.

ADVANTAGES

  • Exercise total control over the mitigation process;
  • A comprehensive view of the attack;
  • No traffic is redirected for filtering outside the customer’s infrastructure;

THE DOWNSIDE

  • Considerable investment in special equipment, uplinks, training, etc.;
  • Protection is limited to an uplink capacity;
  • Need to maintain a crew of trained professionals 24/7.

Why is professional mitigation necessary?

  • Using your own existing Equipment? Routers and switches will fold under the load, due to insufficient capacity to deal with DDoS. Stateful in-line Firewalls and ISP’s are not designed to mitigate such attacks – if they can withstand the flood at all, packets simply pass through them.
  • Software solutions that don’t work: the likes of mod_evasive, iptables, Apache / LiteSpeed tuning, kernel tuning are not capable of handling attack size or complexity, thus being useful on a very limited number of occasions.
  • ISP’s won’t help. Your service provider has one way to “help” and that’s to null-route your traffic for a period of their own discretion. You may even get banned for suffering a DDoS attack and bringing others on the shared resource down.
  • Who do you block? Massive numbers of IPs are attacking you, seems the whole world is after your resource. You need to block all attacking IPs and allow only the good ones. Can you do that? And how?
  • Human-like attack behavior. It’s not just the sheer flood you’re dealing with. L7 attacks mimic the behavior of real users, thus eating CPU and RAM.
  • Bandwidth is not enough to mitigate. Feasibility is important when provisioning bandwidth. How much do you need, and how much can you afford? Is it worth it?
  • Is your team up to speed? With changing attack methods, your team needs to be able to roll with the punches – tweaking defenses, finding solutions. Can they do that? Quickly?
  • Can you isolate the victim? DDoS attacks inflict collateral damage. When you can’t isolate the victim of an attack, the others on the network suffer too.
  • Insufficient insight into attack details. You only see the symptoms, without attack details you don’t know the cause nor the solution.

THINGS TO LOOK FOR WHEN PROCURING MITIGATION SOLUTIONS

When you have chosen a good cloud DDoS Mitigation service you will benefit from:

Mitigation Invisibility – Depending on the DDoS attack type, the vendor must use different bot verification methods, with at least the larger majority of them being almost completely invisible to your visitors, so they don’t “feel” the mitigation a hindrance.

Search Engine Friendly – It is important to understand that your website needs to remain visible to search engines, so the vendor must provide full support for the most popular search engines. Also, being open to requests for additional search engine support is a plus.

Multi-Gigabit Protection – Sizable network channels distributed over multiple Points of Presence around the world, empowering the mitigation solution to provide performance and scalability to keep the protected resource going.

Multiple Points of Presence – In order to ensure the lowest latency and lag times globally, the vendor will have placed Points of Presence (PoP) in strategic locations announced with BGP Anycast, thus ensuring your visitors’ traffic goes to the cleansing center that is the geographically closest.

And the rules of thumb for On-Site DDoS Mitigation

While so-called proxy shield vendors are abundant, a contemporary market supply of on-premise solutions is represented by a handful of manufacturers and software developers, each claiming to have the best product for meaningful, cost-effective DDoS mitigation.

On-premise DDoS Mitigation solutions provided by today’s vendors consist of server boxes of one to several U’s, which one is expected to place in their data center, switch on and watch them do the job. Unfortunately, that’s not always efficient against all floods, as 98% of today’s DDoS attacks can be mitigated automatically with hardware, but the remaining 2% require qualified human intervention. Why is that? DDoS methods are constantly changing to find new vulnerabilities in OS, Browser, and Protocol execution. As it happens, predefined counter-measure strategies don’t always work, and attack floods do get past the mitigation device.

THE BOX

Constant care – The best vendor will offer not just the hardware, but you will also benefit from round-the-clock care so you’re never alone when a new type of flood arrives. The vendor will be able to intervene in times of need, and place a global monitoring system at your disposal to make sure your content is available to the world.

Custom integration – The vendor engineers must assess your needs and current or planned network structure. They must ensure the best fit in your specific scenario, so you get the most out of the “Box”. Look for vendors that have the knowledge and expertise to do that and gladly place it at your disposal.

Flexible manning – A good vendor will man your protection stack with dedicated remote intervention engineers. Alternatively, you must be able to train your own people to monitor and effectively fend off DDoS attacks – the vendor must offer initial and interim training courses for your staff.

THE PRICE

TCO spread over time – Instead of spending USD 1/2M on heartless hardware in one go, you should be able to spread the cost over easy, affordable monthly payments. You want to be protected without it costing you an arm and a leg, with pricing based on affordable monthly installments to cover hardware, support, upgrade/update, and manning requirements.

Tailored support– Flexibility in choosing comfort level in receiving and paying for support is an important aspect of choosing a product or service. Most vendors will give you preset levels of support, while a good vendor, will estimate your support requirements and offer you only what you need, when you need it.

Upgrades & updates – Total Cost of Ownership (TCO) can be tricky – usually, you’d have to pay for the initial hardware/software configuration and then factor in the upgrade, maintenance, and update expenditures. A good vendor makes it easy and transparent to assess your TCO.

THE OPTIONS

Failover & redundancy – With DDoS attacks, it is not uncommon to see criminals increase flood magnitude when faced with successful mitigation at first, thus you may have to deal with a situation where the “Box” is not the weak point in your setup, but your own uplink capacity. For those times, when you can’t wait to upgrade your uplink, a versatile vendor will offer to switch you over to their global proxy protection service (if they have one).

Linear scalability – A good “Box” comes preconfigured to protect your entire inbound channel from all types of DDoS attacks. Optionally, larger modules should be available so you can increase the capacity by adding additional mitigation modules that feature linear scalability in protection power. Instead of having to replace the entire solution with a more powerful one in order to meet your needs, a good vendor gives you a Lego-like approach to building your defenses as high as you require by simply adding perfectly integrated modules on top of your existing protection configuration.

What is an Independent Audit Good For?

The audit of Information Security is a comprehensive assessment, which is allowed, in order to assess the current condition of Information Security in the business and to plan timely actions in order to increase the level of security.

The audit of Information Security is conducted when a current necessity of independent assessment of the condition of Information Security is needed.

Why do you need internal audit?

There are a number of reasons to perform internal audits either one-time, ad-hock, or regularly. Some of these may be:

  • If there is a change in the strategy of the company;
  • In case of mergers or acquisitions;
  • When there are significant changes in the organizational structure of the company or change of leadership;
  • When there are new internal or external requirements for Information Security;
  • In the event of significant changes in the business processes and IT infrastructure.

THE RULES OF AUDIT

When performing an internal audit, one needs to take into account and adhere to the following “rules”:

  • Analysis of the organizational and administrative documents of the company;
  • Interviews with employees of the organization: representatives from the business units, the administrators and developers of information systems, professionals in Information Security;
  • Technology for inspection of office space in terms of physical security of the IT infrastructure;
  • Analysis of the configuration settings of hardware and software;
  • Auditing of special hardware (scanners, security analysis, control of the leakage of information, etc.);
  • Penetration testing;
  • Assessment of the knowledge of workers in the field of Information Security.

 

An extra special examination can be made that takes into account the particularities of the audited company. If necessary, in the phase of the study, additional information may be collected, that is needed for the implementation of other projects, which hereinafter will save additional resources for the organization and will help the distribution of its budget.

INDEPENDENT vs. INTERNAL IT AUDIT

Objective – An independent audit is usually performed either due to regulatory requirements or those of third parties wishing to enter in collaborative or supplier relations, an outsourcing partner, for example. Internal audits are usually mandated by management and are more focused on business operations and their continuity.

 

Auditors – An independent audit is carried out by an external team, while internal audits are performed by members of staff. While the independent auditor may provide a more “fair view” of the current state, the internal audit may reflect a business’s proprietary technological and organizational characteristics more closely, with in-depth findings.

 

Reporting – Usually, the independent IT audit will result in the main report being in a format required by auditing standards, with a focus on whether the Information Security claims of the company give a true and fair view and comply with requirements. These reports, whether formal or not, are designed to provide a status snapshot, rather than go into detailed recommendations on how to make things better.

 

Internal audit should produce a tailored report about how the risks and objectives are being managed – with a focus on helping the business move forward. As such, internal audit reports are expected to contain recommendations for improvement of the organization’s Information Security.

SIEM for Beginners

We tend to use a lot of stand-alone systems for the analysis of not-so-easy-to-understand processes, but having a thorough log analysis and the big picture of what the systems do altogether is of great importance.

Let’s talk about Security Information & Event Management or SIEM for short. Such systems are used to collect and analyze information from a maximum number of sources of information – such as DLP system, IPS, routers, firewalls, user workstations, servers, and so on. Practical examples of threats that can only be identified correctly by SIEM:

  • APT attacks – relevant for companies holding valuable information. SIEM is perhaps the only way to detect the beginning of such an attack (with research infrastructure, attackers will generate traffic at different ends that allows you to see this activity by the security event correlation systems SIEM);
  • Detection of various anomalies in the network and on the individual nodes, the analysis of which is unattainable for other systems
  • Response to emergency situations, rapid changes in user behavior

The principle of “supply and forget“ is not applicable. Absolute protection does not exist, and the most unlikely risks can backfire and stop the business and cause huge financial losses. Any software and hardware may not work or be configured incorrectly and let the threat through.

WHAT’S THE NEED FOR INFORMATION SECURITY AND EVENT MANAGEMENT?

  • Regulatory mandates require log management to maintain an audit trail of activity. SIEM’s provide a mechanism to rapidly and easily deploy a log collection infrastructure. Alerting and correlation capabilities also satisfy routine log data review requirements. SIEM reporting capabilities provide audit support as well;
  • A SIEM can pull data from disparate systems into a single pane of glass, allowing for efficient cross-team collaboration in extremely large enterprises;
  • By correlating process activity and network connections from host machines a SIEM can detect attacks, without ever having to inspect packets or payloads;
  • SIEM’s store and protect historical logs, and provide tools to quickly navigate and correlate data, thus allowing for rapid, thorough, and court-admissible forensics investigations.

HOW TO SCOPE A SIEM INTEGRATION?

  • Analysis of events and creation of alerts at any network traffic anomalies, unexpected user actions, unidentified devices, etc.;
    Creation of reports, including ones customized specifically for your needs.
  • For example, a daily report on incidents, a weekly report of top 10 violators, a report on the performance of devices, etc. Reports are configured flexibly according to their recipients;
  • Monitoring events from devices / servers / mission-critical systems, the establishment of appropriate notifications;
  • Logging of all events in the event gathering evidence, analyzing attack vectors, etc.

HOW THE SIEM FUNCTIONS

 

DESIGN & INTEGRATION STEPS

The SIEM implementation should leverage a phased approach, with systematic follow-through of the required stages for solution deployment. The typical SIEM implementation phases are:

REQUIREMENTS GATHERING & ASSESSMENT

А detailed assessment of the company’s environment must be performed with the goal to inventory the existing architecture and identify basic SIEM requirements – to understand the current enterprise security architecture and its critical components, the current tools and procedures used to determine potential risk and the procedures used to confirm regulatory compliance. Identifying the business objectives to be met by the development and implementation of a SIEM, as well as capture a clear network with an inventory of all devices in order to ensure solution comprehensiveness.

SYSTEM DESIGN

А detailed technical SIEM deployment design is to be created, based on the gathered requirements. Converting business requirements to conceptual scenarios, as well as creating technical use cases, logical and physical SIEM architecture designs, and SIEM integration project plan.

INTEGRATION ACTIVITIES

System characteristics require the provision of real-time, centralized monitoring and correlation system over the entire network security infrastructure, as well as notification of and response to harmful security events. Sharing information security event data with all relevant business units and generating security even data for forensic purposes.

This phase involves the tasks of configuring and installing the development environment, implementing technical use cases and the interface component, testing system configuration, documenting system configuration, rolling-out to production, and training & knowledge transferring.

POST-DEPLOYMENT ACTIVITIES

As with most systems, the SIEM one also needs looking after. Ensuring support for the solution, placing an effective 24/7 solution monitoring, and preparing for a change of management, always with an eye of evolving threats, are all a must.

CHOOSING A VENDOR

This is a question that can not be answered in advance. The integrator typically examines client infrastructure, their needs, figuring out what is the client’s budget.

After that the vendors make offers and the integrator proposes to the customer the one most suitable. This is needed because there is a lack of compatibility between different vendors.

Sometimes, it is believed that if you have a SIEM, there is no need to install DLP, IDS, vulnerability scanners, etc. In fact, this is not the case. SIEM can track any anomalies in the network stream, but it will not be able to make the normal analysis. SIEM, strictly speaking, is useless without other security systems. The main advantage of SIEM – collection, storage, and analysis of logs – will be reduced down to zero without the sources of these logs.

Cyber Forensics: Helping You Understand and Recover

Cyber forensics (aka digital forensics) is a branch of forensic science belonging to evidence found in computers, digital storage media, cloud services, and social media. Digital forensics in civil litigation is a growing requirement of courts to ensure evidence is properly preserved, processed, and presented in court. Digital forensic collections, data extraction, and forensic reports are all part of this growing field.

WHY ARE DIGITAL FORENSICS IMPORTANT?

Adding the ability to practice sound computer forensics will:

  • Help you ensure the overall integrity and survivability of your network infrastructure by adding a layer of traceable responsibility and monitor compliance with policies and regulations.
  • Help you capture vital information if your network is compromised and will help you deal with the case internally if the intruder is caught.
  • Help you realize that allocating a greater portion of the information technology budgets for computer and network security will ultimately save your organization money.
  • Help preserve vital evidence or having forensic evidence ruled inadmissible in a court of law.
  • Help your organization comply with new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected.

You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth”, which is designed on the principle that multiple layers of different types of protection from different vendors provide a substantially better protection approach to network and computer security.

Computer forensics is a relatively new discipline to the courts and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux. Nevertheless, digital forensics can be invaluable in dealing with a rogue or ill-intended employee or ex-employee.

In these cases, having the incriminating information intact and safe from further destruction or obliteration, may prove invaluable in not only dealing with said individual, but in applying recovery measures that could otherwise not be possible at all.

ASPECTS OF THE FORENSIC INVESTIGATION

Technical goal: to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case or in internal procedures.

Understanding: those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search. Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property.

Use of tools: the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.

Data types: persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

Volatile data: any data that is stored in memory or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential that the investigator knows reliable ways to capture it.

Personnel: System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence at court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.

Depending on the needs, a whole range of different investigative actions can be taken to produce relevant forensics data. Below is just an exemplary list of actions and checks that reflects the most common scenarios, and can, of course, be expanded to accommodate other requirements:

  • Active, Archival, and Latent Data;
  • Hashes and Checksums;
  • Conducting Keyword Searches;
  • Creating Understandable and Accurate Reports;
  • Creating Forensically Sound Working Copies or Images of Media;
  • Common File Header Formats;
  • Documentation, Chain of Custody, and Evidence Handling Procedures;
  • Assisting with Motions (i.e., Compel Production of HDD’s, Logs, etc.);
  • Questions to Prepare for/Advising Your Retaining Counsel;
  • FAT 12/16/32 File Systems;
  • File Slack, Ram Slack, Drive Slack, and Unallocated Space;
  • NTFS File Systems;
  • Compact Disc Analysis;
  • Interpretation of Various Log Formats;
  • Interpreting Internet History and HTTP concepts;
  • Manual and Automated Data Recovery;
  • Metadata for Microsoft Office and PDF documents;
  • Overcoming Encryption Mechanisms And Password Protection;
  • PC Hardware Concepts;
  • Privacy Issues;
  • Rules of Evidence;
  • Windows Print Spool Files;
  • Windows Registry;
  • Windows Shortcuts;
  • Windows Swap File;
  • Working as an Expert Technical Witness;
  • Insurance/Liability Issues;
  • Viruses and Malware.

Vulnerability Assessment – Know Your Weaknesses

Relax, we’ll not be talking about personal and psychological vulnerabilities here. Instead, let’s talk about IT, its inherent vulnerabilities and their assessment.

IT Vulnerability assessment, also known as vulnerability analysis, is a conscious action aiming to define, identify, and classify the security vulnerabilities in a computer, network, or an entire communications infrastructure. Furthermore, the vulnerability assessment can be used to forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

WHY IS VULNERABILITY ASSESSMENT NECESSARY?

Vulnerability assessment is usually the first step taken in the direction of strengthening an organization’s Information Security. Inasmuch, as it provides a picture of open doors or holes in the security landscape, the vulnerability assessment can be a starting point in rationalizing one’s security strategy, policies, etc. Ultimately, data collected and rationalized fuels the entire Risk Management process.

STEPS

Regardless of the methodology, scope, and timing that can differ, Vulnerability Assessment has to follow certain steps:

  • Determine the scope of assessment;
  • Scan entire network with all devices;
  • Identify and confirm found vulnerabilities;
  • Classify and determine vulnerability levels;
  • Prepare vulnerability report.

THE RELATION TO PENETRATION TESTING

An important part or extension (depending on the underlying philosophy) to vulnerability assessment –Penetration Testing – is usually performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process can provide guidelines for the development of countermeasures to prevent a genuine attack.

Imagine you’re in a room with many doors and you want to know which ones of all these are locked and which not. Vulnerability Assessment does just that – it provides a “list” of unlocked doors. These doors could be used to break into an organization’s communication system, inflicting damage and disrupting operations.

The scope of Vulnerability Assessment is usually all-encompassing, spreading over an entire organization or, at least over an entire critical system the organization uses.

Penetration Testing, on the other hand, may follow a narrower scope. Instead of just listing doors, it goes through each unlocked door to see how far can one reach into the system.

Also, what impact such entry can have, thus exposing possible vulnerabilities that were not seen in the Vulnerability Assessment of the first “batch” of doors.

PLAN FOR ASSESSMENT WITHOUT THESE COMMONPLACE MISTAKES:

Lack of Vision: Creating a plan for vulnerability assessment is not an easy task. As such, you need to look it over from as many sides as possible and explore every aspect of vulnerabilities found. Being narrow-minded when talking about such an assessment, is one of the biggest mistakes you can make. To adequately examine weaknesses in your infrastructure, you need to put yourself in the shoes of the attacker. What better way to do that, than to try even the most outrageous ideas for testing and to simulate even the rarest situations. Don’t exclude any idea before seriously considering it. You should also have in mind that having a member of the senior management in the room, while thinking of ways to assess vulnerabilities, is a bad idea because suddenly ideas stop flowing and people become afraid to explore different possibilities.

Inadequate Compliance: Complying with laws and regulations is not always enough to secure the information infrastructure of your business. Furthermore, in every country, there are examples of government legislation, enforced to increase business security that can, sometimes, interfere with the business environment in an incomplete fashion. The wise and legal thing to do is to address inadequacies with additional measures in order to enhance productive legislation requirements with legally permitted actions.

Bad Reporting: A problem that is often encountered is lacking a technique of reporting. It is nothing new, for an external consulting company, just to drop off a report full of vulnerabilities and problems, leaving the rest to the client. On other occasions, people focus too much on the problem itself, without providing any answers for the weak points in the infrastructure. Another example of bad reporting is concentrating only on categorizing and enumerating the problems found, again with no perspective of finding a solution. Creating a report with the detailed categorization of all problems is vital, but is only half of the work. The other half involves a detailed analysis of the report and the effort to solve problems found in it.

Knowledge Gained Does Not Enter Corporate Culture: Although there is security-sensitive information in a vulnerability assessment report, that cannot be shared lightly with employees, this is no reason to keep staff members in the dark. Security is part of the corporate culture and as such must be embraced by everyone in the company, not as a mandatory requirement, but as something they are involved in. Security staff meetings and debating of security incidents, both in the company and in other companies, will greatly affect the understanding of security as a group effort.

FROM ASSESSMENT TO MANAGEMENT

Determining the Information Security risks in a company is a complex and involving task. In a dynamic and integrated environment, locating and assessing threats and vulnerabilities is simply not enough. Therefore, what you need is not only a simple vulnerability assessment but an integrated process of vulnerability management.

What is vulnerability management and how is it different from vulnerability assessment?

Vulnerability assessment will tell you where and what the vulnerabilities are, while vulnerability management will make sure these vulnerabilities are addressed by actionable measures, such as but not limited to the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), educating users about social engineering, etc.

 

Vulnerability management is the ongoing, cyclical practice to identify, classify, remedy, and mitigate vulnerabilities. The process is especially important when treating issues related to software and firmware. Vulnerability management is integral to computer security and network security and is accompanied by vulnerability assessment, which provides the initial “food for thought”.

Although vulnerabilities are classified by their severity, they are not directly translated to risks in an organization. A high severity vulnerability may or may not be regarded as a critical risk. The risk definitions are handled in the risk assessment process, part of Risk Management activities.