Building A New Cyber Defense Strategy


India, a country of more than a billion people, is now adding close to 10 million daily active internet users every month, the fastest rate of growth in the internet community anywhere in the world [1]. But cyberspace has inherent vulnerabilities that cannot be fully eliminated. Cyber attacks of various kinds threaten the online security of every individual and organization that uses an internet service, and advances in technology help bad actors develop new and versatile attacks. Security vendors, in turn, have to stay ahead of the attackers by building better defenses faster than new attacks appear.

One of the most significant challenges organizations face on the cyber security front is the Distributed Denial of Service (DDoS) attack. A DDoS attack is an attempt to make an online service unavailable by directing massive amounts of traffic at it from many sources at once. In the past such attacks were launched to bring down networks; today they are aimed at applications and online services. Launching a DDoS attack has become simple and cheap, so multi-vector attacks are now the order of the day, and protecting applications against them is increasingly hard for enterprises. DDoS attacks are also growing in frequency, intensity and sophistication, and companies in India have lately been doubling or tripling their security budgets to tackle issues like this.

What has not changed are the delivery methods: infected botnets and vulnerable open servers are still used to create crushing-scale attacks against unwitting targets. As the Internet of Things (IoT) fills networks with connected devices, an attack on one device in the network can cascade to the rest and knock the whole network down, so when connected networks are attacked the consequences are massive and the repercussions spread across everything required for our daily lives. If large-scale attacks such as the one launched by the Mirai botnet can knock a whole country offline [2], it is no herculean task to target a provider of an essential service, such as electricity, and bring a region to its knees.

The Distributed Weaponry for Denial of Service

DDoS attacks are by definition initiated in a distributed fashion, and the attack tools, infected botnets and vulnerable exposed servers, are reused across multiple DDoS campaigns. Unlike conventional attacks, where the attacker relies on stealth and obfuscation to avoid detection, DDoS attacks are loud and easily identified. A common analogy makes the point: finding most security threats is like searching for a needle in a haystack, whereas finding the sources of a DDoS attack is like finding stacks of needles.

In some cases, attackers exploit the fact that UDP is connectionless and does not validate the source address of a request: they send requests to open servers (open DNS resolvers or NTP servers, for example) with the source address spoofed to the target's IP, so that the servers' responses are reflected toward the victim. Because the responses are much larger than the requests, this amplifies the attacker's capability many times over.

Attackers can also use malware-infected computers, servers and IoT devices under the control of a bot herder, typically rented out as DDoS-for-hire services. The sheer number of bots is used to launch stateful and stateless network-layer and application-layer attacks directly at the victim.
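The reflection mechanism described above has a useful signature at the victim's edge: the reflected packets arrive from real open servers, on the service's own source port, in answer to requests the victim never sent. The following is an added example, not code from the original article, that walks a constructed, time-ordered packet sample and separates genuine replies from unsolicited reflector responses. The field names, the reflector port table and the per-request sizes used to estimate amplification are assumptions for illustration.

```python
# Added example (not from the original article): spotting reflected UDP
# amplification traffic at the victim's own edge. Packet records are
# constructed for illustration; field names and sizes are assumptions.
from collections import defaultdict

# UDP services commonly abused as reflectors, with a rough request size
# (bytes) used to estimate the amplification factor. Sizes are assumed.
REFLECTOR_PORTS = {
    53: ("DNS", 60),
    123: ("NTP", 234),
    1900: ("SSDP", 90),
    11211: ("memcached", 15),
}


def classify_udp(packets):
    """Return (per-service summary of unsolicited reflector responses, count
    of legitimate replies).  packets must be in time order; each is a dict
    with dir ('in'/'out'), proto, src, sport, dst, dport and bytes."""
    outstanding = set()          # (remote ip, remote port, local port) we asked
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    legit_replies = 0
    for p in packets:
        if p["proto"] != "udp":
            continue
        if p["dir"] == "out":
            # Remember our own queries so their answers are not flagged.
            outstanding.add((p["dst"], p["dport"], p["sport"]))
            continue
        key = (p["src"], p["sport"], p["dport"])
        if key in outstanding:
            outstanding.discard(key)   # answer to a query we really sent
            legit_replies += 1
        elif p["sport"] in REFLECTOR_PORTS:
            # Reply to a query we never sent: the reflector answered a
            # request whose source address was spoofed to be ours.
            h = hits[p["sport"]]
            h["packets"] += 1
            h["bytes"] += p["bytes"]
            h["sources"].add(p["src"])
    summary = {}
    for port, h in hits.items():
        name, req_size = REFLECTOR_PORTS[port]
        summary[name] = {
            "packets": h["packets"],
            "bytes": h["bytes"],
            "reflectors": sorted(h["sources"]),
            # bytes that reached us per byte the attacker had to send
            "est_amplification": round(h["bytes"] / (h["packets"] * req_size), 1),
        }
    return summary, legit_replies


# Constructed sample: 203.0.113.10 is the protected host.  One genuine DNS
# lookup, one unrelated TCP packet, then unsolicited DNS and memcached
# responses from open servers that were handed a spoofed request.
SAMPLE = [
    {"dir": "out", "proto": "udp", "src": "203.0.113.10", "sport": 40001,
     "dst": "192.0.2.53", "dport": 53, "bytes": 60},
    {"dir": "in", "proto": "udp", "src": "192.0.2.53", "sport": 53,
     "dst": "203.0.113.10", "dport": 40001, "bytes": 120},
    {"dir": "in", "proto": "tcp", "src": "198.51.100.50", "sport": 443,
     "dst": "203.0.113.10", "dport": 51000, "bytes": 1400},
] + [
    {"dir": "in", "proto": "udp", "src": src, "sport": 53,
     "dst": "203.0.113.10", "dport": 80, "bytes": 3000}
    for src in ("198.51.100.1", "198.51.100.2", "198.51.100.1")
] + [
    {"dir": "in", "proto": "udp", "src": "198.51.100.9", "sport": 11211,
     "dst": "203.0.113.10", "dport": 80, "bytes": 1400}
    for _ in range(2)
]

if __name__ == "__main__":
    summary, legit = classify_udp(SAMPLE)
    print("legitimate replies:", legit)
    for name, s in summary.items():
        print(f"{name}: {s['packets']} pkts, {s['bytes']} bytes, "
              f"{len(s['reflectors'])} reflectors, ~{s['est_amplification']}x")
```

Two things follow from the output. The spoofed packets themselves are never visible at the victim, only at the reflector, so the victim cannot block "the attacker"; what it can do is drop service-port-sourced UDP that matches no outstanding request, and the reflector addresses it collects are exactly the kind of entries that end up in the threat intelligence feeds discussed below.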

Because of the nature of DDoS attacks, information about attacks and their sources is a valuable tool for addressing the threat. The repeated use of the same attacking agents, together with knowledge of the IP addresses of vulnerable hosts, makes this an effective basis for proactively improving DDoS defenses.

To grasp the scale of DDoS threat agents, organizations need threat intelligence solutions that gather intel on, and identify the geolocation of, the millions of IP addresses that are commonly used, or could be used, as DDoS attack agents, so that future attacks can be pre-empted.

This knowledge is available from security researchers' accumulated threat intelligence, which logs millions of hosts that are vulnerable to being exploited as DDoS attack agents. The challenge is making these voluminous feeds, which run to tens of millions of entries, go beyond information and become actionable.

Threat intelligence alone cannot prevent DDoS attacks. It is an added benefit that gives organizations a means to strengthen their existing DDoS defenses with real-time data, but the data is useless unless it is converted into actionable insight. Organizations need to couple threat intelligence with modern DDoS mitigation solutions for a proactive DDoS defense strategy.

To be proactive in the face of today's DDoS attacks, DDoS prevention solutions need to demonstrate three capabilities: precision, automation and scalability.

Combining threat intelligence with a solution that offers precision, automation and scalability not only results in a proactive DDoS defense strategy, it also ensures that your network can be protected from even the most devastating DDoS attacks.

Proactive DDoS defense strategy

Unlike legacy DDoS defenses that support only thousands of blacklist entries, the need of the hour is a solution that can hold large class-lists with millions of entries and update them dynamically, so that threat intelligence becomes proactively actionable.
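What makes a feed of tens of millions of entries "actionable" is a data structure that can answer "is this source listed?" for every inbound packet without a linear scan, and that can absorb feed deltas without a rebuild. The following is an added example, not code from the original article or any vendor's product, covering the feed-size problem raised above and the class-list requirement here. It stores an IPv4 feed (single addresses and CIDR blocks, which is an assumption about the feed format) as merged integer ranges, looks up a source by binary search, and layers an allow-list on top so a false positive can be corrected without touching the feed. The feed contents are constructed from documentation address ranges.

```python
# Added example (not from the original article): a class-list that holds
# millions of IPv4 entries as merged integer ranges, supports dynamic
# updates, and answers "is this source listed?" in O(log n).
import bisect
import ipaddress


class IPClassList:
    """Merged, sorted [start, end] integer ranges for an IPv4 feed."""

    def __init__(self, entries=()):
        self._starts = []
        self._ends = []
        self.add(entries)

    @staticmethod
    def _parse(entries):
        for line in entries:
            line = line.split("#", 1)[0].strip()      # drop comments/blank lines
            if not line:
                continue
            net = ipaddress.ip_network(line, strict=False)
            if net.version != 4:
                raise ValueError(f"IPv4 feed expected, got {line}")
            yield int(net.network_address), int(net.broadcast_address)

    def add(self, entries):
        """Merge new feed lines (bare IPs or CIDRs) into the list."""
        ranges = list(zip(self._starts, self._ends))
        ranges.extend(self._parse(entries))
        ranges.sort()
        starts, ends = [], []
        for s, e in ranges:
            if ends and s <= ends[-1] + 1:     # overlapping or adjacent: merge
                ends[-1] = max(ends[-1], e)
            else:
                starts.append(s)
                ends.append(e)
        self._starts, self._ends = starts, ends

    def __contains__(self, ip):
        v = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, v) - 1
        return i >= 0 and v <= self._ends[i]

    def __len__(self):
        return len(self._starts)


class ReputationFilter:
    """Block-list consulted per source, with an allow-list taking precedence
    so a false positive can be corrected without rebuilding the feed."""

    def __init__(self, feed_lines, allow_lines=()):
        self.blocked = IPClassList(feed_lines)
        self.allowed = IPClassList(allow_lines)

    def verdict(self, src_ip):
        if src_ip in self.allowed:
            return "allow"
        return "block" if src_ip in self.blocked else "pass"


# Constructed feed (documentation ranges only), with an overlap included.
FEED = """
# open resolvers / known DDoS agents (constructed sample)
198.51.100.0/24
203.0.113.5
203.0.113.4/30        # overlaps the /32 above -> merged
100.64.0.0/10
""".splitlines()

if __name__ == "__main__":
    f = ReputationFilter(FEED)
    print(len(f.blocked), "ranges after merge")
    for src in ("198.51.100.77", "203.0.113.6", "203.0.113.8", "192.0.2.1"):
        print(src, f.verdict(src))
    f.blocked.add(["192.0.2.0/24"])          # dynamic feed update
    f.allowed.add(["198.51.100.77"])         # exception for a false positive
    print(f.verdict("192.0.2.1"), f.verdict("198.51.100.77"))
```

Merging overlapping and adjacent entries is what keeps the list small even when several feeds repeat the same networks. For a production list of tens of millions of entries the two Python lists would be replaced with packed arrays (the `array` module or NumPy) or a radix tree, and updates would be applied as batched deltas, but the lookup logic stays the same.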

Precision is key in a DDoS defense solution: it is the ability to intelligently distinguish legitimate users from attacking bots. A surgically precise DDoS detection and mitigation solution understands the environment in both peacetime and wartime, so it can drive down false positives and false negatives, and it can use up-to-the-second threat intelligence to pinpoint and block known bad actors. Surgical precision also lowers operating costs, since frontline defenders are not pulled off critical tasks to deal with false alarms and missed incidents.

Precision also protects availability: differentiating legitimate users from those that are not ensures services remain available to actual users at all times, saving downtime costs.

Automation is the ability to auto-detect, mitigate and profile incoming traffic. An intelligent solution simplifies operations and speeds up response time, so that the DDoS defense tools can focus their compute resources on the more sophisticated attacks.

Scalability means the solution mitigates and defends against attacks of all sizes. Attacks are increasing in size and sophistication, and DDoS defense solutions must scale to keep up. Essentially, one must be prepared to defend against frequent and sophisticated attacks as small as 10 gigabits per second (Gbps) as well as the rare occasions when they exceed 1 Tbps. Beyond depth, DDoS defenders must rethink their strategy and scale for the intensity and breadth of an attack, keeping in mind that an attacker's goal is to cause as much damage with as little effort as possible. It is often easier for them to throw many millions of small packets of attack traffic at a network's firewalls and servers than to launch one massive volumetric flood: firewalls, load balancers and servers are limited by the packets and connection states they can process per second, so a flood of small packets can exhaust them at a bandwidth far below the link's capacity. This is where attacks from weaponized IoT devices can cause the most devastation, by exploiting the first "D" in DDoS: distributed. Legacy defenses were built to cope with thousands of coordinating DDoS attack agents, not millions of weaponized IoT endpoints.

Hence modern DDoS solutions must measure the intensity and breadth of an attack in packets per second and in the number of geographically distributed attacking agents, which can run to millions, and not only its size in Gbps of attack traffic.
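The point that Gbps alone misrepresents an attack is easy to show numerically. The following is an added example, not code from the original article, that scores two constructed attacks on three dimensions, bit rate, packet rate and distinct sources, against assumed capacity figures for a protected edge (link rate, the firewall's rated forwarding rate and the size of its source-tracking table; the numbers are illustrative assumptions).

```python
# Added example (not from the original article): measuring an attack by
# intensity (Gbps) and breadth (packets per second, distinct sources)
# against assumed capacity figures for the protected edge.

WIRE_OVERHEAD = 20   # preamble, start delimiter and inter-frame gap per Ethernet frame, bytes

# Assumed capacities: link rate, the firewall's rated forwarding rate and
# the size of its connection/source tracking table. Illustrative only.
CAPACITY = {"gbps": 10.0, "mpps": 2.0, "sources": 100_000}


def pps_from_gbps(gbps, frame_bytes):
    """Packets per second carried by a given bit rate at a given frame size."""
    return gbps * 1e9 / ((frame_bytes + WIRE_OVERHEAD) * 8)


def characterize(attack):
    """attack: dict with gbps, avg_frame_bytes and distinct_sources.
    Returns the measured dimensions and which capacity limits they exceed."""
    mpps = pps_from_gbps(attack["gbps"], attack["avg_frame_bytes"]) / 1e6
    measured = {"gbps": attack["gbps"], "mpps": round(mpps, 2),
                "sources": attack["distinct_sources"]}
    exceeded = [k for k in ("gbps", "mpps", "sources") if measured[k] > CAPACITY[k]]
    return measured, exceeded


# Constructed attacks: a classic volumetric flood of large packets from a
# few thousand agents, and a lower-bandwidth flood of minimum-size packets
# from over a million weaponized IoT endpoints.
ATTACKS = {
    "volumetric": {"gbps": 8.0, "avg_frame_bytes": 1500, "distinct_sources": 3_000},
    "iot_small_packet": {"gbps": 2.0, "avg_frame_bytes": 64, "distinct_sources": 1_200_000},
}

if __name__ == "__main__":
    for name, attack in ATTACKS.items():
        measured, exceeded = characterize(attack)
        print(f"{name}: {measured} exceeds {exceeded or 'nothing'}")
```

At 8 Gbps of 1500-byte packets the edge sees well under a million packets per second and a few thousand sources, comfortably inside every limit; at a quarter of that bandwidth, 64-byte packets from 1.2 million endpoints push the packet rate past the firewall's rated 2 Mpps and the source count far past its table. A defense that watches only the Gbps figure would call the second attack the smaller one.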

With even the government acknowledging that India is vulnerable to cyber espionage [3], it is high time we started addressing the nation's cyber security problems aggressively. Knowing the threats and learning about them inside out is, invariably, the right place to start building the foundation for a resilient cyber defense system.