Tag Archives: blocking-ddos

A Scoville Heat Scale For Measuring Cybersecurity

The Scoville Scale is a measurement chart used to rate the heat of peppers and other spicy foods. It can also have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot: the human attack surface is projected to reach over 6 billion people by 2022, and cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats on a scale similar to the one used for the hot peppers we consume. I have provided my own Scoville Scale-like heat characterizations of the cyber threats we are facing below.

Data Breaches: According to Juniper Research, over the next 5 years, 146 billion records will be breached. The 2017 Annual Data Breach Year-end Review (Identity Theft Resource Center) found that 1,946,181,599 records containing personal and other sensitive data were compromised between Jan. 1, 2017, and March 20, 2018. The true tally of victims is likely much greater, as many breaches go unreported. According to the Pew Research Center, a majority of Americans (65%) have already personally experienced a major data breach. On the Scoville scale, data breaches, by the nature of their exponentially growing threat, can easily be categorized at a “Ghost Pepper” level.

Malware: According to Forrester Research’s 2017 global security survey, there are 430 million types of malware online, up 40 percent from just three years ago. The Malware Tech Blog cited that 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the WannaCry virus in 2017, at a total cost of around $4 billion. Malware is ubiquitous and we deal with it. It is a steady “Jalapeño Pepper” on the scale.

Ransomware: Cybersecurity Ventures predicts that ransomware damage costs will rise to $11.5 billion in 2019, with an attack occurring every 14 seconds. According to McAfee Labs’ Threat Report covering Q4 2017, eight new malware samples were recorded every second during the final three months of 2017. Cisco finds that ransomware attacks are growing more than 350 percent annually. Experts estimate that there are more than 125 separate families of ransomware, and hackers have become very adept at hiding malicious code. Ransomware is scary and there is reason to panic; it seems like a “Fatalii Pepper.”

Distributed Denial of Service (DDoS): In 2016, DDoS attacks were launched against the Domain Name System (DNS) provider Dyn. The attack directed thousands of IoT-connected devices to overload and take out internet platforms and services. The attack used a simple exploit of default passwords to target home surveillance cameras and routers. DDoS is like a “Trinidad Pepper,” as it can do quick, massive damage and stop commerce cold. DDoS is a particularly frightening scenario for the retail, financial, and healthcare communities.

Phishing: Phishing is a tool used to deliver malware, ransomware, and DDoS attacks. The 2017 Ponemon State of Endpoint Security Risk Report found that 56% of organizations in a survey of 1,300 IT decision makers identified targeted phishing attacks as their biggest current cybersecurity threat. According to an analysis by Health Information Privacy/Security Alert, 46,000 new phishing sites are created every day. According to Webroot, an average of 1.385 million new, unique phishing sites are created each month. The bottom line is that it is easy for anyone to be fooled by a targeted phish. No one is invulnerable to a crafty spear-phish, especially the C-Suite. On the Scoville Scale, phishing is prolific, persistent, and often causes harm. I rate it at the “Habanero Pepper” level.

Protecting the Internet of Things: The task of securing IoT is increasingly difficult as mobility, connectivity and the cyber attack surface grow. Most analysts conclude that there will be more than 20 billion connected Internet devices by 2020. According to a study conducted in April of 2017 by Altman Vilandrie & Company, nearly half of U.S. firms using the Internet of Things experienced cybersecurity breaches. Last year, Symantec noted that IoT attacks were up 600 percent. Analysts predict 25 percent of cyber-attacks in 2020 will target IoT environments. Protecting IoT can be the “Carolina Reaper,” as everything connected is vulnerable and the consequences can be devastating.

Lack of Skilled Cybersecurity Workers: Both the public and private sectors are facing major challenges from a dearth of cybersecurity talent. As companies evolve toward digital business, people with cybersecurity skills are becoming more difficult to find and more expensive for companies to hire and keep. A report from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. A 2017 research project by the industry analyst firm Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found that 70 percent of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage. On the Scoville Scale, I rate the skills shortage as a “Scotch Bonnet,” dangerous, but perhaps automation, machine learning and artificial intelligence can ease the pain.

Insider Threats: Insider threats can impact a company’s operational capabilities, cause significant financial damages, and harm its reputation. The IBM Cyber Security Index found that 60% of all cyber-attacks were carried out by insiders. And according to a recent Accenture HfS Research report, 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders over one year. Malicious insider intrusions can involve theft of IP, social engineering, spear-phishing attacks, malware, ransomware, and in some cases sabotage. Often overlooked, insider threats correspond to a “Red Savina Habanero.”

Identity Theft: Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll. The reason for the increased rate of identity fraud is clear: the more connected we become, the more visible and vulnerable we are to those who want to hack our accounts and steal our identities. We are often enticed via social media or email phishing. Digital fraud and the stealing of our identities is all too common and closely associated with data breaches, a “Chocolate Habanero.”

Crypto-mining and Theft: Crypto poses relatively new threats to the cybersecurity ecosystem. Hackers need computing power to find and “mine” coins and can hijack your computer’s processor while you are online. Hackers place mining scripts on popular websites that people innocently visit; you might not even know you are being hijacked. Trend Micro disclosed that crypto-mining malware detections jumped 956% in the first half of 2018 versus the whole of last year. Also, paying ransomware in crypto currencies seems to be a growing trend: the recent WannaCry and Petya ransomware attackers demanded payment in bitcoin. On the Scoville Scale, it’s still early for crypto and the threats may evolve, but right now it is a “Tabasco Pepper.”

Potential Remedies: Cybersecurity at its core essence is guided by risk management: people, process, policies, and technologies. Nothing is completely invulnerable, but there are some potential remedies that can help us navigate the increasingly malicious cyber threat landscape. Some of these include:

- Artificial Intelligence and Machine Learning
- Automation and Adaptive Networks
- Biometrics and Authentication Technologies
- Blockchain
- Cloud Computing
- Cryptography/Encryption
- Cyber-hygiene
- Cyber Insurance
- Incident Response Plans
- Information Threat Sharing
- Managed Security Services
- Predictive Analytics
- Quantum-computing and Super-Computing
- And … Cold Milk

The bottom line is that as we try to keep pace with rising cybersecurity threat levels, we are all going to get burned in one way or another. But we can be prepared and resilient to help mitigate the fire. Keeping track of threats on any scale can be useful toward those goals.

Chuck Brooks is the Principal Market Growth Strategist for General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. He is also Adjunct Faculty in Georgetown University’s Graduate Applied Intelligence program. Source: https://www.forbes.com/sites/cognitiveworld/2018/09/05/a-scoville-heat-scale-for-measuring-cybersecurity/#15abda233275

Rise in multifunctional botnets

There is a growing demand around the world for multifunctional malware that is not designed for specific purposes but is flexible enough to perform almost any task. This was revealed by Kaspersky Lab researchers in a report on botnet activity in the first half of 2018. The research analysed more than 150 malware families and their modifications circulating through 600 000 botnets around the world. Botnets are large ‘nets’ of compromised machines that are used by cybercriminals to carry out nefarious activities, including DDoS attacks, spreading malware or sending spam. Kaspersky monitors botnet activity on an ongoing basis to prevent forthcoming attacks or to stop a new type of banking Trojan before it spreads. It does this by employing technology that emulates a compromised device, trapping the commands received from threat actors that are using the botnets to distribute malware. Researchers gain valuable malware samples and statistics in the process.

Drop in single-purpose malware

The first half of 2018 also saw the number of single-purpose pieces of malware distributed through botnets dropping significantly in comparison to the second half of 2017. In H2 2017, 22.46% of all unique malware strands were banking Trojans. This number dropped to 13.25% in the first half of this year. Moreover, the number of spamming bots, another type of single-purpose malware distributed through botnets, decreased dramatically, from 18.93% in the second half of 2017 to 12.23% in the first half of 2018. DDoS bots, yet another typical single-purpose malware, also dropped, from 2.66% to 1.99%, in the same period. The only type of single-purpose malicious program to demonstrate notable growth within botnet networks were miners. Even though their percentage of registered files is not comparable to highly popular multifunctional malware, their share increased two-fold, and this fits the general trend of a malicious mining boom, as noted in previous reports.

There’s a RAT in my PC

Alongside these findings, the company noted distinctive growth in malware that is more versatile, in particular Remote Access Tools (RATs) that give cyber crooks almost unlimited opportunities for exploiting infected machines. Since H1 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from 6.55% to 12.22%, with the Njrat, DarkComet and Nanocore varieties topping the list of the most widespread RATs. “Due to their relatively simple structure, the three backdoors can be modified even by an amateur threat actor. This allows the malware to be adapted for distribution in a specific region,” the researchers said. Trojans, which can also be employed for a range of purposes, did not grow as much as RATs, but unlike a lot of single-purpose malware, still increased, from 32.89% in H2 2017 to 34.25% in H1 2018. In a similar manner to RATs, Trojans can be modified and controlled by multiple command and control servers, for a range of nefarious activities, including cyberespionage or the theft of personal information.

Bot economy

Alexander Eremin, a security expert at Kaspersky Lab, says the reason multipurpose malware is taking the lead when it comes to botnets is clear. “Botnet ownership costs a significant amount of money and, in order to make a profit, criminals must be able to use each and every opportunity to get money out of malware. A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans.” In addition to switching between different ‘active’ malicious activities, it also opens an opportunity for a passive income, as the owner can simply rent out their botnet to other criminals, he added. Source: https://www.itweb.co.za/content/LPwQ57lyaoPMNgkj

How to Protect Businesses Against DDoS Attacks

Security, for any business today, is important; we, at HackerCombat, have already reported on the rising costs of IT security at the global level. More and more businesses today invest heavily in security; they have started realizing that without security, it’s almost impossible for any business to flourish in today’s circumstances. We have arrived at a stage when businesses cannot handle security by simply relying on their ISPs. The proactive measures that businesses adopt for ensuring proper and better security really count. Businesses today are often targeted by DDoS (Distributed Denial of Service) attacks, planned and executed by cybercriminals all over the world. Hence it becomes important that every business today is armed, in all ways possible, to combat DDoS attacks as effectively as possible. Let’s discuss how businesses can secure themselves against such attacks, beginning with what DDoS attacks are and how they happen.

DDoS Attacks: An Introduction

The basic principle of a DDoS attack is this: a very large number of requests are sent from several points targeting a network or server, and in a very short span of time. This bombardment overloads the server and exhausts its resources. The obvious result is that the server fails and sometimes becomes entirely inaccessible, causing a total denial of service, hence the name Distributed Denial of Service attack. The main issue, however, is not only that the server or network becomes inaccessible; it also pertains to the security of the data stored in the network. A DDoS attack makes a server vulnerable, and hackers can penetrate the information system and cause huge losses to the business that’s targeted. The cybercriminals behind a DDoS attack can thus make big money at the expense of the company that’s targeted.

The motives behind DDoS attacks vary; such attacks could be carried out for political or financial gain, while some have retaliation as their sole purpose. Those who look for political gain would target those who hold contradicting political, social or religious beliefs; crippling them through a well-planned and well-executed DDoS attack would be the motive here. Retaliatory attacks happen when a botnet or a large cybercriminal network is dismantled and those who stood by the authorities are targeted. DDoS attacks that are carried out for financial gain follow a simple pattern: those who want a business targeted hire the services of cybercriminals who carry out the DDoS attack, and the hackers are paid for the work they do. Irrespective of the motive, the end result for the business that’s targeted is always the same: the network and online services become unavailable, sometimes for a short period and sometimes for a really long period of time, and data security is also at risk.

How to protect a business from DDoS attacks

ISPs may offer layer 3 and layer 4 DDoS protection, which helps businesses save themselves from many volumetric attacks. But most such ISPs fail when it comes to detecting small, layer 7 attacks. That’s why businesses should not depend on their ISPs alone for protection against DDoS attacks; they should implement measures that ensure comprehensive protection. Here’s a look at the different things that need to be done to combat DDoS attacks effectively:

Go for a good solution provider: There are many service providers who provide layer 3, 4 and 7 protection against DDoS attacks. There are providers of all kinds, ranging from those that offer low-cost solutions for small websites to those that provide multiple coverages for large enterprises. Most of them offer custom pricing options based on your requirements. If yours is a large organization, they would offer advanced layer 7 discovery services with sensors to be installed in your data center. Always go for a good provider of security solutions, as per your needs.

Always have a firewall or IPS installed: Modern firewall software and IPS (Intrusion Prevention Systems) claim to provide a certain level of protection against DDoS attacks. Next-generation firewalls offer both DDoS protection and IPS services and would thus suffice to protect you against most DDoS attacks. There are, of course, some other aspects that need to be kept in mind: your next-generation firewall might get overwhelmed by volumetric attacks and might not suffice for layer 7 detection. Similarly, enabling DDoS protection on your firewall or IPS could adversely impact the overall performance of your system or network.

Use dedicated appliances that fight DDoS attacks: Today, there are many hardware devices that protect you from DDoS attacks. Some of these provide protection against layer 3 and 4 attacks, while some advanced ones give protection against layer 7 DDoS attacks. Such appliances are deployed at the main point of entry for all web traffic, monitor all incoming and outgoing network traffic, and can detect and block layer 7 threats. There are two versions of these hardware solutions, one for enterprises and the other for telecom operators. The ones for enterprises are cost-effective, while the ones for providers are very expensive. Investing in such hardware appliances is always advisable. It’s always good to go for devices that use behavior-based adaptation methods to identify threats; these appliances help protect against unknown zero-day attacks, since there is no need to wait for signature files to be updated.

Remember, for any organization, big or small, it’s really important today to be prepared to combat DDoS attacks. For any organization that has a web property, the probability of being attacked is higher today than ever before. Hence, it’s always good to stay prepared. Prevention, as they say, is always better than cure! Source: https://hackercombat.com/how-to-protect-businesses-against-ddos-attacks/
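To make the principle above concrete (many requests from many sources in a short span, and the behaviour-based detection the dedicated appliances are said to perform), here is an added Python example that is not part of the HackerCombat article. It replays constructed access-log lines through a sliding-window detector that raises one alert for a single noisy client and another for an aggregate surge in which no individual client exceeds the per-source limit. The log format (Common Log Format style), addresses, thresholds and window size are assumptions made for the demonstration.

```python
"""Sliding-window request-rate detection over web-server access-log lines.

Added illustration of the 'many requests from many sources in a short span'
principle; this is not HackerCombat's code. It assumes Common Log Format
style lines; addresses, timestamps and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("req")


def detect_floods(lines, window_seconds=10, per_source_limit=20, aggregate_limit=60):
    """Flag two behaviours inside a sliding window of window_seconds:

    - a single client exceeding per_source_limit requests (a noisy source), and
    - the site as a whole exceeding aggregate_limit requests, which catches a
      distributed flood where every individual client stays under the radar.
    Lines must arrive in time order. Returns a list of (kind, ip, count, ts).
    """
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)
    all_events = deque()
    flagged = set()
    aggregate_alerted = False
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = per_source[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict this client's stale requests
            q.popleft()
        all_events.append(ts)
        while ts - all_events[0] > window:  # evict stale requests site-wide
            all_events.popleft()
        if len(q) > per_source_limit and ip not in flagged:
            flagged.add(ip)
            alerts.append(("per-source", ip, len(q), ts))
        if len(all_events) > aggregate_limit and not aggregate_alerted:
            aggregate_alerted = True
            alerts.append(("aggregate", "*", len(all_events), ts))
    return alerts


def build_sample_log():
    """Constructed access log (not real traffic) with three behaviours mixed in."""
    base = datetime(2018, 9, 5, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    # Background: five clients, one request every two seconds for a minute.
    for t in range(0, 60, 2):
        for n in range(1, 6):
            events.append((base + timedelta(seconds=t), f"198.51.100.{n}"))
    # A single noisy client: 30 requests within three seconds.
    for t in (20, 21, 22):
        for _ in range(10):
            events.append((base + timedelta(seconds=t), "203.0.113.7"))
    # A distributed flood: 40 clients sending only two requests each.
    for t in (40, 41):
        for n in range(1, 41):
            events.append((base + timedelta(seconds=t), f"192.0.2.{n}"))
    events.sort(key=lambda e: e[0])  # stable: insertion order kept within a second
    return [
        f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET /index.html HTTP/1.1" 200'
        for ts, ip in events
    ]


def run_demo():
    """Run the detector over the constructed log; returns the alerts raised."""
    return detect_floods(build_sample_log())


if __name__ == "__main__":
    for kind, ip, count, ts in run_demo():
        print(f"{ts.isoformat()} {kind:<10} {ip:<14} {count} requests in window")
```

Run as a script it prints the two alerts. The aggregate check is the one that matters for a distributed flood: each flooding client here sends only two requests, so a per-source limit alone never fires. In production the thresholds would come from a measured traffic baseline rather than fixed numbers, and the same window logic can be keyed on URL or user agent instead of client address.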

Your data center’s IT is lock-tight, are the facility’s operations?

Data centers are the lifeblood of the enterprise, allowing for scale never before imagined and access to critical information and applications. Businesses are increasingly migrating to the cloud, making the role of the data center more and more valuable. In 2017 alone, companies and funds invested more than $18 billion in data centers, both a record and nearly double that of 2016. But as much growth as this unparalleled level of computing has given SMBs and the enterprise, a level of risk remains, and data center operators often aren’t looking in the right places when identifying security threats. As these data centers evolve, so too do the tools and techniques used by hackers, both novice and pro. Securing the physical spaces that house these critical facilities is becoming more important by the day, and operators are doing themselves a disservice by focusing on IT as the only line of defense against attacks. Often, the physical operation of the building is the wide-open door for a hacker to exploit, and an attack there can cause as much devastation as an attack on software. Even if data center operators think their security operation is lock-tight, there are still several important considerations to ensure a holistic plan is in place. The bottom line? If these measures haven’t been incorporated into a data center’s security plan and ongoing upgrades, there is risk to the entire operation.

Your physical operation is more connected

Smoke detection, CCTV, power management systems and your cooling control are all becoming increasingly connected. The Internet of Things (IoT) has allowed building management systems to become far more advanced than ever imagined when managing the more industrial side of your operation. But as these once-mechanical and manual systems start talking, there are also far more opportunities for malicious damage. If they aren’t already, IT and building operations must be in constant contact, updating one another about the most recent changes to either one’s systems. Without this important dialogue, processes and standards change in a vacuum and can leave back doors open for hackers.

Threats are evolving

Your security plan should too. Many times, operators are solely worried about the data inside the servers, and don’t consider external threats. Gaining access to secure and encrypted servers takes an extremely experienced and skilled hacker. However, infrastructure like HVAC or fire control sprinkler systems is far less complicated to access for a less seasoned cyber-criminal. While a DDoS attack or breach can be dangerous, a cooling operation taken offline or activated fire sprinklers can be downright devastating. Hackers consider this low-hanging fruit, and are almost always looking to do the most damage. Consider updating your security plan with a roadmap of every physical system in place, and sit down with building operations to address potential new areas of weakness.

Consider outside advice to ensure security

No single person can be expected to be an expert on the security of all physical assets. Consulting with a third party that understands how facilities and IT should work together within a data center can be an extremely valuable investment. Consider this: Gartner has estimated that a single minute of network downtime costs $5,600 on average. That’s certainly not a huge sum if the interruption is only 10 minutes due to a DDoS attack, but consider the damage if servers catch fire because of a cooling system shutdown. If a data center spends weeks cleaning up physical damage to a poorly secured physical operation, the results could be devastating. To provide true security, data center operators have to stop assuming hackers can only do damage in the zeros and ones. In reality, as systems become more advanced, true security at data centers relies on a close relationship between IT and facilities, making sure they frequently and accurately communicate about changes, upgrades and observations at their operations. Not doing so risks a lot more than a little downtime. Source: https://www.helpnetsecurity.com/2018/08/29/securing-data-centers/

A DDoS Knocked Spain’s Central Bank Offline

In a distributed-denial-of-service (DDoS) attack that began on Sunday, 26 August, and extended into today, Spain’s central bank was knocked offline. While Banco de Espana struggled to fight off the attack, business operations were not disrupted, according to Reuters. “We suffered a denial-of-service attack that intermittently affected access to our website, but it had no effect on the normal functioning of the entity,” a spokeswoman for Banco de Espana wrote in an email.

DDoS attacks interrupt services by overwhelming network resources. Spain’s central bank is a noncommercial bank, which means that it does not offer banking services online or on site, and communications with the European Central Bank were not impacted.

“Worryingly, as of Tuesday afternoon their website remained offline despite the attack having started on Sunday. Whether this was as a result of an ongoing attack, recovering from any resulting damage or as a precaution pending a forensic investigation is not clear,” said Andrew Lloyd, president, Corero Network Security. “The recent guidance from the Bank of England (BoE) requires banks to have the cyber-resilience to ‘resist and recover’ with a heavy emphasis on ‘resist.’ The BoE guidance is a modern take on the old adage that ‘prevention is better than cure.’ Whatever protection the Bank of Spain had in place to resist a DDoS attack has clearly proven to be insufficient to prevent this outage.”

To help mitigate the risk of a DDoS attack, banks and other financial institutions can invest in real-time protection that can detect attacks before they compromise systems and impact customer service. As of the time of writing this, the bank’s website appears to be back online. Source: https://www.infosecurity-magazine.com/news/ddos-knocked-spains-central-bank/

Sweden’s Social Democrats’ website hacked in attack linked to Russia and North Korea

The website of Sweden’s centre-left Social Democrats has been hacked for a second time, and the IP address responsible was linked to Russia and North Korea, according to the party’s IT provider. The hack was a distributed denial-of-service (DDoS) attack, meaning those responsible disrupted the site to make it unavailable to users. “This is serious. Citizens don’t have access to our site, the heart of our election campaign, where the information about our policies is,” the party’s head of communications, Helena Salomonson, told TT. The site was attacked at around 9pm on Monday, and was down for around six minutes in total, Salomonson said. The party has reported the incident to police.

It’s the second time in around a week that the Social Democrats, currently part of the ruling coalition with the Green Party, have experienced an online attack, after a similar hack when they first launched their election campaign. On that occasion, the site remained down for several hours. “Denial-of-service attacks are quite hard to prevent,” Salomonson said. “Now we need to look over our preventative measures again.” The IP addresses behind the attack were linked to Russia and North Korea, according to information from the party’s IT provider, but Salomonson said: “It feels difficult to speculate about possible participants and motives.” Source: https://www.thelocal.se/20180822/swedens-social-democrats-website-hacked

It’s Time To Protect Your Enterprise From DDoS Attacks

DDoS (Distributed Denial of Service) attacks feature amongst the most dreaded kinds of cyber attacks for any enterprise today. This is especially because, as the name itself suggests, it causes a total denial of service: it exhausts all resources of an enterprise network, application or service, and consequently it becomes impossible to gain access to that network, application or service. In general, a DDoS attack is launched simultaneously from multiple hosts and can overwhelm the resources, the network and the internet services of enterprises of any size. Many prominent organizations today encounter DDoS attacks on a daily basis. DDoS attacks are becoming more frequent and increasing in size, while at the same time becoming more sophisticated. In this context, it becomes really important that enterprises look for DDoS attack prevention services, in fact the best DDoS attack prevention services, so as to ensure maximum protection for their network and data.

The different kinds of DDoS attacks

Though there are different kinds of DDoS attacks, broadly speaking there are three categories into which all of them fit. The first category is volumetric attacks, which aim at overwhelming network infrastructure with bandwidth-consuming traffic or resource-sapping requests. The next category, TCP state-exhaustion attacks, refers to attacks in which hackers abuse the stateful nature of the TCP protocol to exhaust resources in servers, load balancers and firewalls. The third category, application layer attacks, are the ones targeting a particular aspect of an application or service at Layer 7. Of these three categories, volumetric attacks are the most common; at the same time, DDoS attacks that combine all three vectors are becoming commonplace today.

DDoS attacks getting sophisticated, complex and easy-to-use

Cybercriminals today are getting cleverer and smarter. They tend to package complex, sophisticated DDoS attack tools into easy-to-use downloadable programs, thereby making it easy even for non-techies to carry out DDoS attacks against organizations.

What are the main drivers behind DDoS attacks?

There could be many, ranging from ideology or politics to vandalism and extortion. DDoS is increasingly becoming a weapon of choice for hacktivists as well as terrorists who seek to disrupt operations or resort to extortion. Gamers too use DDoS as a means to gain competitive advantage and win online games. There are clever cybercriminals who use DDoS as a diversionary tactic, intending to distract organizations during APT campaigns that are planned and executed in order to steal data.

How to prevent DDoS attacks

The first thing that needs to be done to prevent DDoS attacks is to secure internet-facing devices and services. This helps reduce the number of devices that can be recruited by hackers to participate in DDoS attacks. Since cybercriminals abuse protocols like NTP, DNS, SSDP, Chargen, SNMP and DVMRP to generate DDoS traffic, services that use any of these ought to be carefully configured and run on hardened, dedicated servers. Test repeatedly for security issues and vulnerabilities; one good example is penetration testing to detect web application vulnerabilities. Ensure that your enterprise implements anti-spoofing filters as covered in the IETF Best Common Practice documents BCP 38 and BCP 84, because hackers who plan DDoS attacks generate traffic with spoofed source IP addresses. Though there are no fool-proof techniques that can prevent DDoS attacks completely, you can ensure maximum protection through proper configuration of all machines and services. This ensures that attackers don’t harness publicly available services to carry out DDoS attacks. It should be remembered that it’s difficult to predict or avoid DDoS attacks, and that even an attacker with limited resources can bring down networks or websites. Hence, for any organization, it becomes important that the focus is always on maximum-level protection for enterprise networks, devices, websites etc. Source: https://ddosattacks.net/wp-admin/post-new.php
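As an added example (not from the article above) of the anti-spoofing filtering that BCP 38 and BCP 84 describe, the following Python simulates the ingress decision an edge router makes: a customer-facing interface may only source the prefixes assigned to it, the upstream interface must never deliver packets claiming the network’s own addresses, and unroutable (bogon) sources are dropped everywhere. The interface names, prefixes and the packet sample are constructed for the illustration.

```python
"""Ingress anti-spoofing filter in the spirit of BCP 38 / BCP 84.

Added example, not the article's own code. It models an edge router with two
customer-facing interfaces (each with assigned prefixes) and one upstream
interface; interface names, prefixes and packets are constructed.
"""
from ipaddress import ip_address, ip_network

UPSTREAM_IF = "eth0"
# Constructed topology: prefixes legitimately reachable behind each customer port.
CUSTOMER_PREFIXES = {
    "eth1": [ip_network("192.0.2.0/24")],
    "eth2": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}
# Everything this network originates; packets claiming these sources must
# never arrive from the upstream side.
OUR_PREFIXES = [p for plist in CUSTOMER_PREFIXES.values() for p in plist]
# Private and otherwise unroutable source ranges, never valid on a public link.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def ingress_verdict(interface, src):
    """Decide whether a packet with source src arriving on interface is forwarded."""
    addr = ip_address(src)
    if _in_any(addr, BOGONS):
        return "drop: bogon source"
    if interface == UPSTREAM_IF:
        # Upstream-side check: our own addresses cannot legitimately arrive
        # from the Internet, so a packet claiming one of them is spoofed.
        if _in_any(addr, OUR_PREFIXES):
            return "drop: own prefix from upstream"
        return "accept"
    allowed = CUSTOMER_PREFIXES.get(interface)
    if allowed is None:
        return "drop: unknown interface"
    # BCP 38 strict check: a customer port may only source its assigned
    # prefixes, so a host behind it cannot emit forged-source flood traffic.
    if _in_any(addr, allowed):
        return "accept"
    return "drop: source not assigned to interface"


def filter_packets(packets):
    """Apply ingress_verdict to (interface, src) pairs; returns verdict counts."""
    summary = {}
    for interface, src in packets:
        verdict = ingress_verdict(interface, src)
        summary[verdict] = summary.get(verdict, 0) + 1
    return summary


# Constructed packet sample: legitimate customer traffic, forged sources on
# customer ports, and forged "internal" sources arriving from the upstream.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10"),
    ("eth1", "203.0.113.5"),
    ("eth2", "198.51.100.130"),
    ("eth2", "198.51.100.200"),
    ("eth0", "192.0.2.10"),
    ("eth0", "203.0.113.5"),
    ("eth1", "10.1.2.3"),
    ("eth3", "203.0.113.5"),
]

if __name__ == "__main__":
    for interface, src in SAMPLE_PACKETS:
        print(f"{interface} {src:<16} {ingress_verdict(interface, src)}")
    print(filter_packets(SAMPLE_PACKETS))
```

The per-interface check is the strict form of BCP 38; BCP 84 discusses the loose-mode reverse-path variants needed when a multihomed customer’s return path is asymmetric, which this simulation does not model. The value of deploying it is that hosts behind a filtered port cannot send traffic with forged source addresses, which is exactly what reflection floods through the NTP, DNS, SSDP and other services named above depend on.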

The complete guide to understanding web applications security

MODERN businesses use web applications every day to do different things, from interacting and engaging with customers to supporting sales and operations. As a result, web applications are rich with data and critical to the functioning of the company – which means special precautions must be taken in order to protect them from hackers. However, not all organizations or their applications are subject to the same level of threats and attacks. In an exclusive interview with Gartner’s Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications.

Gartner splits attacks on web and mobile applications and web APIs into four categories:

# 1 | Denial of service (DoS)

DoS is a specific subtype of abuse where the attacker’s goal is to disrupt the availability of the web application or service. In particular, this attack type covers volumetric attacks, which overwhelm network capacity, and so-called “low and slow” attacks, which overwhelm application or service resources.

# 2 | Exploits

Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application. Some common examples include SQL injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks.

# 3 | Abuse

Abuse covers many non-exploit types of attack that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other — often automated — scenarios.

# 4 | Access

Access violations occur when an attacker or legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service.

Of the four categories, Gardner says only exploits can potentially be addressed with secure coding and configuration. The others require design-level considerations that cannot reasonably be compensated for in code. For example, although it is arguably possible to defend against account takeovers in individual application code, it is much more economical and less error-prone to do so in the identity and access management (IAM) system or another external capability.

In an ideal world, the highest level of protection would be available at all times or as needed, but this is not feasible due to complexity and cost. Continuously providing the highest level of protection to all web assets is an expensive proposition, both economically and operationally. Securing web applications and web APIs from attacks and abuse therefore requires businesses to assess what level of protection is necessary. “Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets,” recommends Gardner.

When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs). But these do not provide strong enough capabilities in any of the protection areas, warns Gardner. They are not easily integrated to intercept TLS and do not have the same signatures, rules, behavioral analysis and business-logic insight as security solutions that focus on web applications and APIs.

Organizations often first look at a “completely automated public Turing test to tell computers and humans apart” (CAPTCHA) when they suffer from abuse of functionality. But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is no guarantee of keeping the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs). Multifactor authentication (MFA) and out-of-band (OOB) challenges are often used to enable strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues as CAPTCHA, and in addition are often complex and expensive to implement.

Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories. Some organizations will still be able to start with a single solution to address the biggest potential risks, but they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape.

Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles, and price. Incumbent vendors have begun addressing emerging requirements, but many products still lag. The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending. Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth.

Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today. By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based web application and API protection (WAAP) services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, up from fewer than 20 percent today.

Web applications, mobile applications, and web APIs are subject to increased numbers and complexity of attacks. Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month, explains what organizations must keep in mind when planning and implementing solutions:

- Public, limited-access external, and internal applications require different levels of security.
- No one capability covers all types of attack.
- No two capabilities have interchangeable protection efficacy.
- Some of the capabilities have strong overlaps in addressing specific attack subcategories.
- Enforcement of policy may be centralized or distributed (for example, use of micro-gateways).

“As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach,” concludes Gardner. Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens on development staff.

Source: https://techwireasia.com/2018/08/the-complete-guide-to-understanding-web-applications-security/


DDoS Extortion Group Sends Ransom Demand to Thousands of Companies

A group of DDoS extortionists using the name of Phantom Squad has sent out a massive spam wave to thousands of companies all over the globe, threatening DDoS attacks on September 30 if victims do not pay a ransom demand. The emails spreading the ransom demands were first spotted by security researcher Derrick Farmer, and the threats appear to have started on September 19 and continued ever since.

Hackers looking for small $700 ransoms

The emails contain a simple threat, telling companies to pay 0.2 Bitcoin (~$720) or prepare to have their website taken down on September 30.

[Image: Sample of a Phantom Squad DDoS ransom email]

Usually, these email threats are sent to a small number of companies one at a time, so that the extortionists can carry out attacks if the targeted companies do not pay. This time, the group appears to have sent the emails in a shotgun approach to multiple recipients at the same time, à la classic spam campaigns distributing other forms of malware. Because of this, several experts who reviewed the emails and ransom demands reached the conclusion that the group does not possess the firepower to launch DDoS attacks on so many targets on the same day, and is most likely using scare tactics in the hope of fooling victims into paying.

Extortionists are not the sharpest tool in the shed

The size of this email spam wave is what surprised many experts. Its impact was felt immediately on social media [1, 2, 3, 4] and on webmaster forums, where sysadmins went looking for help and opinions on how to handle the threat. Bleeping Computer reached out to several security companies to get a general idea of the size of this spam wave.

“Not sure how widespread it is in terms of volume, but they are certainly spamming a lot of people,” Justin Paine, Head of Trust & Safety at Cloudflare, told Bleeping. “We’ve had 5 customers so far report these ‘Phantom Squad’ emails,” he added. “These geniuses even sent a ransom threat to the noc@ address for a major DDoS mitigation company.”

Extortionists are “recycling” email text

Radware engineers received similar reports, so much so that the company issued a security alert of its own. Radware security researcher Daniel Smith pointed out that the extortionists may not be the real Phantom Squad, a group of DDoS attackers that brought down various gaming networks in the winter of 2015 [1, 2]. Smith noticed that the ransom note was almost identical to the one used in June 2017 by another group of extortionists using the name Armada Collective. Those extortion attempts through the threat of DDoS attacks also proved to be empty threats, although some were successful.

“The part that I find interesting is the low ransom request compared to the ransom request last month,” Smith told Bleeping Computer. “Last month a fake RDoS group going by the name Anonymous ransomed several banks for 100 BTC.”

Experts don’t believe the group can launch DDoS attacks

This shows an evolution in ransom DDoS (RDoS) attacks, with groups moving from targeting small groups of companies within an industry vertical to mass targeting in the hope of extracting small payments from multiple victims.

“This is what the modern RDoS campaign has come to,” Smith also said. “In the spring of 2016, after a lull in RDoS attacks, a group emerged calling themselves the Armada Collective, but their modus operandi had clearly changed. This group claiming to be Armada Collective was no longer targeting a small number of victims but instead were targeting dozens of victims at once without launching a sample attack.”

“As a result, these attackers were able to make thousands of dollars by taking advantage of public fear and a notorious name. Several other copycat groups that emerged in 2016 and 2017 also leveraged the names of groups like New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous.”

“To launch a series of denial-of-service attacks, this group will require vast resources. Therefore, when a group sends dozens of extortion letters, they typically will not follow through with a cyber-attack,” Smith said. Smith’s opinion is also shared by Paine, who recently tweeted “ransom demands from this group = spam” and “empty threats, zero attacks from this copycat.”

Victims should report extortion attempts to authorities

Japan CERT has issued a security alert informing companies how to handle the fake demands by reporting the emails to authorities. Today, security researcher Brad Duncan also published an alert on the ISC SANS forums, letting other sysadmins and security researchers know not to believe the ransom threats.

Source: https://www.bleepingcomputer.com/news/security/ddos-extortion-group-sends-ransom-demand-to-thousands-of-companies/


Machine Learning in the DOSarrest Operations

Machine Learning can appear in many different forms and guises, but a general definition usually incorporates something about computers learning without explicit programming and being able to adapt automatically. And while Machine Learning has been around for decades as a concept, it has become more of a reality as computational power continues to increase and the proliferation of Big Data platforms makes it easier to capture floods of data. These developments have made ML practical and garnered a lot of interest, as evidenced by the large number of articles in the last two years surrounding AI and Machine Learning.

However, despite all this, the adoption of Machine Learning is still relatively low amongst companies in the tech landscape (Gartner estimates that fewer than 15 percent of enterprises successfully get machine learning into production). And even when you hear about Company X adopting a machine learning strategy, it is often conflated with another strategy or service within that company, without truly realizing the automated ‘adaptiveness’ inherent in ML. Those companies that do realize a proper machine learning strategy, understanding and grooming their data as well as identifying the appropriate model or models, can see real benefits to their operations, which is why DOSarrest has been developing such a strategy over the last year.

Here at DOSarrest, we have been focusing on building an Anomaly Detection engine aimed at the constantly evolving, sophisticated application-layer attacks. We collect huge amounts of data from disparate sources (e.g. customized web logs, SNMP and flow data, IDS logs, etc.), even when customers are not under attack. This provides an opportunity to identify baselines even in a multi-tenant environment. As you would expect, there is a high degree of cardinality within some of the data fields, which can be challenging to work with for data in motion, but can have great benefits.

With these huge structured data sets, we are able to identify KPIs (Key Performance Indicators) and statistics that the engine can leverage to identify anomalous behavior and bring it to the attention of the Security Ops team, who are then able to investigate and act on the identified pattern. The engine continues to refine the probability of a metric, becoming more accurate over time in determining the severity of an anomaly. The strategy holds great promise, and further developments and refinements to this model will continue to evolve the best Security Operations Center in the business.

[Image: A more detailed view of an anomaly – this shows a single IP requesting more than 60 times more frequently than a normal visitor.]

[Image: This screen gives an overview of any anomalies, organized by relevant factors. In this case the remote IP address of the requestor.]

Jag Bains
CTO, DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/machine-learning-in-the-dosarrest-operations
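The per-IP frequency anomaly described above (one client requesting many times more often than a normal visitor) can be reproduced with a baseline-and-ratio check over web logs. The following is an added example, not DOSarrest's engine; the combined-log line format, the median-based "typical visitor" baseline and the 60x threshold are assumptions, and the traffic is constructed.

```python
"""Added example (not DOSarrest's engine): flag per-IP request-rate anomalies.

The baseline is the typical visitor (median requests per client IP in a window);
any IP exceeding that baseline by more than a configurable multiple is reported.
Log lines, format and the 60x threshold are constructed assumptions.
"""
import re
from collections import Counter
from statistics import median

# Combined-log-style line: client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def build_sample_log():
    """Constructed traffic (not real): 20 ordinary visitors making 1-3 requests
    each, plus one client that requests /login 150 times."""
    lines = []
    for i in range(20):
        for j in range(1 + i % 3):
            lines.append(f'203.0.113.{i + 1} - - [01/Oct/2018:10:00:{j:02d} +0000] '
                         f'"GET /page{j} HTTP/1.1" 200 512')
    for k in range(150):
        lines.append(f'198.51.100.7 - - [01/Oct/2018:10:00:{k % 60:02d} +0000] '
                     f'"GET /login HTTP/1.1" 200 128')
    return "\n".join(lines)

def requests_per_ip(log_text):
    """Count parsed requests per client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def find_anomalies(counts, multiple=60.0):
    """Return {ip: ratio} for IPs requesting more than `multiple` times the median
    per-IP count. A median, unlike a mean, is not dragged up by the heavy client."""
    if not counts:
        return {}
    baseline = median(counts.values())
    return {ip: n / baseline for ip, n in counts.items() if n / baseline > multiple}

if __name__ == "__main__":
    for ip, ratio in find_anomalies(requests_per_ip(build_sample_log())).items():
        print(f"anomaly: {ip} made {ratio:.0f}x the requests of a typical visitor")
```

In a multi-tenant deployment the same check would be run per tenant and per time window, since a normal visitor's request count differs from site to site.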
