Introduction to Cybersecurity Part 2

Introduction to Cybersecurity Part 2 Case Study: Which Technologies, Products/Providers to Counter 2 Threats (DDoS Attack and SQL Injection)?

This is a seven-part introduction to cybersecurity. The second and following parts of the guide introduce the reader to a case study:

Which technologies, products and providers can be used to counter two threats (a DDoS attack and SQL injection)?

Disclaimer: this preliminary recommendation is based on the type of DDoS attack employed by the attackers as described in open media sources, without sight of the actual system, and is therefore to be revised once more information becomes available.

In order to recommend technologies, products and providers, one needs to understand the “anatomy” of the attacks. For this reason, relevant information was gathered and analysed; otherwise the recommendation would be largely superficial.

Background information about the attack:
DDoS attacks often serve as camouflage for a targeted attack aimed at important data: while the defenders are busy keeping the site up, the intruder goes after the data.

In the well-known TalkTalk attack of October 2015, the attacker appears to have used many systems to simultaneously launch attacks against a remote host, flooding the company’s website with internet traffic in order to overload its digital systems and take them offline. The fact that sensitive customer information was also taken indicates that a second attack was taking place at the same time.

The major advantages to an attacker of using a DDoS attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down.

These attacker advantages cause challenges for defence mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker can simply add more attack machines. The end result is still a website that is completely down for a period of time.

A recommendation should therefore not consist of simply naming some products, as that would not resolve the problem in a sustainable way. The right approach is holistic, and the choice of providers will depend on the final selection of solutions applicable in this precise case.

The anatomy of the attack needs to be established first; then the “illness” from which the system collapsed; then the remedy that can treat that illness (some approaches provide a short-term remedy, others a long-term solution). Finally, I will go into the precautions and maintenance needed to build robust immunity against further attacks.

Systems are like humans: they may show signs of being sick with angina, and most doctors will prescribe ready-made products (anti-angina pills). Others will look at the deeper anatomy and find holistic solutions that treat the source of the problem rather than only its consequences, so that the result is sustainable.

None of the sources reporting on the TalkTalk attack identified how the company’s internet traffic was overloaded (which one would need to understand), and it could have been done through either:

1) a network-centric attack, which overloads a service by using up its bandwidth, or

2) an application-layer attack, which overloads a service or database with application calls.

Both forms either crash services or flood them: the inundation of packets at the target causes a denial of service. While the media tend to focus on the target of a DDoS attack as the victim, in reality there are many victims: the final target and also the systems controlled by the intruder. Although the owners of co-opted computers are typically unaware that their machines have been compromised, they are nevertheless likely to suffer degraded service.
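To make the distinction between the two attack forms concrete, here is an added example (not from the original article, and not based on TalkTalk’s actual traffic) that classifies one second of traffic as a network-centric or an application-layer flood. It assumes NetFlow-style flow records and combined-format web server logs; the baseline figures, thresholds and sample traffic are constructed for illustration.

```python
"""Tell a network-centric (bandwidth/packet) flood from an application-layer
(request) flood using one second of flow records and HTTP access-log lines."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    proto: int       # 6 = TCP, 17 = UDP
    dst_port: int
    packets: int
    octets: int


# Assumed "normal second" for the site; a real deployment learns this from history.
BASELINE = {"bps": 5_000_000, "pps": 2_000, "rps": 50}

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def summarize_flows(flows, window_s=1.0):
    """Packets/s, bits/s and distinct sources seen in the window."""
    return {
        "pps": sum(f.packets for f in flows) / window_s,
        "bps": sum(f.octets for f in flows) * 8 / window_s,
        "sources": len({f.src for f in flows}),
    }


def summarize_http(lines, window_s=1.0):
    """Requests/s, distinct clients and how concentrated requests are on one path."""
    paths, clients, n = Counter(), set(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparseable lines rather than crash
        n += 1
        clients.add(m["ip"])
        paths[m["path"].split("?", 1)[0]] += 1   # ignore the query string
    top_path, top_n = paths.most_common(1)[0] if paths else ("", 0)
    return {"rps": n / window_s, "clients": len(clients),
            "top_path": top_path, "top_share": (top_n / n) if n else 0.0}


def classify(flow_stats, http_stats, baseline=BASELINE, factor=10):
    """Label the window by which baseline it exceeds by `factor` or more."""
    volumetric = (flow_stats["bps"] >= factor * baseline["bps"]
                  or flow_stats["pps"] >= factor * baseline["pps"])
    app_layer = http_stats["rps"] >= factor * baseline["rps"]
    if volumetric and app_layer:
        return "network-centric and application-layer"
    if volumetric:
        return "network-centric (bandwidth/packet flood)"
    if app_layer:
        return "application-layer (request flood)"
    return "no flood detected"


# ---- constructed samples (illustrative only, not real TalkTalk data) ----
def _log_line(ip, path, i):
    return f'{ip} - - [22/Oct/2015:10:00:{i % 60:02d} +0000] "GET {path} HTTP/1.1" 200 512'


def network_flood_sample():
    """25k one-packet UDP datagrams from ~250 sources; the web tier barely logs anything."""
    flows = [Flow(f"198.51.100.{i % 250}", 17, 53, 1, 1400) for i in range(25_000)]
    lines = [_log_line(f"192.0.2.{i}", "/", i) for i in range(20)]
    return flows, lines


def app_flood_sample():
    """3k GETs to an expensive search endpoint from 200 clients; bandwidth stays modest."""
    flows = [Flow(f"203.0.113.{i % 200}", 6, 443, 3, 600) for i in range(3_000)]
    lines = [_log_line(f"203.0.113.{i % 200}", f"/search?q=term{i}", i) for i in range(3_000)]
    return flows, lines


def normal_sample():
    """Ordinary browsing from a few dozen clients."""
    flows = [Flow(f"192.0.2.{i % 40}", 6, 443, 8, 900) for i in range(300)]
    lines = [_log_line(f"192.0.2.{i % 40}", ["/", "/login", "/account"][i % 3], i) for i in range(40)]
    return flows, lines


if __name__ == "__main__":
    for name, (flows, lines) in [("network", network_flood_sample()),
                                 ("application", app_flood_sample()),
                                 ("normal", normal_sample())]:
        fs, hs = summarize_flows(flows), summarize_http(lines)
        print(f"{name:12s} {fs['bps'] / 1e6:7.1f} Mbit/s {fs['pps']:7.0f} pps "
              f"{hs['rps']:6.0f} rps top={hs['top_path']} ({hs['top_share']:.0%}) -> {classify(fs, hs)}")
```

The point of looking at both data sources together is that the two attack forms leave different fingerprints: a bandwidth flood shows up in packet and byte counters long before the web server logs anything, while an application-layer flood looks unremarkable on the wire and only stands out as a request rate far above baseline, concentrated on an expensive path. Which one it is decides whether upstream scrubbing or application-side rate limiting is the first remedy.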

To choose the right approach, one needs to examine:

1) which method the attackers used to overload the traffic;

2) how exactly the system was affected;

3) which symptoms occurred during the attack;

4) how many devices were affected and became part of a botnet or “zombie army” (a group of co-opted computers under the control of an intruder).

The effect of a DDoS attack is determined by its duration and scenario; these two elements define the scope of the damage inflicted on the target.

It is also important to have full information about the evolution and development of all three attacks on the company within the last 12 months.

Generally, to have basic protection against DDoS threats, an organisation needs to settle its defence strategy and tactics in advance, subscribe to a junk-traffic filtering (“scrubbing”) service and take whatever further actions the particular case requires. Without this, once an attack starts it will be much harder to avoid losses.

Defensive responses to denial-of-service attacks typically involve the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate.

Typical DDoS mitigation consists of a set of techniques for resisting distributed denial-of-service attacks on networks attached to the Internet by protecting the target and relay networks. This is done by passing network traffic addressed to the attacked network through high-capacity networks with “traffic scrubbing” filters.

DDoS mitigation requires correctly identifying incoming traffic in order to separate human traffic from human-like bots and hijacked web browsers. This is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers and JavaScript footprints.

Manual DDoS mitigation is no longer recommended, because attackers can circumvent mitigation that has to be activated by hand: by the time an operator notices the flood and switches the filters on, the site has already been down for a while. Best practice is to have both anti-DDoS technology and an anti-DDoS emergency response service. DDoS mitigation is also available through cloud-based providers.
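As an added example of the request-level classification described above (not the original article’s code, nor any particular provider’s), the following scrubber decides per request whether to allow it, serve a JavaScript challenge, or block it. It uses the source IP’s request rate, the User-Agent signature, the presence of headers a real browser always sends, and an HMAC-signed cookie that the challenge page sets once a browser has executed it. The secret key, cookie name, header names, tool signatures and thresholds are all assumptions made for the example.

```python
"""Per-request DDoS scrubbing: allow, challenge or block an HTTP request from
its source rate, header signature and a signed JavaScript-challenge cookie."""
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"example-only-secret-rotate-me"   # assumed; keep in a secret store in practice
COOKIE_NAME = "js_ok"                        # assumed name of the challenge cookie
COOKIE_TTL = 3600                            # seconds a passed challenge stays valid
TOOL_SIGNATURES = ("python-requests", "curl/", "wget/", "go-http-client", "libwww")


def _tag(ip, ua, ts):
    """Bind the cookie to the client IP, User-Agent and issue time."""
    msg = f"{ip}|{ua}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge_cookie(ip, ua, now):
    """Value the JS challenge page sets after a real browser executes it."""
    return f"{now}.{_tag(ip, ua, now)}"


def cookie_valid(cookie, ip, ua, now):
    """Reject missing, malformed, expired, forged or replayed-from-another-IP cookies."""
    if not cookie or "." not in cookie:
        return False
    ts_s, tag = cookie.split(".", 1)
    if not ts_s.isdigit():
        return False
    ts = int(ts_s)
    if ts > now or now - ts > COOKIE_TTL:
        return False
    return hmac.compare_digest(tag, _tag(ip, ua, ts))


def _challenge_cookie(headers):
    """Pull the challenge cookie out of a Cookie header, if present."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


class Scrubber:
    def __init__(self, rate_limit=20, window=10):
        self.rate_limit = rate_limit     # requests per window per source IP
        self.window = window             # seconds
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests

    def _over_rate(self, ip, now):
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.rate_limit

    def decide(self, req):
        """req = {"ip": str, "headers": {name: value}, "ts": int}; returns allow/challenge/block."""
        ip, headers, now = req["ip"], req["headers"], req["ts"]
        ua = headers.get("User-Agent", "")
        if self._over_rate(ip, now):
            return "block"                      # per-source rate limit exceeded
        if ua == "" or ua.lower().startswith(TOOL_SIGNATURES):
            return "block"                      # known scripting-tool signature
        if "Mozilla/" in ua and ("Accept" not in headers or "Accept-Language" not in headers):
            return "challenge"                  # claims to be a browser but lacks browser headers
        if not cookie_valid(_challenge_cookie(headers), ip, ua, now):
            return "challenge"                  # no proof yet that it ran the JS challenge
        return "allow"


if __name__ == "__main__":
    now = 1_445_508_000                         # fixed clock for the demo (constructed)
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0",
               "Accept": "text/html", "Accept-Language": "en-GB,en;q=0.5"}
    s = Scrubber()
    first = {"ip": "203.0.113.10", "headers": dict(browser), "ts": now}
    print("first visit     ->", s.decide(first))
    cookie = issue_challenge_cookie(first["ip"], browser["User-Agent"], now)
    first["headers"]["Cookie"] = f"{COOKIE_NAME}={cookie}"
    print("after challenge ->", s.decide(first))
    stolen = {"ip": "203.0.113.11", "headers": dict(first["headers"]), "ts": now}
    print("cookie replayed ->", s.decide(stolen))
    print("curl            ->", s.decide({"ip": "198.51.100.1",
                                           "headers": {"User-Agent": "curl/7.45.0"}, "ts": now}))
```

Binding the cookie to the IP and User-Agent is what stops a bot herder from solving the challenge once and distributing the token to the whole botnet; the expiry bounds how long a hijacked browser can keep a token it legitimately earned. A production scrubber would rotate the key, run this logic in front of the origin at a point with enough capacity to absorb the flood, and fall back to progressively stricter rules automatically rather than waiting for someone to enable them.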

Introduction to Cybersecurity Part 1 

Introduction to Cybersecurity Part 3