
A strategic vantage point in the network

Issue: Global-ICT 2015
Article no.: 14
Topic: A strategic vantage point in the network
Author: Gary Messiana
Title: CEO
Organisation: Nominum

About author

Gary Messiana joined Nominum in July 2011 as CEO, bringing an extensive track record of leadership and success in software and hosted service solutions. He also serves on the company’s board of directors. Before joining Nominum, Gary had been an entrepreneur-in-residence with Bessemer Venture Partners since 2008. At Bessemer, Gary focused on the software and infrastructure-as-a-service sectors.
Prior to Bessemer, Gary served as CEO of Netli, a content-and-application delivery network provider serving both the network operator and enterprise markets. Netli was sold to Akamai in 2007. Gary was also CEO at Diligent Software Systems, a strategic sourcing company that was sold to B2E Markets.
Gary holds a BA degree from Binghamton University where he graduated with honors.

Article abstract

Today’s agile attacks require agile defences. Security protections need to move into networks to better deter today’s dynamic threats. Taking it a step further, properly equipped DNS servers situated in all provider networks can be used to enable new, highly agile layers of security. DNS queries are a leading indicator of security exposure, since the DNS helps set up virtually every web transaction. A single, short DNS query can be instantly assessed to reveal potential security threats like DDoS activity, malicious web sites, phishing attempts, or hackers trying to reach bots they control.

Full Article

Mobile has made connectivity ubiquitous and the Internet of Things will bring transformational change in how we live, work and play, but at a cost. With all the good there comes some bad: increased reliance on technology has made security and privacy mainstream issues. Traditional devices like computers have been exploited for years, and now hackers are targeting mobile devices; the opportunity is simply too rich for them to ignore. Leaks also reveal that governments recognize the potential for gathering intelligence, infiltrating military operations and monitoring valuable information.
Service providers are in a unique position to play a central role in protecting their subscribers and improving the overall security of the Internet itself, but they face some meaningful challenges. In the past, threats to provider networks came from outside those networks, like massive surges of DDoS traffic intended to swamp network resources and cause service outages. Now threats originating from inside networks must be addressed:
• The latest variants of Domain Name System (DNS) based DDoS attacks can generate massive amounts of destructive traffic inside provider networks and send it wherever the attacker wants.
• Botnets, malware and phishing have become a primary concern because they’re powerful, pervasive and difficult to eradicate.
Progressive-thinking providers recognize that security has become part of their brand equity: subscribers expect networks to always perform flawlessly and increasingly demand a safe Internet experience. Providers also know that secure networks are more efficient and less expensive to operate. Addressing these new challenges is vitally important to both the top line and the bottom line.
DDoS is a daily event
Nominum Data Science, a dedicated research team that processes 3 terabytes of DNS data every day, has been tracking DNS-based DDoS attacks for more than two and a half years. DNS DDoS became mainstream when Internet guardian Spamhaus was attacked in 2013. Starting in early 2014, attacks occurred daily, typically targeting obscure gaming and gambling sites, although popular web properties, including news sites, were regularly targeted as well. Numerous large spikes in DDoS traffic in the second half of the year set new records.
In 2015 attackers have shown more sophistication, monitoring and regulating their attacks to take down targets without necessarily generating headlines that attract unwanted attention. Even with these surgical strikes, providers and targets still suffer daily service degradations and incur sizable mitigation costs.
This form of DDoS not only degrades provider networks and the subscriber experience but also exposes enterprises. Attackers anywhere on the Internet can easily and efficiently target any Internet resource, at any time, using unprotected DNS servers on provider networks. Unfortunately, even providers doing the right thing (following industry Best Common Practices, properly securing their DNS infrastructure and protecting against address spoofing within their networks) are exposed. Attacks are hard to detect because there are many options for launching them:
• Home gateways with improper default configurations are spread across the Internet. These backdoors allow attackers to use provider resources for DNS-based DDoS. Although their numbers have declined, the Open Resolver Project, an organization that tracks them, still shows about 17 million worldwide, and even a small fraction of these devices can cause substantial damage.
• Domain names registered specifically for DNS-based DDoS that become available for use immediately and change constantly. Providers need tools to detect and deter them instantly.
• Specially crafted DNS queries to take down unprotected DNS resources. Providers also need to identify and deter this activity instantly.
• Bots designed to send the specially crafted DNS queries above, adding yet another vector for attackers.
Attackers use various combinations of these methods and continuously evolve and refine their exploits to fly under the radar. Complicating matters, perimeter defences like traditional DDoS solutions are ineffective against them. New kinds of protections are needed to deter these new forms of malicious activity. DNS servers need highly adaptive, fine-grained policy and integrated access to accurate, dynamic threat data to defend themselves.
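The detection that a resolver needs in order to spot the "domains registered for DDoS" and "specially crafted queries" described above can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from Nominum: it scans a constructed resolver query log (the five-field line format, the IP addresses, the domain names and the thresholds are all assumptions made for the example) and flags zones that, within one time window, receive many distinct random-looking leftmost labels that mostly fail to resolve, which is the signature of a random-subdomain flood aimed at a victim's authoritative servers. It also reports which client addresses sent the queries, so an operator can tell a misconfigured home gateway or a bot from ordinary subscriber traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of a recursive resolver's query log: "epoch client qname qtype rcode".
# These lines are made up for the example; they are not data from the article or from Nominum.
SAMPLE_LOG = """\
1443000001 10.0.0.5 www.example.com A NOERROR
1443000002 10.0.0.6 mail.example.com A NOERROR
1443000003 10.0.0.7 cdn.example.com A NOERROR
1443000003 10.0.0.5 www.example.com AAAA NOERROR
1443000010 10.0.0.9 q8z3m1x7k0.victim-zone.test A SERVFAIL
1443000010 10.0.0.9 b4n9v2c6t5.victim-zone.test A SERVFAIL
1443000011 10.0.0.12 w1r8y3u5i0.victim-zone.test A SERVFAIL
1443000011 10.0.0.9 h6j2l9p4s7.victim-zone.test A SERVFAIL
1443000012 10.0.0.12 d3f8g1k5m0.victim-zone.test A SERVFAIL
1443000012 10.0.0.9 z2x9c4v7b1.victim-zone.test A SERVFAIL
1443000013 10.0.0.12 t5y0u8i3o6.victim-zone.test A SERVFAIL
1443000013 10.0.0.9 n7m4k1j9h2.victim-zone.test A SERVFAIL
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character: random-looking labels score high, real words score low."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str) -> str:
    """Crude zone cut: the last two labels. A production resolver would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_line(line: str):
    """Split one assumed-format log line into (epoch, client, qname, qtype, rcode)."""
    ts, client, qname, qtype, rcode = line.split()
    return int(ts), client, qname.lower(), qtype, rcode


def detect_random_subdomain_floods(log_text: str, window_s: int = 60, min_unique: int = 5,
                                   min_fail_ratio: float = 0.8, min_entropy: float = 2.5) -> dict:
    """Return {zone: stats} for zones that look like random-subdomain DDoS targets in some window.

    A zone is flagged when, inside one window, it receives at least min_unique distinct leftmost
    labels, most of those queries fail (SERVFAIL/NXDOMAIN) and the labels look machine-generated.
    """
    buckets = defaultdict(list)  # (window index, zone) -> [(client, leftmost label, rcode)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype, rcode = parse_line(line)
        buckets[(ts // window_s, zone_of(qname))].append((client, qname.split(".")[0], rcode))

    flagged = {}
    for (_window, zone), events in buckets.items():
        labels = {lbl for _, lbl, _ in events}
        failures = sum(1 for _, _, rc in events if rc in ("SERVFAIL", "NXDOMAIN"))
        fail_ratio = failures / len(events)
        mean_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if len(labels) >= min_unique and fail_ratio >= min_fail_ratio and mean_entropy >= min_entropy:
            flagged[zone] = {
                "queries": len(events),
                "unique_labels": len(labels),
                "fail_ratio": round(fail_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                # Sources worth a closer look: open home gateways or bots inside the network.
                "top_sources": Counter(c for c, _, _ in events).most_common(3),
            }
    return flagged


if __name__ == "__main__":
    for zone, stats in detect_random_subdomain_floods(SAMPLE_LOG).items():
        print(f"possible random-subdomain flood against {zone}: {stats}")
```

The flagged zone, not the individual query names, is the unit a resolver would act on: once a zone is flagged, queries for it can be rate-limited or answered from a policy rule while the entropy and failure-ratio tests keep legitimate zones with a handful of ordinary hostnames (the example.com lines above) from being throttled.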

Bots, Malware and Phishing
Cybercriminals have refined tactics for deploying exploits that can cause widespread problems. A botnet is a collection of compromised machines, or “bots”, that are controlled remotely. Computers and other devices get infected with malicious software in a variety of ways, including social engineering or phishing, as discussed below. Botnets or other malware inside provider networks can go from dormant to active instantly and without warning, launching attacks on infrastructure, sending spam, stealing valuable information, or doing many other things. In fact, bots have been used to carry out the powerful DNS DDoS attacks described above.
Nominum Data Science also tracks botnet activity as it continues to grow and change. Research from mid-2015 shows several interesting trends:
• Bots continue to get more sophisticated, with new methods to avoid detection
• Bots targeting banking and finance are growing more popular; 2015 saw a 38% increase over the previous year
• New bots are appearing for Advanced Persistent Threats (APT), DDoS, info stealing, and ransom attacks. APT represents a tiny percentage of traffic but grew 1800% in 2015 across Nominum’s data set
• Zero-day vulnerabilities in Java, Flash, and Windows continue to be exploited
• Conficker, from 2008, is re-emerging; perhaps we’ll finally discover its true purpose
As development practices improve it becomes more difficult and costly to exploit software flaws, so cybercriminals also rely on human factors. In their Emerging Cyber Threats Report 2015, the Georgia Tech Information Security Center (GTISC) concluded “Humans remain the link most often exploited in attacks”. They reported that one out of four staff in their own Office of Information Technology clicked on a phishing link, all of them highly trained IT professionals with awareness of security exposure! A similar result was reported in a survey in eWeek, an IT industry publication, in November of 2013. Service providers and enterprises both need to work to address phishing, since we humans will always be susceptible to clever manipulation.
The way forward
Cybercriminals are all about money, and they constantly change the face of their exploits to maximize their returns. In the past most malware could be detected with static signatures hosted on user devices or servers, but attacks evolved with obfuscated code. This led to dynamic detection systems that attempted to track changing code. Current-generation malware looks for and evades these more advanced systems to avoid being discovered. As malware gets smarter, traditional protections are less effective. Client software simply can’t keep up with polymorphic or evasive threats, and most users fail to load it or maintain it anyway.
Today’s agile attacks require agile defences. Security protections need to move into networks to better deter today’s dynamic threats. Taking it a step further, properly equipped DNS servers situated in all provider networks can be used to enable new, highly agile layers of security. DNS queries are a leading indicator of security exposure, since the DNS helps set up virtually every web transaction. A single, short DNS query can be instantly assessed to reveal potential security threats like DDoS activity, malicious web sites, phishing attempts, or hackers trying to reach bots they control.
Because DNS is an extremely lightweight method of identifying existing and potential threats, adding intelligence to DNS servers also provides significant scaling and manageability benefits. There is no heavyweight equipment or processing required in the network, as there is with solutions like Deep Packet Inspection (DPI). Another advantage is that DNS visibility is bounded: DNS servers see only the name lookups, never the user activity itself, such as browsing web sites, watching videos or making VoIP calls. This is important to preserving privacy and again contrasts with more invasive techniques that require inspecting all user traffic (DPI).
Security exposure created by the Internet will never outweigh all the good it brings, but that implies meeting cybercriminals on the field and engaging with new tools to deter them. Network operators around the world have an opportunity to deploy a strategic vantage point in their networks to provide visibility into security threats, with simple and effective means to deter DNS-based DDoS, various kinds of malware and bots, and much more. The best place to start is the DNS, with servers equipped with accurate, adaptive and automated defences.
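The per-query assessment the two paragraphs above describe can be shown concretely. The following is an added example written for this page, not code from the article or from Nominum: it takes a threat feed of listed domains with categories (the domains, the categories, the allowlist and the action names are all constructed for the example and are not a real feed), decides a policy action for each query name by walking its parent domains so that a listed domain also catches its subdomains, and aggregates the verdicts over a constructed query stream to point out which subscribers are trying to reach botnet command-and-control names. Nothing beyond the query name and the client address is examined, which is the bounded visibility the text contrasts with DPI.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed threat feed: domain -> category. Made-up names for this example, not real indicators.
THREAT_FEED = {
    "c2.evil-bot.example": "botnet_c2",
    "login-secure-bank.example": "phishing",
    "amp-target.example": "ddos_domain",
}
# Policy: the resolver's action per category. Allowlisted names always resolve normally.
ACTIONS = {
    "botnet_c2": "block_and_alert",          # answer with a policy response and notify the subscriber
    "phishing": "redirect_walled_garden",    # steer the user to a warning page instead
    "ddos_domain": "rate_limit",             # stop the resolver being used as an amplifier
}
ALLOWLIST = {"example.com"}

# Constructed query stream, "client qname": only the name is inspected, no URL or payload is seen.
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.example.com
10.0.0.8 update.c2.evil-bot.example
10.0.0.8 c2.evil-bot.example
10.0.0.11 login-secure-bank.example
10.0.0.5 amp-target.example
10.0.0.8 www.example.com
"""


@dataclass
class Verdict:
    qname: str
    matched: Optional[str]    # the feed or allowlist entry that decided the verdict, if any
    category: Optional[str]   # threat category from the feed, None when not listed
    action: str               # what the resolver does with this query


def candidate_suffixes(qname: str) -> list:
    """Most specific first: 'a.b.c' -> ['a.b.c', 'b.c', 'c'], so a listed parent catches subdomains."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def assess_query(qname: str, feed=THREAT_FEED, allowlist=ALLOWLIST, actions=ACTIONS) -> Verdict:
    """Decide the resolver's action for one query name.

    The most specific match wins, so an allowlisted parent does not shield a listed subdomain,
    and a listed parent does not override a more specific allowlisted name.
    """
    for suffix in candidate_suffixes(qname):
        if suffix in allowlist:
            return Verdict(qname, suffix, None, "resolve")
        if suffix in feed:
            category = feed[suffix]
            return Verdict(qname, suffix, category, actions[category])
    return Verdict(qname, None, None, "resolve")


def process_queries(text: str, feed=THREAT_FEED, allowlist=ALLOWLIST, actions=ACTIONS):
    """Apply the policy to a query stream and summarise which clients show signs of infection.

    Returns (verdicts, infected): verdicts is a list of (client, Verdict) in stream order and
    infected maps a client address to the set of C2 names it tried to reach.
    """
    verdicts = []
    infected = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        verdict = assess_query(qname, feed, allowlist, actions)
        verdicts.append((client, verdict))
        if verdict.category == "botnet_c2":
            infected[client].add(verdict.matched)
    return verdicts, dict(infected)


if __name__ == "__main__":
    verdicts, infected = process_queries(SAMPLE_QUERIES)
    for client, v in verdicts:
        print(f"{client:10} {v.qname:32} -> {v.action} (matched {v.matched})")
    for client, names in infected.items():
        print(f"likely infected subscriber {client}: reached for {sorted(names)}")
```

The suffix walk is what makes the lookup useful against attackers who change hostnames constantly: one listed domain covers every label an attacker generates beneath it, while the allowlist check at each level keeps a legitimate parent from being blocked because of one bad subdomain entry.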
