Last year, the COVID-19 pandemic forced federal civilian agencies and military organizations to change fundamentally how they operate. As the pandemic spread, they rushed to adopt VPNs, video teleconferencing and other technologies that would let their employees work remotely.
As a result, Internet usage hit an all-time high, new technologies were adopted in a hurry, and government organizations came to depend even more heavily on IT and network-enabled platforms to function. This not only widened the attack surface available to malicious actors, it also raised the potential impact of a successful cyberattack on a government or military organization.
DDoS attackers took full advantage of this environment and shattered records in 2020. More than 10 million DDoS attacks were observed during the year, leaving security researchers with the task of tracking these threats and developing defenses against future attacks.
Earlier this month, NETSCOUT released its 2020 Threat Intelligence Report, which underlined how DDoS attacks impacted enterprises around the world, especially those in pandemic-related industries.
The GovCyberHub recently sat down with Richard Hummel, a Threat Intelligence Lead at NETSCOUT, to discuss the report’s findings on the role DDoS attacks played in 2020, how malicious actors leveraged new vectors to deploy these attacks, and what to expect from DDoS threats moving forward. Hummel is one of NETSCOUT’s driving forces behind researching cyberattack motivations and distilling global trends in the cyber threat environment.
Here is what he had to say:
GovCyberHub (GCH): For the first time in history, the annual number of observed DDoS attacks crossed the 10 million threshold. What can be done to keep this number from increasing in 2021 and beyond?
Richard Hummel: That’s a hard one, because we have an ever-expanding threat landscape. When you think about how the internet and a DDoS attack work, adversaries will go after things because they can. And the more devices, the more organizations, and the more networks that go online and have connectivity, the more the attacker has at their disposal to target. Combine that with new methodologies, new DDoS attack vectors, and different tools that are being developed in underground forums or DDoS-for-hire services, and you don’t get a recipe for numbers going down.
This is why we talked in the report about the idea of “up and to the right,” and you see it in the regular addition of new attack vectors, increased number of attacks year-over-year, and attack sizes and speeds that continue to push the boundaries. So you have this ever-expanding footprint. Given the unprecedented DDoS attack activity we noted for 2020, you’d think we’d plateau, but we still have a whole slew of attacks coming in.
So far in 2021, we’re on track to meet or break the 10-million attack number that we recorded in 2020. For the first quarter of 2021, I think we are already at the 3.5 million attack mark, which gives us a trajectory that blows right by that 10 million number. And the thing is, January and February are usually the slowest months for DDoS. The fact that we are already at those numbers in the first quarter means I foresee this as “up and to the right” for quite a while yet.
“So far in 2021, we’re on track to meet or break the 10-million attack number that we recorded in 2020. For the first quarter of 2021, I think we are already at the 3.5 million attack mark, which gives us a trajectory that blows right by that 10 million number.” – Richard Hummel
What can we do to prevent this? Well, the reality is that it’s always going to be there. And there’s a good chance that it will always continue to go “up and to the right.” So the real question we should be asking is, “How do we protect ourselves from these attacks?”
And for that question, preparation is key. Ensure that you understand what adversaries are doing in this space and that you have adequate protection. The attitude of “Our company isn’t a target for DDoS attacks, so I don’t need to worry about it” is both dangerous and outdated. That’s the past, and attackers widely expanded their target base in 2020. The reality is, having DDoS protection services should really be a standard part of your normal security stack these days, whether it’s on-premises or in the cloud.
GCH: DDoS is increasingly being used in cyber extortion attacks to get ransom payments from organizations. What advice would you give to an organization that is faced with an extortion demand and/or threat? Are there options other than paying out these malicious actors?
Richard Hummel: The first thing I would say is, don’t pay. Whether it’s DDoS extortion or ransomware, we always recommend not paying.
Here’s why: When you pay, you essentially reward the behavior in the form of payment. It encourages them to continue targeting other folks.
I also want to point out that there is a very clear distinction between DDoS extortion and ransomware. With DDoS extortion, the adversaries don’t have your data. They’re not holding anything hostage and you don’t have to pay them to recover some of your data. Basically, they are holding the threat of a future attack over your head. They may stoke your fears by launching a demonstration attack, but they aren’t holding anything hostage. If you have prepared and have protections in place, there’s a good chance that you can continue to run your operations, and this DDoS extortion is just blowing smoke.
We’ve dealt with a number of these extortion attempts from both customers and non-customers over 2020 and 2021. And every single company that was adequately prepared to handle a DDoS attack of any size experienced little or no downtime from extortion attempts. And that’s due to the fact that they had DDoS protection of some form in place, whether it was stand-alone or a combination of on-premises or cloud-based services.
So, my advice would be to go out and find a service that is right-sized for your organization to make sure that you are protected against a DDoS attack.
GCH: According to the report, the Lazarus Bear Armada (LBA) has proven to be an extremely aggressive threat actor in the DDoS realm. LBA, more often than not, follows through on threats of repeating attacks until extortion demands are paid. What makes LBA different from the other DDoS attackers that are just blowing smoke?
Richard Hummel: I think there are a couple of things that make them different. One is their persistence. They are probably one of the most persistent DDoS extortion groups that I’ve run across. Not only do they launch demonstration attacks, but they also send emails to active addresses. In contrast, past extortion attempts or campaigns have tended to send emails to publicly facing addresses, such as the general information address on a company website, and those emails would end up in a spam trap.
But LBA does reconnaissance work to find the email addresses of higher-level executives, which lets them get their extortion demands in front of important eyeballs. And then they will say, “Hey, if you don’t pay us, we are going to follow up.” And 60-65 percent of the time, they actually do follow through with an attack.
“…my advice would be to go out and find a service that is right-sized for your organization to make sure that you are protected against a DDoS attack.” – Richard Hummel
They also take their reconnaissance well beyond finding the right email address. They also research the organization itself and look for network vulnerabilities. For example, they launch attacks and send the email during local business hours. They’ll also do network scanning to find out what is being hosted on IP addresses and whether there are VPN concentrators or DNS servers there. They do this by looking at all of the IP addresses owned by an organization and performing a reverse lookup to find the domains hosted on them. And then they’ll actually go after specific entities on a network to knock them offline.
I will say that they don’t actually achieve the threatened level of attack. In general, they start with a 5-10 minute demonstration attack of between 50 Gbps and 750 Gbps before sending the extortion demand. And that email contains a threat of a 2 Tbps attack being launched if you don’t pay up within an allotted period of time. However, we’ve never seen anything in the terabit threshold. I think the largest we’ve seen is just over 750 Gbps, so their threats are a little overinflated at this point.
That being said, LBA is a little bit more sophisticated in how they go about targeting and attacking target organizations.
GCH: Why would malicious cyberactors want to concentrate attacks on pandemic-related industries? What ultimately were the top pandemic-related cybersecurity concerns? And can you speak about the real-world consequences of such attacks?
Richard Hummel: It’s all about money. Most DDoS attacks are financially motivated.
The rule to remember is, if it’s important to us, it’s important to them. When we look at some of the pandemic-specific things, it starts with a huge shift to online work. The whole world went remote. This means that VPN usage soared. People bought everything online, so ecommerce growth went off the charts. Schools shifted to remote learning and virtual education.
So you have this expanded threat footprint, and the pandemic has been a driver for a lot of these things. And adversaries aren’t sitting by idly. They are taking advantage of that, as they usually do when an opportunity arises.
Of course, there are other motivations, like a student not wanting to go to school. It’s pretty easy to launch a DDoS attack to take down a school’s network and play hooky or avoid a test for a day. That accessibility is a huge issue—it’s so easy and cheap to do. You can launch a 100 Gbps attack for $10. And because everything is connected to the internet, it’s really easy to find the target that you want to go after. So, you have this crazy environment that we are all operating in. And DDoS attacks are just the normal flavor you see across the internet.
GCH: With working from home (WFH) becoming a mainstay of the modern enterprise, how can DDoS attacks be used to disrupt organizations with a large percentage of their workforce working remotely? How can these attacks be averted?
Richard Hummel: The increased targeting of VPN concentrators is a really good example.
Right after the pandemic started, we published a blog called “Availability in the Time of COVID-19” that forecast increased attacks on VPNs or VPN concentrators. And, sure enough, LBA comes along and that’s one of their mainstays.
And it’s not just LBA. We have others trying to target these VPNs as well because you can just go online and find an IP address and do a reverse lookup and figure out what domain is hosted there. And guess what, it’s – for example – VPN.Organization.com. So now they know there’s some sort of VPN service hosted on this IP address, and they’ll just go and target it. And beyond that, they may not just target the VPN concentrator. They may try to also disguise their traffic as legitimate VPN traffic to try to overwhelm that concentrator. There are a number of tactics that can be used, and VPNs are just one of them.
It doesn’t even have to stop at DDoS. You have all these people working from home now. All of their computers, their devices, their cellphones, IoT devices, or whatever it might be… They’re now at home behind home routers that historically have had issues with security. One, because the average user doesn’t know how to go in there and change security settings, or they don’t care. And a lot of times you have default credentials for some of these devices. Now you’re talking about putting all this corporate machinery behind home devices that are significantly less secure than those of an enterprise.
And you have this expanded footprint for adversaries to leverage and set up new IoT botnets, and to launch bigger and more expansive DDoS attacks. So there’s any number of things that contribute to this space and WFH has created a lot of issues. I think we are still trying to play catch up, asking how do we secure the home user? Yes, they have a VPN, and they can secure their organization, but it also opens up issues.
“It doesn’t even have to stop at DDoS. You have all these people working from home now. All of their computers, their devices, their cellphones, IoT devices, or whatever it might be… They’re now at home behind home routers that historically have had issues with security.” – Richard Hummel
There was a recent ransomware event in which an adversary got into a system with administrative privileges and was then able to launch ransomware on some 15,000 devices connected to that organization because they had remote access. Maybe that wouldn’t have happened if we were still on-premises with a workforce that didn’t have to be that interconnected. It could have still happened, but the reality of remote work is that you have all these assets that must remotely connect to corporate environments. It introduces a whole new facet of security and risk that you have to evaluate as an organization.
I think we are still learning. It’s going to get better, but it has risks associated with it.
GCH: The report notes that firewalls do not work against DDoS, yet 62 percent of enterprises report that they use next-gen firewalls to detect threats against their networks. What should they be doing instead, and why haven’t they migrated towards more effective solutions?
Richard Hummel: The biggest thing here is “state vs stateless.” When you have a firewall, all of the connections that come in are tracked statefully. So, it doesn’t take long to fill up your state table. Because of this, it doesn’t take a super large or fast DDoS attack to take down a firewall. Once an attack fills up the state table, your firewall can’t handle any more connections, and it tips over at that point. It’s a very common misconception. Probably one of the most common misconceptions about cyber defense. Firewalls do little to protect against a DDoS attack and are designed for other types of cyber threats like exploitation and brute-forcing attacks.
Our devices basically block things in a stateless environment. We have a product called Arbor Edge Defense, and the whole thing is stateless. All it’s doing is examining flows back and forth. We’re not storing sessions, we’re not assembling packets. We’re basically making decisions based on the flow of traffic. So, we don’t have to worry about DDoS attacks filling up a stateful table. We will basically say, “We know that this is a DDoS attack because it has these behaviors and characteristics of a DDoS attack.” Maybe it matches a blocklist that we have in place. So, we will block it right at that point, before it gets into the organization and before it hits a firewall. That way you don’t have to worry about firewalls tipping over. That’s the misconception that most folks have. And you can see from the data, it’s definitely a concern for a lot of people.
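The "state vs stateless" distinction in the last two answers is easy to see in a toy model. The Python below is an added example written for this page; it is not code from the interview, GovCyberHub or NETSCOUT, and it does not model Arbor Edge Defense or any other product. It sends a constructed SYN flood plus a handful of legitimate handshakes through (a) a stateful firewall whose connection table has an assumed 1,000 slots and (b) a stateless filter that never stores sessions and decides per packet from a blocklist and a per-source SYN counter with memory capped up front. The table size, rate limit, TEST-NET addresses and traffic mix are all assumptions chosen for the demonstration.

```python
"""Toy model of state-table exhaustion vs per-packet (stateless) filtering.

Added example, not from the interview, GovCyberHub or NETSCOUT. All traffic
is constructed in build_traffic(); nothing here touches the network.
"""
import random
from collections import Counter

TABLE_SIZE = 1_000            # assumed connection-table capacity of the firewall
SYN_LIMIT = 20                # assumed SYNs per source per window before dropping
MAX_TRACKED_SOURCES = 4_096   # hard cap on the stateless filter's counter memory


class StatefulFirewall:
    """Every new SYN allocates a table entry; once the table is full, all new
    SYNs, legitimate or not, are dropped. (Real firewalls time out half-open
    entries, but a flood refills the table faster than entries expire.)"""

    def __init__(self, table_size=TABLE_SIZE):
        self.table_size = table_size
        self.state = {}  # (src, sport) -> "SYN_RECV" | "ESTABLISHED"

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            if key not in self.state and len(self.state) >= self.table_size:
                return "drop"          # table exhausted: the firewall "tips over"
            self.state.setdefault(key, "SYN_RECV")
            return "accept"
        if key in self.state:          # ACK for a half-open entry we remember
            self.state[key] = "ESTABLISHED"
            return "accept"
        return "drop"                  # no state for this packet


class StatelessFilter:
    """No sessions. Memory is bounded by MAX_TRACKED_SOURCES and by the number
    of distinct sources, not by the number of connection attempts."""

    def __init__(self, blocklist=(), limit=SYN_LIMIT, max_sources=MAX_TRACKED_SOURCES):
        self.blocklist = frozenset(blocklist)
        self.limit = limit
        self.max_sources = max_sources
        self.syn_count = Counter()     # src -> SYNs seen in the current window

    def new_window(self):
        self.syn_count.clear()         # counters are reset every interval

    def handle(self, pkt):
        src = pkt["src"]
        if src in self.blocklist:
            return "drop"              # known-bad source: cheapest check first
        if pkt["flags"] != "SYN":
            return "accept"            # ACK/data: no session to consult, pass it on
        if src not in self.syn_count and len(self.syn_count) >= self.max_sources:
            return "drop"              # counter memory full: fail closed for new sources
        self.syn_count[src] += 1
        return "drop" if self.syn_count[src] > self.limit else "accept"


def build_traffic(seed=7, legit_clients=50, bots=200, syns_per_bot=50):
    """Constructed traffic: each legitimate client sends SYN then ACK; each bot
    sends syns_per_bot SYNs from distinct source ports and never completes."""
    rng = random.Random(seed)
    events = []
    for i in range(1, legit_clients + 1):
        src, sport = f"203.0.113.{i}", 40_000 + i          # TEST-NET-3 (assumed)
        events.append([
            {"src": src, "sport": sport, "flags": "SYN", "kind": "legit"},
            {"src": src, "sport": sport, "flags": "ACK", "kind": "legit"},
        ])
    for b in range(1, bots + 1):
        src = f"198.51.100.{b}"                             # TEST-NET-2 (assumed)
        for j in range(syns_per_bot):
            events.append([{"src": src, "sport": 1024 + j, "flags": "SYN", "kind": "attack"}])
    rng.shuffle(events)                # interleave flood and legitimate traffic
    return [pkt for ev in events for pkt in ev]


def run(device, packets):
    """Return a Counter keyed by (kind, flags, verdict) for one device."""
    tally = Counter()
    for pkt in packets:
        tally[(pkt["kind"], pkt["flags"], device.handle(pkt))] += 1
    return tally


def compare(seed=7):
    packets = build_traffic(seed)
    fw = StatefulFirewall()
    sf = StatelessFilter(blocklist={"198.51.100.1", "198.51.100.2"})  # assumed blocklist
    return {
        "stateful": run(fw, packets),
        "stateless": run(sf, packets),
        "stateful_entries": len(fw.state),
        "stateless_entries": len(sf.syn_count),
    }


if __name__ == "__main__":
    r = compare()
    for name in ("stateful", "stateless"):
        t = r[name]
        print(f"{name:9s} legit SYN accepted {t[('legit', 'SYN', 'accept')]}/50, "
              f"attack SYN accepted {t[('attack', 'SYN', 'accept')]}, "
              f"entries held {r[name + '_entries']}")
```

In this run the firewall's table fills after the first 1,000 SYNs, so nearly every legitimate handshake that arrives later is dropped even though the flood is only 10,000 packets; the stateless filter passes all 50 handshakes, holds one counter per source rather than one entry per connection attempt, and drops the excess from each bot once it exceeds the per-window limit. The caveat a practitioner should keep in mind: a flood with randomly spoofed source addresses defeats per-source counting, which is why production mitigation also matches attack signatures and behaviours, as the interview describes, rather than relying on source rate alone.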