The latest NETSCOUT Threat Intelligence Report is here and it seems that cybercriminals were busy in the second half of 2021. From new applications of old attacks to the continuing evolution of cybercriminal enterprises, there is a lot to dive into. While the report does detail many of the challenges facing government IT, it also notes that there have been some successful efforts to bolster cybersecurity.
Richard Hummel, ASERT Threat Research Lead at NETSCOUT, recently joined GovCyberHub to help unpack what this report means for the federal government, how recent efforts to combat cybercriminal enterprises are going, and to share his insights on how the future of cybersecurity is unfolding in front of the world right now.
GovCyberHub: Richard, welcome back! So to get us started, what are some of the topline messages that came out from the recently released Threat Intel Report? What should people take away from your reporting?
Richard Hummel: The biggest takeaway here is that adversaries are continuing to evolve. They are constantly adapting to the changes we see around what we as security professionals are doing. We’re seeing a rebalancing of the scales between attack methodologies and DDoS attack vectors that are having some pretty profound effects on how we, NETSCOUT, are approaching our security recommendations.
As an example, since 2018, volumetric attacks, namely DNS Amplification, were the preferred and predominant attack. It vastly outweighed things like TCP-based attacks that were sourced from botnets or some other attack tools. But that’s no longer the case, as the two have become more or less equal.
“Something with that longevity should tell you that it is still an effective tool in the cybercriminal enterprises’ arsenal” – Richard Hummel
TCP-based attacks have been around since really DDoS began, I’d even go so far as to say since the beginning of the internet. Something with that longevity should tell you that it is still an effective tool in the cybercriminal enterprises’ arsenal. While some adversaries didn’t use TCP-based attacks for whatever reason, what we see is actors realizing that these attacks are sometimes more effective than these high-bandwidth, high-throughput attacks achieved from the typical volumetric attack vectors.
That’s one kind of trend or outlier that we’re seeing; another one is that more adversaries are going after specific organizations. Just before our conversation today I was looking at an overview of cyberattacks across the entire global system, and the big trend was a slight decrease in attacks on telecommunications services and more towards individual companies and organizations. Earlier in the pandemic, we saw some major cyberattacks against subscriber networks or broadband networks, likely due to the increased number of gamers and subscribers sitting at home getting up to the mischievous activity.
A final trend that we see at a high level is that botnets appear to be getting a facelift. Since 2016, when Mirai went public, IoT botnets have been all the rage. They are still there, they’re still expanding and they’re still adding new bots and botnets. However, we are seeing more high-power devices being subsumed into these botnets. We’re seeing Git servers conscripted because there’s a vulnerability that allows exploitation code in Mirai that allows it to propagate and spread.
Another facet that makes botnets more powerful is the introduction of 5G networks into the home. Historically, home networks were nowhere near as powerful as data center transit links or even powerful enough to be worth using in small numbers, but now with phones, tablets, really almost anything that connects to a network being introduced to 5G, those home networks are far more useful for botnets. All those devices now present a botnet with nearly unlimited potential to disrupt and attack.
Those are the three major trends that I think people should take away from the report. I’ll add there have been some interesting developments with cybercriminal enterprises, as well as a lot of things evolving, changing, and disrupting the threat landscape so I’d highly recommend people read the full report. It’s great to drill down into these trends and help build a more holistic view of what your organization needs, and how NETSCOUT can help achieve it.
GovCyberHub: DDoS attacks have seen a slight decrease over the last half of 2021, is there a reason why the overall number has gone down from the height of the pandemic? Are there new attack vectors that are better? Is this a response to how the cyber professional community has evolved its preparations against DDoS?
Richard Hummel: Honestly, it’s a little bit of everything. We’re getting a bit better at mitigating attacks, and that’s pushed some would-be attackers away from DDoS or specific types of DDoS attack vectors. That’s largely in part thanks to the shift we’ve seen in our mentality to always expect an attack. Approaching DDoS and cyberattacks less as an if and more as a when has gone a long way towards making cybersecurity and incident response more robust.
“Every enterprise, every service provider, and every single consumer that connects to the internet at some point will be affected by DDoS.” – Richard Hummel
I’ll also add that DDoS is almost always a ripple effect as well: you hit one organization and everybody around them suffers, and all the transit links that got to your victim suffer. Sometimes you take down a target that happens to be in a data center hosting multiple other things, which causes a domino effect and tips them over as well. Every enterprise, every service provider, and every single consumer that connects to the internet at some point will be affected by DDoS.
That understanding has changed over the past couple of years and now people realize that it’s not something that can be ignored. Instead, cybersecurity professionals need to make sure that the proper protections are in place, not just DDoS mitigation services or products on-prem, but even just following best current practices like making sure to have IP Address Anti-Spoofing implemented to prevent volumetric attacks.
Governments, service providers, and enterprises have developed much more comprehensive abilities to identify and target attacks, and as a result, we are seeing less of that domino effect I described earlier. When you can look at every IP address and determine: is this fraudulent, is this genuine, or is this ‘internal’ IP address coming from outside? That is when cybersecurity can make an effective difference, and we are seeing that reflected, partially, in the decreased number of attacks.
I’d like to add that governments have been especially good about using these access controls. They’ve run with the zero trust methodology and have created systems that can identify when someone or something is trying to communicate with a restricted system and failed or spoofed an authentication. Having that kind of access control is going to go a long way toward preventing attacks. Government IT has gotten much better about this but so have enterprises’ service providers. There’s still a lot of work to do, and DDoS attacks are still effective in many cases, but we’re getting better at preventing them.
GovCyberHub: Last year, you mentioned that your biggest piece of advice for anyone that is experiencing a cyberattack with an extortion element is to not pay, ever. Is that still your top piece of advice? Is there any update on what advice you’d offer?
Richard Hummel: For DDoS? My advice remains the same. No one should pay extortion, a ransom, a demand, not now, not ever. I’ve said it before, and I’ll say it again: when you pay you are enabling the continuation of the grift. Companies, governments, and enterprises of all shapes and sizes must understand that they cannot participate in the interaction.
“DDoS attacks… are not permanent things. No adversary on the planet can perpetually launch a high-powered, high-potency attack, full time for an indefinite time… Every moment they are tied up is a moment that they are losing money.” – Richard Hummel
Additionally, there is a very good chance that if you pay, they’ll just keep asking for more. Give a mouse a cookie and it will ask for milk. Criminals have no reason to uphold their end of the bargain, once you deliver the payment nothing is stopping them from continuing to hold you for ransom, to continue their DDoS attacks.
It makes zero sense, especially in the DDoS context, because in ransomware, I get it. You’re trying to recover your files, and maybe you didn’t have proper backups, or maybe your backups got encrypted, and so paying is the only possible solution for me to be able to recover my business, to recover my customer files. I’ll still say that despite those arguments in favor of paying, the risk and potential cost outweigh the short-term benefits.
DDoS attacks, however, I want to be clear, are not permanent things. No adversary on the planet can perpetually launch high-powered, high-potency attacks, full time for an indefinite time. At some point in time, they’re going to run out of resources whether that is funds, processing power, or even just will. Every moment they are tied up is a moment that they are losing money.
Even if you’re under attack for multiple sustained days, there are options to circumvent their attack. You can then go to a service provider, a cloud provider managed service, whatever it might be, and say, “Hey, I’m on a constant onslaught for DDoS attacks, I need help.” There are solutions in place for DDoS attacks that can effectively stop an attack in its tracks.
So, to sum up everything, do not ever pay. As far as I am aware not a single payment to a DDoS extortion crew has occurred with a company that has worked with us. Each of them was able to not only avoid the ransom but were able to leverage some of our existing solutions to recover fully and build more robust preventative solutions for the next attempted attack.
GovCyberHub: In our last conversation, you referenced this growing trend of cybercriminal enterprises, specifically about how they are specializing based on their skillsets. Have those trends continued or evolved? Has it continued to be an effective way for these organizations to operate? Have we seen more effective cyberattacks as a result?
Richard Hummel: More effective? Absolutely. That’s predominantly the reason why we keep hearing about attacks today. These cybercriminal enterprises are continuing to expand the way they innovate so much faster. They have zero overhead, they have zero red tape, they have zero investors, they don’t have a board, and they don’t have anybody that has to buy into what they want to do. They just do it.
“That speed, combined with their specialization in certain things like spam distribution, infrastructure management, exploitation, etc. is continuing to just be successful for these guys.” – Richard Hummel
These cybercriminal enterprises can operate super-fast, employing new exploitation methods as they come out. The very next day, it’s incorporated into their tools. It is that fast in the criminal ecosystem. That speed, combined with their specialization in certain things like spam distribution, infrastructure management, exploitation, etc. is continuing to just be successful for these guys.
I anticipate that this is going to continue. Even in the DDoS world, we’re seeing some things that have changed. I recently got a request that said, “Hey, do you know what the average cost of a DDoS attack is?” At first, I said “20 USD?”, but I didn’t know. So I started searching, and nobody’s done kind of a deep dive into these details in a few years. I decided that I’m going to go in, create some fake accounts, log into the dark web and figure out what these cybercriminal enterprises offer, the cost of these things, the potential users, all this stuff.
What I found was that these organizations have begun to operate even more like legitimate companies. They were focusing on UI enhancements, offering deals on free DDoS attacks with other purchases, and they were focused on finding ways to make their product, their service, more attractive than others.
This sort of Buy-One-Get-One attitude existed in the past but only sparsely, but now every single one I looked at has the potential to launch a free DDoS attack using three to five different DDoS attack vectors. Those free attacks, despite them not being very potent or powerful, can still be effective.
“No longer do [cybercriminal enterprises] have to target the big companies, [instead they can] just provide DDoS-as-a-service to a couple of hundred people for a nominal fee.” – Richard Hummel
Let me share an example. Say you’re a competitive gamer, and you’re working on an internet feed of about 100 megabits per second. A rival player, with some technical skills, can find your IP address, punch it into one of these services and launch an effective DDoS against you and they only need to cause a tiny bit of lag so that your 100 megabit pipeline gets a little bit more clogged. Gaming is one of the largest recipients of DDoS attacks, and it’s likely because of the ease of access. It’s a diversification that opened up a whole new realm of activity from cybercriminal enterprises. No longer do you have to target the big companies, just provide DDoS-as-a-service to a couple of hundred people for a nominal fee.
One other thing I’ll add from my time perusing the DDoS-for-hire platforms is that these cybercriminal enterprises have identified and are ready to exploit a growing number of attack vectors for DDoS attacks. I was able to find 200 different purported attack vectors that can be used. While the free stuff was pretty innocuous, some of these attack vectors would cost upwards of $6,500 and could do some serious damage to a network. It’s a cybercriminal enterprise, and frankly, they’re getting better at what they do.
Thankfully so are we, and anyone who wants to understand these better, and what threat they might pose, should first read the entire Threat Intelligence Report, and then get in contact with us. We have a lot of effective solutions here at NETSCOUT that we’d be more than happy to share with any government organization looking for effective security.
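The anti-spoofing practice Hummel describes (checking every source address and asking whether an ‘internal’ address is arriving from outside, and whether an outbound packet carries an address that is not ours) is the core of BCP 38 ingress/egress filtering. The following is an added illustration, not NETSCOUT’s code or tooling and not part of the interview: it evaluates constructed flow records against an assumed set of organisation prefixes (the RFC 5737 documentation range 203.0.113.0/24 and 10.0.0.0/8 stand in for the organisation’s public and private space; 198.51.100.0/24 stands in for remote Internet hosts) and reports which records an anti-spoofing filter would drop.

```python
"""BCP 38-style source-address checks over constructed flow records.

Added example (not NETSCOUT's code). Assumed: INTERNAL_PREFIXES is the
organisation's own address space; records arrive as "key=value" tokens
from a hypothetical flow exporter, with iface=ext meaning the packet came
in on the Internet-facing link and iface=int meaning it came from inside.
"""
import ipaddress
from typing import Dict, List

# Assumed organisation address space (documentation range + RFC 1918 block).
INTERNAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Source prefixes that can never legitimately arrive from the Internet.
# Kept explicit rather than using ipaddress.is_private, which also treats
# the documentation ranges used in this example as private.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_internal(addr) -> bool:
    """True if addr falls inside one of our own prefixes."""
    return any(addr in net for net in INTERNAL_PREFIXES)


def is_bogon(addr) -> bool:
    """True if addr is unroutable / reserved and so cannot be a real remote source."""
    return any(addr in net for net in BOGON_PREFIXES)


def parse_flow(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict (constructed format)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(flow: Dict[str, str]) -> str:
    """Return the filter verdict for one flow record."""
    src = ipaddress.ip_address(flow["src"])
    iface = flow["iface"]
    if iface == "ext":
        # Ingress: a packet from the Internet claiming one of our own
        # addresses is the "internal address coming from outside" case.
        if is_internal(src):
            return "drop:spoofed-internal-source"
        if is_bogon(src):
            return "drop:bogon-source"
        return "permit"
    if iface == "int":
        # Egress: a packet leaving us must carry one of our own addresses,
        # otherwise an inside host is spoofing on someone else's behalf
        # (the precondition for reflection/amplification abuse).
        if not is_internal(src):
            return "drop:egress-spoof"
        return "permit"
    return "alert:unknown-interface"


def audit(lines: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of records."""
    counts: Dict[str, int] = {}
    for line in lines:
        verdict = classify(parse_flow(line))
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample records; addresses are documentation/private ranges only.
SAMPLE_FLOWS = [
    "iface=ext src=198.51.100.7 dst=203.0.113.10 proto=udp dport=53",    # ordinary inbound query
    "iface=ext src=203.0.113.44 dst=203.0.113.10 proto=udp dport=53",   # our own address arriving from outside
    "iface=ext src=10.9.8.7 dst=203.0.113.10 proto=tcp dport=443",      # our private range from outside
    "iface=ext src=192.168.1.20 dst=203.0.113.10 proto=tcp dport=80",   # RFC 1918 bogon from outside
    "iface=int src=203.0.113.25 dst=198.51.100.53 proto=udp dport=53",  # ordinary outbound query
    "iface=int src=198.51.100.200 dst=203.0.113.25 proto=udp dport=53", # inside host spoofing a remote address
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(f"{classify(parse_flow(line)):32s} {line}")
    print(audit(SAMPLE_FLOWS))
```

The ingress branch is what stops an attacker outside from impersonating your own hosts; the egress branch is what keeps your network from being usable as a launch point for spoofed reflection traffic, which is why Hummel lists anti-spoofing alongside dedicated mitigation services rather than instead of them.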