Richard Hummel, ASERT Threat Research Lead at NETSCOUT, recently joined GovCyberHub to detail some of the topline messages from the NETSCOUT Threat Intelligence Report and shared how DDoS attacks have evolved over the second half of 2021. During our conversation, he described the many ways that cybercriminals have evolved to overcome cybersecurity solutions being put in place by government IT and the many ways that government IT is responding to outpace those threats.
Continuing the conversation, the GovCyberHub editorial team asked Hummel to offer his insights on what targeted industries can do to combat cyberattacks, and how recent global events should shape government IT’s response and preparation for large-scale cyberattacks. Here is what he had to say:
GovCyberHub: The report noted that the most targeted industry has shifted from pandemic-related industries, i.e., healthcare providers, to insurance agencies, computer manufacturers, and institutions of higher education. What is the reason for this shift? What should people in these industries do to prepare for a DDoS attack or other cyberattacks?
Richard Hummel: The most important thing to take away from this is that cybercriminals are learning. They’re adapting to market conditions and have identified the bigger fish now. Everything has changed because we are moving away from the pandemic and toward an endemic. You can track this shift to August, right when the world essentially decided that it had enough of work-from-home and remote education.
But let’s dive into one of those industries, specifically the software publishers. We saw them get hit hard over the last half-year, and not just by DDoS attacks. Multiple intrusion attempts from a variety of attack vectors have been launched by countless cyber adversaries, but DDoS attacks were the lion’s share and this makes sense.
“Criminals [were] going after the things that allow us to communicate … [but] targeting those was not super effective for adversaries. So what’s next? The things that make our society tick.” – Richard Hummel
See, in the DDoS world, there is this semi-logical evolution of their attack targeting and it ties into the last time we talked. I mentioned the connectivity supply chain, and how criminals are going after the things that allow us to communicate across the internet including VPNs, internet exchanges, DNS servers, all of those things. Well, you know what? Targeting those was not super effective for adversaries.
So, what’s next? Logically, the next step is to go after the things that make our society tick. Let’s go after the hardware and its vendors that allow people to connect to the internet. We see this all the time with DDoS attacks and extortions where the criminals will go after what they perceive as the most viable way to take down their target and to get a payment.
“[Cybercriminals] started going down the line targeting everybody who was in the same orbit as their previous victims before moving on to an adjacent industry.” – Richard Hummel
Case in point, look at the Lazarus Bear Armada group: they went after financial entities, then they went to adjacent insurance agencies and brokerages, then they moved to crypto exchanges and currency exchanges. They started going down the line targeting everybody who was in the same orbit as their previous victims before moving on to an adjacent industry.
Adversaries are trying to figure out where they are going to be most effective. Where do they have the potential to cause the biggest disruption? And I feel like what we’re seeing now is more adversaries trying to get in on this, and then we get a runaway feedback loop.
This applies to ransomware as well, and to other attack vectors. We have seen countless copycat attacks based on other, highly publicized and successful attacks. They want to be able to capitalize on what’s happening and so I feel like that’s kind of the phenomenon. You’re seeing more attack targeting which, when successful, results in more groups attacking specific industries or specific types of organizations. That’s what we’re seeing here.
GovCyberHub: Can you detail that trend a bit more? Is this just a change in targeting or is there something else the adversaries are doing in these attacks? What should be the affected industries’ response?
Richard Hummel: So, there is something that the report details that I have not seen discussed too much, and that is this idea of a “Direct Path Attack.” A direct path attack, in essence, refers to a non-spoofed attack: the IP address that is the source of the attacking traffic to the victim is not spoofed; instead, the host that owns that IP address at that point in time is actually launching the attack.
Direct path attack is a term that I’m personally familiar with, but I think I really haven’t seen too much about it aside from this report, so what do organizations know about them and what can they do to prepare for that specific attack vector?
“People must know that we are seeing a ramp-up and increase that is going to be even more prevalent as more and more botnets adapt and infiltrate server-class hardware” – Richard Hummel
The reason why we’re seeing more of this, and why we want people to pay attention, is because if an organization is implementing something like source address validation, it’s going to work great against things like reflection amplification, but guess what? Direct path attacks that establish a TCP connection, that’s going to get right through that first layer of protection.
People must know that we are seeing a ramp-up and increase that is going to be even more prevalent as more and more botnets adapt and infiltrate server-class hardware that is sitting on really high-throughput bandwidth networks, or 5G/IoT devices. All of which can generate a lot of different volumes in terms of traffic. Address validation is great to mitigate one type of attack, but it does nothing for the non-spoofed, direct path attacks.
This is a phenomenon that we’re seeing everywhere and so we must get that messaging out. People need to know this is what adversaries are starting to prefer, and that it can overcome that first layer of protection that a lot of enterprises and service providers are starting to implement.
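The two-layer point Hummel makes above can be shown in code. The following is an added example written for this page; it is not part of the interview, the NETSCOUT report, or any NETSCOUT product. It models strict unicast reverse path forwarding (uRPF, the usual implementation of BCP 38 source address validation) on a hypothetical provider edge router and runs it over constructed flow records: spoofed DNS queries aimed at a reflector are dropped because their source address is not routed via the interface they arrived on, while a direct path TCP flood from real hosts passes untouched. A second, behavioural layer then catches the direct path traffic with a per-source rate check, which is only enforceable once the sources are known to be genuine. The FIB, addresses (RFC 5737 documentation ranges), flow fields and thresholds are all assumptions chosen for the illustration.

```python
"""Added example (not from the interview or NETSCOUT): strict uRPF stops
spoofed reflection traffic but not a direct-path (non-spoofed) TCP flood,
so a second, behavioural layer is needed. All data below is constructed."""
import ipaddress
from collections import defaultdict

# Hypothetical FIB of a provider edge router: prefix -> interface used to reach it.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "cust1",
    ipaddress.ip_network("203.0.113.0/24"): "cust2",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}


def rpf_interface(src: str) -> str:
    """Longest-prefix match: the interface the router would use to send TO src."""
    addr = ipaddress.ip_address(src)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best]


def strict_urpf_pass(flow: dict) -> bool:
    """Strict uRPF / BCP 38: accept only if the source is reachable via the
    interface the packet arrived on; anything else is treated as spoofed."""
    return rpf_interface(flow["src"]) == flow["in_if"]


def filter_spoofed(flows):
    """Layer 1: split flows into what source address validation keeps and drops."""
    passed = [f for f in flows if strict_urpf_pass(f)]
    dropped = [f for f in flows if not strict_urpf_pass(f)]
    return passed, dropped


def detect_direct_path_flood(flows, per_source_pps: float = 1_000.0):
    """Layer 2: per-source TCP packet-rate check on traffic that passed uRPF.
    A per-source limit is meaningful here precisely because the addresses are
    real; against spoofed traffic every packet can carry a fresh source.
    Returns {(dst, dport): sorted list of sources exceeding the rate}."""
    hits = defaultdict(list)
    for f in flows:
        if f["proto"] != "tcp":
            continue
        pps = f["packets"] / f["duration"] if f["duration"] else float("inf")
        if pps >= per_source_pps:
            hits[(f["dst"], f["dport"])].append(f["src"])
    return {k: sorted(v) for k, v in hits.items()}


def sample_flows():
    """Constructed flow records, all observed on the router's 'cust1' interface."""
    def mk(src, dst, proto, sport, dport, flags, packets, nbytes, duration):
        return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                    flags=flags, packets=packets, bytes=nbytes,
                    duration=duration, in_if="cust1")
    return [
        # Reflection/amplification setup: a host on cust1 spoofs the victim's
        # address (203.0.113.10, which lives behind cust2) on DNS queries to a resolver.
        mk("203.0.113.10", "192.0.2.53", "udp", 40000, 53, "", 200_000, 12_000_000, 10.0),
        # Direct-path SYN flood: three real cust1 hosts hammering the victim's HTTPS port.
        mk("198.51.100.7", "203.0.113.10", "tcp", 51000, 443, "S", 300_000, 18_000_000, 10.0),
        mk("198.51.100.8", "203.0.113.10", "tcp", 51001, 443, "S", 300_000, 18_000_000, 10.0),
        mk("198.51.100.9", "203.0.113.10", "tcp", 51002, 443, "S", 300_000, 18_000_000, 10.0),
        # A legitimate session from cust1 to the same service (completed handshake).
        mk("198.51.100.20", "203.0.113.10", "tcp", 51003, 443, "SA", 40, 30_000, 10.0),
    ]


def analyse(flows=None):
    """Run both layers and report what each one catches."""
    flows = sample_flows() if flows is None else flows
    passed, dropped = filter_spoofed(flows)
    return {
        "dropped_by_urpf": [f["src"] for f in dropped],
        "passed_urpf": [f["src"] for f in passed],
        "direct_path_hits": detect_direct_path_flood(passed),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyse())
```

Running it shows the spoofed query (source 203.0.113.10 arriving on cust1) dropped by uRPF, while all four genuine cust1 sources pass; only the second layer singles out the three flooding hosts and leaves the low-rate legitimate session alone. The per-source threshold is illustrative; in practice it would come from a baseline of the protected service.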
GovCyberHub: Final question, with recent global events there has been a demonstrated rise in cyberattacks from both state and stateless sources. What can government agencies do to prepare for these attacks?
Richard Hummel: So, let me start by saying, we are not in the business of attribution, but I have my suspicions about who is carrying out this recent spate of attacks. But let’s go back to February: all was relatively calm until we saw a massive, massive increase in reports on Ukrainian assets, websites, financial institutions and so much more. All of a sudden the entire world became very concerned about the role of cyberattacks, and what they can do to be prepared.
“What we learned is that despite the world viewing these incidents as major threats, they largely were standard attacks.” – Richard Hummel
Like I said, attribution is not as important as some may think. In this case, there are a few questions that matter more than “who.” What we care about are the details of those attacks. What attack vectors are being used? What is the bandwidth? What is the throughput? How long are these attacks lasting? What are the things that I can look at specifically to identify if I’m seeing similar attacks across my entire network stack?
NETSCOUT has global visibility and collection that allows us real-time tracking of DDoS attacks, which answers most of those questions, and we find that it is incredibly effective at tracking and providing information on these attacks from the minutiae to the global.
What we learned is that despite the world viewing these incidents as major threats, they largely were standard attacks. Everybody was saying that these are really potent, powerful attacks but what we saw weren’t very high bandwidth or throughput attacks.
“Anybody can mitigate these attacks if they are prepared and have someone like NETSCOUT watching their back.” – Richard Hummel
These are just average attacks, likely sourced from booter or stresser services; we’ve known about them for a long time and have had plenty of time to properly prepare and properly understand these things. Anybody can mitigate these attacks if they are prepared and have someone like NETSCOUT watching their back.
On the topic of Ukraine and Russia, let’s divorce ourselves from geopolitics for a second, because both sides saw serious attacks. Groups have been actively launching DDoS attacks, among other vectors, against both countries and have demonstrated what it looks like to see cyberattacks being used in a time of conflict. What may be surprising is that there was not much new. We saw things like DNS Amplification, SYN Floods, DNS Query Floods, all things that we’ve seen for the last 5-7 years.
“The big takeaway is that there is a concentrated and deliberate effort by some actors to pack as much punch into their attacks… through the clever use of specific tactics at specific times. They’re trying to find the exact point in time, the exact way… to be successful.” -Richard Hummel
Another thing that really stood out was the limited size of these attacks. The largest attack we saw against Ukraine was around 173 gigabits per second. Russia did see one over 450 gigabits per second, but it was a single attack. Most were very, very small attacks, and that stood out as something for us to consider when thinking about cyberattacks during a conflict.
The big takeaway is that there is a concentrated and deliberate effort by some actors to pack as much punch into their attacks not through sheer size but through the clever use of specific tactics at specific times. This is what I was talking about where criminals are getting smarter, they’re trying to find the exact point in time, the exact way to launch the attack to be successful.
So, what should we all learn from these incidents? I would implore everyone to get educated and pay attention to the technical aspects of these attacks and specifically the DDoS attacks. Again, we’re not here to attribute but we are here to understand the attack vector, and the processes, we want to ask the right questions. What is their upper bandwidth? That is a great question because if your security solutions are rated above that, then your organization will be prepared for at least that attack if you are the target or if you are just an innocent bystander caught in its wake.
“What should federal agencies do? They should learn, they should take an agnostic approach to everything happening and focus on the cybersecurity ramifications… and they [should] reach out to a partner like NETSCOUT.” – Richard Hummel
In cybersecurity, politics has no place; we need to be focused on what our adversary is doing. Just because an attack is attributed to one country or another, it doesn’t mean that there are not some freelancers or opportunistic cybercriminals out there also launching DDoS attacks.
To put a bow on it and answer your question, what should federal agencies do? They should learn, they should take an agnostic approach to everything happening and focus on the cybersecurity ramifications. Alternatively, they can reach out to a partner like NETSCOUT, who can gladly provide them with the information, resources, and skills to both understand what’s going on and the solutions that are best prepared to face whatever challenges come our way.
To read the entire Threat Intelligence Report, click here.
To learn more about what NETSCOUT solutions are available for Government IT, click here.