Hackers behind Mirai botnet could be sentenced to working for the FBI

This comes after more than 18 months of already helping the FBI stop cyberattacks

Three young hackers went from believing they were “untouchable” to helping the FBI stop future cyberattacks.

The trio of hackers behind the Mirai botnet — one of the most powerful tools used for cyberattacks — has been working with the FBI for more than a year, according to court documents filed last week.

Now the government is recommending they be sentenced to continue assisting the FBI, instead of a maximum five years in prison and a $250,000 fine.

“By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods,” US attorneys said in a motion filed Sept. 11. “The information provided by the defendants has been used by members of the cybersecurity community to safeguard US systems and the Internet as a whole.”
Originally, a probation officer on the case recommended that all three defendants be sentenced to five years’ probation and 200 hours of community service.

Because of the hackers’ help, prosecutors have asked that the community service requirement be bumped up to 2,500 hours, which would include “continued work with the FBI on cybercrime and cybersecurity matters.”

The three defendants are set to be sentenced by a federal judge in Alaska. The sentencing plea Tuesday was earlier reported by Wired.

Hacker rehab

Governments have taken a new approach with young, first-offender hackers, in the hopes of rehabilitating them and recruiting them to help defend against future attacks. The UK offers an alternative called the “cybercrime intervention workshop,” essentially a boot camp for young hackers who have technical talent but poor judgment.

The three defendants — Josiah White, Paras Jha and Dalton Norman — were between the ages of 18 and 20 when they created Mirai, originally to take down rival Minecraft servers with distributed denial-of-service attacks.

DDoS attacks send massive amounts of traffic to websites that can’t handle the load, with the intention of shutting them down. Mirai took over hundreds of thousands of computers and connected devices like security cameras and DVRs, and directed them for cyberattacks and traffic scams.

In one conversation, Jha told White that he was “an untouchable hacker god” while talking about Mirai, according to court documents.

The botnet was capable of carrying out some of the largest DDoS attacks ever recorded, including one in 2016 that caused web outages across the internet. The three defendants weren’t behind the massive outage, but instead were selling access to Mirai and making thousands of dollars, according to court documents.

Helping the FBI

The three hackers pleaded guilty in December, but had been helping the government with cybersecurity for 18 months, even before they were charged. Prosecutors estimated they’ve worked more than 1,000 hours with the FBI — about 25 weeks in a typical workplace.

That includes working with FBI agents in Anchorage, Alaska, to find botnets and free hacker-controlled computers, and building tools for the FBI like a cryptocurrency analysis program.

In March, the three hackers helped stop the Memcached DDoS attack, a tool that was capable of blasting servers with over a terabyte of traffic to shut them down.

“The impact on the stability and resiliency of the broader Internet could have been profound,” US attorneys said in a court document. “Due to the rapid work of the defendants, the size and frequency of Memcache DDoS attacks were quickly reduced such that within a matter of weeks, attacks utilizing Memcache were functionally useless.”

According to US officials, the three hackers also last year helped significantly reduce the number of DDoS attacks during Christmas, when activity usually spikes. Along with helping the FBI, the three defendants have also worked with cybersecurity companies to identify nation-state hackers and assisted on international investigations.

Jha now works for a cybersecurity company in California while also attending school. Dalton has been continuing his work with FBI agents while attending school at the University of New Orleans, and White is working at his family’s business.

Prosecutors heavily factored their “immaturity” and “technological sophistication” as part of the decision.

“All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity,” the court documents said.

Source: https://www.cnet.com/news/hackers-behind-mirai-botnet-could-be-sentenced-to-working-for-the-fbi/

DDoS attacks: Students blamed for many university cyber attacks

DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.

Source: https://www.zdnet.com/article/ddos-attacks-students-blamed-for-many-university-cyber-attacks/

How to train your network: the role of artificial intelligence in network operations

With the help of machine learning and AI, software-defined networks could soon aid businesses with network management.

A network that can fix and optimize itself without human intervention could become a reality soon – but not without some training. With the help of machine learning and artificial intelligence, software-defined networks can learn to help with network management by using operational data.  Initial application of AI to WAN operations includes security functions such as DDoS attack mitigation as well as near real-time, automated path selection, and eventually AI-defined network topologies and basic operations essentially running on ‘auto-pilot’.

Enhancing IT operations with artificial intelligence (AI), including configuration management, patching, and debugging and root cause analysis (RCA) is an area of significant promise – enough so that Gartner has defined the emerging market as “AIOps”. These platforms use big data and machine learning to enhance a broad range of IT operations processes, including availability and performance monitoring, event correlation and analysis, IT service management, and automation (Gartner “Market Guide for AIOps platforms,” August 2017).

Gartner estimates that by 2022, 40 percent of all large enterprises will combine big data and machine learning functionality to support and partially replace monitoring, service desk and automation processes and tasks, up from five percent today.

Limits of automation and policy for NetOps

Given the traditional split between APM (application performance management) and NPM (network performance management), even the best network management tools aren’t always going to help trace the root cause of every application and service interruption. There can be interactions between network and application that give rise to an issue, or a router configuration and issue with a service provider that’s impacting application performance.

Network operations personnel might respond to an incident by setting policies in the APM or NPM systems that will alert us when an unwanted event is going to happen again. The issue with policy-based management is that it is backwards looking. That’s because historical data is used to create into policies that should prevent something from happening again. Yet, policy is prescriptive; it doesn’t deal with unanticipated conditions. Furthermore, changes in business goals again more human intervention if there isn’t a matching rule or pre-defined action.

On the whole, SD-WAN services represent an improvement over management of MPLS networks. Still, the use of an SD-WAN isn’t without its own challenges. Depending on the number of locations that have to be linked, there can be some complexity in managing virtual network overlays. The use of on-demand cloud services adds another layer of complexity. Without sufficient monitoring tools, problems can escalate and result in downtime. At the same time, adding people means adding cost, and potentially losing some of the cost efficiencies of SD-WAN services.

AI is way forward for SD-WAN management

What would AIOps bring to SD-WAN management?

Starting with a programmable SD-WAN architecture is an important first step towards a vision of autonomous networking.  Programmable in this case means API-driven, but the system also needs to leverage data from the application performance and security stack as well as the network infrastructure as inputs into the system so that we can move from simple alerting to intelligence that enables self-healing, managing and optimization with minimal human intervention.

Monitoring all elements in the system in real time (or at least near real time) will require storing and analyzing huge amounts of data. On the hardware side, cloud IaaS services have made that possible. Acting on the information will require artificial intelligence in the form of machine learning.

Use Cases for AI in SD-WAN

There are a variety of ways to apply machine learning algorithms to large datasets from supervised to unsupervised (and points in between) with the result being applications in areas such as:

  • Security, where unexpected network traffic patterns and patterns of requests against an application can be detected to prevent DDoS attacks.
  • Enhancing performance of applications over the internet network with optimized route selection.

Looking more closely at security as a use case, how would AI and ML be able to augment security of SD-WANs? While the majority of enterprises are still trying to secure their networks with on-premise firewalls and DDoS mitigation appliances, they are also facing attacks that are bigger and more sophisticated. According to statistics gathered by Verisign last year:

  • DDoS attacks peaked at over 5Gbps approximately 25% of the time
  • During Q3 2017, 29% of attacks combined five or more different attack types.

Challenge: A multi-vector attack on an enterprise network has affected service availability in Europe.

Response: Application of AIOps to the SD-WAN underlay can automate the response to the attack. Instead of manually re-configuring systems, the network can automatically direct traffic to different traffic scrubbing centers based on real-time telemetry around network and peering point congestion, mitigation capacity, and attack type/source. Because the system can process data from outside sources at speeds far beyond human ability to manage the network, the system can adjust traffic flows back to normal transit routes as soon as the attack subsides, saving money on the cost of attack mitigation. AI and ML in conjunction with a programmable SD-WAN are capable of responding more quickly and in more granular fashion than is possible with standard policy-based “automatic detection” and mitigation techniques.

Where does AI in network go next?

Although the industry is still in the early days of applying machine learning to networking, there are a number of efforts underway to keep an eye on. One is the Telecom Infra Project (TIP), founded by Facebook and telecom first firms such as Deutsche Telecom and SK Telecom, which now counts several hundred other companies as members. The TIP recently started collaborating on AI with an eye towards predictive maintenance and dynamic allocation of resources. Important groundwork for the project will include defining common dataset formats that are used to train systems. That work could lead to further sharing of data between network providers and web companies, offering the prospect of significant improvements to security and threat detection for enterprises and consumers.

Further in the future, we might expect to see an AI designed network topology, combined with SDN control over resources. Networking will have moved from a paradigm of self-contained networks to a network ‘awareness’ overlay which enables coordinated, intelligent actions based on operator intention. Network engineers can put the system on ‘auto-pilot’ during everyday computing, and instead spend time orchestrating resources based on the goals of the business.

Source: https://www.itproportal.com/features/how-to-train-your-network-the-role-of-artificial-intelligence-in-network-operations/

DDoS Attacks Increase in Size by 500%

According to the Q2 2018 Threat ReportNexusguard’s quarterly report, the average distributed denial-of-service (DDoS) attack grew to more than 26Gbps, increasing in size by 500%.

The research looked at the same period last year and found that the maximum attack size quadrupled to 359Gbps. Evaluating thousands of worldwide DDoS attacks, researchers reportedly gathered real-time attack data from botnet scanning, honeypots, ISPs and traffic moving between attackers and their targets. Data analysis led researchers to attribute the stark surge to IoT botnets and Satori malware exploits, one of many variants of the Mirai malware.

“Due to the increase in IoT-related malware exploits and the rampant growth of large-scale DDoS attacks, research conclusions point to the continued use of IoT botnets. Cyber-attacks hit the 2018 FIFA World Cup, as well as cryptocurrency-related businesses, maximizing revenue loss,” Nexusguard wrote in a press release. Additionally, attacks on the Verge Network (XVG) resulted in a significant loss of 35 million XVG tokens.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard.

“Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these super-sized attacks to ensure customer service and operations continue uninterrupted.”

Nexusguard analysts advise communications service providers (CSPs) and other potentially vulnerable operations to augment their preparedness so that they are able to maintain their bandwidth, especially if they lack full redundancy and failover plans in their infrastructures. CSPs and vulnerable organizations that enhance bandwidth protection will be better positioned to stay ahead of the surging attack sizes.

“In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSP),” the report said. “Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.”

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-increase-in-size-by/

Edinburgh Uni Hit by Major Cyber-Attack

The website of Edinburgh University was still down at the time of writing after the institution suffered a major cyber-attack during its Freshers’ Week.

A university spokesman told the Edinburgh Evening News that it has “rigid measures in place” to protect IT systems and data.

“Our defenses reacted quickly and no data has been compromised,” he added. “We will continue to work with our internet service provider, [national cybercrime investigators] and with other universities to prevent these network attacks in future.”

The main ed.ac.uk site was still down on Thursday morning, nearly 24 hours after the first reports of an attack went online. That would indicate a serious DDoS attack.

Jisc, the UK non-profit which runs the super-fast Janet network for research and educational institutions, released a statement claiming that a “number of universities” have been targeted this week and adding that the number of DDoS attacks on them “typically increases at this time of year, when students are enrolling at, or returning to university.”

“While Jisc is responsible for protecting connections to the Janet Network for its members (colleges, universities and research centres), members are responsible for protecting their own cyberspace,” it added. “However, Jisc also provides DDoS threat intelligence to its community and provides advice to members affected by cyber-attacks on how to deal with the problem and minimize the impact.”

Ironically, Edinburgh University was praised by the government this year for carrying out cutting-edge cybersecurity research. It is one of 14 Academic Centres of Excellence in Cyber Security Research, backed by the £1.9bn National Cyber Security Strategy.

DDoS attacks grew by 40% year-on-year in the first six months of 2018, according to new figures from Corero Networks.

The security firm claimed that attacks are becoming shorter — with 82% lasting less than 10 minutes — and smaller, with 94% under 5Gbps. However, one in five victims are hit with another attack within 24 hours, the report revealed.

Source: https://www.infosecurity-magazine.com/news/edinburgh-uni-hit-by-major-cyber/

DDoS attacks are getting even larger

Average DDoS attack is five times stronger this year, compared to the year before.
The average DDoS attack is five times stronger this year, compared to the year before, and the biggest DDoS attack is four times stronger than last year’s strongest, according to new reports.

Nexusguard’s Q2 2018 Threat Report analysed thousands of DDoS attacks worldwide and came to the conclusion that the average DDoS attack is now bigger than 26 Gbps, and the maximum attack size is now 359 Gbps.

IoT botnets are still largely in use, mostly because of the increasing number of IoT-related malware exploits, as well as the huge growth in large-scale DDoS attacks.

The report says that CSPs and susceptible operations should ‘enhance their preparedness to maintain their bandwidth, especially if their infrastructure don’t have full redundancy and failover plans in place’.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard. “Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these supersized attacks to ensure customer service and operations continue uninterrupted.”

Universal datagram protocol, or UDP, is the hacker’s favourite attack tool, with more than 31 per cent of all attacks using this approach. This is a connectionless protocol which helps launch mass-generated botnets.

Top two sources of these attacks are the US and China.

Source: https://www.itproportal.com/news/ddos-attacks-are-getting-even-larger/

DDoS Protection is the Foundation for Application, Site and Data Availability

When we think of DDoS protection, we often think about how to keep our website up and running. While searching for a security solution, you’ll find several options that are similar on the surface. The main difference is whether your organization requires a cloud, on-premise or hybrid solution that combines the best of both worlds. Finding a DDoS mitigation/protection solution seems simple, but there are several things to consider.

It’s important to remember that DDoS attacks don’t just cause a website to go down. While the majority do cause a service disruption, 90 percent of the time it does not mean a website is completely unavailable, but rather there is a performance degradation. As a result, organizations need to search for a DDoS solution that can optimize application performance and protect from DDoS attacks. The two functions are natural bedfellows.

The other thing we often forget is that most traditional DDoS solutions, whether they are on-premise or in the cloud, cannot protect us from an upstream event or a downstream event.

  1. If your carrier is hit with a DDoS attack upstream, your link may be fine but your ability to do anything would be limited. You would not receive any traffic from that pipe.
  2. If your infrastructure provider goes down due to a DDoS attack on its key infrastructure, your organization’s website will go down regardless of how well your DDoS solution is working.

Many DDoS providers will tell you these are not part of a DDoS strategy. I beg to differ.

Finding the Right DDoS Solution

DDoS protection was born out of the need to improve availability and guarantee performance.  Today, this is critical. We have become an application-driven world where digital interactions dominate. A bad experience using an app is worse for customer satisfaction and loyalty than an outage.  Most companies are moving into shared infrastructure environments—otherwise known as the “cloud”— where the performance of the underlying infrastructure is no longer controlled by the end user.

  1. Data center or host infrastructure rerouting capabilities gives organizations the ability to reroute traffic to secondary data centers or application servers if there is a performance problem caused by something that the traditional DDoS prevention solution cannot negate. This may or may not be caused by a traditional DDoS attack, but either way, it’s important to understand how to mitigate the risk from a denial of service caused by infrastructure failure.
  2. Simple-to-use link or host availability solutions offer a unified interface for conducting WAN failover in the event that the upstream provider is compromised. Companies can use BGP, but BGP is complex and rigid. The future needs to be simple and flexible.
  3. Infrastructure and application performance optimization is critical. If we can limit the amount of compute-per-application transactions, we can reduce the likelihood that a capacity problem with the underlying architecture can cause an outage. Instead of thinking about just avoiding performance degradation, what if we actually improve the performance SLA while also limiting risk? It’s similar to making the decision to invest your money as opposed to burying it in the ground.

Today you can look at buying separate products to accomplish these needs but you are then left with an age old problem: a disparate collection of poorly integrated best-of-breed solutions that don’t work well together.

These products should work together as part of a holistic solution where each solution can compensate and enhance the performance of the other and ultimately help improve and ensure application availability, performance and reliability. The goal should be to create a resilient architecture to prevent or limit the impact of DoS and DDoS attacks of any kind.

Source: https://securityboulevard.com/2018/09/ddos-protection-is-the-foundation-for-application-site-and-data-availability/

Cyber policies: More than just risk transfer

Digital connectivity continues apace – but brings with it increased cyber risks. These relatively new and complex risk profiles require approaches that go far beyond traditional insurance, argues Munich Re’s reinsurance boss Torsten Jeworrek.

Self-learning machines, cloud computing, digital ecosystems: in the steadily expanding Internet of Things, all objects communicate with others. In 2017, 27 billion devices around the world were online, but this number is set to increase five-fold to 125 billion by the year 2030. And many industries are profiting from the connectivity megatrend.

In virtually every sector, automated processes are delivering greater efficiency and therefore higher productivity. By analysing a wide range of data, businesses also hope to gain new insights into existing and prospective customers, their purchasing behaviour, or the risk that they might represent. This will facilitate a more targeted customer approach. At the same time, greater levels of interconnection are leading to new business models. Examples include successful sharing concepts and online platforms.

Growing risk of ransomware

But just as there are benefits to growing connectivity, there are also risks. Ensuring data security at all times is a serious challenge in this complex world. When setting up and developing digital infrastructure, companies must constantly invest in data-security expertise and in technical security systems, not least to protect themselves against cyber attacks. This became clear in 2017, when the WannaCry and NotPetya malware attacks caused business interruption and production stoppages around the world. T

he costs of WannaCry in the form of lost data and business interruption were many times greater than the losses from ransom demands. With other attacks, the objective was not even extortion – but rather to sabotage business operations or destroy data. Phishing, which is the attempted capture of sensitive personal and log-in data, and distributed denial of service (DDoS) attacks, which take down entire servers by systematically overloading them, also cause billions of dollars in damage each year. It is difficult to calculate the exact amounts involved, but business losses from cyber attacks are currently estimated at between $400bn and $1tn each year.

And the number of cyber attacks continues to rise – as do the resulting losses. According to estimates from market research institute Cybersecurity Ventures, companies around the world will fall victim to such attacks every 14 seconds on average in 2019. Europol also notes that there have been attacks on critical national infrastructure in the past, in which people could have died had the attacks succeeded.

Increasing demand for cyber covers from SMEs as well

As the risks increase, so too does the number of companies that attach importance to effective prevention measures and that seek insurance cover. The pressure to improve data protection has also increased as a result of legal requirements such as the EU’s General Data Protection Regulation, which came into force in May 2018 and provides for severe penalties in the event of violations. In a world of digital dependency, automated processes, and networked supply chains, small- and medium- sized companies in particular realise that it is no longer enough to focus on IT security within their own four walls.

For the insurance industry, cyber policies are gradually becoming an important field of business in their own right. According to estimates, further significant increases in premium volume are on their way. In 2017, premium volume was at between $3.5bn and $4bn. That figure is expected to increase to between $8bn and $9bn by 2020. So there will be good growth opportunities over the next few years, particularly in Europe.

Cyber risks difficult to assess

Cyber risks pose unique challenges for the insurance industry, above all in connection with accumulation risk: a single cyber event can impact many different companies at the same time, as well as leading to business interruption for other companies.

How can the market opportunities be exploited, while at the same time managing the new risks? Are cyber risks ultimately uninsurable, as many industry representatives have said? One thing is certain: there are a number of extreme risks that the insurance industry cannot bear alone. At present, these include network outages that interrupt the electricity supply, or internet and telecommunication connections. Scenarios like these, and the costs that come with them, should be borne jointly by governments and companies, for example in the form of pool solutions.

Cyber as a new type of risk

There are key differences between cyber risks and traditional risks. Historical data such as that applied to calculate future natural hazards, for example, cannot tell us much about future cyber events. Data from more than ten years ago, when there was no such thing as cloud computing and smartphones had not yet taken off, are of little use when assessing risks from today’s technologies. Insurers and reinsurers must be able to recognise and model the constantly evolving risks over the course of these rapid advances in technology. An approach that relies on insurance expertise alone will rapidly reach its limits. Instead, the objective of all participants should be to create as much transparency as possible with regard to cyber risks. IT specialists, authorities, and the scientific and research communities can all help to raise awareness of the risks and contribute their expertise for the development of appropriate cyber covers.

Working together to enhance security

Munich Re relies on collaboration with technology companies and IT security providers to develop solutions for cyber risks. This is because the requirements for comprehensive protection are complex, and safeguarding against financial losses is only one component of an overall concept. Accordingly, in consultation with our technology partners, we are developing highly effective, automated prevention services for our clients. These are designed to permanently monitor the client infrastructure, identify risks promptly, and prevent losses. And – importantly – a company needs to respond quickly to limit the loss from an event and allow it to resume normal operations without delay. In this context, we assist our clients with a network of experts.

But cyber risks remain a challenge, and one that the insurance industry needs to tackle. Insurers can only remain relevant for their clients if they constantly adapt their offerings to new or changed risks and requirements. Opportunities for new fields of business are arising.

Source: https://www.re-insurance.com/opinion/cyber-policies-more-than-just-risk-transfer/1687.article

McDreary? The Future of Medical Call Centers & DDoS

As healthcare’s digital transformation continues, security remains a top priority — especially as distributed denial-of-service (DDoS) attacks target the click-to-call features on websites.

Click-to-call defines the services that enable patients to immediately call a hospital or clinic directly from a button on their website, either using a traditional phone service or Voice over Internet Protocol (VoIP) technology. This is different from click-to-callback features, which are used for less pressing medical needs, and is an important differentiation when securing hospital communications from DDoS attacks.

Because direct click-to-call scenarios use more resources, such as audio streams and interactive voice response (IVR) systems, these types of connections are much easier to effect using an application-layer DDoS attack.

When a DDoS attack affects a healthcare system, click-to-call features are often taken fully offline. If this occurs during a health emergency, the implications can mean life or death.

However, click-to-call features also offer enhanced and more personalized engagement in a cost-effective manner, so simply removing them could result in delayed care or service abandonment as well as raise the cost of future care. So what’s the best move?

Neustar’s 2017 Worldwide DDoS Attacks and Cyber Insights Research Report found that while 99% of the organizations it surveyed had some sort of DDoS protection in place, the vast majority of them (90%) were planning to invest more than in the previous year, and 36% thought they should be investing even more than that.

The same way that keeping protected health information (PHI) secure continues to be of the utmost importance, further steps must be taken to protect healthcare organizations from DDoS attacks.

Gated access through proper authentication 
One of the primary ways healthcare organizations can prevent a DDoS attack is through proper authentication. Proper authentication reduces the attack surface by providing a gate of access to those systems and rules out certain flavors of anonymous attacks.

Anonymous DDoS attacks use an open access or resource and distribute/coordinate mass usage of the access, and are challenging to thwart as it is difficult to differentiate an attack from actual usage.

Proper authentication provides a simple differentiation. Credential loss is a possible attack vector even with authentication; however, coordinating DDoS attacks with authentication credentials is much more difficult due to the distribution of credentials. For instance, if an attacker has compromised a single access point and distributes the single authentication to all endpoints, a properly protected account could easily thwart an attack with access rate-limiting.

Securing Patient Portals 
Implementing secure patient portals is another way to prevent DDoS attacks on medical call centers.

Patient portals require strong authentication. If proper authentication is required before using resources such as call centers and call agents, then the ability to launch a large-scale attack would require numerous credentials. In circumstances where multi-factor authentication is required, the complexity of a successful DDoS attack only increases — thereby making it more difficult to pull off.

For example, if a username/password entry into a patient portal required a text or email verification as well — or even a prompt on an installed smartphone application — then the loss of even a large set of credentials could not be used in an attack without also compromising some other form(s) of communication. Since patient portals also contain mass amounts of private data, securing that information to the highest degree in order to safeguard it properly is key and can also help prevent a large-scale attack on a hospital’s click-to-call functionality.

What the threat of DDoS attacks means to the global security community 
Today it’s obviously critical that global security managers remain aware of the daunting DDoS threat. When (not “if”) an attack occurs, critical resources are consumed — sometimes even resources that are unrelated.

For example, a DDoS attack against a website might consume networking resources, bringing down a patient portal, and an attack against a patient portal may consume database resources and prevent normal internal operations.

DDoS attacks on weak targets are relatively inexpensive for attackers — existing botnets with simple traffic flooding exist and await the next purchase — and simple networking attacks can be thwarted with up-to-date networking equipment front-ending services.

However, application-aware and custom attacks are much more expensive to create, and can be made prohibitively expensive by taking simple steps like requiring authentication before allowing access to resource offerings.

Additionally, keeping software up-to-date is critical as software flaws are discovered, and quickly updating components is effective at blocking attacks before they can be crafted and deployed. Regularly updating systems and keeping them free of malware not only reduces available botnet size, amplification points and reflection points, but may also prevent a hop-off point for more sophisticated attacks.

As more tech companies enter the healthcare field to enable its digitization, and information security continues to be top of mind in every field, it’s important for those in the security industry — some of whom may directly dabble in healthcare — as well as the healthcare organizations themselves to focus on increasing their security measures and to know what they should be doing to prevent this type of communications attack.

Source: https://www.infosecurity-magazine.com/opinions/mcdreary-medical-ddos/

The evolution of DDoS attacks – and defences

Aatish Pattni, regional director, UK & Ireland, Link11, explores in Information Age how DDoS attacks have grown in size and sophistication over the last two decades.

What is the biggest cyber-threat to your company? In April 2018, the UK’s National Crime Agency answered that question by naming DDoS attacks as the joint leading threat facing businesses, alongside ransomware. The NCA noted the sharp increase in DDoS attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the potential attacks.

It’s no surprise that DDoS is seen as such a significant business risk. Every industry sector is now reliant on web connectivity and online services. No organisation can afford to have its systems offline or inaccessible for more than a few minutes: business partners and consumers expect seamless, 24/7 access to services, and being forced offline costs a company dearly. A Ponemon Institute study found that each DDoS incident costs $981,000 on average, including factors such as lost sales and productivity, the effect on customers and suppliers, the cost of restoring IT systems, and brand damage.

So how have DDoS attacks evolved from their early iterations as stunts used by attention-seeking teens, to one of the biggest threats to business? What techniques are attackers now using, and how can organisations defend themselves?

Early days of DDoS

The first major DDoS attack to gain international attention was early in 2000, launched by a 15-year-old from Canada who called himself Mafiaboy. His campaign effectively broke the internet, restricting access to the web’s most popular sites for a full week, including Yahoo!, Fifa.com, Amazon.com, eBay, CNN, Dell, and more.

DDoS continued to be primarily a tool for pranks and small-scale digital vandalism until 2007, when a range of Estonian banking, news, and national government websites were attacked. The attack sparked nationwide riots and is widely regarded as one of the world’s first nation-state acts of cyberwar.

The technique is also successful as a diversion tactic, to draw the attention of IT and security teams while a second attack is launched: another security incident accompanies up to 75% of DDoS attacks.

Denial of service has also been used as a method of protest by activist groups including Anonymous and others, to conduct targeted take-downs of websites and online services. Anonymous has even made its attacks tools freely available for anyone to use. Recent years have also seen the rise of DDoS-on-demand services such as Webstresser.org. Before being shut down by international police, Webstresser offered attack services for as little as £11, with no user expertise required – yet the attacks were powerful enough to disrupt operations at seven of the UK’s biggest banks.

Amplified and multi-vector attacks

In October 2016, a new method for distributing DoS attacks emerged – using a network of Internet of Things (IoT) devices to amplify attacks. The first of these, the Mirai botnet infected thousands of insecure IoT devices to power the largest DDoS attack witnessed at the time, with volumes over a Terabyte. By attacking Internet infrastructure company Dyn, Mirai brought down Reddit, Etsy, Spotify, CNN and the New York Times.

This was just a signpost showing how big attacks could become. In late February 2018, developer platform Github was hit with a 1.35 Tbps attack, and days later a new record was set with an attack volume exceeding 1.7 Tbps. These massive attacks were powered by artificial intelligence (AI) and self-learning algorithms which amplified their scale, giving them the ability to disrupt the operations of any organisation, of any size.

Attacks are not only getting bigger but are increasingly multi-vector. In Q4 2017, Link11 researchers noted that attackers are increasingly combining multiple DDoS attack techniques. Over 45% of attacks used 2 or more different techniques, and for the first time, researchers saw attacks which feature up to 12 vectors. These sophisticated attacks are difficult to defend against, and even low-volume attacks can cause problems, as happened in early 2018 when online services from several Dutch banks, financial and government services were brought to a standstill.

Staying ahead of next-generation AI-based attacks

As DDoS attacks now have such massive scale and complexity, traditional DDoS defences can no longer withstand them. Firewalls, special hardware appliances and intrusion detection systems are the main pillars of protection against DDoS, but these all have major limitations. Current attack volume levels can easily overload even high-capacity firewalls or appliances, consuming so many resources that that reliable operation is no longer possible.

Extortion by DDoS

The next iteration of attackers set out to use DDoS as an extortion tool, threatening organisations with an overwhelming attack unless they meet the attacker’s demand for cryptocurrency. Notable extortionists included the original Armada Collective, which targeted banks, web hosting providers, data centre operators as well as e-commerce and online marketing agencies in Greece and Central Europe.

Between January and March 2018, Link11’s Security Operation Centre recorded 14,736 DDoS attacks, an average of 160 attacks per day, with multiple attacks exceeding 100 Gbps. Malicious traffic at these high volumes can simply flood a company’s internet bandwidth, rendering on-premise network security solutions useless.

What’s needed is to deploy a cloud-native solution that can use AI to filter, analyse, and block web traffic if necessary before it even reaches a company’s IT systems. This can be done by routing the company’s Internet traffic via an external, cloud-based protection service. With this approach, incoming traffic is subject to granular analysis, with the various traffic types being digitally ‘fingerprinted’.

Each fingerprint consists of hundreds of properties, including browser data, user behaviour, and its origin. The solution builds up an index of both normal and abnormal, or malicious traffic fingerprints. When known attack patterns are detected in a traffic flow, the attack ‘client’ is blocked immediately and automatically in the cloud, before it even reaches customers’ networks – so that only clean; legitimate traffic reaches the organisation. However, regular traffic is still allowed, enabling a business to continue unaffected, without users being aware of the filtering process.

The solution’s self-learning AI algorithms also help to identify and block attacks for which there is no current fingerprint within a matter of seconds, to minimise the impact on the organisation’s website or web services. This means each new attack helps the system improve its detection capabilities, for the benefit of all users. Furthermore, this automated approach to blocking attacks frees up IT and security teams, enabling them to focus on more strategic work without being distracted by DDoS attempts.

In conclusion, DDoS attacks will continue to evolve and grow, simply because with DDoS-for-hire services and increasingly sophisticated methods, they are relatively easy and cheap to do – and they continue to be effective in targeting organisations. But by understanding how attacks are evolving and implementing the protective measures described here, organisations will be better placed to deny DDoS attackers.

Source: https://www.information-age.com/evolution-of-ddos-123473947/