Re-Assessing DDoS: The Lessons Learned
Neustar's Rodney Joffe on What to Expect from Next Strikes
It's time to start thinking about the next wave of DDoS attacks, says Neustar's Rodney Joffe. And it's time for other critical infrastructure industries - not just banks - to assess their risks.
In late July, Izz ad-Din al-Qassam Cyber Fighters announced the launch of Phase 4 of distributed-denial-of-service attacks on U.S. banks.
But as of late August, those attacks really have not materialized. Joffe, senior vice president and senior technologist at Neustar, thinks we are not necessarily seeing a cessation of DDoS attacks, but rather a regrouping and an evolution.
"Whoever is behind the series of attacks is still looking for vulnerable machines," Joffe says. "But to a large extent, I think the attacks themselves are over, and if we start to see attacks again - it might be called Phase 5 or Phase 6 - my guess is that what it is really likely to be is a totally new initiative, perhaps by the same actors, and perhaps using the same proxy attackers."
And U.S. banks are not likely to be the sole targets of new attacks, he adds.
"If you don't have attacks targeting you at the moment, don't assume that you're going to be protected from them, or you're not going to be a target, irrespective of the industry you're in," Joffe says. "Even if you're not in the financial industry, the lessons to be learned can apply anywhere."
In an interview about the latest DDoS attacks, Joffe discusses:
- Lessons learned from the first three phases of DDoS;
- Why non-banking entities must prepare to be attacked;
- How to help your organization to become a less attractive target.
As SVP & Senior Technologist at Neustar, Joffe is responsible for defining and guiding the technical direction of the company's Neusentry security offering as well as heading the company's cybersecurity initiatives. Joffe joined Neustar in 2006 after the acquisition of UltraDNS Corporation, a directory services company he founded in 1999. Prior to founding UltraDNS, Joffe was the founder and CTO of Genuity, one of the largest Internet Service and Hosting Providers in the world.
Assessing Phase 4
TOM FIELD: When we last spoke, there was some speculation that maybe we'd seen the last wave of DDoS attacks on banks. What do you interpret from their sort of pledged return, even if the return has been a bit lukewarm to date?
RODNEY JOFFE: I don't change my opinion from what we guessed the last time. I believe that to a larger extent, this particular set of attacks is over. What we've seen [is] there was a posting in the claim that we were now going to be looking at Phase 4 and, shortly after that, there was a little bit of activity over a couple of days. In fact, that has gone quiet again. We see very little activity in the Brobots or the systems that we have that we're monitoring that the bad guys are dealing with. What we're seeing is activity compromising potential machines. The other side of the equation is still occurring. I think that whoever is behind the series of attacks is still looking for vulnerable machines, but to a large extent I believe that the attacks themselves are over and, if we start to see attacks again, my guess is it might be called Phase 5 or Phase 6. What it's really likely to be is a totally new initiative perhaps by the same actors and perhaps using the same proxy attackers.
FIELD: From the few attacks that we've seen so far, what's your assessment of this initial Phase 4? What are we seeing new if anything?
JOFFE: We're not really seeing anything new. What we're seeing is predominantly the same kind of code, [with] a couple of improvements in the code. There have been some changes, almost as if they made use of the downtime to improve on the code they have, not anything dramatic in terms of sophistication. But I think that all we're seeing is effectively a group of people who are keeping themselves warm, if you like, and ready for another task. But we're seeing nothing beyond that.
Lessons Learned from Previous Attacks
FIELD: What would you say for organizations to prepare themselves that we can apply from the first three phases of pretty rigorous attacks? What would you say are the top lessons?
JOFFE: You're quite right. There were really good lessons that could be learned from the first phases of the attack. They really were sophisticated. They tested the capabilities across the board, not just with the victims or the targets, but with the support and the service organizations that supported them, as well as the federal sector. The kinds of lessons that I think have been very valuable [are], number one, you have to have in place in advance infrastructure or technologies that help defend you against the attacks. The worst time in the world for you to be doing your planning is in the middle of a firefight, which is what many banks and many of the targeted organizations were really stuck with through these first three rounds.
The second thing is collaboration, not only amongst your service providers but also amongst your competitors, is really important. The ability to share information is critical in identifying who's perhaps behind the attacks or what the motivation is. [Also], what techniques work? One of the things that I think the financial community really benefited from over the course of this was to get an understanding that, at the end of the day, there's no benefit to your competitor being taken down during this kind of an attack. It really disrupts trust and it disrupts public confidence in the industry itself.
The banking industry learned that, in the beginning, there was really very little sharing. By the second or third week there was sharing of information. By the end of it, there was a highly organized and highly evolved infrastructure that allowed sharing of information between the banks. I think the other industries need to pick up from that. They need to learn from that. They need to begin to reach out already with other organizations in their sectors about looking at ways of sharing information as attacks happen, sharing mitigation strategies, sharing profiles of attacks so that individual companies can mitigate themselves.
Then, as I said, have plans in place in advance. Whatever the best practices are that would work for others, certainly coming out of the financial attacks, absolutely follow those best practices. Put them in place, even if you've never seen any sign of attack toward you. ... Unlike the first five or six weeks of Phase 1, we know now that they've gotten their message across [that] they don't give an early warning. If you don't have attacks targeting you at the moment, don't assume that you're going to be protected from them or that you're not going to be a target, irrespective of the industry that you're in.
One other set of lessons I think is quite important is this was a set of attacks that launched by a given or a specific set of adversaries towards a particular industry. It unfortunately has served as a really good educational experience for many of the other malicious actors that are out in the world. If you haven't been attacked already because you're in a totally different industry - you're in something esoteric, you're in the music industry or you're in the movie industry, or you're even in something as bizarre and mundane as perhaps the burial services industry, something that people would think no one would ever attack - if you have competitors, it's absolutely possible that now the commercial attackers that might not have thought of attacking you early on, now that they know it could be successful in terms of disrupting you, they may target you. Really learn from this, even if you're not in the financial industry; the lessons to be learned can be applied everywhere.
Understanding the Actors
FIELD: Let's take a step back and talk about the actors. From your perspective, what do we know about the actors behind the attacks? Are they indeed the hacktivists that they portray themselves to be?
JOFFE: The thing we have to be very cautious about here is what we define as the actors behind the attacks. The attacks were carried out by a group of people who were very knowledgeable, who learned as they went, who understood many aspects of networking as well as computing. They're not necessarily the people that are actually paid for, organized or requested the attacks. You really have two layers. You have those that carried it out and those that were the instigators. I think those are two different groups.
I really am not in the position to go into who's actually behind it. What I'm comfortable talking about is the fact that we were looking at a series of actors for hire in some other way. We had attackers who had the skills who were available for hire by someone. I think the other thing that we can't argue with is that they were nation-state initiators of the attacks, and there has been a lot of press about who it is. For various reasons, I really can't say one way or the other. I'm going to rather say that I have no idea, but the rumors have been that it was a Middle Eastern nation-state. Publicly, Senator Joe Lieberman has talked about the fact that this was the nation-state of Iran. That's quite credible.
In fact, if you map the cycle of attacks, phases 1, 2, 3 and 4, what you start to see is that it does seem to map to some activities that have occurred in the Middle East related to Iran. The U.S. and the rest of the world have applied a fair bit of pressure around the issue of nuclear armaments, nuclear capabilities and threats. One of the interesting things is that Phase 4, the one we've just gone through, the first bit of the attack cycled up over a period of two or three days, right before the elections held in Iran. And the Iranian elections were won by a more moderate set of people in Iran, and there were no attacks following that. If you looked at this in a positive light or an optimistic light, what you might say is that the attackers for hire were prepping their infrastructure on the off-chance that the same hard-line administration came into power. When it turned out to be more moderate looking, there was no customer. That's about all that I can comfortably talk about. I know no more, I have no knowledge and I'm very cautious.
Disruption vs. Distraction
FIELD: In the past, we've talked about attacks being a disruption, attacks being aimed at distraction. From the latest instances that you have seen, have they been meant for disruption, distraction or perhaps both?
JOFFE: What they were meant for was purely a cleaning out of the cobwebs of the capabilities, nothing more. I don't think they were meant to disrupt. I don't think they were meant to distract. I really think that what they were was making sure that the infrastructure was still in place and was still working. That's probably a contrary view to anyone else, but that's really what it felt like to me, looking at it both [from] a political as well as an operational level.
Next DDoS Targets
FIELD: You've talked about different organizations and different industries that potentially could be targets. If indeed this current phase warms up or another phase initiates, who do you see as the next obvious targets of DDoS?
JOFFE: I think what we're going to see is a rise in targets that relates to critical infrastructure. It was obvious in this first round for the al-Qassam Cyber Fighters that the targets that they went after were specifically financial, and they had the ability to warn the U.S., both the government as well as the business world, that they had ability to disrupt the financial markets. I think that if we see another round at this stage, having discovered that they were effective, we will start to see disruption that causes a little more fear in the U.S. public if it's against the United States.
The way to do that is probably going to be to disrupt things like the power grid, things like water, delivery of water and water systems. We have had reports over the last while of compromises of the water systems in even small towns. There was a report that came out last week from one of the cybersecurity research companies, a very good report, that talked about it. I wouldn't be surprised if we really start to see attacks like that. We might see them against other industries that both the public and the business world rely on, which would be transportation, some with transportation systems; maybe not the systems themselves, but the business systems related to them.
For example, the ability to make reservations on airlines, making reservations on trains, things like that, I would expect that to begin to occur. What I think we're also going to see - and this is quite important - is in a totally different field. If you put aside the al-Qassam Cyber Fighter type of attacker, I think what we're going to see are the regular criminals, the organized crime, start to use the same techniques against their normal targets where we have DDoS for hire. These will be against traditional businesses, but not against industries. I think what we'll see from them will be attacks against a specific company to get involved in extortion or basically to disrupt them from a competitor point of view. [It's] two different things - you'll see it against whole industries from the nation-state, from the hacktivist actors, and then you'll see them against specific companies from organized crime who definitely haven't gone away and have learned some valuable capabilities and lessons over the last nine months.
Becoming a Less Attractive Target
FIELD: We've talked in the past about how organizations are all targets and the key is to make themselves less attractive targets. For these organizations that could be the next victims, what must they be doing now to ensure that they're less attractive targets?
JOFFE: What they have to be doing is preparing to defend themselves. They have to begin to harden their infrastructure, things like DNS. They need to be improving the DNS, making use of third-party organizations that have very robust DNS capabilities and who have been able to protect against these attacks. They have to start hardening the access to their retail presence, so their web servers and business process servers. They need to be doing that by getting in place, if they can afford the cost, the equipment that is armed to filter and protect against attacks. Volumetric attacks will be a problem. They need to make sure they have sufficient bandwidth. If they don't, they have to be looking at third-party providers or DDoS mitigation services. What they also have to be thinking about is how they recover if there's an attack. If there's a devastating attack that takes them down for a period of time that disrupts their business, what's plan B and what's plan C? How do they move their resources? How do they find ways of continuing to do business with their customers in a way that's protective against the typical attacks that were shown by the four phases of attacks we've had so far?