DDoS reality check: It can happen to you!
The Distributed Denial of Service (DDoS) threat has changed to one where the attack types are more diverse and nefarious than before. What makes today’s DDoS threats more dangerous than in the past is the fact that multiple attack types in conjunction with other attack threats are being used in unison. This approach is used by perpetrators to find security gaps on the network that can be exploited, and to exhaust the both the network and network resources, thereby acting as a smokescreen to deflect attention away from the nefarious activities happening behind that “screen”. Basically, DDoS attacks are being used as part of a much larger attack campaign.
The majority of enterprises that have DDoS mitigation solutions in place rely on their network operations teams to manage and use these solutions, along with firewalls, routers, load balancers, and more. Back when Denial of Service (DoS) attacks were more of a nuisance, this defense strategy was effective, as its pure intent was to keep the network pipes running. Bear in mind that DoS attacks are more times than not used as a part of a larger security threat to the network and, as such, the network operation team does not have the capacity or capability to focus on the entire attack. This gap between network and security operations can very easily be exploited. Better alignment, if not a consolidation between these two teams should therefore be part of an organisation’s overall security posture and improvement strategy.
The cost and risk analysis of an attack has changed: When organisations are dealing with more than a single attack vector, the reasoning and use cases of an attack become diverse, and the costs to mitigate and recover as well as the values assigned to the risk factors increase. At inception, DoS attacks were used as a way to prohibit access to a network. This caused outages and the inability to move product via the web. Downtime was a company’s single largest cost. In today’s environment, however, the costs range from downtime, to damaged equipment, customer data, and even corporate IP.
Not only have the attack types changed and advanced over time, the use cases for “the network” are different. Just three years ago, most enterprises were experimenting with virtualisation and “some” cloud applications. Today, organisations have accelerated beyond cloud-based applications and are looking at software-defined networks (SDN) and network function virtualisation (NFV). As organisations embrace these advancements, the new complexity and risk to the infrastructure these bring must be recognised that they. The faster organisations move towards technology adoption, the more pragmatic they must be when it comes to security posture. Namely, an organisation must accept the fact that it is increasing its risk, while it looks at technologies that address the most obvious and common attack tactics.
The reality of addressing security threats has not changed: This is a bad thing. That is, although the views have changed, the reality is that businesses are not making the shift to address the newer and greater threats. These threats are real, and organisations need to do something about it, but the reality is that they have not made the change, or have changed enough. The reasons for this are varied and many. Unfortunately, without change, business sustainability is impossible. Network operations and security operations teams must learn to communicate and share their information and resources. Management must also face the fact that their teams will not be able to grow, as there is a predicted shortage of technologist skills in the coming years. Executives must accept the fact that they spend way too much on existing technologies and maintenance, and not enough on where it matters. The risks associated to old thinking are too high.
DDoS attacks are just one of many attack types that can cause irreparable harm to a brand and an organisation’s revenue - making it necessary to change the approach to network security maturity. Don't make the mistake of assuming it'll “never happen to me”.