Jeffrey Lyon, the founder of Black Lotus, discusses the findings of his company’s recent Q1 2014 Threat Report.
Q: What were the most serious findings of the report?
A: There are several findings in our Q1 2014 Threat Report which are quite startling. For instance, in February we observed the largest DDoS (distributed denial of service) attack ever recorded at 421 Gbps. What’s troubling about this is not just the overall size, but the fact that it was indiscriminately targeting many of our customers. To defend customers who did not purchase unmetered DDoS protection plans, we had to implement a filter that would block this type of attack on behalf of all customers, regardless of subscription level.
In the past, attackers would target one customer at a time. The reason that this is such a huge concern is that DDoS attacks have become a threat to the overall viability of the entire service provider and not just its individual customers. If an attacker wants to damage a service provider, they can do so by hitting numerous major customers of a provider, causing widespread collateral damage.
Another key observation in our report is the estimate that DDoS attacks will exceed 800 Gbps in the next 12 to 18 months. While this may seem a bit extreme, it should not come as a surprise, especially to security experts, as it is merely an extension of Moore’s Law. As technology advances and computers and networks become faster, the threats that those systems face also become dramatically more severe.
This brings us to our most prominent observation. Threats to information security, such as large DDoS attacks, SQL (Structured Query Language) injection attacks and the recent Heartbleed vulnerability, are becoming so severe that service providers must become security providers. It is no longer sustainable for a service provider to not offer security as a core competency and to take charge of preventing and remediating security incidents such as DDoS attacks and intrusions caused by vulnerabilities. Companies will begin looking to the service provider to offer these services by default.
Q: What makes a business a target for a DDoS attack?
A: I provided an example above about how an attacker looking to target a service provider may begin attacking companies hosted on its network, even if the companies themselves are not typically a target. Looking at the bigger picture, literally everyone is likely to be a target of DDoS attacks. There are many reasons why DDoS attacks occur, but the motives tend to be ideological or financial. Examples of ideological attacks include those against religious groups, news media, political parties, and governments. Financially motivated attacks often involve sites which handle a lot of money online, such as banks, casinos, and e-commerce sites, but can involve anyone who conducts business online. These attacks may originate from extortionists, unscrupulous competitors or even cyber-terrorists like the Al-Qassam Freedom Fighters, which have targeted banks in attempts to cause economic disruption.
Q: Who is most vulnerable? Are certain vertical markets more at risk?
A: Most anyone who uses the Internet for commerce or otherwise is at risk of being the victim of a DDoS attack. I would characterize vulnerability in terms of which verticals would sustain the most damage when attacked. This would indicate that financial institutions and e-commerce sites are the most vulnerable.
Banks are extremely vulnerable due to the responsibility they have as stewards of the economy. While a short outage to a bank’s public website may not cause substantial losses, it has the effect of causing fear and uncertainty in the market. Consumers expect their banks to be secure institutions and when something occurs that makes the bank appear vulnerable, it shakes the public’s trust. In an extreme case this could cause a run on the bank and lead to an economic collapse. This is what cyber-terrorists like Al-Qassam are working toward.
E-commerce sites are highly vulnerable due to their reliance on the Internet to conduct business. If the site goes down for even a few minutes, this could result in a substantial loss in sales and erode trust in the brand. Worse, the site might be attacked during peak shopping hours which would compound the losses even further. For instance, what if an attacker caused an outage on Black Friday? The losses would be tremendous. Consumers who shop online expect the sites they use to be fast and secure. Similar to a bank, an attack against an e-commerce site could make consumers question the security of the site and make it very inconvenient to shop online, resulting in a loss of sales. It is important to remember only a few short years ago many consumers did not trust e-commerce.
Q: What do VARs and managed services providers need to know to protect their clients?
A: Service providers, including VARs and MSPs, now carry a very substantial burden to protect their clients against threats to information security of all kinds, including DDoS attacks. The traditional response to a DDoS attack, which many providers continue to practice, is to remove the client for causing “abuse” on the network. Given the rapid proliferation of threats to information security, such as DDoS attacks exceeding 400 Gbps in volume, SQL injection attacks and other high risk vulnerabilities such as Heartbleed, all service providers must become security providers. This means the service provider must have qualified security professionals on staff and must have a plan in place to deal with any contingency that may arise. For some providers this can be accomplished in-house, while others may need to contract outside help as appropriate to obtain capabilities that they do not have organically.