Business leaders are under intense pressure to innovate—if they’re not moving forward, they’re falling behind. So it’s not surprising to find that the engine of any successful business today is speed. Open, virtual, and agile are the name of the game. New processes are replacing the old, driving faster innovation across all areas of the organization, from DevOps to software and product development and go-to-market processes. New technologies such as machine learning (ML) and artificial intelligence (AI) are driving innovation and automation at scale.
The above paragraph could describe almost every company in the S&P 500. It could also be used to describe many of the leading underground cybercrime organizations. While we’re racing to the cloud and moving applications all over the place, the most sophisticated and well-funded groups are watching, learning, and developing new attack vectors. As we’ve discussed in previous posts, the majority of DDoS attacks leverage the same protocols time and again. The leading-edge groups, however, are looking for entirely new vectors to exploit, and we’ve noticed they’ve accelerated their innovation and product development in 2019.
In the first six months of the year, NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT) has seen five new attack vectors, whereas in 2018 only one new attack vector was identified. Not only are attackers actively identifying new vulnerabilities that allow them to abuse a service or protocol, but they’re also using new technologies such as AI and ML to drive automation. For many years, attackers have changed vectors rapidly, as soon as a defender reacts. What’s changing now is the rate and sustainability of these vector changes. We’ve seen examples of attacks lasting a week, with vectors changing every five minutes. For known protocols, Intelligent DDoS Mitigation Systems automate the mitigation, but for newer vulnerabilities more advanced analytics or manual intervention are needed. These extended intrusions are early examples of attackers adopting AI and ML as part of their toolkit. More are coming, for sure. And for defenders forced into react mode, it is hard to maintain uptime.
Low-Hanging Fruit? The ARD Example
A sign of attackers’ creativity is where they found one of the new vulnerabilities: the Apple Remote Desktop (ARD) application and the related management service that are used to remotely manage fleets of Apple Macintoshes, primarily in enterprises and universities. In most of the online documentation and discussion ASERT found, there was very little focus on security best practices, such as virtual private networks (VPNs) and related secure network access policies and authentication techniques. The primary focus was on doing what was easiest for the user. As a result of our investigation, ASERT has determined that there are approximately 54,000 abusable Apple Remote Management Service (ARMS)-enabled Macs exposed to the public internet, either directly or via static Network Address Translation (NAT) and/or permissive firewall rules and access control lists (ACLs). These Macs are being actively abused by attackers to launch ARMS reflection/amplification DDoS attacks. Not only do the attack targets and intervening networks suffer from the onslaught of DDoS attack traffic, but the abused ARMS-enabled Mac reflectors/amplifiers and the networks on which they reside are negatively impacted as well.
Let’s see if the number of ARMS-enabled Macs continues the trend of better internet hygiene following Memcached attacks, and drops quickly.
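The reflector-side symptom described above (small inbound queries to the management service answered by much larger outbound replies to the same external address) can be spotted in flow data from the Mac fleet's network edge. The following is an added example, not NETSCOUT or ASERT code; the flow records are constructed, and it assumes ARMS answers on UDP/3283, a port the post itself does not name.

```python
from collections import defaultdict

# UDP port used by Apple Remote Management Service (assumption; the post does not name it)
ARMS_PORT = 3283

# Constructed flow records as a flow exporter at the campus edge might emit them:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    # legitimate admin console querying a managed Mac: small in both directions
    ("10.0.5.20", 49152, "10.0.1.10", ARMS_PORT, 4, 400),
    ("10.0.1.10", ARMS_PORT, "10.0.5.20", 49152, 4, 1200),
    # reflection: tiny queries arrive with a spoofed source, Macs answer it with large replies
    ("203.0.113.7", 4444, "10.0.1.11", ARMS_PORT, 500, 26000),
    ("10.0.1.11", ARMS_PORT, "203.0.113.7", 4444, 500, 960000),
    ("203.0.113.7", 4444, "10.0.1.12", ARMS_PORT, 480, 25000),
    ("10.0.1.12", ARMS_PORT, "203.0.113.7", 4444, 480, 910000),
]


def find_arms_reflection(flows, min_packets=100, min_amplification=10.0):
    """Return {(reflector_ip, external_ip): amplification} for pairs that look abused.

    Inbound queries (external -> mac:3283) are matched with outbound replies
    (mac:3283 -> external) on the same (mac, external) pair. With a spoofed
    query source, the external address is the DDoS victim, and the bytes
    ratio of replies to queries is the amplification factor the victim sees.
    """
    inbound = defaultdict(lambda: [0, 0])   # (mac, external) -> [packets, bytes]
    outbound = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, pkts, nbytes in flows:
        if dport == ARMS_PORT:
            inbound[(dst, src)][0] += pkts
            inbound[(dst, src)][1] += nbytes
        elif sport == ARMS_PORT:
            outbound[(src, dst)][0] += pkts
            outbound[(src, dst)][1] += nbytes

    suspects = {}
    for pair, (in_pkts, in_bytes) in inbound.items():
        out_pkts, out_bytes = outbound.get(pair, (0, 0))
        if in_pkts < min_packets or in_bytes == 0:
            continue  # too little traffic to judge, or nothing to divide by
        amplification = out_bytes / in_bytes
        if amplification >= min_amplification:
            suspects[pair] = round(amplification, 1)
    return suspects


if __name__ == "__main__":
    for (mac, external), amp in find_arms_reflection(SAMPLE_FLOWS).items():
        print(f"{mac} replying to {external} at {amp}x amplification")
```

Pairs that fire point to two actions at once: the reflector address needs its management port restricted to the admin network (the VPN and ACL practices the post calls for), and the external address is most likely the victim rather than the attacker, so it is not a useful block target.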
IoT in the Crosshairs
We have seen this many times before, where we make attackers’ jobs easier—especially when it comes to vulnerable and/or misconfigured Internet of Things (IoT) devices.
In fact, the National Institute of Standards and Technology (NIST) recently issued its first guidelines for IoT security, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. NIST wisely starts its guidelines with device security, specifically citing DDoS attacks and the need to prevent IoT devices from being used “to conduct attacks, including eavesdropping on network traffic or compromising other devices on the same network segment. This goal applies to all IoT devices.”
NETSCOUT has a better idea than most as to why this is. Our honeypot research has shown that an unsecured IoT device will be scanned by attackers within five minutes of being connected to the internet, and targeted by specific exploits within 24 hours.
With tens of billions of IoT devices deployed, and the industry’s long and poor track record of implementing best current practices, let’s just say that your choice of DDoS defense will be a critical one for many years to come.
Steinthor Bjarnason is a principal security engineer with ASERT.