It’s that time of year again when many of your favorite security professionals and vendors roll out their predictions for the coming year. Although not all of us have clairvoyant abilities, seasoned pros can spot a trend early and inform the rest of us before we’re caught off guard. Because adversaries continually adapt and change, security practitioners must also adapt their thinking, understanding, and defenses to combat the innovation by using tools such as threat intelligence, threat hunting, and proactive suppression. In this spirit, we have identified a few trends to share with you before it’s too late.
Although distributed denial-of-service (DDoS) attacks have steadily increased over the past 20 years, recent data firmly establishes the reality that network operators need to understand, prepare for, and expect attacks related to politics, religion, and ideology. Nation-state actors often directly target internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on internet connectivity. This, of course, means targeting internet service provider (ISP) networks to hobble internet connectivity. Further, nation-states typically have vastly more resources at their disposal than other malicious actors. They constantly innovate, as evidenced by the new and more powerful DDoS attack vectors that appear every year. As DDoS defenses become more precise and effective, attackers continue to find ways to bypass those defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.
Machine Learning and Artificial Intelligence
With ever-increasing use of artificial intelligence (AI) and machine learning (ML) for cybersecurity and other purposes, AI and ML continue to advance and improve. You can look at resources such as Quillbot and ChatGPT, among others, to see how far AI has come in recent months and years. AI and ML technologies for threat hunting will continue to improve this year and become more integrated into threat-hunting tools.
Direct-Path DDoS Attacks
Direct flooding and application-layer DDoS attacks are becoming more popular as anti-spoofing efforts increase globally, making it more difficult for spoofed packets to travel across the internet. Everything old is new again as this methodology returns from the past, back before reflection/amplification attacks dominated the landscape. Enhanced for the modern network, these attacks now come from much more powerful sources, such as cloud-based infrastructure with massive compute and bandwidth resources. Further, adversaries are compromising hosts much closer to the target, thus avoiding many layers of transit, potential discovery, and mitigation. Beware the enemy within…
Outbound and Cross-bound DDoS Attacks
Speaking of the enemy within, DDoS attack traffic is increasingly originating from within the same network it is targeting, thus avoiding ingress and transit points. DDoS defenses traditionally have been focused on protecting internet properties and networks by implementing detection and mitigation technologies at points of convergence for inbound network traffic. This approach worked well to protect targeted organizations and networks from inbound DDoS attacks; however, outbound and cross-bound DDoS attacks can be just as devastating and disruptive as inbound attacks. Because of adversary innovation and adaptation, defenders must change their way of thinking and, in turn, adapt to the current threat landscape.
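To make the direction problem concrete, here is an added example (not NETSCOUT code and not from the post) that classifies sampled flow records as inbound, outbound, cross-bound, or transit relative to an operator's own prefixes and flags per-destination packet counts over a threshold, so that outbound and cross-bound floods surface alongside inbound ones. The prefixes, flow records, and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed: prefixes the operator itself serves (assumed, not from the post).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_PREFIXES)

def direction(src, dst):
    """Classify a flow by where each endpoint sits relative to our prefixes."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "cross-bound"   # both ends inside: never crosses an ingress point
    if d:
        return "inbound"
    if s:
        return "outbound"
    return "transit"

def flag_floods(flows, threshold_pps):
    """Sum packets per (direction, destination) for a one-second sample and
    return the buckets at or above the threshold, whatever their direction."""
    agg = defaultdict(int)
    for f in flows:
        agg[(direction(f["src"], f["dst"]), f["dst"])] += f["packets"]
    return {k: v for k, v in agg.items() if v >= threshold_pps}

def sample_flows():
    """Constructed one-second flow samples (hypothetical values)."""
    # 20 internal hosts hammering another internal host: a cross-bound flood.
    flows = [{"src": f"203.0.113.{i}", "dst": "198.51.100.10", "packets": 1200}
             for i in range(1, 21)]
    flows.append({"src": "192.0.2.5", "dst": "203.0.113.7", "packets": 500})     # benign inbound
    flows.append({"src": "203.0.113.50", "dst": "192.0.2.99", "packets": 15000}) # outbound flood
    return flows

if __name__ == "__main__":
    for (dirn, dst), pps in flag_floods(sample_flows(), 10000).items():
        print(f"{dirn:11s} flood toward {dst}: {pps} pps")
```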
The growth of cloud computing and the Internet of Things (IoT) continues. Cloud computing has been around for many years, but more and more companies are using it for production workloads as opposed to simply using them for prototyping. These production workloads require both performance and security monitoring to ensure that data is not stolen or modified in the cloud. Attacks on resources in the cloud continue to increase, and security monitoring of these resources will become more important.
In an adaptive DDoS attack, adversaries perform extensive pre-attack reconnaissance to identify specific elements of the service delivery chain to target. Increasingly, they are making use of botnet nodes and reflectors/amplifiers that are closer to the target, a phenomenon recently observed with botnets attacking Ukraine. This minimizes the number of boundaries DDoS attack traffic must traverse, often resulting in fewer opportunities to detect and mitigate the attack. The combination of increased available bandwidth and throughput, increased populations of abusable devices, and adaptive DDoS attack techniques magnifies the threat to network operators. As such, network operators should move from a default posture of DDoS mitigation to a new posture of DDoS suppression.
Ransomware attacks have been a major threat to businesses and individuals in recent years, and these types of attacks will continue to evolve and become more sophisticated in 2023. One trend that will continue to evolve is the use of ransomware attacks in combination with other attacks, such as supply chain attacks.
It is also likely that attackers will continue to target specific industries or types of organizations with ransomware attacks, specifically to maximize their profits. For example, hospitals and other healthcare organizations have been particularly vulnerable to ransomware attacks in the past because, with lives at stake, they may be more willing to pay a ransom to regain access to critical systems and data.
Another ransomware trend that will continue in 2023 is the use of triple extortion attacks. These campaigns begin by infiltrating a network and stealing valuable assets, such as trade secrets, source code, credit card data, authentication credentials, and other personally identifiable information (PII). In phase two, ransomware is planted to encrypt valuable data or even entire storage systems. At this point, cybercriminals will demand a ransom in exchange for decryption keys. If defenders refuse to pay, perhaps because they were able to simply restore good backups, the threat actor also threatens to release the stolen data publicly if the ransom is not met. This form of attack has been around for several years and adds pressure on the victim because the potential consequences of the data being released to the public can be severe. While the first two actions can be invisible to the public, the third phase cannot escape publicity. Finally, a DDoS attack, or even the threat of one, turns the pressure up to the max. If the ransom is not paid, DDoS can take down an organization's internet presence, thus exposing the entirety of the security threat and the failure to protect valuable assets.
By implementing adaptive DDoS defenses at all edges of their networks, including directly within peering and customer aggregation points of presence (PoPs), network operators can suppress DDoS attack traffic as it ingresses at multiple points across the entire network edge—or before it ever converges into a large-scale attack. By implementing edge-based attack detection, intelligent DDoS mitigation, and network infrastructure-based mitigation techniques at all network ingress points, operators can implement adaptive DDoS suppression systems that scale to counter DDoS attack capacity and adversary innovation.
Threat Detection and Response
Endpoint/network detection and response (EDR/NDR) technologies continue to evolve, integrate, and merge into what many now call extended detection and response (XDR).
Although EDR is a well-known and valuable tool, it does have some shortcomings. In part due to its maturity in the market, threat actors have developed multiple ways to avoid EDR protections. Polymorphism, file-less malware, stealth exfiltration via trusted protocols, and other modern techniques present a challenge for EDR. Further, the attack surface has increased exponentially with IoT, software as a service (SaaS), bring your own device (BYOD), serverless applications, fifth-generation wireless (5G), and more.
To fill the gaps, most organizations are turning to NDR because everything eventually must traverse the network, leaving threats with fewer hiding places. It is not practical to install EDR on every connected device (think IoT), but those devices all require a network connection, and therefore the network is the most logical place for detection and response. Manipulating packets to evade detection is far more difficult to do usefully, and even encryption is a challenge we can overcome at the network level. NDR is also more scalable because sensors can be placed strategically for maximum visibility. Analysis of network packet-derived metadata is extremely fast and makes it easy to conduct initial investigations. Packets can expose all activity, including what data was exfiltrated.
The threat landscape is ever-changing, so it behooves us to be aware of the trends. As any hunter knows, you must aim in front of a moving target. While we do not claim to have an infallible silica orb, we do have insights to share. We hope you find these helpful as you plan and prepare for the coming year.
NETSCOUT is a leader in protecting the internet from malicious and unintended DDoS attacks, and all our solutions can address this today. Check out NETSCOUT’s Arbor DDoS solutions for more details.