Worldwide Infrastructure Security Report (WISR)
Add network and internet connectivity to the list of essential workers for 2020 as the COVID-19 pandemic reinforced our absolute need for online access. That vital importance naturally attracted the attention of malicious actors, who always want the things most important to network operators and enterprises.
Indeed, the changes wrought by the pandemic emerged as an important catalyst affecting DDoS attack activity in 2020. This translates to a significant uptick in DDoS attacks overall, as well as an increase in ransomware and DDoS extortion attacks, such as those launched by the LBA threat actors. And as attackers broadened their target base to exploit vulnerabilities exposed by a massive shift to remote work and play, we saw an increased demand for managed DDoS protection services from companies suddenly in need of protection.
Nearly half of survey respondents reported an increase in DDoS attacks during the pandemic, many of which targeted vulnerabilities exposed by a significant shift to online services. 83 percent of enterprises that suffered a DDoS attack reported that overloaded firewalls and/or VPN devices contributed to an outage, a 21 percent jump year over year. These devices need to be protected, because they perform a vital role for organizations deploying pandemic-related work/learn-from-home scenarios. Defenders also reported increased attack complexity, with 57 percent of service providers reporting multivector attacks in 2020.
Demand surges for managed DDoS protection services
Increases in the size, frequency, and complexity of DDoS attacks resulted in a significant increase in demand for managed DDoS mitigation services. Managed security service providers (MSSPs) saw an increase of as much as 69 percent in enterprise demand for managed DDoS protection services. Moreover, that demand came from a much broader range of enterprise customers. Notably, respondents reported increased interest from both the education and healthcare sectors—two pandemic lifelines that experienced increased interest from threat actors.
Service Provider Concerns
Service providers managed enormous spikes in legitimate network traffic such as streaming video, video conference calls, and gaming while simultaneously defending against a commensurate increase in DDoS attacks targeting critical network infrastructure and services. And although DDoS attacks remain the top threat service providers are concerned about, respondents also expressed growing concern over the increasing complexity of those attacks. Thanks to IoT botnets, reflection/amplification techniques, and DDoS-for-hire services, attacks are more distributed, complex, and powerful than ever before. Indeed, 57 percent of respondents reported multivector attacks in 2020. In a trend that continues from the previous year, 31 percent reported outbound/cross-bound DDoS attacks from on-net customers and devices.
Smart Marketing for Cybercriminals
In today’s booming cybercrime economy, DDoS-for-hire services have never been easier or cheaper to use. Anybody with an internet connection can hire a software-as-a-service (SaaS)-based service for as little as US$7 for an attack. And as the WISR research shows, these savvy businesspeople know the value of marketing. The top attack motivation was cybercriminals launching attacks to show off their capabilities, while criminal extortion attempts took the third spot on the list. In a sense, many DDoS attacks are advertisements for illegal DDoS-for-hire services. Meanwhile, online gaming-related attacks continued to show a strong presence, likely mirroring an overall surge in online gaming during the pandemic.
Pandemic Attacks Broaden Demand for Managed Security Services
By forcing a global switch to remote work and heavy reliance on online services, the pandemic increased the risk profile for a wider variety of vertical industries. At the same time, threat actors were able to easily and cheaply access increasingly sophisticated attack tools via for-hire services. The result? More attacks aimed at a wider target range—and broad demand for managed security services. MSSPs saw a significant increase in enterprise demand for managed DDoS protection services from companies of all sizes, and from vertical industries that up until now didn’t consider DDoS a significant threat.
In particular, respondents noted a marked increase in demand from the education and healthcare sectors. These sectors, both lynchpins for vital pandemic-driven online services, sustained increases in DDoS attacks and DDoS extortion attempts. More than half of MSSP respondents reported interest from government, cloud/hosting providers, and financial services customers, while 40 percent of MSSPs have seen interest from education, ecommerce, and ISPs. Meanwhile, more than 20 percent reported requests from healthcare, media and entertainment, and retail.
MSSPs also reported some changes in the types of DDoS protection they offer customers. One notable difference is that 11 percent of MSSPs reported offering third-party DDoS mitigation services to their customers, which could indicate that the MSSPs themselves can’t keep up with their customer demands for protection. Moreover, the number of MSSPs now offering multiple tiers of DDoS protection services has more than tripled year over year. Considered in conjunction with the increase of third-party offerings, it looks as if MSSPs are adding more-advanced, value-added custom services.
Threat Detection Tools Used, and Their Effectiveness
When it came to threat detection, NetFlow-based analyzers remained a perennial favorite, with inline DDoS solutions moving up to third place while next-generation firewalls took second place.
Unsurprisingly, those top three tools were also rated the most effective, although not in the same order: Inline DDoS solutions were more effective than next-generation firewalls, although the latter was used slightly more frequently. Because using a wide array of deployed threat detection tools creates a massive number of alerts, it’s no surprise to see the increased use and importance of security information and event management (SIEM) platforms.
Enterprises found themselves defending a more distributed and vulnerable environment in 2020 as the shift to remote work and online collaboration services introduced vulnerabilities that attackers quickly exploited. This new reality is reflected in some interesting shifts in the enterprise threats and concerns expressed for 2020. The top four threats experienced by enterprises all had clear ties to the pandemic, with DDoS attacks topping the list. Enterprises continue to rate ransomware as a top threat, and 2020 saw DDoS extortion attacks leapfrog from 10th to fourth place in the list of experienced threats, with the number of respondents reporting such attacks growing by 125 percent.
Enterprises also don’t expect a drop in these threats; respondents rated both DDoS and ransomware attacks as top concerns for 2021. However, DDoS was the only threat in which experience nearly matched concern. Note that for ransomware, half are concerned but only a quarter experienced it. Meanwhile, accidental data loss—the biggest threat faced by enterprise network operators in 2019—dropped to seventh place in 2020.
With organizations abruptly executing work/learn-from-home scenarios, it’s not surprising to see the top enterprise concerns were inbound DDoS attacks from external networks, and infrastructure outages. This result likely reflects respondents’ new dependence on devices such as firewalls and VPN concentrators as critical elements of network infrastructure. However, these devices cannot handle massive amounts of inbound communication, and a relatively small DDoS attack can easily bring them down.
Overall DDoS Attack Trends
Cybercriminals are unerring in their ability to hit you where it hurts, a fact that WISR respondents made abundantly clear. More than two-thirds of enterprises reported DDoS attacks that targeted customer-facing services and applications, while 75 percent saw attacks targeting their infrastructure. In both cases, these attacks directly affect the organization’s ability to service customers, thus impacting revenue and profitability. More than two-thirds of enterprises reported more complex DDoS attacks in 2020, with a significant jump in multivector attacks—58 percent in 2020 compared with 38 percent in 2019.
Meanwhile, the number of respondents reporting a DDoS attack that exceeded their internet bandwidth rose slightly from 43 percent to 50 percent, reflecting the increase in DDoS attack frequency and the expanding target base.
With botmasters compromising and subsuming IoT devices at an astonishing rate, it is no surprise that infected/compromised IoT devices were a top IoT concern for half of the surveyed enterprises. Software patching and maintenance stole the second spot this year, increasing from 39 to 47 percent. Meanwhile, detection/identification of IoT devices fell to the third spot for 42 percent of enterprise respondents.
Firewalls still don’t work for DDoS
Although they are an effective perimeter security tool against certain kinds of threats, firewalls were not designed for DDoS attacks. And yet, companies continue to rely on them, with 62 percent of enterprises reporting they use next-gen firewalls to detect threats against their networks. Entirely unsurprisingly, respondents also continue to note a high failure rate when it comes to DDoS defense.