DDoS attacks a big warning against complacency on cybersecurity – RedShield
The recent distributed denial of service (DDoS) attacks that hit the NZX and other New Zealand companies have receded, but the lessons on cybersecurity preparedness need to be learnt, says a leading cyber expert who was involved in the response to the attacks.
Andy Prow, the CEO and co-founder of web-application defence system provider RedShield, says the bombardment of websites with torrents of traffic many companies experienced two weeks ago was “without a doubt, a global scale attack”.
“What we’ve been seeing recently are not breach attacks where people are trying to get in to steal data,” says Prow.
“This is availability, this is just taking stuff offline.”
The NZX was the most high-profile victim of the attacks, with the country’s national stock exchange needing to halt trading on numerous occasions because its website, a key source of disclosures and trading data, was taken offline by the attacks.
Prow, who has been advising several companies affected by the attacks, said many other organisations were affected but their names never made it into the media.
He sees the DDoS campaign as a wake-up call for company boards and IT managers.
“Because we’re down here in New Zealand doesn’t mean we’re safe from attack. We’re on the internet and the bad guys are out there, but we still have a certain complacency,” Prow told viewers of an IT Professionals New Zealand live webinar last week.
“I would say one of the biggest things that the events have done recently is just highlight that you know, there is no room for complacency.”
The threat is ever-present and constantly-evolving, says Prow.
“We’ll see, in a 90 day period, about 100 million attacks hit systems we shield,” says Prow of the persistence of attackers.
“So it’s not as though it’s really quiet out there and then suddenly some bad stuff happens. There’s always bad stuff happening.”
Around 2.5% of those attacks are considered to be potentially really damaging.
“At its core is criminal activity, done by criminals who are causing business damage and want money to solve it,” says Prow.
“What happens when machinery, and cars and aeroplanes and smart cities also get impacted by these things. This is why we as an industry need to take this incredibly seriously. Today a website’s down but this time next year, a city stops.”
Q&A with Redshield’s Andy Prow on the recent DDoS attacks
Why were these DDOS attacks so hard to shake off?
“It wasn’t just one attack that kept getting replayed,” says Prow.
Not only were they big attacks traffic-wise, but the nature of them changed, making it hard to effectively counter them.
“These are highly dynamic and so what you’ll see is some of the common tools are being used, and being used at a massive scale. But then you’ll always see some new and exotic stuff coming in,” he says.
Essentially, New Zealand companies were dealing with attacks of unprecedented size and complexity, which is why the likes of the NZX experienced outages spanning several days.
Who is behind these attacks?
That’s the million-dollar question.
“It’s not impossible but it is incredibly hard to pinpoint attribution,” says Prow.
If you look at it from a technology perspective, then the traffic origin of most of the attacks is coming from around the world and it moves around. A lot of it is from compromised machines, existing botnets.”
In other words, the attacks could originate from anywhere. While attacks will often have the hallmarks of hackers known to work for state agencies, governments launching rogue attacks on the critical infrastructure and businesses of other nations usually work at arms-length through third parties, their ties to them masked.
“So technically it’s really hard to look for a single authority, because it’s really quite distributed,” says Prow.
“I absolutely have no concrete answer on the attribution of any of the [attacks] that have come through. It’s really easy to bounce lots of traffic around lots of old protocols in this very busy internet.”
Should you ever pay Ransomware demands for money to get your data back?
The government advises not to, security experts advise not to and so does Prow.
He has heard of companies who have paid and got data back and others that paid and got nothing. Some get the data back, but in a compromised form and there are no guarantee cybercriminals won’t keep a copy of it and try to sell your sensitive data on the dark web.
The bottom line, says Prow, is that with ransomware you are likely dealing with overseas criminals. Are you really going to trust them to hold up their end of the bargain?
“If you become known as the organisation that every time you get breached, you pay the money, well, it’s quite possible you’re going to get knocked on the door by a bunch of other hackers who you haven’t yet paid.”
Should the Government outlaw paying cybercriminals’ ransom demands?
Some companies, out of desperation, do pay hackers to cease DDoS attacks or, more commonly, to retrieve data stolen or locked-up due to hacking and malware attacks. Doing so, just as with real-life kidnapping and ransom requests, creates an ongoing market for such criminal enterprise.
That’s why some suggest the Government should make it illegal to negotiate with hackers. Prow is sceptical of taking that step. For starters, it would be hard to police.
Enforcing that by law would require the government to ramp up its efforts to help New Zealand organisations, public and private, avoid falling victim to cybercriminals in the first place.
“If the government’s going to mandate these things to occur, then they need to support the businesses that are getting ransomware [demands].”
After all, New Zealanders trust the police to come to their aid in the event of suffering a robbery or assault and rely on the thin blue line to prevent those crimes from occurring. Shouldn’t we expect the same from the authorities in cyberspace?
“The government needs to look at New Zealand ICT policy. Where’s the line between what we are doing in a physical defence scenario and what we would do in a digital defence scenario,” says Prow.
“Whatever government, we have coming into power, needs to pick up the ICT portfolio and look at it very seriously.”
Is artificial intelligence helping against these threats?
Yes, to some extent, says Prow.
“At RedShield, we’ve got a dedicated AI and machine learning team.”
AI is useful for dealing with the sheer scale of some attacks, where security experts are looking for a needle in a haystack when it comes to tracking down an attacker and their methods.
But the problem with AI is that machine learning models have to be trained with large amounts of data and retrained regularly when the attack methods changed. So while the process of looking for threats can be automated – and has been for decades to some extent with antivirus and firewall software, AI systems struggle to deal with dynamic and evolving threats.
Ultimately, says Prow, a hybrid human and machine approach needs to be taken.
“Looking at new attack profiles, that’s something that definitely bubbled up to a human expert,” he says.
With machine learning, you do a lot of the heavy lifting when you are looking at 30 billion requests. There is another level where there are 100% experts who sit and look at the different profiles of vulnerabilities.”
Those limitations in AI systems also explain why we haven’t seen the rise of AI vs AI automated warfare in cyberspace. The threat landscape changes so quickly, the systems can’t keep up.
Is the answer to move everything to the big cloud providers?
We definitely need a stronger presence here from the big three cloud providers – AWS, Microsoft and Google, Prow agrees.
“One hundred per cent, we want those providers here so we’ve got some excellent cloud providers here in New Zealand.
“But I’m always reticent to say, please come in because this is a global problem so we need some global players to fix little New Zealand’s problems. That’s so not true,” he adds as a caveat.
“We have world-class services and providers here in New Zealand. But, you know, I certainly believe that some of the large cloud providers, absolutely should be bringing those data centres here and services that we can certainly be capitalising on.
Isn’t RedShield largely in the cloud?
“Red Shield’s defensive technique is called defend at source, not destination,” says Prow.
“What do you want to do is defend an attack on New Zealand everywhere the attack is originated.”
“This is why our defences sit in some of the giant hyper-scaling cloud environments. It is for that very reason.”
It means that RedShield can leverage significant bandwidth and computer processing capacity to offshore to try and target and block malicious internet traffic before it gets to its targets in New Zealand.
Why can’t you just block international IP addresses to stop an overseas attack?
It’s a good idea, says Prow. But it was tried and didn’t work.
“There are really simple defences, that were employed by all companies that were getting impacted.”
The attackers are too clever to be thwarted with that approach.
“There are many techniques where the IP address of the traffic is now being reflected it’s not actually the real IP address,” he says.
“The bad guys have tricks and try and get around every defence that exists and there’s a new attack. It’s very much a tit for tat game.”
Now that the dust has settled, what should Kiwi businesses be doing to prepare for future attacks?
You need to understand where your vulnerabilities are, says Prow.
This episode should be triggering board-level discussions everywhere, he says. What customer data does your company hold? Do you process data or run systems that are critical to the functioning of the economy and essential services? What services are absolutely essential to keep running in a major IT outage?
“What’s really hard is to protect against all of the bad things, because that’s an almost infinite problem space,” says Prow.
“If I know that there are 200 things you’re vulnerable to then I can particularly focus on the defence of those.”
It’s time to challenge “pretty much everything” when it comes to your assumptions about your existing architecture, he adds.
“You need to take stock and rip out all the assumptions of what’s good, We probably, as an industry, need to redefine what best practice is.
“I will guarantee you, I’ve seen best practice designs now being destroyed by modern-day attacks.”
Crucial to preparing for the next waves of attacks was performing penetration testing of your network defences and getting a vulnerability assessment report. This gives you a basis from which to work to shore up your defences.
The cloud creates new paradigms for the technologies that support the business. These new paradigms also change how those technologies are adopted, managed, and governed. When entire datacenters can be virtually torn down and rebuilt with one line of code executed by an unattended process, we have to rethink traditional approaches. This is especially true for governance. Cloud governance is an iterative process. For organizations with existing policies that govern on-premises IT environments, cloud governance should complement those policies. The level of corporate policy integration between on-premises and the cloud varies depending on cloud governance maturity and a digital estate in the cloud. As the cloud estate changes over time, so do cloud governance processes and policies.