Understanding the threat landscape

The security threat landscape is changing for enterprises. Internet data centres are increasingly becoming the target of hackers and cybercriminals who view them as vulnerable to new and different kinds of attacks. Internet data centre operators – public and private – are faced with a very real and burgeoning threat, which over the past ten years has become increasingly serious – distributed denial of service attacks (DDoS).

Hactivism appears to be driving this increase in attacks, as shown by research from Arbor Networks’ annual Worldwide Infrastructure Security Report – a survey of the Internet operational security community published in February 2012. Ideologically-motivated hacktivism and vandalism were cited by a staggering 66% of respondents as a motivating factor behind DDoS attacks on their businesses. In recent months there’s also been a spate of attacks on financial institutions worldwide, provoking suspicion that the motivation was politically-charged. Earlier this year in the UK, we saw one of these attacks targeting the BBC. The attack took down email and other internet-based services, with the BBC placing blame on Iran’s cyber army in a bid to disrupt BBC Persian TV.

Democratisation of DDoS
But it’s not just high-profile, politically-connected organisations that are at risk. Any enterprise operating online – which applies to almost any sector and size of business operating in the UK – can become a target, because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Nobody is immune.

In addition, the underground economy for botnets is booming. Botnets ‘for hire’ are springing up everywhere and unskilled attackers are able to hire botnet services for bargain-basement prices. Just as an enterprise can subscribe to a technology provider, or cloud-based DDoS mitigation service, hacktivists can subscribe to a DDoS service to launch attacks. It really is as simple as that.

Defenses need to adapt
As its name implies, DDoS attacks are an attack on service availability. The goal is to prevent the data centre from functioning – whether that is transacting ecommerce; delivering email, voice, or DNS services; providing Web access; or offering other business-critical services. Clearly DDoS attacks on data centre operations and services have become both highly sophisticated yet easy to perpetrate. As a result, enterprises, hosting providers and cloud service providers are experiencing DDoS attacks on their data centres more frequently and with more severe business consequences than ever before.

Unsurprisingly, many Internet data centre operators, both public and private, are now reassessing their defences against the threat.

Hackers are increasingly deploying application-layer DDoS attacks aimed directly at the perimeter of enterprise networks. These attacks move more slowly and use less bandwidth than flooding attacks, making them harder to detect. They’re also more specific in nature; application-layer attacks target existing stateful security infrastructure, such as firewalls and Intrusion Prevention Systems (IPS), and can be used to shut down a particular website or web service such as email.

Other critical challenges facing enterprises include advanced and insider threats; advanced threats typically infiltrate networks by targeting a company’s employees through email and social engineering techniques. Persistent and stealthy, these threats are designed to look like legitimate traffic and often go undetected by firewalls and IPS. Insider threats, on the other hand, originate from employees or other authorised users on a company’s network who seek to gain access to unauthorised corporate information for personal gain or retribution. With the explosion of personal mobile device use within the enterprise environment and the increased adoption of cloud-based services, IT organisations have less control over the security of their environments. As a result, advanced and insider threats continue to grow at an alarming pace.

To the cloud?
According to a recent report by Infonetics, a new wave of data centre spending is underway driven by the rapid growth in deployment of virtualised environments in enterprise and service provider data centres, the growing availability of cloud services for consumer, enterprises and even carriers and the shifting security requirements driven by the move to virtualisation and the cloud, Service providers and data centres are rebuilding data centres and need new security infrastructure to keep up with new requirements.

The cloud offers enormous benefits for organisations. However some can be reluctant to host data in the cloud because of security concerns regarding data loss and unauthorised entry, which is a very valid concern especially against the backdrop of increased legislation surrounding data protection and other government and corporate audit requirements. It is therefore important when a datacentre operator hosts customer data in the cloud that the essential steps are taken to protect that data from any potential cyber-attacks.

The data centre should be viewed as a secure environment between the customer and the cloud hosting provider and should be segmented away from anything that could put customers’ data at risk. In order to safeguard this, datacentre operators should deploy VPN, firewall and IPS appliances at the edge of the datacentre providing a secure gateway for all traffic entering the datacentre and scanning for anomalies.

However, data centre operators must understand their attack surface because some threats, like DDoS attacks, require a different approach to security, especially stateful attacks which specifically target the security devices deployed at the edge of the datacentre. When faced with DDoS attacks it is advisable to deploy in-cloud and on-premise DDoS mitigation solutions to significantly reduce the impact of an attack and help ensure SLA's are met; this provides a competitive advantage to the datacenter operator.

According to a recent report by Infonetics, a new wave of data centre spending is underway driven by the rapid growth in deployment of virtualised environments in data centres, the growing availability of clouds services for consumer, enterprises and even carriers and the shifting security requirements driven by the move to virtualisation and the cloud. It’s clear that service providers and data centres are rebuilding data centres and there’s a need for new security infrastructure to keep up with new requirements.

Putting It All Together
Arbor believes that optimal protection against DDoS attacks is through a combination of on-premise and in-cloud protection. In-cloud protection is needed to address high volume flood attacks. On-premise protection is needed to detect and block state-based and application-level attacks. Cloud based DDoS services are unable to detect many such attacks before the data centre infrastructure or services are degraded.

Finally, it is imperative that in-cloud and on-premise protections are coordinated. Attackers often use blended methods and will vary attack methods and traffic volumes if the initial attempts are thwarted. Working with its Internet service provider (ISP) and managed security services provider (MSSP) customers, Arbor has developed a protocol called Cloud Signalling that facilitates both customer-edge mitigation of application-layer attacks and upstream mitigation of volumetric attacks in an automated and real-time manner. A feature that provides active, intelligent communication between network perimeter and in-cloud based DDoS protection systems - to help facilitate collaboration and address this complex, and growing problem.