Are You Playing Cybersecurity Checkers or Chess?

It is common knowledge that cybersecurity is no longer about protecting a defined perimeter with good firewalls and network defenses. With the rise of the mobile workforce and the threat posed by users’ bad cyber hygiene, it’s no longer simple in cybersecurity. In effect, the cybersecurity game has evolved from a game of checkers with queens (firewalls) and men (AV), to a more complex game that has rooks, kings, queens, pawns, knights and bishops. Each piece has a different skill set and value on the game board defending an organization’s data.

No longer do we protect the network from a single ingress/egress point and endpoints with simple signature-based AV. Today’s organizations’ IT infrastructure is accessed by users all over the world, outside the boundaries of an on-premises network, and typical IT enterprises utilize efficient cloud technologies that extend networks beyond the control of brick-and-mortar data centers. The attack surface is difficult to ascertain, much less defend. We are no longer playing checkers; we are indeed in the more strategic and difficult game of chess.

This is clearly on display in the expo halls of the largest cybersecurity conferences, such as RSA. Hundreds of companies are popping up, often with valuable new and innovative ideas for CISOs and CIOs to consider. Each one is like a new game piece offering a different way to move around the cybersecurity board and checkmate the nefarious attackers trying to steal data from organizations. Today is an exciting time to be in cybersecurity, but it’s also daunting.

What organizations need is help navigating the wide array of options and assistance integrating and automating the many game pieces in today’s cybersecurity architectures. Simply sending out your knight and rook to protect a pawn without a coordinated plan will probably cost you all three pieces in chess. That’s what we at GuidePoint do every day.

Not only do we help navigate the many different product choices to find the most valuable, but we help organizations put together an architecture that establishes a plan of attack on the chess board with integration and automation to make each piece more effective. If you would like help with your cybersecurity chess game, contact us at federal@guidepointsecurity.com.

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers, like Cyber Security, VDI, Big Data, and Backup & Recovery.

DDoS Attacks and How You Can Protect Yourself From Joining the Bot Army

If you were online last Friday, chances are you encountered a slowdown across the internet as a Distributed Denial of Service (DDoS) attack was launched against Dyn, a company that manages domain registrations.

The attack, according to Dyn, enlisted “up to 100,000 malicious endpoints.” It slowed down access to many popular websites including Amazon, Twitter, Spotify, and more.

While research continues to determine who was behind the attack, Dyn says it happened across multiple vectors and internet locations. Dyn confirms a “significant volume of the attack traffic originated from Mirai-based botnets,” malware that facilitates large-scale network attacks like the one encountered last week.

Denial of service attacks typically occur when a single computer tries to consume the resources a target system needs to do its job. The malicious behavior often seeks to consume all available bandwidth, exploit timing or session-based conditions, trigger software vulnerabilities that cause crashes, or consume so much processing power that the target can no longer perform its function.

DDoS attacks enlist tens, hundreds, thousands, even millions or billions of devices as attackers. With the advent of the Internet of Things (IoT) and existing low-security devices like VoIP phones, printers, DVRs, home routers, and other IP-connected devices, there is a rich environment for unknowing targets to join the “bot army.”

Since DNS is part of the core infrastructure that makes the internet work the way we use it today, attacks like the Dyn DNS DDoS impact the entire internet.

A DDoS attack doesn’t just make it difficult to resolve a website’s hostname (the reason you may have timed out trying to access sites during the attack). Today’s applications dynamically load content from third-party sites using DNS to locate resources. This may include third-party JavaScript, resource lookups, ad networks, or other capabilities that can impact a web application’s functionality.

Mobile apps consume APIs that use DNS to communicate with web services. Many security protections prohibit direct IP connections because this is frequently a sign of an attack. Direct connections also lock in specific IP addresses in an ever-changing IP system. When DNS fails, there is often no way to communicate.

DNS DDoS attacks primarily work in two ways (although there are others):

DNS Amplification

DDoS attackers can spoof the requesting IP of a DNS resolution request, which results in a flood of responses directed at the intended target server. Although the target server never requested a lookup, it suddenly has to deal with a large volume of responses. To further amplify the attack, requests can use DNS protocol extensions or Domain Name System Security Extensions (DNSSEC) to increase the response size. That makes it even more difficult for the target to process the responses.

DNS Flood

DDoS attackers use scripts to automate large numbers of queries to exhaust server resources. Since these are User Datagram Protocol (UDP) packets, they are easily spoofed and never need to rely on a response to consume the DNS server resources.

An alternate form of this attack is the NXDOMAIN attack, which intentionally creates malformed requests or requests for nonexistent resources. This makes the DNS server spend computing cycles on lookups that may never resolve, or it fills the cache with bad data, preventing legitimate lookups.
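To make the two patterns above concrete from the defender’s side, here is an added example (not code from the original post or from any vendor it mentions) that runs simple per-source heuristics over a resolver query log. The log format, thresholds, addresses and traffic are all constructed for the example: amplification shows up as a “source” that receives many large responses relative to the bytes it sent (that source is the spoofed victim, not the attacker), while an NXDOMAIN flood shows up as a source whose queries overwhelmingly fail to resolve.

```python
"""Heuristics for the two DNS DDoS patterns described above (added example).

Assumed log format (constructed, not any real DNS server's output), one
record per line, whitespace-separated:
    <timestamp> <client_ip> <qtype> <qname> <rcode> <query_bytes> <response_bytes>
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample log. 198.51.100.7 is a spoofed "source" being hit with
# large ANY responses; 192.0.2.44 is hammering random nonexistent names;
# 203.0.113.5 is an ordinary client.
SAMPLE_LOG = """\
2016-10-21T11:10:01 198.51.100.7 ANY example.com NOERROR 64 3200
2016-10-21T11:10:01 198.51.100.7 ANY example.com NOERROR 64 3200
2016-10-21T11:10:01 198.51.100.7 ANY example.com NOERROR 64 3200
2016-10-21T11:10:02 203.0.113.5 A www.example.com NOERROR 50 80
2016-10-21T11:10:02 198.51.100.7 ANY example.com NOERROR 64 3200
2016-10-21T11:10:03 192.0.2.44 A k3q9x.example.com NXDOMAIN 55 120
2016-10-21T11:10:03 192.0.2.44 A p0zm2.example.com NXDOMAIN 55 120
2016-10-21T11:10:03 192.0.2.44 A ab77c.example.com NXDOMAIN 55 120
2016-10-21T11:10:04 203.0.113.5 AAAA www.example.com NOERROR 50 90
2016-10-21T11:10:04 192.0.2.44 A zz1q8.example.com NXDOMAIN 55 120
2016-10-21T11:10:04 198.51.100.7 ANY example.com NOERROR 64 3200
2016-10-21T11:10:05 192.0.2.44 A mm4e0.example.com NXDOMAIN 55 120
2016-10-21T11:10:05 192.0.2.44 A r6t1v.example.com NXDOMAIN 55 120
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, rcode, qbytes, rbytes = line.split()
        records.append({
            "ts": ts, "client": client, "qtype": qtype, "qname": qname,
            "rcode": rcode, "qbytes": int(qbytes), "rbytes": int(rbytes),
        })
    return records


def detect_amplification(records: List[dict], min_queries: int = 3,
                         min_factor: float = 10.0) -> Dict[str, float]:
    """Return {client_ip: amplification_factor} for clients that sent at least
    min_queries and received at least min_factor times more bytes than they
    sent. In a reflection attack this client is the spoofed victim."""
    qsum, rsum, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in records:
        qsum[r["client"]] += r["qbytes"]
        rsum[r["client"]] += r["rbytes"]
        count[r["client"]] += 1
    flagged = {}
    for ip in count:
        factor = rsum[ip] / qsum[ip]
        if count[ip] >= min_queries and factor >= min_factor:
            flagged[ip] = factor
    return flagged


def detect_nxdomain_flood(records: List[dict], min_queries: int = 5,
                          min_ratio: float = 0.8) -> Dict[str, float]:
    """Return {client_ip: nxdomain_ratio} for clients with at least min_queries
    where at least min_ratio of the answers were NXDOMAIN."""
    total, nx = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    flagged = {}
    for ip in total:
        ratio = nx[ip] / total[ip]
        if total[ip] >= min_queries and ratio >= min_ratio:
            flagged[ip] = ratio
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible reflection victims:", detect_amplification(recs))
    print("possible NXDOMAIN flooders:", detect_nxdomain_flood(recs))
```

The two detections call for different responses: a flagged amplification “source” is the party being attacked, so the right reaction is to rate-limit or drop large responses toward it (response rate limiting) rather than to treat the address as hostile, whereas a flagged NXDOMAIN source is the one generating load and can be rate-limited or blocked directly. Thresholds here are illustrative and would be tuned against a resolver’s normal baseline.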

It is currently unknown which technique attackers used in the recent Dyn DNS attack, but the Mirai malware that created the DDoS bots in the recent attack against Brian Krebs (a security journalist and blogger) was likely involved in some of the hosts used in this attack. This further showcases the need for enhanced IoT security, because these devices are typically not designed for security and are frequently not updated when vulnerabilities are discovered.

So what can you do to protect your network? F5 Networks has robust DDoS protections:

  • Local Traffic Manager (LTM) and Advanced Firewall Manager (AFM) provide robust layer 3 and layer 4 protections
  • F5 DNS, previously known as Global Traffic Manager (GTM), can help mitigate DNS-based DDoS attacks by providing greater flexibility in request forwarding and caching, and is several times faster than a BIND server
  • Application Security Manager (ASM) can help with layer 7 attacks
  • The new F5 Hybrid DDoS Defender creates an integration with F5’s Silverline Content Delivery Network (CDN) scrubbing service to offload local DDoS conditions to the F5 Silverline cloud where a larger set of resources and purpose-built protections can help mitigate, or Silverline can be used as a standalone solution.

GuidePoint has several F5 Certified Technology Specialists available to help your team secure your environment from potential DDoS attacks. Our team can help you maximize your install’s potential and secure your resources.

For more information about F5’s BIG-IP DNS solution, check out our previous blog.

Other hardware solutions are available from Radware, Arbor Networks, A10, Fortinet and others. They have comprehensive solutions for your organization’s data center as well.

DDoS is one of the primary use cases for cloud-based inline protections like Incapsula, Silverline, Akamai, Cloudflare, and others. GuidePoint Security’s technology professionals have extensive experience in DDoS attack prevention and CDN solutions.

If you’re a GuidePoint client and have questions about CDN solutions and how we can help, please reach out directly to your representative or email us at info@guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Making Bad Actors Work Harder Is Better for Agencies

Most security solutions are focused around defending Federal Agency networks, both at the perimeter and in the “soft underbelly” internal networks. This is a good change from just creating a hard crunchy outside, but it’s not all that needs to be done. In order to thwart bad actors, the data needs to be defended and even booby trapped to ensnare them.

GuidePoint Security has been working with companies like Vormetric to defend Agency information where the data is at rest. Done right, protecting data at rest requires a single platform that can secure file data, integrate with application data, and serve as one solution for on-prem and public cloud data. By adding this broad platform that focuses on the data itself, new barriers and alerts can become a serious problem for the bad guys. This works by following NIST guidelines on separation of duties between the system administrators and security teams. Traditionally, everyday administrators have access to highly sensitive data and decide who else gets access to that data.

This has been the source of many a high-profile breach. “Privilege Escalation” has become a term that non-security teams are now aware of because it’s a serious problem. Whether through “pass the hash”, poor password hygiene, or vulnerability exploitation, gaining access to a domain admin account has become the goal and the “PWNED” moment for bad actors. The now notorious Target breach is an example.

By encrypting the data without removing the ability to administer it, Vormetric adds new hurdles for the bad actors and new opportunities to identify a breach early on. When a privileged user tries to access data, they will receive ciphertext that is unusable, and Vormetric will send an alert to the SOC either directly or through a SIEM. In addition, the bad actor will now have to attempt to find a user that has access to that data. If they are able to figure that out, and that is a big if, simply using sudo to become that user will not work either, but it would likely be the first thing a bad actor tries. That again would set off an alarm to the SOC. Once all of that has failed, the bad actor would have to pivot to gaining direct access to a specific user or set of users’ accounts, in addition to the original user and the administrative user they have escalated privileges to.
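The behaviour described above, as an added example in Python that is not GuidePoint’s or Vormetric’s code and does not reproduce the product’s actual mechanism: a file is stored encrypted, a policy names which users and which processes may see plaintext, and every other read (root, a non-approved process, or an approved user reached via sudo from a different login) returns ciphertext and emits an alert record for the SOC or SIEM. The cipher is a stdlib-only toy (XOR with an HMAC-derived keystream) so the script runs offline; the policy fields, user names, paths and alert format are all constructed assumptions.

```python
"""Toy model of policy-enforced data-at-rest encryption with separation of
duties (added example, not a vendor's implementation).

Constructed assumptions: a Request carries both the login identity and the
effective identity after su/sudo; a Policy names allowed users and processes
per path; alerts are plain dicts that a SIEM forwarder could ship as JSON.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. A toy, not a vetted cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR keystream is symmetric


@dataclass
class Request:
    login_user: str      # identity that authenticated to the host
    effective_user: str  # identity after any su/sudo
    process: str         # program performing the read
    path: str


@dataclass
class Policy:
    allowed_users: Set[str]
    allowed_processes: Set[str]


@dataclass
class GuardedStore:
    key: bytes
    policies: Dict[str, Policy]
    files: Dict[str, bytes] = field(default_factory=dict)   # path -> ciphertext
    alerts: List[dict] = field(default_factory=list)

    def write(self, path: str, plaintext: bytes) -> None:
        self.files[path] = toy_encrypt(self.key, plaintext)

    def _alert(self, rule: str, req: Request, detail: str) -> None:
        self.alerts.append({
            "rule": rule, "login_user": req.login_user,
            "effective_user": req.effective_user, "process": req.process,
            "path": req.path, "detail": detail,
        })

    def read(self, req: Request) -> bytes:
        """Return plaintext only when the policy allows it; otherwise return the
        stored ciphertext (so backups and admin tooling keep working) and alert."""
        pol = self.policies[req.path]
        ct = self.files[req.path]
        if req.effective_user != req.login_user:
            self._alert("IMPERSONATION", req,
                        "effective user differs from login user (su/sudo)")
            return ct
        if req.effective_user not in pol.allowed_users:
            self._alert("DENIED_USER", req, "user not permitted for this path")
            return ct
        if req.process not in pol.allowed_processes:
            self._alert("DENIED_PROCESS", req, "process not permitted for this path")
            return ct
        return toy_decrypt(self.key, ct)

    def siem_events(self) -> List[str]:
        """Alerts rendered as JSON lines for a SIEM forwarder (constructed format)."""
        return [json.dumps(a, sort_keys=True) for a in self.alerts]


SECRET = b"ssn=000-00-0000;salary=constructed"  # constructed sample record


def build_demo_store() -> GuardedStore:
    """A store with one guarded path: only payroll_svc running payrolld reads plaintext."""
    store = GuardedStore(
        key=b"constructed-demo-key",
        policies={"/data/payroll.db": Policy({"payroll_svc"}, {"payrolld"})},
    )
    store.write("/data/payroll.db", SECRET)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.read(Request("payroll_svc", "payroll_svc", "payrolld", "/data/payroll.db")))
    print(s.read(Request("root", "root", "cat", "/data/payroll.db")))             # ciphertext
    print(s.read(Request("root", "payroll_svc", "payrolld", "/data/payroll.db")))  # sudo, ciphertext
    print("\n".join(s.siem_events()))
```

The point the model makes is that the administrator’s access is not removed but changed: root can still copy or back up the file, only the bytes it gets are unusable, and each attempt leaves an alert that ties the login identity, the effective identity and the process together, so a sudo hop to the service account is visible as a distinct event rather than a successful read.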

Anyone who has been on a Red Team doing penetration testing, or done forensics of a breach, will see this is a huge advantage for the defender. It is very likely that the attacker will trip several alarms, adding to the likelihood that SOC teams will identify an in-process attack before they are able to exfiltrate data.

For more information about how GuidePoint is helping agencies defend their data with solutions like this, please register and attend our webinar on July 25th here.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.