Commentary from Darktrace on DDoS attacks on StarHub
Date: 26 October 2016
By Sanjay Aurora, Managing Director, Asia-Pacific, Darktrace
Why would hackers target StarHub's DNS? What is there to gain?
DDoS victims may never learn what truly motivated an attack. However, what we’ve seen is that such attacks can serve as a distraction, performed by adversaries to draw attention away from other intrusions they carry out simultaneously within the organisation’s network environment, such as delivering malware, opening a route into a key enterprise subscriber or perpetrating a large-scale ransomware attack.
In this sense, DDoS is used to achieve maximum damage with minimum effort, causing widespread disruption and panic, with underlying motivations for financial gain or to extract sensitive information and data. Above all else, the reputational damage caused by successful cyberattacks can have long-term business implications.
Should the other telcos or ISPs be worried? And why?
The core infrastructure of telecommunications companies is a very desirable target for cybercriminals. Having said that, gaining access is extremely difficult and requires deep expertise in specialist architecture. This is therefore often initiated by highly-skilled and well-resourced international advanced persistent threat (APT) groups or nation-state attackers, who have strong interest in obtaining inner network access to intercept calls and data, or control, track and impersonate subscribers.
What ISPs should be wary of is the possibility of similar DNS amplification attacks on a more regular basis, given that they require relatively little skill and effort but can cause a large amount of damage. This makes them increasingly popular among hackers.
DNS-based DDoS amplification attacks can impact networks by saturating bandwidth with malicious traffic. They can also generate a spike in support calls due to service disruption, impacting an operator’s costs and giving customers a poor user experience that causes attrition, in turn impacting revenue.
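As an added illustration (not code from the Darktrace commentary), the check below runs over a constructed resolver log and flags the traffic pattern just described: a client address receiving far more response bytes than it ever sent in queries, which is what a resolver being misused as an unwilling participant in a reflected DNS amplification attack looks like from the operator's side. The log format, the sample addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log (not real StarHub data). Fields:
# unix_ts,client_ip,qtype,direction,bytes  where direction is
# "query" (client -> resolver) or "response" (resolver -> client).
# 203.0.113.7 is the (likely spoofed) address of a reflection victim.
SAMPLE_LOG = """\
1477440000,203.0.113.7,ANY,query,64
1477440000,203.0.113.7,ANY,response,3180
1477440000,203.0.113.7,ANY,query,64
1477440000,203.0.113.7,ANY,response,3180
1477440001,203.0.113.7,ANY,query,64
1477440001,203.0.113.7,ANY,response,3180
1477440001,192.0.2.10,A,query,45
1477440001,192.0.2.10,A,response,61
1477440002,192.0.2.11,AAAA,query,52
1477440002,192.0.2.11,AAAA,response,80
"""


def parse_log(text):
    """Turn the comma-separated log into (ts, client, qtype, direction, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, direction, size = line.split(",")
        records.append((int(ts), client, qtype, direction, int(size)))
    return records


def amplification_by_client(records, min_ratio=10.0, min_response_bytes=2048):
    """Return {client_ip: (query_bytes, response_bytes, ratio)} for clients whose
    traffic looks like reflection: the resolver sends back many times more bytes
    than that address sent in, and the absolute response volume is not trivial.
    Thresholds are assumed starting points, not tuned values."""
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for _, client, _, direction, size in records:
        if direction == "query":
            query_bytes[client] += size
        elif direction == "response":
            response_bytes[client] += size
    flagged = {}
    for client, sent in query_bytes.items():
        received = response_bytes[client]
        ratio = received / sent if sent else float("inf")
        if received >= min_response_bytes and ratio >= min_ratio:
            flagged[client] = (sent, received, round(ratio, 1))
    return flagged


if __name__ == "__main__":
    for ip, (sent, received, ratio) in amplification_by_client(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {sent} B in, {received} B out, x{ratio} amplification")
```

In practice the same calculation is run per time window and joined with the query type, since a burst of ANY or large TXT lookups from one address is a stronger signal than the byte ratio alone.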
What can local organisations do to safeguard themselves from such attacks?
Where DDoS attacks are concerned, companies are often either victims of the attack, like StarHub, or unwilling participants, through compromised external data centres or computers and routers from enterprise subscribers that become ‘zombie machines’. This means that all organisations are equally vulnerable and one company’s IT resources can be used against another.
To prevent IT resources and devices from becoming unwilling accomplices in botnet attacks, organisations must have full visibility of unusual behaviours and movement within their network environments. Attacks like the ones against StarHub prove once again that traditional rule- or perimeter-based cybersecurity approaches that look for pre-identified or ‘known’ threats are no longer working. All organisations, including ISPs, experience thousands of minor incidents daily, and it is impossible to keep up manually. They must therefore rely on new technologies like unsupervised machine learning and advanced algorithms that detect these incidents in real time and point out which incidents are early indicators of a more serious and ‘unknown’ threat.
Finally, we cannot rule out the possibility that the DDoS attack was caused by the IoT botnet ‘Mirai’, given that the source code has been released online and there has since been a rise in attacks of similar nature. IoT devices have never been more a part of our lives in and outside of work. Although IoT is making our lives easier, it’s also putting us at risk – as it is becoming painfully apparent how easy it is to hack them.
This brings to light our need to have better visibility into both existing and new technology, and the environment in which they are becoming entrenched. If we don’t take steps to do this now, we’ll continue seeing a growing pool of vulnerable devices that can be harnessed for malicious botnet attacks.