Michael Byrnes, director – solutions engineering, iMEA at BeyondTrust, discusses how organizations can leverage Privileged Access Management to stop DDoS attacks
The threat landscape is an ominous specter. Much of it looms beyond the digital perimeter just waiting for a chance to send something nasty our way. Right now, the regional cybersecurity community — from the CISO to the most niche solutions vendor — is obsessed with ransomware, and understandably so. But ransomware is not the only game in town. An old enemy is once again on the rise. The distributed denial of service attack (DDoS) overwhelms services and applications with requests until they collapse. This is a threat that requires a different approach when devising an adequate defense.
In 1999, the denial-of-service attack graduated when a tool named Trinoo was used to mount a UDP-flood attack on servers at the University of Minnesota. DDoS was born. And threat actors — never known to baulk at repetition when they find a vector that works — set to work shutting down some big names. In the winter of 2010, Anonymous affiliates used DDoS to take down online services run by PayPal and Mastercard.
Today, amid the ransomware extravaganza, DDoS barely gets a mention. But just this year, in April, UAE digital services provider e& released its “State of the Market Report 2022”, listing DDoS as one of the top threats faced by its customers throughout the previous year. The country saw a massive 37% increase in the number of DDoS attacks, with government and, alarmingly, healthcare each accounting for more than a third of all attacks (37% and 34%, respectively). The report also made note of the increase in attack volumes; more than 40Gbps is now standard, and one UAE attack in 2021 was measured to be 145.9 Gbps.
Down for days
Some DDoS attacks are capable of downing operations for days — the very same scenario that fills risk managers with dread when they think about ransomware. And yet currently, DDoS attacks are barely considered and poorly understood. First, there is no defense against DDoS once an attack commences. Of course, you can pull the plug and take the targeted resource offline, but this amounts to the same thing — your operations are down, and you need to recover.
It is important to note that DDoS attacks are so successful for precisely the reason that they are unstoppable. Since a resource has to receive the data before it can assess it as dangerous, you can packet-filter until you are blue in the face — and a large-volume DDoS attack will ensure that you are blue in the face. No matter what precautions are taken to prevent DDoS, each will have a capacity that can be overwhelmed by high enough volumes of inbound traffic.
So, admins are left with one inescapable truth. If enough data is thrown at a network resource, it does not matter what your guard-dog solution does with that data. It can delete it. It can sandbox it. The damage was done by the receipt of the data in the first place. And any system one can concoct that would examine the data before receipt is subject to the same logic.
Solutions, please…
Admittedly, there are ways to mitigate the data flow step by step until the targeted endpoint recovers. If an organization layers its defenses and allows traffic identified as malicious to be diverted to dead ends, the DDoS attack can be subverted. This involves an operation that extends all the way back and forth across the core of the Internet, where bandwidths are significantly higher than in a single organization. Telecoms operators can act without links becoming saturated. Each layer will syphon off more of the traffic until its flow abates. Sounds like a solution, does it not? To be clear though, this approach is not cheap. In fact, for many organizations it is prohibitively expensive. So, the most practical way to stop DDoS is to address its delivery system.
DDoS differs from other vectors because the assailant does not attack directly. They generally use a botnet — an army of involuntary drone computers that have been previously compromised, very likely without the owners’ knowledge. After the compromise, the attacker uses stolen privileges to drop payloads of tools that they will later use for other tasks, such as executing a DDoS attack.
So, if we do not want to become the unwitting puppets of a DDoS botmaster, we must control access to our legitimate privileged accounts. Privileged access management (PAM) systems prevent direct logons and therefore prevent persistent compromise of machines targeted for botnet conscription. Longer, more complex, and more frequently changed passwords and just-in-time privileges are only the beginning.
PAM to the rescue
Operating systems traditionally implement privilege through inheritance, where each process or application assumes the privileges of the process or user that launched it. The Principle of Least Privilege — the core of PAM platforms — prevents this inheritance, instead granting only standard access to new processes or even blocking their launch entirely. This leads to more secure endpoints and exceedingly frustrated would-be botmasters. Without an army, all a field marshal can do is shout impotently from the hilltop. And then return home.
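To make the inheritance point concrete, here is an added Python example (not BeyondTrust's code) of a minimal least-privilege launcher: the allow-list, the standard uid and the helper names are assumptions for illustration. Instead of letting a child process inherit the parent's privileges, it either blocks the launch or runs the child with standard access, using Linux no_new_privs so the child cannot regain privileges through setuid binaries.

```python
import ctypes
import os
import subprocess
import sys
from typing import Literal

# Constructed allow-list for this example: binaries a standard user may
# run when launched from a privileged parent. A real PAM platform keeps
# such rules in a central policy store, not in the code.
ALLOWED_BINARIES = {"/usr/bin/id", "/bin/id", "/usr/bin/true", "/bin/true"}
STANDARD_UID = 65534  # assumed "nobody"-style identity used when the parent is root
PR_SET_NO_NEW_PRIVS = 38  # value from <linux/prctl.h>
# dlopen(NULL) exposes libc's prctl on Linux; loaded once, before any fork.
_LIBC = ctypes.CDLL(None, use_errno=True) if sys.platform.startswith("linux") else None

def decide(binary: str) -> Literal["launch-standard", "block"]:
    """Least-privilege rule: allow-listed binaries run with standard access;
    anything else is blocked before it can inherit the parent's privileges."""
    # normpath defeats "../" tricks; a production check would also resolve symlinks
    return "launch-standard" if os.path.normpath(binary) in ALLOWED_BINARIES else "block"

def _drop_privileges() -> None:
    """Runs in the child after fork and before exec: give up whatever the
    parent had. no_new_privs stops setuid binaries handing it back later."""
    if _LIBC is not None and _LIBC.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS) failed")
    if os.geteuid() == 0:  # only root can actually change identity
        os.setgroups([])
        os.setgid(STANDARD_UID)
        os.setuid(STANDARD_UID)

def launch(binary: str, *args: str) -> str:
    """Run BINARY with standard, non-inherited privileges, or refuse outright.
    Any failure inside _drop_privileges aborts the launch (fail closed)."""
    if decide(binary) == "block":
        raise PermissionError(f"least-privilege policy blocks launch of {binary}")
    result = subprocess.run([binary, *args], check=True, capture_output=True,
                            text=True, preexec_fn=_drop_privileges)
    return result.stdout.strip()

def uid_seen_by_child() -> int:
    """Uid the launched child actually runs as (what plain inheritance would leak)."""
    return int(launch("/usr/bin/id", "-u"))

def expected_standard_uid() -> int:
    """What the child should report: the parent's own uid when it is not root,
    otherwise the standard identity it was dropped to."""
    return STANDARD_UID if os.geteuid() == 0 else os.geteuid()
```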
Privileged access management for everyone helps protect everyone else from DDoS attacks. Unlike the unrealistic packet-filtering that involves large portions of the Internet, PAM technologies are accessible to smaller organizations and serve other value-adding purposes, such as protecting against ransomware, advanced persistent threats (APTs) and a range of other malicious payloads.
All threat actors are opportunists. If we all do our part to stymie their advances, perhaps we can frustrate them enough to consider another career.