All posts by Jeff Petters

Windows PowerShell vs. CMD: What’s The Difference?


Back in the day, booting the then-cutting-edge IBM 8086 from the floppy brought you to a green text screen with a cursor blinking at the familiar C:\> prompt. Hacking boot.ini and config.sys to get my games to run was my first introduction to programming.

Eventually that C:\> got replaced with a pretty GUI and boot from hard disk. That command prompt (CMD) still lived on for decades. Only recently did CMD get an upgrade, or replacement, with PowerShell, the shell application Microsoft introduced with Windows 7.

CMD served us well for a good long time, but PowerShell is like going straight from steam engines to autonomous battery powered cars.

Windows Command Prompt

Windows Command Prompt – also known as CMD – is the original shell for the Microsoft DOS operating system. CMD was the default shell until Windows 10 build 14791, when Microsoft made PowerShell the default option. CMD is one of the last remnants of the original MS-DOS operating system that Microsoft replaced

Windows PowerShell


Windows PowerShell is the new Microsoft shell that combines the old CMD functionality with a new scripting/cmdlet instruction set with built-in system administration functionality. PowerShell cmdlets allow users and administrators to automate complicated tasks with reusable scripts. System administrators save significant time by automating administration tasks with PowerShell.

PowerShell vs. CMD

PowerShell vs. CMD is like comparing apples to kumquats. They are completely different, despite the illusion that the ‘dir’ command works the same way in both interfaces.

PowerShell uses cmdlets, which are self-contained programming objects that expose the underlying administration options inside of Windows. Before PowerShell, sysadmins navigated the GUI to find these options, and there was no way to reuse the workflow of clicking through the menus to change options on a large scale.

PowerShell uses pipes to chain together cmdlets and share input/output data the same way as other shells, like bash in linux. Pipes allow users to create complex scripts that pass parameters and data from one cmdlet to another. Users can create reusable scripts to automate or make mass changes with variable data – a list of servers, for example.

One of the (many) neat functions of PowerShell is the ability to create aliases for different cmdlets. Aliases allow a user to configure their own names for different cmdlets or scripts, which makes it more straightforward for a user to switch back and forth between different shells: ‘ls’ is a Linux bash command that displays directory objects, like the ‘dir’ command. In PowerShell, both ‘ls’ and ‘dir’ are aliases for the cmdlet ‘Get-ChildItem’.
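The two ideas above, pipelines passing objects between cmdlets and aliases standing in for cmdlets or scripts, in one short script. This is an added example, not code from the original post: it assumes Windows PowerShell 5.1 or later on Windows (where the ‘ls’ alias exists), creates a scratch directory with constructed sample files, and the function name Get-LargeLogFile and alias ‘biglogs’ are invented for the demonstration.

```powershell
# Added example (not from the original post): pipelines, objects and aliases in PowerShell.
# Assumes Windows PowerShell 5.1+ on Windows; file names and sizes below are constructed.

# 1. Aliases: on Windows both 'ls' and 'dir' resolve to the Get-ChildItem cmdlet.
Get-Alias -Name ls, dir | Select-Object Name, Definition

# 2. Build a scratch directory with a few sample files so the pipeline has real objects to work on.
$scratch = Join-Path ([System.IO.Path]::GetTempPath()) ("ps-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$samples = @{ 'report.log' = 4096; 'notes.txt' = 512; 'archive.log' = 8192 }   # constructed
foreach ($entry in $samples.GetEnumerator()) {
    $bytes = New-Object byte[] $entry.Value
    [System.IO.File]::WriteAllBytes((Join-Path $scratch $entry.Key), $bytes)
}

# 3. Unlike CMD's text-only 'dir', Get-ChildItem emits FileInfo objects, so the next
#    cmdlets filter and sort on properties (Extension, Length) instead of parsing text.
Get-ChildItem -Path $scratch -File |
    Where-Object { $_.Extension -eq '.log' } |
    Sort-Object -Property Length -Descending |
    Select-Object Name, Length

# 4. Wrap a reusable workflow in a function (hypothetical name) and give it a short alias.
function Get-LargeLogFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinBytes = 4096
    )
    Get-ChildItem -Path $Path -File -Filter '*.log' |
        Where-Object { $_.Length -ge $MinBytes }
}
Set-Alias -Name biglogs -Value Get-LargeLogFile

# The alias now runs the whole workflow; variable data (path, size) flows in as parameters.
# With the constructed files above this returns archive.log only.
biglogs -Path $scratch -MinBytes 5000 | Select-Object Name, Length

# 5. Clean up the scratch directory.
Remove-Item -Path $scratch -Recurse -Force
```

Step 3 is the whole point of "apples to kumquats": the output of ‘dir’ looks the same in both shells, but in PowerShell it is a stream of objects that downstream cmdlets can query by property, which is what makes the scripts in step 4 reusable across a list of paths or servers.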


When to Use PowerShell

For systems administrators and other IT functions, PowerShell is the way to go. There isn’t any command left in CMD that isn’t in PowerShell, and PowerShell includes cmdlets for any administration function you could need. Third-party software vendors are extending PowerShell with custom cmdlets, like the NetApp PowerShell Toolkit that manages Data ONTAP.

PowerShell knowledge can be a differentiator for employment or even a job requirement, so it’s a worthwhile skill to invest in.

To get started on your PowerShell journey, check out this tutorial for the basics – and learn how to automate Active Directory tasks with our free PowerShell course by Adam Bertram, a Microsoft PowerShell MVP (pro-tip: use the code ‘blog’).

Zero-Day Vulnerability Explained


A zero-day vulnerability is a software bug or exploit that hasn’t been patched. It’s like a hole in the bottom of your shoe that you haven’t noticed yet, but a curly-mustachioed villain has found it and is considering putting rusty nails on your gas pedal. Hackers can use these bugs and exploits to steal your data before you’re able to find and patch the weakness.

What are Vulnerabilities?

Vulnerabilities allow attackers to slip past your defenses and into your network, like the unpatched software that allowed the Equifax hack.

As security professionals, we regularly deal with all kinds of vulnerabilities like software bugs, hacks, and human vulnerabilities.

Software bugs – like the one that led to the Equifax data breach – are faults in the code that hackers can use to get through to your data. Software hacks use existing functionality as part of an attack: the Golden Ticket attack, for instance, is a privilege escalation hack that takes advantage of the way Microsoft Kerberos functions normally. Human vulnerabilities are exploited most frequently by social engineering attacks, which often abuse trust (or naiveté) to steal passwords or send money to African princes.

What Makes a Zero-Day Vulnerability?


In short, urgency and immediacy make a zero-day vulnerability.

These are software bugs that developers have zero days to fix because by the time they’re identified, they are already massive security risks that could cause significant damage. Most of the time, zero-day bugs are not public knowledge and are patched before attackers can build an exploit kit to take advantage of the flaw.

As long as the zero-day vulnerability is not public, developers have time on their side. However, once the exploit becomes public knowledge, it becomes a race for developers to get a patch out before damage is done.

Many organizations offer bounties for discovering zero-day vulnerabilities in their software. Microsoft and Google offer cash rewards for reporting vulnerabilities to them directly, with some rewards north of $100k.

Zero-Day Exploit

A zero-day exploit is different from a zero-day vulnerability. Zero-day exploits do not have to be existing vulnerabilities: they could be a brand new malware or ransomware program. A zero-day exploit is a brand new kind of attack in progress that requires immediate remediation.

When a zero-day vulnerability isn’t discovered and patched before the attackers find the flaw, however, it becomes a zero-day exploit as well.

Zero-day exploits are difficult to detect and defend against: they are unknown until it’s too late, and their nature is under-researched. Signature-based security solutions can’t detect a zero-day exploit, and there are no software vulnerability patches immediately available. You need to react to zero-day exploits quickly to prevent widespread damage to the network or data theft.

How to Defend Against Zero-Day Attacks

You can create a secure network that is resilient against zero-day attacks. By monitoring data and comparing current activity to an established baseline, you can detect abnormalities caused by zero-day attacks. Every cyberattack – zero-day or otherwise – leaves digital footprints in both the data and on the network.

For example, a zero-day exploit that grants an attacker access to a user account will likely cause that user account to act abnormally. The attacker might try to search the network for credit card numbers or password lists, or try to elevate the account to a Domain Admin. With Varonis, either of those activities will trigger one of several behavior-based threat models and flag it as suspicious activity. So what can you do to protect yourself against zero-day vulnerabilities?


  • Monitor your core data – including files, folders, emails, Active Directory, VPN, DNS, and Web Proxies – for behaviors that could indicate a zero-day cyberattack
  • Enforce a least-privilege model to prevent lateral movement and data exfiltration from a zero-day attack
  • Update software and security (including IPS and Endpoint) packages as soon as they are available to defend against known zero-day vulnerabilities
  • Back up critical systems and establish recovery and incident response plans
  • Enforce strict software and internet use policies and train users to identify phishing attacks and other security risks

That last point is key. Empower the team to report behaviors on their systems that are out of place – employees are often the last line of defense against a zero-day attack.
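The baseline idea from the paragraphs above, worked through: compare each user's activity today against what that user normally does and flag the outliers. This is an added example, not Varonis code or any product's logic; the access records, the 14-day history and the 3-standard-deviation threshold are all constructed or assumed for the demonstration.

```powershell
# Added example (not Varonis code): flagging zero-day style activity by comparing today's
# behaviour to a per-user baseline. All records below are constructed sample data and the
# z-score threshold is an assumed tuning value.

function Get-Baseline {
    # Mean and standard deviation of a series of daily counts.
    param([double[]] $Counts)
    $mean = ($Counts | Measure-Object -Average).Average
    $variance = ($Counts | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum / $Counts.Count
    [pscustomobject]@{ Mean = $mean; StdDev = [math]::Sqrt($variance) }
}

function Find-AbnormalUsers {
    param(
        [hashtable] $DailyHistory,      # user -> file opens per day over the baseline period
        [object[]]  $TodayEvents,       # objects with User, Path, Sensitive
        [double]    $ZThreshold = 3.0   # assumed: flag at three standard deviations above normal
    )
    foreach ($user in $DailyHistory.Keys) {
        $stats     = Get-Baseline -Counts $DailyHistory[$user]
        $mine      = @($TodayEvents | Where-Object { $_.User -eq $user })
        $count     = $mine.Count
        $spread    = if ($stats.StdDev -gt 0) { $stats.StdDev } else { 1.0 }   # flat baseline guard
        $z         = ($count - $stats.Mean) / $spread
        $sensitive = @($mine | Where-Object { $_.Sensitive })
        $reasons   = @()
        if ($z -gt $ZThreshold) {
            $reasons += 'volume {0} vs baseline {1:N1} (z={2:N1})' -f $count, $stats.Mean, $z
        }
        if ($sensitive.Count -gt 0) {
            $reasons += 'touched sensitive data: ' + (($sensitive.Path | Select-Object -Unique) -join ', ')
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User     = $user
                Opens    = $count
                Baseline = [math]::Round($stats.Mean, 1)
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Baseline: file opens per day over the previous 14 days (constructed).
$history = @{
    alice = @(40, 38, 45, 41, 39, 44, 42, 40, 43, 41, 39, 42, 40, 44)
    bob   = @(12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12)
}

# Today's activity (constructed): alice behaves normally; bob's account sweeps a whole share
# and opens a password list, the pattern the paragraph above describes.
$today = @()
foreach ($n in 1..41)  { $today += [pscustomobject]@{ User = 'alice'; Path = "\\fs01\finance\report-$($n).xlsx"; Sensitive = $false } }
foreach ($n in 1..400) { $today += [pscustomobject]@{ User = 'bob';   Path = "\\fs01\hr\employee-$($n).docx";    Sensitive = $false } }
$today += [pscustomobject]@{ User = 'bob'; Path = '\\fs01\it\passwords.xlsx'; Sensitive = $true }

# Expected: one finding, for bob (volume far above baseline, plus the sensitive file).
Find-AbnormalUsers -DailyHistory $history -TodayEvents $today | Format-List
```

No signature is involved anywhere: the script knows nothing about how bob's account was compromised, only that its behaviour no longer matches its own history, which is why this kind of check still fires on an exploit nobody has named yet.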

Zero-Day Attack Examples

Each year there are at least a dozen or so different zero-day vulnerabilities identified and patched by software vendors. One of the most infamous is the Strutshock vulnerability used in the Equifax data breach. Developers patched that vulnerability in March of 2017, but Equifax didn’t apply the update – making it a zero-day attack.

Other notable zero-day attacks:

Tips to Prevent Zero-Day Vulnerabilities

Protecting your network from zero-day attacks requires behavior-based data monitoring that helps protect against both known and unknown threats. Varonis establishes behavioral baselines to detect unusual activity in your network, and alerts on suspicious activity so you can respond and stop the threat before it becomes a data breach. Signature-based systems won’t detect a zero-day exploit, but a data-centric solution can detect the digital footprints of a zero-day exploit attack in progress.

See how Varonis detects attacks with a free 1:1 demo – and discover the best practices to defend against zero-day attacks.

IDS vs. IPS: What is the Difference?


Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) also analyze packets, but can also stop the packet from being delivered based on what kind of attack it detects — helping stop the attack.

How Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Work

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. IDS/IPS compare network packets to a cyberthreat database containing known signatures of cyberattacks — and flag any matching packets.

The main difference between them is that IDS is a monitoring system, while IPS is a control system.

IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

  • Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
  • Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. IPS proactively denies network traffic based on a security profile if a packet represents a known security threat.

Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create a Unified Threat Management (UTM) technology that combines the functionality of those two similar systems into a single unit. Some systems provide both IDS and IPS functionality in one unit.

The Differences Between IDS and IPS


Both IDS/IPS read network packets and compare the contents to a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that don’t take action on their own. IPS is a control system that accepts or rejects a packet based on the ruleset.

IDS requires a human or another system to look at the results and determine what actions to take next, which could be a full time job depending on the amount of network traffic generated each day. IDS makes a better post-mortem forensics tool for the CSIRT to use as part of their security incident investigations.

The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It’s more passive than an IDS, simply requiring that the database gets regularly updated with new threat data.

*Point of emphasis: IDS/IPS are only as effective as their cyberattack databases. Keep them updated and be prepared to make manual adjustments when a new attack breaks out in the wild and/or the attack signature isn’t in the database.
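A toy signature engine that makes the IDS/IPS split concrete, together with the point of emphasis above about stale databases. This is an added example and not code from the original post or any product; the signatures, the packets and the "evilbot" User-Agent string are constructed for the demonstration, and real engines such as Snort or Suricata use far richer rule languages than a single regular expression.

```powershell
# Added example (not from the original post): a toy signature engine showing the one
# difference that matters between IDS and IPS, namely what happens after a match.
# Signatures and packets are constructed sample data.

$signatures = @(
    [pscustomobject]@{ Id = 'SIG-1001'; Name = 'Directory traversal in request path'; Pattern = '\.\./' }
    [pscustomobject]@{ Id = 'SIG-1002'; Name = 'Known malware beacon User-Agent';     Pattern = 'User-Agent: evilbot/' }
)

function Invoke-SignatureScan {
    param(
        [object[]] $Packets,
        [object[]] $Signatures,
        [ValidateSet('IDS', 'IPS')] [string] $Mode
    )
    foreach ($packet in $Packets) {
        # Same matching logic in both modes: compare the payload to every known signature.
        $hit = $Signatures | Where-Object { $packet.Payload -match $_.Pattern } | Select-Object -First 1
        $verdict   = 'pass'
        $delivered = $true
        $sigId     = ''
        if ($hit) {
            $sigId = $hit.Id
            if ($Mode -eq 'IDS') {
                $verdict = 'alert'                        # IDS: record the match, packet still flows
            } else {
                $verdict = 'drop'; $delivered = $false    # IPS: enforce in line, packet never arrives
            }
        }
        [pscustomobject]@{
            Id = $packet.Id; Src = $packet.Src; Mode = $Mode
            Verdict = $verdict; Delivered = $delivered; Signature = $sigId
        }
    }
}

# Constructed sample traffic. Packet 4 represents a technique with no signature in the
# database yet: both modes pass it, which is the stale-database problem in one line.
$packets = @(
    [pscustomobject]@{ Id = 1; Src = '198.51.100.20'; Payload = "GET /index.html HTTP/1.1`r`nHost: www.example.com" }
    [pscustomobject]@{ Id = 2; Src = '203.0.113.8';   Payload = "GET /../../etc/passwd HTTP/1.1`r`nHost: www.example.com" }
    [pscustomobject]@{ Id = 3; Src = '203.0.113.9';   Payload = "GET /status HTTP/1.1`r`nUser-Agent: evilbot/2.0" }
    [pscustomobject]@{ Id = 4; Src = '203.0.113.10';  Payload = "POST /api/upload HTTP/1.1`r`nX-Constructed: novel technique, no signature yet" }
)

'--- IDS mode: every packet is delivered, matches are only logged ---'
Invoke-SignatureScan -Packets $packets -Signatures $signatures -Mode IDS | Format-Table -AutoSize
'--- IPS mode: matching packets are dropped in line ---'
Invoke-SignatureScan -Packets $packets -Signatures $signatures -Mode IPS | Format-Table -AutoSize
```

Packets 2 and 3 are delivered with an alert in IDS mode and dropped in IPS mode; packet 4 is delivered in both, which is why the alert stream from the IDS side still needs a human or a behavioral layer behind it.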

Why IDS and IPS are Critical for Cybersecurity


Security teams face an ever-growing threat of data breaches and compliance fines while continuing to struggle with budget limitations and corporate politics. IDS/IPS technology covers specific and important jobs of a cybersecurity strategy:

  • Automation: IDS/IPS systems are largely hands-off, which makes them ideal candidates for use in the current security stack. IPS provides the peace of mind that the network is protected from known threats with limited resource requirements.
  • Compliance: Part of compliance often requires proving that you have invested in technologies and systems to protect data. Implementing an IDS/IPS solution checks off a box on the compliance sheet and addresses a number of the CIS Security controls. More importantly, the auditing data is a valuable part of compliance investigations.
  • Policy enforcement: IDS/IPS are configurable to help enforce internal security policies at the network level. For example, if you only support one VPN, you can use the IPS to block other VPN traffic.

Varonis DatAlert complements IDS/IPS: while network security is critical for protection from data breaches — and IDS/IPS solutions fill that role perfectly — Varonis monitors real-time activity on data, which is a critical layer to any cybersecurity strategy.

When a new ransomware attack breaks out the IDS/IPS might not have the signatures ready to prevent the attack at the network level. Varonis, however, not only includes signature-based ransomware detection, but also recognizes the characteristics and behavior of a ransomware attack — multiple files modified in a short time for example — and automatically triggers an alert to stop the attack before it spreads.

Want to see how it works? Get a 1:1 demo to see how Varonis complements your IDS/IPS for a strong cybersecurity strategy.

What is a Brute Force Attack?


A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force attack in progress is the best counter: once attackers have access to the network, they’re much harder to catch.

Types of Brute Force Attacks

The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers manufactured within the last 10ish years can brute force crack an 8 character alphanumeric password – capitals and lowercase letters, numbers, and special characters – in about two hours. Computers are so fast that they can brute force decrypt a weak encryption hash in mere months. These kinds of brute force attacks are known as an exhaustive key search, where the computer tries every possible combination of every possible character to find the right combination.

Credential recycling is another type of brute force attack that reuses usernames and passwords from other data breaches to try to break into other systems.

The reverse brute-force attack uses a common password like “password,” and subsequently tries to brute force a username to go with that password. Since “password” was one of the most common passwords in 2017, this technique is more successful than you might think.

Motives Behind Brute Force Attacks


Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entry into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Attackers also use brute force attacks to look for hidden web pages. Hidden web pages are websites that live on the internet, but are not linked to other pages. A brute force attack tests different addresses to see if they return a valid webpage, and will seek out a page they can exploit: a software vulnerability in the code they could use for infiltration (like the vulnerability used to infiltrate Equifax), or a webpage that contains a list of usernames and passwords exposed to the world.

There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to expand their options of finding a positive – for them – result.

How to Defend Against Brute Force Attacks


Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length: More characters equal more time to brute force crack
  • Increase password complexity: More options for each character also increase the time to brute force crack
  • Limit login attempts: Brute force attacks increment a counter of failed login attempts on most directory services – a good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress
  • Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress
  • Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success

The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We’ve got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack under way), threat models that detect potential credential stuffing, and more – all designed to detect and prevent brute force attacks before the attack escalates.
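The “limit login attempts” defense and the lockout monitoring described above, worked through on sample data. This is an added example, not Varonis code: the logon events are constructed in the shape of Windows logon audit records (account, source address, outcome), and the ten-minute window, the five-failure lockout threshold and the five-account spray threshold are assumed policy values. It covers both the classic one-account brute force and the reverse brute-force pattern from earlier in the post, which a per-account lockout alone never sees.

```powershell
# Added example (not Varonis code): spotting brute-force patterns in authentication events.
# Events are constructed sample data; window and thresholds are assumed policy values.

function New-LogonEvent($Time, $Account, $Source, [bool] $Success) {
    [pscustomobject]@{ Time = [datetime]$Time; Account = $Account; Source = $Source; Success = $Success }
}

function Test-BurstWithinWindow {
    # True when at least $Threshold timestamps fall inside some window of length $Window.
    param([datetime[]] $Times, [timespan] $Window, [int] $Threshold)
    $sorted = @($Times | Sort-Object)
    for ($i = 0; $i -le $sorted.Count - $Threshold; $i++) {
        if (($sorted[$i + $Threshold - 1] - $sorted[$i]) -le $Window) { return $true }
    }
    return $false
}

function Find-BruteForce {
    param(
        [object[]] $Events,
        [timespan] $Window        = [timespan]::FromMinutes(10),   # assumed observation window
        [int]      $MaxFailures   = 5,                              # assumed per-account lockout threshold
        [int]      $SprayAccounts = 5                               # assumed distinct-accounts-per-source threshold
    )
    $failures = @($Events | Where-Object { -not $_.Success })

    # Classic brute force: many failures against one account, what a lockout policy catches.
    foreach ($group in ($failures | Group-Object -Property Account)) {
        if (Test-BurstWithinWindow -Times $group.Group.Time -Window $Window -Threshold $MaxFailures) {
            [pscustomobject]@{
                Pattern  = 'account brute force'; Key = $group.Name; Failures = $group.Count
                Detail   = 'sources: ' + (($group.Group.Source | Select-Object -Unique) -join ', ')
                Response = 'lock account, alert SOC'
            }
        }
    }

    # Reverse brute force: one source failing across many accounts, each below the lockout
    # threshold, so only the source-level view exposes it.
    foreach ($group in ($failures | Group-Object -Property Source)) {
        $accounts = @($group.Group.Account | Select-Object -Unique)
        if ($accounts.Count -ge $SprayAccounts -and
            (Test-BurstWithinWindow -Times $group.Group.Time -Window $Window -Threshold $SprayAccounts)) {
            [pscustomobject]@{
                Pattern  = 'reverse brute force'; Key = $group.Name; Failures = $group.Count
                Detail   = 'accounts: ' + ($accounts -join ', ')
                Response = 'block source, alert SOC'
            }
        }
    }
}

# Constructed sample events.
$events = @()
# A normal user: one mistyped password, then success. Must not be flagged.
$events += New-LogonEvent '2024-01-15T09:00:00' 'alice' '10.0.0.5' $false
$events += New-LogonEvent '2024-01-15T09:00:20' 'alice' '10.0.0.5' $true
# Brute force against a service account: eight failures in under a minute from one host.
foreach ($n in 1..8) {
    $events += New-LogonEvent ('2024-01-15T09:05:{0:d2}' -f ($n * 5)) 'svc-backup' '203.0.113.9' $false
}
# Reverse brute force: one host tries a single common password against six different accounts.
$targets = 'bob', 'carol', 'dave', 'erin', 'frank', 'grace'
for ($i = 0; $i -lt $targets.Count; $i++) {
    $events += New-LogonEvent ('2024-01-15T09:10:{0:d2}' -f ($i * 3)) $targets[$i] '198.51.100.7' $false
}

# Expected: two findings, svc-backup (account brute force) and 198.51.100.7 (reverse brute force).
Find-BruteForce -Events $events | Format-Table -AutoSize -Wrap
```

Two practical notes on the thresholds: a low per-account lockout threshold also lets anyone who knows a username lock that user out, so pair lockout with source-level detection rather than relying on it alone; and the spray check deliberately uses the same window function, because the distinguishing feature of a reverse brute force is breadth across accounts in a short time, not depth against one.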

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.

Ready to get ahead of brute force attacks? Get a 1:1 demo to learn how Varonis detects attacks so you can stop attackers proactively.

What is ITAR Compliance? Definition and Regulations


The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. How can a company ensure that only US citizens can access that data on a network, and so remain ITAR compliant? Limiting access to the physical materials is straightforward; limiting access to digital data is more complicated.

Who Needs To Follow ITAR Compliance?


Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies who can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations.

  • Wholesalers
  • Distributors
  • Computer Software/ Hardware vendors
  • Third-party suppliers
  • Contractors

Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

ITAR Regulations

ITAR regulations are simple: only U.S. citizens can access items on the USML list.

ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.

The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

Penalties for ITAR Compliance Violations

The penalties for ITAR infractions are stiff:

  • Civil fines up to $500,000 per violation
  • Criminal fines of up to $1 million and/or 10 years imprisonment per violation

In April of 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee their agreement with the State Department.

In 2007, ITT took a $100 million fine to the face for exporting night-vision technology illegally. ITT thought it could work around the restrictions; the Government didn’t agree with its interpretation of the rules.

Types of Defense Articles

There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

    1. Firearms, Close Assault Weapons and Combat Shotguns
    2. Guns and Armament
    3. Ammunition/Ordnance
    4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
    6. Surface Vessels of War and Special Naval Equipment
    7. Ground Vehicles
    8. Aircraft and Related Articles
    9. Military Training Equipment and Training
    10. Personal Protective Equipment
    11. Military Electronics
    12. Fire Control, Laser, Imaging and Guidance Equipment
    13. Materials and Miscellaneous Articles
    14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
    15. Spacecraft and Related Articles
    16. Nuclear Weapons Related Articles
    17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    18. Directed Energy Weapons
    19. Gas Turbine Engines and Associated Equipment
    20. Submersible Vessels and Related Articles
    21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

How to Secure Your ITAR Data

Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, the government’s own guidance for data security is a great place to start. NIST SP 800-53 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR regulated materials should use NIST SP 800-53 as a baseline for its own security standards. Follow these basic principles to secure your ITAR data:

  • Discover and Classify Sensitive Data
    Locate and secure all sensitive data
    Classify data based on business policy
  • Map Data and Permissions
    Identify users, groups, folder and file permissions
    Determine who has access to what data
  • Manage Access Control
    Identify and deactivate stale users
    Manage user and group memberships
    Remove Global Access Groups
    Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    Audit and report on file and event activity
    Monitor for insider threats, malware, misconfigurations and security breaches
    Detect security vulnerabilities and remediate

ITAR Compliance FAQs

  1. How can Varonis help me find all of my ITAR data?
    The Data Classification Engine identifies and classifies ITAR regulated data on your core data stores – both on-premise and in the cloud. With a pre-built library of more than 400 patterns for common laws and standards, you can identify ITAR data and even apply custom tags, flags, and notes to regulated data.
  2. Who can access this ITAR data?
    Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
  3. How will I know if my ITAR data is accessed?
    Varonis DatAlert monitors and triggers alerts when data is accessed, including a folder of your ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
  4. How can I manage access to ITAR data?
    The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline access governance, automatically enforce security policies, and demonstrate compliance to government auditors.

Want to learn more about how to manage your ITAR data to meet compliance? Get a 1:1 demo with a security engineer to see how Varonis can help.

Threat Modeling: 6 Mistakes You’re Probably Making


Threat modeling is the new normal for modern cybersecurity teams. Predicting threats and testing all possible permutations of those threats and vulnerabilities is a difficult job. Companies spend hundreds of work hours to develop a comprehensive security strategy and the appropriate threat modeling to test, verify, and enhance the strategy over time. We will discuss mistakes security teams make while creating their threat models, along with strategies on how to use threat modeling as a proactive measure for cybersecurity.

What is Threat Modeling?

Threat modeling is the proactive process of identifying potential risks and threats, then creating tests and countermeasures to respond to potential threats. Threat modeling for cybersecurity is a rapidly evolving discipline: you can create threat models for almost any scenario you can imagine.

Successful threat modeling requires identifying potential threats, analyzing the possible effects of those threats, and determining if the threat is significant and requires a neutralization strategy. Cybersecurity teams encounter new threats constantly, and adapting to the latest malware or ransomware could protect the company from a large data breach penalty.

Note: Threat modeling is the process to create threat models. Threat models are the parameters that define a threat. Not all threat models apply to every system, and not all threat modeling will develop a new threat model.

How Threat Modeling Works

Threat modeling is asking and answering questions about the thing you are working to protect. It requires that you step out of the day-to-day whirlwind of data security and imagine the future. It’s important to not only create threat models as part of an implementation plan for new systems but also to set aside time to create or update threat models for older systems as well.

In addition to security team members, a threat modeling team should be made up of representatives from application owners, architects, administrators, and even customers. Pull all of those people into a room to ask questions, flag concerns, discuss potential resolutions, and troubleshoot issues. Here are some threat modeling example questions to get you thinking about that process:

Threat Modeling Questions to Ask

What are we building?

In order to understand the system you are threat modeling, you need to break down the system into smaller parts. For example, what kind of application is it? Does it have several components? Who does the application serve? By working through the system all the way down to the smallest components, you’ll have a decent framework to continue building the threat model.

What can go wrong?

Now review all of the “What if?” scenarios the team can imagine. What if a hacker steals someone’s account? What if someone breaks into the database? What if we get hit with a ransomware attack? Be creative and do your research. NIST and SANS have guidance to create comprehensive cybersecurity plans. Use that research to formulate your own questions. Be realistic and thorough with the “What Ifs?” – and let those questions drive threat modeling forward.

What are we going to do about that?

With the “What if?” questions prepared, the team needs to then spec out the impact of that scenario, how to manage the scenario, and the protections needed to defend against that scenario. There might be several mitigation options for each question, while some mitigation options might apply to several questions. Some “What ifs” might not require a response at all.

Did we do a good enough job?

Threat modeling isn’t a one and done meeting: schedule a recurring meeting to review the threat model’s performance and update the threat model. The threat model might need to be updated based on new cybersecurity threats that attackers employ, new variants, or new types of attacks. Whatever the case, take the time to bring the threat modeling team back together and do some further brainstorming and answer a few more “What ifs.”

6 Threat Modeling Mistakes


  1. Think like an attacker. While this might seem like good advice at first, you probably aren’t, in fact, an attacker. At best, you’ll be guessing what an attacker is thinking about – or how they’re planning to behave. It’s not the worst thing you can do as part of your threat modeling, but make sure you cover the cybersecurity basics from the NIST or SANS guidelines before you get into the more esoteric.
  2. Don’t get esoteric. No, extra-terrestrials are not going to corrupt your data with their advanced system interface technology. And if they could, what are you actually going to do about it? Focus on the risks that are real and manageable.
  3. My threat model is complete. This is a double-edged sword. Never assume that the threat modeling team can imagine every potential threat that will ever exist, but don’t hold off deployment of a new system because a minuscule amount of risk remains either. So when the boss asks if the threat model is complete? Give them a realistic risk assessment and tell them that when the risk profile changes, there’s a plan to update the threat models.
  4. No CISSP, no dice. Gather a diverse team and include the stakeholders as well as customer voices, if possible; no certifications required. If necessary, have someone stand in for the customer: support techs are good at that role. Bring cybersecurity expertise to the team, but don’t exclude anyone based on that criterion alone.
  5. Don’t worry about that old system, we don’t need to develop a threat model for that. This is a huge mistake – just look at some of the recent data breaches making headlines. Go back through the service catalog and build threat models for any systems that don’t have one. It could be a colossal task, but the cost of not protecting your data and systems is only getting higher.
  6. Fail to use Varonis Threat Models to protect data. We’ve already put in the time, research, and analysis to get you started – with hundreds of out-of-the-box threat models. Varonis threat models reduce the time required to complete your threat modeling by providing pre-configured and thoroughly researched threat models out of the box. Our threat models analyze behavior and activity across multiple platforms, and alert on suspicious activity and other behavior that indicates a potential data breach.

How Does Varonis Make Threat Modeling Easier?

Varonis has developed hundreds of threat models to detect potential malware, cyberattacks, security vulnerabilities, and unusual behavior. Our dedicated research lab of security experts and data scientists continually develop new threat models to help detect everything from evolving strains of ransomware to the stealthiest of zero-day malware to types of known cyberattacks based on behavioral profiles.

Check out a free 1:1 demo to see how Varonis threat models can help protect your data.

 

5 Ways to Protect Active Directory with Varonis

5 Ways to Protect Active Directory with Varonis

The fastest way to break into someone’s network is through Active Directory (AD) – it’s the key to the entire kingdom. If you need access to any server, you need to ask AD for permission.

Varonis monitors Active Directory to protect you from a myriad of cybersecurity threats. By combining knowledge of AD, file server activity, and perimeter telemetry, Varonis can detect threats in AD before they become full-blown data breaches.

Technical note: Active Directory and Directory Services are often used interchangeably. Active Directory is Microsoft’s directory service; LDAP is the protocol (one of several) used to query and modify it, not the directory itself.

How Does Varonis Monitor Active Directory?

Varonis gathers and stores the security event logs from your Domain Controllers (DC). We analyze the AD log data in context with file activity, VPN activity, DNS requests, and Proxy requests to paint a clear picture of normal and abnormal behavior. Varonis analyzes user behavior patterns over time and compares known behavior patterns to current activity – if there’s AD activity that looks suspicious, or deviates from the norm for a particular user (or type of user), it triggers an alert. Security teams use these alerts to detect active threats, while leveraging the Varonis UI to investigate how the incident occurred in the first place.

How Varonis Detects Credential Theft

Credential theft, the unlawful use of someone else’s login credentials, is one of the more common methods used to infiltrate networks. It’s always easier to steal a password than it is to brute force attack or hack through Kerberos. No matter how much you train users in cybersecurity principles and build out cybersecurity protections, your users remain the chink in your armor. On any given day, any given user can accidentally click a phishing link. Which means on top of all that training, it’s important to monitor for possible credential theft. Here are a few threat models that catch evidence of credential theft.

Threat Model: Abnormal access behavior: possible credential stuffing attack from a single source

How it works: Varonis detected multiple failed attempts to login with invalid user names or passwords from a single device.

What it means: Either an attacker is enumerating valid usernames to feed a brute force password attack, or they are replaying username/password pairs leaked in a prior data breach in the hope that someone reused a password, which is what makes it a credential stuffing attack. The good news is that at this point they do not have access to your network, and you can proactively shut them down: block the source and check whether any of the attempted accounts eventually logged in successfully.

Where it works: Directory Services

Threat Model: Abnormal behavior: unusual amount of devices accessed

How it works: Varonis continuously scans Directory Services for logins, comparing historical behavior patterns to the current data. In this case, the attacker has a user’s credentials, and they are probing the network to figure out what devices they can access with that account.

What it means: An attacker might be leveraging a user account in order to reach that user’s assets on multiple devices. At a minimum, you need to reset the account’s password and figure out how the account was compromised. You might need to do some digging to figure out where else the attacker went to make sure there are no data breaches.

Where it works: Directory Services
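The two credential-theft threat models above reduce to two checks on domain-controller logon telemetry: a single source failing for many different usernames, and an account touching far more hosts than its own history predicts. The script below is an added example (not Varonis code) that implements both over a constructed sample of logon records shaped like Windows 4624/4625 events; the thresholds, field names and sample data are assumptions.

```python
"""Two detections for the credential-theft threat models above, run over a
constructed sample of domain-controller logon telemetry. Added example, not
Varonis code; thresholds, field names and the sample are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2018, 9, 1, 9, 0, 0)

def logon(sec, user, src, host, success):
    """Build one logon record shaped like a 4624 (success) / 4625 (failure)."""
    return {"ts": T0 + timedelta(seconds=sec), "user": user, "src": src,
            "host": host, "success": success}

# --- constructed sample data (not real logs) ---------------------------------
CURRENT = (
    # 30 different usernames failing from one IP in 30 seconds: stuffing
    [logon(s, f"user{s:02d}", "10.0.5.77", "DC01", False) for s in range(30)]
    # one of the guessed pairs finally works
    + [logon(31, "user17", "10.0.5.77", "DC01", True)]
    # a service account retrying a stale password: many failures, ONE user
    + [logon(s, "svc_backup", "10.0.8.12", "DC01", False) for s in range(25)]
    # a human mistyping a password a few times
    + [logon(s, "bob", "10.0.9.9", "DC01", False) for s in range(3)]
    # jsmith suddenly touching seven hosts, five of them never seen before
    + [logon(60 + i, "jsmith", "10.0.2.15", h, True) for i, h in
       enumerate(["WS-JSMITH", "FS01", "FS02", "FS03", "SQL01", "HR-FS", "EXCH01"])]
    # anne behaving normally
    + [logon(70, "anne", "10.0.2.16", "WS-ANNE", True)]
    # a scanner account whose baseline is already dozens of hosts
    + [logon(100 + i, "svc_scan", "10.0.1.5", f"SRV{i:02d}", True) for i in range(42)]
)
HISTORY = (
    [logon(-86400 * d, "jsmith", "10.0.2.15", h, True)
     for d in range(1, 31) for h in ("WS-JSMITH", "FS01")]
    + [logon(-86400, "anne", "10.0.2.16", "WS-ANNE", True)]
    + [logon(-86400, "svc_scan", "10.0.1.5", f"SRV{i:02d}", True) for i in range(40)]
)

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=20, min_distinct_users=10):
    """Flag a source that fails for MANY DIFFERENT usernames inside `window`.
    The distinct-user floor separates stuffing / username enumeration from a
    single account retrying a stale password, which is a lockout problem."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["success"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        best, start = None, 0
        for end, ev in enumerate(fails):
            while ev["ts"] - fails[start]["ts"] > window:   # slide the window
                start += 1
            win = fails[start:end + 1]
            users = {f["user"] for f in win}
            if len(win) >= min_failures and len(users) >= min_distinct_users:
                if best is None or len(win) > best["failures"]:
                    best = {"src": src, "failures": len(win),
                            "distinct_users": len(users), "last_seen": ev["ts"]}
        if best:
            alerts.append(best)
    return alerts

def hosts_by_user(events):
    """Map each account to the set of hosts it logged on to successfully."""
    out = defaultdict(set)
    for e in events:
        if e["success"]:
            out[e["user"]].add(e["host"])
    return out

def detect_device_spread(history, current, factor=3, min_hosts=5):
    """Flag an account whose distinct-host count jumps versus ITS OWN baseline.
    Comparing to the account's history rather than a global number keeps
    scanner/service accounts that always touch many hosts quiet."""
    base, now = hosts_by_user(history), hosts_by_user(current)
    alerts = []
    for user, hosts in now.items():
        seen = base.get(user, set())
        if len(hosts) >= min_hosts and len(hosts) >= factor * max(len(seen), 1):
            alerts.append({"user": user, "baseline_hosts": len(seen),
                           "current_hosts": len(hosts),
                           "new_hosts": sorted(hosts - seen)})
    return alerts

if __name__ == "__main__":
    for a in detect_credential_stuffing(CURRENT) + detect_device_spread(HISTORY, CURRENT):
        print(a)
```

Run as-is, it reports one stuffing source (30 failures, 30 distinct users from 10.0.5.77) and one spread alert (jsmith, baseline 2 hosts, now 7); the retrying service account and the scanner account stay quiet, which is the point of the distinct-user floor and the per-account baseline.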

How Varonis Detects Privilege Escalations

Once attackers have access to your network, they will try to expand their access to Administrative or Domain Admin privileges. That type of activity – attempts at elevating access – is known as privilege escalation. Attackers use the privileges they already have to steal higher privileged access. There are several methods to gather more access and enable lateral movement through the network. Here are a few threat models that will detect attempts at privilege escalations.

Threat Model: Membership changes: admin groups

How it works: Varonis categorizes users and groups into four buckets: privileged, service, executive, and user. Privileged groups have admin-level permissions to at least a few, if not most, of the resources in your network. This threat model looks for any members added to or removed from admin (privileged) groups.

What it means: Someone added a user to or removed a user from an admin group. An attacker might add an account they control to a privileged group to get more access, or remove a legitimate admin to deny access and hinder the response to the attack. If the change happened outside of change control, it could be evidence of privilege escalation in a cyberattack.

Where it works: Directory Services
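Windows records privileged-group changes as Security events 4728/4732/4756 (member added to a security-enabled global, local or universal group) and 4729/4733/4757 (member removed). The script below is an added example (not Varonis code) that turns those events into the alert described above, grades each change against a change-control record, and escalates the “add myself, remove the real admin” sequence; the privileged-group list, the ticket format and the sample events are assumptions.

```python
"""Detection for the 'Membership changes: admin groups' threat model above,
run over constructed Windows Security events. Added example, not Varonis code;
the privileged-group list, change-ticket format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}     # member added to a security-enabled global/local/universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from the same three group types
# Built-in groups whose membership confers broad administrative rights (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators",
                     "Server Operators", "Group Policy Creator Owners"}

def change(event_id, ts, group, member, actor):
    """One 47xx event, keeping only the fields the detection needs."""
    return {"id": event_id, "ts": ts, "group": group, "member": member, "actor": actor}

# Constructed sample (not real logs).
EVENTS = [
    change(4728, datetime(2018, 9, 3, 14, 5), "Domain Admins", "CORP\\dba-ops", "CORP\\adm.hkim"),
    change(4728, datetime(2018, 9, 4, 2, 17), "Domain Admins", "CORP\\jsmith", "CORP\\svc_print"),
    change(4729, datetime(2018, 9, 4, 2, 18), "Domain Admins", "CORP\\adm.hkim", "CORP\\svc_print"),
    change(4728, datetime(2018, 9, 4, 9, 0), "Marketing", "CORP\\newhire", "CORP\\hr-admin"),
]
# Constructed change-control records: (group, member, window start, window end).
APPROVED_CHANGES = [
    ("Domain Admins", "CORP\\dba-ops", datetime(2018, 9, 3, 13), datetime(2018, 9, 3, 16)),
]

def is_approved(ev, approved):
    """A change is approved only if a ticket names the same group AND member
    and the event falls inside the ticket's window."""
    return any(g == ev["group"] and m == ev["member"] and start <= ev["ts"] <= end
               for g, m, start, end in approved)

def detect_admin_group_changes(events, approved):
    """One alert per privileged-group change. Ticketed changes are logged at
    'info'; an unticketed add is 'high'; an unticketed removal of an existing
    admin is 'critical', because it can lock the responders out."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["group"] not in PRIVILEGED_GROUPS or ev["id"] not in ADD_EVENTS | REMOVE_EVENTS:
            continue
        action = "added" if ev["id"] in ADD_EVENTS else "removed"
        ok = is_approved(ev, approved)
        severity = "info" if ok else ("high" if action == "added" else "critical")
        alerts.append({"ts": ev["ts"], "group": ev["group"], "member": ev["member"],
                       "actor": ev["actor"], "action": action, "approved": ok,
                       "severity": severity})
    return alerts

def detect_takeover_pattern(alerts, window=timedelta(minutes=10)):
    """Escalate when one actor makes two or more unapproved privileged changes
    inside `window`: the classic 'add myself, remove the real admin' sequence."""
    by_actor = defaultdict(list)
    for a in alerts:
        if not a["approved"]:
            by_actor[a["actor"]].append(a)
    patterns = []
    for actor, changes in by_actor.items():
        changes.sort(key=lambda a: a["ts"])
        if len(changes) >= 2 and changes[-1]["ts"] - changes[0]["ts"] <= window:
            patterns.append({"actor": actor, "changes": len(changes),
                             "members": [c["member"] for c in changes]})
    return patterns

if __name__ == "__main__":
    found = detect_admin_group_changes(EVENTS, APPROVED_CHANGES)
    for a in found:
        print(a["severity"].upper(), a["action"], a["member"], "->", a["group"], "by", a["actor"])
    print(detect_takeover_pattern(found))
```

On the sample, the ticketed dba-ops addition comes out as info, the 02:17 addition of jsmith as high, the 02:18 removal of adm.hkim as critical, and the two unticketed changes by svc_print within a minute of each other are reported together as a takeover pattern. The Marketing change is ignored because the group is not privileged.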

Threat Model: Failed privilege escalation detected via vulnerability in Kerberos

How it works: Varonis monitors domain user logons for Kerberos tickets that the KDC should never have issued, such as a Silver Ticket (a service ticket forged with a stolen service-account key) or a ticket whose PAC (Privilege Attribute Certificate) claims group memberships the account does not actually hold. Each logon contains details that Varonis analyzes for possible attempts to circumvent Kerberos authentication.

What it means: An attacker tried to exploit CVE-2014-6324 (MS14-068), a vulnerability in Microsoft’s Kerberos KDC that failed to properly validate the signature on the PAC. Any authenticated domain user could present a forged PAC claiming Domain Admin membership and receive a ticket that the domain honored, elevating themselves to domain administrator. Check out the Microsoft advisory for CVE-2014-6324 for all the details. Patch your DCs for this CVE if you have not already, and lock the attacker out of your network STAT!

Where it works: Directory Services

How Varonis Detects Lateral Movement

Assuming the attacker made it this far undetected – they may start looking around for sensitive data they can steal. We refer to this phase of the cyber kill chain as lateral movement, as the attackers are moving laterally across your network using the stolen access. Varonis identifies and monitors your sensitive data stores and AD to catch such shenanigans. Varonis identifies where sensitive data lives and categorizes each AD account as a service, executive, privileged, or user. Based on knowledge of what kind of data each account is accessing Varonis can make informed decisions and analysis about current user activity.

Threat Model: Abnormal behavior: unusual amount of logons to personal devices

How it works: Each time the attacker accesses a new server on the network, they generate a new login event. Varonis watches those login events for abnormal behavior, and a user hitting multiple servers in a short amount of time – especially ones that they have never accessed before – will raise a red flag.

What it means: Someone is behaving out of the ordinary, and it’s possible an attacker has compromised this user account. It might mean that they’ve accessed the network – and are now looking for data to steal.

Where it works: Directory Services

How Varonis Protects You From Encryption Downgrades

Strong encryption is vital to keeping usernames and passwords safe on our network, but it is not a foolproof solution on its own. Current versions of AD protect Kerberos tickets with AES, but attackers have figured out how to make the domain fall back to the much weaker RC4 cipher instead. This is an encryption downgrade attack. A sudden shift to RC4 is also the signature of the Skeleton Key malware, which patches LSASS on a domain controller so that it accepts a master password for any account, and which only works when tickets are negotiated with RC4. Varonis has a threat model that detects this kind of threat.

Threat Model: Encryption downgrade attack

How it works: Varonis monitors AD logons, and each Kerberos ticket event (Windows event 4768 for a TGT request, 4769 for a service ticket request) records which ticket encryption type was used. An increase in logons at weaker encryption types (RC4 or DES) relative to the domain’s normal mix triggers an alert.

What it means: The attackers are likely forcing weaker encryption, either so they can crack captured tickets offline or because a Skeleton Key implant on a domain controller only works with RC4. If it is Skeleton Key, they can authenticate as any user with the master password. The implant lives in LSASS memory and does not survive a reboot, but the domain controller has to be treated as compromised.

Where it works: Directory Services
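In the 4768/4769 events, the “Ticket Encryption Type” field is a numeric code (0x12 for AES256, 0x17 for RC4-HMAC, and so on), so the detection is a matter of comparing the share of weak codes in the current window against the domain’s own baseline, and listing the accounts that were AES-only yesterday but are RC4 today. The script below is an added example (not Varonis code) that does exactly that over a constructed week of ticket events; the thresholds and the sample are assumptions. A legacy scanner that has always used RC4 is included in the sample to show why a per-account baseline matters.

```python
"""Detection for the encryption-downgrade threat model above, run over a
constructed sample of Kerberos ticket events (Windows event 4768 for TGT
requests, 4769 for service-ticket requests). Added example, not Varonis code;
the thresholds and the sample are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# 'Ticket Encryption Type' values as logged in 4768/4769.
ETYPE = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
         0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
WEAK = {0x01, 0x03, 0x17, 0x18}   # DES and RC4: crackable offline, and what Skeleton Key forces

def ticket(ts, user, etype, client="10.0.2.15", event_id=4768):
    return {"ts": ts, "user": user, "etype": etype, "client": client, "id": event_id}

DAY = datetime(2018, 9, 4)
USERS = ("jsmith", "anne", "bob")
# Baseline week (constructed): AES everywhere, except one legacy scanner that has always used RC4.
BASELINE = [ticket(DAY - timedelta(days=d, minutes=m), u, 0x12)
            for d in range(1, 8) for m in range(0, 600, 10) for u in USERS]
BASELINE += [ticket(DAY - timedelta(days=d, minutes=m), "legacy_scan", 0x17, client="10.0.7.7")
             for d in range(1, 8) for m in range(0, 600, 60)]
# Current day (constructed): the same traffic, plus a run of RC4 tickets from one
# client for accounts that have only ever used AES, including the built-in Administrator.
CURRENT = [ticket(DAY + timedelta(minutes=m), u, 0x12) for m in range(0, 600, 10) for u in USERS]
CURRENT += [ticket(DAY + timedelta(minutes=m), "legacy_scan", 0x17, client="10.0.7.7")
            for m in range(0, 600, 60)]
CURRENT += [ticket(DAY + timedelta(hours=2, minutes=i), u, 0x17, client="10.0.5.77")
            for i, u in enumerate(["jsmith", "anne", "Administrator", "bob"] * 5)]

def weak_fraction(events):
    """(number of weak-etype tickets, their share of all tickets)."""
    weak = sum(1 for e in events if e["etype"] in WEAK)
    return weak, (weak / len(events) if events else 0.0)

def detect_encryption_downgrade(baseline, current, ratio=2.0, min_weak=10):
    """Two signals. 'fraction_alert': the share of weak tickets is at least
    `ratio` times the baseline share (and not just a handful of tickets).
    'downgraded_accounts': accounts with NO weak tickets in the baseline that
    now show weak tickets, with the clients they came from. The legacy scanner
    never appears there because it was already RC4 in the baseline."""
    base_weak, base_frac = weak_fraction(baseline)
    cur_weak, cur_frac = weak_fraction(current)
    base_weak_users = {e["user"] for e in baseline if e["etype"] in WEAK}
    newly_weak = defaultdict(lambda: {"tickets": 0, "clients": set(), "etypes": set()})
    for e in current:
        if e["etype"] in WEAK and e["user"] not in base_weak_users:
            rec = newly_weak[e["user"]]
            rec["tickets"] += 1
            rec["clients"].add(e["client"])
            rec["etypes"].add(ETYPE.get(e["etype"], hex(e["etype"])))
    fraction_alert = cur_weak >= min_weak and cur_frac >= ratio * max(base_frac, 1e-9)
    return {
        "alert": fraction_alert or bool(newly_weak),
        "fraction_alert": fraction_alert,
        "baseline_weak_fraction": base_frac,
        "current_weak_fraction": cur_frac,
        "current_weak_tickets": cur_weak,
        "downgraded_accounts": {u: {"tickets": r["tickets"], "clients": sorted(r["clients"]),
                                    "etypes": sorted(r["etypes"])} for u, r in newly_weak.items()},
    }

if __name__ == "__main__":
    result = detect_encryption_downgrade(BASELINE, CURRENT)
    print(f"weak share {result['baseline_weak_fraction']:.3f} -> {result['current_weak_fraction']:.3f}")
    for user, rec in result["downgraded_accounts"].items():
        print(user, rec)
```

On the sample the weak share goes from roughly 5% to roughly 14%, and four accounts (jsmith, anne, bob and Administrator) appear as newly downgraded, all from the same client, which is the pattern to chase first; the scanner stays out of the list.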

How Varonis Detects Threats Against Kerberos

If you are using AD, you are using Kerberos; if you are using Kerberos there are a few vulnerabilities you need to be aware of. Varonis is watching for activity related to those vulnerabilities.

Threat Model: Potential pass-the-ticket attack

How it works: Varonis analyzes Active Directory logs for evidence of access to a resource that bypassed the standard Kerberos process and proper authorization.

What it means: Someone is trying to break into your network – unless your new interns are on the Red Team. An attacker is likely using a stolen ticket to get access to resources. One possible attack is the Golden Ticket attack, which means you have a lot of clean-up work ahead of you to contain that threat.

Where it works: Directory Services

With hundreds of built-in threat models, DatAlert detects everything from golden ticket attacks to abnormal lockout behavior to DNS poisoning. You can take automatic action to disable a compromised account, kill active sessions, and even send alerts to your SIEM for further analysis and correlation.

Understanding Active Directory is vital to protecting companies from data breaches, and active monitoring of Active Directory can be the difference between a failed attempt and data theft.

Get a 1:1 demo of Varonis and discover how we do data security differently.

CryptoLocker: Everything You Need to Know

CryptoLocker

What is CryptoLocker?

CryptoLocker is by now a well known piece of malware that can be especially damaging for any data-driven organization. Once the code has been executed, it encrypts files on desktops and network shares and “holds them for ransom”, prompting any user that tries to open the file to pay a fee to decrypt them. For this reason, CryptoLocker and its variants have come to be known as “ransomware.”

Malware like CryptoLocker can enter a protected network through many vectors, including email, file sharing sites, and downloads. New variants have successfully eluded anti-virus and firewall technologies, and it’s reasonable to expect that more will continue to emerge that are able to bypass preventative measures. In addition to limiting the scope of what an infected host can corrupt through buttressing access controls, detective and corrective controls are recommended as a next line of defense.

Cryptolocker can enter through

FYI, this article is CryptoLocker specific. If you’re interested in reading about ransomware in general, we’ve written A Complete Guide To Ransomware that is very in-depth.

Update September 2018: Ransomware attacks have decreased significantly since their peak in 2017. CryptoLocker and its variants are no longer in wide distribution, and new ransomware has taken over. Ransomware has evolved into more of a targeted attack instead of the previous wide-distribution model, and is still a threat to businesses and government entities.

What Does CryptoLocker Do?

On execution, CryptoLocker scans the local drives and any mapped network shares the host is connected to for folders and documents (see affected file-types), and renames and encrypts those that it has permission to modify, as determined by the credentials of the user who executes the code.

CryptoLocker uses hybrid encryption: each file is encrypted with a symmetric AES key, and that key is in turn encrypted with a 2048-bit RSA public key whose private half stays with the attackers, so the files cannot be recovered without it. It renames the files by appending an extension, such as .encrypted or .cryptolocker or .[7 random characters], depending on the variant. Finally, the malware creates a file in each affected directory linking to a web page with decryption instructions that require the user to make a payment (e.g. via bitcoin). Instruction file names are typically DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html.

As new variants are uncovered, information will be added to the Varonis Connect discussion on Ransomware.  For example, a variant known as “CTB-Locker” creates a single file in the directory where it first begins to encrypt files, named, !Decrypt-All-Files-[RANDOM 7 chars].TXT or !Decrypt-All-Files-[RANDOM 7 chars].BMP.

How to Prevent CryptoLocker

The more files a user account has access to, the more damage malware can inflict. Restricting access is therefore a prudent course of action, as it will limit the scope of what can be encrypted. In addition to offering a line of defense for malware, it will mitigate potential exposure to other attacks from both internal and external actors.

While getting to a least privilege model is not a quick fix, it’s possible to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups like “Everyone,” “Authenticated Users,” and “Domain Users,” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares,” if both file system and sharing permissions are accessible via a global access group.

Although it’s easiest to use technologies designed to find and eliminate global access groups, it is possible to spot open shares by creating a user with no group memberships and using that account’s credentials to “scan” the file sharing environment. For example, even basic net commands from a Windows CMD shell can be used to enumerate and test shares for accessibility:

    • net view (enumerates nearby hosts)
    • net view \\host (enumerates shares)
    • net use X: \\host\share (maps a drive to the share)
    • dir /s (enumerates all the files readable by the user under the share)

These commands can be easily combined in a batch script to identify widely accessible folders and files. Remediating these without automation, unfortunately, can be a time-consuming and risky endeavor, as it’s easy to affect normal business activity if you’re not careful. If you uncover a large amount of accessible folders, consider an automated solution. Automated solutions can also help you go farther than eliminating global access, making it possible to achieve a true least-privilege model and eliminate manual, ineffective access-control management at the same time.

How to Detect CryptoLocker

CryptoLocker example

If file access activity is being monitored on the affected file servers, these behaviors generate very large numbers of open, modify, and create events at a very rapid pace, and are fairly easy to spot with automation, providing a valuable detective control. For example, if a single user account modifies 100 files within a minute, it’s a good bet something automated is going on. Configure your monitoring solution to trigger an alert when this behavior is observed. Varonis DatAlert monitors and tracks file system behavior for ransomware attacks out-of-the-box. There is no need for extra configuration if Varonis is monitoring your data.

If you don’t have an automated solution to monitor file access activity, you may be forced to enable native auditing. Native auditing, unfortunately, taxes monitored systems and the output is difficult to decipher. Instead of attempting to enable and collect native audit logs on each system, prioritize particularly sensitive areas and consider setting up a file share honeypot.

A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using dumpel.exe).

If you’re PowerShell inclined, we’ve written a bit on how to combat CryptoLocker with PowerShell.

If your detective control mechanism can trigger an automated response, such as disabling the user account, the attack is effectively stopped before inflicting further damage. For example, a response to a user that generates more than 100 modify events within a minute might include:

  • Notifying IT and security administrators (include the affected username and machine)
  • Checking the machine’s registry for known keys/values that CryptoLocker creates (the key lives under HKCU, so the check has to run in the context of the affected user on that machine):
    • `(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames()`
  • If the key or its values exist, disable the user automatically.
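The detective control described above (the 100-files-a-minute burst, the honeypot share, the ransom note drop) and the response that follows fit in a short script. The one below is an added example, not Varonis code or a CryptoLocker sample: it runs the three checks over a constructed sample of file-server audit events, then builds the response plan, disabling the account outright only when the burst is corroborated by a honeypot hit or a ransom note. The share paths, thresholds, honeypot location and event sample are assumptions.

```python
"""Detective control for the CryptoLocker behaviour described above, run over
a constructed sample of file-server activity: a burst detector (more than 100
modify/rename/create events from one account inside a minute), a honeypot
share nobody should touch, a ransom-note check, and the response that follows.
Added example, not Varonis code; paths, thresholds, the honeypot location and
the event sample are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOT_SHARES = (r"\\FS01\Finance_Archive",)          # assumed honeypot share
# Note file names the article lists for CryptoLocker and CTB-Locker.
RANSOM_NOTE = re.compile(
    r"(?:DECRYPT_INSTRUCTIONS?\.(?:txt|html)|!Decrypt-All-Files-\w{7}\.(?:TXT|BMP))$", re.I)
WRITE_OPS = {"modify", "rename", "create"}

T0 = datetime(2018, 9, 4, 10, 0, 0)

def fs_event(sec, user, host, op, path):
    return {"ts": T0 + timedelta(seconds=sec), "user": user, "host": host, "op": op, "path": path}

# Constructed sample (not real audit data).
EVENTS = []
for i in range(4):                                    # anne saving a few docs over ten minutes
    EVENTS.append(fs_event(150 * i, "anne", "WS-ANNE", "modify", rf"\\FS01\Shared\Notes\week{i}.docx"))
for i in range(150):                                  # jdoe's box encrypting a project tree
    doc = rf"\\FS01\Shared\Projects\doc{i:03d}.docx"
    EVENTS.append(fs_event(i / 4, "jdoe", "WS-JDOE", "modify", doc))
    EVENTS.append(fs_event(i / 4, "jdoe", "WS-JDOE", "rename", doc + ".encrypted"))
EVENTS.append(fs_event(5, "jdoe", "WS-JDOE", "modify", r"\\FS01\Finance_Archive\Q3_payroll.xlsx"))
EVENTS.append(fs_event(38, "jdoe", "WS-JDOE", "create", r"\\FS01\Shared\Projects\DECRYPT_INSTRUCTION.txt"))

def detect_bursts(events, window=timedelta(minutes=1), threshold=100):
    """Per-user sliding window over write-type events; report the busiest window."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] in WRITE_OPS:
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        best, start = None, 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best["events"]):
                best = {"user": user, "events": count,
                        "hosts": sorted({x["host"] for x in evs[start:end + 1]}),
                        "window_start": evs[start]["ts"], "window_end": ev["ts"]}
        if best:
            alerts.append(best)
    return alerts

def detect_honeypot_access(events, shares=HONEYPOT_SHARES):
    """Any touch of a honeypot share is suspicious; there is no legitimate use."""
    prefixes = tuple(s.lower() for s in shares)
    return [e for e in events if e["path"].lower().startswith(prefixes)]

def detect_ransom_notes(events):
    return [e for e in events
            if e["op"] == "create" and RANSOM_NOTE.search(e["path"].rsplit("\\", 1)[-1])]

def plan_response(events):
    """Turn the three detections into actions. A burst alone gets a notify plus a
    registry check on the source host; a burst corroborated by a honeypot hit or
    a ransom note gets the account disabled immediately."""
    honey_users = {e["user"] for e in detect_honeypot_access(events)}
    note_users = {e["user"] for e in detect_ransom_notes(events)}
    actions = []
    for b in detect_bursts(events):
        actions.append({"action": "notify", "user": b["user"], "hosts": b["hosts"], "events": b["events"]})
        for host in b["hosts"]:
            # The key is per-user (HKCU), so this must run as the affected user on that host.
            actions.append({"action": "check_registry", "host": host, "user": b["user"],
                            "command": r"(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames()"})
        if b["user"] in honey_users or b["user"] in note_users:
            actions.append({"action": "disable_account", "user": b["user"],
                            "reason": "burst corroborated by honeypot or ransom-note activity"})
    return actions

if __name__ == "__main__":
    for a in plan_response(EVENTS):
        print(a)
```

On the sample, jdoe produces 302 write events in under a minute, touches the honeypot share five seconds in, and drops DECRYPT_INSTRUCTION.txt; the plan therefore notifies, queues the registry check on WS-JDOE, and disables the account, while anne’s four saves generate nothing. In practice the honeypot hit alone, arriving well before the 100-event threshold, is worth an immediate page.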

If recorded access activity is preserved and adequately searchable, it becomes invaluable in recovery efforts, as it provides a complete record of all affected files, user accounts, and (potentially) hosts. Varonis customers can use the output from report 1a (as described here) to restore files from a backup or shadow copy.

Depending on the variant of CryptoLocker, encryption may be reversible with a real-time disassembler.

Ransomware Safety Tips

Ransomware safety tips

  • Update your antivirus and endpoint protection software – these solutions can help detect certain types of ransomware and prevent it from encrypting your files.
  • Avoid phishing scams – phishing emails are the most prevalent delivery mechanism for ransomware.
  • Keep backups of your documents – it’s much faster and easier to recover your documents from a backup than it is to decrypt them, if they’ve been compromised in a ransomware attack.
  • Commit to a zero-trust/least privilege model – ransomware can only affect the folders a user can write to. A least privilege model limits that access to only what’s absolutely necessary.
  • Monitor file activity and user behavior to detect, alert and respond to potential ransomware activity.

New ransomware variants are popping up all the time – luckily our dedicated security forensics team does the legwork for you and diligently updates the ransomware signatures that Varonis detects. See how it works with a free 1:1 demo and learn more about how our ransomware defense architecture is designed to protect enterprise data from zero-day attacks beyond the endpoint – catching ransomware that traditional perimeter security doesn’t see.

Cerber Ransomware: What You Need to Know

cerber ransomware

What is Cerber?

Cerber ransomware is ransomware-as-a-service (RaaS): the developer licenses Cerber to affiliates over the internet and splits the ransom with them. In exchange for handing the developer roughly 40% of each ransom, an affiliate can sign up and deliver as much Cerber as they want. Most ransomware at the time did not use this service paradigm; typically an attacker would adapt and deliver the ransomware themselves and keep all of the money. By setting up Cerber as RaaS, the developer and partners are able to send more attacks with less work.

Cerber is an example of evolved ransomware technology. The author of the ransomware offloads the work of finding targets and infecting systems to a partner in exchange for a cut of the profit. The partner gets a highly functional piece of software they are free to distribute, and bitcoin keeps the exchanges all anonymous and difficult to track.

How Do You Recognize Cerber Ransomware?

If the screenshot looks like your desktop wallpaper, you’ve been infected with the Cerber ransomware.

Of course, if you do see that screen, it is probably too late to save your files. You can pay the ransom and hope the attackers send you a working decryption key, but many victims who pay never get one. Cerber and ransomware in general fall under the “an ounce of prevention is worth a pound of cure” paradigm. Your best bet is to avoid infection in the first place.

How Do You Remove Cerber Ransomware?

The best and most complete option to remove Cerber ransomware is to rebuild your operating system from a backup. If you have a recent backup, you’ll also be able to recover your encrypted files. As Ripley said, “Nuke it from orbit, it’s the only way to be sure.”

Current Anti-Virus programs can detect most ransomware including Cerber, and prevent it from running. Once Ransomware has started to encrypt your files, take the affected computer offline to prevent it from spreading to other computers or network drives.

One of Cerber’s particularly nasty tricks is that it is easy to wrap inside other delivery mechanisms. For example, a dropper or rootkit can disable your anti-virus before it downloads and activates Cerber. After an infection, you can remove the Cerber ransomware, but that doesn’t necessarily mean you removed the malware that delivered it to your computer.

No matter what you do with the ransomware itself, you aren’t going to be able to get the files decrypted. Cerber uses RSA encryption, and it’s not feasible to crack that encryption in a timely manner – even for the most sophisticated computer. Hopefully, you have a good recent backup of your important documents.

How Do You Prevent Cerber Ransomware?

Cyberthieves distribute ransomware by phishing email or infected websites. The best way to prevent Cerber (or any ransomware) attacks is by practicing good cybersecurity. Here are a few tips:

  • Don’t get phished.
  • Keep your Anti-Virus software updated.
  • Backup your documents regularly.

Varonis DatAlert provides immediate response to limit ransomware attacks in progress that threaten your most important data.

Six Cerber Ransomware Statistics

cerber ransomware statistics

  • At its peak in early 2017, Cerber accounted for 26% of all ransomware infections.
  • In July 2016, about 150,000 windows users were infected by Cerber through 161 identified campaigns.
  • Cerber generated $2.3 million (estimated for attackers in 2016).
  • Cerber developers released updates almost weekly, which kept the ransomware out in the world for longer than usual.
  • In the first half of 2018, ransomware infections have dropped by 42% and 50% for businesses and consumers, respectively.
  • There have been 0 reported Cerber ransomware attacks in 2018 as attackers move to newer ransomware like GandCrab, SamSam, and Spartacus.

Get a 1:1 demo to learn how to set up alerts to trigger on known ransomware variants like Cerber, recognize ransomware activity, and stop cyberattacks before it’s too late.

What is Incident Response? A 6-Step Plan

Incident Response 6-Step Plan

“We don’t rise to the level of our expectations, we fall to the level of our training.” – Archilochus

Incident Response is the art of cleanup and recovery when you discover a cybersecurity breach. You might also see these breaches referred to as IT incidents, security incidents, or computer incidents – but whatever you call them, you need a plan and a team dedicated to managing the incident and minimizing the damage and cost of recovery.

Some organizations call this team the Computer Security Incident Response Team (CSIRT) – there are other permutations of that acronym out there like Security Incident Response Team (SIRT) or Computer Incident Response Team (CIRT). The mission of this team is the same no matter what you call it – to enact the company’s established incident response plan when the bat-signal goes up.

You do have a company approved incident response (IR) plan, right?

Importance of Incident Response

If you work in data security, you deal with security incidents on a day-to-day basis. Occasionally, a minor security issue turns out to be a real live panic situation. When the bat-signal does light up will everyone know what to do? Will every CSIRT member know their role and responsibilities and follow the approved plan?

When the stakes get high and the pressure intensifies, the CSIRT will perform as they have practiced. If there’s no plan in place, there’s no guarantee they’ll be able to properly respond to a cybersecurity incident. The IR plan defines how to identify, contain, and manage data security incidents.

However, simply having an IR plan isn’t enough: the CSIRT team needs to run practice scenarios so they are adequately prepared for the real thing.

On top of all that, there is often a time crunch. Data breach notification laws are becoming more common: the GDPR, for instance, requires companies to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. California and Colorado are enacting similar rules in the US, and that trend is likely to continue.

6 Steps to a Successful Incident Response Plan

Incident Response Plan

SANS published their Incident Handler’s Handbook a few years ago, and it remains the standard for IR plans. It’s a 6-step framework that you can use to build your specific company plan around.

  1. Preparation: Your CSIRT needs to perform like a finely tuned machine when the time comes, and that takes work. Define a corporate security policy: this typically includes acceptable use of company data, consequences for security violations, and definitions on what qualifies as a security incident. Define a step-by-step guide of how the CSIRT should handle a security incident, including documentation of incidents and both internal and external communications.
  2. Identification: Define what criteria activates the CSIRT. It could be a specific kind of issue – like “found a random USB drive on the floor” or a Varonis DatAlert “Brute Force Attack Detected” that triggers the IR plan. It could also be a cumulative set of circumstances that trigger the plan: for example, an abnormal access alert combined with an alert on an unusual upload to a cloud storage site in the same hour might be a trigger.
  3. Containment: Contain the threat. There are two types of containment: short-term and long-term. Short-term containment is the immediate response that stops the threat from spreading and doing further damage, such as isolating the affected hosts from the network. Take forensic images or backups of all affected systems to preserve their current state for later analysis. Long-term containment returns systems to production so standard business operations can resume, but without the accounts and backdoors that allowed the intrusion.
  4. Eradication: Establish a process to restore all of the affected systems. A good starting place is to reimage all systems involved in the incident and remove any traces of the security incident. These steps should include the specifics about the disk cloning software and images your company has validated. Lastly, update your defense systems to prevent the same kind of security incident from occurring again.
  5. Recovery: Determine how to bring all systems back into full production after verifying that they are clean and free of any nastiness that could lead to a new security incident.
  6. Lessons Learned: Review the documentation of the incident with the CSIRT for training purposes. Update the IR plan based on feedback and any identified deficiencies.

Who is Responsible for Incident Response?

Incident Response

Whatever you call your CSIRT team, they need to be a well-rounded team of professionals. They could be full-time security practitioners, or may have other job responsibilities in the organization and their assignment to CSIRT is a secondary role.

Some of the roles on a CSIRT team are:

  • Incident Response Manager: The lead of the CSIRT team that oversees the IR plan in action.
  • Security Analysts: The ground troops responsible for threat neutralization and containment of an active security incident.
  • Threat Researchers: The team responsible for providing research and intelligence to add context to the security incident. They often search for other incidents and analyze logs for other hints and clues about the incident.

In addition to the primary roles, you may want to include some cross-functional support from other areas of the company:

  • Management: The management team provides resources and buy-in to the CSIRT team and IR plan.
  • Human Resources: HR is often brought in to support the CSIRT efforts if an employee is involved.
  • General Counsel: Compliance and regulation are an integral part of data security, so get the lawyers involved, possibly as part of the full-time team. You might also have a full-time compliance officer fulfill this role.
  • Public Relations: PR can help manage communications after an incident, especially now that data breaches need to be public information so quickly.

What to Do After a Cyber Incident?

The dust settles, the bad guys are defeated, and the CSIRT team followed the IR plan to the letter. What next? Take stock and resupply for the next encounter. Re-run vulnerability and risk assessments and close any new gaps in security.

Tighten up the IR plan or add new forensics or monitoring. Implement the full Varonis Data Security Platform to add best-in-class data security analytics for advanced warning and behavioral analysis of all your data.

Varonis Powers Up a CSIRT

Varonis monitors your data, VPN, DNS, email, and more to catch cybersecurity threats before they become data breaches. Our threat models detect behaviors that match known attacks across the cybersecurity kill chain and warn on deviations from normal behavior patterns. It would take months (or likely years) for a CSIRT to code comparable threat models on their own.

Varonis enables teams to visualize security threats with an intuitive dashboard and investigate security incidents – even track alerts and assign them to team members for closure. You can even incorporate rich context and data security intelligence from Varonis into your favorite SIEM for better breach detection.

Get a 1:1 demo to see how customers use Varonis as part of their incident response strategy – it’s a game changer for incident response.

What is a Distributed Denial of Service (DDoS) Attack?

DDoS Attack

A Distributed Denial of Service (DDoS) attack is an attempt to crush a web server or online system by overwhelming it with traffic. DDoS attacks can be simple mischief, revenge, or hacktivism, and can range from a minor annoyance to long-term downtime resulting in loss of business.

Attackers hit GitHub with a DDoS attack peaking at 1.35 terabits per second (Tbps) in February 2018, using exposed memcached servers as amplifiers. That’s a massive attack, and it’s doubtful that it will be the last of its kind.

How Does a DDoS Attack Work?

DDoS attacks are most often carried out by botnets, large groups of compromised computers acting in concert, simultaneously flooding a website or service provider with requests.

Attackers use malware or unpatched vulnerabilities to install command-and-control (C2) agents on victims’ systems to build a botnet. DDoS attacks rely on a high number of computers in the botnet to achieve the desired effect, and the easiest and cheapest way to get control of that many machines is by leveraging exploits or default credentials. The 2016 attack on the Dyn DNS service used the Mirai botnet, built from IP cameras, DVRs and other IoT devices that still had their default passwords.

Once the botnet is ready, the attackers send the start command to all of their botnet nodes, and the bots then send their programmed requests to the target server. If the attack makes it past the outer defenses, it quickly overwhelms most systems, causes service outages, and in some cases crashes the server. The end result of a DDoS attack is primarily lost productivity or service interruption – customers can’t see a website.

While that may sound benign, the cost of a DDoS attack averaged $2.5 million in 2017. Hackers launch DDoS attacks for reasons ranging from childish pranks to revenge against a business to political activism.

Common Types of DDoS Attacks

Application Layer Attacks

Application layer DDoS attacks aim to exhaust the resources of the target and disrupt access to the target’s website or service. Attackers load the bots with a complicated request that taxes the target server as it tries to respond. The request might require database access or large downloads. If the target gets several million of those requests in a short time, it can very quickly get overwhelmed and either slowed to a crawl or locked up completely.

An HTTP Flood attack, for example, is an application layer attack that targets a web server on the target and uses many fast HTTP requests to bring the server down. Think of it as pressing the refresh button in rapid fire mode on your game controller. That kind of traffic from many thousands of computers at once will quickly drown the web server.

HTTP Flood Attack Example

Protocol Attacks

Protocol DDoS attacks target the networking layer of the target systems. Their goal is to overwhelm the table spaces of the core networking services, the firewall, or load balancer that forwards requests to the target.

In general, network services work off a first in, first out (FIFO) queue: the first request comes in, the computer processes it, then fetches the next request in the queue, and so on. There are a limited number of spots in this queue, and in a DDoS attack the queue can grow so large that the computer no longer has the resources to deal with even the first request.

A SYN flood attack is a specific protocol attack. In a standard TCP/IP network transaction, there is a 3-way handshake: the SYN, the ACK, and the SYN-ACK. The SYN is the first part, which is a request of some kind, the ACK is the response from the target, and the SYN-ACK is the original requester saying “thanks, I got the information I requested.” In a SYN flood attack, the attackers create SYN packets with fake IP addresses. The target then sends an ACK to the dummy address, which never responds, and the target sits there waiting for all those responses to time out, which in turn exhausts the resources needed to process all of these fake transactions.

SYN Flood Attack
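A defender sees a SYN flood as a connection table full of half-open entries (the server has answered the SYN but the handshake never completes) from a wide spread of source addresses, while established connections stay few. The following is an added example, not code from the original post: it summarises a constructed connection-table snapshot in the spirit of `netstat`/`ss` output and flags that pattern; the `SYN_RECV`/`ESTABLISHED` labels and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample, not real captured data: one entry per connection,
# "src_ip state". Two normal clients plus 40 half-open entries from 40 sources.
SAMPLE_CONNECTIONS = [
    "203.0.113.5 ESTABLISHED",
    "203.0.113.7 ESTABLISHED",
] + [f"198.51.100.{i} SYN_RECV" for i in range(1, 41)]


def parse_connections(lines):
    """Yield (src_ip, state) tuples from 'ip state' lines; skip malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        yield parts[0], parts[1]


def syn_flood_indicators(lines, half_open_ratio=0.5, min_half_open=20):
    """Summarise the connection table and decide whether it looks like a SYN flood.

    Suspicious when at least `min_half_open` connections are stuck in SYN_RECV
    and they make up at least `half_open_ratio` of all entries (assumed thresholds).
    """
    states = Counter()
    half_open_sources = set()
    for src, state in parse_connections(lines):
        states[state] += 1
        if state == "SYN_RECV":
            half_open_sources.add(src)
    total = sum(states.values())
    half_open = states["SYN_RECV"]
    ratio = half_open / total if total else 0.0
    return {
        "total": total,
        "half_open": half_open,
        "established": states["ESTABLISHED"],
        "distinct_half_open_sources": len(half_open_sources),
        "half_open_ratio": round(ratio, 3),
        "suspicious": half_open >= min_half_open and ratio >= half_open_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(SAMPLE_CONNECTIONS))
```

The distinct-source count matters because spoofed SYNs arrive from many addresses at once, so per-source blocking alone does not help; SYN cookies or an upstream scrubbing service is the usual answer.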

Volumetric Attacks

The goal of a volumetric attack is to use the botnet to generate a massive amount of traffic and clog up the works on the target. Think of it like an HTTP Flood attack, but with an added exponential response component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop wouldn’t be able to fulfill those requests. Volumetric attacks operate on the same principle. They request something from the target that will vastly increase the size of the response, and the amount of traffic explodes and clogs up the server.

DNS Amplification is a kind of volumetric attack. In this case, the attackers target the DNS server directly and request a large amount of data back from it, which can bring the DNS server down and cripple anyone that uses that DNS server for name resolution.

DNS Amplification Example

DDoS Attacks Today

Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to business. Attack sizes are increasing, growing from 150 requests per second in the 1990s – which would bring a server of that era down – to the recent DYNDNS and GitHub attacks at 1.2 TBs and 1.35 TBs respectively. The goal in both of these attacks was to disrupt two major sources of productivity across the globe.

These attacks used new techniques to achieve their huge bandwidth numbers. The Dyn attack used an exploit found in Internet of Things (IoT) devices to create a botnet, in what became known as the Mirai botnet attack. Mirai used open telnet ports and default passwords to take over Wi-Fi-enabled cameras to execute the attack. This attack was a childish prank but exposed a major vulnerability that comes with the proliferation of IoT devices.

The GitHub attack exploited the many thousands of servers running memcached, an open-source memory caching system, on the open internet. Memcached happily responds with huge amounts of data to simple requests, so leaving these servers on the open internet is a definite no-no.

Both of these attacks show a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? On the bright side, GitHub wasn’t even brought down by the attack.

What’s more, DDoS attacks have never been easier to execute. With multiple DDoS-as-a-Service options available, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to execute a DDoS attack against their target of choice.

How to Mitigate a DDoS Attack

How did GitHub survive that massive DDoS attack? Planning and preparation, of course. After 10 minutes of intermittent outages the GitHub servers activated their DDoS mitigation service. The mitigation service rerouted incoming traffic and scrubbed the malicious packets, and about 10 minutes later the attackers gave up.

In addition to paying for DDoS mitigation services from companies like CloudFlare and Akamai, you can employ your standard endpoint security measures. Patch your servers, keep your memcached servers off the open internet, and train your users to recognize phishing attacks.

You can turn on black hole routing during a DDoS attack to send all traffic to the abyss. You can set up rate limiting to cap the number of requests a server accepts in a short amount of time. A properly configured firewall can also protect your servers.
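To make the rate-limiting point concrete, here is an added example (not code from the original post or from Varonis) of a per-client sliding-window limiter replayed over constructed request timestamps: one browser-like client making a request every two seconds and one flooding client sending 50 requests inside a second. The limit of 10 requests per second and the client addresses are assumptions for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any trailing `window` seconds.

    Each client keeps a deque of recent request timestamps; entries older than
    the window are dropped before deciding, so a burst is judged against the
    full trailing window rather than against fixed clock buckets.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._history = defaultdict(deque)

    def allow(self, client, now):
        q = self._history[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the cap: drop the request or answer HTTP 429
        q.append(now)
        return True


def replay(limiter, requests):
    """Feed (timestamp, client) pairs through the limiter in time order.

    Returns per-client counts of allowed and denied requests.
    """
    tally = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client in sorted(requests):
        key = "allowed" if limiter.allow(client, ts) else "denied"
        tally[client][key] += 1
    return dict(tally)


# Constructed traffic, not a real capture: a client requesting every 2 s and a
# flooding client firing 50 requests 20 ms apart (all within one second).
SAMPLE_REQUESTS = [(t * 2.0, "203.0.113.10") for t in range(10)] + [
    (i * 0.02, "198.51.100.99") for i in range(50)
]

if __name__ == "__main__":
    print(replay(SlidingWindowLimiter(limit=10, window=1.0), SAMPLE_REQUESTS))
```

The normal client is never throttled, while the flooder gets 10 requests through and the remaining 40 are refused; keying on the client address works for a single noisy source but not for a botnet spread over thousands of addresses, which is where upstream scrubbing takes over.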

Varonis monitors your DNS, VPN, Proxies, and data to help detect signs of an impending DDoS attack against your corporate network. Varonis Data Security Analytics track behavior patterns and generate warnings when current behavior matches a threat model or deviates from standard behavior. This can include malware botnet attacks or significant increases in network traffic. Get a live 1:1 demo to see how Varonis protects your data from DDoS attacks and more.