As the new year approaches, it can be difficult to remember all the cyberattacks the world has faced in the past year, let alone prepare for what the new year may bring. With this in mind, I’ve come up with a list of best-practice tips to help prevent, or at minimum detect, a cyberattack.
Given the many types of cyberattacks out there, it can be difficult to know how best to approach them. First, let’s go over two types of attack to keep an eye out for, then let’s go over ways you can prevent or detect them.
A distributed denial-of-service (DDoS) attack is a form of cyberattack that focuses on interrupting a network service. This is achieved when an attacker sends high volumes of traffic or data at the target network until the network becomes overloaded (thus denying service). You can think of this in terms of a juggler. The juggler may be able to juggle very well with only three or four items, but if someone were to throw more items at the juggler, he could lose control and drop everything; this is basically what happens when a network becomes overloaded.
DDoS attacks tend to be the easiest to identify, but they can often come in under the guise of something else. In a reflective DDoS attack, for example, the bulk of the traffic does not arrive from one source IP but from hundreds, thousands, or millions of reflecting hosts, depending on the scale of the attack. In the case of the Tumblr outage last week, the DDoS attack left many users unable to connect to the site, while others experienced extremely high latency.
A data leak is, as it sounds, the leaking of data from an organization or an individual. These attacks are really the result of other types of attacks. Among these are phishing attacks (where malicious actors attempt to gain sensitive information such as passwords by disguising themselves as a trustworthy entity, like a bank), malware (where malicious actors use software embedded on a user’s computer to gain information from the system, including password details, account information, or personally identifiable information (PII), such as social security numbers), and unpatched software vulnerabilities (where malicious actors take advantage of unpatched software on computer systems to retrieve information from those systems). Through such mechanisms, breaches like the COMELEC leak or the breach of the US Office of Personnel Management become more likely.
What to look for to prevent and detect cyberattacks.
Both DDoS attacks and data leaks are becoming more and more common. As I mentioned previously, just last week Tumblr fell prey to a DDoS attack, leaving its users unable to access their content. In more severe cases, as with the DDoS attack on Dyn, a portion of the Internet became inaccessible, including large sites like Twitter and Etsy.
So, what’s one to do about such attacks? Well, according to RFC 3704, much of the groundwork for preventing DDoS has already been laid. Essentially, Unicast Reverse Path Forwarding (RPF), as defined in RFC 3704, is an “evolution of the concept that traffic from known invalid networks should not be accepted on interfaces from which they should never have originated.” In other words, don’t allow a packet through if its source address could not legitimately have arrived on that interface. The primary principle is that a packet is only forwarded if it arrives on the interface the router would use for its best route back to the packet’s source address, ensuring that:
- packets coming into an interface come from (potentially) valid hosts, as indicated by the corresponding entry in the routing table.
- packets with source addresses that could not be reached via the input interface can be dropped without disruption to normal use, as they are probably from a misconfigured or malicious source.
There are three modes in RPF, each described in RFC 3704.
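As an added example (not code from the original post), the following Python simulates the uRPF check from RFC 3704 against a constructed routing table, showing why strict mode drops a packet whose source address belongs behind a different interface while loose mode only rejects sources with no route at all. The interface names, prefixes and the "loose-nodef" mode label are assumptions for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (prefix -> egress interface) for a small edge
# router: two customer prefixes sit behind eth1/eth2, everything else is
# reached via the default route on the upstream interface eth0.
ROUTES = [
    (ip_network("0.0.0.0/0"), "eth0"),        # default route, upstream
    (ip_network("192.0.2.0/24"), "eth1"),     # customer A
    (ip_network("198.51.100.0/24"), "eth2"),  # customer B
]


def routes_to(src, ignore_default=False):
    """All routing-table entries covering `src`, longest prefix first.
    With ignore_default=True the 0.0.0.0/0 entry does not count."""
    addr = ip_address(src)
    hits = [(n, i) for n, i in ROUTES if addr in n]
    if ignore_default:
        hits = [(n, i) for n, i in hits if n.prefixlen > 0]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)


def urpf_accept(src, ingress, mode="strict"):
    """uRPF check for a packet with source `src` arriving on `ingress`.
    strict:      the best route back to `src` must leave via `ingress`.
    loose:       any route back to `src` is enough, whatever the interface.
    loose-nodef: like loose, but a hit on the default route does not count,
                 so sources with no real route are still dropped."""
    if mode == "strict":
        hits = routes_to(src)
        return bool(hits) and hits[0][1] == ingress
    if mode == "loose":
        return bool(routes_to(src))
    if mode == "loose-nodef":
        return bool(routes_to(src, ignore_default=True))
    raise ValueError(f"unknown uRPF mode: {mode}")


if __name__ == "__main__":
    # Customer B's address space showing up on customer A's port: dropped.
    print(urpf_accept("198.51.100.9", "eth1", "strict"))      # False
    # The same source on its own interface is legitimate.
    print(urpf_accept("198.51.100.9", "eth2", "strict"))      # True
    # Loose mode accepts it because *a* route to the source exists...
    print(urpf_accept("198.51.100.9", "eth1", "loose"))       # True
    # ...while loose-nodef still drops a source known only via the default.
    print(urpf_accept("203.0.113.7", "eth1", "loose-nodef"))  # False
```

Note that with a default route present, plain loose mode accepts every source, which is exactly why RFC 3704 discusses ignoring default routes.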
Now, while RPF resolves many issues with DDoS attacks, it does nothing to prevent or detect data leaks. To address those, we need effective monitoring to see where and how traffic is moving throughout the network. The easiest and arguably most effective method is to use the NetFlow or IPFIX data already available from your existing network switches, routers, and firewalls. This data gives you a way to detect where your data is leaving the network and from which devices it is being sent. Additionally, it will help you identify misconfigured devices.
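As an added example (not from the original post), here is a small Python script that does the kind of review described above over constructed NetFlow/IPFIX-style records exported as CSV by a collector: it sums bytes each internal host sends to each external destination and flags hosts whose outbound volume to a single destination exceeds a baseline. The CSV layout, the internal address ranges and the byte threshold are assumptions; a real deployment would derive the baseline from each host’s normal traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: start time, src IP, dst IP, dst port, bytes.
# Two internal-to-internal SMB flows are noise; two hosts push large
# volumes to external destinations.
FLOWS = """\
2016-12-28 09:00:01,10.0.0.12,10.0.0.5,445,18200
2016-12-28 09:00:05,10.0.0.12,192.0.2.10,443,6100
2016-12-28 09:01:10,10.0.0.31,192.0.2.10,443,4800
2016-12-28 09:02:00,10.0.0.31,198.51.100.77,443,52000000
2016-12-28 09:03:12,10.0.0.31,198.51.100.77,443,61000000
2016-12-28 09:04:40,10.0.0.44,10.0.0.5,445,9000
2016-12-28 09:05:02,10.0.0.44,203.0.113.9,22,31000000
"""

# Assumed internal address space (RFC 1918 ranges).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in n for n in INTERNAL)


def parse_flows(text):
    """Parse the CSV flow export into a list of dicts."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        recs.append({"ts": ts, "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return recs


def outbound_volume(recs):
    """Bytes sent by each internal host to each external (dst, port)."""
    vol = defaultdict(int)
    for r in recs:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            vol[(r["src"], r["dst"], r["dport"])] += r["bytes"]
    return vol


def flag_exfil(recs, threshold_bytes=25_000_000):
    """(src, dst, port, bytes) for every internal host that sent more than
    `threshold_bytes` to one external destination in the record set."""
    return sorted((s, d, p, b) for (s, d, p), b in outbound_volume(recs).items()
                  if b > threshold_bytes)


if __name__ == "__main__":
    for hit in flag_exfil(parse_flows(FLOWS)):
        print("large outbound transfer:", hit)
```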
There are a few more things that need to be done to prevent cyberattacks in 2017. Education is a critical factor. Firstly, it is important to be on guard at all times when clicking on links in emails; malicious emails are a prime source of infections for machines on a network. Educating employees about how to recognize phishing is very important. We’ve created a game to help educate the public about phishing attacks called Click Click Phish. Secondly, reviewing network patterns and understanding your current network will help you more easily detect when something is awry.
So now that we know some steps we can take, let’s look to the new year, with all its challenges, with hope, for we know there are cyberattacks out there, but we are now more prepared.
Happy New Year!