Commentary from Darktrace on DDoS attacks on StarHub
Date: 26 October 2016
By Sanjay Aurora, Managing Director, Asia-Pacific, Darktrace
Why would hackers target StarHub’s DNS? What is there to gain?
DDoS victims may never learn what truly motivated an attack. However, what we’ve seen is that such attacks can serve as a distraction, staged by adversaries to draw attention away from other intrusions they carry out simultaneously within the organisation’s network environment, such as delivering malware, opening a route into a key enterprise subscriber or perpetrating a large-scale ransomware attack.
In this sense, DDoS is used to achieve maximum damage with minimum effort, causing widespread disruption and panic, while the underlying motivation is financial gain or the extraction of sensitive information and data. Above all else, the reputational damage caused by successful cyberattacks can have long-term business implications.
Should the other telcos or ISPs be worried? And why?
The core infrastructure of telecommunications companies is a very desirable target for cybercriminals. Having said that, gaining access is extremely difficult and requires deep expertise in specialist architecture. Such intrusions are therefore usually initiated by highly skilled and well-resourced international advanced persistent threat (APT) groups or nation-state attackers, who have a strong interest in obtaining inner network access to intercept calls and data, or to control, track and impersonate subscribers.
What ISPs should be wary of is the possibility of similar DNS amplification attacks on a more regular basis, given that they require relatively little skill and effort but can cause a large amount of damage. This makes them increasingly popular among hackers.
DNS-based amplified DDoS attacks can impact networks by saturating bandwidth with malicious traffic. They can also generate a spike in support calls due to service disruption, raising an operator’s costs and giving customers a poor user experience that causes attrition, in turn impacting revenue.
What can local organisations do to safeguard themselves from such attacks?
Where DDoS attacks are concerned, companies are often either victims of the attack, like StarHub, or unwilling participants, through compromised external data centres or computers and routers belonging to enterprise subscribers that become ‘zombie machines’. This means that all organisations are equally vulnerable and one company’s IT resources can be used against another.
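The DNS amplification and victim-or-accomplice points above, as an added example that is not part of Darktrace’s commentary: a small detector over constructed flow records (src, dst, source port, destination port, bytes) that flags inside hosts receiving DNS responses they never requested and inside resolvers answering outside queries with amplified responses. The 10.0.0.0/8 inside prefix, the amplification threshold and all addresses are assumptions.

```python
"""Flag DNS amplification patterns in flow records (added example, not
Darktrace's code).  Flows are constructed tuples: (src, dst, sport, dport, bytes).
victim:     an inside host receives DNS responses from resolvers it never queried;
accomplice: an inside host answers outside DNS queries with large responses,
            i.e. an open resolver usable to reflect traffic at a third party.
"""
from collections import defaultdict

INSIDE_PREFIX = "10."   # assumption: the monitored network is 10.0.0.0/8
DNS_PORT = 53
MIN_AMP_FACTOR = 5.0    # response bytes must be >= this multiple of query bytes

def inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def find_reflection_victims(flows):
    """inside_ip -> bytes of DNS responses not explained by a query from that host."""
    asked = {(s, d) for s, d, _, dport, _ in flows
             if dport == DNS_PORT and inside(s) and not inside(d)}
    unsolicited = defaultdict(int)
    for s, d, sport, _, nbytes in flows:
        if sport == DNS_PORT and not inside(s) and inside(d) and (d, s) not in asked:
            unsolicited[d] += nbytes
    return dict(unsolicited)


def find_open_resolvers(flows):
    """inside_ip -> (distinct outside queriers, amplification factor) for inside
    hosts answering outside queries at MIN_AMP_FACTOR or more."""
    qbytes, rbytes, queriers = defaultdict(int), defaultdict(int), defaultdict(set)
    for s, d, sport, dport, nbytes in flows:
        if dport == DNS_PORT and not inside(s) and inside(d):      # query coming in
            qbytes[d] += nbytes
            queriers[d].add(s)
        elif sport == DNS_PORT and inside(s) and not inside(d):    # response going out
            rbytes[s] += nbytes
    return {h: (len(queriers[h]), round(rbytes[h] / q, 1))
            for h, q in qbytes.items() if q and rbytes[h] / q >= MIN_AMP_FACTOR}


# Constructed sample: 10.0.0.5 queried 192.0.2.53 once but receives big responses
# from two resolvers it never asked; 10.0.0.53 answers three outside hosts.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.53", 40000, 53, 70), ("192.0.2.53", "10.0.0.5", 53, 40000, 120),
    ("198.51.100.7", "10.0.0.5", 53, 40001, 3900), ("203.0.113.9", "10.0.0.5", 53, 40002, 4100),
    ("192.0.2.10", "10.0.0.53", 40003, 53, 64), ("10.0.0.53", "192.0.2.10", 53, 40003, 3900),
    ("192.0.2.11", "10.0.0.53", 40004, 53, 64), ("10.0.0.53", "192.0.2.11", 53, 40004, 3900),
    ("192.0.2.12", "10.0.0.53", 40005, 53, 64), ("10.0.0.53", "192.0.2.12", 53, 40005, 3900),
]
```

On the sample, 10.0.0.5 shows 8000 bytes of unsolicited responses (the victim view) and 10.0.0.53 is answering three outside queriers at roughly 61x amplification (the accomplice view).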
To prevent IT resources and devices from becoming unwilling accomplices in botnet attacks, organisations must have full visibility of unusual behaviours and movement within their network environments. Attacks like the ones against StarHub prove once again that traditional rule- or perimeter-based cybersecurity approaches that look for pre-identified or ‘known’ threats are no longer working. All organisations, including ISPs, experience thousands of minor incidents daily, and it is impossible to keep up manually. They must therefore rely on new technologies like unsupervised machine learning and advanced algorithms that detect these incidents in real time and point out which of them are early indicators of a more serious and ‘unknown’ threat.
Finally, we cannot rule out the possibility that the DDoS attack was caused by the IoT botnet ‘Mirai’, given that its source code has been released online and there has since been a rise in attacks of a similar nature. IoT devices have never been more a part of our lives, in and outside of work. Although IoT is making our lives easier, it’s also putting us at risk, as it is becoming painfully apparent how easy these devices are to hack.
This brings to light our need for better visibility into both existing and new technology, and the environments in which they are becoming entrenched. If we don’t take steps to do this now, we’ll continue to see a growing pool of vulnerable devices that can be harnessed for malicious botnet attacks.