In recent years, distributed denial of service (DDoS) attacks have become more frequent and sophisticated. Attackers continue to find new ways to flood target networks with massive-scale attacks that have grown exponentially and crossed the terabit attack rate.

Radware executive Itay Raviv suggests this has become a major concern for enterprises and carriers worldwide, as the impact of these hyper volumetric DDoS attacks can be devastating. They cause extended downtime, financial losses and reputational damage.

That’s why it’s critically important that organisations are prepared to detect and mitigate these vicious attacks and why deploying the right type of mitigation platform is so important.

The Terabit DDoS attack era is here to stay. One of the emerging trends of DDoS attacks is hyper volumetric floods. These attacks generate traffic of more than a staggering 1Tbps (terabits per second).

A significant threat to organisations, terabit DDoS attacks can quickly overwhelm a network infrastructure and disrupt critical services.

Some of the largest recorded volumetric attacks include:

• Google Services was targeted with a volumetric attack of 2.54Tbps.
• Amazon AWS Infrastructure was targeted with a 2.3Tbps attack.
• Microsoft Azure reported three terabit attacks: one of 3.47Tbps and two others that were more than 2.5Tbps.

In May 2021, Radware successfully mitigated a hyper volumetric DDoS attack that peaked at almost 1.5Tbps. This volumetric carpet-bombing attack against the targeted subnet lasted for 36 hours. It had a sustained throughput of over 700Gbps for more than eight hours.

The total volume generated by this attack was 2.9Pbps, which was one-and-a-half times the information contained in all U.S. academic research libraries. And it was all successfully blocked.

Terabit volumetric floods are here to stay, and a proper mitigation device is a must for organisations to protect themselves.

Nielsen’s Law of Internet Bandwidth states that a user’s bandwidth grows 50% each year. It has held true for the past 40 years, from 1983 to 2023. This, along with 5G and 6G networks moving forward, proves human consumption and speed rate demands are enormous. Rest assured this won’t slow down any time soon.

To support this increasing demand, data centres, carriers, service providers and cloud platforms must keep up with the vast amounts of data. They have already adopted the latest network technology that has introduced 400G network infrastructure for high bandwidth and faster data transmission speeds.

What’s needed is a DDoS mitigation platform that will support these high throughput rates. They will need to keep up with the demanding throughput by having 400G data ports that can sustain and process detection and mitigation.

So how can organisations protect themselves against Terabit DDoS attacks? The answer lies in implementing a scalable and robust state-of-the-art DDoS mitigation solution with protection level tiers. The solution should include:

Multi-layered protection:  A multi-layered approach is crucial in mitigating Terabit DDoS attacks. This involves deploying a combination of the right network infrastructure, a mitigation appliance that can handle ultra-high-end rates and cloud-based solutions to ensure a diverse range of defences.

Traffic scrubbing:  This involves filtering out malicious traffic from legitimate traffic, enabling a network to remain online during an attack. A dedicated and robust DDoS mitigation hardware platform is great for combating Terabit DDoS attacks, but it isn’t enough.

On the software side, a behavioural DDoS countermeasure approach is needed to make sure attacks are quickly detected and traffic is automatically filtered. This lets legitimate traffic in while keeping attack traffic out.

High port density, scale and performance:  To handle huge amounts of traffic, whether during peacetime or while under attack, the mitigation platform hardware and software must be capable of handling high volumetric rates; very few can accomplish this.

Picking the right platform is key. Whether deploying the detection and mitigation platform inline or out-of-path will ensure a sustainable, clean and DDoS-free environment for customers.

To protect large network infrastructures, such as carriers, Tier-1 service providers and large enterprises, the mitigation platform must support high port density to inspect incoming traffic, remove threats and pass legitimate traffic to the protected network without creating a bottleneck.

It should include several 100G data ports, and, if possible, 400G data ports. This will enable it to accommodate large network infrastructures.

Having high visibility and simplified management are crucial aspects of a DDoS mitigation platform. High visibility of the network and packet flow ensures that network administrators have clear and concise information, whether during peacetime or during an attack.

Information should include the attack’s origin, the type of attack and the impact on the network. This information is vital in helping administrators make informed decisions on how to best mitigate the attack and reduce damages.

Additionally, simplified management makes it easier for administrators to efficiently configure and manage the DDoS mitigation platform. This is particularly important in high-pressure situations where time is of the essence; the faster mitigation is implemented, the better.

Having the right management solution to provide visibility and control over high-end mitigation platforms is critical. The right high-end mitigation platform, along with a great management and analytics system, ensures organisations can protect their networks effectively and efficiently from Terabit DDoS attacks.

Doing so will minimise disruptions to operations and ensure systems and customers remain up and running and are secure.

Cloud security evangelist at Gigamon, Stephen Goudreault, advises that as with all technology, new tools are iterations built on what came before, and classic network logging and metrics are no different.

He says that tooling, instrumenting and monitoring of network traffic are virtually unchanged across the private cloud and on-premises. Many of the logs and metrics in use today are nearly two decades old and were originally designed to solve for billing, among other problems.

“Visibility into traffic flow patterns was an added bonus. Traffic logging just happens to be the use case that has endured,” says Goudreault. “However, this reliance on established methods has left some vulnerabilities in network and port spoofing.”

But what is port spoofing and why is it important?

Like application and data visibility on the network, many rules and RFCs now in use were written over a decade ago and describe how something ‘should’ work, although there are no real rules enforcing that.

This provides a lot of flexibility for possible deployments that are rarely used. When an application or service is misconfigured or if a bad actor wants to evade detection, even the slightest changes to standard ports can hamper most current visibility and detection schemes.

Port spoofing is a known technique, and MITRE ATT&CK has a whole category dedicated to this kind of evasion.

One of the most common and versatile examples of evading visibility is using Secure Shell (SSH) protocol on non-standard ports. SSH is usually assigned to port 22.

Security tools assume SSH traffic will use port 22, and nearly every security team in the world keeps that port tightly locked down. Common practice is to block this port at the perimeter and call things secure. Easy, right?

Not so fast. What if a bad actor changed the default port on their SSH traffic? Port 443 is widely used for HTTPS/TLS and is nearly always kept open.

HTTPS traffic is ubiquitous in the modern enterprise, for both business critical and personal activities. IT firewalls are not going to routinely block port 443/HTTPS, thus making it an ideal point of entry for attackers.

Changing SSH to operate on 443 is a simple task. There are many forums that provide detailed instructions on legitimate and illegitimate reasons to do this. Almost all modern cloud visibility tools will report the traffic as what it appears to be, not what it actually is.

Even workloads in the cloud can misidentify their own connections. An active SSH session can be misreported as TLS because the Linux OS assumes the type of connection based only on the port.

The network gets it wrong, and the operating systems tools get it wrong as well by reporting this traffic as a known known.

Nearly all traffic is assessed by its TCP and UDP ports today. This leads to many assumptions as to the nature of the traffic. This is true in the public cloud, in private cloud, and on-prem.

In today’s ever more security-conscious world, making assumptions about the nature of traffic isn’t as safe as it once was. SSH is a very powerful tool that threat actors can use for file transfers, tunnelling, and lateral movement across any network.

This is just one example of how a single tool can have many uses. Factor in other applications and protocols, and the realisation of how much can’t be seen becomes daunting. MITRE has its own category for port spoofing, and the trend is only growing.

East-West traffic requires deep observability too. Next-generation firewalls (NGFWs) have solved for this problem on-premises at perimeters points. The public cloud, however, is a different story, and this problem has yet to be solved at scale for East and West or laterally.

VPC flow logs only record the conversations that took place along with the port number, without really knowing what application or protocol was in use. Deep observability with deep packet inspection investigates the conversation and can properly identify the applications and protocols in use.

My company calls this application intelligence, which currently identifies more than 5,000 applications, protocols, and attributes in network traffic inspection.

Application metadata intelligence doesn’t just look at outer headers, it also looks deeper into the packet. We look deep into the unique characteristics of the packet that define a given application. This is called deep observability.

If an attacker is connecting via SSH from workload A to workload B in the same subnet, my company’s deep observability pipeline, using application intelligence, sees the traffic for what it really is and reports it to the security tools.

In this case, we can alert tech that there is SSH traffic masquerading as web traffic on port 443. This depth of observability can be easily spanned East and West across your entire enterprise including the public cloud and container-to-container communications.

In the public cloud, deep packet inspection has a unique set of challenges. There is no broadcast, and to inspect traffic there either needs to be a security VPC to funnel traffic through or traffic mirroring.

The second and less complicated option is to mirror the traffic to appropriate tools. Gigamon solves for this second solution. The benefits include less deployment complexity and operational friction without impairing performance as an inline inspection path would.

The known knowns are that developers will continue to run fast, DevOps will inadvertently deploy unknown or misconfigured applications, and threat actors will continually seek to exploit these vulnerabilities to create blind spots.

SecOps will try to verify rules and protections, which can only really be accomplished with deep observability with network-derived intelligence and insights.

If an organisation can’t detect a simple use case of SSH on a non-standard port, what other known unknowns could be lurking in its hybrid cloud infrastructure?

As has been reported worldwide recently, Microsoft has disclosed a zero-day (CVE-2023-23397) on email and comms platform Outlook.

Mandiant research has linked the zero-day to Russian threat actor APT28.

CVE-2023-23397 is a vulnerability in the Outlook client that requires no user interaction and for which proof of concept exploits are now widely available. Mandiant Threat Intelligence considers this a high-risk vulnerability due to the possibility of privilege escalation with no user interaction or privileges required for exploitation. Following exploitation an attacker could authenticate to multiple services and move laterally. Exploitation of the zero-day is trivial and it will likely be leveraged imminently by actors for espionage purposes or financial gain.

Mandiant believes the zero-day has been used for almost a year to target organisations and critical infrastructure. These targets could facilitate strategic intelligence collection as well as disruptive and destructive attacks inside and outside of Ukraine.

Mandiant has created UNC4697 to track early exploitation of the zero-day. The vulnerability has been in use since April 2022 against targets across government, logistics, oil/gas, defence, and transportation industries located in Poland, Ukraine, Romania, and Turkey.

Mandiant anticipates broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially-motivated actors, including both criminal and cyber espionage actors. In the short-term, these actors will race against patching efforts to gain footholds in unpatched systems.

Proof-of-concepts are already widely available for the zero-day which requires no user interaction.

In addition to the collection of intelligence for strategic purposes, Mandiant believes this zero-day was used to target critical infrastructure inside and outside of Ukraine in preparation for potential disruptive or destructive cyberattacks.

Note that this vulnerability does not affect cloud-based email solutions.

John Hultquist, Head of Mandiant Intelligence Analysis – Google Cloud, said of the zero-day:

“This is more evidence that aggressive, disruptive and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything. While preparation for attacks do not necessarily indicate they are imminent, the geopolitical situation should give us pause.”

“This is also a reminder that we cannot see everything going on with this conflict. These are spies and they have a long track record of successfully evading our notice.”

“This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun.”

Adversary Operations has created UNC4697 to track exploitation of the zero-day which has been publicly attributed to APT28.

APT28 is a Russian military intelligence (GRU) actor that regularly carries out cyber espionage and information operations within and outside of Ukraine. APT28 frequently collaborates with the GRU actor Sandworm, who is responsible for disruptive and destructive attacks.

NEC Australia, a leading cyber security solutions and services company, has partnered with Exabeam, a global cybersecurity leader and creator of New-Scale SIEM™ for advancing security operations, to provide a full spectrum threat detection, investigation, and response (TDIR) service to the Australian market.

NEC’s Managed SIEM + XDR service leverages the Exabeam Security Operations Platform to provide a cloud-scale security information and event management (SIEM) solution along with extended detection and response (XDR). NEC’s managed service supports both government and enterprise customers to gain extended visibility, detailed user and entity analysis, and effective threat detection and response across all areas of their IT environments.

Connell Perera, National Portfolio Manager Security, NEC Australia, said: “After a thorough analysis of leading SIEM and XDR technology vendors, including consulting our global cybersecurity network, we were excited to partner with Exabeam. Exabeam enables NEC Australia to effectively manage exposure to cyberattacks across our customers’ distributed, complex networks whilst meeting regulatory and industry compliance requirements.”

“There is no doubt that Australia is facing a rise in cyberthreats. Anomalous behaviours are becoming even more prevalent across the spectrum of industries and critical infrastructure. It is essential for organisations to partner with a trusted, well-resourced service provider to counter these threats. It is an honour to work with NEC to help make that happen,” concludes Gareth Cox, VP of Sales APJ, Exabeam.

NEC’s managed service offerings are built upon industry-leading technologies that deliver mutual value. As such, each service has been fully defined, scoped, and built to cater for the Australian marketplace with a unique value proposition and benefits to NEC customers.

Powered by Exabeam, NEC’s SIEM + XDR solution is designed to provide a 24x7x365 ‘endpoint to cloud’ security monitoring for both NEC clients and NEC Australia’s own network and systems infrastructure, plus cloud services and more.

The service focuses on identifying unusual and suspicious behaviour through real-time visibility of threats mapped to the global threat landscape. The Exabeam platform provides all key elements of the SIEM + XDR service. This includes advanced real-time and historical log correlation, security log management and retention, and advanced behaviour analytics that leverage threat intelligence to provide greater context of the security posture of an environment.

NEC’s Managed SIEM + XDR service will leverage all components of the Exabeam Security Operations Platform, which include:

• Cloud-scale Security Log Management
  A cloud-native data lake architecture to securely ingest, parse, and store security data at scale from any location, providing a lightning-fast search and dashboarding experience across multi-year data.

• Powerful Behavioural Analytics
  Over 1,800 rules and 750+ behavioural model histograms automatically baseline normal behaviour of users and devices to detect, prioritise, and respond to anomalies based on risk.

• Automated Investigation Experience
  An automated experience across the TDIR workflow which reduces manual routines, accelerates investigations, reduces response times, and ensures consistent, repeatable results.

Sean Abbott, Director Channel and Alliances for Asia-Pacific at Exabeam, said of the partnership: “Our strategic partnership with NEC provides Exabeam with a local connection to a true powerhouse in the global systems integrator space. We’re excited for the numerous possibilities opening for Exabeam in untapped markets.”

To learn more about the Exabeam New-Scale SIEM portfolio of products, visit https://www.exabeam.com/product/

Radware® has introduced a next-generation cloud application security centre as part of its cloud security service growth initiative, which is focused on innovation and scalability.

The new security centre, in Tel Aviv, Israel, home to the company’s headquarters, complements the company’s existing cloud DDoS scrubbing centre, also in Israel.

The addition of the new centre follows the recent rollout of facilities in Australia, Canada, Chile, Italy, New Zealand, Taiwan, and the United Arab Emirates. The facilities are part of Radware’s worldwide cloud security service network, which includes more than 50 security centres and delivers an attack mitigation capacity of 12Tbps.

The centres are designed to reduce traffic latency as well as increase service redundancy and mitigation capacity to help customers defend against denial-of-service attacks, web application attacks, malicious bot traffic, and attacks on APIs. They also help increase resiliency and comply with offshore data routing requirements.

“Radware’s security centres deliver a global footprint, network and application security, true multi-tenant service, as well as high resiliency,” said Zion Zvi, CEO at Trustnet, a leading integration and consulting company in the field of information and cyber security. “Radware’s latest cloud expansion offers a great service to Israeli organizations in need of rapid response times and scalable protection.”

The Israeli cloud application security centre supports Radware’s 360-degree Cloud Application Protection Service, which spans from the browser side to the server side. The best-of-suite offering includes the company’s cloud-based web application firewall, bot manager, API protection, application-layer DDoS protection, and its recently released client-side protection.

To deliver a higher level of application security with lower false positives, the security is based on automated, machine-learning based algorithms that learn legitimate user behavior and then separate malicious and legitimate traffic. Dozens of Israeli customers rely on Radware’s cloud security services.

According to Radware’s 2022 Global Threat Analysis Report, the number of DDoS attacks rose by 150% compared to 2021. Web application and API attacks increased 128% year over year, significantly out pacing the 88% increase in attacks between 2020 and 2021.

“Fuelled by the increasing frequency and sophistication of cyber attacks and strong business demand, we continue to expand our global cloud security footprint across major geographies,” said Haim Zelikovsky, vice president of cloud security services for Radware.

“The cloud security centres combine state-of-the-art protection and ultra-high bandwidth performance to defend against the most harmful network and application attacks.”

Industry analysts such as Forrester Research, Gartner, GigaOm, KuppingerCole and Quadrant Knowledge Solutions continue to recognise Radware as a market leader in cyber security. The company has received numerous awards for its application and API protection, web application firewall, bot management, and DDoS mitigation solutions.

Deep observability company Gigamon has announced new research findings from IDC, conducted with more than 900 IT leaders globally, which offers CIOs, CISOs and their IT organisations insights to drive performance, protection and productivity with observability across their digital infrastructures.

The IDC White Paper* also affirms that harnessing the power of network-derived intelligence and insights is critical in detecting today’s increasingly sophisticated security threats across hybrid and multi-cloud infrastructure.

With 95 percent of organisations claiming to have experienced a ransomware attack in 2022,  security remains top of mind for IT leaders regardless of their industry. According to the IDC White Paper, over 60 percent of respondents believe that today’s observability solutions serve narrow requirements and fail to provide a complete view of current operating conditions.

To address today’s rapidly evolving security requirements, enhancing traditional observability capabilities that rely on metrics, events, logs, and traces (MELT) with real-time network-derived intelligence and insights is essential to mitigate security risks across hybrid and multi-cloud infrastructure.

Only with this deep observability can organisations find the greatest value from observability across both on-premises systems and cloud services, core and edge components, and cybersecurity functions.

“Networking, cybersecurity and observability are becoming intertwined. IT organisations are looking to leverage an immutable source of truth and more collaborative management efforts to break down siloed technology approaches, position themselves for long-term success, and, ultimately, deliver the best possible business outcomes,” said Mark Leary, research director with IDC.

“Deep observability must be prioritised as IT organisations look to fully realize the transformational promise of a resilient and responsive digital infrastructure and continually maintain a strong security posture to meet today’s digital business requirements.”

Key findings:

• The top cited benefits of observability include security (34 percent), staff productivity (33 percent), and digital/user experience (25 percent).Observability also delivers a mix of both tactical (e.g., resolution, continuity, tracking) and strategic (e.g., experience, governance, innovation) benefits.
• Over 75 percent of organisations use or plan to use deep observability solutions to support automation efforts in future years. Deep observability can enable a hierarchical platform-based approach in which detailed data and artificial intelligence (AI)/machine learning (ML)–driven analysis can produce a single source of truth, converge data and tools, and enable talent to deploy, operate, repair, and enhance digital infrastructures in a timely manner.
• The market will see increased investments in cloud services over the next few years, with over half of respondents (51 percent) citing it as a priority. In fact, 72 percent of organisations strongly agree that cloud service intelligence should be leveraged to optimise costs and secure information. Cost from technical debt and the complexity of supporting multiple generations of infrastructure are some of the biggest barriers for organisations in achieving their digital infrastructure resiliency goals.
• Network-derived intelligence can support adherence to SANS 20 Critical Security Controls, potentially eliminating 98 percent of possible attack vectors. Today, over 50 percent of respondents state that they actively share network intelligence across IT teams, and more than 60 percent of organisations are making progress in leveraging these insights in their security management practices.

“Over 90 percent of organisations operate in a hybrid and multi-cloud world, yet security blind spots remain a significant barrier for technology leaders looking to get the most out of their cloud investments,” said Chaim Mazal, Gigamon’s chief security officer.

“This research not only points to the critical role that deep observability plays in securing complex cloud environments but the necessary convergence of NetOps and SecOps teams in fortifying modern cybersecurity practices. Gigamon is leading the industry into the next stage of observability, rooted in cross-functional team collaboration, proactive detection, and threat remediation.”

The findings are based on a survey, conducted by IDC, of over 900 global IT leaders across North America, APAC, and EMEA, which included a mix of major industries (financial, manufacturing, retail/wholesale, healthcare, transport/utilities, education, government, and professional services).

All respondents held roles of manager or above, with key decision-making responsibilities for observability functions and solutions that span across IT operational domains, including networking, security, and cloud.

For detailed survey results, click here. To learn more about the Gigamon Deep Observability Pipeline and how it can help your organization navigate its multi-cloud journey click here.

*Doc. #US49816122, November 2022