Preparing for increasingly sophisticated DDoS attacks - DEEP
To disrupt the activities of various organisations, cybercriminal groups are deploying increasingly sophisticated denial-of-service attacks. These attacks, which take account of the business context, target critical web applications in particular. To deal with the threat, we need to prepare in advance by adopting a risk-based approach.
For a cyber-attacker, one of the main challenges is to cause harm as effectively as possible, i.e. by optimising the resources mobilised to disrupt the activity of the targeted organisation. With this in mind, hackers are constantly improving their approaches. This has been particularly evident in recent months in the implementation of so-called Distributed Denial of Service (DDoS) attacks. ‘Traditionally, these attacks consist of directing data flows to a specific IP address or range of addresses, with the aim of saturating the connectivity of a specific application or company and paralysing it,’ comments Nicolas Villatte, Head of CyberDefence at POST Luxembourg. Since the start of Russia's special operation in Ukraine, we have seen that DDoS attacks have become more sophisticated, to the extent that the protection elements normally used are no longer sufficient.
Attacks targeting applications
How are these ‘new DDoS attacks’ different? ‘The attackers are not just focusing on the volume aspect. They are also incorporating an application dimension into their approach to carry out asymmetric attacks’, continues the cybersecurity expert. The idea is to target web applications with requests optimised to generate a heavy load on the system. It's no longer just a question of saturating the lines, but also of stressing the web servers to the point of bringing them down.
With this type of attack, it is no longer necessary to generate a large volume of data to disrupt the availability of a service.
Threats that are harder to stop
‘To achieve their goals, attackers first carry out reconnaissance to identify application requests that require server power or database queries,’ continues Nicolas Villatte. Faced with a traditional DDoS attack, it was fairly simple to separate legitimate traffic from non-legitimate traffic. In this case, it's much more complex. The attack is carried out in the specific context of the organisation by imitating a legitimate user. It is therefore more difficult to distinguish legitimate requests from those that are not.
Faced with an attack, it may be tempting to block traffic from suspect countries. However, we mustn't forget that some legitimate users may be there. Certain services may also depend on IT platforms established in these countries. ‘To identify illegitimate traffic, we need to carry out more detailed analyses of the activity involved. The aim is to detect patterns that correspond to suspicious approaches so that we can specifically block the requests that correspond to them’, comments Nicolas Villatte.
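The pattern analysis described above, as an added example that is not part of the original article: a volume-only heuristic (requests per client) flags the busy but harmless user and misses the client sending a handful of expensive requests, while weighting each request by the server time it consumed flags the right one. The log format (combined log with the upstream response time in milliseconds appended), the IP addresses, paths and timings are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log: four slow, database-heavy requests from one
# client and twelve cheap static-asset requests from another, all within 60 s.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /search?q=%25a%25 HTTP/1.1" 200 812 1840',
    '203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "GET /search?q=%25b%25 HTTP/1.1" 200 790 1910',
    '203.0.113.10 - - [10/Oct/2023:13:55:05 +0000] "GET /report/export?year=2010 HTTP/1.1" 200 4021 2370',
    '203.0.113.10 - - [10/Oct/2023:13:55:06 +0000] "GET /search?q=%25c%25 HTTP/1.1" 200 801 1790',
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /static/f{s}.js HTTP/1.1" 200 900 4'
    for s in range(1, 13)
]

# Combined log format with one extra trailing field: response time in ms.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

def parse_line(line):
    """Return (client_ip, timestamp, response_ms) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["ms"])

def flag_clients(lines, window_s=60, max_requests=None, budget_ms=None):
    """Return the client IPs that, within any sliding window of window_s seconds,
    exceed max_requests (volume heuristic) or whose requests consumed more than
    budget_ms of server time in total (cost heuristic). Either limit may be None."""
    windows = defaultdict(deque)  # ip -> deque of (timestamp, response_ms)
    flagged = set()
    events = [e for e in map(parse_line, lines) if e]
    for ip, ts, ms in sorted(events, key=lambda e: e[1]):
        win = windows[ip]
        win.append((ts, ms))
        while (ts - win[0][0]).total_seconds() > window_s:  # drop expired entries
            win.popleft()
        if max_requests is not None and len(win) > max_requests:
            flagged.add(ip)
        if budget_ms is not None and sum(m for _, m in win) > budget_ms:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    print("volume heuristic flags:", flag_clients(SAMPLE_LOG, max_requests=10))
    print("cost heuristic flags:  ", flag_clients(SAMPLE_LOG, budget_ms=5000))
```

The budget of 5 s of server time per client per minute is a placeholder; in practice it is derived from the measured cost profile of the application's own heavy endpoints.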
Preserving critical services
‘It is when it comes to incident response that we need to step up our efforts to prepare properly. Above all, it's a question of correctly understanding what's at stake, starting with a proper identification of critical services,’ explains Nicolas Villatte. This allows us, for example, to consider ways of absorbing the additional traffic. One of these is to base critical services on an environment that can scale dynamically as the number of requests changes.
‘Managing these threats means implementing a risk-based approach, assessing not only the impact of a possible incident, but also the costs associated with preventing and managing it,’ continues Nicolas Villatte. Strengthening the capacity to absorb an increase in requests, at least as far as critical services are concerned, means rethinking the architecture. The resources mobilised to deal with the attack also represent additional costs.
DEEP's teams can help you analyse your risks and transform your environment to cope with this type of attack.
Preparing and strengthening detection capabilities
‘It is also necessary to put in place appropriate procedures and to determine the roles and responsibilities of everyone within the organisation, so as to be able to react effectively in the event of a problem. Having incident response plans in place means you can be ready when an attack occurs, make the right decisions and limit the impact,’ adds Nicolas Villatte. Nor should we forget that, beyond the disruption they cause, denial-of-service attacks are often used as a diversion, drawing attention away from an intrusion taking place elsewhere. It is therefore essential to strengthen our detection capabilities.