As attackers move up the stack to increasingly focus on credentials, consoles, and APIs, it may be tempting for network and security practitioners to relax. After all, your focus is on the bottom of the stack, not the top.
But be warned, attackers are not ignoring you or your network. DDoS, amplification attacks, and more are still targeting network infrastructure. Your domain.
To wit, a Kaspersky DDoS Protection report found that SYN-based attacks comprised most DDoS attacks in 2019. But UDP, TCP, and even ICMP floods still show up among the attack vectors. HTTP comprised just 3.3% of DDoS attacks.
While application attacks may be the cause of most breaches, DDoS is still a significant force in causing outages. Outages that, in an app economy, can cost the company millions.
Sophisticated attacks on a business often take advantage of network infrastructure attacks to mask their real intentions. In other cases, DDoS attacks can be used as reconnaissance - teasing out the more lucrative targets by forcing organizations to expose which apps they value most. As the availability of critical apps and APIs is threatened, access to other apps gets restricted - clearly identifying the real targets.
And we can't really discuss infrastructure attacks today without mentioning the sudden target-rich environments offered by remote access thanks to COVID-19. With more companies than can be counted opening access to remote workers as a rapid response to changing social restrictions, security is often an afterthought.
All this combined makes network infrastructure visibility a key component of successfully securing every connection. But that visibility can be elusive when you have apps and infrastructure spread across multiple cloud and data center properties.
The current state of visibility is, according to the latest NetDevOps survey, primarily enabled via two stalwart protocols: SNMP and ICMP. Both are available in public cloud properties, though implementation difficulty varies based on provider and infrastructure. About a quarter of respondents take advantage of APIs and streaming telemetry.
All are important sources of operational data and can provide the insights needed to recognize anomalies that might indicate an impending - or ongoing - attack. But data itself cannot provide that insight. Visualization, correlation, and deeper analysis are required in order to detect and even predict incidents that can spread from one property to another.
It is encouraging to note, then, that respondents cited event correlation rule engines as the second most used method of anomaly detection, behind simple up/down/threshold alerts. The use of AI/ML is in an impressive third place.
The ability to correlate telemetry across the data center and public cloud infrastructure is an important part of detecting and addressing attacks that can not only span - but spread. Probing attacks in the public cloud might indicate a forthcoming attack on the data center - or vice versa. A DDoS attack on-premises might be an indicator of a higher-layer attack planned on apps hosted elsewhere. The art of misdirection is one of Sun Tzu's best-known pieces of advice:
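To make the difference between simple threshold alerts and cross-property correlation concrete, here is a small added example (not code from the original article or any product it mentions). It runs two detectors over a constructed stream of telemetry samples from a data center property and a public cloud property: a per-sample threshold alert of the up/down/threshold kind the survey describes, and a correlation rule that links a port-probing burst in one property to a SYN-rate spike in the other within a time window. The metric names, thresholds, site labels and every sample value are assumptions chosen for illustration, not figures from the NetDevOps survey or the Kaspersky report.

```python
"""Threshold alerting vs. cross-property correlation over network telemetry.

Added example, not part of the original article. All telemetry below is
constructed; metric names, site labels and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int       # seconds since epoch (constructed timestamps)
    site: str     # "dc" (data center) or "cloud" (public cloud property)
    metric: str   # "syn_pps" or "unique_dst_ports" (assumed metric names)
    value: float


# Constructed telemetry: a port-probing burst in the cloud property around
# t=100..120, followed by a SYN-rate spike in the data center at t=400..420.
TELEMETRY = [
    Sample(100, "cloud", "unique_dst_ports", 950),
    Sample(110, "cloud", "unique_dst_ports", 1200),
    Sample(120, "cloud", "unique_dst_ports", 300),
    Sample(200, "dc", "syn_pps", 4000),
    Sample(300, "dc", "syn_pps", 5000),
    Sample(400, "dc", "syn_pps", 120000),
    Sample(410, "dc", "syn_pps", 150000),
    Sample(420, "dc", "syn_pps", 30000),
    Sample(700, "cloud", "syn_pps", 3000),
]

# Static per-metric limits (assumed values; tune against your own baseline).
THRESHOLDS = {"syn_pps": 50000, "unique_dst_ports": 800}


def threshold_alerts(samples):
    """Simple threshold alerting: one (ts, site, metric) alert per sample
    whose value exceeds the limit for its metric. Each site is judged alone."""
    alerts = []
    for s in samples:
        limit = THRESHOLDS.get(s.metric)
        if limit is not None and s.value > limit:
            alerts.append((s.ts, s.site, s.metric))
    return alerts


def correlate(alerts, window):
    """Correlation rule: a probing alert (unique_dst_ports) in one site followed
    within `window` seconds by a SYN spike (syn_pps) in a *different* site is
    reported as a single cross-property incident keyed by (probe_site, attack_site),
    carrying the earliest probe/attack pair that satisfied the rule."""
    by_site_metric = defaultdict(list)
    for ts, site, metric in alerts:
        by_site_metric[(site, metric)].append(ts)

    incidents = {}
    for (p_site, p_metric), probe_times in by_site_metric.items():
        if p_metric != "unique_dst_ports":
            continue
        for (a_site, a_metric), attack_times in by_site_metric.items():
            if a_metric != "syn_pps" or a_site == p_site:
                continue
            pairs = [(p, a) for p in probe_times for a in attack_times
                     if 0 <= a - p <= window]
            if pairs:
                first_probe, first_attack = min(pairs)
                incidents[(p_site, a_site)] = {
                    "probe_ts": first_probe,
                    "attack_ts": first_attack,
                    "lag_s": first_attack - first_probe,
                }
    return incidents


def analyze(samples, window):
    """Run both detectors and return their results side by side."""
    alerts = threshold_alerts(samples)
    return {"alerts": alerts, "incidents": correlate(alerts, window)}


if __name__ == "__main__":
    result = analyze(TELEMETRY, window=600)
    for a in result["alerts"]:
        print("threshold alert:", a)
    for key, info in result["incidents"].items():
        print(f"correlated incident {key[0]} -> {key[1]}: {info}")
```

With a 600-second window the run yields four isolated threshold alerts (two in the cloud, two in the data center) that a per-property view would never connect, plus one correlated incident linking the cloud probe at t=100 to the data center SYN spike at t=400. Shrink the window to 100 seconds and the incident disappears while the four alerts remain, which is the point: the threshold alerts are the raw material, and it is the correlation step that turns them into the "probe here, attack there" picture the paragraph above describes.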
“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” ― Sun Tzu, The Art of War
Visibility into infrastructure - in the data center and in the cloud - is an important part of application and corporate security practices. Only with visibility - and the ability to quickly analyze data - will network and security operators be able to maintain the positive security posture necessary to fend off the increasingly sophisticated attack methods of those who exploit network infrastructure for fun and profit.
Stay safe out there. Personally, and operationally.