Phil Williams, Principal Cloud Solutions Architect, explains how to evaluate your exposure to DDoS attacks and how best to shape your defences to budget requirements.
5. ANDREAS LINDH
• Swedish infosec practitioner.
• Graciously provided permission to reference his material.
• @addelindh on Twitter.
• You really should follow him (on Twitter, not in real life).
HIS PRESENTATION
• March 2015, Heidelberg, Germany.
• Really good!
• You should find and watch it.
First, some food for thought
6. “An attacker only needs to find one weakness while the defender needs to protect all of them all of the time.”
“A skilled and motivated attacker will always find a way.”
“Attackers have bosses and budgets too.”
7. 1. If the cost to attack is less than the value of your information / lack of service to the attacker, you will be attacked.
2. You don’t need to protect against everything.
3. The attacker’s greatest strength is time.
4. Your greatest strength is space.
5. You need to increase the cost of a successful attack to a point where it’s no longer profitable to the attacker.
Some Principles of Defender Economics
BREAK THE ATTACKER’S BUDGET
WITHOUT BREAKING YOUR OWN.
8. “1. If the cost to attack is less than the value of your information to the attacker, you will be attacked.”
10. “3. The attacker’s greatest strength is time.”
Attacker chooses:
• When to start attacking.
• When to stop attacking.
• Which days to be active.
• Which times of day to be active.
• Speed / size of attack.
• The timeline for any public announcements they make.
Defence issues:
• Defender has limited timeline awareness.
• Controls which are slower to respond than the attacker’s evasion speed are of limited value.
• 24x7 operation is much more expensive for defence than for attack.
11. “4. The defender’s greatest strength is space.”
Defender designs, builds and operates the
infrastructure, applications and security controls.
DEFENDER SETS THE BUDGET FOR A
SUCCESSFUL ATTACK.
Attacker: goose.
Target: humans.
Controls: Window + sign (cheap, effective).
Budget: bread for 2 x penetration geese, 8x5 hours of operation.
Now on to the Applied Defender Economics part of the preso. Andreas Lindh is a nice guy, very smart, follow him; he did a talk a few months ago. Our talk is inspired by his. We’re not using his content, but we have his blessing anyway if anyone asks.
By all means remove this slide if you want but if anyone challenges you, I do have Andreas’ written permission.
Let’s start with some truisms. I normally show them one by one and ask if people agree that they’re true. Be prepared to discuss. The first one is usually unanimously true; the second one starts a discussion. I end it by saying “Let’s assume it is true – why then do we go to work in the morning if there’s always a way for an attacker to get in? It’s because… [CLICK] attackers have bosses and budgets too.”
Let’s establish some principles (1, 2 and 5 come from Andreas and work by Dino Dai Zovi, 3 and 4 are mine).
Organisations that don’t think about these either explicitly or implicitly end up like this guy – clinging desperately to their traditional security controls like AV and firewall, hoping and praying for them to step in and actually do something useful. Meanwhile the attacker is just going at them with nothing to stop them.
So I quickly step through the principles because we go into more detail on the following slides.
A common mistake in risk management equations is to use the value of data TO YOU. Instead you should use the value of data to AN ATTACKER. A lot of organisations are under-spending on controls because their data is worth much more to an attacker than it is to themselves. Use the example of hotel check-ins, which have long and detailed forms asking for all kinds of PII, when in reality all they need is a credit card authorisation. Mention how a lot of hotel staff don’t even ask you to fill in all these details any more, but some still do out of habit – they’re collecting data they don’t need, which is of no value to them but worth a lot to an attacker.
Remember our goal is to break the attacker’s budget – this helps us to understand what that budget might be, both qualitatively and quantitatively.
(Replace these with screenshots of examples relevant to your audience)
Shock! Horror! A security vendor who isn’t telling you you need to protect against everything all the time! As defenders we should invest wisely in controls. If your website is purely informational but you maintain a database of customer records, don’t listen to the DDoS vendor when he comes knocking, spend that money on database activity monitoring instead. If on the other hand you do most of your business through your website in the cloud and your staff are mostly mobile – why on earth would you spend $$$ on a perimeter IPS?
Remember, our constraint is not to break our own budget, this helps.
This should be fairly obvious, especially to anyone who has ever done pen testing or red teaming (or actually hacked something) but so many defenders seem oblivious to this and it’s fundamentally important.
But it’s not all bad. As defenders our control of the “battlespace” means that we are setting the budget for a successful attack. That’s what we do when we buy, implement and operate security controls. We’re not trying to block everything all of the time from all adversaries – that’s not possible for anyone – we’re saying to our chosen adversaries that “the bar for getting to our data is here; you need to spend that much for your attack to be successful” and if they don’t have that much bread, we win.
As this image shows… bandwidth (or road width) does not help, as the firewall still needs to have the capacity to cope.
Make sure they GET the difference! Why an ISP-based (upstream) approach can’t work for layer 7.
Also, you can explain that while volumetric attacks are getting bigger quarter on quarter, application-layer attacks are CHEAPER for the ATTACKER. We are seeing in the region of 20% more application-layer attacks than volumetric in Q1 2016, and this is up about 10% on Q4 2015.
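To make the volumetric-versus-layer-7 distinction concrete for the audience, here is an added example (not from the original presentation or its author) that models one second of each attack on constructed traffic. A bytes-per-second view, which is all an upstream or ISP-based scrubber sees, trips on the volumetric flood and stays silent on the application-layer flood, while a defender-side view keyed on backend work per request and requests per client catches the layer-7 case. The IP ranges, endpoint costs and capacity figures are assumptions chosen for illustration.

```python
"""Added example: why a bandwidth-only view misses an application-layer flood.

All traffic samples and per-endpoint costs below are constructed for
illustration; they are not measurements from any real network.
"""
from collections import defaultdict

# Assumed backend work (milliseconds) per request path. A search or report
# endpoint costs hundreds of times more than serving the home page.
ENDPOINT_COST_MS = {"/": 2, "/static/logo.png": 1, "/search?q=": 250, "/api/report": 400}


def volumetric_sample():
    """Constructed: 50,000 junk packets of 1,400 bytes from many spoofed sources.

    Lots of bytes on the wire, but not a single valid HTTP request (path None).
    """
    return [("198.51.100.%d" % (i % 250), None, 1400) for i in range(50_000)]


def layer7_sample():
    """Constructed: 40 clients each hitting the expensive search page 10 times,
    plus 200 ordinary users loading the home page once.

    The whole second of traffic fits in well under 2 Mbps.
    """
    reqs = [("203.0.113.%d" % (i % 40), "/search?q=", 300) for i in range(400)]
    reqs += [("192.0.2.%d" % (i % 200), "/", 300) for i in range(200)]
    return reqs


def bytes_per_second(sample):
    """Total bytes seen in the one-second sample."""
    return sum(size for _, _, size in sample)


def bandwidth_detector(sample, threshold_bps=10_000_000):
    """What an upstream, bytes-only view can see: fires only on sheer volume.

    The 10 Mbps threshold is an assumed trigger point for the example.
    """
    return bytes_per_second(sample) * 8 > threshold_bps


def backend_cost_ms(sample):
    """Server-side work implied by the requests: what a layer-7 flood exhausts."""
    return sum(ENDPOINT_COST_MS.get(path, 0) for _, path, _ in sample if path)


def layer7_detector(sample, capacity_ms_per_s=20_000, per_client_rps=5):
    """Defender-side view: backend work against capacity, plus per-client rate.

    Returns (overloaded, offending_client_ips). Capacity and per-client limits
    are assumed figures; in practice they come from your own load testing.
    """
    per_client = defaultdict(int)
    for ip, path, _ in sample:
        if path:
            per_client[ip] += 1
    offenders = sorted(ip for ip, n in per_client.items() if n > per_client_rps)
    return backend_cost_ms(sample) > capacity_ms_per_s, offenders


def compare_views():
    """Run both detectors over both samples; the layer-7 row is the point."""
    rows = {}
    for name, sample in (("volumetric", volumetric_sample()), ("layer7", layer7_sample())):
        overloaded, offenders = layer7_detector(sample)
        rows[name] = {
            "mbps": bytes_per_second(sample) * 8 / 1e6,
            "bandwidth_alarm": bandwidth_detector(sample),
            "backend_ms": backend_cost_ms(sample),
            "backend_alarm": overloaded,
            "offending_clients": len(offenders),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare_views().items():
        print(name, row)
```

The layer-7 sample moves about 1.4 Mbps, far below anything a bandwidth alarm would notice, yet it implies roughly 100 seconds of backend work in one second of wall clock. That is the attacker's economy: a few hundred cheap requests do what a 500 Mbps flood does, and only a control that sees request semantics (path, client, cost) can price them out.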