Written by Gareth Jehu, Global Operations Director, Com Laude Group
I had the pleasure this month to spend a few days as a guest of Neustar at their HQ in Sterling, Virginia where they hosted a product roadmap workshop. The event was led by Rodney Joffe, Neustar’s esteemed SVP, Fellow, Security CTO and National Security Executive who carries this official job title but is unofficially and affectionately known as ‘Corporate Curmudgeon’ which, he tells me is a title he has earned by reputation having now spent over 40 years as a leading technologist with a stubborn resolve and trust in his own judgement. This resolve once led him to gain the honour of being the only person to ever have been frog marched out of an IETF meeting for presenting, what was considered in the 1990s, to be almost heretical views on geographical load balancing of DNS. His work resulted in the invention of DNS Anycasting, developed by his company UltraDNS and rest as they say is history.
The event was attended by CISOs and technology executives from some of the world’s leading brands in the travel, online gaming, finance and entertainment sectors all of whom share a common bond of mitigating their company’s risk of falling foul of nefarious cybercrime which threaten at best to disrupt and at worst destroy brand reputation and ability to operate and trade.
Through a series of informative and interactive presentations, Neustar shared their strategic view on the cyber landscape and the need for threat data feeds which will provide organisations with information and intelligence that can be used in real time to trigger “always on” defence mechanisms against cyber threats. The challenge right now lies in the speed with which the bad guys are moving – newly registered domain names can service malware or botnet attacks within minutes of registration, long before such names start appearing on the data feeds and security services commonly used to either monitor or blacklist activity on the corporate firewall with the same names disappearing just as quickly as they arrived. By applying machine intelligence to the vast databank available through the activities of their registry, security, marketing, risk and compliance and telephony carrier businesses, Neustar have been able to accurately spot trends and relationships that are helping provide its customers with intelligence to improve their security posture and mitigate against attacks.
As an example, through an analysis of registration activity across the 300+ top level domains that they operate, they were able to overnight suspend nearly 12,000 domain names on the basis they were showing traits of being associated with cybercrime. It is interesting but not surprising that Neustar did not receive a single complaint from any of the registrants of these names which I guess is a sign that they were on the money with conclusions drawn from the data mining.
Underpinning the intelligence from their data feeds is a technology stack that can be used in conjunction with existing inhouse or outsourced systems and controls to further strengthen security posture. The UltraDNS platform developed by Joffe continues to be a cornerstone in the suite of products that keep DNS traffic and resolution healthy, highly available and protected from volumetric DDoS attacks. The platform is evolving however to combat the newer threats of DNS exfiltration and tunnelling where the bad guys are using DNS as a channel to steal sensitive and confidential data.
At the application layer, SiteProtect NG, combines DDoS mitigation with their Web Application Firewall to keep websites up and running and capable of seamlessly handling volumetric and more sophisticated bot and malware attacks.
The benefits of utilising these products became more evident on a tour of the Neustar Network and Security Operations Centre. These centres are manned 24/7 and 365 by teams of experienced technical analysts and engineers who apply the essential layer of human judgement to the process of monitoring traffic activities and managing attack incidents. Huge monitors in the centre provide a very visual display of the frequency and intensity with which attacks occur and how these are efficiently dealt with by 14 globally distributed scrubbing centres. The centres analyse data during attacks, only allowing the good traffic through to its destination with bad traffic directed to the digital rubbish bin. Whilst being given the guided tour, I witnessed a 60Gbps attack in real time which would have been catastrophic for the affected client however with mitigation in place, it was business as usual.
It’s not always the bigger volumetric attacks that are a cause for concern however and Neustar’s research suggests a trend towards smaller scale attacks of 5Gbps or less which represents a 150% increase compared to observed attacks of this size in 2018. These smaller scale attacks are very often a diversionary tactic used by attackers to distract security operations away from the main target.
Well, it is clear that the bad guy threat is not going away any time soon and they constantly adapt and change, getting more sophisticated in their attempts to exploit corporate and consumer vulnerabilities. To combat this trend, the good guys need to up their game, stay alert and do everything that is economically possible to implement suitable controls to monitor and block these threats.
At Com Laude, we provide strategic and tactical advice, tools, reporting and support for effective domain name portfolio management and protecting your online brands and IP from infringement and exploitation. To compliment these services, the strategic alliances we have forged with companies like Neustar, who bring years of expertise and investment in the development and provision of security technologies that can in Joffe’s words at the most basic level “Stop the bad traffic and allow the good”, can further enhance your overall security posture through applying industry leading technology and controls to help keep your crown jewel systems and services always on.
The simple answer is “No” as this is the holy grail for anyone carrying responsibility for information security, but we have many practical and economical options available to us to aid the mitigation process.
As a minimum, we should all take the threat seriously and put in place budget, resource, processes and controls that are appropriate for your business and its risk appetite. Accreditations and certifications like ISO27001, SOC 2 and Cyber Essentials can be used as a framework for security best practice whilst associated controls can be both in house developed and implemented and externally sourced through the use of products and services such as those described in above.