The Current Threat Landscape
According to the European Commission’s State of the Union, digital threats and cyber-crime are continuing to evolve at a rapid pace. Over the past few years, ransomware attacks have increased by 300%, and the impact of cyber-crime has risen fivefold since 2013. Unfortunately, the U.K has already been witness to these effects first hand. Just last year, a DDoS attack performed by bots took down a significant chunk of the internet – including leading websites such as Twitter, the Guardian, Netflix, Reddit and CNN.
The worst part? This wave of hacking doesn’t seem to be going anywhere—and it’s only getting stronger. Today’s hackers are quickly becoming smarter, tougher, and more creative, aided by access to high powered commodity computing power. This level of sophistication has been particularly obvious in the way DDoS attacks have been surfacing.
In the past, cyber criminals would orchestrate a brute force DDoS attack to cause as much damage as possible within a short period of time. Today, cyber criminals are achieving higher levels of success against organisations through more targeted and frequent attacks.
According to Neustar’s recent Global DDoS Attacks & Cyber Security Insights Report, 52 percent of brands that suffered a DDoS attack also reported a virus, while 35 percent reported malware, 21 percent reported ransomware and 18 percent reported lost customer data. Beyond that, 75 percent of respondents recorded multiple DDoS attacks following an initial assault on their brand’s network.
The Next Wave of Attack
Unfortunately, volumetric attacks only form part of today’s internet security challenge. With the evolution of technology and the mass expansion of the internet, today’s average web hacker has the ability to carry out various attacks with minimal effort through undetected vulnerabilities and security gaps.
This has been especially apparent as IoT devices expand, with 76% of organisations suffering a DDoS attack though their IoT connections in the past year. And while DDoS attacks continue to command great attention amongst IT and cybersecurity professionals, cyber criminals have quite literally and figuratively managed to slip through the cracks, resulting in web application layer threats that are equally, if not more, damaging than a typical DDoS attack.
Web application layer attacks, or ‘layer 7’ attacks as they’re often called, are a direct result of a hacker spotting a vulnerability in an existing program within an organisations web presence. These attacks, often led by ‘black hat hackers’ are more specific than DDoS attacks, with a precisely crafted approach to damage vulnerable software. Application attacks are also the most difficult attacks to detect and provide little to no advance warning before they create chaos on an organisation’s application.
Effects on the Future
These sort of intense web attacks not only have devastating effects on the businesses involved, but they could cost the global economy upwards of $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.
On a slightly smaller scale, with the upcoming implementation of GDPR, businesses across Europe risk losing not only sensitive consumer data, but millions of euros in non-compliance related fees. This is due to the fact that once GDPR is implemented, businesses have the responsibility to follow tightly constructed cybersecurity practices that require top-notch data security. If this isn’t done, those businesses could be liable for upwards of €20 million in fees, or 4% of their total net income, depending on the company. Either way, it’s an amount that can be completely detrimental to the future success of any company.
The upcoming GDPR standards have put an extra level of pressure on businesses everywhere, many of which are now scrambling to be compliant in time, as well as mitigating the threat of inevitable attacks on their network, including those directed at the web application layer.
It is encouraging though, that most businesses seem to have taken the initiative and are starting to invest in proactive defense technologies. So much so that just this past year, protection against application layer threats has increased significantly with Web Application Firewall (WAF) solution deployments nearly tripling among respondents.
Protecting Against Attacks
There are various tools to combat web application layer threats and DDoS attacks. These include anything from using including appliance hardware to cloud services and hybrid deployments. With that said, layered defenses are considered to be the most common form of defense against these sorts of attacks. In addition, sophisticated investments involving appliances, third-party services, and hybrid configurations that use a combination of hardware and cloud-based mitigation, have increased in the past few years. So much so that 65% of respondents in the Neustar report, reported having at least one of these solutions in place.
However, what is quite noticeable is the steady rise in Layer 7 protection. Over the past twelve months, industry experts have seen a huge spike in the deployment of web application firewalls, or WAF. Quite simply, a web application firewall protects users by filtering, monitoring, and blocking HTTP traffic to and from a web application.
This defence has proven so popular that organisations that have added WAF have nearly tripled in the past seven months and more than quadrupled from this time last year, according to the report. This rise has solidified the necessity in needing protection from what has quite rapidly become the most exploited layer in the network stack, especially relative to the vulnerabilities beyond DDoS alone.
Overall, as the threat landscape evolves and attackers continue to refine their capabilities, it’s extremely important that business’s make cyber security a top-level priority. By utilising a combination of defences, including the latest transformative services in line with traditional approaches, businesses have the opportunity to stay one step ahead of cyber criminals. Not only will this protect businesses from losing millions of euros and critical consumer data, but it will preserve consumer confidence—something that every business can benefit from.
James Willett, Senior Vice President of Products at Neustar
Image Credit: ESB Professional / Shutterstock