December 19, 2017
Cyber Threats: Big One Is Out There
by John Farley and Judy Selby
A year after the Marai malware took some major websites down for a day, experts warn that Reaper could take down the entire internet.
Approximately a year after the zombie malware Marai took some major websites off-line for much a day, cybersecurity researchers recently identified a potentially more potent threat called Reaper. Experts warn that Reaper has the capability to take down the entire internet.
Marai Zombie Malware
In late 2016, an online infrastructure firm called Dyn was the victim of a massive distributed denial of service (DDoS) attack attributed to Marai, an IoT attack malware. The DDoS attacker deliberately overloads a target server with an abnormal amount of traffic, using an army of infected computers, known as a “botnets,” to carry out the information requests. This often results in a crashed server, knocking the target website offline, effectively disrupting normal business. As more and more common household devices become connected to the internet, attackers are able to leverage an ever-growing army of devices to carry out these attacks.
Marai weaponized IoT devices, such as digital video recorders (DVRs), wireless routers and CCTV cameras, by exploiting factory-default or hard-coded usernames and passwords. A number of Dyn’s high-profile clients, including Twitter, Amazon and Netflix, were taken offline.
The Grim News About Reaper
CheckPoint, an Israeli cybersecurity firm, has said that the Reaper IoT malware is “forming to create a cyber-storm that could take down the internet.” Reaper is exponentially more dangerous than Marai because it exploits at least nine security vulnerabilities across a wider range of devices. Those vulnerabilities are identified on the CheckPoint website.
CheckPoint warned that Reaper is expanding “at a far greater pace and with more potential damage than the Marai botnet of 2016,” and it estimated that more than a million organizations worldwide already have been affected. Noted cyber security reporter Brian Krebs further noted: “It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at internet pressure points. Attacks like these can cause widespread internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless internet users.”
See also: How to Keep Malware in Check
Cost of a DDoS Attack
For many victims of a DDoS attack, lost internet traffic can equate to staggering costs and lost revenue. According to a survey Dyn sponsored and published in August 2016, the majority of companies surveyed calculate that an internet outage costs them a minimum of $1,000 per minute.
Today’s connected enterprises definitely should fear the Reaper (apologies to 1970s rock band Blue Oyster Cult). But there are a number of steps companies can take to mitigate the risk of being taken offline by Reaper or other IoT attack malware. And because 100% prevention against the risk is impossible, companies also should consider transferring the residual risk through insurance.
Avoid or Mitigate the Impact of a DDoS Attack
There are several strategies an organization can deploy to prevent a DDoS attack or at least mitigate the effects of one, including:
- Set traffic thresholds: Companies can track how many users typically visit their website on any given day, hour and minute. Volume can change based on a number of factors. By having this historical knowledge, thresholds can be installed and real-time alerts can be generated to advise of abnormal traffic.
- Blacklist and whitelist: Control who can and cannot access your network with whitelists and blacklists for specific IP addresses. However, be mindful that certain IP addresses may generate false positives and be blacklisted when they are in fact legitimate traffic. By temporarily blocking traffic, a business can see how it responds. Legitimate users usually try again after a few minutes. Illegitimate traffic tends to switch IP addresses. A good resource to help begin the process of whitelisting and blacklisting can be found on the DNS whitelist. Here you will find IP addresses, domain names and e-mail contact addresses. Each IP address is given a trustworthiness level score.
- Reroute traffic with additional servers. By having additional servers on standby to handle an abnormal increase in traffic, a business can improve the odds against one server being overwhelmed. While this is likely the most cost-effective method, it is difficult to tell how many might be needed because the size of the attack can vary.
- Consider using content-delivery networks (CDN). This method involves using external resources to identify illegitimate traffic and diverting it to a cloud-based infrastructure.
- There may be contractual obligations that are affected during and after a DDoS attack. As such it is important to review contractual liability implications with customers and business partners. Review contracts with an eye toward the following:
Revise unfavorable service-guarantee language due to downtime resulting from a DDoS attack. Allocate liability for potential outages as appropriate. Clauses that require security-incident notification under contract may be detrimental, especially when not required by law. Be sure your attorney reviews language related to this specific issue.
- Terminate traffic as soon as a DDoS attack starts. Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings. If the bottleneck is a particular feature of an application, temporarily disable that feature.
- Analyze traffic and adjust defenses. If possible, use a network-analyzer tool to review the traffic. Create a network-intrusion-detection system signature to differentiate between benign and malicious traffic. If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe. Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
- Notify and activate your incident-response team, if one is already in place. Contact the company’s executive and legal teams. Upon their direction, consider involving law enforcement and collaborate with your business-continuity/disaster-recovery team.
- Create a communication plan. A company can easily become overwhelmed with inquiries from customers, business partners and media during a DDoS attack. Create a status page with a statement explaining the circumstances of the event. In addition, a template letter can be created to automatically respond to customers that contact a business for information.
- During a DDoS attack, immediate efforts should be made to document facts in an incident report. It should be used to document what happened, why it happened, decisions made and how the organization will prevent future attacks. Review and document the load and logs of servers, routers, firewalls, applications and other affected infrastructure. The incident report may be read by a wide audience, and it is therefore important that it’s written in a language that is not overly technical.
For companies that are either the direct target of a DDoS attack or that are indirectly affected by an attack on a third party, significant business interruption costs, including lost income and other expenses, can be incurred. Consequently, affected companies should scrutinize their insurance policies to determine if they have coverage under either scenario.
Because there is no standard cyber insurance policy form, it is important for the insured to review its specific policy form and determine whether it provides coverage for a DDoS attack. Here are some issues to consider in that regard:
- DDoS Provisions.
- Is there an exclusion for DDoS attacks;
- Is coverage limited to attacks targeted at the insured’s network;
- Is there broader coverage for an attack that indirectly affects the insured;
- Does the definition of “security event,” “security failure” or any relevant similar term include or exclude a DDoS attack?
- Business Interruption Coverage.
- Is coverage triggered only following a direct attack on the insured company;
- Is contingent business interruption coverage available;
- How long is the business interruption waiting period;
- Is coverage triggered only by a complete business interruption or also by a degradation in business operations caused by the DDoS attack;
- Is there coverage for professionals, including accountants retained by the policyholder, required to calculate and submit the claim?
Insureds are urged to consult with experienced insurance brokers and advisers to ensure that they obtain appropriate coverage for losses resulting from a DDoS attack. Cyber insurers often are open to negotiation of their policy forms, so insureds are encouraged to work with their insurance professionals to optimize coverage.
See also: How to Immunize Against Cyber Attacks
Further, business interruption insurance may not be made available for every company. Companies can make themselves a better candidate for coverage by implementing a strong disaster recovery/business continuity plan.