
Cyber Threats: Big One Is Out There

Approximately a year after the Mirai zombie malware took some major websites offline for much of a day, cybersecurity researchers identified a potentially more potent threat called Reaper. Experts warn that Reaper has the capability to take down the entire internet.

Mirai Zombie Malware

In late 2016, an online infrastructure firm called Dyn was the victim of a massive distributed denial of service (DDoS) attack attributed to Mirai, a piece of IoT attack malware. A DDoS attacker deliberately overloads a target server with an abnormal volume of traffic, using an army of infected devices, known as a “botnet,” to carry out the requests. This often crashes the server, knocking the target website offline and disrupting normal business. As more and more common household devices become connected to the internet, attackers are able to leverage an ever-growing army of devices to carry out these attacks.

Mirai weaponized IoT devices, such as digital video recorders (DVRs), wireless routers and CCTV cameras, by exploiting factory-default or hard-coded usernames and passwords. A number of Dyn’s high-profile clients, including Twitter, Amazon and Netflix, were taken offline.

The Grim News About Reaper

CheckPoint, an Israeli cybersecurity firm, has said that the Reaper IoT malware is “forming to create a cyber-storm that could take down the internet.” Reaper is exponentially more dangerous than Mirai because it exploits at least nine security vulnerabilities across a wider range of devices. Those vulnerabilities are identified on the CheckPoint website.

CheckPoint warned that Reaper is expanding “at a far greater pace and with more potential damage than the Mirai botnet of 2016,” and it estimated that more than a million organizations worldwide have already been affected. Security reporter Brian Krebs added: “It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at internet pressure points. Attacks like these can cause widespread internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless internet users.”

See also: How to Keep Malware in Check  

Cost of a DDoS Attack

For many victims of a DDoS attack, lost internet traffic can equate to staggering costs and lost revenue. According to a survey Dyn sponsored and published in August 2016, the majority of companies surveyed calculate that an internet outage costs them a minimum of $1,000 per minute.

Protective Measures

Today’s connected enterprises definitely should fear the Reaper (apologies to 1970s rock band Blue Oyster Cult). But there are a number of steps companies can take to mitigate the risk of being taken offline by Reaper or other IoT attack malware. And because 100% prevention against the risk is impossible, companies also should consider transferring the residual risk through insurance.

Avoid or Mitigate the Impact of a DDoS Attack

There are several strategies an organization can deploy to prevent a DDoS attack or at least mitigate the effects of one, including:

  • Set traffic thresholds: Companies can track how many users typically visit their website on any given day, hour and minute. Volume can change based on a number of factors. By having this historical knowledge, thresholds can be installed and real-time alerts can be generated to advise of abnormal traffic.
  • Blacklist and whitelist: Control who can and cannot access your network with whitelists and blacklists for specific IP addresses. Be mindful, however, that certain IP addresses may generate false positives and be blacklisted when they in fact carry legitimate traffic. By temporarily blocking traffic, a business can see how it responds: legitimate users usually try again after a few minutes, while illegitimate traffic tends to switch IP addresses. A good resource to help begin the process of whitelisting and blacklisting can be found on the DNS whitelist, which lists IP addresses, domain names and e-mail contact addresses and gives each IP address a trustworthiness score.
  • Reroute traffic with additional servers. By having additional servers on standby to handle an abnormal increase in traffic, a business can improve the odds against one server being overwhelmed. While this is likely the most cost-effective method, it is difficult to tell how many might be needed because the size of the attack can vary.
  • Consider using content-delivery networks (CDN). This method involves using external resources to identify illegitimate traffic and diverting it to a cloud-based infrastructure.
  • There may be contractual obligations that are affected during and after a DDoS attack. As such it is important to review contractual liability implications with customers and business partners. Review contracts with an eye toward the following:
    Revise unfavorable service-guarantee language due to downtime resulting from a DDoS attack. Allocate liability for potential outages as appropriate. Clauses that require security-incident notification under contract may be detrimental, especially when not required by law. Be sure your attorney reviews language related to this specific issue.
  • Terminate traffic as soon as a DDoS attack starts. Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings. If the bottleneck is a particular feature of an application, temporarily disable that feature.
  • Analyze traffic and adjust defenses. If possible, use a network-analyzer tool to review the traffic. Create a network-intrusion-detection system signature to differentiate between benign and malicious traffic. If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe. Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
  • Notify and activate your incident-response team, if one is already in place. Contact the company’s executive and legal teams. Upon their direction, consider involving law enforcement and collaborate with your business-continuity/disaster-recovery team.
  • Create a communication plan. A company can easily become overwhelmed with inquiries from customers, business partners and media during a DDoS attack. Create a status page with a statement explaining the circumstances of the event. In addition, a template letter can be created to automatically respond to customers that contact a business for information.
  • During a DDoS attack, immediate efforts should be made to document facts in an incident report. It should be used to document what happened, why it happened, decisions made and how the organization will prevent future attacks. Review and document the load and logs of servers, routers, firewalls, applications and other affected infrastructure. The incident report may be read by a wide audience, and it is therefore important that it’s written in a language that is not overly technical.
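One way to implement the traffic-threshold item above, as an added example rather than code from the original article: it builds a per-hour-of-day baseline from constructed per-minute request counts using a median/MAD estimate (so that an earlier attack minute in the history does not inflate the "normal" level) and then alerts on minutes whose volume exceeds it. The history values, the factor `k` and the absolute margin are assumptions for illustration.

```python
"""Traffic-threshold alerting for volumetric DDoS detection (added example).

Builds a per-hour-of-day baseline from constructed historical request
counts, then flags current minutes whose request volume is abnormal.
A median/MAD baseline is used so that a past attack minute in the history
does not raise the "normal" level the way a mean/stddev baseline would.
"""
from collections import defaultdict
from statistics import median

# Constructed history: (hour_of_day, requests_in_one_minute). A real deployment
# would fill this from web-server or load-balancer logs over several weeks.
HISTORY = [
    (h, base + jitter)
    for h in range(24)
    for base in [200 if 8 <= h < 20 else 40]   # busier during business hours
    for jitter in (-15, -5, 0, 5, 15, 10, -10)
]
# One historical minute was itself an attack; the robust baseline must ignore it.
HISTORY.append((14, 50_000))


def build_baseline(history):
    """Return {hour: (median, mad)} of per-minute request counts."""
    by_hour = defaultdict(list)
    for hour, count in history:
        by_hour[hour].append(count)
    baseline = {}
    for hour, counts in by_hour.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)   # median absolute deviation
        baseline[hour] = (med, mad)
    return baseline


def check_minute(baseline, hour, requests, k=6.0, min_excess=100):
    """Classify one minute of traffic against its hour's baseline.

    Alerts when requests exceed the median by more than k MADs *and* by an
    absolute margin, so quiet hours with a tiny MAD do not page on noise.
    Returns (status, threshold) where status is 'ok' or 'alert'.
    """
    med, mad = baseline[hour]
    threshold = med + max(k * mad, min_excess)
    return ("alert" if requests > threshold else "ok", threshold)


def scan(baseline, samples):
    """Run check_minute over (hour, requests) samples; return the alerting ones."""
    return [(h, r) for h, r in samples if check_minute(baseline, h, r)[0] == "alert"]


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    # Constructed "live" minutes: two normal, one flood in business hours, one at night.
    for hour, reqs in [(14, 250), (3, 120), (14, 5_000), (3, 400)]:
        status, thr = check_minute(b, hour, reqs)
        print(f"hour {hour:02d}: {reqs:>6} req/min (threshold {thr:.1f}) -> {status}")
```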

Insurance Issues

For companies that are either the direct target of a DDoS attack or that are indirectly affected by an attack on a third party, significant business interruption costs, including lost income and other expenses, can be incurred. Consequently, affected companies should scrutinize their insurance policies to determine if they have coverage under either scenario.

Because there is no standard cyber insurance policy form, it is important for the insured to review its specific policy form and determine whether it provides coverage for a DDoS attack. Here are some issues to consider in that regard:

  • DDoS Provisions.
    • Is there an exclusion for DDoS attacks;
    • Is coverage limited to attacks targeted at the insured’s network;
    • Is there broader coverage for an attack that indirectly affects the insured;
    • Does the definition of “security event,” “security failure” or any relevant similar term include or exclude a DDoS attack?
  • Business Interruption Coverage.
    • Is coverage triggered only following a direct attack on the insured company;
    • Is contingent business interruption coverage available;
    • How long is the business interruption waiting period;
    • Is coverage triggered only by a complete business interruption or also by a degradation in business operations caused by the DDoS attack;
    • Is there coverage for professionals, including accountants retained by the policyholder, required to calculate and submit the claim?

Insureds are urged to consult with experienced insurance brokers and advisers to ensure that they obtain appropriate coverage for losses resulting from a DDoS attack. Cyber insurers often are open to negotiation of their policy forms, so insureds are encouraged to work with their insurance professionals to optimize coverage.

See also: How to Immunize Against Cyber Attacks  

Further, business interruption insurance may not be made available for every company. Companies can make themselves a better candidate for coverage by implementing a strong disaster recovery/business continuity plan.

Cyber Insurance: Coming of Age in ’17?

2016 was definitely the year cyber insurance emerged. As large-scale attacks and disclosures of massive data breaches kept recurring, we realized once again that allocating tremendous effort and resources to cybersecurity defense provides no guarantee that you won’t experience an incident.

Executives and security professionals are gradually accepting that it is not a matter of if but a matter of when their organization will be hit by a cyber-attack. With this understanding, many businesses acknowledge cyber insurance as an important tool in the multilayer cybersecurity defense approach and declare it is an essential part of their risk mitigation strategy.

See also: 10 Cyber Security Predictions for 2017  

Here are some of my personal predictions for the cyber insurance market this year:

  1. An increasing number of security vendors will provide insurance guarantees. 2016 signaled a new path in the cybersecurity industry, as a few emerging startups started to offer cyber insurance coverage of as much as $1 million per organization fully protected by their defense solutions (e.g., SentinelOne and Cymmetria). I expect this trend to intensify through 2017, and well-established vendors will gradually follow by offering a bundle of protection plus insurance.
  2. We will see an increase in the number of insurance companies that offer cybersecurity services. As cyber insurance emerges and many new insurance companies enter the market (currently, approximately 70 insurers offer stand-alone cyber insurance products), there is a race for the best cybersecurity talent to assess risks and provide pre- and post-breach services such as monitoring, incident response and forensics. In this atmosphere, insurers will recognize the revenue they can make from cyber insurance and adjacent security services for their clients, and will (and already do) expand their teams with cybersecurity professionals and tools through aggressive hiring and M&As.
  3. Cyber extortion coverage will take the lead as the most demanded cyber insurance product. Ransomware is exploding across geographies, industries and all sizes of businesses. Following the massive distributed denial of service (DDoS) attacks on Krebs on Security and Dyn, the IoT world is open to a new world of DDoS attacks that no load balancer can mitigate. I expect that cyber extortion will become the biggest problem for organizations and individuals and that it will surpass data breaches as the main threat.
  4. Adoption of advanced tools for risk assessment will increase. There is a high demand for tools that will give insurers an accurate, scalable and affordable risk assessment that will streamline the entire (mainly manual) questionnaire-based risk quantification methodology that is the common practice today.
  5. New regulations will be introduced and will support the expansion of the cyber insurance market. There is a high chance that more U.S. states will introduce regulations that require regular internal risk assessments of third-party vendors and enforce security policies on organizations, as suggested by the new NY proposal for large financial institutions that was released last September.
  6. The penetration rate of cyber insurance among SMBs will be the driving force in the industry. As awareness of cyber-attacks increases among small- and medium-sized businesses, they’ll realize that cyber insurance is an essential security tool, particularly because of their limited cybersecurity resources. I expect to see a higher percentage of the SMB segment purchase cyber insurance coverage, leading to an increase in total market size, as current estimates rely on low adoption rates in these segments.
  7. Insurers will introduce personal cyber insurance coverage. As ransomware becomes a threat to any operating system and any device, it is forecasted that it will gradually become a serious problem for individuals, as well, and will lead cyber insurance companies to offer personal cyber insurance coverage.

Cyber insurance is here to stay, and insurers, brokers, businesses and individuals will benefit as this market continues to evolve. Growth will be sustained mainly in the U.S. market and is highly likely to expand worldwide, especially in the EU as GDPR takes effect.

See also: Understand the Nuts and Bolts of Cyber

No matter which part of the IT security eco-system you fit into, you should explore the benefits cyber insurance can bring to you — revenues, financial hedge and cyber peace of mind.

3 Reasons Insurance Is Changed Forever

We are entering a new era for global insurers, one where business interruption claims are no longer confined to a limited geography but can simultaneously have an impact on seemingly disconnected insureds globally. This creates new forms of systemic risks that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.

On Friday, Oct. 21, a distributed denial of service (DDoS) attack rendered a large number of the world’s most popular websites — including Twitter, Amazon, Netflix and GitHub — inaccessible to many users. The attackers conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users’ ability to access websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.

The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:

1. The proliferation of systemically important vendors

The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.

The insurance industry is aware of the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy and the 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries seeking to cause a catastrophic event for insurers.

See also: Who Will Make the IoT Safe?

There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. This includes at least eight DNS providers that service over 50,000 websites — and some of these vendors may not have the kind of security that exists within providers like AWS.

2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy

The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring and connected vehicles is another key development. Estimates state that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. Security is often not being built into the design of these products with the rush to get them to market.

Symantec’s research on IoT security has shown the state of IoT security is poor:

  • 19% of all tested mobile apps used to control IoT devices did not use Secure Sockets Layer (SSL) connections to the cloud.
  • 40% of tested devices allowed unauthorized access to back-end systems.
  • 50% of tested devices did not provide encrypted firmware updates — if updates were provided at all.
  • IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use the default credentials of Raspberry Pi devices to compromise them.

The Dyn attack compromised less than 1% of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.

Outages like these are just the beginning.

Shankar Somasundaram, senior director, Internet of Things at Symantec, expects more of these attacks in the near future.

3. Catastrophic losses because of cyber risks are not independent, unlike natural catastrophes 

A core tenet of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.

In the cyber world consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).

First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. A distribution of attacks is below:

  • 34% from China
  • 26% from the U.S.
  • 9% from Russia
  • 6% from Germany
  • 5% from the Netherlands
  • 5% from Ukraine
  • Long tail of adversaries from Vietnam, the UK, France and South Korea

Groups such as New World Hacking often replicate attacks. Understanding where they are targeting their time and attention and whether there are attempts to replicate attacks is important for an insurer to respond to a one-off event.

See also: Why More Attacks Via IoT Are Inevitable  

A key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyber attacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act of war definitions that exist in other insurance lines, cyber attack attribution to state-based actors is difficult — and, in some cases, not possible.

What does this mean for global insurers?

The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:

  1. Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines.
  2. Develop and hire cyber security expertise internally — especially in the group risk function — to understand the implications of cyber perils across all lines.
  3. Understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices.
  4. Partner with institutions that can provide a multi-disciplinary approach to modeling cyber security for insurers, including:
     • Hard data (for example, attack trends across the kill chain by industry);
     • Intelligence (such as active adversary monitoring); and
     • Expertise (in new IoT technologies and key points of failure).

Symantec is partnering globally with leading insurers to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.