In this Tech Talks Daily Podcast episode, I sit down with Richard Hummel from NETSCOUT to delve into the ever-evolving DDoS threat landscape. Why has there been an explosion in hacktivist groups and DDoS attack activity this year, and what does this mean for organizations across all sectors? With over 1,200 hacktivist groups active in 2023 alone, the threat landscape is more challenging than ever.
We explore how geopolitical tensions are directly influencing attack strategies and targets, resulting in a continuous onslaught of sophisticated attacks that challenge traditional defense mechanisms. Critical infrastructure, particularly DNS servers, is being targeted with unprecedented frequency, posing significant risks to the stability of the internet itself.
Richard provides valuable insights into how attackers are employing more advanced tactics, including leveraging public cloud hosting to evade defenses and utilizing AI to generate potent attacks. He also highlights how global conflicts, elections, and political unrest directly trigger hacktivist activity, with adversaries often striking both sides of a conflict.
To help organizations defend themselves, Richard shares the importance of adopting a predictive defense strategy based on real-time threat intelligence, stressing that visibility into network traffic is critical. With proactive blocking of known adversary infrastructure and AI chatbots identifying new attack vectors, Richard outlines practical recommendations for staying ahead of the curve.
Tune in to understand the risks, challenges, and the strategies organizations can implement to bolster their defenses. Do you feel adequately prepared for this evolving threat landscape, or is your organization vulnerable to these increasingly sophisticated attacks? Listen and share your thoughts!
[00:00:00] Are you or your business prepared for the digital battleground of tomorrow?
[00:00:07] Well today, as the digital landscape continues to evolve, so does the nature of threats that
[00:00:13] challenge our security frameworks.
[00:00:16] So in today's episode of Tech Talks Daily, I'm going to welcome back to the show Mr Richard
[00:00:21] Hummel from Netscout.
[00:00:24] They are a pioneer in advancing security solutions, but Richard is a friend of the show.
[00:00:30] He's been on here many times before and once again he's going to be bringing deep insights
[00:00:34] into how DDoS attacks are not just becoming more frequent, but also more sophisticated.
[00:00:41] Driven by over 1,200 active hacktivist groups as of last year.
[00:00:49] So that number has probably increased even more.
[00:00:52] So I want to delve into how geopolitical tensions are shaping digital skirmishes and why traditional
[00:00:59] defences are being outmanoeuvred.
[00:01:02] So I invite you to join me today as we uncover the pressing necessity for a predictive defence
[00:01:07] strategy and enhance visibility into network traffic and also explore their latest threat
[00:01:15] report.
[00:01:17] So buckle up and hold on tight as I beam your ears all the way to Washington DC, where Richard's
[00:01:23] waiting to join us one more time.
[00:01:26] So a massive warm welcome back to the show, Richard.
[00:01:30] For anyone that missed our previous conversations, can you just tell everyone listening a little
[00:01:33] about who you are and what you do?
[00:01:37] Certainly thanks Neil and thanks for having me back as usual.
[00:01:40] So my name is Richard Hummel and I manage the research team over here at Netscout and
[00:01:44] we're primarily focused on the DDoS threat landscape.
[00:01:48] So threat intelligence can span anything from nation states to cyber criminals to hacktivism,
[00:01:54] but we're focused almost exclusively on the DDoS landscape, understanding adversaries,
[00:01:58] what they're doing, what vectors, what methodologies they're using, who they're targeting and just
[00:02:03] really what shenanigans they're up to.
[00:02:05] So that's what my team focuses on.
[00:02:08] Love the word shenanigans.
[00:02:09] Great use, sir.
[00:02:10] Glad you got that one in.
[00:02:11] I always love chatting with you and there's always a great new report with so many cool
[00:02:16] findings in there.
[00:02:17] And I've got to ask, I mean, if we look at all our conversations, how has the landscape
[00:02:21] of DDoS threats evolved in recent years, especially when looking at Netscout's latest findings?
[00:02:28] What makes the current situation particularly notable?
[00:02:31] Because this isn't your first rodeo, you've seen so many changes in your career, but what
[00:02:36] are you noticing now?
[00:02:37] If I had to put a finger on any one thing, it's the sustained, just continuous onslaught
[00:02:44] of hacktivism in the DDoS space.
[00:02:46] I mean, we've seen hacktivist activity in DDoS for many, many years, way longer than
[00:02:52] I've been in the career field.
[00:02:54] It's been a thing.
[00:02:55] But the reality is, is just so for instance, if I look at all of 2023 and I want to say
[00:03:01] just the total sheer number of adversaries out there that have a name for themselves
[00:03:07] and have claimed credit and or furnished proof of an attack against someone, we're talking
[00:03:12] more than 1200 different groups.
[00:03:15] I mean, that's that's insane, right?
[00:03:17] I mean, in Asian states and you think North Korean EPT or Iranian EPT or Russian EPT
[00:03:23] and you get a dozen groups, right?
[00:03:25] We're talking 1200 different groups claiming hacktivist activity and furnishing sites that
[00:03:31] show, hey, the website's down or it's inaccessible or latency has been impacted.
[00:03:36] That's just in 2023.
[00:03:38] And this really started when Chilnet came out and attacked Ukraine at the start of
[00:03:46] that conflict. And before that, we saw Lazarus Barmata, we saw Fancy Lazarus, we saw
[00:03:53] Armada Collective, Lizard Squad, there's Operation Ebbabil, like all these things going
[00:03:57] back many, many years.
[00:03:58] But if you think back to what happened then, it's like you hear about one group at a
[00:04:03] time and then you hear about another group and then you hear about another group.
[00:04:06] We're talking like 1200 groups operating simultaneously with many of these things, these
[00:04:11] groups being highly prolific.
[00:04:13] So we think Anonymous Sudan, Chilnet, NoName57, you have Russian Cyber Squad, you have
[00:04:19] Anonymous Collective. I mean, you have all of these different groups that they're not
[00:04:23] quiet. It's not like they're giving limelight to one versus the other.
[00:04:26] Now, there are some that have much more activity, but I mean, that's to me, that's the
[00:04:32] biggest sea change that I've seen in DDoS in the six and a half years that I've been
[00:04:36] tracking DDoS.
[00:04:38] Wow, that's phenomenal.
[00:04:39] 1200 groups.
[00:04:41] So if we look across those 1200 groups there, what are the key trends in DDoS attack
[00:04:48] methodologies and what type of industries are most at risk looking at your report?
[00:04:54] Who isn't at risk?
[00:04:55] I mean, let's face it, like DDoS attacks, they don't have one victim.
[00:05:00] They have hundreds or millions of victims.
[00:05:04] When you think about what these hacktivists want to do, they want to sow chaos.
[00:05:09] So they're going to go after things that are going to cause chaos.
[00:05:12] Let's go to, I'll just give you a couple of examples.
[00:05:15] Anonymous Sudan and No Name, as well as I think Team Bangladesh and maybe a couple of
[00:05:20] others have gone after airlines and they've targeted public websites belonging to
[00:05:26] airlines. But what's interesting here is that the actual websites that matter, right,
[00:05:30] the things that are going to do air traffic control, the things that are going to secure
[00:05:34] your flight, all of these things are pretty well secured.
[00:05:37] Right. It would take a monumental effort to take these things down or to infiltrate.
[00:05:43] So what they're doing is they're going after websites or like sub websites or sub
[00:05:48] domains, or they're going after fringe sites associated with it.
[00:05:52] But the thing is, is what what does media key on these airlines had websites that were
[00:05:57] taken down by X?
[00:06:00] Right. So it doesn't even matter that the primary main websites that do all of the
[00:06:05] important things are totally completely fine.
[00:06:08] Some website went down.
[00:06:10] It empowers the adversary.
[00:06:12] It allows them to get limelight.
[00:06:14] And they keep doing this over and over again.
[00:06:16] So they're so in chaos, they're showing paranoia.
[00:06:18] Well, if they took down that website, what about if they took down this over here?
[00:06:22] Like, am I safe to fly?
[00:06:23] Should I just drive? Right.
[00:06:25] The same is true for hospitals.
[00:06:26] The same is true for education, for government.
[00:06:28] I mean, all of these different things.
[00:06:31] These adversaries are just hammering things that are going to cause discord or they're
[00:06:36] doing it because it supports their ideology.
[00:06:39] So Anonymous Sudan, anything that's that's pro-Muslim.
[00:06:42] If you're anti-Muslim, guess what?
[00:06:44] You're a target. No name.
[00:06:46] If you're against Russia in any way, shape or form or you aid Ukraine in any way, shape
[00:06:50] or form. Guess what?
[00:06:51] You're a target. And so it really just it varies so much.
[00:06:56] Those same 1200 groups targeted will claim that to have targeted with furnished proof
[00:07:02] more than 1500 different websites in the second half of 2023 across 50 different
[00:07:07] countries. So it's not even like there's one country.
[00:07:09] It's not like it's just the US.
[00:07:10] It's global phenomena here.
[00:07:13] And so the reality is, is every industry, every country, every demographic should assume
[00:07:18] that at some point in time they can experience this, especially if they're going to make
[00:07:23] any public claims whatsoever.
[00:07:26] That's against any of these activists ideologies and with 1200 groups, you can imagine
[00:07:30] they have an ideal for everything.
[00:07:31] Right. So who's at risk?
[00:07:34] Pretty much everybody.
[00:07:36] Wow. Oh, man, that's I'm going to sleep tonight.
[00:07:38] But of course, the report also mentions just to make matters slightly worse and
[00:07:43] uncomfortable that there's an increasing sophistication in these DDoS attacks as well.
[00:07:48] It's no longer just script kiddies and people like that.
[00:07:52] So can you discuss some of the challenges that this sophistication gap poses, especially
[00:07:57] for traditional defense mechanisms?
[00:07:59] Is it because these groups have access to AI to aid them or is it something else?
[00:08:05] I mean, you bring up a good point with AI and I'll touch on that in just a moment.
[00:08:08] But let me give you a contrast between two groups.
[00:08:11] Yeah. So you have anonymous Sudan, who is pretty prolific.
[00:08:15] And in fact, at the beginning of 2023, they were the predominant group out there watching
[00:08:20] attacks somewhere around February time frame of 2023.
[00:08:24] They had tapered off and no name 57 came and took over the limelight.
[00:08:29] The difference between these groups is almost night and day.
[00:08:32] Anonymous Sudan is a group of individuals that will leverage DDoS for higher services.
[00:08:37] They'll use the typical tried and true reflection amplification DDoS attacks that we've
[00:08:42] seen for decades. There's nothing new.
[00:08:44] There's nothing novel.
[00:08:46] The exception might be that maybe they find targets that are a little less protected than
[00:08:51] others. And so they succeed in some cases or they just have a thousand people launching
[00:08:56] attacks from 300 different Booter Strasser services, all trying to take down a plethora
[00:09:01] of targets, which we've seen.
[00:09:03] When anonymous Sudan would say, hey, we're going to go out for so and so, we wouldn't
[00:09:07] just see a few attacks here and there.
[00:09:08] You would typically see hundreds, if not thousands of attacks just swarming during that
[00:09:12] time period. So they just launched just basically the kitchen sink.
[00:09:17] All kinds of vectors. I mean, sometimes 20 plus vectors or attack types against these
[00:09:22] targets. So that's from my perspective, that's pretty easy to handle.
[00:09:26] Anybody that has DDoS protection out there knows that volumetric attacks can be mitigated
[00:09:31] pretty easily, whether it's using flow spec or it's using a scrubbing center, intelligent
[00:09:36] intelligent DDoS mitigation scrubbing centers.
[00:09:38] There's ways to do this because we've been battling these things for multiple decades.
[00:09:43] NoName, on the other hand, have changed the game a little bit.
[00:09:47] Not only do they not use a typical reflection amplification attacks, they are launching
[00:09:52] attacks from infrastructure that is somewhat novel.
[00:09:56] So what they have done, I don't remember exactly when they did this.
[00:10:00] I'd have to go back at my timeline.
[00:10:02] At some point in time, they released some custom script called DDoS.
[00:10:07] This is a script that you can run.
[00:10:08] It's written in Go. You can deploy it on pretty much any platform there is.
[00:10:12] What they have done is gamified the infrastructure.
[00:10:16] So they have put out a call to arms to essentially the whole underground and said,
[00:10:21] here's our code.
[00:10:23] Anybody that spins up infrastructure that we can use to launch attacks with our code
[00:10:29] will gain points.
[00:10:31] And you have a leaderboard and whoever is at the top of that leaderboard will get a custom
[00:10:35] digital currency that NoName has put together.
[00:10:39] And so now you have these operators that have an incentive to run these things.
[00:10:43] And so what we've seen is changes in how they're hosting that infrastructure.
[00:10:48] If you look at it on the Sudan, it's just using legitimate devices on the Internet that
[00:10:51] could reflect and amplify traffic.
[00:10:53] But if you look at NoName, they're using infrastructure in bulletproof hosting providers.
[00:10:58] These are providers that are highly resilient, resistant to takedowns.
[00:11:02] They let their users do whatever they want.
[00:11:04] And so you'll typically see NoName activity coming from these things.
[00:11:07] It's pretty static. Like these IP addresses are there.
[00:11:09] They're there to stay and they're launching attacks.
[00:11:12] But on the other hand, you see a lot of public cloud hosting being used by these
[00:11:18] adversaries. So what they will do is they will spin up free hosting accounts.
[00:11:24] They will deploy the DDoS code and they will just allow attacks to be sent out through
[00:11:29] those public cloud hosting providers.
[00:11:30] Now, they may not last very long.
[00:11:32] And most of these public cloud hosting providers would detect that outbound malicious
[00:11:36] activity and shut it down pretty quickly.
[00:11:37] But even a few hours, if you have a thousand people spinning these things out for just a
[00:11:41] few hours, I mean, you can watch a lot of attacks in that time period.
[00:11:45] And so that's what these guys are doing now from the security side.
[00:11:50] I can go back a decade in my career here.
[00:11:53] And many times when you're thinking about how do I block indicators of compromise?
[00:11:58] So in this case, DDoS infrastructure.
[00:12:01] Oftentimes you want to default to blocking the domain because the domain is going to be
[00:12:05] registered to that person, whereas an IP address could be hosting multiple things.
[00:12:08] Right. So if the adversary is not hosting a domain, but they're launching attacks from an
[00:12:13] IP address, that's a cloud hosting provider.
[00:12:16] How many additional users are on that same IP address?
[00:12:20] So typically what we do in security is there are certain hosting providers you trust more
[00:12:24] than others. And so sometimes you will put an allow list in place that says if the IP
[00:12:30] address belongs to these hosting providers, don't send it out in my intelligence feed.
[00:12:33] I don't want to block this because I'm going to block thousands of different websites or
[00:12:36] users. Well, guess what?
[00:12:38] If the adversary is there launching attacks from those things and you allow listed those
[00:12:43] IP addresses are going to get straight through.
[00:12:45] And so that sophistication level is quite different than what we've seen in the past.
[00:12:50] Now, let's not just say that adversaries haven't done something similar, but at the scale
[00:12:53] of which NoName is doing, I've not seen it before.
[00:12:57] So it's a very clear contrast between the different sophistication of these two groups.
[00:13:02] And unfortunately, we are in an era of increased global conflict.
[00:13:07] It's something we see an escalate almost on a daily basis now.
[00:13:10] So I suppose predictably your report at Netscout covers a whole range of geopolitical
[00:13:19] tensions and how they're shaping the DDoS threat landscape.
[00:13:22] But how are you seeing these tensions influence the strategies of cyber adversaries?
[00:13:28] And what can organizations caught in the eye of the storm here, how can they mitigate some
[00:13:32] risks stemming from these motivations when they unwittingly become part of the...
[00:13:38] They become the big... There's a big target over them, isn't that?
[00:13:41] Right. So I've looked across probably a decade worth of attacks.
[00:13:48] Yeah. And what we used to see in the geopolitical space was the occasional adversary
[00:13:54] launching attacks against their opponent or the occasional hacktivist that would just cause a
[00:13:58] little bit of discord. What we're seeing now is nearly every single global conflict, every
[00:14:05] single major event, everything in the gaming world that has a massive prize pool, all of
[00:14:11] these different... Hey, this prime minister said this, this person said this about NATO,
[00:14:15] this person's joining that group.
[00:14:18] All of that stuff now makes a reflection in the digital space.
[00:14:24] For instance, we're going to have a blog come out after a threat report sometime the last
[00:14:29] week of April looking at Sweden and you can actually track all of the spikes that we see
[00:14:35] in DDoS attacks against Sweden to specific comments or actions made in their bid to join
[00:14:41] NATO. The same is true of France.
[00:14:45] You can actually track it to the day February 14th and 15th saw some of the highest peaks
[00:14:52] of DDoS attacks against France, the same point in time where it was said we're going to
[00:14:58] stand with Ukraine and also Anonymous Sudan said we are going to attack you because of
[00:15:03] this. And that's what we're seeing across the board.
[00:15:06] And it's not even that it's one country in particular.
[00:15:09] For instance, Russia, Ukraine.
[00:15:10] Russia saw just as many attack increases, if not more than Ukraine did.
[00:15:15] You look at Israel and you look at the state of Palestine right now.
[00:15:19] Geographically speaking, both of those geographic regions are experiencing a certain DDoS
[00:15:24] attacks. You look at all of these things, whether it's look there's several different
[00:15:29] elections happening. There's protests with those elections.
[00:15:32] There's runoff elections.
[00:15:33] There's coups happening all over the world.
[00:15:36] When you look at the DDoS space digital world, you see that and it basically is a
[00:15:42] reflection of what is happening in the real space.
[00:15:45] So what we can infer from this, any time there is something big happening, expect that
[00:15:50] there's going to be something in the cyber world to match it.
[00:15:54] And so as long as organizations, service providers, governments, various entities realize
[00:15:59] that, hey, if I'm going to make this bold statement, if I'm going to make this move or
[00:16:05] I'm going to toss my support over here, you need to know that you're likely going to come
[00:16:09] under scrutiny and possibly experience a storm of attacks.
[00:16:13] And as long as we understand that and we are ready and prepared for those attacks, chances
[00:16:17] are you're going to be just fine.
[00:16:19] Most of the attacks in the DDoS space, as long as you're prepared, you're going to
[00:16:23] weather 80 to 90 percent of them.
[00:16:25] Occasionally you're going to have some stuff get through.
[00:16:28] If no one comes through with a very high powered application layer attack, then maybe
[00:16:32] they'll get through because you're not configured exactly properly or you've never
[00:16:36] experienced that before and you haven't tuned appropriately.
[00:16:39] Or they find the one thing that you decided not to secure and take that down.
[00:16:43] So that will still happen.
[00:16:45] But the large majority of these things can be stopped with a little bit of preparation.
[00:16:49] So my call to action for anyone that listens to this is if you are going to be in the
[00:16:54] public space anywhere, whether you make a statement or not, assume that somebody will
[00:17:00] likely find an issue with what you're doing and want to attack you at some point.
[00:17:05] So make sure you're prepared.
[00:17:07] Well, that is such a powerful point.
[00:17:09] And as a result, of course, DDoS attacks are increasingly targeting critical
[00:17:13] infrastructure and DNS servers, etc.
[00:17:16] So what are the potential long term repercussions on global Internet stability
[00:17:23] and security?
[00:17:24] Because it does seem we're seeing more and more attacks like this.
[00:17:26] We're seeing huge websites going down on a weekly basis as well.
[00:17:32] What do you think this means about the future and that stability that we maybe take
[00:17:35] for granted sometime?
[00:17:37] Yeah, the thing is, is we have to get better globally about pooling our resources to
[00:17:42] stop these things. There have been some global efforts.
[00:17:45] Source address validation across service providers is one.
[00:17:48] In other words, we want to stop any kind of spoofed traffic because if you launch
[00:17:53] volumetric DDoS attacks, you have to spoof your victim.
[00:17:56] Right. You're saying that this is me when it's not you.
[00:17:59] So if you shut down the ability to do spoofing on a network, you can no longer initiate
[00:18:03] the DDoS attack. And so that actually happened back in February of 20,
[00:18:08] 2022.
[00:18:10] And you can actually see that volumetric attacks used to be the preferred method when
[00:18:15] that went into place. And a lot of these large service providers implemented that global
[00:18:18] change. You saw direct path attacks, things that are not using spoofed initiation
[00:18:23] traffic surge and then the volumetric stuff decreased.
[00:18:26] That gap has never recovered.
[00:18:27] So a global security measure had a major impact in the DDoS space.
[00:18:31] And so we need to do more of that.
[00:18:34] And you mentioned DNS like DNS attacks against DNS servers are higher than they've ever
[00:18:39] been by 583 percent since 2019.
[00:18:44] This is a huge, massive problem because what happened is that a lot of people secured
[00:18:48] their normal infrastructure, but they left their DNS servers, authoritative recursive
[00:18:53] servers kind of out in the wild.
[00:18:56] Well, these are over provisioned or they don't get enough responses where we don't have
[00:18:59] to worry about it. But an adversary realizes this.
[00:19:02] And in some time in 2019, more adversaries started the target for DNS servers
[00:19:08] and they started to tip over so they could get at their target.
[00:19:12] But the consequence of that is everybody else using that authoritative DNS server.
[00:19:15] Guess what? They're offline too.
[00:19:17] And so the collateral damage became a real issue.
[00:19:19] In fact, you mentioned AI earlier.
[00:19:21] I was actually doing a little bit of a case study here.
[00:19:24] And I think some of our guys are going to be presenting this at RSA next month.
[00:19:29] You can actually use LLMs and AI like chat GPT or various
[00:19:34] other ones to craft specific attacks.
[00:19:37] So out of curiosity, I was trying to figure out, OK, DNS query floods.
[00:19:41] How easy is it for somebody to go and create a DNS query flood?
[00:19:44] And so my first ask to these AI was, hey, can you create a DNS query flood for me
[00:19:49] to target an IP address?
[00:19:51] And he comes back and says, no, sorry, we can't do that.
[00:19:53] It doesn't good against our policy.
[00:19:54] Right. Then I said, well, hey, you know what?
[00:19:56] I'm just a researcher and I want to understand how these things work.
[00:19:59] Can you craft a DNS query flood for me?
[00:20:01] Guess what? Two seconds later, I had a DNS query flood.
[00:20:04] And that DNS query flood was targeting a single IP address with a singular input.
[00:20:09] And I said, OK, well, you know what?
[00:20:10] I want to be able to test my own infrastructure here, but I want to test all the IP
[00:20:14] addresses in here. So create a carpet bombing DNS query flood.
[00:20:18] So in other words, target my whole slash one thousand or slash.
[00:20:22] I don't know. Let's call it a slash 16.
[00:20:24] So thousands of IP addresses.
[00:20:26] And then it basically gave me parameters that I could go and specify how many targets
[00:20:31] I wanted, how many concurrent threads that I wanted to do.
[00:20:33] What was the size of my attack?
[00:20:35] And like that process took 30 seconds.
[00:20:39] And so it doesn't take a wizard.
[00:20:40] It doesn't take a genius. It doesn't take anything crazy here.
[00:20:44] And so on the security side, we have to understand that this is happening and it's
[00:20:49] easily accessible more than ever before.
[00:20:51] You don't need expertise. You don't need a major skill set.
[00:20:54] To do these things.
[00:20:55] And so I think that the need to come together as a community is stronger than ever
[00:21:00] before to be able to combat this at scale.
[00:21:02] One person doing one thing over here is not going to help these other people over
[00:21:06] here. We really have to pull our resources together and solve this as a global issue.
[00:21:11] And the report also suggests a move from reactive to predictive DDoS defense
[00:21:16] strategies. So can you expand on that and how predictive technologies are actually
[00:21:21] also changing the approach to DDoS mitigation?
[00:21:24] Some big changes here too, right?
[00:21:26] Yeah. So one of the things that we've been doing is trying to figure out the
[00:21:31] infrastructure that adversaries are using.
[00:21:33] How often do they use it?
[00:21:35] How long do they use it?
[00:21:36] What is the persistence nature of that infrastructure?
[00:21:39] And I think the last report we did was one of the first times we talked about this
[00:21:44] where we determined that the high impact infrastructure.
[00:21:47] So these are the things that are impacting the most amount of our customers with the
[00:21:51] most amount of attacks for the longest period of time.
[00:21:54] There is a 90 percent persistence ratio of those things for more than a month.
[00:21:59] So you can you can basically there's this weird balance here where on one hand you
[00:22:03] have to be a little bit reactive because an adversary can literally throw anything at
[00:22:07] you out of the blue.
[00:22:09] There's no way to understand in their head what they're going to do before they do
[00:22:13] it. Right. We're not omniscient.
[00:22:14] And so there is this level of reactivity there where the moment we see them leverage
[00:22:19] something, we may have already known about that infrastructure, but it was just kind of
[00:22:23] sitting dormant. And this is true for all of our reflection amplification vectors.
[00:22:28] If I were to push every single IP address that could potentially launch one of these
[00:22:33] attacks, we're talking like 500 million IP addresses.
[00:22:36] Nobody in their right mind would ever block 500 million IPs.
[00:22:39] And you wouldn't want to because most of that's legitimate infrastructure.
[00:22:43] So the reactive part here is as soon as we see that any one of those 500 million go
[00:22:48] active, that now becomes an active attacker.
[00:22:51] And so from that point on, it is now predictive because any other attacks they launch
[00:22:57] from that are then going to be stopped using threat intelligence.
[00:23:01] And because we know this is highly persistent infrastructure, we're basically saying for
[00:23:05] the next month, the infrastructure they're using to launch these really high, impactful
[00:23:09] things you're going to be OK from.
[00:23:11] And so that's the predictive nature.
[00:23:13] Now, are we ever going to get omniscient and actually know what they're going to do
[00:23:16] ahead of when they do it? Probably not.
[00:23:18] I don't think anybody can do that.
[00:23:20] But there are ways that we can use the different trends, the technologies, the bellwethers
[00:23:25] so we can look at it when an adversary is starting to probe a new port protocol.
[00:23:29] What are they looking for? Maybe we can get ahead of them.
[00:23:31] We've started to do that a little bit with some of these vectors.
[00:23:34] When we see, hey, you know what, there's this new port that is not currently assigned to
[00:23:38] anything, but man, they're hammering it.
[00:23:41] Can we look at that packet?
[00:23:42] Can we look at that traffic and say, hey, they're doing these things and it's causing
[00:23:46] this amplified response.
[00:23:48] So now we can understand that, hey, you know what, if they weaponize this, it's going to
[00:23:51] be a new reflection amplification vector.
[00:23:53] And so we can then start scanning for and we can start identifying the infrastructure
[00:23:58] before it hits the wild.
[00:24:00] And that's predictive nature.
[00:24:02] And so there's several things in several steps that we're doing to try to get ahead of
[00:24:06] the adversary or at least be as immediate in our reactive response as possible so that
[00:24:11] we can then solve for the future.
[00:24:14] And for any business leader listening to our conversation today, they are now officially
[00:24:20] concerned, they want to improve their defense strategy, maybe they don't know where to
[00:24:24] start. Are there any actionable recommendations that you could provide from everything
[00:24:30] that you've learned at NETSCOUT for any organization looking to enhance their defenses
[00:24:34] in light of some of these evolving threats?
[00:24:37] We have their ear right now.
[00:24:39] What would you advise for them?
[00:24:41] So the number one thing that I will say to any company, any enterprise out there is
[00:24:46] visibility is the single most important aspect of anything you can do.
[00:24:51] In security, we used to say prevent, prevent, prevent.
[00:24:53] Now we understand that you can't prevent.
[00:24:55] There's just no way to prevent every possible avenue, every threat.
[00:24:59] And so what you want next is visibility.
[00:25:01] How fast can I find a threat against me?
[00:25:04] How fast can I find something that is impacting me and how fast can I remediate that?
[00:25:09] Visibility is the single most important part of that.
[00:25:12] And if you're looking for visibility, NETSCOUT is your leader in visibility on the
[00:25:19] network. This is where NETSCOUT got started 30 years ago, is giving visibility into
[00:25:24] organizations so that you can truly understand everything from the edge of your
[00:25:29] network down into the deepest backbone of your network.
[00:25:31] And the thing is, is packets don't lie.
[00:25:34] If an adversary is coming at you externally, guess what?
[00:25:37] That's a packet. If an adversary is inside your environment and spreads laterally, guess
[00:25:41] what? That's a packet. If an adversary is trying to exfil data from inside to outside,
[00:25:44] guess what? That's a packet. So as long as you have visibility on your network, you can
[00:25:50] make informed decisions about what you need to do.
[00:25:52] That visibility is also going to let you know that, hey, you know what?
[00:25:54] We are a threat or we are at risk with DDoS attacks.
[00:25:58] So in addition to that visibility, now I need to make sure that I'm prepared to handle
[00:26:01] DDoS attacks going forward.
[00:26:03] And so oftentimes I'll hear customers say, or sorry, non-customers, but maybe we're in a
[00:26:07] POC or maybe I'm talking to folks trying to get them engaged.
[00:26:11] Oh, DDoS, we don't get attacked by DDoS attacks.
[00:26:14] Like great. How do you know?
[00:26:16] Oh, our stuff doesn't go down.
[00:26:18] Right. Well, how do you know?
[00:26:19] They don't know because they don't actually know what's on their network.
[00:26:22] They don't know what's hitting them from a network perspective.
[00:26:23] Now, they could be getting DDoS attacks.
[00:26:26] They could be experiencing lag in some places.
[00:26:28] Maybe some of their employees are like, hey, I can't connect for 20 minutes.
[00:26:32] Well, they might not send an IT ticket for that.
[00:26:34] They're going to be like, hey, that's a 20 minute break or I'm going to go on a coffee
[00:26:36] break. So they may never report that.
[00:26:39] So you could very much be impacted and not really know it because it's not having
[00:26:43] significant public facing takedown efforts.
[00:26:46] And so getting visibility on your network is going to really solve that problem.
[00:26:50] And if we have one eye on the future for a moment, are there any other key areas of
[00:26:55] innovation or improvement in DDoS defense that you think will become crucial in the
[00:27:01] months and maybe even years ahead?
[00:27:04] I think that some of what we're doing with this adversary intelligence is really key.
[00:27:09] It used to be that for a long time you would say, you know what, as a service provider,
[00:27:13] I'm going to set my bandwidth throughput thresholds and I'm just going to call it a
[00:27:16] day. If anything exceeds this, then I'm going to call it a day.
[00:27:19] If anything exceeds this, then I want to block.
[00:27:22] Well, you know what? There's a lot of downstream that are getting impacted by those
[00:27:26] attacks. But the service provider says, you know what, it's not really impacting most of my
[00:27:29] customers. It's going to cost me more to mitigate everything.
[00:27:33] And so I'm just kind of let some of that stuff through.
[00:27:36] And service providers have to make that ROI decision, right?
[00:27:39] What's most effective for them across all of their customer base?
[00:27:43] And that's an ongoing conversation.
[00:27:44] Well, what if you can use threat intelligence that says, you know what, I'm not going to
[00:27:49] just mitigate the one gigabit stuff.
[00:27:52] I'm going to look specifically at bad guy infrastructure and I'm going to squeeze that
[00:27:57] infrastructure such that any traffic coming from them can never achieve those
[00:28:02] high bandwidth throughput watermarks that are previously had.
[00:28:05] And so using that predictive threat intelligence where we just kind of walk through as a
[00:28:10] means to do DDoS detection, I think is huge.
[00:28:14] And it's something that we've recently gone live with in some of our products specifically
[00:28:18] so customers can then look at just bad guy infrastructure and say that I'm going to
[00:28:24] get ahead of the game and I'm never going to let them exceed a bandwidth throughput
[00:28:28] threshold that I have over here for the rest of my customers.
[00:28:30] And so to me, that's a huge game changer.
[00:28:33] And then the other side of this would be what are we talked about with the DNS stuff?
[00:28:38] Most of the time, DNS is a target because it's not protected.
[00:28:43] And so that's changing.
[00:28:45] More and more people are realizing that they need to have protection on DNS servers, but
[00:28:50] it's not moving fast enough.
[00:28:51] And so adversaries are still succeeding at these attacks.
[00:28:54] They're ramping up these attacks and they're going to continue to do so until they
[00:28:57] realize it's a non target.
[00:29:01] So we need to make sure that we're proactive here.
[00:29:03] We're securing our DNS assets.
[00:29:05] We're specifically looking to scrub bad traffic from our networks to allow the rest of
[00:29:10] our users to operate in peace.
[00:29:13] Well, I think that's a powerful moment to end on.
[00:29:15] And I cannot thank you enough for coming back on the podcast.
[00:29:18] But before I let you go the drill now, I always ask my guests to leave one final gift.
[00:29:23] So is there a book that you'd like to add to our Amazon wish list?
[00:29:27] It's been a while since we last spoke.
[00:29:28] Anything you'd like to add to our reading list?
[00:29:31] It's not a self-help or it's not like a nonfiction book.
[00:29:35] And if I wasn't having my green screen here, as Neil was talking about before we started
[00:29:40] here, you would see that I have marbles on my wall.
[00:29:43] There is a book that I read when I was 12.
[00:29:46] I think it had just been released by Troy Denning.
[00:29:48] It's called Star by Star.
[00:29:49] It's a Star Wars book in the old extended universe.
[00:29:53] When I read that, I wasn't an avid reader.
[00:29:55] I was more go outside, get on my skates, get on my skateboard, just play outside, climb
[00:30:00] the trees, break my arm, that kind of thing.
[00:30:01] I was very much an outdoors kid.
[00:30:04] When I read Star by Star, the way that Troy Dennings just threaded the world and just
[00:30:10] had this amazing visual aspect of a space opera, it just hooked me.
[00:30:15] And from then on, I have been a voracious avid reader of sci-fi and fantasy.
[00:30:20] And all thanks to that one book, a friend saying, hey, you should read this at 12
[00:30:25] years old. And since then, I can't even count how many science fiction I've read or
[00:30:29] written. And so it's just there's so much that I could go back to.
[00:30:33] But that one book was the catalyst for me to enjoy reading for pleasure.
[00:30:39] Oh, what a great choice.
[00:30:40] I'll get that added straight to our Amazon wishlist for people to check out.
[00:30:44] And we covered so much today.
[00:30:47] And for anybody listening just wants to find out more information about that threat
[00:30:50] intelligence report, maybe even take a look or just find out more information about
[00:30:55] NETSCOUT and the work you're doing and contact your team.
[00:30:58] Where would you like to point everyone listening?
[00:31:00] So NETSCOUT.com slash threat report, it's highly interactive.
[00:31:04] There's some more interactivity than we've ever had before.
[00:31:07] For instance, you can choose through a bunch of different industries in the
[00:31:10] enterprise to figure out what kind of threats they're facing.
[00:31:13] So there's some really cool things and I definitely encourage you guys.
[00:31:15] We've completely redesigned the landing page.
[00:31:17] So explore it.
[00:31:19] Have fun. And any questions.
[00:31:20] We also have ask Acert at NETSCOUT.com.
[00:31:23] So anybody can send in questions.
[00:31:26] And typically when we get questions from Ask Acert, we'll try to do videos, two or
[00:31:30] three minute videos explaining those questions.
[00:31:33] Oh, that's an incredibly cool idea.
[00:31:35] I would urge anyone listening to do that.
[00:31:37] And we we covered a lot today from DDoS attack activity ties to the leadership
[00:31:42] elections. I was reading only a few days ago, something like half the planet, four
[00:31:46] billion people going to elections this year.
[00:31:49] And no surprise that these DDoS attack campaigns like No Name, Anonymous, Sedan
[00:31:53] and twelve hundred other groups out there absolutely blow my mind.
[00:31:57] But thanks as always for bringing everyone up to speed.
[00:32:00] Absolutely, Neil. Thanks for having me.
[00:32:02] It's been a pleasure.
[00:32:04] Now, as we conclude today's insightful discussion with Richard around the evolving
[00:32:09] DDoS threat landscape, I think it's clear that the stakes are higher than ever.
[00:32:14] And with critical infrastructure increasingly in the crosshairs, combined with the sheer
[00:32:19] volume of attacks that are skyrocketing right now, the urgency for organisations to
[00:32:25] adopt advanced predictive security measures has never been more apparent.
[00:32:31] So what steps will you take to safeguard your digital frontiers?
[00:32:36] Have you considered how visibility into your network traffic could hold the keys to
[00:32:42] an improved, enhanced defence strategy?
[00:32:46] Well, this is where I invite you to share your thoughts.
[00:32:48] Join the conversation on how we can collectively fortify our defences against these
[00:32:54] increasingly sophisticated threats of tomorrow.
[00:32:57] So email me, techblogwriteratoutlook.com, Twitter, LinkedIn, Instagram, just at
[00:33:02] Neil C. Hughes.
[00:33:03] Let me know your thoughts.
[00:33:04] And I also cordially invite you to join me again tomorrow where we'll do it all again
[00:33:09] and explore a completely different topic.
[00:33:13] But that's it for today.
[00:33:14] So thank you for listening as always.
[00:33:16] And until next time, don't be a stranger.