What NETSCOUT's Threat Intelligence Report Means For Every Security Leader
The Business of Cybersecurity | June 26, 2026 | 00:29:47 | 27.28 MB

What happens when anyone with a simple AI prompt can launch a sophisticated cyberattack?

In this episode of The Business of Cybersecurity, I sit down with Darren Anstee, CTO for Security at NETSCOUT, to discuss the findings from the company's latest Threat Intelligence Report and why the cybersecurity landscape is changing faster than many organizations can respond.

We explore how conversational AI is lowering the barrier to entry for cybercriminals, making it possible for attackers with little technical expertise to orchestrate increasingly sophisticated DDoS campaigns. Darren explains why this shift isn't simply creating more attacks. It's changing who can launch them and how quickly they can adapt.

Our conversation also looks at the growing collaboration between threat actors, the continued rise of politically motivated hacktivist groups, and why attacks are increasingly targeting entire digital supply chains rather than individual organizations. As businesses become more interconnected, defending your own infrastructure is no longer enough.

We also discuss why compromised customer devices are creating new operational and reputational challenges for internet service providers, how AI is reshaping both offensive and defensive cyber capabilities, and why preparation, visibility, and threat intelligence matter far more than reacting after an attack has already begun.

Darren also shares practical advice for security leaders looking to move from reactive incident response to proactive cyber resilience. From understanding your true attack surface to building adaptive defenses that continuously learn and respond, this episode offers clear guidance for organizations preparing for the next generation of cyber threats.

If AI is making cyberattacks easier to launch, how should businesses rethink the way they defend themselves? After listening, I'd love to hear your thoughts. Is your organization ready for this new reality, or is there still work to do?

[00:00:00] It's not your fault that your agentic AI systems are acting outside of compliance. There are just too many data sets to guardrail them all. But with Denodo, you can now organize your hundreds of data sources into one layer and govern your agents with a single approach. Try it now with Denodo by visiting denodo.com to learn more.

[00:00:31] How vulnerable is the internet when anyone with a chatbot and a grudge can suddenly launch a sophisticated cyber attack against you? Well, today on the Business of Cybersecurity podcast, I'm joined by Darren Anstee, CTO for Security at NETSCOUT.

[00:00:51] A company with visibility into hundreds of terabits of internet traffic and millions of DDoS attacks every single year. And he's someone that spent more than two decades tracking the evolution of distributed denial of service attacks. And in today's conversation, we're going to examine a threat landscape that is changing at an alarming pace.

[00:01:15] Because we're going to talk about NETSCOUT's latest threat intelligence findings, including the rapid rise of AI-powered DDoS for Hire platforms. Platforms that now allow unskilled attackers to orchestrate a complex campaign using simple natural language prompts. And Darren will explain why conversational AI is actually lowering the barrier to entry for cybercrime and how threat actors are operating more like modern businesses.

[00:01:45] And why service providers are suddenly facing huge reputational and operational risks from compromised customer devices that are generating outbound attack traffic at terabit scale. And we'll also discuss hacktivist groups, the growing collaboration between threat actors, the risks facing critical infrastructure ahead of major global events like the World Cup in the US. And also discuss why reactive cybersecurity strategies are quickly becoming outdated.

[00:02:15] Because Darren is going to be sharing practical advice for security leaders today that are looking to strengthen their resilience before that next wave of AI-assisted attacks arrive. So if you've been hearing executives casually mentioning AI guardrails and governance without fully understanding the risks underneath, I'm hopeful that this conversation will give you lots to think about. But enough scene setting for me. Let me reintroduce you to Darren right now.

[00:02:45] So a massive warm welcome back to the show. It's always a pleasure to speak with you. But can you just remind everyone listening a little about who you are and what you do? I'm Darren Anstee. I'm the CTO for security at NetScout. I've been at NetScout since 2003 through their acquisition of Arbor Networks back in 2015. So I've been very focused on the distributed denial of service attack kind of threat space for the last, well, 20 plus years now.

[00:03:14] And not only that, I also believe there is a new NetScout threat intelligence report. This time around shows a staggering surge in dark web discussions around malicious AI tools, etc. But tell me a little bit more about that report and some of the findings in there. So every six months we publish our NetScout threat report. It's kind of split into, I suppose, two separate areas.

[00:03:40] There's a lot of statistics in there based on the unique visibility that we have of what's going on across the Internet. That visibility is fed back to us by our customers. About 540 service providers, a couple of thousand enterprises feed data to us every hour on the traffic on their networks and also on the kinds of distributed denial of service or DDoS attacks that they see. That gives us visibility into about 800 terabits per second of traffic.

[00:04:09] We get about 8 million DDoS attacks reported to us every six months. So there's a lot of data in the report around the nature of attacks, attack vectors, where they're going, where they're coming from and the changes that we see there. And then the second part of the report, I suppose, is more analysis from our threat research team who are looking at, you know, the hacktivist groups and what they're doing, how they're targeting, what, you know, the kinds of methodologies and tools they're using.

[00:04:39] But then also they're looking at things like the DDoS for hire services. And as you rightly pointed out, the big one from the last threat report was the integration of AI chatbots into those DDoS for hire services to make it even easier to launch sophisticated attack campaigns. So, yeah, that's kind of the overview of the threat report itself. And I'm so glad that you brought that up because I've been to, I think, at the time of recording, I've been to 15 tech events this year.

[00:05:07] And predictably, every single one of them is about AI agents and, hey, you can release 100 or thousands of different AI agents out there. Whenever I challenge them on it and say, what about security? They'll say things like guardrails and governance. They'll tick those boxes and up they go, you know. But it still makes me incredibly nervous.

[00:05:27] So, for people listening and being to all these tech conferences as well and hearing this narrative, can you expand on how conversational AI assistants fundamentally changed the DDoS for hire landscape for unskilled threat actors? Because it's something we need to talk about, right? Yeah. So, I mean, I always hark back to 2012 for this. So, apologies for the history lesson. But if we go back then, there was an attack campaign called Operation Ababil, which targeted the North American financial sector. It was well publicized at the time.

[00:05:57] The people behind that went after some really big U.S. financial institutions. And they were kind of the first well-publicized campaign where there was a lot of active reconnaissance of the targets in terms of the infrastructure, the applications, the dependencies, all of those things. They then tailored the attack vectors they were going to use based on that reconnaissance. And then they monitored the effectiveness of those attack vectors and changed them if they weren't working.

[00:06:24] And they could do that because they really knew what they were doing and they were well-resourced. So, they had the skills and the capability fundamentally. Since then, over the last, I suppose, what, 10, 13, 14 years or so, those capabilities have kind of been integrated into the DDoS for Hire services.

[00:06:43] And a couple of years ago in a Netscout threat report, we put a lot of screenshots into the report of some of the DDoS for Hire services where we kind of emphasized that you could sit there in your chair and you could point and click in a nice graphical user interface to recon a target. You'd get the results. You could pick the attack vectors that you wanted to use and launch those attack vectors. You could change the attack vectors if the attack wasn't effective. And it was all through a nice graphical user interface. So, pretty much anyone could do it.

[00:07:12] But you had to understand what you were doing to do that. What we've seen now is that there are chatbots out there that are fronting these services where you can effectively just say, I would like you to disrupt, you know, this target during business hours tomorrow. And the chatbot will then orchestrate effectively the reconnaissance, looking at the results, picking the right attack vectors, figuring out what time business hours are in the geolocation of your target,

[00:07:38] and then launching the attack at the appropriate time in the appropriate way. So, you no longer even need to understand the results that the user interface is presenting to you of that reconnaissance. You no longer need to understand which attack vectors map into that reconnaissance because it just does it all for you. So, it really does take away the kind of last vestiges of you having to know what you're doing to launch more sophisticated attack campaigns. And talking to our service provider customers, we had a customer event last week.

[00:08:08] We are seeing more of these more sophisticated attack campaigns. You know, service providers used to see them a few times a year. They're seeing attacks all the time, but they'd see these focused, sophisticated attack campaigns a few times a year. Now they're seeing them at least once a month. And we anticipate that, you know, this is going to continue to increase as more of these tools integrate these chatbots and as they make the chatbots more freely available.

[00:08:34] So many big talking points there because we are seeing a massive shift this year where bad actors can orchestrate complex attacks using simple language prompts. And I'm curious, with AI lowering the barrier to entry so drastically, what does this democratization of cyber attacks mean for that average business, the average size business and business leaders listening there? What should they be doing to prepare against stuff like this? Well, the key thing is preparation.

[00:09:01] Because, you know, if you're targeted by one of these attack campaigns, you know, trying to react without having done any of the preparation around making sure you've got the right services, the right technologies, the right operational processes in place is going to be a scramble. So preparation really is key. But I suppose the key thing really is to understand, you know, your risk as an organization. What does your threat surface really look like?

[00:09:26] And the big change, I think, there over the last 12 to 18 months is that you have to look beyond not just the infrastructure that you manage as an enterprise now, but also the dependencies within your digital supply chain. What we're seeing now is that attackers, if you are a well-defended organization, they will figure that out quite quickly and they will look for other things that you are dependent upon.

[00:09:53] So, you know, is your primary web service that you offer to your customers or the APIs that your customers access, are they reliant on some other back-end service that's outside of your control? Or is there something you're reliant on that's two steps away? Because attackers are now going after that broader threat surface. They're going up the supply chain because they know that some of those smaller organizations may not be as well-defended and they stand more chance of knocking them over and then by virtue of that, knocking you over.

[00:10:23] So, understanding your threat surface, understanding the risks that different aspects of that threat surface pose to you. So, what does it cost if this fails? What does it cost if this fails? What is the business impact if those things happen? That's hugely important. And then the second thing is making sure that you have got the right services and technologies in place.

[00:10:43] You know, most medium to large enterprises now have DDoS protection services from either their service provider or from what's called a carrier agnostic DDoS protection provider. So, people generally go with those if they've got multiple service providers and they don't want to buy multiple services. You go for somebody that's a kind of tier above, if you see what I mean. So, you need to make sure that's there to deal with the big attacks. But you also do need on-prem defensive capability. Those services take a while to react.

[00:11:13] They won't see a lot of the small and more sophisticated stuff. So, you need on-prem defenses in place that really focus in on your traffic and your environment so that you can block those more sophisticated attacks before they have an impact. You know, if you look at the threat report, almost three quarters of attacks are less than a gig in size. You know, 60% last less than 10 minutes. There's a lot of small, short-lived stuff going on out there, you know, that the big services won't react fast enough to or may not even see.

[00:11:43] But they will still cause an impact for an enterprise, especially to infrastructure like load balancers and firewalls and things like that. So, that on-prem layer of defense is hugely important. And, of course, while we're recording this today, we were both talking before we hit record about the sweltering temperatures here, 30 degrees Celsius or around 90 Fahrenheit for our U.S. friends listening.

[00:12:07] But, of course, we're only four months away from the holiday season, those big Black Friday sales, etc. It's just around the corner, isn't it? I think businesses do need to prioritize this sooner rather than later. Yeah, and, of course, between now and then, you've got the World Cup as well for our U.S. friends. So, you know, there is an enormous threat surface around the World Cup.

[00:12:31] Major sporting events always attract a lot of DDoS attack activity, especially if there's any geopolitical sensitivities around the sponsors or around where the games are being hosted or anything like that. And, of course, there is a lot of geopolitical conflict around the world at the moment. So, there has been a lot of preparation for defending, you know, the World Cup.

[00:12:54] But, you know, that's going to be the next big test of defensive capability, I suppose, because the threat surface there is enormous. It's not just, you know, the World Cup itself. It's the sponsors. It's the transport infrastructure. It's the payment portal so that you can buy merchandise, buy drinks in stadiums, all of those kinds of things. And that's before you get to content distribution, which is kind of a global threat surface. So, yeah, there's lots going on around that as well at the moment.

[00:13:23] And with outbound DDoS traffic now becoming this massive industry-wide challenge, especially with compromised customer equipment recently seen generating floods exceeding, I think, one terabyte, was it, I think? I mean, what is the operational and reputational risk for service providers that are hosting these infected devices too? Yeah. So, this is a bit of a wake-up call for a lot of operators.

[00:13:48] I mean, there has been compromised subscriber infrastructure in ISP networks forever. You know, if you go back to the noughties, people had compromised Windows workstations and things like that. And those compromised devices have long been generating outbound DDoS attacks. But for most service providers, that was kind of noise on their networks. So, the attack traffic was coming from them, going somewhere else, wasn't impacting their ability to deliver service.

[00:14:15] So, when they assessed their business risk, you know, it didn't really warrant any investment in monitoring or mitigation or those kinds of things. Fast forward to now, and well, six to nine months ago, and you've got the advent of the Turbo Mirai botnets, which are kind of the latest class of Mirai botnets. So, these are the kind of multiple evolutions on from what we saw in 2016. Now, these botnets are different in that they are bigger. So, you're talking millions of IoT devices.

[00:14:45] And they're bigger because they are compromising a broader set of things. So, you know, we've always talked about CCTV cameras, DVRs, compromised subscriber CPE. These botnets have managed to get inside home networks and other networks through the NAT, effectively, via VPNs, via proxies that people have installed to get around things like content geofencing and things like that. So, they've gotten in, they've compromised a much bigger set of devices.

[00:15:15] And, of course, we've all got high-speed internet connectivity today. You know, gig to the home is not unusual. So, when you get that combination of massive numbers of devices and high-speed internet connectivity, you get enormous DDoS attacks, like the 30 terabits we saw before Christmas, four giga packets per second. You know, that's almost an order of magnitude bigger than anything that has ever been seen before across the internet. The challenge for a lot of service providers is these compromised devices are in their subscriber populations.

[00:15:44] So, whereas previously that outbound attack traffic was noise, now you've got thousands, tens of thousands, hundreds of thousands of devices all sending that traffic outbound through your network at the same time. And as you pointed out, we are aware of multiple operators that had over a terabit of outbound attack traffic on their networks. Now, that causes problems. It causes problems at the customer aggregation edge. You can get congestion.

[00:16:11] And, at that point, you've got whole markets that are having service issues. From an operator's perspective, that is very bad from a reputational perspective. And, of course, that drives customer churn. And it's also very bad from a cost perspective because everybody phones up to find out why their internet service isn't working. And each of those calls, each of those interactions costs money. But beyond that, you also have the problem that these are what are called direct path attacks.

[00:16:39] So, the attack traffic is coming from the compromised device to the target. So, when the target gets the attack and it disrupts their business or causes a problem, they can look at the source address of that traffic. And they can say, hang on a minute. That source address is registered to that service provider over there. And I've got a terabit of traffic. And it's all coming from that service provider over there.

[00:17:01] And, again, that is reputationally very bad for that service provider because they're now associated with having a lot of bad traffic coming from their network. But also, there has been discussion now, although we haven't seen anything happen yet, about the legal side of this. You know, is there any liability, you know, for generating these very large attacks? So, things are changing here.

[00:17:25] And what we're seeing from talking to our customers is that they are now starting to more proactively monitor and mitigate outbound DDoS attacks, primarily because of the impact they've seen to their own businesses. So, you know, they've reassessed that business risk and they've gone, hang on a minute. This is a bigger problem than we'd thought in the past. Now, things have changed. We need to be putting monitoring and mitigation capabilities in place.

[00:17:49] So, it's almost like, you know, they used to have an umbrella that covered them from the problems coming down from the sky. Now, they have to worry about the rain splashing up from the pavement as well, fundamentally. So, yeah, you need to cover the whole environment. Wow. And it's also important to highlight as well, despite the recent coordinated international law enforcement takedowns, we've seen a lot of those. Hacktivist groups still remain highly active, often claiming hundreds of attacks in a single month.

[00:18:17] So, how are these actors adapting to evade authorities and maintain their level of resilience this year? So, you know, they're doing all of the things that are common sense, I suppose. You know, you don't have a single point of failure. So, you don't have one person that's controlling it. You make sure multiple people can control the infrastructure that's available to you.

[00:18:38] When you invest in building out the infrastructure that's available to you, you make sure there are fallback mechanisms within the malware that you're using, within the capabilities that you're deploying, so that if your primary command and control servers go away, you've still got a way of reaching out to that infrastructure at a later date and bringing it back into the fold to your new command and control infrastructure. So, they're using these kind of well-understood mechanisms to do that.

[00:19:34] It's higher than it was to start with. So, takedowns work. And obviously, you know, in some cases there are arrests as well. So, you are taking people off the street that are behind this stuff. But the impact to the threat landscape tends to be fairly transitory. So, things tend to come back fairly quickly, unfortunately. And threat actors are also increasingly scaling their operations, ironically, like legitimate enterprises, even forming partnerships to launch collaborative campaigns.

[00:20:04] How is that highly collaborative threat landscape? How is this amplifying the risks for critical infrastructure? Because it's something I've not seen before. No, I mean, this seems to be – so, in some ways it's new and in some ways it's not. So, historically, if you look at the way that bad actors have shared information, that's been there for a long time.

[00:20:25] So, you know, in terms of sharing code for malware, in terms of sharing the lists that we use to amplify reflection amplification attacks when they were dominant through the kind of 2010 to 2022 period, there was a lot of sharing going on across the community there. But we didn't see them kind of teaming up fundamentally to go after a given target. That is something we are now seeing.

[00:20:49] And, you know, given the proliferation of the ideologically motivated hacktivist groups that are out there, where you can find a similarly motivated partner, let's say, who has a different set of capabilities to use. So, maybe they're using a different set of infrastructure to generate their attacks. Maybe they're using a different set of attack vectors. Because working with them can really amplify the amount of attack traffic that you can generate.

[00:21:14] So, you're referring to the collaboration we saw between Chemus Plus and DDoS 54, I'm guessing, where, you know, we hadn't seen very large attacks from either of them. And then they got together and suddenly we saw an attack up at about 44 gigabits per second, which is not life-altering in terms of, you know, the scale that we've seen from, you know, the Aisuru botnets and things like that. And then, you know, the Mirai botnets up at terabits per second.

[00:21:38] But it's enough to have a very significant impact to a target, especially in, you know, the parts of the world where they were targeting. So, yeah. And you've seen or overseen many of these reports throughout your career. I'm curious, did anything surprise you in this one? So, this one, I would say, when it came to looking at the attack vector side of things, the trends that we've seen in this one are kind of aligned with what's been going on over the last few years.

[00:22:08] So, continued growth in the use of carpet bombing as it's integrated into DDoS for Hire services, the Turbo Mirai botnets, things like that. More use of multi-vector attacks again because that's integrated into the DDoS for Hire services and the botnets that are out there. More use of kind of TCP flood-style attack vectors because direct path attacks are now dominant from bots. So, really continuing trends, I would say, there.

[00:22:36] The hacktivist side of things, again, is kind of a continuing trend. You know, since Russia, Ukraine, and now with the Middle East, there has been huge proliferation in both the number of groups using DDoS and the number of attacks that they generate. Yes, their targeting tends to split between those that want to actually cause disruption and those that just want to make a noise and raise their profile. But, you know, those trends have been ongoing for a while and have continued.

[00:23:05] I think the big change to me for this one was the AI chatbot integration. You know, we're all used to using AI now on our phones or even in security tools that we have, you know, within our security stacks to deal with certain things or to help analysts work faster, that kind of stuff. But the speed with which this has been integrated into the DDoS for Hire services and the capability that it has, that was a bit of a surprise, let's say.

[00:23:31] You know, I knew it was coming, but I didn't think we'd see it quite yet. And I didn't think it would have the level of capability that it has quite yet. But it does show you that, you know, these people are very innovative and, you know, anything that you can do on the good side of stuff. I mean, I play a lot with AI. They can do as well. They just have, you know, slightly more nefarious outcomes in mind. So, yeah.

[00:23:56] Defending against today's evolving threats increasingly requires AI-powered threat intelligence and autonomous defense mechanisms. So, to give everyone listening an actionable takeaway, so to speak, are there any immediate steps that security leaders should be taking to shift from that reactive mitigation to this kind of proactive adaptation that we're seeing? Yeah. So, I think the intelligence side of things is hugely important.

[00:24:25] You know, the way in which DDoS attack infrastructure is used and reused. Well, I just said it is reused. Yeah. People build out these botnets. You know, they may have millions of devices in them. They won't use all of the botnet at any one time in any one attack. They'll use 100,000 hosts here and 100,000 hosts there so that they can move where the attack is coming from around to make it harder to mitigate. And also to make sure that they're generating attack traffic usually nearer to the geolocation of where the target is.

[00:24:54] Because, again, that can make it harder to block. But, you know, these kind of, I suppose, the way in which it's reused means that you can build up clusters of information around where the infrastructure is and what the infrastructure is. If you can do that in a timely enough manner and push that down into defensive technologies, then that can really accelerate both the detection of attacks and the mitigation of attacks.

[00:25:23] Because, you know, in advance where the attack might come from. And if it starts, you can go, yeah, that's, you know, I don't need to wait and find out if that's a false positive. That's been involved in an attack before. The attack, look, that traffic looks like attack traffic. I'll just get rid of it right now. So it enables you to be more proactive. You also, though, need to be conscious of the fact that the attacks that are going on right now are multi-vector. There is more use of things like rotation and randomization in the attack vectors.

[00:25:50] And that means that the tools that you're using or the technologies or the platforms or the services that you've got in place to defend against DDoS have to be adaptive in their own right. They need to be constantly reassessing what's going on. They need to be making sure the right threat intelligence is being applied based on the attack vectors that are being used. They need to be proactively monitoring what they are passing to make sure nothing is leaking through that looks unusual.

[00:26:16] And again, what you really want there is a kind of a closed feedback loop where the technology that you're using is doing that, assessing whether anything is leaking through. But then also making recommendations, if it sees anything leaking through, about changes to its own configuration and potentially also automating those changes so that you are completely defended from attack. In the fastest possible way with the lowest possible operational overhead. Wow. So many big takeaways from our conversation today.

[00:26:45] And for anyone listening who wants to dig a little bit deeper into that threat intelligence report or indeed keep a lookout for the latest information findings and coming out of Netscout. Where would you like me to point everyone listening? Please just go to our website, go to the research tab and you can get to our threat report there. You can download it or you can look at it online. And you'll also, as well as seeing a lot of global findings, you can look at what's going on regionally as well and things like that.

[00:27:15] And if you're really interested, you can go to the horizon part of that area of the website and you can actually look at live DDoS activity around the world. You can filter it down to your region and see exactly what's going on. Oh, wow. Incredibly cool. I'm going to be checking that out at the end of our conversation. And I will add a link to everything that you mentioned there in the blog post associated with this episode at techtalksnetwork.com. I urge everyone listening to check that out and feedback to me and let me know your thoughts or Darren, of course.

[00:27:45] I will include a link to his LinkedIn. But Darren, a huge thank you as always for taking the time to come on and speak with me. Always a pleasure. And I look forward to speaking with you again very soon. Thanks for having me. Always a pleasure. So a big thank you to Darren for joining me on the podcast today and sharing such candid insights into how AI is reshaping that DDoS threat landscape.

[00:28:08] And one of the big standout takeaways there is just how quickly cyber criminals are adopting the exact same AI tools and automation strategies that businesses are racing to embrace themselves. And this idea that sophisticated attacks can now be launched through simple conversational prompts. This is something that should concern every business leader, especially if they're still treating cybersecurity as a reactive exercise.

[00:28:33] So if you want to learn more about NetScout's latest threat intelligence research, Darren recommended just going straight to the research section of the NetScout website, where you can access the full report and even monitor live DDoS activity around the world. But I will also, as promised, put links on the blog post associated with this episode too. But as always, I'd love to hear your thoughts on today's episode.

[00:28:57] Are you and your business moving fast enough to prepare for AI-assisted cyber attacks? Or are organisations still underestimating how quickly the threat landscape is changing? As always, techtalksnetwork.com. Send me a message. I'd love to hear from you and hear your insights and experiences. But we're out of time once again. Where does the time go? I will be back again very soon with another guest. But big thank you to Darren.

[00:29:25] And even bigger thank you to each and every one of you for listening. Speak with you soon. Bye for now. Bye for now. Bye for now.