The importance of protecting business apps in the cloud
Firewalls are generally viewed as the tactical response to keeping attackers out of corporate networks. They're the walls around the castle, so to speak, the sandbags along the river, the firebreak in the wilderness trying to stop a rampaging fire.
But firewalls have long served a dual purpose in the enterprise; that is, they have also controlled access from the inside out. Early on this was used to gate access to the adolescent Internet, and it continues to be a mechanism for enabling preventative measures against "phone home" attempts by malware and viruses that have managed to infect internal assets.
"Today, the prevalence of cloud-based productivity apps requires inside-out access. And if we're using cloud-based apps, we need access to the Internet," continues Lorie MacVittie, principal technical evangelist at F5 Networks. "Salesforce.com. Concur. Google Docs. Social media. The list of applications that reside outside the enterprise to which the business needs access goes on and on and continues to grow."
Business is inarguably dependent on the cloud. That means disruption of access to those services is devastating to productivity, which is one of the key performance indicators in any business.
BlackNurse made waves at the end of 2016 as a type of distributed denial of service (DDoS) attack that targets firewalls that are vulnerable to a "ping flood attack".
"An attack like BlackNurse, which is relatively easy to conduct and requires little more than a single laptop, is incredibly disruptive in spite of its relative simplicity.
"The goal of such attacks is simple: resource consumption. Low and slow attacks, whether targeting firewalls or Web servers, are designed to tie up resources so the device cannot respond to legitimate requests. The problem is that such attacks are often more difficult to detect than their volumetric cousins. High volumes of traffic are noticeable. It sets off alarms and red lights and people immediately understand what is going on. We've focused a lot of energy in the past ten years to understanding how to combat such attacks and are luckily getting better at doing so," says MacVittie.
But detecting a low and slow attack is more difficult, she warns. "The CPU suddenly pegs at 100% and stops responding. Could be a software problem. Could be a hardware problem. Could be a lot of things. Sifting through logs to find the low volume of packets representative of this kind of attack is akin to the needle in a haystack problem," points out MacVittie.
According to researchers, the BlackNurse attacks generate only 15 to 18 Mbps. There's no "G" in that measure. That's about 40 to 50K packets per second, which is nothing to modern firewalls. Conversely, the DDoS attack recorded against Dyn measured in the 1 Tbps range. That's a "T", which is bigger than "G" and much larger than "M".
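To make the point in those numbers concrete, here is an added example (written for this page, not code from F5 or the article) that classifies constructed per-source firewall counters: a bandwidth-only alarm set at 1 Gbps never fires for a 15 Mbps stream of 42-byte packets, while a per-source packet-rate check flags it. Thresholds, addresses and counter values are assumed sample data.

```python
from collections import defaultdict

# Constructed per-second firewall counters (sample data, not from the article):
# (second, source_ip, packets, bytes). Addresses are documentation ranges.
SAMPLE = [
    (0, "192.0.2.10", 500, 600_000),            # ordinary client, ~1200 B/pkt
    (0, "198.51.100.7", 45_000, 1_890_000),     # ~15 Mbps of 42-byte packets
    (0, "203.0.113.5", 800_000, 960_000_000),   # volumetric flood, ~7.7 Gbps
    (1, "192.0.2.10", 480, 580_000),
    (1, "198.51.100.7", 45_000, 1_890_000),
    (1, "203.0.113.5", 800_000, 960_000_000),
]

MBPS_ALARM = 1000.0   # assumed bandwidth alarm: 1 Gbps is "noticeable"
PPS_ALARM = 20_000    # assumed per-source packet-rate alarm
SMALL_PACKET = 100    # bytes/packet; tiny packets cost CPU, not bandwidth


def per_source_rates(records):
    """Return {src: (avg_pps, avg_mbps, avg_bytes_per_packet)} over the sample."""
    pkts, byts, secs = defaultdict(int), defaultdict(int), defaultdict(set)
    for sec, src, p, b in records:
        pkts[src] += p
        byts[src] += b
        secs[src].add(sec)
    rates = {}
    for src in pkts:
        n = len(secs[src])                      # seconds observed for this source
        pps = pkts[src] / n
        mbps = byts[src] * 8 / n / 1e6
        rates[src] = (pps, mbps, byts[src] / pkts[src])
    return rates


def classify(records):
    """Label each source: a bandwidth alarm alone would only catch 'volumetric'."""
    verdict = {}
    for src, (pps, mbps, bpp) in per_source_rates(records).items():
        if mbps >= MBPS_ALARM:
            verdict[src] = "volumetric"
        elif pps >= PPS_ALARM and bpp <= SMALL_PACKET:
            verdict[src] = "low-bandwidth-flood"   # the article's "low and slow"
        else:
            verdict[src] = "normal"
    return verdict
```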
"The answer to such attacks is usually to move apps to the cloud where firewall services are not constrained by such antiquated concepts as ‘limited resources’ and are able to scale effortlessly and automatically. Except it's not. That is because the business still has employees behind the corporate firewall that have to access those apps (and others). And it is their access that is being disrupted when the target is the corporate firewall that stands between them and ‘the cloud’. It is productivity that suffers," highlights MacVittie.
Businesses need to recognise the potentially perilous state caused by attacks that disrupt outbound traffic as well as inbound.
While BlackNurse has a fairly simple mitigation already, there are likely to be others that are not so simple to mitigate. And, in a world where we depend as much on the apps inside the firewall as those outside it, we need to take a close look at the possibilities of such attacks.
"If you haven't yet, then it's past time to evaluate how dependent your business is (or will be) on apps ‘in the cloud’ and how to best protect access to them in the face of threats designed specifically to deny business from going about its daily, well, business," concludes MacVittie.