Dyn, DDoS and Third Party Risk

Dot Com Bubble Burst

In the early 2000s, the once promising Internet bubble came crashing down, causing the economy to go into a tailspin and recession. At the time, many pundits analyzed this and thought that the Internet was just a fad and was not going to affect our everyday lives. However, what we have learned in the 15-16 years since the dot com bubble burst is that we as a society tend to overreact to these lessons and make dramatic interpretations of negative events.

Since then, the Internet has slowly, steadily and completely disrupted our lives. We live in a constantly connected world. We transact commerce, listen to music, watch our favorite TV shows, and read our favorite publications over the Internet, and we communicate with our friends, family, and sometimes even celebrities over the Internet.

Impacts of the Dyn (News - Alert) Distributed Denial of Service (DDoS) Attack

When we consider all of the day-to-day functions we do through the Internet, it’s really interesting to see how this attack played out with the DDoS attack at Dyn on Friday, October 21, 2016. Dyn is a provider of Domain Name System (DNS) services. DNS services act like a telephone book for the Internet. It takes the URLs typed into the URL bar on our browser and understands which IP addresses are needed to find and connect with the right servers so that the Web browser can deliver the right content. A Distributed Denial of Service (DDoS) attack, which was the type of attack on Dyn, overloads the DNS with too many requests, simultaneously making it impossible to complete any of the requests. This attack is what shut down a lot of Internet traffic across the United States as well as in parts of Europe.

When we look at what happened Friday, we quickly realize that the Internet has completely disrupted our lives. Many were unable to perform routine commerce transactions on sites such as Amazon and Airbnb. We listen to music over the Internet, but Spotify (News - Alert) was impacted as well. We watch TV over the Internet, but millions of Netflix accounts were down. We read our favorite publications on the Internet, but even the New York Times and other news websites were unresponsive for hours due to the attack. Our lives and our businesses revolve completely around the Internet.

My partner in crime, Chris Sullivan, commented on this last Friday by saying, “The really frightening part of this is not that we will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapon designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things like the 30,000 PCs at Saudi Aramco.” The impact of an attack like this is huge when you think about all the transactions made over the Internet from the perspective of personal, corporate, and military and diplomatic relations.

Putting this in Perspective and things to Consider for Internal IT and Security Teams

Based on what took place on Friday with Dyn, there is a strong temptation to overreact like in the early 2000s, and for companies to say they will no longer outsource DNS services and will instead manage all of this in-house. The paranoia may influence some to go so far as to say they will insource all IT and stop using cloud services and any outsourced IT vendor of any kind.

But the reality is that outsourced IT services such as DNS, Cloud, Hosting, and all as-a-Service solutions are here to stay. However, given how dependent we are and how interconnected we are as a society and as businesses, we need to put things into perspective and think about what safeguards we can put in place. As we often say at Core Security, it’s not a matter of if this will happen again, but when. Knowing that this will happen again, we need to think about what we can do to identify attack patterns before they start, detect an attack immediately when it does begin, and put in place remediation efforts to mitigate loss as soon as possible.

Given the situation on Friday, it raises some questions for me that I want to in turn raise to our industry as a whole such as:

• What governance processes do IT organizations have in place when working with any outsourced IT vendor?
• How do our internal security teams work directly with our cloud and other outsourced IT vendors?
• Do we know the exact security testing protocols that our outsourced IT vendors are using?
• Do you mandate auditing the security of your third party outsourced IT vendors?
• Do you know what security tools your vendors are using and do they align with the security policies you have put in place within your own organizations?

Things to Consider for Outsourced IT Vendors

The Internet has become a utility and those that provide outsourced IT services have become utility providers. We live in a world where “as-a-Service” vendors grow day-by-day. While Managed Service Providers, Outsourced DNS services, and other third party IT outsourcing functions continue to grow, the reality is that the shift in IT power is moving more and more towards the outsourced IT vendor and away from internal IT. However, with this power comes great responsibility.

In recent years, we’ve seen large corporations, especially in the retail sector as well as healthcare facilities and health insurance providers, be targets for attacks on their valuable data, such as payment cards and healthcare records. However, the attack demonstrated on Friday at Dyn shows that more and more, targets for attack will become those who provide third party IT services via the Internet. The reason is because they are even greater aggregators of data through commerce, entertainment, media, and other business services.

Given the situation, if you are an outsourced IT Services provider of some kind— whether it’s as a cloud application, hosting, or DNS service— what are some things you should consider to protect not only your customers but also your customers’ customers?

• Your customers are likely going to ask for more transparency about your own security protocols. Make sure you have documentation for security policies, processes, staffing, and tools you have in place to offer your customers.
• Establish your own internal Red Team to constantly hunt for vulnerabilities within your infrastructure. Given the amount of data you are aggregating about your customers and their customers, don’t be surprised if your customers ask to audit your protocols by doing their own Pen Testing or selecting a third party service to pen test your environment.
• Make sure that you are constantly scanning and prioritizing the vulnerabilities that need to be fixed within your environment and understand the how these vulnerabilities fit into a comprehensive attack path with pivot points between customer environments.
• Since your job is to administer IT services for companies, much of your employee base dedicated directly to administration of these very services are in fact Privileged Users, therefore establishing Privileged Account Management processes are critical.
• As Friday demonstrated, all businesses connected to the internet are targets for attack. Make sure you have a good understanding of any type of Access Risk within your company including Abandoned, Orphaned or Privileged access and what entitlements these accounts have.
• Friday also highlighted that it is absolutely critical to put in place Network Detection and Response tools to monitor DNS traffic for malicious activity. Anyone in the third party IT outsourcing chain lives in the world of providing DNS services in some way, shape, or form, so it is critical you are constantly monitoring that DNS traffic on all devices in your network.

While the attack on Dyn was unprecedented in scope and scale, and may have happened regardless of whether an organization had all the best practices in place, it serves as a reminder for us all to ask the hard questions, and make sure we are doing everything we can to make it as hard as possible for attackers to be successful in their attacks.

Conclusion

No matter what the “experts” thought in 2000, the Internet is clearly not going away and neither are third party IT outsourcing services. These realities are here to stay. However, it is incumbent upon all of us to think in terms of security and understand how everything we do may impact information security in this increasingly connected world. For IT and Security professionals, you need to rethink how you are interacting with and the security governance processes you have in place with any third party outsourced IT services. For third party outsourced IT service providers, you have great power and great responsibility to your customers and their customers. You must ensure you have a comprehensive security policy in place and be prepared to provide transparency to your customers about your organization, the tools you use, and the processes you have in place to respond to an inevitable cyber attack.