5 Questions with Merike Käo, CTO, Farsight Security, Inc.


Merike Käo

Chief Technology Officer at Farsight Security

Nation-State Cyberattack - Estonia

1) May 2017 marks the 10th anniversary of the first known nation-state cyberattack against a country, Estonia. At the time, why was this attack significant?

This topic has me walking down memory lane since I had arranged for a RIPE NCC meeting to take place in Tallinn, which happened to be in May 2007. During the cyberattack, I was able to help the Estonian CERT with trusted introductions and saw firsthand the effective defense against such a widespread attack. The cyberattacks against Estonia were significant for a variety of reasons. The scale and coordination of the DDoS attacks was unprecedented, although the attacks themselves were not technically sophisticated. More importantly, it was the first time that an attack against a nation-state’s infrastructure was openly discussed – there had been insinuations of others in the past. The decision by the Estonian government to openly discuss their situation opened the door for international public discussions on the possible impact that cyberattacks could have on national security, and the classification of cyberattacks as a means of warfare. It also provided a real-world scenario for international discussions on what constitutes critical infrastructure protection, and encouraged governments and private industry to work together to identify and mitigate the risks against attacks on services that affect people’s daily livelihood.

2) What are the 3 primary lessons learned from the cyberattack against Estonia that can be applied by enterprises today?

Understand what data and services are critical to your environment and ensure you have best practices deployed for fundamental network hygiene. This includes understanding who has access to specific devices, data and applications and, in addition, having effective auditing in place to alert on any suspicious behavior that needs further investigation. Pay attention to your DNS. Know which domains are critical to your data and services and have monitoring in place to alert you when there are attempts to hijack critical domain names. Also monitor for any unusually high domain name query activity. Collaboration with international operational security teams and incident response teams is critical to defend against massive DDoS attacks where attack traffic is sourced from all areas of the globe. Make sure you have a CSIRT team in your organization and network with your upstream providers. You want to have trusted contacts in place that can help with mitigation should you be so unlucky as to be the recipient of a lot of unwanted traffic.
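As an added illustration of the "monitor for unusually high query activity" lesson above (example code written for this page, not Farsight's or the interviewee's), the following Python detector buckets DNS query logs per name and per minute and flags a minute whose volume is far above the median of the preceding minutes. The log format, the hostnames and the spike factor are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed sample log (not real traffic): "timestamp client qname", one line per query.
# Minutes 12:00-12:04 carry steady traffic; minute 12:05 carries a burst from many clients.
SAMPLE_LOG = []
for minute in range(5):
    for i in range(20):
        SAMPLE_LOG.append(f"2007-05-09T12:0{minute}:{i:02d} 10.0.0.{i} www.example.ee")
for i in range(600):
    SAMPLE_LOG.append(f"2007-05-09T12:05:{i % 60:02d} 10.0.{i // 60}.{i % 60} www.example.ee")


def parse(line):
    """Split one constructed log line into (timestamp, client, lowercase qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower()


def per_minute_stats(lines):
    """qname -> minute bucket -> (query count, set of distinct clients)."""
    counts = defaultdict(Counter)
    clients = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, client, qname = parse(line)
        bucket = ts.replace(second=0, microsecond=0)
        counts[qname][bucket] += 1
        clients[qname][bucket].add(client)
    return counts, clients


def find_query_spikes(lines, baseline_minutes=5, factor=5.0):
    """Flag a minute whose query count exceeds factor x the median of the
    previous baseline_minutes. Returns (qname, minute, count, baseline, clients)."""
    alerts = []
    counts, clients = per_minute_stats(lines)
    for qname, buckets in counts.items():
        ordered = sorted(buckets.items())
        for i, (bucket, n) in enumerate(ordered):
            history = [c for _, c in ordered[max(0, i - baseline_minutes):i]]
            if len(history) < 3:          # not enough history to judge
                continue
            baseline = statistics.median(history)
            if n > baseline * factor:
                # distinct-client count helps separate a DDoS from one noisy resolver
                alerts.append((qname, bucket.isoformat(), n, baseline,
                               len(clients[qname][bucket])))
    return alerts
```

Run it against a real resolver or authoritative log by replacing `parse()` with a parser for that log format; the baseline and factor should be tuned to the normal query profile of each critical domain.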

3) DDoS attacks continue to plague enterprises today. Why haven't we made inroads in protecting organizations from these types of attacks?

While it is true that DDoS attacks continue to be a problem, I think there have been some improvements on raising awareness and some success in mitigation techniques. You never hear about successful mitigations of DDoS attacks in the media, but certainly, in a few organizations, there have been successful defenses. These defenses are rooted in fundamental security practices, including filtering and rate limiting techniques along with adding more redundancy for critical services.

Despite some success, DDoS attacks will thrive as the number of devices that can be tampered with and utilized as sources for the DDoS traffic continues to grow. Why? Many new devices connecting to the Internet have very poor default security settings, and vendors are not transparent about their device default settings. Yet vendors can’t take all the blame here - organizations also are not diligent in changing default behaviors and following basic risk mitigation techniques. If you look at the much-talked-about Mirai botnet, it was effective due to exploiting the use of default passwords and sending credentials in cleartext. There’s a lot more work to be done by equipment vendors and by organizations to operationally mitigate against DDoS attacks.

4) What can the international Internet community do to reduce the risk of these types of attacks?

While some of my colleagues would argue that there has been enough education around DDoS attacks, I would argue that there has not been enough good education. The international Internet community needs to continue to collectively provide materials that will educate both developers of new devices and operators as to what constitutes a fundamental, good defense against DDoS.

There needs to be continued awareness of how DDoS traffic can be initiated. Christian Rossow has done some great work on describing how varying protocols can be utilized to create amplification attacks: http://www.christian-rossow.de/articles/Amplification_DDoS.php. Organizations need to be aware of how these protocols could be abused and make sure they have taken steps to not allow such abuse in their environments.

Spoofed traffic also continues to be a large factor in current DDoS attacks and more global effort needs to be put into implementing fundamental anti-spoof filtering techniques. To see if you are part of the problem and allow spoofed traffic through your network, look at downloading the tools created from the CAIDA Spoofer project: https://www.caida.org/projects/spoofer/
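To make the anti-spoof (ingress) filtering idea concrete, here is an added Python simulation of BCP38-style source address validation; it is example code for this page, not the CAIDA Spoofer tool or anything from the interviewee. Interface names, customer prefixes and packets are constructed assumptions; it also covers IPv6 prefixes, which the text does not single out.

```python
import ipaddress
from collections import Counter

# Constructed policy (assumed values): each customer-facing interface and the
# prefixes legitimately assigned to the customer behind it.
CUSTOMER_PREFIXES = {
    "eth1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "eth2": ["198.51.100.0/25"],
}


def build_policy(table):
    """Parse the prefix strings once into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


POLICY = build_policy(CUSTOMER_PREFIXES)


def ingress_permits(policy, iface, src):
    """BCP38 check: a packet arriving on a customer interface is forwarded only
    if its source address lies in a prefix assigned to that customer.
    Malformed addresses and unknown interfaces are treated as not permitted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # `addr in net` is False when address and network families differ.
    return any(addr in net for net in policy.get(iface, []))


def filter_batch(policy, packets):
    """packets: iterable of (iface, src_ip, dst_ip).
    Returns (forwarded packets, Counter of drops per interface)."""
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        if ingress_permits(policy, iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return forwarded, dropped


# Constructed packets: legitimate sources, a spoofed victim address, an
# address outside the assigned /25, and a malformed source.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),          # inside eth1's /24: forward
    ("eth1", "2001:db8:1::10", "2001:db8:ffff::1"),  # inside eth1's /48: forward
    ("eth1", "203.0.113.5", "198.51.100.9"),         # spoofed source: drop
    ("eth2", "198.51.100.200", "203.0.113.5"),       # outside the /25: drop
    ("eth2", "198.51.100.7", "203.0.113.5"),         # inside eth2's /25: forward
    ("eth2", "not-an-ip", "203.0.113.5"),            # malformed: drop
]
```

Per-interface drop counters are the metric worth exporting: a sustained non-zero rate on a customer port is the signal that spoofed traffic is originating there.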

5) What can be done to reduce the DDoS vectors in new devices connected to the Internet?

Many devices get used as sources of DDoS traffic by exploiting some vulnerability. In recent events, these vulnerabilities have been related to known issues and, even worse, not following very basic security practices. I would like to see some kind of certification for fundamental minimal security requirements. While I have heard many arguments surrounding certification efforts, I think the increased impacts of DDoS on critical life-threatening devices and data are a call for more action.

It is important to understand that not all devices have the same risk parameters and, therefore, should not be classified into the same categories. So there needs to be some dedicated thought as to how devices should be classified. However, I do believe that most devices should adhere to these three requirements: don’t allow default usernames or passwords, use cryptographically protected protocols for device management and allow for software/firmware upgrades.
