Is DDoS being left out in the cold by regulations? 


This article is part of our Opinions section.


DDoS attacks have had a real field day in the news, recently overtaking ransomware to become the number one cyber threat in Europe. They’ve grown immensely in size and frequency and plagued many sectors. But one of the most notable trends is that DDoS attacks wielded by so-called ‘hacktivist groups’ with political motivations, largely targeting critical infrastructure, have surged by 55% over the last four years. Needless to say, they’ve catapulted into the forefront of many an IT leader’s mind and probably won’t vacate that spot anytime soon. 

While a number of new cybersecurity regulations like the NIS2 Directive have come, or will come, into play this year, how many include specific provisions for DDoS attacks? (Hint: it’s even fewer than you think.) And what does this mean for organisations facing increasing numbers of DDoS attacks? 

More DDoS, more problems

DDoS attacks are a pain to deal with at the best of times, and the associated costs of downtime are soaring. The average outage is estimated to cost a whopping $408,000, not to mention the reputational damage any outages cause to organisations. 

Sectors including financial services, government entities and public utilities have all been facing an increasing frequency of attacks. According to research carried out earlier this year, the number of DDoS attacks on telecom networks alone has increased from one or two per day last year to well over 100 a day in most cases. By targeting telecom providers, these ‘hacktivists’ can take down large swathes of networks, impacting not only the providers but many of their customers downstream as well. So not only are organisations facing potentially ruinous downtime costs, but telecom providers are also scrambling to avoid causing widespread disruption across the countries in which they operate. 

As DDoS attacks continue to evolve, with the likes of machine learning (ML) algorithms bolstering attack power, many organisations simply don’t have the defences in place to deal with the increasing intensity. Regulations haven’t necessarily been specific enough to address pain points related to DDoS. Gone are the days when monitoring incoming traffic against pre-determined DDoS thresholds would do the trick. Attackers now tend to favour the ‘low and slow’ method, which avoids hogging bandwidth and so stays essentially invisible to threshold-based traffic monitoring. Yet the Directive is devoid of any mention of this fact and gives no guidance as to the upgrades that organisations can (and should!) make to their DDoS defences to stay secure. It disregards the damage that small and frequent DDoS attacks can cause as they sneak under the radar, chipping away at service until it creaks to a halt.

An increasing use of botnets within DDoS attacks is also cause for concern, boosting attack size and variation. For example, the recent GorillaBot attacks have already totalled over 300,000 cyberattacks worldwide this year. Beyond the sheer volume of attacks, threat actors are also utilising a variety of attack methods, using User Datagram Protocol (UDP) and TCP ACK Bypass floods to overwhelm networks. With tools like this readily available to cyber attackers, traditional protection methods like traffic monitoring are simply ineffective. As an EU-wide regulation, NIS2 boasts a wide reach and had the potential to prompt a full refresh of DDoS protection to meet these new challenges, yet it failed to do so. 

It could have encouraged organisations to take advantage of the swathe of cybersecurity benefits that can be gained from implementing AI and ML in their defences. Nearly 50% of enterprises are already doing so, and the rest need to catch up. ML can be used as an instant boost to traditional methods of DDoS attack detection, replacing threshold-based models and bringing them up to par with this latest evolution of DDoS threats. 
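To make the threshold-versus-baseline argument above concrete, here is an added example (not from the article or from Nexusguard) that runs a fixed request-rate threshold and a simple learned baseline over constructed per-second traffic samples; the sample values, the 1,000 req/s threshold and the z-score cut-off are all assumptions chosen for illustration.

```python
"""Static-threshold DDoS detection versus an adaptive baseline.

Each sample is (requests per second, mean connection hold time in seconds)
for one second of server traffic. Two constructed scenarios follow 60 s of
normal traffic: a volumetric flood, and a 'low and slow' pattern that keeps
the request rate inside the normal range but holds connections open far
longer than usual, so it never trips a rate threshold.
"""
from statistics import mean, pstdev

STATIC_REQ_THRESHOLD = 1000  # requests/s; constructed value for the example


def normal_traffic(n):
    # Deterministic jitter around ~425 req/s and ~1.1 s hold time.
    return [(400 + (i * 37) % 50, 1.0 + ((i * 13) % 10) / 50) for i in range(n)]


VOLUMETRIC = normal_traffic(60) + [(5000, 1.0)] * 10     # obvious flood
LOW_AND_SLOW = normal_traffic(60) + [(420, 45.0)] * 10   # rate looks normal


def static_threshold_alerts(samples):
    """Classic approach: alert on any second whose request rate exceeds a fixed limit."""
    return [i for i, (rps, _hold) in enumerate(samples) if rps > STATIC_REQ_THRESHOLD]


def baseline_alerts(samples, warmup=30, z=4.0):
    """Adaptive approach: learn mean/stddev per metric from a warm-up window,
    then alert when request rate OR hold time drifts more than z sigmas away.
    Returns sorted (second, metric) pairs."""
    alerts = set()
    for idx, metric in enumerate(("rps", "hold")):
        values = [s[idx] for s in samples[:warmup]]
        mu, sigma = mean(values), pstdev(values) or 1e-9  # guard flat baselines
        for i in range(warmup, len(samples)):
            if abs(samples[i][idx] - mu) / sigma > z:
                alerts.add((i, metric))
    return sorted(alerts)


if __name__ == "__main__":
    for name, data in (("volumetric", VOLUMETRIC), ("low-and-slow", LOW_AND_SLOW)):
        print(name, "static:", static_threshold_alerts(data))
        print(name, "baseline:", baseline_alerts(data))
```

The static detector fires only on the flood, while the baseline detector flags the low-and-slow seconds via the hold-time metric; a production system would learn its baseline continuously rather than from one fixed window.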

Standardise DDoS protection? I’d like to see you try (please!)

NIS2 is one of a number of cybersecurity regulations introduced this year to address this evolution of cyber attackers and their methods. In short, NIS2 provides legal measures to boost the overall level of cybersecurity in the EU to try and keep up with increased digitisation and the changing threat landscape. It’s a much-needed shot in the arm for general cybersecurity, but as is often the case, it’s not a cure-all solution, especially not when it comes to DDoS.

While the NIS2 Directive is one of the few (very few) incoming regulations with stipulations regarding DDoS protection, these are minimal at best. It requires organisations to manage DDoS risk (duh!) and respond to incidents promptly to minimise any potential impact on essential services and digital infrastructure. While nice additions, they’re all a bit wishy-washy. The most concrete requirement is the 72-hour window for organisations to report damaging DDoS attacks to authorities, which doesn’t exactly set the world alight. 

With increased targeting of critical infrastructure and higher frequencies of attacks on the CSPs underpinning these services, mandatory requirements like these won’t hurt but they also won’t help much in the face of DDoS. Organisations should be constantly monitoring and updating their defences, especially for DDoS, and these regulations will act as a good prompt but should be seen as more of a starting point for DDoS protection, not the end goal. If regulators want to make a real impact in terms of DDoS protection, they need to get specific and encourage the move away from threshold-based models of detection. 

NIS’d a bit? 

NIS2 focuses on the big picture – on massive, devastating attacks that cause widespread disruption. And that’s not a bad thing. But it does severely neglect the damage that small and frequent DDoS attacks can cause while flying largely unnoticed, at least until your service slows to a snail’s pace. And as ‘hacktivists’ continue to wield DDoS attacks as political statements, the pressure on DDoS defences is only set to grow, especially for critical infrastructure.

Future regulation should focus more on the specifics of DDoS protection, including provisions to move away from traditional traffic monitoring systems and towards more up-to-date AI-powered methods. With the rise in politically motivated ‘hacktivism’ attacks, ML-driven tools will be essential for defence, scanning data from threat intelligence feeds and social media to identify potential planned cyber threats. 

Donny Chong

Donny Chong is a Product & Marketing Director at Nexusguard, where he's responsible for designing the company’s solutions for the enterprise segment. He has contributed to TechFinitive under the Opinions section.