2017 Security Predictions and Themes

More of the same..

Simple attacks due to un-patched systems, mis-configurations, ‘standard’ app issues like SQL injection and Cross Site Scripting, phishing links etc. will continue to be the cause of the vast majority of breaches.

Advanced attacks will still make the headlines, even when just in terms of ‘it could have been xx nation using advanced methods’..  Advanced attacks will still be heavily promoted by vendors to sell products and services.

DDoS will continue to get bigger due to the increasing proliferation of insecure connected devices (cue first IoT reference!).

Big data and analytics will continue to be big.  Security use cases such as behaviour analysis across all the log data will continue to mature and start to show the value of “big data” from a security monitoring perspective.  We will need to work on moving from just behaviour monitoring in logs and alerting to proactive blocking.  ‘Big data’ should start to become the ‘big brain’ that instructs the enforcement tools like IPS and endpoint agents (they will obviously continue to do their normal job as well).

IoT. I am waiting (note I don’t want there to be one!) for a serious incident in this space.  Not just the DDoS stuff, but actual direct harm to people from the hacking of cars or medical equipment.  This will shortly be followed by a LOT of knee jerk regulation.  No idea if this will happen in 2017 or later.  Unless something fundamental changes in how the devices covered by the wide IoT umbrella are developed, deployed and managed, it will.

  • As a side note, we should stop just referring to IoT and start prefixing it with what we are actually referring to, in the same way as you have SaaS, IaaS, GovCloud etc. etc. for cloud ‘things’.  IoT is far too broad, and also has far too many different applications that will have vastly different security implications and requirements.

Blockchain.  Like IoT, no predictions list would be complete without something blockchain in it.  We are already seeing blockchain use cases expanding from currency to DRM and music management etc.  This will continue, it’s very much in the ‘hypecycle’ at the moment with everyone rushing to be at the front with use cases and ‘thought leadership’.  It would be great to see some really beneficial use cases – could a blockchain be used to track and guarantee that charity finances or food or medical supplies went to the right people?

Automation.  Combine environments that are becoming more complex and more dynamic (think DevOps, agile, containers, cloud etc.), increasing numbers of attacks, along with the much reported skills shortage and you have a perfect storm!  Automation will be key for organisations to stay secure.  Automating more of the basic security tasks will also enable better careers for the SecOps guys – they will have more time to focus on more advanced security issues and hunting for threats etc.

Simplification.  In a similar vein to the above, simplification must be a key strategy.  I’m talking from a security perspective, but this generally makes sense as well!  How many security conversations have started or ended talking about implementing a tool / solution?  We should be having more conversations about how we can rationalise the tooling we use: how we can meet the security requirements of our organisation with the minimum set of tools and processes, and thus with the maximum simplicity.

Likely millions of things will happen, that we can’t predict, but these are the current themes I am thinking about.

It would be great to hear your thoughts on the key security themes for 2017!


Denial of Service attacks part 2

My previous post on this topic covered the basics of DDoS in terms of what it is and the most commonly thought of attack type.
This post will cover some of the more interesting DDoS attacks that don’t rely just on the brute force approach of massive traffic volume to bring down a service; attacks that rely on volume alone are also known as volumetric attacks.

The two categories of DDoS that will be covered in this post are known as RFC / Compliance Attacks and Compute Intensive Attacks.

RFC / Compliance Attacks

These typically work against vulnerabilities in either network protocols or web servers. Some examples of this form of attack are:
– Ping of Death; attacks an ICMP vulnerability
– Teardrop; works against TCP/IP fragmentation vulnerabilities in many implementations of the protocol suite
– Land; spoofs the source address to send SYN packets to the host from its own IP address
– Apache Killer; TCP based attack against the Apache web server
– HashDoS (hash collision); attack that creates hashing collisions to DDoS various web and application servers

All of the above attacks exploit vulnerabilities in networking or application implementations and do not require a huge volume of traffic to potentially bring down a service.

As more detailed examples:
– Apache Killer; this relies on the fact that the byte range filter in some versions of the Apache web server allowed attackers to cause a DoS of the server by sending it a header that covers multiple overlapping ranges.
– HashDoS involves exploiting hash collisions to exhaust CPU resources. This is caused by the ability to force a large number of collisions via a single, multi parameter request.

Compute Intensive Attacks

These are attacks that typically exploit weaknesses in application workflows / processes that allow certain interactions to use huge amounts of server resource or take inordinate amounts of time. Some examples of these are:
– HOIC; attacks by sending very slow GETs and slow POSTs
– Darkshell; sends SYN, attacks HTTP idle timeout congestion
– Simple Slowloris; sends incomplete headers
– RUDY; slow POSTs and long form field submissions
– Tor Hammer; sends very slow POSTs

These work by sending multiple slow or incomplete requests in parallel; this can quickly exhaust the web or application server’s ability to service new requests without requiring a huge amount of bandwidth or resource from the attacker.

How have these evolved over the last few years?
– Initially it started with attacks like the original Slowloris, which sends a very slow GET request where the header is sent so slowly that it almost never actually completes. This has been very effective against the Apache web server
– Then there was the slow POST; as with the slow GET, this is a POST that is sent so slowly it almost never completes. This one is also effective against various flavours of IIS
– The most recent addition is the slow Read, where a large object is requested, then downloaded extremely slowly

These all enable the attacker to use up very many connections on the web or application server without the need for large bandwidth to be at their disposal.

There has been further tuning of these types of attack to be specific to applications and databases, using similar techniques to make ‘legal’ requests of the system that lead to large resource requirements on the server. These can be targeted and fine tuned to cause maximum damage.

These types of attack are much more insidious than the volumetric attacks covered in the previous post as they need less resource at the attacker end, so can be easier to launch. In addition the compute intensive attacks make use of allowable, normal application behaviour that is manipulated to cause a DoS condition. As such these attacks can be much harder to detect and block: at what point can a connection that may simply be coming over a slow link be identified as an attack?
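One practical answer to that question is to judge each request phase by both elapsed time and sustained byte rate, and then look at how many such connections a single source holds open. The following is an added example (not code from the original post); the connection record format, the thresholds and the sample telemetry are all assumptions chosen for illustration, and the time-plus-minimum-rate rule mirrors the idea behind Apache’s mod_reqtimeout module:

```python
"""Heuristic detection of slow-request connections (Slowloris-style slow
GET, slow POST and slow read) from per-connection telemetry.

Added example, not from the original post. ConnRecord, the thresholds and
SAMPLE_CONNECTIONS are assumptions for illustration; a real deployment would
take these fields from the web server or reverse proxy's connection metrics.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable

# Assumed thresholds; tune per application. A request phase may stay open
# at most this long, and must sustain at least this many bytes per second
# while it is open. A genuine slow link still moves data at a steady rate;
# a deliberately slow request trickles a handful of bytes over a long time.
MAX_PHASE_SECONDS = 20.0
MIN_BYTES_PER_SECOND = 500.0
# A single source holding this many slow connections is flagged.
PER_SOURCE_LIMIT = 3


@dataclass(frozen=True)
class ConnRecord:
    src_ip: str
    phase: str           # "headers", "body" (request) or "response" (slow read)
    seconds_open: float  # how long this phase has been in progress
    bytes_moved: int     # bytes received (request) or sent (response) in it
    complete: bool       # whether the phase has finished


def is_slow(rec: ConnRecord) -> bool:
    """True when an unfinished phase is both past the time limit and below
    the minimum byte rate, i.e. it looks like a slow-request attack."""
    if rec.complete:
        return False
    if rec.seconds_open <= MAX_PHASE_SECONDS:
        return False
    rate = rec.bytes_moved / rec.seconds_open
    return rate < MIN_BYTES_PER_SECOND


def flag_sources(records: Iterable[ConnRecord]) -> Dict[str, int]:
    """Return {src_ip: slow_connection_count} for every source that holds
    PER_SOURCE_LIMIT or more slow connections at once."""
    counts = Counter(r.src_ip for r in records if is_slow(r))
    return {ip: n for ip, n in counts.items() if n >= PER_SOURCE_LIMIT}


# Constructed sample telemetry (RFC 5737 documentation addresses):
SAMPLE_CONNECTIONS = [
    # four header phases from one source, each open 45 s with ~60 bytes sent
    ConnRecord("203.0.113.5", "headers", 45.0, 60, False),
    ConnRecord("203.0.113.5", "headers", 45.0, 58, False),
    ConnRecord("203.0.113.5", "headers", 45.0, 61, False),
    ConnRecord("203.0.113.5", "headers", 45.0, 57, False),
    # a legitimate large upload over a slow link: long, but a steady 50 KB/s
    ConnRecord("198.51.100.7", "body", 90.0, 4_500_000, False),
    # a request that took a while but did complete
    ConnRecord("192.0.2.9", "headers", 30.0, 120, True),
    # a response phase that has only just started
    ConnRecord("203.0.113.5", "response", 10.0, 0, False),
]


if __name__ == "__main__":
    for rec in SAMPLE_CONNECTIONS:
        print(f"{rec.src_ip:14} {rec.phase:9} slow={is_slow(rec)}")
    print("flagged sources:", flag_sources(SAMPLE_CONNECTIONS))
```

The legitimate 90 second upload is not flagged because its byte rate is healthy, and the source with four trickling header phases is flagged only because of the per-source count, which is what separates an attacker holding many connections from one user on a slow link.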

This is where you have to start looking at advanced application layer defences that are tuned and configured specifically for the applications they are defending. This is another relatively large topic that I’ll likely cover in a later post, as we have now covered off the three usually identified categories of DDoS attack.


Denial of Service Attacks part 1

Denial of Service attacks (DoS) and Distributed Denial of Service attacks (DDoS) have the same purpose: to make the service in question unavailable to those trying to make use of it.

The type of attack most commonly associated with DoS / DDoS is that of bandwidth or resource exhaustion.  These are attacks where a malicious user or group sends a large enough volume of traffic to the service, usually a web site, such that it becomes unavailable to legitimate users.  These attacks are based on simple math: if a web service has the capacity to service 2Gb per second, and an attacker can consistently send greater than 2Gb per second, then they can likely make the service unavailable to legitimate users (anti DoS measures notwithstanding).  This also works in terms of server resource: if an attacker can send enough requests to overload the servers hosting a service, they can make the service unavailable to legitimate users.

At its simplest, this type of attack originates from a collection of machines, likely a bot-net, all sending requests to a web service until the bandwidth that service has available is exhausted.

This type of attack has historically been very successful in taking down web sites / services for periods of time.  It is however an attack that has well defined methods of defending against it, and many vendors offer services to protect against it.  These usually take the form of high bandwidth ‘cleaning centres’ or ‘scrubbing centres’ that monitor traffic going through them to their customers.  These employ various traffic analysis techniques and can block / clean very large volumes of traffic while still sending legitimate traffic on to the service that is under attack.

This type of attack is made considerably worse by the ability to amplify the attack such that a relatively small volume of source traffic can become a huge volume of traffic hitting the victim systems.  Examples of these amplification attacks are ‘Smurf’ and ‘DNS amplification’.  These attacks have received considerable press recently due to their successful and high impact use in things such as the Spamhaus attack;


This was billed as the ‘biggest DDoS attack in history’.

A good overview of DNS amplification attacks can be found here;


The success of these attacks highlights the need to ensure that all internet connected routers and DNS servers are correctly and securely configured.  Most (possibly all) of the amplification attacks rely on source address spoofing – they spoof the IP address of the victim systems as the source of the initial request so that the amplified replies go to this address, not the attacker’s.  I find it a shame that these types of attack, which rely on source address spoofing, could largely be eliminated if devices were configured according to RFC 2267, published in 1998!
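The check RFC 2267 asks for is simple to state: a packet entering the network from a customer interface is forwarded only if its source address is one that interface could legitimately originate. The following is an added example (not code from the original post) showing that decision in its general form, a strict reverse-path lookup against a forwarding table, which covers the static per-interface prefix list of RFC 2267 as a special case. The forwarding table, interface names and sample packets are constructed for illustration:

```python
"""Strict reverse-path (ingress) source address filtering in the spirit of
RFC 2267 / BCP 38.

Added example, not from the original post. FIB, the interface names and
SAMPLE_PACKETS are a constructed topology for illustration only.
Rule: look up the route back to the packet's *source* address; forward the
packet only if that route points out of the interface it arrived on.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed forwarding table: (prefix, outgoing interface).
FIB = [
    (ipaddress.ip_network("203.0.113.0/24"), "cust-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),
    (ipaddress.ip_network("192.0.2.0/24"), "upstream"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),  # default route
]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # e.g. "udp/53" for a DNS query


def lookup(addr: ipaddress.IPv4Address) -> Optional[Tuple]:
    """Longest-prefix match of addr against FIB."""
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def passes_strict_rpf(src_ip: str, ingress_iface: str,
                      allow_default: bool = False) -> bool:
    """True if the best route to src_ip points back out of ingress_iface.
    A match on the default route does not count unless allow_default is set,
    since otherwise any unrouted source would be accepted on the default
    interface."""
    match = lookup(ipaddress.ip_address(src_ip))
    if match is None:
        return False  # no route at all: fail closed
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_iface


def filter_packets(pkts: List[Packet]) -> Tuple[List[str], List[str]]:
    """Split packets into (forwarded, dropped) lists of source addresses."""
    forwarded, dropped = [], []
    for p in pkts:
        (forwarded if passes_strict_rpf(p.src, p.iface) else dropped).append(p.src)
    return forwarded, dropped


# Constructed sample traffic on the customer-facing interface "cust-a".
SAMPLE_PACKETS = [
    # a customer's own address: legitimate
    Packet("cust-a", "203.0.113.7", "192.0.2.53", "udp/53"),
    # a query whose source is forged as the amplification victim's address
    Packet("cust-a", "192.0.2.10", "198.51.100.53", "udp/53"),
    # another customer's prefix arriving on the wrong interface
    Packet("cust-a", "198.51.100.9", "192.0.2.53", "udp/53"),
    # a source covered only by the default route
    Packet("cust-a", "10.0.0.1", "192.0.2.53", "udp/53"),
]


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

Only the first packet is forwarded; the three spoofed or misrouted sources are dropped at the edge before their replies could ever be amplified towards someone else. The filter is applied at the customer edge precisely because that is the only place where the set of legitimate source addresses is small and known.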


However, while these attacks are both common and insidious, they are the simplest form of DoS/DDoS attack.  They are also the simplest to defend against for all but the most massive attacks.

So that briefly covers the most commonly thought of Denial of Service attacks.  The next post will go into more details around the much more interesting, to me anyway, DoS attacks that work by attacking issues in TCP/IP stacks, and web server functionality etc.