In a major global CDN/edge services network, its CTO’s worst cyber-nightmares have come to life. What cybersecurity lessons abound for defenders?

In the past year, hacktivist groups KillNet and Anonymous Sudan have targeted one of the largest edge networks in the world with varying techniques, rotating targets, attack automation and application-layer DDoS attacks, among other tactics in their arsenal.

The impact of these hacktivists’ malicious activities has been global. Additionally, the persistent threats coordinated by Anonymous Sudan, whose members could run a master class in attack automation, were responsible for some of the largest application-layer DDoS attacks in the past 12 months.

Facing much of the heat on the corporate side is Ajay Kapur, Chief Technology Officer, Applications & Security, Edgio, the CDN/edge network provider heavily targeted by the hacktivists. He gives readers a deep dive into the harrowing experiences created by these formidable adversaries.

CybersecAsia: Please share an overview and your perspective on the hacktivist groups KillNet and Anonymous Sudan.

Ajay Kapur (AK): Although KillNet initially established themselves as providers of DDoS-for-hire services, they quickly transitioned to target critical infrastructure across the globe after the Russia-Ukraine conflict escalated into war.

Targeting national infrastructure and businesses within countries they deemed as pro-NATO, KillNet had garnered support from other DDoS gangs and broadcast their intentions across social media, often taunting their targets.

Despite using a good amount of off-the-shelf tools, KillNet was able to disrupt dozens of government websites, as well as defence contractors, healthcare organizations and banking systems.

In early 2023 KillNet was joined in mission by another hacktivist group called Anonymous Sudan. Seemingly motivated by religious and political views, Anonymous Sudan is accountable for orchestrating some of the most significant application-layer DDoS attacks witnessed within the past year, and they are still quite active today.


CybersecAsia: What tactics, techniques, and motivations are behind these threat groups?

AK: Starting first with KillNet, we have observed the group primarily launching attacks at the network and transport layers (layers 3 and 4 of the OSI model) using multiple methods.

An often neglected yet pivotal aspect requiring safeguarding within an IT network is its origin. The original version of a given web page is stored on the origin server, and a key responsibility of a CDN service provider is to store, or cache, copies of the web pages on its edge servers, strategically positioned near the web application users. So:

    • It is always advisable to implement holistic Web Application Security and DDoS scrubbing solutions built natively into an edge CDN to safeguard and counter direct-to-origin DDoS attacks
    • A robust Web Application and API Protection solution will provide a range of safeguards against automated threats
    • DDoS scrubbing will provide additional protection against high volumes of malicious traffic and divert it away before it can overwhelm critical portions of a network hosting applications and services
    • Additionally, in the face of evolving threats, businesses can mitigate DDoS attacks better, by taking the following measures:
      • Embrace holistic security: Such a security platform provides multi-layer protection to mitigate varying threat vectors. Security defenses are similar to a chain: it is only as strong as its weakest link. Therefore, it is important to implement security that uses a combination of detection methods (including machine learning) working together in a layered manner to mitigate all kinds of web-based threats, from automated bot attacks to custom attacks on API endpoints, and more.
      • Leverage edge-based protection: Safeguard your network, applications, and origin by utilizing an edge-based DDoS protection solution, blocking threats closest to where they originate to keep bad traffic away. Be sure to choose a provider with a large network capacity (100+ Tbps) to ensure a factor of safety against tomorrow’s large scale attacks.
      • Mandate continuous monitoring and preparedness: Enhance security responsiveness by considering a 24 x 7 Security Operations Center (SOC). Additionally, custom run books should be developed to give teams a guide as they combat inevitable attacks, and those same teams should practise each scenario as much as possible, because minutes matter when it comes to dealing with DDoS attacks.
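The answer above describes the origin/edge split and the need to stop direct-to-origin DDoS traffic. The following is an added example of what an origin-side lockdown looks like in practice; it is not Edgio's code or anything from the interview. It assumes three things a real deployment would take from its own CDN's documentation: the CDN's published egress IP ranges (here the constructed documentation ranges 203.0.113.0/24 and 2001:db8:1::/48), a pre-shared token the CDN injects on every origin fetch in a hypothetical X-Origin-Token header, and the true client IP relayed in X-Forwarded-For. Requests that do not arrive from the CDN with the right token are refused before any application code runs, and traffic that does pass is rate-limited per true client IP with a sliding window so a layer-7 flood that survives the edge is still throttled at the origin.

```python
"""Origin lockdown guard: refuse requests that bypass the CDN, then rate-limit.

Added example, not the CDN provider's code. CDN_EGRESS_RANGES, the header
names and ORIGIN_SECRET are constructed placeholders (assumptions); a real
deployment takes them from the CDN's documentation and a secrets store.
"""
import hmac
import ipaddress
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Constructed stand-in for the CDN's published egress ranges (assumption).
CDN_EGRESS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]
# Pre-shared value the CDN is configured to add on every origin fetch (assumption).
ORIGIN_SECRET = b"replace-with-a-long-random-value"
SECRET_HEADER = "x-origin-token"      # hypothetical header name
CLIENT_IP_HEADER = "x-forwarded-for"  # true client IP as relayed by the CDN


def from_cdn(peer_ip: str) -> bool:
    """True if the TCP peer is inside one of the CDN's egress ranges."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # `in` is False across IP versions, so a v4 peer never matches the v6 range.
    return any(ip in net for net in CDN_EGRESS_RANGES)


def token_ok(headers: Dict[str, str]) -> bool:
    """Constant-time comparison of the presented origin token."""
    presented = headers.get(SECRET_HEADER, "").encode()
    return hmac.compare_digest(presented, ORIGIN_SECRET)


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window`-second span."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Deliberately low numbers so the behaviour is visible in a test.
LIMITER = SlidingWindowLimiter(limit=5, window=10.0)


def admit(peer_ip: str, headers: Dict[str, str],
          now: Optional[float] = None) -> Tuple[int, str]:
    """Decide whether a request that reached the origin may proceed.

    Returns (HTTP status, reason). Order matters: the source-range and token
    checks run first, so X-Forwarded-For is only trusted once we know the CDN
    wrote it, not an attacker connecting to the origin directly.
    """
    now = time.monotonic() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    if not from_cdn(peer_ip):
        return 403, "direct-to-origin: peer not in CDN ranges"
    if not token_ok(h):
        return 403, "direct-to-origin: missing or bad origin token"
    client = h.get(CLIENT_IP_HEADER, "").split(",")[0].strip() or peer_ip
    if not LIMITER.allow(client, now):
        return 429, "rate limit exceeded for " + client
    return 200, "ok"


if __name__ == "__main__":
    token = ORIGIN_SECRET.decode()
    print(admit("198.51.100.7", {"X-Origin-Token": token}, now=0.0))
    print(admit("203.0.113.10", {}, now=0.0))
    print(admit("203.0.113.10", {"X-Origin-Token": token,
                                "X-Forwarded-For": "192.0.2.5"}, now=1.0))
```

The IP allowlist alone is not enough: on a shared CDN, other tenants' traffic can also egress from those ranges, which is why the token check sits beside it. In a real deployment the token is rotated through the CDN's configuration and the origin is additionally firewalled so that nothing outside the CDN ranges can even complete a TCP handshake.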

CybersecAsia: Do you think the world is sufficiently prepared for the day when state-sponsored threats begin leveraging quantum computing and advanced AI to the point that most cybersecurity solutions and practices become redundant? What other dire scenarios are possible if cyber-attackers continue to grow in sophistication by leaps and bounds?

AK: While the global community is diligently researching the potential impact of quantum computing and advanced AI in cybersecurity, comprehensive preparedness remains a challenge.

Quantum computing’s potential to disrupt encryption methods and the rise of AI-driven attacks underscores the critical need for constant adaptation. AI-enhanced social engineering, autonomous malware, deepfake attacks, and automated assaults on critical infrastructure are concerning scenarios.

To stay ahead of potential threats, it is crucial to prioritize research, collaboration, ethical AI development, and robust cybersecurity practices. 

CybersecAsia thanks Ajay for reliving his cyber experiences for the sake of educating the public at large.