The ease of designing sophisticated cyber attacks has seen another sharp increase in attempts to bring down websites, according to a new report on cyber attacks. It underlines the need for agencies to rethink their defence strategy as they move to digitise services.
In its quarterly benchmark report on the State of the Internet, Akamai said web attacks in the fourth-quarter period of 2015 were up 40% on the previous quarter. Repeat attacks are now the norm and, yet again, threats have emerged from new parts of the world, this time Turkey.
Akamai operates a large-scale web delivery network that supports major websites needing to ensure industrial-level performance. This network gives Akamai strong visibility over about a third of all web traffic and a unique perspective on cyber threats globally.
According to the Akamai report, gaming (driven by competitors seeking to take down others) and software sites continue to receive the majority of attacks — about 77% of all reported incidents. Government was a target in just over 1% of activity. While proportionately small, public sector attacks actually numbered over 5.8 million for the quarter, meaning there was an annualised run rate of 23 million attacks worldwide against government.
The public sector in Australia has lagged on the digitalisation front. But as governments across the country now move to rapidly digitise public services — and to typically host these services in the cloud — the public sector is expected to see a significant increase in attacks.
Similarly, as agencies increase their use of web applications to engage with stakeholders and citizens, this opens another front for attack. The Akamai report showed another sharp increase in web application attacks, up 12% in the quarter, which was up 26% on the previous quarter. These range from WordPress plugins to exploiting weaknesses in popular web services.
Many of these services operate with passwords and are vulnerable to social engineering attacks — where employees are duped into giving over key credentials.
The shift to mobile as the preferred channel for citizen engagement is demanding a superior technical performance from agency sites. Citizens are notoriously impatient on mobile devices and are looking for government to deliver the type of speed and consistency other major private providers are offering. This requires a solution that can deliver a consistent performance and has a strong security backbone.
The pressure on performance comes as website download speeds in Australia actually deteriorated by an average of 3 seconds per page over the last year according to the Dynatrace Benchmark Report, partly caused by a sharp increase in the use of images.
More intense attacks, easier to perform
The Akamai report showed the intensity of the attacks also rose, with sites attacked for up to an average of 14.95 hours with a focus on core infrastructure. In the Q4 period there were five attacks of greater than 100gbps (billions of bits per second), compared with eight in the previous quarter and down from the record-setting 17 mega attacks of Q3 2014.
Looking over the data from the last 12 months, Akamai claims there are not many tools capable of larger-than-normal-attack bandwidth, and the capacity of standard tools that attackers use haven’t changed significantly. However, the sheer number of material attacks underlines a ubiquity of capacity, suggesting a broad rage of attack capacity is now institutionalised.
It comes as much of the required skills and technologies are now to be easily found on the so-called dark web. Using a Tor browser an attacker can easily source the advice, skills and technologies needed to mount a material attack. These sites look more like a standard e-commerce site, with recommendations and ability to auction off services to the highest bidder. Most of the activity sourced from these environments are criminals looking to sell, say, credit card data. Industry estimates suggest around four-fifths of activity is criminal. A recent academic study suggested around two-thirds of dark web activity is criminal.
The continued reporting of large-scale attacks means most sophisticated observers now believe enterprises should assume they are vulnerable and need a defence system that seeks to deny malicious attackers at the edge of the internet rather than wait for key data and infrastructure to be attacked.
This implies a very different cyber defence strategy than the traditional fortress approach that has typified government cyber defence approaches and a capacity to stop attacks well before they reach key data, applications and infrastructure.
With evidence that many malevolent actors are collaborating to launch attacks, Australia needs to consider adopting a much more co-ordinated approach to cybersecurity between security agencies, vendors, telcos and ISPs. In the United States there is a strong collaboration between the cyber community and government agencies, an issue a federal cybersecurity review is expected to report on next month when it publishes its report.
Concern about cyber terrorism has created a more robust defence posture in the US, and the recent Defence Force white paper predicted cyber terrorism is likely to rise — either through national actors or splinter political groups.