Keeping the game on during Euro 2020



David Warburton, Principal Threat Evangelist at F5 Labs

The delayed Euro 2020 Championships kicked off this week, marking the start of one of the largest sporting events to take place in more than a year.

As with any event of this size, we can expect online activity to spike and cybercriminals to be match fit and ready to go.

Here are some of the risks businesses should look out for during the Euros (and beyond!).

Defending against DDoS

While a DDoS attack can have a massive impact on any business, online gaming sites are especially vulnerable. In the lead-up to any match in the championship, the number of people participating in online activities related to the championship will increase and, through an almost infinite variety of options at their fingertips, continue throughout the game. Attackers know this and often adjust their tactics and timings accordingly.

DDoS activity is already on the rise. Data collected by the F5 Silverline Security Operations Center (SOC) and F5 Security Incident Response Team (SIRT) recently found that DDoS attacks were up by 55% between January 2020 and March 2021. A majority of those incidents (54%) used multiple attack vectors, suggesting a growing sophistication of increasingly determined attackers.

The most obvious motivation is financial gain, with attackers using the threat of a DDoS attack to hold businesses to ransom. Other potential motivations could include attacks on behalf of competitors, threat actors looking to use a DDoS attack as a diversion, or simply hackers looking to make a name for themselves.

The good news is that there are several ways to shore up your defenses. Increasingly, this involves stopping attacks from reaching the enterprise network by leveraging cloud-based managed services.

A solution like F5 Silverline DDoS Protection is a good example.  Delivered via a cloud-based platform, it can detect and mitigate in real-time, stopping even the largest volumetric DDoS attacks from reaching the network.  The service is supported by 24/7 access to a team of SOC experts to keep businesses online during DDoS attacks via comprehensive, multi-layered L3–L7 protection.

The following technical/preventive security controls are also recommended to protect against DDoS attacks:

  • Use both network and web application firewalls.
  • Use a network-based intrusion detection system.
  • Apply patches promptly to prevent your systems from being used to launch attacks.
  • Block traffic with spoofed source IP addresses.
  • Use rate limiting to restrict the volume of incoming traffic.

Showing formjacking the red card

Other opportunistic cybercriminal tactics to keep an eye on include formjacking. Currently one of the most common web attack tactics, this involves siphoning data from an organization’s web browser to an attacker-controlled location.

As more web applications connect to critical components such as shopping carts, card payments, advertising, and analytics, vendors become an outsized target. Code can be delivered from a wide range of sources – almost all of which are beyond the boundaries of usual enterprise security controls such as proxies and web application firewalls. Since many websites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.

Typical security measures that can help organizations stay safe include:

  • Creating an asset list of web applications. This should encompass a thorough audit of third-party content. The process is complicated by third parties usually linking to yet more websites and a tendency for substandard security controls.
  • Patching your environment.  While patching won’t necessarily fix the flaws in third-party content, it makes it harder to escalate from an initial foothold to a substantial compromise. Since web injection is such a versatile technique, patching applications running in your own environment is still critical to prevent damage from a compromised third-party asset.
  • Vulnerability scanning. For years, CISOs have recognized the importance of running external scans to get a hacker’s eye view of the situation. This becomes even more important when huge quantities of content are assembled at the last minute on the client-side.
  • Monitoring for code changes. Regardless of where code is hosted, it is important to gain an added degree of visibility – irrespective of whether new vulnerabilities are emerging. This means monitoring GitHub and AWS S3 buckets, as well as native code repositories.
  • Multifactor authentication. Given that injection is often used to bypass authentication to access webserver code, multifactor authentication should be implemented on any system connecting to high-impact assets. Ideally, application-layer encryption can also supplement TLS/SSL by encrypting credentials and payment card details as the user enters them into the browser.  Some well-known web application firewall (WAF) products have this capability. However, an Advanced WAF can offer enhanced levels of application-layer visibility and control to help mitigate distributed and polymorphic injection risks.
  • Explore the potential of web application security headers. For example, it is possible to set up a Content Security Policy (CSP) to block unauthorized code injections into a website or application. In addition, Subresource Integrity (SRI) web methods can verify that third-party apps have not been altered. Both tools require work to properly fit a web application. This is where a robust, flexible WAF comes in.
  • Monitor for newly registered domains and certificates. These are often used to host malicious scripts while appearing genuine to end-users.
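The CSP and SRI item in the list above can be made concrete with a short Node.js sketch. This is an added example, not code from F5; the vendor and shop origins and the sample script bodies are constructed placeholders.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Value for a <script integrity="..."> attribute: "<algo>-<base64 digest>".
function sriHash(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// Re-check fetched script bytes against the pinned value, as the browser does
// before executing a script that carries an integrity attribute.
function matchesIntegrity(body, integrity) {
  const algo = integrity.split("-", 1)[0];
  if (!["sha256", "sha384", "sha512"].includes(algo)) return false;
  const expected = Buffer.from(integrity);
  const actual = Buffer.from(sriHash(body, algo));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Script tag that pins the third-party file to the bytes that were reviewed.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// CSP that limits where scripts load from and where page data can be sent.
function buildCsp({ scriptOrigins, connectOrigins }) {
  return [
    "default-src 'self'",
    `script-src 'self' ${scriptOrigins.join(" ")}`,
    `connect-src 'self' ${connectOrigins.join(" ")}`,
    "form-action 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed sample: a vendor script as reviewed, and a later altered copy.
const reviewed = "window.analytics = { track: function () {} };\n";
const altered = reviewed + "/* content changed upstream */\n";
const pinned = sriHash(reviewed);

console.log(scriptTag("https://cdn.vendor.example/analytics.js", reviewed));
console.log("reviewed copy passes:", matchesIntegrity(reviewed, pinned));
console.log("altered copy passes:", matchesIntegrity(altered, pinned));
console.log(buildCsp({
  scriptOrigins: ["https://cdn.vendor.example"],
  connectOrigins: ["https://api.shop.example"],
}));
```

Any change to the vendor file, legitimate or not, breaks the pinned hash, so SRI suits versioned third-party files and needs a re-review step each time the vendor ships an update.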

Tackling the scourge of phishing

Phishing is another perennial favorite. Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth. It is far easier to trick someone to hand over their credentials. The hardest part is coming up with a convincing email pitch to get people to click on, and a fake site to land on. Expect a glut of these throughout the tournament.

According to F5 Labs’ latest Phishing and Fraud report, 52% of phishing sites used common brand names and identities in their website addresses. Phishers have also intensified efforts to make fraudulent sites appear as genuine as possible: F5 SOC data cited in the report found that most phishing sites leveraged encryption, with a full 72% using valid HTTPS certificates to trick victims. This means simply looking for the padlock (or an address that starts with https://) is no longer enough. In fact, it’s actively dangerous to advise this, since it implies that sites are inherently trustworthy simply by having a digital certificate.
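As an added illustration of the point above (not code from F5 or the report), this sketch flags URLs whose hostname carries a brand name without belonging to the brand's own domains, and deliberately ignores HTTPS as a trust signal. The brand token, the domain allowlist and the sample URLs are constructed assumptions.

```javascript
// Assumed values: the brand string to watch for and the organisation's real domains.
const BRAND_TOKENS = ["examplebank"];
const OWN_DOMAINS = ["examplebank.example"];

// Exact match or a true subdomain; a bare suffix test would accept
// "secure-examplebank.example" as if it were ours.
function isOwnHost(host) {
  return OWN_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Undo separators and common digit-for-letter swaps before comparing.
function normalize(host) {
  const swaps = { 0: "o", 1: "l", 3: "e", 5: "s" };
  return host.replace(/[-_]/g, "").replace(/[0135]/g, (c) => swaps[c]);
}

// Classify a URL. The scheme is reported but never used as a trust signal.
function assessUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { verdict: "invalid" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const https = url.protocol === "https:";
  if (isOwnHost(host)) return { host, https, verdict: "own-domain" };
  const hit = BRAND_TOKENS.find((t) => normalize(host).includes(t));
  return { host, https, verdict: hit ? "brand-lookalike" : "no-brand-match" };
}

// Constructed sample URLs (reserved .example/.test names).
const SAMPLE_URLS = [
  "https://www.examplebank.example/login",
  "https://examplebank.example.account-check.test/login",
  "https://secure-examplebank.example/",
  "https://examp1e-bank.support.test/",
  "http://news.test/",
];
for (const u of SAMPLE_URLS) console.log(u, JSON.stringify(assessUrl(u)));
```

The three lookalike samples are all served over HTTPS and are still flagged, while the plain-HTTP news site is not: the verdict depends only on who owns the hostname.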

Every organization will be a target of phishing attacks at some point, whether those attacks are directed or indiscriminate. Unfortunately, not all organizations implement robust information security management frameworks.

The NIST Five Functions provide a useful way to think about any cyber threat but, regardless of the lengths businesses go to protect their brand and their customers, phishing attacks will continue to be successful as long as there is a human that can be psychologically manipulated in some way. That’s why security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users. Individuals and organizations also need to be continuously trained on the latest techniques used by fraudsters, from deceptive URLs to the abuse of HTTPS certificates.

Staying on the ball

The threats detailed above are not an exhaustive list. There are others. Remember, cybercriminals are extremely adept at taking advantage of the twists and turns related to events like Euro 2020. Stay alert, seek out the right security solutions, and always try to keep up with shifting attacker mindsets and capabilities.

