
Page 1: DDoS Defense: How to Break the Link to Advanced Threats · BIENKOWSKI: The truth is that DDoS attacks have been around for over 20 years. And most organizations have some form of

DDoS Defense: How to Break the Link to Advanced Threats

ISMG SECURITY EXECUTIVE ROUNDTABLE
sponsored by NETSCOUT Arbor

Agenda

6:00 – 6:30 p.m. Registration, Networking and Cocktails

6:30 – 6:45 p.m. Introductions and Opening Remarks
• Nick Holland, Director, Banking and Payments, Information Security Media Group
• Tom Bienkowski, Director, Product Marketing, NETSCOUT Arbor

6:45 – 8:30 p.m. Roundtable Discussion

8:30 p.m. Program Concludes


Introduction

Over the course of the past two years, enterprises worldwide have seen a significant increase in the power and scale of DDoS attacks – some of them, based on the Mirai botnet, leveraging IoT devices. And many of these attacks have a direct link to nation-state actors and their advanced threats, which use the same methodologies commonly found in DDoS toolkits. Against such threats and threat actors, conventional, perimeter-based DDoS defenses are insufficient.

What types of DDoS attacks is your organization detecting? What are the most common attack vectors?

How should you refocus your defenses against DDoS and advanced threats?

If you’re looking for new answers to these questions, then welcome to this exclusive executive roundtable on DDoS Defense: How to Break the Link to Advanced Threats.

Guided by insight from Tom Bienkowski of event sponsor NETSCOUT Arbor, this invitation-only dinner will draw from the results of NETSCOUT Arbor’s latest Threat Reports, as well as the experiences of the attendees, offering insights on how they have been able to improve detection and defense against DDoS and advanced threats. Among the discussion topics:

• What types – and size – of DDoS attacks are most commonly detected?

• What are the most prevalent attack vectors?

• What is the direct link to advanced threats and nation-state attackers?

• How must enterprise defenses evolve beyond the perimeter to detect and prevent these attacks?

You’ll have the opportunity to discuss DDoS and advanced threats with a handful of senior executives in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.

Strategic Threat Intelligence: Lessons from the Pentagon 2


Discussion Points

Among the questions to be presented for open discourse:

• What types of DDoS attacks have you commonly seen in the past year?

• What common vectors do these attacks use?

• How do you rate your current DDoS defenses?

• What are the biggest gaps in your DDoS defenses?

• What threats do you see from nation-state attackers?

• How do you rate your defenses beyond the perimeter to defend against these attacks?

• What are your biggest gaps beyond the perimeter?

• How do you intend to fill these gaps in 2019?


About the Expert

Joining our discussion today to share the latest insights and case studies is:

Tom Bienkowski

Director, Product Marketing, NETSCOUT Arbor

Bienkowski has been in the network and security field for over 20 years. He has worked for large enterprises as a network engineer and for network management and security vendors, where he has had roles in sales engineering/management, technical field marketing and product management. At NETSCOUT Arbor, he’s a director of product marketing focusing on the industry-leading Edge Defense and Threat Intelligence solutions. Bienkowski is a frequent speaker at IT security events around the world, providing insights into cyberthreats and best defense practices.

About Arbor Networks

Since 1999, NETSCOUT Arbor’s DDoS protection and network visibility solutions have been tested and proven in the world's largest, most complex networks. The company delivers powerful visibility and traffic intelligence, at internet scale, to help customers understand not only their own environment, but also threat actors and their tools, behaviors and campaigns on a global basis.

To learn more about NETSCOUT Arbor products and services, please visit our website at arbornetworks.com or follow on Twitter @ArborNetworks.


About the Moderator

Leading our discussion today is:

Nick Holland

Director, Banking and Payments, Information Security Media Group

Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.

For more information, visit www.ismg.io.


NOTE: In advance of this event, ISMG’s Nick Holland discussed DDoS defenses with NETSCOUT Arbor’s Tom Bienkowski. Here is an excerpt of that conversation.

DDoS Attack Trends

NICK HOLLAND: As you reflect on 2018, what were the most concerning DDoS attack trends?

TOM BIENKOWSKI: As we look back on 2018, we see a few concerning trends.

First, the number of attacks is rising. This is mainly due to the ease with which these attacks can be executed using readily available do-it-yourself attack tools or for-hire DDoS attack services.

Second, botnets are no longer used just for DDoS attacks. Gone are the days when a single bot offered a simplistic DDoS attack type. In today’s DDoS threat landscape, attackers increasingly add diversification into their bots, allowing a wide variation of attacks and protocols to take down networks. Related: IoT-based botnets have grown and will continue to grow in use and size.

Third, the number of larger attacks is rising. In 2018, the largest attack we saw was a 1.7 Tbps DDoS, but that’s rare. Even though most attacks are under 2 Gbps in size, we are seeing an increase in the number of attacks over 100 Gbps.

Link to Nation-States?

HOLLAND: What’s the link between these trends and nation-state adversaries, as well as the advanced threats they represent?

BIENKOWSKI: The line between DDoS attacks and other forms of cyberthreats is starting to blur.

When an adversary targets an organization, they will customize an attack campaign that will utilize multiple tactics, techniques and procedures. For example, Hidden Cobra is a North Korean APT group that actively targets corporations, with a heavy emphasis on financials. They deploy a variety of TTPs, including DDoS attacks that are used to take out services and serve as a diversionary tactic.

CONTEXT

DDoS Defense: How to Break the Link to Advanced Threats
Q&A With NETSCOUT Arbor’s Tom Bienkowski

“The line between DDoS attacks and other forms of cyberthreats is starting to blur.”

Tom Bienkowski


Flaw in DDoS Defenses

HOLLAND: In light of these findings, what are your concerns about traditional DDoS defenses?

BIENKOWSKI: The truth is that DDoS attacks have been around for over 20 years. And most organizations have some form of DDoS protection in place. What’s concerning is that the protection many of these organizations have in place was designed to stop DDoS attacks from years ago.

The modern-day DDoS attack has changed dramatically in size, frequency and complexity. The question we want organizations to ask themselves is: “Is the DDoS protection we have in place still adequate?” In other words, can it stop the modern-day DDoS attack and other threats to your organization? Can a very traditional cloud-based DDoS attack protection service (which is required for large attacks) adequately stop a ‘low and slow’ application-layer attack? In most cases, the answer is no.

Adversary Tactics

HOLLAND: How are adversaries responding to improvements in defenses?

BIENKOWSKI: The adversaries are getting stealthier. They recognize that large volumetric DDoS attacks (e.g. 100 Gbps) can easily be recognized and thwarted using modern-day DDoS protection technology and services. So instead, they are focusing on smaller, application-layer attacks, which are much more difficult to detect yet just as impactful.

This past year we saw a 20 percent increase in application-layer DDoS attacks. Unfortunately, targets who only had a cloud-based DDoS attack protection service realized that it took too long (if at all) to stop these application-layer attacks before the damage was done.

The Best Defense

HOLLAND: What best practices do you recommend for DDoS defense?

BIENKOWSKI: A hybrid defense. For the most comprehensive protection, organizations should consider the combination of cloud-based protection to stop large attacks, and on-premises protection to stop application-layer attacks. DDoS protection should also utilize stateless packet processing technology, allowing it to stop inbound TCP-state exhaustion attacks, which can bring down stateful devices, such as NGFWs. And if possible, outsource to the DDoS attack protection experts who do this daily.
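Added example, not part of the original interview and not NETSCOUT Arbor's code: a small Python model of why the stateless packet processing Bienkowski mentions survives a TCP-state exhaustion attack that would fill a stateful device's half-open connection table. Both device classes, the table size, the addresses and the traffic are constructed for the demo; the stateless device stands in for SYN-cookie style handling, deriving the server ISN from an HMAC over the connection tuple instead of storing state.

```python
import hashlib, hmac, struct

# Constructed demo secret; a real device would use a random per-boot key.
SECRET = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF


class StatefulDevice:
    """NGFW-style stateful middlebox: one half-open entry per SYN. That table
    is the resource a TCP-state exhaustion attack fills up."""

    def __init__(self, table_size):
        self.table_size = table_size
        self.half_open = {}  # (src, sport) -> server ISN

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.table_size:
            return None  # table full: the SYN is dropped, legitimate or not
        self.half_open[(src, sport)] = 1000  # constructed fixed ISN
        return 1000

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & MASK32


class StatelessDevice:
    """SYN-cookie style handling: the ISN is a MAC over the connection tuple,
    so a valid ACK proves the client saw the SYN-ACK with no stored state."""

    def _cookie(self, src, sport):
        mac = hmac.new(SECRET, f"{src}:{sport}".encode(), hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]

    def on_syn(self, src, sport):
        return self._cookie(src, sport)  # nothing is stored

    def on_ack(self, src, sport, ack):
        return ack == (self._cookie(src, sport) + 1) & MASK32


def legit_client_connects(device, flood_syns):
    """Constructed scenario: flood_syns half-open SYNs that never complete, then
    one legitimate client finishing its handshake. True if it gets through."""
    for i in range(flood_syns):
        device.on_syn("198.51.100.%d" % (i % 200), 1024 + i)
    isn = device.on_syn("203.0.113.7", 40000)
    return isn is not None and device.on_ack("203.0.113.7", 40000, (isn + 1) & MASK32)
```

With a 100-entry table and 1,000 never-completed SYNs the stateful device drops the legitimate client, while the stateless device still completes the handshake and still rejects an ACK that does not match its cookie.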

NETSCOUT Arbor’s Approach

HOLLAND: How is NETSCOUT Arbor helping enterprises evaluate and improve their defenses?

BIENKOWSKI: For almost 20 years, NETSCOUT Arbor has been researching DDoS attacks and designing products and services to stop them. We constantly strive to educate the market and customers on the latest trends in DDoS attacks and recommend best practices in defense so organizations can adequately protect themselves.

Our solution consists of an intelligently integrated combination of fully managed, cloud-based, global scrubbing and on-premises products that use highly scalable stateless packet processing technology to not only stop inbound DDoS attacks but also other cyberthreats coming in and leaving an organization.

Finally, all our products and services are armed with our ATLAS threat intelligence feed and expertise from our ATLAS Security Engineering and Research Team, or ASERT.

“For the most comprehensive protection, organizations should consider the combination of cloud-based protection to stop large attacks and on-premises protection to stop application layer attacks.”


Contact

(800) 944-0401 • [email protected]

902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io
