NETSCOUT SOC: Tales From the Trenches

Our SOC experts share some stories from the front lines of DDoS mitigation

Tales From the Trenches
NETSCOUT

If you think about it, Security Operations Center (SOC) experts rely on an interesting mix of skills: half Eagle Scout and half secret agent. After all, the Scouts use “Be Prepared” as a motto, and it takes meticulous preparation to automatically mitigate 79 percent of the 4,255 attacks the NETSCOUT SOC saw in the first six months of 2019. How does NETSCOUT’s Arbor Cloud SOC team scale to deal with this level of threat? Deep preparation, which means thoroughly understanding specific network environments and customizing defenses to automatically defend against such a huge number of opportunistic attackers. By building client-specific templates and measures for each client and using the enormous bandwidth available in Arbor Cloud, our SOC aims to make automatic mitigation par for the course. That’s the value of having the most focused DDoS expertise in the market — in both technology and personnel. But the reality is, no amount of preparation will create a system capable of automatically mitigating every attack. And that’s when you need to tap into your inner James Bond, fighting motivated attackers wielding a dizzying array of vectors. These are the situations the SOC lives for. The team’s collective experience and skills come together to quickly analyze and adapt defenses to match attackers tit for tat. Each confrontation brings the satisfaction of a well-fought fight as well as more material for that Boy Scout side — new tidbits about how attackers work, and how we can shut them down.

Some hats are whiter than others.

The Arbor Cloud SOC team received an emergency call from a regional North American telephony provider under siege from a determined attacker that was effectively using carpet bombing techniques to cause disruption. The attacker had warned the company that its current DDoS vendor was not going to be effective and threatened continued attacks until a bitcoin ransom was paid. The telephony provider brushed off the threats, and the attackers proceeded to take the company off-line for three days running. This is a huge deal for a provider that largely services small to midsize businesses, because one outage could result in massive customer churn. The provider was able to discover that the attacker had breached its network as well; the company was actively monitoring the attacker’s actions but was still not able to stop the DDoS attacks. That’s when we rode into town. The SOC team conducted an emergency overnight provisioning, and by morning were ready to mitigate. The moment that the Arbor Cloud autonomous system number (ASN) was announced to the internet, the attacker stopped all activities and withdrew from the network completely. Just the indication that Arbor Cloud was taking over protection was enough to drive the attacker away. This town had a new sheriff, and the bad guys had no appetite for a showdown.

Don’t want to study for finals? Hire a botnet.

Higher education, like everyone else, has embraced the digital world, adding online classes and moving tests from paper and pencil to keyboard and screen. So it’s not surprising to find this has made schools more susceptible to attacks on curriculum and testing — from the student body, that is. Out late last night? Didn’t get a chance to study? No problem. Just hire a botnet and take down the test server. No test today! We worked with a major university in the Northeast United States that was experiencing very targeted attacks on its online test platforms during semester beginnings and endings. School officials were convinced that the attacks came from within the student body, highlighting just how easy it is for novices to access very sophisticated attack tools. The attack vectors used were not particularly innovative, but the traffic was localized to sources geographically close to the university, and the timing of the attacks coincided with typical student cyber activities. The attackers were able to exert fine control on a botnet to closely simulate student traffic demographics and patterns. This typically would make the attacks more challenging to discern, but that wasn’t the case for the Arbor Cloud SOC team. They were able to use the wealth of tools and techniques at their disposal to make sure the university’s testing continued operating on schedule. Had the attacks succeeded, the school’s ability to conduct classes and do online testing would have been nullified.

We Can Play Chess Forever.

One customer, a major Asian gaming platform provider supporting tens of thousands of customers, was hit by a sophisticated attacker using a very large botnet. The pressure was on to find a fast solution because gamers can be very fickle and will quickly switch to other games or platforms if performance is not good. A thriving online gaming business could find itself in serious trouble if its service is deemed unreliable by the gamer community. The botnet used in the attack was very large and quite sophisticated, so it allowed the attackers to vary attack vectors at will. Moreover, a high percentage of legitimate traffic sources originated behind proxy servers, so defenders had to be careful not to block these IP addresses inadvertently. Commence the chess game. The Arbor Cloud SOC responded to the opening salvo with a typical mix of countermeasures tuned to the gaming environment. As soon as the attackers detected that their attack was not being effective, they switched vectors, forcing the SOC to switch defenses. Some of the attacks became so complex that they required real-time analysis and innovative filtering to thwart. The back-and-forth went on for a long time, but ultimately, the SOC team had the advantage thanks to the combination of know-how and tools that allowed them to adapt to every situation. The lesson here? Most attackers are all about the opportunity cost — make that cost too high, and they’ll depart for easier prey. Checkmate. 

Excerpted from NETSCOUT’s 1H 2018 Threat Intelligence Report.