David Hobbs currently serves in the Office of the CTO at Check Point while also managing Security Engineering in the Pacific Northwest. With over 25-years of experience, David has served as a consultant to numerous Federal and State Agencies, including the FBI, US Army Counterintelligence, Secret Service, and many private investigation companies.

Discover outstanding expert insights into DDoS attacks and how to properly architect application security in order to effectively reduce risk and mitigate threats. Get actionable steps to help you take your attack prevention initiatives to the next level. See how to convince your boss to buy-in.

Why do hackers conduct application layer DDoS attacks? What’s the end goal?

We’ll start with that end goal. The end goal of a DDoS attack is to cause a site or a company to go offline and no longer be able to service requests to their end users or to their customers. Essentially, they want to cause a complete and total outage.

Can you illuminate types of DDoS attacks and why hackers would select them?

Now, there are two different kinds of distributed denial of service attacks.

1. Volumetric. This attack type involves flooding the victim’s internet with so much traffic that their internet service provider is no longer able to service requests to the organization. Volumetric DDoS attacks account for about a third of the cases.

2. Application layer. Application layer DDoS attacks are sometimes a lot easier for attackers to orchestrate because various internet service providers and CDN providers, while they may be very good at stopping volumetric DDoS attacks, they don’t know the actual applications and may not necessarily have visibility into the encrypted data of the application or know how the application works. Attackers have learned that application layer attacks can be just as damaging to an organization as some volumetric attacks.

How are security professionals currently handling application security and DDoS prevention?

That’s a great question. Many organizations today have a contract with either their internet service provider or from a CDN provider. Organizations that have had a substantial number of DDoS attacks have a hybrid solution, which is on-premise equipment mixed with cloud scrubbing. Some use on-demand services in case of emergency only. On-demand services tend to have drawbacks, as the amount of time that it may take to mitigate those DDoS attacks could be a lot longer than otherwise.

What myths exist around AppSec, WAFs/CDN deployment and can you debunk them?

Some of the larger myths that exist around WAF and CDN are that the CDN provider or even an internet service provider will be able to mitigate large DDoS attacks or application security events. Essentially, because their business is not dedicated to actually knowing the inner workings of an organization’s application, many organizations think that when they’re relying on a third-party, that together, they’re going to magically be able to solve the attack.

CDN providers only protect Web Applications, but attackers can still attack other applications/services at the origin and take down your datacenter, so they cannot provide complete protection from DDoS attacks.

What we’ve seen in the last decade is that time to resolution -even if there’s an SLA in place – they tend not to get people into prevention mode very quickly. And so, we’ve seen instances where organizations thought that having a third-party assume the majority of the security responsibility would have been the fastest way to get their site back online. Many organizations then learn the painful truth, which is that recovery doesn’t necessarily happen very fast for them. And there are varying levels of mitigation that may not be there to protect them.

For the majority of organizations, what needs to change in order to increase protection?

When it comes to DDoS attacks, many organizations do not use a hybrid DDoS approach. Most organizations need to think about having on-premise protection, which can build baselines and know what the normal traffic is, so that in the event that they wind up having a volumetric attack, when they wind up utilizing volumetric scrubbing services, the mean time to resolution would be much faster than otherwise. Those are some of the larger changes that need to happen in order to increase protection.

The second consideration is making sure that application security and DDoS mitigation work hand-in-hand. Those are two of the main points in terms of what organizations need to do in order to really maximize their protection.

Can you please recommend several additional actionable insights?

From an actionable insight perspective, I know that many organizations don’t have the manpower to really be able to mitigate application level attacks and DDoS attacks themselves. What I would recommend is for organizations to find companies that they may be able to partner with that can provide expertise for them. It’s important to have experts that know your environment and who can help protect against the most sophisticated attacks. In addition, definitely look at a hybrid approach for DDoS, which would be application security, paired up with on-premise DDoS mitigation that’s tied into a volumetric scrubbing environment.

What should security leaders look for as they compare DDoS attack prevention options?

Organizations should definitely look for companies that have been doing dedicated DDoS mitigation for a very long time and that have a proven track record of being successful. The second thing is, when it comes to web application firewall, organizations need to look at new technologies that are using deep learning engines, can look at the known traffic going into a website and can help to build a positive security model.

It’s very important that they go above and beyond just signature matching and finding the known bad. A positive security model will help give organizations protection against zero-day attacks or unknown vulnerabilities.

How can security leaders get executives on-board with new tools/policies here?

Security leaders should be able to position, not only the cost of total downtime to an organization, but also the value of staffing their organization with experts who can build application security controls.

The ability to demonstrate a return on investment and to show potential cost reductions for the organization can be effective when going to the board of directors to say ‘this is the best path forward’.

Anything else that you wish to share with the CyberTalk.org audience?

Look to partner with companies that you know have a proven track record of being effective with this. Definitely feel free to reach out with any questions. I’m always happy to talk to CISOs and executives about my experience in mitigating DDoS attacks over the last decade.

Please send corresponding questions to [email protected]. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.