Continuous Assessment #3

In 2018, GitHub, a developer platform, was attacked using a distributed denial of service (DDoS) method. The attack was performed using more than 1.35 terabits per second (Tbps) of traffic (GitHub, 2018). Specifically, GitHub faced a memcached DDoS attack. The platform had to combat intermittent outages while its digital infrastructure evaluated the situation. Within a short period, the system called for assistance from Akamai Prolexic, its DDoS mitigation service. The intermediary took over and rerouted all of the traffic coming in and out of GitHub via scrubbing centers. The result was an 8-minute battle of weeding out and blocking malicious packets of data. The assault lasted only about 8 minutes, yet it remains the biggest DDoS attack to date.

A memcached DDoS attack is a type of cyber attack that targets the database caching system known as memcached (GitHub, 2018). The caching framework is intentionally designed to speed up networks and websites. The attack is designed to flood an application or website with large volumes of traffic in order to crash its servers. Normally, memcached uses a distributed memory caching approach to help applications and websites load their content faster by temporarily storing content on other devices (Bai, 2018). The intention is to load that content efficiently whenever visitors return to the site or application. An attack turns the same approach into a way to create havoc. Because memcached is open-source software, it remains vulnerable to attacks. Memcached attacks, such as the one GitHub faced, combine with the User Datagram Protocol (UDP), which allows data to be sent and transferred to users before the receiving party has agreed to the communication. For instance, quick audio playbacks or other formats such as video can be used to flood victims with intense, high volumes of data, thus crashing servers.

GitHub was affected in a number of ways. First, its services were inaccessible to end users for a short period, which meant a loss on the business side; this could also mean a financial loss. From another angle, the company may have lost data to the attackers in the 10-minute window. Loss of data is a sensitive matter because it could lead to future attacks or give access to information that could be used to perform a different type of attack. Although the company was able to mitigate the attack in record time, the incident could also have exposed the vulnerabilities of the memcached system to other hackers and attackers (GitHub, 2018), opening GitHub up to more attacks or attempts of the same or a larger magnitude.

In response to the attack, GitHub used Akamai’s Prolexic platform. The platform mitigated the attack by filtering all traffic entering and leaving the system through the UDP port. This is part of the best common practices adopted by technology companies and a practical memcached remediation procedure for minimizing risk (GitHub, 2018). Using an intermediary, Akamai, was a good approach for GitHub owing to Akamai’s experience in dealing with amplification attacks for other clients.
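The two preceding paragraphs describe the reflection mechanism (many memcached servers answering with large UDP responses aimed at one victim) and the remedy (filtering the UDP port at a scrubbing layer). The following Python example is added here to make both concrete; it is not part of the essay and is not GitHub’s or Akamai’s code. It runs a simple detector over constructed flow records and emits the kind of filter rule a scrubbing centre would apply. It assumes memcached’s default port, 11211 (a known default that the essay does not state), an iptables-style rule syntax, and made-up IP addresses from documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# memcached's default listening port (known default; assumption for this example)
MEMCACHED_UDP_PORT = 11211


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector might export it (constructed format)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


# Constructed sample flows seen at the victim's edge: three reflectors answering
# from the memcached port with very large packets, plus two benign flows.
SAMPLE_FLOWS = [
    Flow("UDP", "198.51.100.10", 11211, "203.0.113.5", 40000, 100, 140_000),
    Flow("UDP", "198.51.100.11", 11211, "203.0.113.5", 40000, 120, 170_000),
    Flow("UDP", "198.51.100.12", 11211, "203.0.113.5", 40000, 90, 126_000),
    Flow("TCP", "192.0.2.7", 52000, "203.0.113.5", 443, 30, 4_500),
    Flow("UDP", "192.0.2.8", 53, "203.0.113.5", 51000, 2, 300),
]


def reflector_summary(flows):
    """Per victim IP, aggregate inbound UDP traffic whose source port is memcached's."""
    summary = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto == "UDP" and f.src_port == MEMCACHED_UDP_PORT:
            s = summary[f.dst_ip]
            s["reflectors"].add(f.src_ip)
            s["packets"] += f.packets
            s["bytes"] += f.bytes
    return summary


def detect_amplification(flows, min_reflectors=3, min_bytes_per_packet=1000):
    """Flag a victim when many distinct reflectors send it large memcached-port UDP packets.

    A reflection attack shows up as (a) many source IPs all answering from the same
    service port and (b) a high bytes-per-packet ratio, since memcached responses are
    far larger than the spoofed requests that triggered them.
    """
    alerts = []
    for victim, s in reflector_summary(flows).items():
        bytes_per_packet = s["bytes"] / s["packets"]
        if len(s["reflectors"]) >= min_reflectors and bytes_per_packet >= min_bytes_per_packet:
            alerts.append({
                "victim": victim,
                "reflectors": len(s["reflectors"]),
                "bytes_per_packet": round(bytes_per_packet, 1),
            })
    return alerts


def mitigation_rules(alerts):
    """Produce the scrubbing-layer response: drop inbound UDP from the memcached port
    toward each flagged victim (iptables syntax, one rule per victim)."""
    return [
        f"iptables -A INPUT -p udp --sport {MEMCACHED_UDP_PORT} -d {a['victim']} -j DROP"
        for a in alerts
    ]


if __name__ == "__main__":
    found = detect_amplification(SAMPLE_FLOWS)
    for alert in found:
        print("amplification suspected:", alert)
    for rule in mitigation_rules(found):
        print("apply:", rule)
```

The thresholds are deliberately simple; a production detector would baseline normal UDP volumes first. The rule only drops the reflected traffic at the victim’s side, which is what the scrubbing described above achieves; operators of memcached servers themselves can remove their server from the reflector pool by not exposing it to the internet and by disabling its UDP listener (memcached’s `-U 0` option).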

References

Bai, K, 2018, ‘Analysis and Prevention of Memcache UDP Reflection Amplification Attack’, International Journal of Science, 5(3), pp. 297-302.

GitHub 2018, ‘GitHub Survived the Biggest DDoS Attack Ever Recorded’, https://www.wired.com/story/github-ddos-memcached/

Continuous Assessment #4

Crozier and Corner (2017) highlight the story of an Australian defence contracting firm that lost a large amount of sensitive data to an attack on its network. The attacker was able to gain full and unfettered access to the company’s environment and exfiltrated information without detection. The attacker, labelled an advanced persistent threat (APT) group, managed to get hold of more than 30GB of defence-related data relating to high-profile projects of the US and Australian militaries. To exfiltrate the data from the company, the culprit used the victim’s internet-facing IT helpdesk server, which ran outdated software with an arbitrary file upload vulnerability. The attacker exploited the vulnerability and uploaded a web archive file containing a copy of a backdoor that gave entry into the organization’s data. Other network enumeration tools were then uploaded, including scripts, credential dumping tools, and lateral movement tools. The credential dumping tool was a modified variant of Mimikatz, used to obtain login credentials cached on the helpdesk server. MITRE ATT&CK describes this exfiltration method as using a command and control channel, where the attacker remotely performs exfiltration via C&C infrastructure (MITRE, n.d.). The adversary communicates with a system under their own control; in this case, the IT helpdesk system was used to remotely gain access to the servers.

The impairment of a company’s critical infrastructure could lead to serious consequences. In the case study highlighted by Crozier and Corner (2017), the company lost a great deal of sensitive information that could affect an entire nation’s defence posture at the international level. Therefore, organizations should, first and foremost, learn that no system is completely secure or safe from attacks of any kind. An important lesson is that every system has vulnerabilities, and attackers are always looking for a way in through these vulnerabilities and weaknesses. A good way to prevent an organization from facing such losses is to avoid complacency. Internet access points should be limited and siloed. Another important lesson is the need to test often and to train employees on how to detect and prevent attacks. It is important for organizations to make time to improve their security as part of best practice in order to minimize risk. The attack on the organization in the case study was detected weeks after the initial intrusion, which means it could have happened again without the company’s knowledge. It is, therefore, an important lesson for organizations to train their employees to detect and prevent potential threats.

To mitigate attacks such as the one in the case study, the MITRE ATT&CK framework suggests ensuring that commonly used ports are covered by detection systems, blocking internal connections, configuring the network security infrastructure to block traffic from reaching the internet, monitoring application layer protocols, and monitoring data obfuscation and encoding such as Base64 encoding (MITRE, n.d.). The MITRE ATT&CK framework essentially advises organizations to look at vulnerabilities and weaknesses from the perspective of an attacker in order to identify risky areas that may lead to potential attacks.
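The monitoring items listed above (uncommon ports, application layer protocols, Base64-style encoding of outbound data) are easy to turn into a first-pass check over proxy logs. The Python example below is added here for that purpose; it is not from the essay, from MITRE, or from the itnews report. It parses constructed outbound web proxy log lines (a made-up field layout, with documentation-range IP addresses) and flags three of the signals MITRE describes: a destination port outside the usual web ports, a long run of characters that validates as Base64, and an unusually large upload.

```python
import base64
import binascii
import re

# Ports treated as "commonly used" for outbound web traffic (assumption for this example)
COMMON_WEB_PORTS = {80, 443}

# A run of at least 40 Base64-alphabet characters, optionally padded
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample: a fake "credential dump" encoded the way an exfiltration
# tool might encode it before sending it out inside a URL parameter.
FAKE_PAYLOAD = base64.b64encode(
    b"constructed fake credential dump: user=svc_helpdesk"
).decode()

# Constructed proxy log lines, fields: timestamp src_ip dst_ip dst_port method path bytes_sent
SAMPLE_LOG = [
    f"2017-10-12T03:14:07Z 10.0.0.21 203.0.113.9 443 POST /api/sync?d={FAKE_PAYLOAD} 24110",
    "2017-10-12T03:15:00Z 10.0.0.22 198.51.100.20 8443 GET /index.html 512",
    "2017-10-12T03:16:30Z 10.0.0.23 192.0.2.30 80 GET /news?id=42 300",
]


def parse_line(line):
    """Split one constructed log line into a record; paths never contain spaces here."""
    ts, src, dst, port, method, path, sent = line.split()
    return {
        "ts": ts, "src": src, "dst": dst, "port": int(port),
        "method": method, "path": path, "sent": int(sent),
    }


def looks_base64(token):
    """True only if the token decodes as strict Base64 (valid alphabet and padding)."""
    try:
        base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return True


def analyze(lines, upload_threshold=10_000):
    """Return one alert per log line that trips at least one of the three checks."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        findings = []
        if rec["port"] not in COMMON_WEB_PORTS:
            findings.append("uncommon_port")
        if any(looks_base64(m.group(0)) for m in B64_RUN.finditer(rec["path"])):
            findings.append("base64_payload")
        if rec["sent"] > upload_threshold:
            findings.append("large_upload")
        if findings:
            alerts.append({
                "src": rec["src"], "dst": rec["dst"],
                "port": rec["port"], "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The Base64 check is a heuristic: any 40-plus character string over that alphabet whose length is a multiple of four will pass (a hex digest of 64 characters, for example), so in practice these hits are correlated with the upload size and the destination rather than alerted on alone. The upload threshold should likewise be set from a baseline of normal traffic for the host in question.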

References

Crozier, R, Corner, S, 2017, Hacked Aussie Defence firm lost fighter jet, bomb, ship plans, itnews, Oct 12, https://www.itnews.com.au/news/hacked-aussie-defence-firm-lost-fighter-jet-bomb-ship-plans-475211

MITRE n.d., ‘Exfiltration’, The MITRE Corporation, https://attack.mitre.org/wiki/Exfiltration