Recent Botnet Attacks Highlight Importance of Automated Testing to Harden Defenses
A chief goal of DevOps is to speed up application delivery, but security has too often been an afterthought, resulting in a bolt-on approach that leaves apps vulnerable.
Massive Distributed Denial of Service (DDoS) attacks have become a weekly scourge, and with software now embedded in most consumer electronics (Is it too late to turn back from the Internet of Things? Asking for a friend.), the problem will likely only get worse.
Hackers have learned how to harness the items you use around the house to attack the services you rely upon. Just last week, one of the biggest and most sustained attacks affected services including Amazon, Spotify, Netflix, Reddit, and Twitter. The criminals did it by infecting our home devices, some 10 million of them, with a malware strain known as Mirai.
As internet security blogger Brian Krebs wrote, Mirai seeks out web-connected devices often protected by factory-default usernames and passwords, then directs those devices — DVRs, security cameras and such — to deluge target sites with trash traffic. Those sites are buried until they crater, affecting service.
The latest attack was directed toward Dyn, which provides routing services to the above-named megabrands. Service was crippled all along America’s East Coast.
“At this point, we know this was a sophisticated, highly distributed attack involving tens of millions of IP addresses. We are conducting a thorough root cause and forensic analysis and will report what we know in a responsible fashion,” said Kyle York, Dyn’s Chief Strategy Officer. “The nature and source of the attack are under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations.”
Krebs’ own site was hit in the same manner and potentially by the same crooks, a few weeks earlier.
What Companies Can Do About It
DDoS attacks are just one of the many security worries companies must confront in rolling out critical enterprise apps, a fact that is giving rise to a move toward what’s being called Rugged DevOps — injecting security scans and stack analysis earlier in the DevOps workflow to mitigate the bad actors. Credit the buzzphrase, like so many others, to DevOps guru Gene Kim.
A chief goal of DevOps, of course, is to speed up application delivery, but security has too often been left as an afterthought, resulting in a bolt-on approach that leaves apps vulnerable to malware intrusions such as Mirai.
There is a whole set of cultural issues (standardized configurations, controlled access to production systems, process discipline, and so on) involved in Rugged DevOps, but effective tooling and automation are key components.
Increasingly, companies are looking to integrate tools such as Blazemeter, which integrates load and performance testing in the workflow. Continuous load testing can not only help harden apps against DDoS attacks but also ensure apps are robust enough for peak customer demand, a common problem for consumer-facing services.
Rugged DevOps also increasingly means adopting tools like CA Technologies’ DevOps suite, which incorporates Service Virtualization and release automation solutions that can help developers build more resilient software.
Four common-sense steps to consider in your company:
- Make security a priority sooner rather than later. Security qualifications testing (risk assessments, compliance checks) must be conducted early in development and continuously throughout.
- Engage security experts as true partners — not afterthoughts — on your DevOps team.
- Embed security tools in your general operations toolkit instead of segregating their use with the security team.
- Automate testing. It’s difficult to discard all manual testing, but automation is far more effective and allows more testing at a lower cost.
Today more than ever, organizations must handle security management just as they approach other aspects of delivering their services. Event simulations and tests against intrusion and DDoS attacks should be automated throughout the integration and delivery process.
Published at DZone with permission of Michael Joseph, DZone MVB. See the original article here.