Shattering the Illusion of Total Network Security

With 60% more DDoS attacks in H1 of this year than in the entire year of 2021, it’s more important than ever that organizations have a way to identify and close DDoS vulnerabilities and proactively defend against attacks.

This post will look at three main types of network security assessments, their pros, and cons, as well as present an alternative approach that organizations should take to ensure they are protected from DDoS attacks.

Penetration testing

One of the most common network security testing organizations uses today is penetration testing or pentesting.

Traditional pentesting attempts to hack into your organization’s network to discover any vulnerabilities. The team conducting the pentests might have a few different goals, such as attempting to steal data, abuse APIs, hack into servers, and find exploits.

The Pros of Pentesting:

1. It identifies a wide range of vulnerabilities. These can include validating many of your network’s current security systems and identifying misconfigurations, encryption issues, un-patched vulnerabilities, data leakage prevention systems, authentication, weak passwords, and business logic flaws in software – basically, any method attackers can use to exploit your network.
2. It’s required by many compliance systems. These include HIPPA, PCI, SOC 2, and ISO 27001 compliance.

 The Cons of Pentesting:

1. It almost never includes DDoS. Pentesting typically doesn’t cover the detection of DDoS vulnerabilities. If it does, they are very specific. Or it may only detect DoS vulnerabilities.
2. It’s manual. Pentests are not automatic. Organizations rely on a specific individual or team for pentesting.
3. It’s expensive. Due to their costs, organizations are usually limited to the extent of coverage they test.
4. It doesn’t give you control. With pentesting, organizations rely on the expertise of the service company and how in-depth they can test. For example, if they don’t find vulnerabilities, it doesn’t necessarily mean you don’t have vulnerabilities.

DDoS Vulnerability Scanning

 Vulnerability scanning includes the setup of a device to run a scan that is generally non-disruptive to your organization’s network. The scan then informs you of which vulnerabilities it detected in your network and estimates the severity of each.

2 examples of what you can find using Vulnerability Scanning:

1. LOG4J vulnerabilities in the software version you are using
2. Information disclosure vulnerabilities in the specific software version you are using

 The Pros of DDoS Vulnerability Scanning:

1. Cost-effective. In comparison with pentesting, it’s more affordable.
2. Can be scheduled at regular intervals or whenever a network change has been made. In other words, the customer has control over when to run the scanner.
3. Non-disruptive. Vulnerability scanners are usually non-disruptive to your network.
4. It includes remediation reports. Unlike pentesting, vulnerability scanners both identify vulnerabilities and suggest ways to close the vulnerability. 

The Cons of  DDoS Vulnerability Scanning:

1. Only known risks can be found. The scan identifies vulnerabilities based only on a database of known vulnerabilities. For example, it can’t include zero-day vulnerabilities.
2. High potential for false positives. You might run a scan that identifies vulnerabilities, but a more in-depth test or scan with greater visibility would show that your network is safe from these vulnerabilities. For example, the scan might show that your end server is vulnerable, but your WAF protects you.
3. Limited in scope. While vulnerability scanning should discover individual gaps, attackers often exploit multiple security gaps. Most vulnerability scanners don’t offer remediation for smaller vulnerabilities, and several small vulnerabilities together can become an opportunity for attackers to exploit your network.

   Red team testing

Red team testing is different than the above security tests since it focuses on DDoS testing. However, red team testing’s main limitation is that it runs static tests against your dynamic network to see if it can defend against these attacks. These tests are usually carried out, in best scenarios, once a quarter, but more likely bi-annually. Since these tests are static, the test results become obsolete quickly.

The Pros of Red Team Testing:

1. Focuses on DDoS testing. Red team testing is the standard test in the market today for DDoS testing.
2. It checks the effect of DDoS attacks on your network. It runs a DDoS attack to check your organization’s response to a particular DDoS attack, so you know exactly what will happen to your organization in the event of a real attack.
3. Practice for the response team. It can help verify whether your security team is prepared in the event of a DDoS attack.

The Cons of Red Team Testing:

1. It requires a maintenance window. During this window (usually 3 hours), your network is down, and customers can’t access the website.
2. Quickly obsolete. Since tests are often only bi-annual and tests are static, the results are obsolete as soon as your organization makes a change to its environment.
3. Limited targets mean partial results. It is usually limited to 25 tests during this maintenance window. Results of the tests don’t accurately reflect the coverage of your organization’s dynamic attack surface.
4. Low visibility. Red team testing doesn’t tell you exactly how you are protected. For example, it doesn’t tell you which mitigation systems you’ve installed and where you’ve installed them. You don’t have much information other than whether an attack would be successful.
5. False negatives. Since red team testing checks at a specific rate, it means that if you are attacked at a different rate, you are not necessarily protected. For example, you might be protected against all attacks up to 10 Gg, but what if you are attacked at 100 Gg?
6. You might cause unexpected damage to your network. For example, you might damage a device in your network in a permanent way or you might affect targets outside of the scope of the attack.

The Future of DDoS Testing

It’s not that any of these types of network security assessments are better than others, as each answers different needs. Organizations need all three of these types of testing to fully evaluate their network security.

To be fully protected against DDoS attacks, however, a new type of DDoS testing is needed. One that identifies all DDoS vulnerabilities by continuously testing every attack vector across the entire dynamic DDoS attack surface with zero operational downtime, coupled with a prioritized remediation plan and validation of its execution.