Demo: A10 Defend Threat Control

March 19, 2024

Transcription

Hello everyone. Welcome to a demo of the newest product in the A10 Defend suite, A10 Defend Threat Control.

This standalone SaaS platform redefines DDoS intelligence, a new necessity for comprehensive DDoS protection, by bringing insights, analytics, and blocklists that are more actionable, flexible, and proactive.

Seen here is the dashboard of Defend Threat Control. The real time attack map displays a near real-time map of ongoing and stopped attacks in the last specified timeframe. Please note this is the A10 view on attacks. It is not possible to have full visibility of all attacks.

Similar to the idea of simple random sampling, this map is a random sampling of DDoS attacks occurring around the world, so the trends, patterns, and other insights depicted can be acted upon and are worth investigating.

By clicking in on individual links, you can see more information about a specific attack. You can additionally filter by the time of when attacks may have occurred, and over to the filter on the left-hand side, you can filter by duration of the attack, attack type, ASN – or autonomous system number – or country.

On the top navigation bar of the UI, let’s head over to “weapons & activities”.

The summary section displays the top attack vectors and attack methods seen by A10. This data is not crowd-sourced, it is researched using A10’s proprietary data gathering and validation method.

The filter function is still available on this page, so you can examine particular attack vectors in more depth. Also under “weapons & activities” are reflectors, botnets, and indicators of compromise.

Under reflectors, you can get the A10 perspective on how reflection-based attacks are being executed, such as leveraging the ARM protocol, or perhaps the more well-known NTP protocol. Reflectors are critical tools for the attackers during amplification attacks.

Under botnets, you’ll get the A10 perspective on the top ports that are scanned for botnet recruitment, top organizations that possess a large number of bots, a breakdown of botnets by country, and others.

One of the reasons DDoS is more dangerous is because of how easy botnet recruitment can be, and how large these botnets can be. It’s not as simple as simply stopping the attacking IP anymore, as that attacking IP can be part of a larger scheme. The complexity and volume of DDoS attacks have skyrocketed, in part because of attack or indicators of compromise, we report on top CVEs, not in terms of every existing CVE, but in terms of the ones we see as being more relevant, and DDoS-centric.

Continuing through the top bar navigation.

The tab titled “Attack Research” has details on a long list of attacks that we were able to see using Threat Control. Expanding the details shows us the /24 of the victim that is being attacked, along with what country the victim is from, what the ASN of the victim is, and other details.

Also under the top bar “Attack Research” there is another section titled “Search by IP/Networks” where you can check if a specific /24 IPv4 range has been attacked, or if it has been used in an attack during a specified time range.

The final section I’d like to touch on is the IP block list section at the top bar navigation.

The best use of Threat Control is still via the insights, but we understand there is overload when it comes to notifications, and modern security teams are oftentimes hamstrung, so the IP block lists are meant to be more of a hands-off approach that will bolster your existing defense. These block lists can be ingested by SIEMs or any other security device you currently have deployed.

By clicking in, you will see various block lists that are available, along with the description of each list, and size of each list. Some of these lists are standard lists that you can find in threat intelligence feeds, whereas the bot, c2, and reflector lists are proprietary lists generated by A10 research.

Additionally, there is the option to generate a custom block list for your needs, which can be filtered by geolocation, ports of relevance, attack protocols that are of higher concern, etc. etc. You can copy the custom URL to automatically update and download the list as it continually updates.

This here is a quick overview of the Defend Threat Control UI.

Contact us to learn more about how Threat Control is a necessary supplement to bolster your DDoS defense against modern DDoS attacks.