
DDoS Attacks: A Perfect Smoke Screen for APTs and Silent Data Breaches

By Ilia Kolochenko, October 15, 2015 (updated December 30, 2021), 6 min read

Growing DDoS attacks more and more frequently try to distract incident response teams in order to hide much bigger security incidents.

During this year alone, many security companies have announced a significant increase in DDoS attacks, highlighting growth in their diversity, complexity and quantity. The resources most commonly targeted by the attackers are web applications or websites. The main victims of DDoS blackmail are banks and financial institutions that own business-critical banking and trading web platforms, whose downtime is very expensive for the victims. However, in some cases a DDoS attack is just a smoke screen to distract the IT security team and cover up a much bigger incident. This may be why DDoS attacks have become a reliable companion of Advanced Persistent Threats (APTs) nowadays.

Robert Metcalf, a cybersecurity expert at PwC Switzerland, says: “In our professional experience of looking at recent cyber-attacks, DDoS and DoS are often a prelude to other attacks and minimizing the time to detect and respond is critical.”

It’s important to understand that classic DDoS attacks, which aim to make a web resource unavailable for a period of time, are rarely used by professional Black Hats in isolation from other attacks. The main objective of a DDoS attack is to harm a competitor or force a victim to pay a ransom. A couple of days of downtime is insufficient to achieve either of these goals, simply because such a short outage is not enough to seriously harm a company, unless it’s a popular online trader or retailer.

Moreover, sustained downtime of a major e-commerce player will cost the attackers quite a lot even for a two-day period: large businesses usually have well-protected infrastructure in the cloud with all sorts of DDoS-protection mechanisms, and taking them down requires very powerful and thus expensive botnets. Furthermore, after large-scale attacks against major US or European companies, law enforcement agencies and cybersecurity companies usually join forces to track and shut down the botnet(s) used for the attack, depreciating the botnet’s value much faster than the cybercriminals expected.

Therefore, if cybercriminals really want to harm a victim’s business, they would do better to use RansomWeb attacks. Various companies, including IBM and PwC [9], have since mentioned RansomWeb attacks in their research.

Similar to classic DDoS attacks, RansomWeb attacks affect the availability of a victim’s resources, making them inaccessible. However, unlike DDoS, RansomWeb can last indefinitely at no additional cost to the attackers, and therefore causes much more serious damage and financial losses to its victims.

The cherry on the cake comes from a Verizon report saying that 99.9 percent of exploited vulnerabilities [10] in 2014 had been disclosed and given a CVE number more than a year earlier, highlighting how easily a company can be hacked using public vulnerabilities, to say nothing of zero-days. As you can see, sophisticated hacking groups would rather compromise their victim first and then use RansomWeb tactics. Yes, the RansomWeb vector has some limits and is not applicable to some types of systems, but usually it’s not a problem to find a vulnerable web application suitable for it.

This is why professional Black Hats tend to use DDoS attacks not as their main attack vector, but rather as a smoke screen to hide more serious data breaches. Black Hats have a good understanding of their victims’ cybersecurity and incident response teams: cases of ex-White Hats turning Black Hat are becoming more frequent and will probably keep growing.

Usually, when a company is hit by a DDoS attack, all employees including top management are aware of it, as it impacts almost all stakeholders at all levels. IT and IT security teams will probably spend days and nights in the office remediating the attack together with their ISPs and anti-DDoS vendors. While this chaos is happening, who will keep an eye on web security alerts and incidents? Quite probably nobody.

Companies all over the world continue cutting operational costs, and usually the same group of IT experts is in charge of everything related to security: from entry badges to PCI compliance and DDoS attacks. Such an atmosphere is a great gift for hackers: professional cyber mercenaries prefer that their victim never becomes aware of the data breach at all, and therefore never launches a legal investigation or forensics. A sort of security [for hackers] through obscurity – yes, cybercriminals are also familiar with the content of the CISSP and CISA certifications.

Today almost every company struggles with false positives in its SIEM. So who will worry about one more web security incident ticket or email alert when the corporate PBX has just crashed, unable to handle a tsunami of calls from angry customers who cannot check out their orders?

Who will bother to review these tickets in two to three days, when the DDoS attack has finally been mitigated? Exhausted and angry infosec folks would rather go home and sleep after crazy nights spent in the office.

In addition to human factors, many companies use log rotation configured in such a manner that old logs are replaced by recent ones. Usually raw logs for non-critical processes (e.g. web application visitors and their HTTP requests) are stored for a three- to six-month period to save disk space. A DDoS attack can overwrite the same volume of log data in several days, deleting all previous records, which quite probably contain information about a sophisticated data breach. Who will bother to recover the logs? Probably nobody, as everyone will already be fed up with the DDoS mess.
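The two failure modes above (security alerts drowned in flood noise, and size-based rotation wiping pre-attack history) can be countered by triaging web logs for the quiet, high-value requests rather than by request count, and shipping those records to a separate retention store before rotation reaches them. The following is an added example, not code from the article or from any product mentioned in it; the log format, the sensitive paths, the size threshold and all addresses are constructed assumptions.

```python
"""Added example: find low-volume, high-value requests hidden inside a DDoS
flood. Log format (Common Log Format), paths and IPs are constructed."""
import re
from collections import defaultdict

# Assumed sensitive endpoints: one successful bulk fetch here matters more
# than a million 503s on the front page.
SENSITIVE = ("/admin/", "/export", "/api/customers")
LARGE_RESPONSE = 50_000  # bytes; assumed threshold for a bulk data pull

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

def parse(line):
    """Return the fields of one CLF line, or None for unparseable input."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def triage(lines, flood_threshold=1000):
    """Split sources into flood participants (reported by count only) and
    quiet suspects that successfully pulled large responses from sensitive
    paths. Returns (suspects, flood): {ip: [paths]}, {ip: count}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    suspects, flood = {}, {}
    for ip, recs in per_ip.items():
        if len(recs) >= flood_threshold:
            flood[ip] = len(recs)      # noise: handled by anti-DDoS, not here
            continue
        hits = [r["path"] for r in recs
                if r["status"] == "200"
                and int(r["bytes"]) >= LARGE_RESPONSE
                and r["path"].startswith(SENSITIVE)]
        if hits:
            suspects[ip] = hits        # ship these to the retained store
    return suspects, flood

def sample_log():
    """Constructed log: a two-source flood hiding one quiet bulk export."""
    flood = [f'203.0.113.{i % 2 + 1} - - [15/Oct/2015:02:{i % 60:02d}:00 +0000] '
             f'"GET / HTTP/1.1" 503 0' for i in range(3000)]
    quiet = ['198.51.100.7 - - [15/Oct/2015:02:17:41 +0000] '
             '"GET /admin/export?table=customers HTTP/1.1" 200 8421337',
             '198.51.100.7 - - [15/Oct/2015:02:17:45 +0000] '
             '"GET /static/logo.png HTTP/1.1" 200 1200']
    return flood[:1500] + quiet + flood[1500:]
```

Run `triage(sample_log())` to see the single export request surface while the 3,000 flood lines are reduced to two counts; in production the suspect records should be written to storage that is not subject to the web log's size-based rotation.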

Of course, sometimes a DDoS attack can be very cheap and simple to launch. If a victim’s web application has SQL injection or application logic vulnerabilities that attackers can use to exhaust the web infrastructure’s CPU and RAM with just a dozen HTTP requests, then DoS becomes a pretty interesting attack vector. The catch is that the vulnerability the attackers are leveraging is usually fairly easy to discover, so such a DoS cannot last long.

In any case, make sure that your website is secure; otherwise the consequences of even the simplest DoS attack may be quite expensive.

DDoS attacks are not as unambiguous and obvious as they may seem at first glance. Therefore, make sure that you clearly understand the motives behind a DDoS attack and its real purpose; otherwise hackers will silently do more than you think.


Ilia Kolochenko

Ilia Kolochenko is a Swiss application security expert and entrepreneur. He started his career as a penetration tester and has 15 years of experience in security auditing and digital forensics. After serving in Swiss artillery troops in 2007, Ilia founded his first pentesting and cybersecurity consultancy, High-Tech Bridge. In 2014, Frost & Sullivan named the company a leading service provider in the European pentesting market. Later Ilia invented and built the concept of the ImmuniWeb Platform, which combines the strengths of human intelligence with Machine Learning, and is now entirely dedicated to it. As Chief Architect at ImmuniWeb, he leads its data scientists, security analysts and software engineers. Ilia holds a bachelor’s degree in Computer Science and Mathematics from Webster University, a Master of Legal Studies from Washington University in St. Louis and a Master of Science in Criminal Justice (Cybercrime Investigation) from Boston University. Currently, Ilia is a Doctoral student (Ph.D. in Cybersecurity Leadership) at Capitol Technology University. Ilia Kolochenko is a member of the Europol Data Protection Experts Network (EDEN), a Member of the GIAC Advisory Board and a Committee Member at the Boston University MET CIC (Cybercrime Investigation & Cybersecurity) Center. Ilia is a certified GIAC GLEG professional (Law of Data Security & Investigations) and a Certified Information Privacy Professional (CIPP/US and CIPP/E) by IAPP.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
