Have you heard of a smash-and-grab robbery? In the physical world, it usually refers to a group of thugs who storm a retail store – often a jewelry store or a pawn shop – and smash the display cases with sledgehammers. They grab all the expensive merchandise they can get and run out of the store before the shocked store clerks have much time to react.
Now there is an equivalent type of attack in the cyber world. Instead of sledgehammers, criminals use a DDoS attack to cripple system resources and distract the security and networking professionals, who turn their attention to mitigating the denial-of-service attack. Meanwhile, the cyber thieves are moving elsewhere through the network in an attempt to steal intellectual property or information that can be quickly monetized. The DDoS attack is simply a diversionary tactic to take security experts’ eyes off the data exfiltration.
Craig Treubig of the security firm Accuvant believes that this sort of cyber smash-and-grab technique will be used more frequently as criminals take advantage of readily available DDoS kits to execute their diversion. In a recent InformationWeek article, Treubig wrote:
As hacker tools become easier to get in an active underground market, we will likely see the number of smash-and-grab attacks increase. Enterprises must do more to protect themselves, and be on alert for the use of DDoS attacks coupled with denial-of-service (DoS) attacks.
Last October, Gartner vice president Avivah Litan confirmed that some of the DDoS attacks that were systematically directed at financial institutions in the past year or so were used as a cover-up for fraud. In an interview with BankInfoSecurity.com, Litan explained how a DDoS attack is used to mask account takeover activities, the kind that were discovered at a handful of banks:
DDoS is a distraction, so when you're under an attack, all eyes are on the attack, and there's not as many resources paying attention to other parts of your system. You may even have alarms going off that you just don't have time to pay attention to, because most of the alarms that go off still have to be investigated manually.
Litan believes that at least 2 or 3 banks that experienced a DDoS attack also had their payment switch (software) taken over. This would allow thieves to direct money from a bank’s accounts wherever they want it to go.
Denial-of-service as a diversionary tactic is nothing new. In September 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) issued a fraud alert to financial institutions. According to the alert, several banks had already become the victims of unauthorized wire transfers. In these incidents, DDoS attacks were launched either before or after the funds transfer in order to prevent the bank from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer.
FS-ISAC issued recommendations to financial institutions on how to reduce the likelihood of security breaches. I’ve taken the liberty to select some of the more general suggestions that apply to virtually any organization, and added a few pointers of my own:
- Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails. Phishing attacks have been a successful means for attackers to plant malware or steal legitimate credentials.
- Do not allow employees to access administrative accounts from home computers or laptops connected to home networks.
- Review anti-malware defenses and ensure the use of reputation-based content and website access filters.
- Ensure that workstations utilize host-based IPS technology and/or application white-listing to prevent the execution of unauthorized programs.
- Monitor employee logins and activities that occur outside of normal business hours.
- Consider implementing time-of-day login restrictions for the employee accounts with access to systems with sensitive data.
- Deploy an anti-DDoS solution to mitigate attacks on your network and to weed out bad traffic before it ever gets to other parts of your infrastructure.
- If you do suffer a DDoS attack, check your security system logs end to end to determine whether other suspicious activities took place before, during or after the attack.
- Review intrusion detection and incident response procedures and consider conducting a mock scenario testing exercise to ensure familiarity with the plan.
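Two of the recommendations above, monitoring logins outside business hours and reviewing logs for activity before, during and after a DDoS, can be turned into a simple correlation pass over authentication and transaction logs. The routine below is an added example and is not part of the FS-ISAC alert or the original post; the log format, the DDOS_START/DDOS_END markers, the 30-minute margin around the attack window and the 08:00 to 18:00 business hours are all assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample log (not from the article): "<date> <time> <event> key=value ...".
SAMPLE_LOG = """\
2013-01-14 02:10:05 LOGIN user=jdoe src=10.0.5.21
2013-01-14 09:05:11 LOGIN user=asmith src=10.0.5.40
2013-01-14 14:00:00 DDOS_START
2013-01-14 14:07:32 LOGIN user=svc_payments src=203.0.113.9
2013-01-14 14:12:48 WIRE_TRANSFER user=svc_payments amount=250000
2013-01-14 14:40:00 DDOS_END
"""
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed normal working hours
SENSITIVE = {"LOGIN", "WIRE_TRANSFER"}  # event types worth a second look

def parse(log):
    # Each line becomes (timestamp, event, {key: value}).
    events = []
    for line in log.splitlines():
        parts = line.split()
        ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append((ts, parts[2], fields))
    return events

def ddos_windows(events, margin=timedelta(minutes=30)):
    # Pair DDOS_START/DDOS_END markers, widened by `margin` on each side so
    # activity shortly before or after the attack is reviewed as well.
    windows, start = [], None
    for ts, ev, _ in events:
        if ev == "DDOS_START":
            start = ts
        elif ev == "DDOS_END" and start is not None:
            windows.append((start - margin, ts + margin))
            start = None
    return windows

def flag_suspicious(log):
    # (timestamp, event, user, reason) for each sensitive event that falls
    # inside a DDoS window, plus any login outside business hours.
    events = parse(log)
    windows = ddos_windows(events)
    flagged = []
    for ts, ev, fields in events:
        in_window = ev in SENSITIVE and any(lo <= ts <= hi for lo, hi in windows)
        off_hours = ev == "LOGIN" and not BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
        if in_window or off_hours:
            reason = "during-ddos" if in_window else "off-hours"
            flagged.append((ts.isoformat(sep=" "), ev, fields.get("user"), reason))
    return flagged
```

On the sample log this flags the 02:10 login as off-hours and both the service-account login and the wire transfer inside the widened attack window; the ordinary 09:05 login passes.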