Dark DDoS Attacks Often Mask Security Breaches
It's a challenge for network security professionals to detect, never mind block, every intrusion. What’s troubling is how much time it can take for an organization to realize that its network security system has been breached. In its latest report on cyber security trends, “M-Trends 2016,” FireEye found that it took a median of 146 days for an organization to recognize that its security had been compromised. (This statistic is based on Mandiant’s experience responding to breaches. Organizations that detected a breach on their own or resolved the breach without Mandiant’s involvement are not included in the median.)
Some infamous security breaches weren’t detected for months; the U.S. Office of Personnel Management data breach is one instance that comes to mind. It took OPM staff over a year to become aware of the breach. TalkTalk’s breach was another that made headlines, and raised questions about how long it took for security staff to detect the breach and respond to it. In that incident “criminals accessed details of 156,959 accounts and 15,656 bank account numbers,” according to Express news.
The fact that some breaches have gone unnoticed for days, or even months, is cause for concern. That’s way too much time, considering that hackers can infiltrate a network and obtain crucial data in a matter of minutes. Why did it take so long for TalkTalk to realize the security breach? One factor was a distributed denial of service (DDoS) attack. The Guardian reported that “TalkTalk said a distributed denial of service (DDoS) attack – one that overwhelms a website with traffic, taking it offline – was used as a smokescreen for the attack.”
DDoS Attacks Serve As Smokescreens
Corero’s research of its customer base found that 95% of DDoS attacks average less than 30 minutes in duration, and 93% of attacks are 1Gbps or less in size. Such partial link saturation attacks are often called “Dark DDoS attacks” because they can serve as a smokescreen for a security breach that exfiltrates sensitive data. A Dark DDoS attack distracts IT security staff by inundating online systems with junk traffic, while hackers penetrate other network services that are still up and running and vulnerable to attack.
Even if you have a legacy DDoS mitigation solution (such as a cloud scrubbing service), you’re not fully protected from a Dark DDoS attack, because scrubbing solutions still rely too much on human observation and intervention, which results in a time delay. A scrubbing center solution is usually activated at least 30 minutes after the attack has been initiated—by then some damage could already be done, either in terms of affecting a network or website, or stealing sensitive data.
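To show how the smokescreen pattern described above can be caught automatically rather than by a human watching a dashboard, here is an added example (not Corero's code and not from the original post) that runs over constructed per-minute flow records: it flags a short inbound burst that stays below link capacity, then checks whether outbound volume jumped inside that same window. The link size, traffic baselines and multiplier thresholds are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass

LINK_BPS = 10_000_000_000      # assumed 10 Gbps edge link; a Dark DDoS never fills it
BASELINE_IN_BPS = 50_000_000   # assumed learned baselines for inbound / outbound traffic
BASELINE_OUT_BPS = 20_000_000
T0 = 1_700_000_040             # constructed start time, on a minute boundary

@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    direction: str   # "in" or "out" relative to the protected network
    nbytes: int

def per_minute_rates(flows):
    """Sum bytes per (minute, direction) and convert to bits per second."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.ts // 60, f.direction)] += f.nbytes
    return {k: v * 8 / 60 for k, v in totals.items()}

def find_dark_ddos_windows(rates, in_factor=5.0, max_minutes=30):
    """Runs of minutes where inbound is well above baseline yet below link capacity."""
    flagged = sorted(m for m, d in rates if d == "in"
                     and in_factor * BASELINE_IN_BPS <= rates[(m, "in")] < LINK_BPS)
    windows = []
    for m in flagged:
        if windows and m == windows[-1][1] + 1:
            windows[-1] = (windows[-1][0], m)   # extend the current run
        else:
            windows.append((m, m))              # start a new run
    return [w for w in windows if w[1] - w[0] + 1 <= max_minutes]   # short bursts only

def correlate_exfil(rates, windows, out_factor=3.0):
    """Alert when outbound volume also jumps inside a flood window: the smokescreen pattern."""
    alerts = []
    for start, end in windows:
        out_peak = max(rates.get((m, "out"), 0) for m in range(start, end + 1))
        if out_peak >= out_factor * BASELINE_OUT_BPS:
            alerts.append({"window": (start, end), "out_peak_bps": out_peak})
    return alerts

def build_sample():
    """Constructed records: 40 minutes, a 10-minute 600 Mbps inbound flood, 3 minutes of exfil."""
    flows = []
    for minute in range(40):
        in_bps = 600_000_000 if 10 <= minute < 20 else BASELINE_IN_BPS
        out_bps = 100_000_000 if 12 <= minute < 15 else BASELINE_OUT_BPS
        flows.append(Flow(T0 + minute * 60, "in", in_bps * 60 // 8))
        flows.append(Flow(T0 + minute * 60, "out", out_bps * 60 // 8))
    return flows
```

A sub-1 Gbps burst on a 10 Gbps link never trips a bandwidth-saturation alarm, which is why the second step, the outbound check during the burst, is the one that surfaces the breach.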
For this reason, it’s more important than ever to have an automated, inline DDoS mitigation appliance in place, which provides 24/7/365 protection from DDoS attacks. According to Dave Larson, COO of Corero Network Security,
“The only proper defense is to use an automatic, always-on, in-line DDoS mitigation system, which can monitor all traffic in real-time, negate the flood of attack traffic at the Internet edge, eliminate service outages and allow security personnel to focus on uncovering any subsequent malicious activity, such as data breaches.”