Distributed denial of service (DDoS) attacks continue to plague the Internet, with a series of attacks recently making the headlines, including a DDoS attack on five major Russian banks and the UK's 'FBI' being hit by a DDoS attack. In the light of these events, it is important to understand why organizations must stay vigilant to the many potential, and sometimes hidden, effects of a DDoS attack.
DDoS attacks are no longer simply designed to deny service, but are increasingly used as a smokescreen to camouflage other cyber-attacks, including data breaches and financial fraud. In a large proportion of data breaches reported over the last few years, DDoS attacks have been occurring simultaneously, as a component of a wider strategy. In these cases, DDoS attacks are used as a diversion to distract the attention of the company's security team and cover up much more damaging malevolent activities. For this reason, organizations should be wary of being quick to claim that their business systems have not been affected by a DDoS attack, because this can be extremely difficult to ascertain.
For example, one of the biggest risks a company faces during a smokescreen DDoS attack is data exfiltration over the network. Data exfiltration is a form of security breach that occurs when a company's data is copied, transferred, or otherwise retrieved from a computer or server without authorization. Detecting exfiltration attempts is challenging on its own, because data routinely moves in and out of a company's networks, so an exfiltration flow can closely resemble normal traffic. When a DDoS attack is performed at the same time, detection becomes even harder.
The risk of reputational damage from an interruption of service is another harmful consequence of a DDoS attack, and something with which the UK's National Crime Agency (NCA) must now be all too familiar. While the agency was unlikely to suffer any operational issues as a result of its public-facing website being taken offline earlier this month, the irony that the website of one of the main cybercrime units in the UK was unable to defend itself from a DDoS attack will not have been lost on readers. Indeed, according to a recent Corero survey, IT security professionals believe that loss of customer trust is the most damaging consequence of a DDoS attack.
In this case, the NCA spokesperson also set a dangerous precedent by suggesting that a 30-minute interruption of service is acceptable. While there may be little risk to this particular organization from such a service outage, the effect of a similar attack on most other UK organizations could be detrimental. Short, sub-saturating DDoS attacks usually leave just enough bandwidth available to allow other multi-vector attacks to make their way into the network and past weakened network security layers undetected. If organizations allow these short attacks to continue, without fully analyzing what has happened, they could unwittingly allow a variety of malicious traffic to enter their networks.
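The two points above, that exfiltration hides inside normal-looking traffic and that a short sub-saturating flood leaves the link up while drawing attention, can be illustrated with a small detection check. The following is an added example, not code from the original post or from Corero: it runs over constructed per-minute flow summaries (of the kind a NetFlow-style export would give) for three hypothetical internal hosts, measures inbound link utilisation against an assumed 1 Gbit/s link, and baselines outbound bytes per host separately, so that a small steady transfer from one host during the flood is flagged even though the link never saturates. All addresses, byte counts and the link capacity are constructed sample values.

```python
"""
Added example (not from the original post): egress baselining per internal host
during a sub-saturating inbound flood. All flow records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (minute, direction, internal_host, bytes).
# Minutes 0-9 are a quiet baseline. In minutes 10-12 an inbound flood hits
# all hosts, and host 10.0.0.7 quietly pushes out far more data than usual.
HOSTS = ("10.0.0.5", "10.0.0.7", "10.0.0.9")
FLOWS = []
for minute in range(10):
    for host in HOSTS:
        FLOWS.append((minute, "in", host, 20_000_000))
        FLOWS.append((minute, "out", host, 5_000_000))
for minute in range(10, 13):
    for host in HOSTS:
        FLOWS.append((minute, "in", host, 900_000_000))   # flood traffic
        FLOWS.append((minute, "out", host, 5_000_000))
    FLOWS.append((minute, "out", "10.0.0.7", 300_000_000))  # the exfiltration

# Assumed 1 Gbit/s link: 125 MB/s * 60 s = 7.5 GB per minute.
LINK_CAPACITY_BYTES_PER_MIN = 7_500_000_000


def per_minute_totals(flows, direction):
    """Aggregate bytes per (minute, host) for one traffic direction."""
    totals = defaultdict(int)
    for minute, d, host, nbytes in flows:
        if d == direction:
            totals[(minute, host)] += nbytes
    return totals


def link_saturation(flows, capacity):
    """Fraction of inbound link capacity used in each minute."""
    per_min = defaultdict(int)
    for minute, d, _, nbytes in flows:
        if d == "in":
            per_min[minute] += nbytes
    return {m: b / capacity for m, b in per_min.items()}


def egress_anomalies(flows, baseline_minutes, threshold=4.0):
    """Flag (minute, host, bytes) where a host's outbound volume exceeds
    its own quiet-window baseline by more than `threshold` deviations."""
    out = per_minute_totals(flows, "out")
    baseline = defaultdict(list)
    for (minute, host), b in out.items():
        if minute < baseline_minutes:
            baseline[host].append(b)
    alerts = []
    for (minute, host), b in sorted(out.items()):
        if minute < baseline_minutes or host not in baseline:
            continue
        mu = mean(baseline[host])
        sigma = pstdev(baseline[host])
        # A perfectly flat baseline has zero deviation; use a floor of 10% of
        # the mean so the check still has a sensible margin.
        limit = mu + threshold * max(sigma, 0.1 * mu)
        if b > limit:
            alerts.append((minute, host, b))
    return alerts


if __name__ == "__main__":
    sat = link_saturation(FLOWS, LINK_CAPACITY_BYTES_PER_MIN)
    print("peak inbound link utilisation: %.0f%%" % (100 * max(sat.values())))
    for minute, host, b in egress_anomalies(FLOWS, baseline_minutes=10):
        print(f"minute {minute}: {host} sent {b / 1e6:.0f} MB outbound (baseline ~5 MB)")
```

The design point is that the two measurements are kept apart: a link-utilisation view alone reports the flood as a 36% spike that never threatens availability, while the per-host egress baseline reports the 300 MB per minute leaving 10.0.0.7 in each of the three flood minutes. An aggregate view that only watches total bytes on the link would see the outbound transfer as a small fraction of the flood.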
To keep up with the growing sophistication and range of attacks, it's essential that organizations maintain comprehensive visibility across their networks with a DDoS monitoring tool that detects and blocks all potential DDoS incursions as they arise.
For more information, please contact us.