The Link Between DDoS Attacks & Security Breach Dwell Time

In IT security, “dwell time” is the amount of time that elapses between when a security breach happens and when it is discovered. CIO Australia published an interesting article forecasting 2017 IT security trends, and it predicts that dwell time will not improve. That article reported, “In some extreme cases, dwell times can reach as high as two years and can cost a company millions per breach.”

The costs of security breaches are notorious, and the methods behind them are myriad and constantly evolving. One might ask how a security breach could go unnoticed, especially for long periods of time. In part it is because attacks are difficult to identify, either while they are in progress or after the fact (it is hard to sift through enormous network device logs for the data that indicates when and where an attack occurred).

Another factor that makes security breaches hard to notice is that hackers have become more adept at taking down firewalls and intrusion prevention systems (IPS) to invade networks without causing major network disruptions. One of the easiest and most common ways to do that is with a distributed denial of service (DDoS) attack.

On its own a DDoS attack is not a security breach, but DDoS attacks often serve as smokescreens for more nefarious infiltrations. The vast majority are sub-saturating, low-threshold DDoS attacks: they create “noise” on the network, but they often escape attention. Corero research has shown that the vast majority (93%) of DDoS attacks are under 1 Gbps, and 96% last less than 30 minutes. As such, they often go unnoticed by IT security staff or traditional DDoS detection solutions.

Even when IT security staff do notice a DDoS attack, the attack can serve to distract them from protecting other aspects of the network. IT staff may scramble to engage a legacy DDoS mitigation solution, but it is simply not fast enough. Hackers need only seconds or minutes to crash a firewall and then map a network’s vulnerabilities to install malware and ransomware, or steal sensitive data (such as Social Security numbers, credit card numbers, email addresses, intellectual property or personal information). Once inside a network, hackers can reside there for months.

Legacy DDoS solutions rely too heavily on human intervention; it usually takes 20-30 minutes to engage a legacy mitigation solution that swings out the “bad” traffic. In contrast, on-premises DDoS protection hardware detects and blocks even low-threshold, sub-saturating attacks automatically, in real time.
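The following added example (not code from the original post or from Corero) illustrates the detection gap described in the two paragraphs above: a fixed "near saturation" alarm never fires on a six-minute burst that stays under 1 Gbps, while a baseline-relative detector flags it within the first minute. The per-minute counters, the 10 Gbps link size and the thresholds are all constructed assumptions.

```python
"""Flag short, sub-saturating traffic bursts in per-minute link counters.

Added example, not from the original post. Compares a legacy-style fixed
threshold with a rolling-baseline detector on constructed sample data.
"""
from statistics import median

LINK_CAPACITY_GBPS = 10.0                         # assumed link size
FIXED_THRESHOLD_GBPS = 0.8 * LINK_CAPACITY_GBPS   # legacy "near saturation" alarm
BASELINE_WINDOW = 15                              # minutes of history for the median
BURST_FACTOR = 4.0                                # alert when sample >= factor * baseline

# Constructed per-minute inbound Gbps: ~0.1 Gbps of normal load, then a
# six-minute burst peaking at 0.6 Gbps (well under 1 Gbps) from minute 20.
SAMPLES = [0.1] * 20 + [0.5, 0.6, 0.6, 0.55, 0.6, 0.5] + [0.1] * 14


def fixed_threshold_alerts(samples, threshold=FIXED_THRESHOLD_GBPS):
    """Minutes at which a fixed saturation threshold would alarm."""
    return [i for i, gbps in enumerate(samples) if gbps >= threshold]


def baseline_bursts(samples, window=BASELINE_WINDOW, factor=BURST_FACTOR):
    """Group consecutive anomalous minutes into bursts of (start, end, peak).

    The baseline is the median of the preceding `window` samples, so a
    short burst cannot drag its own baseline up enough to hide itself.
    """
    bursts, current = [], None
    for i, gbps in enumerate(samples):
        history = samples[max(0, i - window):i]
        baseline = median(history) if history else gbps
        anomalous = baseline > 0 and gbps >= factor * baseline
        if anomalous:
            if current is None:
                current = [i, i, gbps]          # open a new burst
            else:
                current[1] = i                  # extend it
                current[2] = max(current[2], gbps)
        elif current is not None:
            bursts.append(tuple(current))       # burst ended
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts


if __name__ == "__main__":
    print("fixed-threshold alerts:", fixed_threshold_alerts(SAMPLES))
    for start, end, peak in baseline_bursts(SAMPLES):
        print(f"burst minutes {start}-{end} ({end - start + 1} min), peak {peak} Gbps")
```

On the constructed data the fixed threshold reports nothing, while the baseline detector reports one burst at minutes 20-25 with a 0.6 Gbps peak, exactly the short, low-volume profile the post says legacy tooling misses.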

Even a small DDoS attack is enough to penetrate network security and open the door for malware and ransomware to come in. Network security professionals would be wise, therefore, to make sure that they have automated DDoS protection in place, as a first line of defense against intrusions.

For more information, contact us.