Track: General Security
Author: Vann Abernethy, Field CTO, NSFOCUS
Distributed Denial-of-Service (DDoS) attacks have been around for decades and have been increasing in popularity due to the relative ease in carrying one out. Traditionally, the purpose of these attacks has been to make a site or service unavailable to its intended users for some duration via either flood-type attacks or application-layer attacks (which are smaller, but just as effective) that overwhelm the target’s network or systems.But the result is basically the same: systems go down, resources are unavailable and the victim is scrambling to fix everything. Recently, however, there has been a rise in DDoS attacks being used as smokescreens to cover up other criminal activity, such as theft of intellectual property, banking and financial records, stolen customer data or even vulnerability probes. The intent here is not to shut down a particular website, but to distract security teams long enough so that the real attack goes unnoticed – at least initially.
Divide and conquer
In November 2011, the FBI warned of one such attack type, which relies on the insertion of some form of malware. When the attacker is ready to activate the malware, a DDoS attack is launched to distract and occupy defenders, as was the case with the Zeus malware variant that targeted banking institutions. Considering most malware goes undetected for long periods of time, even a small DDoS attack should be a red flag that something else may be going on. One way to combat this is to have multiple teams responding to a DDoS attack – one to work on the DDoS defense itself and another (or multiple, depending on the company) that goes into hyper vigilance mode to look for evidence of other attacks. Even after the DDoS attack has ended, security teams should do a complete, methodical review of all systems to ensure no other breaches have taken place. The most successful security programs incorporate some form of data forensics to uncover threats and breaches that might otherwise go unnoticed. Doing this requires some preparation work to set up sensors that routinely grab data from sources beyond the core security and routing devices. Any irregularities in the data will indicate that something suspicious is going on outside the initial DDoS attack.
The recon team
Another trend is that the DDoS attack itself may be a bit more sinister. For example, a DDoS attack could be masking a simultaneous attack that is probing for vulnerabilities, such as a network flood masking a vulnerability scan. In fact, this scheme proved successful for a group of attackers that made off with nearly $1 million in stolen Bitcoins from a Denmark-based payment processor in a well publicized attack that took place in November of 2013 (Information week, Bitcoin Thefts Surge, DDoS Hackers Take Millions, 11/15). In general, basic probing will likely be caught if the victim has even modest security protections, but that’s not always the case. The best defense here is to have a purpose-built DDoS defensive service or appliance that keeps the bad traffic off of your core security systems.
Always be one step ahead
In what was once a mere tool for taking down websites, DDoS attackers have found a new, useful application. Companies that have successfully thwarted attacks did so because they planned ahead and developed an action response plan, allocating resources to the proper channels and establishing it as a core part of the operations process. This not only allows security teams to act quickly to limit the time an attacker has to carry out their mission, but gives them the knowledge to better understand and stop the attack. Should a business find itself a victim of an attack, it’s critical to keep an eye open for other potentially suspicious activity.
Vann Abernethy is the Field CTO for NSFOCUS. He brings more than 20 years of Security and IT management experience working for a wide range of companies, from start-ups to the Fortune 500. Throughout his career, Abernethy has developed and deployed security, network and infrastructure management products and solutions; ranging from SMBs to government to some of the largest, industry-leading enterprises worldwide.