By Roy Reynolds, Technical Director, Vodat International
When you think of distributed denial of service (DDoS) attacks chances are you conjure up an image of an overwhelming flood of traffic that incapacitates a network. This kind of cyber-attack is all about overt, brute force used to take a target down. Some hackers are a little smarter using DDoS as a distraction while they simultaneously attempt a more targeted strike, as was the case with a Carphone Warehouse hack in 2015, but generally DDoS isn’t subtle.
Now, however retailers are having to re-think DDoS protection following the rise of a smaller stealthier incarnation of threat. A recent report by cybersecurity experts Neustar reveals a significant increase in small-scale DDoS attacks and a corresponding reduction in conventional large-scale events. The hacker’s aim here is to remain below the conventional ‘detect and alert’ threshold that could trigger a standard DDoS mitigation strategy so that an attack can continue unnoticed while specific areas of the target network are incapacitated.
The Neustar report reveals that between April and June of 2019, over 75% of all attacks mitigated by Neustar were 5 Gigabits per second (Gbps) or less, while large attacks – those of 100 Gbps and over – decreased by 64%.
These smaller, stealthier DDoS attacks are designed to enable the perpetrator to get in and get out of a network unnoticed or allow the attack to continue for quite a long time undetected. In fact, the longest duration for a single stealthy DDoS attack in Q2 of 2019 was nearly two days. Under-the-radar incursions like these are aimed at specific services, gateways and applications so they need less traffic to bring them down.
When quizzed by Neustar, 72% of CTOs, CISOs and security directors revealed that their systems would be unable to detect and protect against this new breed of stealth DDoS attacks.
The answer to the emerging threat is for organisations to deploy an ‘always on’ DDoS mitigation service that can constantly monitor traffic to ensure threats of all sizes are quickly detected, managed and neutralised. Organisations also need to create a business ‘risk register’ which enables them to focus primarily on their most-critical business assets so security efforts can be prioritised correctly.
As well as the rise of stealth attacks DDoS has evolved in five other critical ways:
- Access: Black market services, known as “rent-a-bot,” make it easy for almost anyone to launch a powerful DDoS attack against a business for a nominal fee.
- Complexity: New DDoS techniques have made DDoS exponentially more powerful and harder to defend against due to increased complexity and sophistication.
- Cost: DDoS attacks now cost victims £40,000 per hour, with an average duration of six to 24 hours.
- Ransom: Cyber extortion is now common with DDoS – 46% of DDoS’ed companies admit they received a ransom note.
- Diversion: DDoS is frequently used as a smokescreen for other attacks, like stealing customer data (33%) or implanting viruses and malware (50%).
Effectively combatting the DDoS threat requires a culture shift for many retailers as, until now, they have been heavily focused on point-of-sale malware and online attacks targeting credit card data. In fact, some 33% of all cyberattacks on retailers come from DDoS, making it the most common digital threat the sector currently faces.
While in years past this type of attack was primarily used for pranks and petty mischief, it is now increasingly used by organised cyber-criminals to threaten retailers’ operational and financial security.
When executing a DDoS attack, threat actors set their sights on any organization that relies heavily on its website to generate revenue. This makes retailers ideal targets. Attacks can start with a threat of DDoS action followed by a ransom demand so the threat actor’s success depends on their capabilities and credibility. While the accessibility of off-the-shelf tools to execute DDoS attacks has lowered barriers to entry, low-credibility, low-capability actors do exist.
Here are some key steps retailers should take to protect themselves from the DDoS threat:
- Identifying an Attack:It’s critical to identify a DDoS attack immediately, in order to prevent further damage, reputational loss and secondary attacks. To do this, establish a baseline of what normal network traffic looks like, that way you can quickly detect network traffic anomalies and attribute spikes in traffic to DDoS attacks.
- Establish a DDoS Policy: At a bare minimum, every retailer should have a policy in place for educating staff about DDoS attacks and the various risks they pose, as well as how the company is expected to respond. For example: What will the company do to inform/reassure customers? How will the company deal with ransom requests?
- Preventing Secondary Attacks:To prevent a secondary attack during a DDoS event, avoid key mistakes: don’t overlook alerts issued by your monitoring system; be cautious of any other unusual activity on your network; and be on the lookout for ‘social engineering’ attempts on IT personnel or other company staff, such as phishing emails or phone call scams.
- Cyber Insurance:Retailers should also make sure DDoS incidents are covered by their cyber insurance plans, including costs associated with mitigation attempts, downtime, cyber ransoms, etc.
- Conduct a Simulated DDoS Attack:DDoS “black-box” testing is the only way to test a retail network against a simulated real-world attack. This allows retailers to see exactly how their networks will react to a sophisticated DDoS attack and whether the defenses put in place are sufficient.
- Call in the experts:Every retailer, no matter how big, should have a third-party always-on DDoS mitigation service that will reroute traffic and scrub out illegitimate traffic once an attack begins.
- From Roy Reynolds, Technical Director at Vodat International.