DDoS attacks: a perfect smoke screen for APTs and silent data breaches
Growing DDoS attacks more and more frequently try to distract incident response teams in order to hide much bigger security incidents.
At the beginning of the year, Forbes mentioned a trend of growing DDoS attacks all over the world. During this year, many security companies have announced a significant increase of DDoS attacks, highlighting growth of their diversity, complexity and quantity. The main resources, usually targeted by the attackers, are web applications or websites.
A recent Verizon report says there were 34 percent more DDoS attacks in the first half of 2015 than in the first half of 2014, while average DDoS attack size increased 52 percent. SC Magazine has recently covered a relatively new trend of DDoS extortion attacks. The main victims of DDoS blackmail are banks and financial institutions that own business-critical banking and trading web platforms, downtime of which is very expensive for the victims.
However, in some cases a DDoS attack is just a smoke screen to distract IT security team and cover up a much bigger incident. A couple of weeks ago this question was highlighted by Kaspersky’s research. Let’s examine in detail why DDoS attacks become a reliable companion for Advanced Persistent Threats (APT) these days.
Robert Metcalf, a cybersecurity expert at PwC Switzerland, says: “In our professional experience of looking at recent cyber-attacks, DDoS and DoS are often a prelude to other attacks and minimizing the time to detect and respond is critical."
It’s important to understand that classic DDoS attacks, aiming to make a web resource unavailable for a period of time, are rarely used by professional Black Hats in isolation from other attacks. The main objective of DDoS attack is to harm a competitor or force a victim to pay the ransom. A couple of days of downtime is insufficient to achieve any of these goals, simply because such a short downtime is not enough to seriously harm a company, except if it’s a popular online trader or retailer.
Moreover, stable downtime of a major e-commerce player will cost the attackers quite a lot even for a two-day period: large businesses usually have well protected infrastructure in the cloud with all sorts of DDoS-protection mechanisms, and require very powerful and thus expensive botnets. Furthermore, after large-scale attacks against major US or European companies, law enforcement agencies and cybersecurity companies usually join their forces to track and shutdown the botnet(s) used for the attack, amortizing botnet value much quicker than expected by the cybercriminals.
Therefore, if cybercriminals really want to harm victim’s business, they would be better to use RansomWeb attacks. Since then various companies, including IBM and PwC, mentioned RansomWeb attacks in their research.
Similar to classic DDoS attacks, RansomWeb attacks affect the availability of victim’s resources, making them inaccessible. However, different to DDoS, RansomWeb can last forever at no additional cost for the attackers, and therefore cause much more serious damage and financial losses to their victims.
The cherry on the cake comes from a Verizon report saying that 99.9 percent of exploited vulnerabilities in 2014 were disclosed and given a CVE number more than a year prior, highlighting how easily a company can be hacked using public vulnerabilities, not even mentioning zero-days. As you can see, sophisticated hacking groups would rather compromise their victim first and then use RansomWeb tactics. Yes, RansomWeb vector has some limits and is not applicable for some types of systems, but usually it's not a problem to find a vulnerable web application suitable for it.
This is why professional Black Hats tend to use DDoS attacks not as a main attack vector, but rather as a smoke screen to hide more serious data breaches. Black Hats have a good understanding of their victims’ cybersecurity and incident response teams: cases when ex-White Hats become Black Hats occur more frequently and will probably continue growing.
Usually, when a company is hit by a DDoS attack, all employees including top management are aware of it, as it impacts almost all the stakeholders on all levels. IT and IT security teams will probably spend days and nights in the office remediating the attack with their ISPs anti-DDoS vendors. While this chaos is happening, who will keep an eye on web security alerts and incidents? Quite probably nobody.
Companies all over the world continue cutting operational costs, and usually the same group of IT experts is in charge of everything related to security: from entry badges to PCI compliance and DDoS attacks. Such an atmosphere is a great gift for hackers: professional cyber mercenaries prefer that their victim will never ever be aware of the data breach and thus not perform any legal investigation or forensics. A sort of security [for hackers] through obscurity – yes, cybercriminals are also familiar with the content of CISSP and CISA certifications.
Today almost every company struggles with false-positive in their SIEMs. So who will worry about one more web security incident ticket or email alert when corporate PBX has just crashed unable to handle a tsunami of calls from angry customers who cannot check-out their orders?
Who will bother to review these tickets in two to three days when the DDoS attack will finally be mitigated? Exhausted and angry infosec folks will rather go home and sleep after crazy nights spent in the office.
In addition to human factors, many companies use log rotation configured in such a manner that old logs are replaced by recent ones. Usually raw logs for non-critical processes (e.g. web application visitors and their HTTP requests) are stored for a three to six month period to save disk space. A DDoS attack can overwrite the same volume of log data in several days, deleting all previous records that quite probably contain information about a sophisticated data breach. Who will bother to recover the logs? Probably nobody, as everyone will already be fed up with the DDoS mess.
Of course, sometimes a DDoS attack can be very cheap and simple to launch. If a victim’s web application has SQL injections or application logic vulnerabilities that attackers can use to exhaust web infrastructure's CPU and RAM resources with just a dozen of HTTP requests, then DoS becomes a pretty interesting vector of attack. The problem is that usually it’s pretty easy to discover a security vulnerability leveraged by the attackers, and such DoS cannot last for a while.
However, make sure that your website is secure, otherwise the consequences of even the simplest DoS attack may be quite expensive.
DDoS attacks are not so unambiguous and obvious as they may seem at a first glance. Therefore, make sure that you clearly understand the motives behind a DDoS attack and its real purpose, otherwise hackers will silently do more than you think.