How Smoke Screen Cyber-Attacks Are Being Used in Data Breaches

2015 was a landmark year for data exfiltration. You may be familiar with many of the data breaches covered in the media this year, including the United States IRS, several major health care providers, Ashley Madison, and most recently the personal data of children and parents exposed in the VTech breach. Just last week, retailer Target agreed to settle with several banks for $39 million over its 2013 data breach.

Smoke screen attacks are an interesting technique that is common in data exfiltration. As the name suggests, these are attacks on the network designed specifically to misdirect security personnel away from the real threat, which is the data exfiltration itself. By distracting the security team and overloading defenses with activity in other parts of the network, attackers hope to slip the stolen data past the protections that are in place.

How it Works

Security personnel typically monitor the network using tools that generate alerts when there is an anomaly. When configured to do so, changes in bandwidth usage, latency, availability, and responsiveness will all send alerts to the Network or Security Operations Center (NOC or SOC). It is that team's job to begin investigating those events, and one of the first places to look is the event logs. It is best practice to have network appliances like routers, firewalls, and IPSs send their logs to a central collector, which allows for better correlation between network events, so tools like this make sense as the first place to look.

That is exactly what smoke screen attackers are hoping for. By attacking a network on multiple fronts, the attacker hopes to create confusion and misdirection. Knowing that security personnel will check the traditional tools, attackers attempt to overwhelm them with irrelevant traffic, slowing down unrelated applications or filling logs with irrelevant data. Doing so makes identifying the unique events that matter more difficult.

What Can You Do?

If you notice an attack, you must be mindful of its intent. Was it designed to disrupt your network, and your infrastructure simply handled it? Was it a decoy? Check your logs, and once you have ruled out a vector, filter it out so that what remains is easier to read. Check your other assets, or collaborate with other departments in your organization, to ensure that nothing else looks wrong.
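The triage described above (rule out the flood vector, filter it out of the central log, then look at what is left) can be illustrated with a small script. This is an added example, not Radware's code or tooling; the log line format, the hosts (RFC 5737 documentation addresses) and the thresholds are all constructed for the demonstration.

```python
from collections import Counter, namedtuple

# Hypothetical collector line: time src dst dport bytes_out action
Event = namedtuple("Event", "ts src dst dport bytes_out action")

def parse_line(line):
    """Parse one whitespace-separated line in the constructed collector format."""
    ts, src, dst, dport, nbytes, action = line.split()
    return Event(ts, src, dst, int(dport), int(nbytes), action)

def build_sample_logs():
    """Constructed sample: a flood against the web tier plus a few other events,
    including one large outbound transfer that the noise is meant to bury."""
    lines = [f"10:00:{i % 60:02d} 203.0.113.{i % 250 + 1} 192.0.2.10 80 60 deny"
             for i in range(400)]
    lines += [
        "10:00:05 192.0.2.21 192.0.2.30 3306 1200 allow",        # app -> db, routine
        "10:00:09 192.0.2.21 192.0.2.30 3306 900 allow",
        "10:00:17 192.0.2.50 198.51.100.7 443 250000000 allow",  # bulk outbound flow
    ]
    return lines

def flood_vectors(events, share=0.5):
    """(dst, dport) pairs that account for more than `share` of all events:
    the candidate smoke-screen vectors an analyst would triage first."""
    counts = Counter((e.dst, e.dport) for e in events)
    return {key for key, n in counts.items() if n / len(events) > share}

def suppress(events, vectors):
    """Drop events that belong to vectors already ruled out."""
    return [e for e in events if (e.dst, e.dport) not in vectors]

def exfil_candidates(events, byte_threshold=50_000_000):
    """Flag allowed flows whose byte count dwarfs the rest; these are the
    unique events that the flood was meant to hide in the logs."""
    return [e for e in events if e.action == "allow" and e.bytes_out >= byte_threshold]

def triage(lines):
    """Full pass: identify the flood, filter it, report what deserves review."""
    events = [parse_line(line) for line in lines]
    vectors = flood_vectors(events)
    residual = suppress(events, vectors)
    return vectors, residual, exfil_candidates(residual)

if __name__ == "__main__":
    vectors, residual, flagged = triage(build_sample_logs())
    print("flood vectors ruled out:", vectors)
    print("events left to review:", len(residual))
    for e in flagged:
        print("review:", e)
```

With the flood filtered out, only three events remain and the single large outbound flow stands out immediately; in a real collector the same idea applies with per-vector suppression rules and a byte threshold tuned to your baseline.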

The best way to assess and mitigate a smoke screen attack is with a Web Application Firewall (WAF), which can help prevent data theft and the manipulation of sensitive corporate data while also protecting customer information. By combining this with an on-premises detection and behavioral analysis device, you can mitigate smoke screen attacks while protecting customer data at the same time.

It is absolutely critical that organizations protect consumer data. Security professionals need to leverage all of the tools available to protect the integrity of this data. At Radware, we feel that layered security is the best way to do this. Web Application Firewalls can protect your websites and databases. DDoS mitigation appliances can protect you from the smoke screens. Firewalls and a strong perimeter can secure access. Make use of the tools and forensic data that you have available. And finally, remember that things are not always what they seem: a smoke screen attack might be the real intent behind the obvious network events you are seeing.

Cyber-attacks are complex and dynamic challenges for anyone responsible for cyber security.


Ron Winward

As a Security Evangelist at Radware, Mr. Winward is responsible for developing, managing, and increasing the company’s security business in North America. Ron’s entire career has been deeply rooted in internet and cybersecurity. For over 20 years, Ron has helped design complex solutions for carriers, enterprises, and cybersecurity providers around the world. Ron is an industry-recognized expert in the Mirai IoT botnet and its modern variants. Ron conducted the industry’s first complete analysis of the Mirai attack vectors, producing forensic examples for public distribution of each attack and the specific impact each attack had on networks. His work on IoT attack analysis has been presented at conferences worldwide and has been referenced by NIST. Prior to joining Radware, Ron was Director of Network Engineering for a global datacenter provider and ISP. In this role, Ron oversaw the growth and development of a global network infrastructure that delivered services to other ISPs, hosting providers, and enterprises around the world. During this time, Ron assisted some of the world’s top businesses in mitigating cyberattacks on their infrastructure, cultivating an extensive knowledge in DDoS attack methodologies. Ron holds a Bachelor of Science degree in Business and has earned many technical certifications throughout his engineering-focused career. Ron acutely understands the impact of technology and security on business and is enthusiastic about their interrelation.
