Strikes Motivated by Hacktivism, Extortion Expected to Rise
Distributed denial-of-service attacks are growing in volume and frequency, striking a wide variety of industries and businesses. But many organizations remain ill-prepared to mitigate DDoS risks.
While DDoS attacks were once deemed primarily a nuisance, experts now say they're becoming a routine strategy cybercriminals use as part of a campaign to commit fraud or extortion.
DDoS Attacks Growing
DDoS mitigation provider Akamai points out in its December state of Internet security report that the largest DDoS attack measured during the second quarter of 2015 came in at more than 240 gigabytes per second and lasted more than 13 hours.
That's a significant change from the attacks waged against banks three years ago by the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which averaged between 60 and 65 gigabytes per second.
Because DDoS attacks are so much easier to wage today than they were five years ago, any company could be a target, Arbor Networks warns in a December 2015 report it published about DDoS threats.
"Amplification- or reflection-type DDoS attacks, leveraging a variety of protocols, continue to be popular among malicious actors, a trend we anticipate will continue through 2016," says John Miller, who heads up cyber-intelligence at the information security firm iSIGHT Partners.
"Over the past couple years, we have observed sustained innovation and development in this area, such as identification of new attack opportunities and development of increasingly sophisticated tools. ... Amplification attacks' popularization has involved a move away from the traditional, Windows malware botnet model for DDoS infrastructure, to broader use of server-based DDoS tactics."
In addition to the increased speed and intensity of attacks, experts say the following four DDoS trends will be top concerns in 2016:
- Attacks waged by hacktivist groups, such as Anonymous, will become more common.
- Extortion attacks, such as those waged by DD4BC, will pose significant threats.
- Some attackers will exploit Internet-connected devices to wage their attacks.
- The cost of recovering from a DDoS attack will continue to increase.
It has been nearly four years now since the start of a campaign of high-profile DDoS attacks against U.S. banking institutions - attacks that many observers felt were politically motivated and carried out by threat actors who became known as hacktivists (see DDoS Attacks: Worst Yet to Come?). The bank attacks receded from the spotlight in 2013, but hacktivism is alive and well, observers say.
"Hacktivism will make a comeback [in 2016], versus the percentage of criminal activity," says Dale Meyerrose, a consultant and retired U.S. Air Force General.
"I also believe that almost every major campaign that seeks to compromise an organization for hacktivism or other criminal reasons has a DDoS component," he says. "Most campaigns have three to five attack threads, one of which almost always includes a DDoS component."
But attacks waged for extortion also are becoming pervasive (see Experts: DDoS, Extortion Fuel New Attacks on Banks and Greek Banks Face DDoS Shakedown).
Avivah Litan, an analyst at the consultancy Gartner, says DD4BC and its copycats remain very active.
"Extortion is a big game changer in the cyberthreat landscape," she says. "It was in 2015 and will only grow in 2016."
Litan says the extortion phenomenon is expanding across all sectors, not just banking.
And iSIGHT Partners' Miller notes: "Criminals have performed extortive DDoS attacks for years, particularly against organizations with little recourse to law enforcement assistance, due to nebulous legal status or location in areas challenged by significant government corruption. However, the DD4BC operation during 2014 and 2015 differentiated itself from concurrent activity, in that it targeted prominent Western corporations for an extended time and drew extensive public attention. We continue to see the ripple effects of this group's actions that increased others' interest in DD4BC's tactics."
In November, the Federal Financial Institutions Examination Council issued an alert about extortion attacks linked to DDoS (see FFIEC Issues Extortion Attack Alert).
The alert apparently was issued because of DD4BC, which has been targeting online casinos, banking institutions and others with DDoS attacks that disrupt online services until a ransom is paid. Authorities still don't know - or at least haven't made public - who is behind DD4BC.
Exploiting the vast number of Internet-connected devices will be a focus for many hackers waging DDoS attacks this year, predicts Carl Herberger, vice president of security for DDoS-mitigation and security firm Radware.
"There are so many more Internet-connected devices that can be used to wage attacks, and this is fueling concern," he says. "Volumetric attacks are the biggest growth area because of the Internet of Things. I can use these things against you and you have very few good ways of controlling the muzzle of that attack, like if Grandma's thermostat is attacking you. There's not much you can do."
Most businesses are ill-prepared for DDoS attacks, which is why it costs them so much to recover, Meyerrose says.
The cost of recovering from a DDoS attack can be more than $50,000 for small businesses, he notes, quoting data from security firm Kaspersky Labs. That cost includes business lost to downtime and technology expenses and investments associated with site recovery.
DDoS Defense Checklist
So what can be done to defend against the growing DDoS threat?
"My main strategy for defense would be making sure I could quickly detect and block all types of DDoS attacks, e.g. application or network layer, and be able to quickly redirect my users to a backup duplicate, albeit streamlined, site to keep my business running without interruption," Litan says.
Experts also recommend:
- Incorporate all aspects of potential risk, including DDoS, in corporate security strategies.
- Use continual monitoring to determine whether attackers have entered the network.
- When an attack is discovered, monitor it and allow it to run long enough that attack data can be captured and shared.
- Use a secured and managed Domain Name System that allows for seamless change of Internet protocols, when needed.
- Identify a trusted security intelligence provider that can share information about infected and suspicious IP addresses.
- Have mechanisms in place to detect bots that use advanced techniques at the application layer.
- Patch software vulnerabilities in Web-facing systems to limit the potential for application-layer attacks.
- Properly configure Web-facing systems that may handle large amounts of traffic to ensure that they do not fail during a DDoS attack.
- Consider the use of a DDoS mitigation provider when dealing with high-volume attacks.
- Identify all Web-facing applications and ensure each is properly protected.
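An added illustration of the continual-monitoring and application-layer bot detection items in the checklist above (example code written for this page, not from the article or any of the firms it quotes): a sliding-window request-rate check over constructed web-server access log lines. The log format, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample traffic (not real data): one client bursts 30 requests to
# /login inside six seconds, another browses normally, and one line is malformed.
_START = datetime(2016, 1, 12, 10, 0, 0, tzinfo=timezone.utc)

def _log_line(ip, offset_s, path, status=200):
    ts = (_START + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = (
    [_log_line("203.0.113.7", i * 0.2, "/login", 401) for i in range(30)]
    + [_log_line("198.51.100.4", i * 12, "/") for i in range(5)]
    + ["garbage line that should be skipped"]
)

# Common log format (assumed): ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def flag_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Sliding-window request counter: return {ip: peak requests seen inside any
    window} for every source whose peak meets the threshold. Malformed lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])          # log lines are not always in time order
    recent, peak = defaultdict(deque), defaultdict(int)
    for ip, ts, _path, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:            # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests inside a 10 s window")
```

In practice the threshold would be tuned per endpoint from baseline traffic, and flagged sources fed to the blocking or mitigation-provider step rather than acted on blindly.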
iSIGHT Partners' Miller also recommends that organizations designate employees responsible for handling DDoS attacks who are not also responsible for dealing with fraud.
"Attackers performing DDoS attacks for diversionary purposes have often assumed that organizations will be unable to effectively deal with simultaneous fraud attempts because the same employees are responsible for dealing with both issues," he says.