Despite ransomware stealing the headlines, CISOs must still pay attention to more traditional – and evolving – distributed denial-of-service (DDoS) attacks, writes Steven Mansfield-Devine
Russia’s war against Ukraine has highlighted that DDoS – attempts to overwhelm a service with traffic from many sources at once – remains a potent weapon.
According to a new report by Kaspersky, “a significant part of all DDoS-related news concerned these countries”, with notable attacks against targets – predominantly websites – on both sides.
However, DDoS continues to be a growing menace for organisations everywhere. Comcast has just released figures showing that its customers suffered 9.84 million attacks in 2021.
“DDoS attacks are still a major threat to organisations,” comments Kennet Harpsøe, senior cyber analyst at Logpoint. “They are easy and cheap to deploy.”
Holding you to ransom
DDoS attacks have long been associated with extortion, but today there are multiple motivations, which means that any kind of organisation can find itself targeted.
“Around a third of attacks are driven by extortion, so while considerable it’s not the only factor,” says Phil Robinson, principal consultant at Prism Infosec. “When it comes to ransom-based DDoS attacks, attackers will look for a middle ground of organisations that may not have the most mature infrastructure but have enough money to make it likely they will pay off the attacker.”
The tactics, techniques and procedures (TTPs) continue to evolve. For example, Harpsøe says he has noted an increase in attacks against application servers.
“The cost-benefit is higher because computers need to work harder to reject a request on the application layer than on the network layer,” he explains. “Protection against these types of attacks differs from other DDoS attacks. Content Delivery Networks (CDN) can deliver the bandwidth and capacity to mitigate the risk.”
As to severity, things are not getting any better. DDoS attacks can be measured in several ways: F5’s Silverline team says the number of attacks declined in 2021, but their size and complexity grew significantly, with the largest attack the company mitigated that year – at just under 1.4Tbps – more than five times bigger than the record incident of the previous year.
Criminals have a number of tools at their disposal and will use whichever ones work. There is no clear distinction between criminal groups using ransomware and those launching DDoS attacks.
Indeed, according to Europol’s Internet Organised Crime Threat Assessment (IOCTA), groups – including Avaddon, DarkSide, Ragnar Locker and Sodinokibi – are increasingly exploiting DDoS attacks as a way of pressuring ransomware victims to pay up.
And if you want a sign that DDoS is a threat you should take seriously, the IOCTA report notes that dark web marketplaces have put significant effort into protecting themselves against DDoS.
This isn’t to suggest that organisations have been standing still while the DDoS threat has been developing.
“Executing DDoS attacks is more difficult today than it used to be,” Harpsøe points out. “Internet Service Providers (ISPs) noticed the problem long ago and have implemented technology to mitigate the problem.”
In addition to turning to ISPs for help, he says: “Organisations can be proactive. DDoS attacks tend to happen in waves, so with a comprehensive SIEM solution in place, organisations can detect initial signs of DDoS activity and liaise with their ISP before the attack escalates.”
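As an added illustration of the two points Harpsøe makes above – that application-layer floods are cheap for the attacker and expensive for the target, and that DDoS tends to arrive in waves a SIEM can spot early – the following Python script is an example written for this article, not code from the author, Logpoint or any vendor. It parses web-server access-log lines in the common "combined" format, counts requests per fixed time window, learns a baseline from the first few (assumed quiet) windows and raises an alert for any later window whose request count exceeds that baseline by a configurable multiple, reporting how many distinct sources were involved and which endpoint they hammered. The log lines, IP addresses (documentation ranges), window size and threshold are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Nginx/Apache "combined" access-log layout; the sample lines are constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        # strip the query string so /search?q=1 and /search?q=2 count as one endpoint
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_waves(lines, window_s=10, baseline_windows=3, factor=5.0):
    """Flag windows whose request count is >= factor x the mean of the first
    baseline_windows windows. Parameters are assumed values for the example."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp()) // window_s].append(e)
    keys = sorted(buckets)
    base = [len(buckets[k]) for k in keys[:baseline_windows]]
    if not base:
        return []  # nothing parsed, so no baseline to compare against
    baseline = sum(base) / len(base)
    alerts = []
    for k in keys[baseline_windows:]:
        evs = buckets[k]
        multiple = len(evs) / baseline if baseline else float("inf")
        if multiple >= factor:
            sources = Counter(e["ip"] for e in evs)
            paths = Counter(e["path"] for e in evs)
            alerts.append({
                "window_start": datetime.fromtimestamp(k * window_s, tz=timezone.utc),
                "requests": len(evs),
                "multiple": round(multiple, 1),
                "distinct_sources": len(sources),
                "top_path": paths.most_common(1)[0][0],
            })
    return alerts


# --- constructed sample log: a quiet baseline, then two escalating waves ---
BASE = datetime(2022, 6, 10, 10, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, path, status=200):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


def constructed_log():
    lines = []
    # background: 4 requests per 10 s window from two legitimate addresses
    for off in range(0, 60, 10):
        for i in range(4):
            lines.append(make_line(f"198.51.100.{i % 2 + 1}", off + i, "/"))
    # first wave at t=30 s: 60 hits on an expensive search endpoint from 20 sources
    for i in range(60):
        lines.append(make_line(f"203.0.113.{i % 20 + 1}", 30 + i % 10, f"/search?q={i}"))
    # second, larger wave at t=50 s: 120 hits from 40 sources, server now returning 503
    for i in range(120):
        lines.append(make_line(f"203.0.113.{i % 40 + 1}", 50 + i % 10, f"/search?q={i}", 503))
    return lines


if __name__ == "__main__":
    for a in detect_waves(constructed_log()):
        print(f'{a["window_start"]:%H:%M:%S} {a["requests"]} req '
              f'({a["multiple"]}x baseline) from {a["distinct_sources"]} sources -> {a["top_path"]}')
```

The two alerts it produces (a 16x and then a 31x spike, each spread across many source addresses and concentrated on one search endpoint) are exactly the early signal the quote describes: a rate jump plus a widening source set is worth a call to the ISP or CDN before the next, larger wave arrives. In production the baseline would come from a longer history rather than the first three windows, and the same logic can be run per endpoint so that a flood aimed at one expensive handler is not diluted by normal traffic elsewhere.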
Robinson points out that having a response plan is key to surviving a DDoS attack.
“It’s important that organisations know what their possible attack paths are,” he says. “Companies should at a minimum be performing thorough vulnerability assessments of their networks to assess for these dangers.”