According to a new report from Kaspersky Labs, a significant majority of distributed denial of service attacks are a smokescreen designed to distract IT departments from further attacks intended to plant malware or exfiltrate sensitive data.
Many of the big DDoS attacks we hear about are motivated by a grudge, by political differences, or by a desire to extort money from a company. But the most pernicious use of DDoS attacks is as a distraction. When a company’s networks come under attack, the obvious response is to get all hands on deck to fight the immediate threat. DDoS attacks cost businesses dearly in lost business, and the natural desire is to mitigate them as quickly as possible. However, if the bulk of a company’s resources are deployed to fight denial of service attacks, there’s no one left to combat — or even notice — the sorts of attacks that bring the most financial benefit to attackers.
DDoS attacks of significant data volume are now a standard part of the online criminal’s toolkit. Sophisticated attacks that leverage vulnerable services like NTP, DNS, and BitTorrent to amplify the available bandwidth can knock all but the largest network interfaces offline. With a high-bandwidth DDoS attack, most businesses can be removed from the Internet, crippling their ability to reach customers and generate revenue. Naturally, that makes mitigating DDoS attacks the number one priority for many businesses, but an all-in focus on denial of service mitigation is probably not the best approach.
The Kaspersky report indicated that 20% of companies with more than 50 employees have been the victim of at least one DDoS attack, and that half of all DDoS attacks result in a loss of service. The most revealing figure is that 74% of DDoS attacks that resulted in significant service disruption coincided with further attacks that include malware attacks and network intrusions, among other attack types. 22% of DDoS attacks led to the loss of sensitive data.
The lessons to be learned here are quite clear. DDoS attacks should be considered harbingers of further attacks. Companies that offer online services should be ready for DDoS attacks and have procedures in place to monitor networks for further attacks when evidence of a DDoS becomes apparent.
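One way to put that procedure into practice in a SOC, as an added example that is not from the article or the Kaspersky report: correlate every other security alert against the time window of an active DDoS, so that alerts which would normally sit at low priority are escalated while the flood is under way. The log format, field names and sample alerts are constructed for illustration.

```python
# Added example (not from the article or Kaspersky): correlate other security
# alerts with DDoS windows so they are escalated, not lost. Log format and
# sample alerts below are constructed for illustration.
from datetime import datetime, timedelta

# Constructed sample alerts: "timestamp|source|message"
SAMPLE_LOG = """\
2016-10-01T09:58:10|edr|malware signature matched on host fin-ws-12
2016-10-01T10:00:00|netflow|DDoS start: 40 Gbps UDP/123 flood on edge-1
2016-10-01T10:04:30|ids|SMB login failures from 10.20.30.5
2016-10-01T10:11:05|proxy|3.2 GB outbound transfer to unknown host
2016-10-01T10:25:00|netflow|DDoS end: inbound traffic back to baseline
2016-10-01T11:40:00|ids|SMB login failures from 10.20.30.5
"""

def parse(log):
    """Turn the pipe-delimited lines into dicts with a datetime timestamp."""
    events = []
    for line in log.splitlines():
        ts, source, message = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "message": message})
    return sorted(events, key=lambda e: e["ts"])

def ddos_windows(events, grace=timedelta(minutes=30)):
    """Return (start, end) intervals during which a DDoS was active.
    A grace period keeps the window open after the flood subsides, since
    intrusion activity started under cover of the flood may continue."""
    windows, start = [], None
    for ev in events:
        if ev["message"].startswith("DDoS start"):
            start = ev["ts"]
        elif ev["message"].startswith("DDoS end") and start is not None:
            windows.append((start, ev["ts"] + grace))
            start = None
    if start is not None:  # flood still in progress: window is open-ended
        windows.append((start, datetime.max))
    return windows

def escalate(events, lookback=timedelta(minutes=15)):
    """Flag every non-DDoS alert inside a DDoS window, or shortly before it
    (a short lookback catches activity that preceded the flood)."""
    flagged = []
    for lo, hi in ddos_windows(events):
        for ev in events:
            if not ev["message"].startswith("DDoS") and lo - lookback <= ev["ts"] <= hi:
                flagged.append((ev["ts"].isoformat(), ev["source"], ev["message"]))
    return flagged
```

In the sample, the malware hit, the SMB login failures and the large outbound transfer all fall inside the flood window and are escalated, while the identical SMB alert an hour later is not.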
According to Evgeny Vigovsky, head of Kaspersky DDoS Protection:
“The conclusion is straightforward: although DDoS attacks are highly damaging, businesses should not devote 100% of their resources to remediate them. Instead they should keep an eye on the entire state of corporate security.”
Devoting all available IT staff to mitigate the effects of the denial of service attack might seem the right course of action, but it’s a knee-jerk response that is likely exactly the reaction the attacker is looking for.
Image: Flickr/kevin pack