DDoS attacks increasingly used as diversions for data theft or fraud

Nearly a third of UK businesses report DDoS incidents in 2013

A growing number of the DDoS attacks that hit UK organisations in 2013 were probably diversions designed to distract defenders from attempted data breaches or frauds, a survey and analysis by mitigation firm Neustar has suggested.

Almost one in three of the 331 UK firms surveyed reported they had been victims of DDoS attacks during the period, up from about one in five the year before, with attacks getting longer, somewhat larger and more persistent.

The overwhelming majority of attacks lasted from a few hours to two days, with very long-lived attacks of a week or more falling from 22 percent in 2012 to 9 percent in 2013.

Reflecting greater investment in defence, attacks have grown in size with 60 percent now anything from 1Gbps to 20Gbps or larger. As has been well documented, extremely large attacks of 100Gbps or higher are a new trend although at that size the nuisance value is quickly passed to service providers rather than enterprises.

Overall, the rise of DDoS is turning into a significant cost of business, consuming staff resources; 32 percent of UK businesses now estimate that they lose about £10,000 ($16,500) for every hour of an attack, equivalent to a quarter of a million pounds per day.

As bad as DDoS attacks have become in the UK, they are still less common than in the US, with Neustar's figures showing that nearly twice as many firms there reported experiencing them.

The important but hard-to-assess question is what is driving the rise in DDoS across the UK, US and elsewhere. Attackers don't always flag their motivations, which could range from straight extortion and hacktivism to the actions of a competitor and, more rarely, a politically motivated attack by a foreign state.

Neustar's analysis shows that a growing explanation is 'smokescreening', that is, using a DDoS to occupy defenders while a data breach is attempted. This can take a number of forms depending on the sector, with an example from the banking industry being a DDoS against infrastructure that coincides with an attempt to drain customer accounts through ATMs.

According to Neustar's market manager Susan Warner, a tell-tale sign that a DDoS might have had a diversionary intention is simply that enterprises can't understand why they were attacked in the first place.

"A lot of times, firms don't make the connection," she says. If an enterprise can't understand why it was attacked (no extortion demand or hacktivist message was received, for example), the possibility of attempted data theft "is probably a good place to start."

Globally, just over half of those reporting an attack said that it had coincided with the arrival of malware, 19 percent were aware of customer data theft, 14 percent financial theft, and 9 percent loss of IP. Neustar doesn't break these numbers down by country but a similar breakdown would almost certainly apply to the UK too.

As in the firm's 2012 survey, most organisations rely on firewalls to protect themselves, with only a minority deploying either a DDoS mitigation appliance or some kind of service equivalent; 12 percent said they had no specific DDoS protection in place.

Gradually, regulators are bearing down on this passive approach, with the Federal Financial Institutions Examination Council (FFIEC) in the US requiring banks to put in place response plans to cope with this kind of attack.

What does a DDoS attack look like? Watch Neustar's YouTube visualisation.
