Why Australian retailers need to brace themselves for attacks ahead of a busy Christmas period

Author: Nick Race, Country Manager, Arbor Networks

As 2015 draws to a close and we enter the busiest time of year for retailers, the number of DDoS attacks continues to rise. Australian retailers of all shapes and sizes now face the difficult challenge of protecting themselves in a threat-filled world, and of not becoming just another company to fall foul of the attackers going into 2016.

What is the real threat?

There has been a marked increase in attack size, which is particularly concerning because many retail businesses have Internet connectivity at or below the 1Gbps level, so there are now many more attacks out there that are capable of saturating their connectivity. This really illustrates the kind of impact these attacks can have on retailers that are reliant on the Internet to sell their products and services.

The most prominent trend is that the proportion of attacks in Australia of over 1Gbps is growing. According to Arbor's ATLAS threat monitoring system, the peak attack size for Australia in Q2 was a 196Gbps UDP flood, a large but no longer uncommon attack size. Of most concern to retail businesses is the growth in the average attack size: in Q2, 21% of all attacks on Australian targets topped 1Gbps, and in Q3, 16% of attacks on Australian organisations were larger than 2Gbps.

This spike in attack size is especially obvious in large and complex reflection amplification attacks, one of the key ways attacks are being launched. In a reflection amplification attack the attacker sends small requests, with the victim's address forged as the source, to open Internet services such as DNS or NTP servers; those services send their much larger responses to the victim, magnifying the amount of traffic generated many times over. The average size of reflection amplification attacks increased pretty much across the board in 2015, and the largest reflection attack in Australia in Q3 was 33Gbps, targeted at port 80.

How & why should retailers protect themselves from attacks?

Quite simply, layered DDoS defence is the key to overcoming the attackers. The increasing size and frequency of volumetric attacks that can saturate Internet connectivity clearly shows the need for cloud and ISP-based DDoS protection services that can deal with these higher magnitude attacks: once the upstream link is full, nothing behind it can help, so the traffic has to be absorbed before it reaches the retailer's connection. However, the stealthier, more sophisticated application layer attacks haven't gone away.

We are definitely seeing application layer attacks on larger organisations on the rise. These attacks can lead to longer recovery times than volumetric attacks and can be harder to detect from the cloud and ISP perspective, because they use little bandwidth and can look like legitimate requests to an upstream provider that mainly sees volume. That is what makes 'always-on', proactive network perimeter DDoS protection so important.

These two layers of protection, cloud or ISP-based mitigation for volumetric floods and on-premise network perimeter defence for application layer attacks, work together to protect the availability of key web services from the DDoS threat and reduce the risk of costly business interruption. They should be a key consideration for any retail business wanting to ensure its digital services are not interrupted during the crucial pre- or even post-Christmas sales periods.
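As an added illustration of the two attack classes contrasted above (the reflection amplification floods described earlier and the low-volume application layer attacks that an upstream provider struggles to see), here is a toy classifier over one-second flow summaries. It is example code written for this page, not Arbor's or ATLAS's detection logic; the thresholds, reflector port list, sample flows and IP addresses are all constructed assumptions.

```python
"""Toy flow-record classifier for the two DDoS classes the article contrasts:
volumetric reflection/amplification floods and low-volume application-layer
floods. Added illustration with constructed data, not Arbor ATLAS output."""
from collections import defaultdict

# UDP services commonly abused as reflectors; at the victim the reflector's
# service port appears as the *source* port of the flood.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen",
                   161: "SNMP", 11211: "memcached"}
WEB_PORTS = {80, 443}


def classify_target(flows, dst_ip, link_bps=1_000_000_000, window_s=1.0):
    """Summarise one window of flow records (dicts with src_ip, src_port,
    dst_ip, dst_port, proto, packets, bytes) for one destination and apply
    simple heuristics. Thresholds are illustrative assumptions, not tuned."""
    total_bytes = total_packets = 0
    reflector_bytes = web_tcp_bytes = 0
    reflector_sources = defaultdict(set)   # reflector port -> reflecting IPs
    pkts_per_src = defaultdict(int)
    for f in flows:
        if f["dst_ip"] != dst_ip:
            continue
        total_bytes += f["bytes"]
        total_packets += f["packets"]
        pkts_per_src[f["src_ip"]] += f["packets"]
        if f["proto"] == "udp" and f["src_port"] in REFLECTOR_PORTS:
            reflector_bytes += f["bytes"]
            reflector_sources[f["src_port"]].add(f["src_ip"])
        elif f["proto"] == "tcp" and f["dst_port"] in WEB_PORTS:
            web_tcp_bytes += f["bytes"]
    bps = total_bytes * 8 / window_s
    avg_pkt = total_bytes / total_packets if total_packets else 0.0
    reflector_share = reflector_bytes / total_bytes if total_bytes else 0.0
    web_share = web_tcp_bytes / total_bytes if total_bytes else 0.0
    distinct_reflectors = sum(len(s) for s in reflector_sources.values())
    max_pps = max(pkts_per_src.values(), default=0) / window_s
    # Reflection flood: most bytes arrive from many reflector service ports
    # in large packets (the amplified responses).
    is_reflection = (reflector_share >= 0.8 and distinct_reflectors >= 50
                     and avg_pkt >= 500)
    # Application-layer flood: bytes are modest, packets are small requests
    # to web ports, and individual sources send far more than a browser would.
    is_app_layer = (not is_reflection and web_share >= 0.8
                    and avg_pkt < 200 and max_pps >= 100)
    return {
        "bps": bps,
        "saturates_link": bps >= link_bps,
        "reflection_amplification": is_reflection,
        "reflector_services": sorted(REFLECTOR_PORTS[p] for p in reflector_sources),
        "application_layer_suspect": is_app_layer,
        "max_pps_per_source": max_pps,
    }


def reflection_sample(victim="203.0.113.10"):
    """Constructed: 200 open DNS resolvers each returning 500 amplified
    1300-byte responses per second towards the victim (about 1.04 Gbps)."""
    return [{"src_ip": f"198.51.{i // 250}.{i % 250 + 1}", "src_port": 53,
             "dst_ip": victim, "dst_port": 40000 + i, "proto": "udp",
             "packets": 500, "bytes": 500 * 1300} for i in range(200)]


def app_layer_sample(victim="203.0.113.10"):
    """Constructed: 20 bots each sending 400 small HTTPS requests per second,
    about 7.7 Mbps in total, far below any link-saturation threshold."""
    return [{"src_ip": f"192.0.2.{i + 1}", "src_port": 50000 + i,
             "dst_ip": victim, "dst_port": 443, "proto": "tcp",
             "packets": 400, "bytes": 400 * 120} for i in range(20)]


if __name__ == "__main__":
    for name, sample in (("reflection", reflection_sample()),
                         ("app-layer", app_layer_sample())):
        print(name, classify_target(sample, "203.0.113.10"))
```

Run as a script it prints two verdicts. The DNS reflection sample saturates a 1Gbps link and is flagged as reflection amplification on the strength of source port 53, 200 distinct reflectors and 1300-byte packets. The HTTPS request flood comes in at under 8Mbps and would never trip a bandwidth threshold; only the per-source request rate gives it away, which is the kind of signal a perimeter device sees and a volume-only upstream view does not.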

Extortion is a key trend

Extortion, one of the oldest DDoS motivations, is sadly becoming more prevalent: we have seen significant growth in this area in the past year, some of it well publicised given the DD4BC activity. This activity started back in July 2014 and is continuing in Australia and New Zealand currently, with extortion attempts targeting organisations mainly in the finance and retail sectors. There have been some fairly well publicised cases, in New Zealand particularly, where Arbor worked with Vodafone New Zealand to help protect a leading retailer after an extortion attempt.

The other trend to be aware of is the increasing use of DDoS as part of broader attack campaigns, usually to distract security teams from either malware infiltration or data exfiltration. If an organisation is targeted with a DDoS attack, it must be careful not to lose focus on monitoring its internal networks, as the DDoS attack may simply be a smokescreen for something potentially far more damaging.

Sharing threat intelligence really helps in the fight against the attackers, as information from other organisations in the same vertical or geography is often directly relevant to the risks a retailer faces. One key thing to remember is that attackers often share capabilities with each other and make use of their collective capability; Australian retailers need to do the same, and they can do so anonymously.

Why is retail under increased threat?

One of the key differences between the finance and retail verticals in Australia is the steps taken to deal with threats: whether organisations share threat intelligence with others in the same vertical or with government agencies, and how quickly they react to an attack. The finance and banking sector in particular is fairly advanced when it comes to responding to attacks and sharing threat intelligence in this region; the retail sector, however, is way behind and is leaving itself exposed to attackers.

Retail organisations need to look at the benefits that can come from sharing threat intelligence; sometimes they are too concerned about ‘helping the competition’ – but the key thing to remember is that sharing intelligence is usually a reciprocal arrangement, and the right information could prevent a hugely embarrassing and costly breach for all parties.

What retailers should look out for in 2016?

There is no doubt that we will continue to see a lot of reflection amplification DDoS attack activity throughout 2016. The latent amplification capability within the Internet, the pool of open reflectors that attackers are more than willing to exploit, still exists, so it wouldn't be surprising to see an attack of around 500Gbps, higher than any attack recorded so far, in the not too distant future.

We will continue to see more of the high-profile breaches we've seen in retail over the last year in this region. It is also likely that we'll become aware of many smaller organisations falling victim to data theft. Many retailers hold data that is either directly or indirectly valuable to attackers, and at the moment the value of that data is significantly higher than the cost to the attacker of extracting it.

Australian retail organisations need to shift their approach, and fast: they should leverage the data they already have more effectively, share intelligence more quickly and usefully, and fundamentally make better use of their existing security resources.
