As 2015 draws to a close and we enter the busiest time of year for retailers, the number of DDoS attacks continues to rise, and now Australian retailers of all shapes and sizes are faced with the difficult challenge of protecting themselves in a threat-filled world and not becoming just another company to fall foul of the attackers going into 2016.
What is the real threat?
There has been a marked increase in attack size, which is particularly concerning because many retail businesses have Internet connectivity at or below the 1Gbps level, so there are now many more attacks out there that are capable of saturating their connectivity. This illustrates the kind of impact these attacks can have on retailers that rely on the Internet to sell their products and services.
The most prominent trend is that the proportion of attacks in Australia of over 1Gbps is growing; according to Arbor’s ATLAS threat monitoring system, the peak attack size for Australia in Q2 was a 196GB/sec UDP flood, a large but no longer uncommon attack size. Of most concern to retail businesses is the growth in the average attack size. In Q2, 21% of all attacks on Australian targets topped 1Gbps, and in Q3, 16% of attacks on Australian organisations were actually larger than 2Gbps.
This spike in attack size is especially obvious in large and complex reflection amplification attacks, a technique used to magnify the amount of Internet traffic generated and one of the key ways attacks are being launched. The average size of a reflection amplification attack increased pretty much across the board in 2015, and the largest reflection attack in Australia in Q3 was 33Gbps targeted at port 80.
How & why should retailers protect themselves from attacks?
Quite simply, layered DDoS defence is the key to overcoming the attackers. The increasing size and frequency of volumetric attacks that can saturate Internet connectivity clearly shows the need for cloud and ISP-based DDoS protection services that can deal with these higher magnitude attacks. However, the stealthier, sophisticated application layer attacks haven’t gone away.
We are definitely seeing application layer attacks on larger organisations on the rise. These attacks can lead to longer recovery times than volumetric attacks and can be harder to detect from the cloud and ISP perspective, making ‘always-on’ proactive network perimeter DDoS protection so important.
These two layers of protection, cloud or ISP-based scrubbing plus on-premise network perimeter defence, work together to protect the availability of key web services from the DDoS threat, reducing the risk of costly business interruption. They should therefore be a key consideration for any retail business wanting to ensure its digital services are not interrupted during the crucial pre- or even post-Christmas sales periods.
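As an added illustration (not from the article, and not Arbor's tooling), the following constructed Python check shows how a defender could spot the kind of reflection flood described above that would saturate a 1Gbps uplink, and so distinguish the case that needs the ISP/cloud layer from ordinary load; the flow records, thresholds and reflector port list are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical thresholds: a 1 Gbps uplink (the level the article says many retailers sit at),
# alarm when inbound load reaches 80% of it, and call it "reflection" when at least half the
# bytes arrive from UDP source ports of services commonly abused as reflectors.
LINK_CAPACITY_BPS = 1_000_000_000
SATURATION_FRACTION = 0.8
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen", 161: "SNMP"}

@dataclass
class Flow:
    ts: float       # seconds since start of capture
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int
    nbytes: int

def analyse_windows(flows, window_s=1.0, capacity_bps=LINK_CAPACITY_BPS):
    """Group inbound flow records into time windows and return one verdict per window."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[int(f.ts // window_s)].append(f)
    verdicts = []
    for w in sorted(buckets):
        total = sum(f.nbytes for f in buckets[w])
        reflected = sum(f.nbytes for f in buckets[w]
                        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS)
        bps = total * 8 / window_s
        share = reflected / total if total else 0.0
        if bps >= SATURATION_FRACTION * capacity_bps and share >= 0.5:
            # The uplink is filling with reflected UDP; on-premise gear alone cannot help
            # once the link is saturated, so this is the case for ISP/cloud scrubbing.
            verdict = "volumetric-reflection"
        elif bps >= SATURATION_FRACTION * capacity_bps:
            verdict = "volumetric"
        else:
            verdict = "normal"
        verdicts.append({"window": w, "bps": bps,
                         "reflector_share": round(share, 3), "verdict": verdict})
    return verdicts

# Constructed sample: window 0 is ordinary HTTPS traffic; window 1 adds NTP-reflected UDP
# (source port 123) aimed at port 80, mirroring the article's Q3 example.
SAMPLE_FLOWS = (
    [Flow(0.1 * i, "tcp", 51000 + i, 443, 50_000) for i in range(10)]
    + [Flow(1.0 + 0.1 * i, "tcp", 52000 + i, 443, 50_000) for i in range(10)]
    + [Flow(1.0 + 0.05 * i, "udp", 123, 80, 5_500_000) for i in range(20)]
)

if __name__ == "__main__":
    for v in analyse_windows(SAMPLE_FLOWS):
        print(v)
```

Real deployments would feed this from NetFlow/sFlow or similar export rather than a hard-coded list, and would raise the alarm at the ISP or scrubbing provider rather than only locally.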
Extortion is a key trend
Sadly, extortion is becoming more prevalent. Although it is one of the oldest DDoS motivations, we have seen significant growth in this area in the past year, some of it well publicised given the DD4BC activity. This started back in July ’14 and is continuing in Australia and New Zealand currently, with extortion attempts targeting organisations mainly in the finance and retail sectors. There have been some fairly well publicised cases in New Zealand in particular, where Arbor worked with Vodafone New Zealand to help protect a leading retailer after an extortion attempt.
The other trend to be aware of is the increasing use of DDoS as a part of broader attack campaigns, usually to distract security teams from either malware infiltration or data exfiltration. If an organisation is targeted with a DDoS attack they must be careful not to lose focus on the monitoring of their internal networks, as the DDoS attack may simply be a smoke screen for something potentially far more damaging.
Sharing threat intelligence really helps win the war against the attackers, as information from other organisations in the same vertical or geography can be very pertinent to organisations facing the same risks. One key thing to remember is that attackers often share capabilities with each other, so they are making use of their collective capability; Australian retailers need to do the same, and they can do so anonymously.
Why is retail under increased threat?
One of the key differences between the finance and retail verticals in Australia is the steps taken to deal with threats, whether that is sharing threat intelligence with others in the same vertical or with government agencies, or how quickly they react to an attack. The finance and banking sector in particular is fairly advanced when it comes to responding to and sharing threat intelligence in this region; however, the retail sector is way behind and is leaving itself exposed to attackers.
Retail organisations need to look at the benefits that can come from sharing threat intelligence; sometimes they are too concerned about ‘helping the competition’ – but the key thing to remember is that sharing intelligence is usually a reciprocal arrangement, and the right information could prevent a hugely embarrassing and costly breach for all parties.
What should retailers look out for in 2016?
There is no doubt that we will continue to see a lot of reflection amplification DDoS attack activity throughout 2016. The latent capability within the Internet, which attackers are more than willing to exploit, still exists so it wouldn’t be surprising to see an attack up at around 500Gbps – higher than any other recorded attack – in the not too distant future.
We will continue to see more of the high-profile breaches we’ve seen in retail over the last year in this region. It is also likely that we’ll become aware of many smaller organisations falling victim to data theft. Many retailers have data that is either directly or indirectly valuable to attackers, and at the moment the value of that data is significantly higher than the cost to the attacker of extracting it.
Australian retail organisations need to shift their approach, and fast: they should leverage the data they have more effectively, share intelligence more quickly and usefully, and fundamentally make better use of their existing security resources.