Distributed denial-of-service attacks have increased in complexity so that they are no longer just an annoyance causing a disruption in service. Criminals are using these attacks as a distraction while targeting sensitive data, leaving enterprises to pay for lost business and breach recovery.
Any conversation that involved breaches this year included the statement, “It’s not if but when.” The expectation has become, as IDC’s Christina Richmond, program director, security services, said, “Breach is a foregone conclusion.”
For many companies, the attacks are frequent and more advanced. Richmond said, "Distributed-denial-of-service attacks are no longer an isolated event. Sophisticated attacks hit companies of all sizes, in all industries.”
According to a recent report from Neustar, the odds of getting attacked are one in two, but once an enterprise has been attacked, the likelihood that they will be attacked again is 80 percent. The report also talked about the new trends in both the size and frequency of DDoS attacks.
“If the attacker’s goal isn’t to cause an outage but to disrupt, he doesn’t need to craft an attack of extra-large proportions. A SYN Flood attack is a good example. The attacker sends enough SYN requests to a company’s system to consume server resources and stall legitimate traffic,” the report said.
The method of attacks have changed in complexity and variability. Attackers don’t launch a single attack but rather send out waves and multiple vectors. “They may launch an email attack or attack an application or a server. They may launch multiple attacks in different vectors, coming from different places and attacking different targets,” said Joe Loveless, senior security manager, Neustar.
Larger attacks are easier to detect and mitigate, but these smaller, frequent attacks result in more significant damage, Loveless said. “They create chaos but still leave access open somewhere else,” he continued. The result, according to Neustar’s report is that one in four companies experience an actual theft of data or funds.
Another growing trend in DDoS is ransom. “Extortion is becoming more common, and companies are paying ransom to avoid being attacked but they are getting attacked anyway,” Loveless said.
These attacks are particularly concerning because of the attacker’s stealthy ability to infiltrate the security environment during a disruption. Once they have access, they take a slow and steady approach and often go undetected until they have reached their target: valuable corporate data or funds.
Joe Loveless, senior security manager, Neustar
“IDC believes that the customer is often the first to report a DDoS attack because their user experience suffers when they can't access a web site to buy a product, pay a bill, or find support,” Richmond said. The result is not only a financial loss, but a strike against brand and reputation.
According to Dave Larson COO, Corero Network Security, “A number of things are going on in the landscape and it’s hard to say whether these are rapidly changing or we are just starting to see them.”
Denying service, which seems like it would have to be a big giant attack, is actually the result of something much smaller. “Almost 72% of attacks last less than five minutes and 93% are less than 1GB per second in capacity,” said Larson.
The attacks, though, are not about denying service. Larson said, “These aren’t just randomly occurring. People are orchestrating them, and they have to be doing this for a reason. We are starting to see material data breaches that included DDoS attacks as part of a multi vector intrusion.”
These smoke screen style attacks have significant impact on an enterprise because by design, they are distracting, which leaves security professionals looking in all the wrong places. “DDoS itself isn’t creating the data compromise, but if it is causing you to look in the wrong place, you could be one of the very many organizations that have already been breached and you don’t know it,” said Larson.
Constantly monitoring the environment to make sure that no unknown traffic is crawling around in the network will help to prevent a data compromise after a DDoS attack. Larson said, “You can imagine that more down in the weeds the impact could be that your environment is being scanned and crawled and floor planned. The bad guys are figuring out what they need to gain access.”
The cost of recovering from an attack is significant, particularly for small and midsize businesses. In a special report on security risks, Kaspersky Labs noted, “On average, a DDoS attack costs SMBs more than $50K in recovery bills, which is significantly more than the typical costs they face recovering from other types of attack.”
For some reason, though, companies still aren’t convinced that investing in security against DDoS attacks is money well spent. The Kaspersky Labs survey found that only around half of respondents (56% of IT professionals) believe that spending money to prevent or mitigate an attack would be worth the investment.
Evgeny Vigovsky, head of Kaspersky DDoS Protection at Kaspersky Labs said, “Protection from DDoS attacks is an important part of risk management, yet only 34% of survey respondents have fully implemented DDoS prevention systems of any type.”
There are many factors to consider in evaluating risks for enterprises, from dependence on online services to other resources. “In most cases, online services--websites, emails, databases--are critical. Without them, normal workflow stops,” said Vigovsky.
“Costs associated with failed online services are bigger than expenses for prevention solutions, but unfortunately, there are still companies that do not include DDoS attacks in their risk management strategy,” Vigovsky continued.
The risks of not investing in DDoS prevention and protection are more than monetary. “When a company has to mitigate an attack that is taking place instead of preventing an attack from occurring, then they will pay a steep price for not only lost business contracts and damaged reputation, but also for an urgent solution too,” said Vigovsky.
Echoing the need for prevention and protection, Larson said, “All reasonably likely to be attacked environments should have DDoS defense on the perimeter.”
One measure enterprises should take to build a culture that prioritizes security and prepares for the inevitable of an attack is, “Simulating worst-case scenarios in order to create a corresponding cybersecurity strategy,” said Vigovsky.
Enterprises can take steps toward making security a central concern for all. “A comprehensive strategy should include a combination of IT solutions, security policies and prepared staff to help prevent cyberattacks,” Vigovsky said.
Richmond said, “IDC believes that security needs to move toward being a positive contributor to the business. Security in and of and for and by itself no longer works.” Shifting the corporate culture to one that centralizes a concern for security must be a priority enterprises.
In order to effectively make that change, executives have to buy in to an inclusive plan that is well designed and focused on cross communication. DDoS attacks impact more than security, and everyone from marketing to public relations shares an interest in preventing these attacks and minimizing their impact.