On July 17th, 2014, just as the conflict between Russia and Ukraine had reached crisis point, Malaysian Airlines flight MH17 was shot down in Ukrainian airspace while flying from Amsterdam to Kuala Lumpur, killing all 298 passengers and crew. Four years on, after an extraordinarily detailed investigation, the governments of the Netherlands and Australia concluded what many in the international community already believed: the crash of flight MH17 was caused by the detonation of a Russian anti-aircraft Buk missile launched from the eastern part of Ukraine. Despite Moscow’s continued denials, both governments said they will hold Russia accountable for the deaths under international law.
On May 25th this year, the day after the announcement, ABN AMRO, the third-largest Dutch bank, and Rabobank experienced DDoS attacks that shut many of their customers out of online and mobile banking. There had also been a spate of attacks on Dutch banks and the tax authority in late January, and those DDoS attacks appeared to originate from servers in Russia.
Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection”, when an incident in the digital world mirrors an event in the physical one. These banks had no direct connection to the government’s announcement, but as major global institutions, they are a symbol of power in the Netherlands. DDoS attacks are often about symbolism – threat actors flexing their muscles and wreaking financial havoc just to show what they are capable of. Though this was not the first time ABN AMRO had been targeted, the timing of the attack and the location of the victims raise the very real possibility of retribution.
Cyber reflections once again change the risk calculus for enterprise security officers, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors or disaffected activists. You simply don’t know when the next attack will come, where it may come from, who may be behind it or why they are motivated to strike.
Of course, trying to answer the when, where, who and why questions is an essential part of DDoS defence. Global threat intelligence professionals feed a steady stream of threat landscape data and real-time alerts to enterprise security teams. But vigilance needs to be accompanied by strength and the best defence requires guarding every attack vector and sealing every vulnerability. Today’s DDoS attacks are increasingly multi-vector and multi-layered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer.
Defences also need to scale to protect against every level of attack, from barely detectable entry attempts to overwhelming force. Best practices call for a hybrid defence posture, with on-premise devices that can handle everyday, small-scale attacks, complemented by cloud-based mitigation when an attack reaches a certain size threshold.
Because security resources are often stretched thin and teams can’t be minding every gap, automated detection and response should be a key part of the DDoS arsenal as well. Organisations should also give serious consideration to managed DDoS security services, which reinforce in-house resources with proven technologies and professional expertise dedicated to DDoS. This also reduces operational overheads compared with building in-house defences, and a dedicated team to run them, from scratch.
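The three preceding paragraphs describe one procedure: watch both volumetric and application-layer signals, absorb small attacks on-premise, divert to cloud scrubbing once an attack exceeds what the local device can handle, and do it automatically. The following is an added illustration of that escalation logic and is not code from the article or from any vendor it alludes to. Every field name, threshold, capacity figure and traffic sample below is a constructed assumption; a real deployment would derive the baseline from its own telemetry and tune the factors to it.

```python
"""Tiered DDoS detection and escalation simulation (added example, not from the article).

Models the hybrid posture described in the text: an on-premise device absorbs
small-scale attacks, traffic is diverted to cloud scrubbing once an attack
exceeds the on-premise capacity, and both volumetric (bandwidth) and
application-layer (request-rate) signals are watched. Thresholds, schema and
samples are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Sample:
    """One-second traffic observation (constructed schema)."""
    ts: int
    mbps: float       # inbound bandwidth, megabits per second
    http_rps: float   # HTTP requests per second reaching the application tier


@dataclass
class Policy:
    """Detection thresholds (assumed values; tune to the real baseline)."""
    baseline_window: int = 5              # warm-up seconds used to compute the baseline
    volumetric_factor: float = 4.0        # flag when mbps exceeds baseline * this
    app_layer_factor: float = 3.0         # flag when rps exceeds baseline * this
    onprem_capacity_mbps: float = 2000.0  # what the on-premise device can scrub alone
    release_factor: float = 1.5           # hysteresis: leave cloud only below baseline * this


def classify(sample, base_mbps, base_rps, policy):
    """Return the set of attack signals present in one sample.

    A low-bandwidth request flood (stealthy application-layer attack) shows up
    as 'app_layer' without 'volumetric', which a bandwidth-only check would miss.
    """
    signals = set()
    if sample.mbps > base_mbps * policy.volumetric_factor:
        signals.add("volumetric")
    if sample.http_rps > base_rps * policy.app_layer_factor:
        signals.add("app_layer")
    return signals


def escalate(samples, policy=Policy()):
    """Walk samples in time order and emit a (ts, action, signals) decision per second.

    Actions: 'monitor', 'mitigate_on_prem', 'divert_to_cloud'. Diversion is sticky
    until traffic falls back under release_factor * baseline, so a brief dip in
    the middle of an attack does not flip the route back and forth.
    """
    warm = samples[:policy.baseline_window]
    base_mbps = median(s.mbps for s in warm)
    base_rps = median(s.http_rps for s in warm)
    diverted = False
    decisions = []
    for s in samples[policy.baseline_window:]:
        signals = classify(s, base_mbps, base_rps, policy)
        if diverted:
            calm = (s.mbps <= base_mbps * policy.release_factor
                    and s.http_rps <= base_rps * policy.release_factor)
            diverted = not calm
            action = "monitor" if calm else "divert_to_cloud"
        elif not signals:
            action = "monitor"
        elif s.mbps > policy.onprem_capacity_mbps:
            diverted = True               # beyond local capacity: hand off to cloud scrubbing
            action = "divert_to_cloud"
        else:
            action = "mitigate_on_prem"   # small enough for the on-premise device
        decisions.append((s.ts, action, sorted(signals)))
    return decisions


# Constructed telemetry: 5 s of normal traffic, then a stealthy request flood,
# a volumetric ramp that exceeds on-premise capacity, a dip, and recovery.
SAMPLES = [
    Sample(0, 100, 500), Sample(1, 95, 480), Sample(2, 105, 520),
    Sample(3, 100, 510), Sample(4, 98, 490),   # baseline: 100 mbps, 500 rps
    Sample(5, 120, 2500),   # app-layer flood at low bandwidth -> on-prem
    Sample(6, 800, 600),    # 8x bandwidth, still within capacity -> on-prem
    Sample(7, 5000, 700),   # exceeds on-prem capacity -> divert to cloud
    Sample(8, 1200, 650),   # dip, but still above release level -> stay in cloud
    Sample(9, 110, 520),    # back to normal -> release, monitor
]


def run_demo():
    """Run the escalation logic over the constructed samples."""
    return escalate(SAMPLES)


if __name__ == "__main__":
    for ts, action, signals in run_demo():
        print(f"t={ts}s {action:18s} signals={signals}")
```

The hysteresis in `escalate` is the part worth copying: without it, the dip at t=8 would route traffic back on-premise for one second and then out again, which is exactly the flapping that makes manual operators distrust automation.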
The weapons on the battlefield are ever-changing, so defences must evolve in parallel. Cooperation and information sharing are at the heart of this cyberwar, as they allow all parties to best prepare themselves based on the current threat landscape.
Whenever a controversial global incident occurs, keep an eye out for signs from the cyber world that retribution is in play, and ask yourself if there’s any possible reason that the reflective mirror might be aiming at you.