When cyber criminals launch a DDoS attack, they might be doing more than just trying to cause disruption. They could be using it as a decoy to distract from other attacks they're carrying out.
According to a new report by Neustar, attackers are using DDoS to confuse defences, distract IT teams, and stymie forensics. An earlier report from the same company found that 52% of companies experience theft of customer data, intellectual property, or funds during an attack.
Ramss Gallego, former international vice president of ISACA and now an evangelist at Symantec, says that distracting attacks in the form of DDoS onslaughts or infecting a certain infrastructure that mandates immediate attention and remediation are common.
"They oblige security teams to get systems and services up and running again while, in reality, other things might be happening on another corner of the network. This is also known as 'blended attacks'," he says.
So it's important to realise that while it may look like the hackers are focusing their energy on just one type of attack, they may well be doing other, more dangerous things as well. A joined-up approach to security is therefore necessary to fight today's threats.
Inittially, an organisation must deal with the distraction while being aware of other stealthy moves. Don Shin, A10 Networks' senior product marketing manager, says the first step organisations need to take is to eliminate the DDoS effects at the edge of their networks so the defenders and their tools can be effective in detecting the stealthy attacker actions.
"This applies to tools used for protecting the confidentiality of data and to the tools focused on availability of critical services," he says.
James Mason, service security manager at managed cloud and IT infrastructure provider Fordway, says that it's important to baseline normal behaviour in an environment and put it in an organisational context, using tools such as SIEM (Security Information and Event Management) to ensure all security events are centralised.
"This provides holistic visibility of your environment and will allow detection and investigation of a distracting attack as well as detecting other attacks that may be taking place at the same time," he says.
He adds that joined-up security that protects an organisation can prevents the 'throwing over the fence' attitude where people think security's an issue for the IT or security team, whereas it's in fact a business issue and needs to be something that should be done as a matter of course.
Visibility is key
Creating and deploying a joined-up security strategy starts with visibility, according to Shin.
"Visibility is most commonly realised by flow anomaly analysis tools that monitor the network. These analysis tools detect odd behaviour and then alert DDoS mitigation solution to change the routing structure of the network for inspecting and removing the anomalies. Once the traffic has been cleaned, that traffic is then steered back to the traditional security tools," says Shin.
Mason says it's imperative that someone in the organisation take the lead on information security and develop and own the security strategy.
"Of crucial importance is gaining commitment across the organisation, starting with commitment from senior management. This means formally putting in place security governance and ensuring that the security strategy is seen as a living document," he says.
Sam Curry, chief product officer for Cybereason, says that the gap between the security and business functions in a company must be bridged.
"This is hard. But security, like any function, is a set of business process," he says. "Bridge the divide."
He adds that it's important to create a culture of excellence in security that's fully business justified and understood at senior levels.
"Companies in a mere checklist stage of maturity or just compliance stimulus-response have got the biggest gap to bridge here," he says. "Treat this as a major, cross-functional exercise, get a real leader in place respected on both sides of the divide and then empower a conscious maturation."
A key tool in creating joined-up security is education according to Mason. He says an organisation's staff need to be trained about new threats, so that they know what to beware of and what to do should the worst happen.
"One very effective policy which we have implemented at Fordway and recommend to our customers is to have 'security champions' in all departments. This ensures security is embedded in day-to day activities and reminds everyone of their security responsibilities, while sharing knowledge and best practice and providing a channel for feedback," he says.
Gallego says tools shouldn't just be connected, but must be integrated too. "Security tools can connect in a very effective way... but the purpose and promise should be that solutions actually integrate in an efficient way as well," he says.
"An integrated, unified and simplified approach to using technology is the way to go. Technology, in a way, is not the problem, but rather [part of] the solution."
Joined-up security in the future
Two key threats that will need a joined-up security approach in the next 18 months are social engineering and ransomware, according to Mason.
"Hackers are increasingly exploiting social media, as many people don't realise how much information they give out which can then be used against them," he says.
Mason adds that there's also been a surge in hackers targeting organisations using attachments or links send via email, which appear legitimate but unleash ransomware.
"Organisations should ensure that all data is backed up in case the worst should happen, including data on mobile devices, and test a restore of the backup and ensure it's in a location that will not become encrypted should the system or service it's protecting be affected," he says.
Gallego says that organisations need to understand that cybercriminals are not going to stop and that activities such as ransomware or hacktivism won't stop.
"Enterprises must get ready to protect their three most important assets: people and data, employees/users and intellectual property. There's nothing else but fulfilling the promise of protecting and defending. All of the time," he says.
