CIO

If you can’t detect a breach within 3 hours, your data is probably already gone

DDoS salvos increasingly used to hide multiple, targeted cyberattacks

Distributed denial of service (DDoS) specialists can shut down an attack in 90 seconds once it’s detected – but if you take more than 3 hours to respond you’re likely to be compromised by a related attack in the meantime, warns a security expert who is seeing easy-to-source DDoS attacks becoming smokescreens for brazen data theft.

Attack levels were growing steadily but multi-vector attacks had become far more frequent, Neustar APAC general manager Robin Schmitt told CSO Australia as the firm’s Global DDoS Attacks & Cyber Security Insights Report polled 1021 security and C-suite executives about their experiences with attacks and breaches this year.

Fully 27 percent reported they had seen an increase in security incidents experienced along with DDoS attacks, with 76 percent of those attacked forced to deal with multiple attacks and 26 percent saying they had dealt with more than 5 attacks each.

Respondents reported 1646 breaches and 772 attacks, suggesting that each DDoS attack was being accompanied by 2.19 related breaches on average. “Attackers are getting more successful, and you’re seeing DDoS being used more and more as a smokescreen,” Schmitt explained, noting that ready availability of DDoS-as-a-service capabilities had made them simple to run in concert with conventional cyberattacks.

Cybercriminals “don’t need to be an expert in DDoS attacks,” he added. “They can purchase one, and focus their expertise on network penetration and data theft. They hit the client with a DDoS and then go in for what they’re really after.”

Some attackers come back multiple times until they get their target: while 16 percent of companies reported financial theft after being attacked once, for example, 23 percent of those attacked more than 5 times said they had suffered financial theft.

Those outcomes pose serious problems for organisations that get caught up in evaluating the DDoS but often fail to measure or remediate its impact up and down the supply chain. Fully two-thirds of respondents said they had been notified about an incident from a third party and 36 percent were notified of DDoS attacks or related breaches by their customers.

Delays proving disastrous

Chronic lack of visibility into operating environments had increased the chance that an organisation would be breached, and its data pilfered, without knowing about it. Delays in dealing with incidents were increasingly proving disastrous: 48 percent of organisations required at least 3 hours to detect a breach, while 45 percent said they required at least 3 hours to respond to one.

By that time, Schmitt said, 70 percent of organisations had suffered some form of data theft. After 12 hours, that figure rose to 90 percent. “You need to be able to detect and respond to these attacks quickly,” he said.

“Australia is doing a lot better than the rest of the pack, but we’re still suffering this too often. You’ve really got to focus on your response speed: you don’t want to be in a situation where your team is having to scramble, or it has taken a long time to confirm that it’s an attack. It’s frustrating to see these detection and response times climbing when you know there are methods out there that organisations can deploy to protect themselves.”

Better DDoS responses and threat visibility needed to be complemented with capabilities such as Web application firewalls (WAFs), which had seen “a massive jump” in adoption as better network-layer defences pushed attackers towards manipulating business logic at the application layer instead. Such exploits could prove fruitful for attackers in their own right, or be used as springboards to compromising other business or supply-chain partners that are the longer-play targets.

In the process, says Schmitt, the impact on businesses can come in many forms: “These attacks aren’t volume based, but they are designed to penetrate,” he explained. “They can have a significant impact with a few requests that don’t require a large amount of bandwidth. You may not run out of bandwidth, but find you run out of processing capability.”

Those interruptions were correlated to very real financial damages, with 20 percent of respondents saying that interruption of their systems could risk $US100,000 to $US249,999 in revenues every hour. Fully 9 percent were risking more than $US1m in revenues for every hour of downtime.

“It should come as no surprise that those who seem to harm companies use DDoS as a weapon,” the report noted. “[This] drives home the point that speed in detection and response is an ally to risk mitigation practices.”