Analysis: Why CIOs should fear DDoS

More than simply an inconvenience, Distributed Denial of Service attacks can be used to hide far more sinister cyber assaults

Distributed denial of service (DDoS) attacks are costly for businesses in terms of lost revenue, the need to invest in new cyber defences, and potential extortion fees. But most costly of all could be their use as a decoy for other assaults.

Gartner analyst Anton Chuvakin told Computing that his recent research into DDoS attacks found a few examples where they had been used to facilitate data theft.

"It appears that the main purpose of the attacker was to distract the team investigating the data theft as well as overwhelm the systems the investigators may use to collect and analyse the evidence of the attack.

"Specifically, the attacker might have needed a certain window to make use of the stolen data, and only needed to delay the investigation by that time," he said.

According to John Roberts, head of managed services at network services provider Redstone, there are four main forms of attack that could be used alongside a DDoS assault to exploit a business's systems.

"There are DDoS viruses such as Cascade, Tequila and Frodo, which in the past were used to spread an attack. Then there is the use of a Trojan horse, which is software typically disguised as useful shareware or freeware. Users will consciously put it onto their system, not knowing what it really is," he explained.

Roberts said that a Trojan contains a backdoor to the users' systems and may even include a set of triggers.

"A trigger can be set for a certain date or time and this will initiate a sequence of events, possibly including a DDoS attack, which can bring the network down," he said.

Another alternative, Roberts said, is a computer worm, which is a form of malware that spreads to other computers; he claimed this was a "combination of a virus attack and a DDoS attack" that could bring down a business's mainframe or networks. Unlike other attacks, it only affects certain systems and is benign to others – therefore even if an enterprise's corporate network goes down, the email functions may still work.

"There can also be malicious sites sitting out there that trigger your web browser to perform unwanted functions in your system," he added.

A fifth form of attack sometimes seen alongside a DDoS assault is an advanced persistent threat (APT). APTs are generally sophisticated forms of attack from tenacious cyber groups who won't give up until the hack is successful.

But why would a hacker need to use another form of attack in addition to DDoS on a targeted business?

The answer is often financial.

"DDoS can flood a system and stop it working but if you look at Trojan horses, websites and worms, these are not just about bringing down the system, these are used to copy and steal data, valuable files or services from users," Roberts explained.

This data can then be sold on, ransomed back to the business, or used in other ways to profit the attackers.

Jeff Aliber, senior product marketing manager at Akamai's Kona Security Solutions, added that an application-layer attack such as SQL injection or cross-site scripting is also widely used to break into an application and steal data while a DDoS attack is launched as a diversion.

But while the attacks may be used simultaneously, they would still be separate assaults, Ovum analyst Andrew Kellett told Computing.

"It would be too simple to say that they are integrated, it is about bringing the elements together rather than saying there is an integrated group of components," he said.

Roberts agreed with Kellett and suggested that in many cases, DDoS attacks are merely used as a testing phase.

"If a DDoS attack is successful in bringing down a company's systems then that network is also likely to be susceptible to other attacks such as a Trojan or a virus," he said.

His statement is supported by mobile operator Verizon's 2012 Data Breach Investigations Report, which found that most victims of data breaches (79 per cent) fell prey because they were found to possess an exploitable weakness rather than because they were pre-identified for attack.

The same report found that 85 per cent of breaches took weeks, if not months, to discover, because many are discovered by third parties rather than by the business itself.

"If an organisation's security can be quietly breached and malware can be implemented – it can sit [inside the system] and can start to deliver data from the organisation that is beneficial in terms of the value the attacker can obtain, such as stealing intellectual property," Kellett said.

So the message for CIOs and CISOs is clear: don't treat DDoS attacks simply as an inconvenience, because they could mask something far more sinister.