There’s nothing subtle about a DDoS attack. Your incident response console is lit up like a Christmas tree. Alarms are going off indicating that your network is down or severely disrupted. System users and managers are sending you panicky messages that business has ground to a halt. Meanwhile your mind is racing: Who would do this to us? Some kind of cyber extortionist? An unsavoury competitor? Hacktivists trying to send a message? And why would they do this?
There are many reasons behind a DDoS attack but one thing we have continued to see is the rise of DDoS attacks on media publications – most recently demonstrated by the attacks on Swedish media sites. After a bit of investigation, Arbor found that the attack was not endorsed by the Russian government, but instead a typical distributed attack, with computers located in Russia, among many other countries, generating attack traffic – most likely a botnet for hire service.
At the end of last year, we also saw the BBC hit by a DDoS attack, while Brian Krebs was hit by a DDoS back in 2013. According to Newscycle Solutions, over 50% of media companies have been the victim of some sort of cyber-attack in the last two years – it’s clear that media organizations are currently in the firing line for hackers.
We know that every business has a different IT team and, because of this, a different view of security. But it is important that even soft targets such as media organizations have a good understanding of the threat landscape and implement the right security processes. There are several factors media organizations should consider.
Easy to implement, easy to attack
Firstly, it is now far too easy to launch a DDoS attack. For a mere $5/hr anyone without any technical knowledge can purchase a DDoS for Hire Service and launch a DDoS attack. Quite often, it is used as a smokescreen to cover fraudulent activity.
Combine this with the many motives behind a DDoS attack and you see why there is such a rise in the number of DDoS attacks across all types of industries.
Changing motivations
Traditionally, vandalism and political/ideological disputes are the common reasons for attacks on media organizations. The poster child for this is the DDoS attack on the BBC. It is just a way for hackers to flex their muscles to show everyone what they’re capable of.
More recent attacks have highlighted the growth of criminal extortion, data exfiltration and DDoS for Bitcoin. As media organizations report on all types of events, while they may not take a side, they could still become a target of an attack. Interestingly, there is usually a correlation between political conflicts in the real world and online attacks – often called cyber-reflection.
The variety of DDoS continues to grow
DDoS attacks are utilized as a diversion or smokescreen in multiple stages of the cyberattack kill chain. The following cases have all been documented as part of complex attacks, and every business should be aware of them:
- Reconnaissance: In this initial stage, cybercriminals launch a small DDoS attack to size up your security posture and ability to respond. If they find that a business’ security is weak, they will stick around to do some discreet probing and port scanning, looking for vulnerabilities to exploit so they can break into the organization. The knowledge they gather in this phase will be used for the Extract Data/Complete Mission phase.
- Malware Delivery/Exploitation: Now they’re inside the network and spreading out, dropping malware onto your machines. To cover their tracks, hackers will launch a DDoS attack to overwhelm an organization’s threat detection and forensics tools, making the breach and the planted malware much harder to detect.
- Extract Data/Complete Mission: In the final stage, they launch a DDoS attack as a diversion while they steal confidential data such as credit card information, intellectual property or other valuable information they can get their hands on. While the IT team is distracted, cyber criminals quietly slip away undetected with their loot and the DDoS attack mysteriously ends.
Don’t be low-hanging fruit
If a media organization is hit with a DDoS attack, it might not be an independent event. It’s important to make sure there’s nothing happening inside the network that could be related to that attack – otherwise the consequences could be far worse. In fact, businesses may be able to take some cues from the DDoS attack that will help them investigate further.
For example, if the IT team knows where the attack is coming from, that could indicate who the threat actor may be. Plus the tactics, techniques and procedures (TTPs) the threat actor uses may help you hunt for other indicators of compromise (IOCs) potentially signalling that you’re falling victim to a larger threat campaign.
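One way to check for activity inside the network during an attack, shown as an added example that is not part of the original article: compare each internal host's outbound volume during the DDoS window with its own earlier windows of the same length, and list destinations it had not contacted before. The flow records, addresses, attack window, function name and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

T = datetime.fromisoformat
# Constructed sample flows: (time, internal source, external destination, bytes sent out).
FLOWS = [
    (T("2024-01-10T09:30"), "10.0.0.5", "203.0.113.10", 20_000_000),
    (T("2024-01-10T11:15"), "10.0.0.5", "203.0.113.10", 22_000_000),
    (T("2024-01-10T13:10"), "10.0.0.5", "203.0.113.10", 18_000_000),
    (T("2024-01-10T10:05"), "10.0.0.23", "198.51.100.7", 4_000_000),
    (T("2024-01-10T12:40"), "10.0.0.23", "198.51.100.7", 6_000_000),
    (T("2024-01-10T14:20"), "10.0.0.5", "203.0.113.10", 25_000_000),
    (T("2024-01-10T14:35"), "10.0.0.23", "192.0.2.99", 250_000_000),
    (T("2024-01-10T15:10"), "10.0.0.23", "192.0.2.99", 150_000_000),
    (T("2024-01-10T15:20"), "10.0.0.23", "198.51.100.7", 5_000_000),
]
ATTACK_START, ATTACK_END = T("2024-01-10T14:00"), T("2024-01-10T16:00")  # constructed window


def egress_during_attack(flows, start, end, ratio=5.0, min_bytes=50_000_000):
    """Flag internal hosts that sent far more data out during the DDoS window
    than in their own earlier windows of the same length.
    ratio and min_bytes are illustrative thresholds, not recommended values."""
    window = end - start
    baseline = defaultdict(lambda: defaultdict(int))  # host -> earlier window -> bytes
    known_dsts = defaultdict(set)                     # host -> destinations seen before
    during, during_dsts = defaultdict(int), defaultdict(set)
    for ts, src, dst, nbytes in flows:
        if start <= ts < end:
            during[src] += nbytes
            during_dsts[src].add(dst)
        elif ts < start:
            baseline[src][(start - ts) // window] += nbytes
            known_dsts[src].add(dst)
    findings = []
    for host, total in during.items():
        # Median over earlier windows that had traffic; a host with no history gets 0.
        typical = median(baseline[host].values()) if baseline[host] else 0
        if total >= min_bytes and total > ratio * typical:
            findings.append({
                "host": host, "bytes": total, "baseline": typical,
                "new_destinations": sorted(during_dsts[host] - known_dsts[host]),
            })
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in egress_during_attack(FLOWS, ATTACK_START, ATTACK_END):
        print(f)
```
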
But why take all the risk? Preventing smokescreen attacks, and the potentially devastating damage they cause, is one more reason why many companies invest in strong DDoS protection. Like a burglar checking for unlocked doors, cyber-criminals look for low-hanging fruit. If they realize that a media site has the defenses in place that can deflect their initial attack, they’re more likely to abandon their efforts and look for an easier victim.