
Can your incident response plan handle a DDoS attack?

9 February, 2017

The Internet of Things is here. And while its intended use is to add convenience and connectivity to our lives, hackers have already found ways to turn the IoT against us. The most notable example occurred last October, when a botnet army of about 100,000 connected objects slammed the DNS company Dyn with a powerful distributed denial-of-service attack. As a result, companies ranging from Netflix to The New York Times experienced website outages in various regions of the U.S.

A motive was never actually provided for why the attack was launched in the first place. In a way, that's the scariest part of the situation. The attack seems to have "diversion" written all over it. No one can say for certain whether that was the intention, but the notion does raise an essential question that organizations of all sizes should be asking themselves: Are we ready for DDoS?

Smoke and mirrors 

During a sit-down with SC Magazine, Arctic Wolf Networks' head of security engineering, Sam McLane, pointed out that DDoS attacks are the perfect distraction and a devastatingly efficient way to throw an organization's incident response team off a hacker's trail.

While the organization is scrambling to respond to the attack, it's possible that quieter network activity will fly right under the radar. The result could be the establishment of a backdoor trojan through which malware (e.g., keyloggers, ransomware) can go in, and sensitive data can come out.

According to IT Pro Portal, 56 percent of respondents to a poll conducted by cybersecurity researchers revealed that they're seeing DDoS being used as a smokescreen. More importantly, 26 percent of respondents said that when they lost data from targeted attacks, DDoS was involved as a diversion.

DDoS is increasingly being used as an accomplice in highly targeted attacks.

Using threat detection, IR as beacons in the storm

The most effective way to lift the shroud of DDoS is to ensure no vector is left unattended in the event of such an attack. According to McLane, a prudent course of action is to preassign specific staff members to monitor certain channels. Granted, this requires strength in numbers, which is not exactly a strong point for small and medium-sized businesses. There are two ways that this can be addressed:

  1. Through the use of real-time, automatic threat detection technology that continues to monitor all network activity during the attack. 
  2. By working with a third party that has the expertise and resources needed to help plan and execute an incident response plan. 

It's worth noting that these are not mutually exclusive solutions. Managed detection and response vendors play the dual role of security operations center and IR consultant for their clients. In effect, this makes it possible to catch DDoS early and keep eyes on the rest of the network while the attack is underway.
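The "no vector left unattended" idea above can be made concrete in detection logic: the inbound flood and the quiet outbound channel are scored independently, so the flood cannot drown out a large transfer to a destination never seen in normal operation. This is an added illustration, not code from the article or from Arctic Wolf; the flow records, the baseline destination set and the thresholds are all constructed for the example.

```python
from collections import Counter

# Constructed NetFlow-style records (not from the article):
# (second, src_ip, dst_ip, direction, bytes)
FLOWS = [
    # 120 seconds of inbound flood from many spoofed sources to the web server
    *[(t, f"198.51.100.{t % 50}", "203.0.113.10", "in", 600) for t in range(0, 120)],
    # a large outbound transfer to a never-seen host, hidden inside the flood window
    (30, "10.0.0.7", "192.0.2.44", "out", 48_000_000),
    # ordinary reply traffic from the web server
    (45, "10.0.0.7", "203.0.113.10", "out", 1_200),
    # small outbound flow after the flood, below the volume threshold
    (150, "10.0.0.9", "192.0.2.80", "out", 2_000),
]

# Destinations observed during normal operation (constructed baseline)
BASELINE_DSTS = {"203.0.113.10", "203.0.113.53"}


def flood_windows(flows, window_s=60, threshold=50):
    """Return the window indices whose inbound flow count exceeds the threshold."""
    counts = Counter(t // window_s for t, _, _, d, _ in flows if d == "in")
    return sorted(w for w, n in counts.items() if n > threshold)


def suspicious_outbound(flows, baseline_dsts, min_bytes=10_000_000):
    """Outbound flows to non-baseline destinations that move at least min_bytes.

    Evaluated without reference to inbound volume, so a flood never suppresses it.
    """
    return [(t, s, dst, b) for t, s, dst, d, b in flows
            if d == "out" and dst not in baseline_dsts and b >= min_bytes]


def triage(flows, baseline_dsts, window_s=60):
    """Combine both signals and mark outbound anomalies that overlap a flood window."""
    floods = flood_windows(flows, window_s)
    exfil = suspicious_outbound(flows, baseline_dsts)
    flood_set = set(floods)
    masked = [f for f in exfil if f[0] // window_s in flood_set]
    return {"flood_windows": floods,
            "suspicious_outbound": exfil,
            "masked_by_flood": masked}


if __name__ == "__main__":
    for key, value in triage(FLOWS, BASELINE_DSTS).items():
        print(key, value)
```

An alert on `masked_by_flood` is the one worth routing to whoever was preassigned to the outbound channel, since it is exactly the traffic a volumetric dashboard will not show.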