DDoS attacks – the crippling smokescreen

The threat of DSoS attacks is increasing as geopolitics and a trend toward digital transformation collide.
27 March 2023

Where there’s smoke, there’s malware? The rise of DDoS attacks represents a combination of vulnerabilities.

DDoS (Distributed Denial of Service) attacks connect multiple online devices, transforming them into a kind of fake traffic cannon to overwhelm websites. They have a history dating back to 1996, and while they’ve been outstripped in the corporate consciousness by the likes of ransomware, bad actors are increasingly using DDoS attacks to cripple businesses – especially in critical or semi-critical national infrastructure frameworks.

What’s at least as worrying is that a recent ThoughtLab study revealed that 40% of Chief Security Officers did not think their organizations were sufficiently prepared to deal with the security threats they’re likely to face today, including DDoS attacks.

We sat down with Kev Eley, Vice President of Sales, Europe at LogRhythm, a company specializing in cybersecurity, to find out why DDoS attacks are on the rise – and what companies can do to avoid being poleaxed by them.

An old enemy.

THQ:

DDoS attacks have been around for a long while. What’s new about our landscape of intelligence about them?

KE:

They have been around for a long time, true. But 2022 was an interesting year. A lot of sources point to a higher number of DDoS attacks in 2022 than in previous years. Part of that is down to a number of organizations that are undergoing digital transformation, and expanding into new areas of computing, like the cloud and IoT (Internet of Things).

That’s increasing th amount of network connectivity, with more and more 5G sources. And whenever organizations increase the amount of technology they’re using, and that technology is interconnected through the internet, it corresponds to an expansion of the threat landscape.

That means the attack surface for adversaries is continuing to expand for a lot of organizations. And that presents an interesting target that lets threat actors cause a level of disruption. And of course, the geopolitical situation has also given rise to certain threat groups that are really determined to cause disruption to organizations.

With the ongoing conflict in Ukraine, pro-Russian threat actors will continue to target organizations and countries that are supporting Ukraine. We’ve seen that play out across other aspects of cybersecurity, particularly malware and ransomware, as well as DDoS attacks.

That combination of an increased attack surface and the broadening geopolitical tension is causing an increase in the number of DDoS attacks. Add to that an almost industrialization of cybercriminal groups and you get a lowered barrier of entry to the cybercriminal world, which also means more attacks.

DDoS attacks are frequently used as a smokescreen or a diversionary tactic to mask other malicious activity. So the more malicious activity of other sorts there is, the more DDoS attacks we’re likely to see. All those elements coming together are really contributing to this ever-changing landscape of DDoS attacks.

The perfect storm.

THQ:

So we’re in perfect storm territory for DDoS attacks?

KE:

Very much so. And I predict that it will continue, because it’s a tried and tested tactic for adversaries – as you say, DDoS attacks have been around since the 1990s. They wouldn’t still be around if they didn’t work.

And as the pace of transformation accelerates, it will continue to drive these perfect storm conditions that some groups unfortunately will seek to exploit.

THQ:

So hypothetically, the more either of those main factors – digital transformation or geopolitics – ramp up, the more incentivized the bad actors might become?

For instance, if the illegal invasion of Ukraine starts to go worse for Russia, the pro-Russian “cyber-troops” might be incentivized to intensify their efforts?

THQ:

Potentially, yes. What’s been interesting to me is that while a number of the organizations we work with have seen an increasing level of DDoS attacks, we haven’t really seen a new proliferation of very serious malware off the back of the attacks. Part of me wonders whether that’s related to the fact that if you think of the situation in Ukraine as a trigger for some of this activity, perhaps the Russian political machine anticipated that it would achieve its mission objectives faster.

But that’s not to say that as this continues, and if it can’t be resolved, that some type of additional DDoS activity, maybe even leading to some really nasty malware, could be unleashed upon the world…

How to protect your business.

THQ:

O…K. Let’s try and think positively. How can businesses protect against the DDoS threat as it is today, and as it will evolve?

KE:

Positive, but potentially predictable, this answer.

Being able to get actionable intelligence as to what’s happening across an organization’s network is imperative for the organization to be able to really detect any form of adversarial activity on its network. So it’s crucial that an organization has a SIEM (Security Information and Event Management) solution.

A SIEM solution really allows organizations to detect any form of malicious activity that’s playing out across their networks, their system servers, their applications, and across their users as well.

Having that capability, in combination with the appropriate processes and skilled individuals in the form of security analysts, is absolutely critical.

THQ:

It can’t just be skilled people and eyes across the organization though, can it? Not in 2023?

The power of automation.

KE:

Well, no – for an organization to be able to detect this type of activity (given the rate of change of organizations as they undertake digital transformation), they’re going to need some degree of automation if they want to harness intelligence from their networks and their systems effectively.

That’s the beauty of a SIEM tool – most of them will come with out-of-the-box rules that will specifically look for processes that could be spinning up or listening across the network.

What we deliver at LogRhythm adds to that automation with a form of AI engine rules, which give you a deterministic, rule-based ability to spot any form of DDoS type activity that’s playing out, but then we also apply machine learning analytics as well, to help an organization identify if there’s any form of anomalous activity or deviation from a normal state.

THQ:

We like a solidly normal state when it comes to not being under DDoS attack.

KE:

We do. And that’s the key, really – organizations really need to think about the way in which they can proactively monitor their environment and use that telemetry, those signals that would indicate when something’s happening that threatens the normal state.

 

In Part 2 of this article, we’ll dive deeper into the realities of DDoS attacks, what companies can do if they get hit by them, and how infrastructure frameworks can get breathing space and peace of mind in the modern DDoS minefield.