Mounting a response to the digital hijack threat

A denial of service attack can have a major impact on services offered internally like the email or file directories and external services including government information and payment portals. A worrying trend flagged up in research by RAND Corporation is that anyone can rent a 24hr DoS attack for a meagre sum of US$50. Mimicking the capitalist economies, the service is sometimes offered with a money back guarantee if it does not work.

Cyber Retaliation
2013 saw the world’s first known instance of a commercial cyber retaliation, more commonly called a CTT or Cyber Tit for Tat, that resulted in a tangible impact on the global internet.
    
Spamhaus, an international non-profit organisation that tracks the Internet’s spam operators, had recently blacklisted an internet hosting organisation based in Netherlands, called Cyberbunker. Their reasons included the allegations that Cyberbunker was openly hosting known spammers amongst other cyber vandals. As a result, there was a gradual loss of internet traffic to Cyberbunker, to which, it is alleged, the Netherlands based company retaliated. In short, Spamhaus was targeted by a Denial of Service attack of a magnitude that had never before been seen.
    
During that period significant portions of the Internet were affected, emails were delayed (in some cases severely), major websites were very slow or not loading at all, and internet banking was unavailable to many. Luckily for everyone, the internet did not grind to a complete halt.

The Basics
The primary objective of a denial of service attack is to deny access to critical resources. These resources can be external as in websites, payment portals or internal resources including directory services like active directory, email systems and corporate networks. It is important to point out that DoS attacks can be both internal and external. External DoS attacks make it to the media headlines primarily because they are external as in, the unavailability of a public facing website or email service.

Internal DoS attacks can sometimes have a greater impact but these attacks don’t often make it to the headlines. For example, the simple act of users unable to login and use their computers for a prolonged period of time is a Denial of Service in action, deliberate or not.

DoS & DDoS: The Difference
DoS stands for Denial of Service and DDoS stands for Distributed Denial of Service. The impact of a distributed attack is often far greater than a regular DoS attack. It must be noted that in many instances both terms are used interchangeably.

For an analogy of a DoS attack, imagine an attacker taking a single hammer and attempting to break a tempered glass. The attacker would have to spend a great deal of time and effort to break it. It would be like one single computer attempting to attack your website with an electronic hammer denying your legitimate users access
    
For an analogy of a DDoS attack, imagine the attacker paying 10 friends to take the same hammer and attack the glass at the same time. Not only will the glass break faster but the impact of the damage may be greater than a single hammer attack. The attacker hijacks 10 thousand computers scattered around the internet and uses the same hammer, this time multiplied by 10 thousand, to attack your website denying your legitimate users access.

The Threat of Internet of Things
Until recently an attacker would hijack thousands of vulnerable computers on the internet to launch a DDoS attack. These vulnerable computers include all types of computers including laptops, desktops or office email servers.
    
Now imagine the same attacker being able to hijack your fridge, smartphone, tablet and a million other of these devices and commandeer an even more catastrophic attack to your website. This is possible and we are already starting to see these Internet of Things (IoT) devices being used as accessories to DDoS attacks.

Understanding the Attackers
Understanding the attacker and the motivation that drives these attacks is crucial to building the appropriate protection and detection mechanisms. ISACA describes four main types of attackers: unsophisticated opportunists; sophisticated individuals who attack specific targets; those engaged in criminal or corporate espionage; state sponsored advanced attackers.
    
A fifth category could be referred to as insiders, or ‘privileged attackers’. Although technically, this type of attacker can be slotted into any one of the above four categories, it deserves its own classification as very often it is the employee or groups of them that end up causing the biggest disruption and damage to the business. Reasons range from bribery, job dissatisfaction or loss of employment.
    
The privileged attacker is a special kind of attacker as he/she is well versed with the culture, the technology, the technical architecture and most importantly has the explicit trust of his/her employers. In addition, in almost all instances this privileged user has the administrative user details including passwords to all the critical systems and that is why this type of user is also sometimes called the ‘god user’ or ‘superuser’.
    
The motivation of an attacker can be divided into five categories: grievance; crime; hacktivism; espionage and warfare.

The logic behind choosing a target
In a realm that has no boundaries and no governance framework there can be several reasons that an organisation falls victim to a DoS attack, ranging from the insider, equipped with sufficient knowledge and awareness of the technical landscape, who has an axe to grind with the management, to the malicious criminal or nation sponsored element that have significant funding, highly skilled and able manpower and the luxury of time to launch targeted or opportunistic attacks.
    
Consider this example. In the past, a denial of service for a business would normally mean having its windows smashed by a bored teenager. That same teenager could muster his friends and break multiple shop windows via a distributed denial of service. Importantly there was and still is physical effort involved in breaking glass and the resulting chaos and loss of business is localised.
    
Today, that same teenager, in many cases working alone, can cause global mayhem, affect the livelihoods of millions of people, deny critical services to hundreds of thousands of people – all from the comfort of their bedroom. If he or she is clever they could develop or produce the program (the equivalent of a stone) themselves. If they have spare change, say a few hundred dollars, the teen could procure a ready made program that guarantees mass destruction.

How to DoS
A DoS, in comparison to other more sophisticated attacks, is relatively easy to carry out. Worryingly, DoS and DDoS tools are readily available in what is a thriving underground market for cyber attack tools.

In an insider DoS attack, the IT System administrator literally pulls the plug on your email servers and deletes all the files and the backups, meaning all your data is inaccessible or gone. Alternatively, the system administrators permanently delete the authentication infrastructure in your organisation so that no one can log in.
    
A website is the window into the world of commerce, services and information. An outsider DoS attack can deny access to legitimate users of the site. Some examples of the impact of a DoS attack include: an NHS or surgery website not being able to accept doctors appointments; the site to renew car tax becomes inaccessible resulting in thousands of drivers with expired tax discs; and a council site accepting payments for parking charges is very slow causing many customers who are trying to pay for their fines to try again and again. This further slows the site and more customers cannot pay their fines.

Protection Mechanisms
When I visit my clients the first thing I ask is, “How are you protecting against a DoS attack?” There is confusion on most faces and sometimes, the techie amongst them is bold enough to ask why I bring up DoS before the other more sophisticated attacks like advanced malware attacks (also wrongly called APTs).
    
My answer is that DoS attacks are a nuisance, a waste of effort and skill and in most cases not something that any organisation’s IT teams should have to spend their time dealing with.

Building the Case
Surprising as it sounds, there can be a positive angle to DoS attacks. You see, most people understand the concept and have at some point in their career seen and felt the impact of either an internal or external denial of service. That makes it easy to obtain finance and project board approval, at least in my experience.
    
The case is, in most cases, very straightforward, especially when it comes to building a case for external protection. Not having DoS protection means that your payment or service portal could be inaccessible for several hours, if not days, affecting bottom line, reputation and brand image. In some cases, someone may lose their job for not including this attack vector in their protection strategy.

Stop Them From Reaching You
I have a very strong opinion when it comes to outsourcing security. However, when it comes to protecting against external DoS and more importantly a DDoS I strongly recommend utilising the services of an established outsourcer. The established firms have the wherewithal to absorb these large scale attacks, and can stop attacks at source.
    
A DoS attack is one of the few tangible forms of attacks that visibly affects employee and customer facing assets like authentication and websites. This material impact often leads organizations to spend unnecessary financial, human and technical resources in mitigation strategies.
    
The regular recommendations of carrying out a risk assessment and threat modelling apply but consider DoS attacks as a nuisance and annoyance more than an advanced threat.

Your assets will be DoS(ed) as they say and if you are a government body that is involved in an international or local conflict the likelihood of an attack is even greater. 


It is my recommendation that, unless there are specific reasons, organisations consider offloading the protection from this threat by a strategically outsourced agreement.

Further information
www.isaca.org.uk

Please register to comment on this article

Supplier Profiles

Me and You Education

Me and You Education is a collaboration between two companies with divergent backgrounds that provides deep insights into the murky and complex world of Counter Terrorism.

SecuLution