The number of companies under constant cyber-attack has rocketed from four percent last year to 19 percent today, and sustained attack is no longer a one-off but a deliberate method – yet more than half of companies (52 percent) in Radware's latest survey say that they do not have the resources to tackle around-the-clock attacks for more than a day.
Talking to SCMagazineUK.com on the launch of its 'Ring of Fire' survey (the 2014-2015 Global Application & Network Security Report), which tracks cyber attacks and predicts the likelihood of attack on major industries, Adrian Crawley, Radware's regional director for the UK and Ireland, explained: “It's a mix of volumetric network attacks as well as application attacks – about 50:50. The volumetric attacks are increasingly using DNS amplification and reflection techniques so that minimal information is initially sent, but it's amplified 100, or even 300 times. It's easy to do and attacks are rising from 10GB to 50GB, with many up to 100GB and some even larger. They are also lasting longer and some organisations are under constant attack. They are larger, last longer and use a mix of vectors.”
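To make the amplification mechanism Crawley describes concrete, here is an added worked example (constructed for this page, not code from Radware or the report). It hand-encodes a small DNS ANY query carrying an EDNS0 advertisement of a 4096-byte UDP buffer, builds a synthetic large TXT response of the kind an open resolver would reflect to a spoofed source address, and computes the resulting gain. It also includes a victim-side check over flow records: many distinct port-53 sources sending large datagrams to one host that never asked. The name `example.com`, the 15 TXT strings, the addresses and the thresholds are illustrative assumptions.

```python
"""Added example: how a DNS amplification/reflection attack gets its gain.

Constructed, self-contained code (not from the Radware report or the article).
The query and response are encoded by hand per RFC 1035 / RFC 6891; the
flow-record check at the end is an illustrative detection idea with made-up
addresses and thresholds.
"""
from __future__ import annotations

import struct
from collections import defaultdict

QTYPE_TXT = 16
QTYPE_OPT = 41
QTYPE_ANY = 255
QCLASS_IN = 1
DNS_HEADER_LEN = 12


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_udp_size: int = 4096) -> bytes:
    """A query as an attacker would send it: RD=1, one question, one OPT RR.

    The OPT pseudo-RR (RFC 6891) advertises a 4096-byte UDP payload size so the
    resolver returns a large answer in one datagram instead of truncating it.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT: root name (0x00), TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def question_end(msg: bytes) -> int:
    """Offset just past the first question section (name + QTYPE + QCLASS)."""
    i = DNS_HEADER_LEN
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def build_txt_response(query: bytes, txt_strings: list, ttl: int = 300) -> bytes:
    """Synthetic answer: echo the question, then one TXT RR per string, each
    using a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[DNS_HEADER_LEN:question_end(query)]
    answers = b""
    for s in txt_strings:
        assert len(s) <= 255, "a TXT character-string is at most 255 bytes"
        rdata = bytes([len(s)]) + s
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 1)
    return header + question + answers + opt


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the spoofed victim per byte the attacker sent."""
    return len(response) / len(query)


def suspected_reflection_victims(flows, min_sources: int = 5, min_avg_bytes: int = 1000):
    """Victim-side check over UDP flow records (src_ip, src_port, dst_ip, dst_port, bytes).

    Legitimate resolver traffic comes from a few configured resolvers with modest
    response sizes; a reflection flood is many distinct port-53 sources sending
    large datagrams to one host. Thresholds are illustrative assumptions.
    """
    per_dst = defaultdict(list)
    for src_ip, src_port, dst_ip, _dst_port, nbytes in flows:
        if src_port == 53:
            per_dst[dst_ip].append((src_ip, nbytes))
    victims = []
    for dst_ip, recs in per_dst.items():
        sources = {s for s, _ in recs}
        avg = sum(b for _, b in recs) / len(recs)
        if len(sources) >= min_sources and avg >= min_avg_bytes:
            victims.append(dst_ip)
    return sorted(victims)


if __name__ == "__main__":
    q = build_query("example.com")                               # 40 bytes on the wire
    r = build_txt_response(q, [b"v=spf1 " + b"x" * 193] * 15)    # 15 x 200-byte TXT strings
    print(f"query {len(q)} B, response {len(r)} B, gain x{amplification_factor(q, r):.1f}")
    # Constructed flow records: six open resolvers answering to 203.0.113.10, which never asked.
    flows = [(f"198.51.100.{i}", 53, "203.0.113.10", 40000 + i, len(r)) for i in range(6)]
    flows.append(("192.0.2.53", 53, "203.0.113.99", 51000, 120))  # one normal small reply
    print(suspected_reflection_victims(flows))
```

A 40-byte query producing a 3235-byte reply is an 80x gain before any botnet is involved, which is why the ANY query type and open resolvers feature so heavily in these floods; real responses vary with the zone, and the 100 to 300 times Crawley cites depend on which reflectors and record types the attacker picks.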
It was also noted that these attacks are dynamic, with Crawley citing one retailer that blocked all traffic from Russia during an attack, only for the attackers to change location on the fly so that the traffic then came from China.
Sarb Sembhi, director at STORM Guidance, commented to SCMagazineUK.com: "The trend is that attacks will be far more sustained than in the past, especially DDoS. With increasing use of broadband, going forward, companies that didn't use to need instant response will need to look at getting that capability – and this trend will continue."
Among the leading targets are ISPs and hosting companies. As Crawley explained: “Although ISPs are set up to handle volume attacks, these attacks do cause degradation in the network and create a distraction so that lower volume specific application level attacks occur at the same time. And the attackers use tools to automatically change the type of attack as the attack goes on.”
Sembhi adds: “ISPs and hosting companies are attractive targets as, with EU rules on data retention, if you hack an ISP or hosting company, for every customer, there are also their customer details so it's a high-value target.”
For other companies, off-loading volumetric attacks to the cloud is seen as a good response, but Crawley emphasises that a multi-layered approach is needed because the application attacks will still get through – such as Slowloris, which holds connections open with slow, incomplete HTTP requests that look like real users and tie up the server itself – so it is necessary to tackle both types of attack.
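To show why a Slowloris-style attack is invisible to volumetric defences and how it can still be spotted server-side, here is an added example (constructed for this page, not code from Radware or the article). Each attacking connection carries a few bytes of perfectly valid HTTP header and never sends the blank line that ends the header block, so it stays "in progress" and occupies a worker; only the count of such connections per client separates it from a genuine user on a slow link. The connection fields, addresses and thresholds are illustrative assumptions about what a web server or reverse proxy would export.

```python
"""Added example: Slowloris-style connections and a server-side check for them.

Constructed, self-contained code (not from the Radware report or the article).
The Conn record stands in for whatever connection state a web server or proxy
exposes; field names, client addresses and thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client_ip: str
    opened_at: float        # seconds (any monotonic clock)
    last_byte_at: float
    bytes_received: int
    header_complete: bool   # True once the blank line ending the headers arrived


def header_complete(buf: bytes) -> bool:
    """HTTP/1.1 request headers end at the first CRLF CRLF."""
    return b"\r\n\r\n" in buf


def slowloris_suspects(conns, now, min_age=30.0, max_bytes=2048, min_conns=20):
    """Clients holding many long-lived connections that never finished their headers.

    A browser on a bad link may match one or two of these; the per-client count
    is what distinguishes the attack from a legitimate slow user.
    """
    per_client = defaultdict(int)
    for c in conns:
        if (not c.header_complete
                and now - c.opened_at >= min_age
                and c.bytes_received <= max_bytes):
            per_client[c.client_ip] += 1
    return sorted(ip for ip, n in per_client.items() if n >= min_conns)


def simulate():
    """Constructed connection table: one attacker, normal users, one slow genuine client."""
    now = 1000.0
    conns = []
    # Attacker: 50 connections, each has drip-fed valid-looking header lines for
    # minutes but none has sent the terminating blank line.
    partial = b"GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\nX-a: 1\r\n"
    for i in range(50):
        conns.append(Conn("198.51.100.7", now - 120 - i, now - 10,
                          len(partial), header_complete(partial)))
    # Real users: complete requests, recently opened.
    full = partial + b"\r\n"
    for i in range(30):
        conns.append(Conn(f"203.0.113.{i}", now - 2, now - 1, len(full), header_complete(full)))
    # One genuine client on a poor link: two incomplete connections, below the threshold.
    conns.append(Conn("192.0.2.9", now - 60, now - 5, 40, False))
    conns.append(Conn("192.0.2.9", now - 45, now - 3, 55, False))
    return slowloris_suspects(conns, now)


if __name__ == "__main__":
    print(simulate())
```

The bandwidth involved is trivial, a few kilobytes in total from the attacker, which is exactly why a cloud scrubbing layer sized for tens of gigabits of UDP sees nothing wrong; the signal lives in the server's connection state, not in the traffic volume.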
For the same reason Crawley notes that: “It's necessary to have the right personnel and not just rely on technology – whether that's in-house staff or external emergency response teams. You do also need automated processes to protect and mitigate attacks, with an emphasis on reducing time to mitigation via automation, down to around 10 seconds using some providers. But you still face zero day exploits and that's where you need intelligence as well as technology.”
The only vertical becoming less critical was financial services. This is not because they are less under attack but because they have taken measures to tackle the problem over the past two years, and they had the capability to employ people and deploy technology. Operation Ababil, which lasted seven months, and legislation in the US and UK have also given firms more incentive to come up with DDoS mitigation solutions. So while financial services do face more sophisticated attacks, including encrypted attacks, they are less targeted as attackers go for the low-hanging fruit.
However, Sembhi notes that the financial sector has had so many attacks over the last few years that there is a glut of financial details in the market, with more than 1 in 5 US card holders having had their details compromised. Credit card data for sale has seen prices forced down as a result. “This could also explain increased interest in health and mobile data sets,” says Sembhi, adding, “The criminal business models have changed and are similar to those of legitimate businesses such as Google and Amazon in that they want to collect all the data about you that they can and this data contributes.”
In contrast, the education sector is under increasing attack, and it is having a financial impact, with grants for institutions dependent on research deadlines that were missed because of degraded systems. The motives are more varied – in some cases even people worried about exams taking down the exam site.
While retail has stayed static globally, it is increasingly targeted in the UK. One retailer had 20 percent of its resources tied up with an attack in the week leading up to Black Friday, the attacker apparently testing its network ahead of the period in which it would expect to make 50 percent of its sales.
Gaming sites have seen an increase in attacks, and not just from individuals taking revenge for losses, but also from competitors – causing a site to go offline or become unusable so that traffic goes to the competitor's own near-replica site. The perpetrators may be in jurisdictions where they cannot be reached, or may not be spoofing the original site at all, merely offering an alternative that benefits from the take-down. Sembhi comments: “Criminal businesses are trying to out-do each other and so these increases will be seen for some time before it goes down, and as each competes against the other they up the ante. Also, gamers are likely to be more tech savvy and use their expertise to find and take advantage of any holes in the games.”
Government remained a central target and is expected to remain so, for hacktivists, foreign governments, and for financial gain.
Sembhi also observed: “It's surprising that energy and utilities are put as being at a low likelihood of attacks. This could create a false sense of security as they are targets for both hacktivists and state sponsored attackers, so while the numbers of attacks may be fewer, they face more capable adversaries. Also, unless their kit is brand new, it could be two to five years old, or even 10 to 15 years old with SCADA systems, so they are difficult to patch and use the technology model that existed at that time with just some software add-ons.”
Crawley agreed that the Internet of Things (IoT) will provide more opportunities for attackers to cause havoc and increase the complexity of attacks, requiring a stronger and more sophisticated perimeter. He told SC: “The IoT is a really challenging area, and a real asset to attackers, with more exposure, especially for amplification and reflection. And app attacks are becoming more complex and difficult to mitigate against. Volumetric attack bots are still in evidence in Russia and China, but the source of attacks is dispersed, with people hiding behind CDNs (Content Delivery Networks) – which have become an attacker's tool.”
A disturbing trend identified is attacks such as that on the Boston Children's Hospital, which put lives at risk, and Crawley says we can expect to see more of this type of attack. In a press statement, Carl Herberger, vice president of security solutions at Radware, adds: “The healthcare industry was preoccupied by the threat of death - it's a scary thought to consider the possibility that life support machines or pacemakers could be taken over and shut down by hacktivists using legitimate routes to get in.”