By Kate Fazzini - WSJ
A single cyberattack may be enough to keep an executive up at night. But what happens when that cyberattack is cover for a more destructive one?
U.K.-based mobile phone retailer Dixons Carphone PLC in January was fined £400,000, or about $563,000, by the U.K.’s Information Commissioner’s Office. The penalty stems from a 2015 incident in which the Carphone Warehouse division of the company was hit with a distributed denial of service, or DDoS, attack that coincided with the theft of personal information associated with 2.4 million customers.
A DDoS attack floods a company’s network with so much information that its website crashes. A company isn’t off the hook for breaches that happen at the same time, said Michael Sutton, chief information security officer for cloud security company Zscaler Inc. DDoS attacks don’t typically lead to a violation that would incur a fine. But a follow-on cyber assault in which hackers steal money or data could result in regulatory penalties for a victim company, Mr. Sutton said.
Using DDoS attacks as a diversionary tactic is of more concern now because the capabilities of attackers have grown, he said. Such attacks can be pulled off using many more internet-connected devices than ever before, including webcams.
New mass-exploitation DDoS tools have emerged recently that have made it easier to create wider-scale, high-volume attacks against companies. That includes a tool known as “Autosploit,” which was released in January by hackers and can help attackers gather together large numbers of internet-connected devices for a DDoS attack.
Alan Lynn, commander of the U.S. Department of Defense’s information networks joint force headquarters, expressed concern at a conference last month about the growing power of DDoS attacks. He referred to the “terabyte of death,” or a future DDoS attack much larger than predecessors, according to a statement from the Defense Department.
DDoS attacks may be launched as a diversionary measure, or other criminals may take advantage of a company’s weakened defenses when they know it already is under siege, said Ashley Stephenson, chief executive of network security company Corero Inc.
In either event, executives should ensure their security teams can respond to multiple threats at once. They can do this by holding tabletop exercises that practice this type of activity, and then codifying those steps in a larger strategic plan, said Mr. Stephenson. “Even when there is a fire at the front door, they are checking the back door and the side door as well,” he said.
Not Always About Money
DDoS attacks are one of the oldest methods of cyberattack against corporations and government. The tactic gained notoriety more than a decade ago as a political or nuisance attack, often against large companies, to embarrass them or spread an ideological message. At the time, Izz ad-Din al-Qassam Cyber Fighters and the Syrian Electronic Army, which supports Syrian president Bashar al Assad, executed DDoS attacks. They struck large U.S. banks and media companies to spread anti-capitalist, pro-Syrian and pro-Iranian political messages.
Criminals eventually found ways to make money by employing this style of attack. In 2012, the Financial Services Information Sharing and Analysis Center warned that DDoS attacks were being used to distract bank staff from fraudulent wire transactions. The Federal Financial Institutions Examination Council warned in 2014 about the emergence of DDoS attacks as diversionary tactics for a range of other crimes.