
DDoS Attacks Are Seldom What They Seem

January 15, 2015

In performing incident response over the years, I have frequently been pulled into DDoS incidents. These calls don’t come in every day, but they are pretty common. In fact, this probably happens about once every two or three weeks.

In most situations, the customers are primarily concerned about the obvious problems of network/system availability and the capability to conduct business. These are clearly reasonable concerns, but when responding to a DDoS incident, they aren’t the thing that worries me most.

Much worse than losing your ability to do business is what is often done under cover of the DDoS event. About a year ago, the FBI sent out a notice to banks stating that at least 50% of DDoS incidents are actually a smoke screen for cybercrime activity. I agree that it is at least 50% and probably more. In fact, I would say that most of the DDoS events we see also include some kind of gift that keeps on giving: they give you malware, and you give them anything of value within your computing environment.

Specifically, DDoS events are usually associated with one or more of the following:

  • Installation of backdoors for lateral movement, persistence, command and control
  • Compromise of business sensitive data
  • Data exfiltration
  • Fraudulent activity, such as unauthorized wire transfers

As such, one needs to take steps to capture host, network and log activity as soon as possible and preserve it as long as necessary to verify that no other malicious activity has occurred. Doing this all the time, for a reasonable retention period (often set by compliance), is a good idea anyway, but most companies don’t do it. So as not to repeat myself, see my blog on “Preparing for an Incident” for a list of steps and instructions.

It is important to do this as soon as possible so as not to lose crucial evidence. Don’t get distracted and caught up in the drama of the DDoS and leave yourself short on information that is critical to protecting your environment. Take the steps to capture the necessary information and then focus on responding to the DDoS attack.
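The point of capturing network and log data early is that you can later go back and ask what else happened while everyone was watching the flood. The script below is an added illustration of that review step, not code from the original post or from Optiv. It works on a constructed flow log in an assumed format (`timestamp src dst dport bytes`), finds the minutes in which inbound flows to the web server exceed an assumed threshold, and then looks inside and shortly after that window for two of the activities listed above: an internal host and port that nothing had contacted before the flood (a candidate backdoor or lateral movement), and a large internal-to-external transfer (a candidate exfiltration). The sample traffic, host addresses, ports and thresholds are all constructed for the example; the output is a list of things to investigate, not a verdict.

```python
"""Correlate a DDoS window with other activity recorded in the same flow log.

Added example. Log format, addresses, ports and thresholds are constructed
assumptions, not Optiv's tooling or a real environment's data.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed "inside" range for the example
FMT = "%Y-%m-%dT%H:%M:%S"


def parse_flows(text):
    """Parse constructed 'ts src dst dport bytes' lines into flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.strptime(ts, FMT), "src": ip_address(src),
                      "dst": ip_address(dst), "dport": int(dport), "bytes": int(nbytes)})
    return flows


def flood_minutes(flows, target, per_minute=100):
    """Minutes in which inbound flows to `target` reach the (assumed) flood threshold."""
    counts = Counter()
    for f in flows:
        if f["dst"] == target:
            counts[f["ts"].replace(second=0, microsecond=0)] += 1
    return sorted(m for m, n in counts.items() if n >= per_minute)


def review_window(minutes, slack=timedelta(minutes=10)):
    """Flood start to flood end plus slack: attackers need not finish when the flood does."""
    return min(minutes), max(minutes) + timedelta(minutes=1) + slack


def new_internal_services(flows, minutes):
    """Internal (dst, port) pairs first contacted inside the window and never seen before it."""
    if not minutes:
        return []
    start, end = review_window(minutes)
    baseline = {(f["dst"], f["dport"]) for f in flows
                if f["ts"] < start and f["dst"] in INTERNAL}
    seen, hits = set(), []
    for f in flows:
        key = (f["dst"], f["dport"])
        if f["dst"] in INTERNAL and start <= f["ts"] <= end and key not in baseline | seen:
            seen.add(key)
            hits.append((str(f["dst"]), f["dport"]))
    return hits


def large_outbound(flows, minutes, min_bytes=5_000_000):
    """Internal-to-external flows inside the window that moved at least min_bytes (assumed)."""
    if not minutes:
        return []
    start, end = review_window(minutes)
    return [(str(f["src"]), str(f["dst"]), f["bytes"]) for f in flows
            if f["src"] in INTERNAL and f["dst"] not in INTERNAL
            and start <= f["ts"] <= end and f["bytes"] >= min_bytes]


def investigate(text, target="10.0.0.5"):
    """Run the three checks and return the findings as plain values."""
    flows = parse_flows(text)
    minutes = flood_minutes(flows, ip_address(target))
    return {"flood_minutes": [m.strftime(FMT) for m in minutes],
            "new_internal_services": new_internal_services(flows, minutes),
            "large_outbound": large_outbound(flows, minutes)}


def build_sample():
    """Constructed flow log: ten quiet minutes, a three-minute flood on the web server
    from 203.0.113.0/24, and two events hidden inside the noise."""
    lines = []
    t0 = datetime(2015, 1, 15, 9, 50)
    for i in range(60):   # one client request every 10 s to the web server
        lines.append(f"{t0 + timedelta(seconds=10 * i):{FMT}} 198.51.100.7 10.0.0.5 443 1200")
    for i in range(10):   # web server talks to its database once a minute
        lines.append(f"{t0 + timedelta(minutes=i):{FMT}} 10.0.0.5 10.0.0.20 5432 800")
    t1 = datetime(2015, 1, 15, 10, 0)
    for m in range(3):    # flood: 200 sources per minute, 10:00 to 10:02
        for i in range(200):
            t = t1 + timedelta(minutes=m, seconds=0.3 * i)
            lines.append(f"{t:{FMT}} 203.0.113.{i % 254 + 1} 10.0.0.5 443 300")
    # hidden in the flood: the web server reaches a never-used port on another host,
    # and that host later pushes 48 MB out to an address in the flood's range
    lines.append("2015-01-15T10:01:30 10.0.0.5 10.0.0.31 8081 600")
    lines.append("2015-01-15T10:05:12 10.0.0.31 203.0.113.200 443 48000000")
    return "\n".join(lines)


if __name__ == "__main__":
    for k, v in investigate(build_sample()).items():
        print(k, v)
```

Two design choices matter here. The review window extends past the last flood minute, because the follow-on activity often happens once defenders relax, and the baseline of known internal services is built only from traffic before the flood, so the flood itself (to a service that already existed) is not reported. Against real data you would feed it the captured flows rather than `build_sample()`, and tune the thresholds to your own traffic.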
