DDoS Attacks Are Seldom What They Seem
In performing incident response over the years, I have frequently been pulled into DDoS incidents. These calls don’t come in every day, but they are pretty common. In fact, this probably happens about once every two or three weeks.
In most situations, the customers are primarily concerned about the obvious problems of network/system availability and the capability to conduct business. These are clearly reasonable concerns, but when responding to a DDoS incident, they aren’t the thing that worries me most.
Much worse than bringing down your ability to do business is what is often done in association with the DDoS event. About a year ago, the FBI sent out a notice to banks that stated that at least 50% of DDoS incidents are actually a smoke screen for cybercrime activity. And, I agree that it is at least 50% and probably more. In fact, I would state that most of the DDoS events we see also include some kind of gift that keeps on giving. They give you malware, and you give them anything of value within your computing environment.
Specifically, DDoS events are usually associated with one or more of the following:
- Installation of backdoors for lateral movement, persistence, command and control
- Compromise of business sensitive data
- Data exfiltration
- Fraudulent activity, such as unauthorized wire transfers
As such, one needs to take steps to capture host, network and log activity as soon as possible and preserve it as long as necessary to verify that no other malicious activity has occurred. Doing this all the time for a reasonable period of time (often set by compliance), is a good idea anyway, but most companies don’t do it. So as not to repeat myself, see my blog on “Preparing for an Incident” for a list of steps and instructions.
It is important to do this as soon as possible so as not to lose crucial evidence. Don’t get distracted and caught up in the drama of the DDoS and leave yourself short on information that is critical to protecting your environment. Take the steps to capture the necessary information and then focus on responding to the DDoS attack.