Cybercriminals have become more sophisticated by employing methodologies that make them both tougher to detect and more capable of thwarting even tech-savvy targets. Hostile nation-states are using new attack methods that improve the odds of infiltrating and knocking off high-value targets. Increasingly, criminal groups are shifting their infrastructure to the cloud in order to hide among legitimate services, and bad actors have figured out novel ways to search the Internet for systems that are vulnerable to disruption.
According to the "Digital Defense Report" recently released by Microsoft, nation-state attacks have moved far beyond critical infrastructure, since the lion's share — over 90% — of security alerts originated from outside of this sector. Within the critical infrastructure arena, 60% of nation-state activity zeroed in on IT organizations, followed by commercial facilities, critical manufacturing, financial services, and the defense industrial base.
Nation-state actors typically do their dirty work in service of broader strategic goals that they see as essential to the political, cultural, and economic health — and even the survival — of their country. That's why the attackers are so determined and ready to put so much time and expense into disruptive cyber operations.
Their Goals: Espionage, Disruption, or Destruction
As noted in Microsoft's report, over a dozen hostile states are launching cyberattacks to collect intelligence about what their targets are thinking and doing. They're seeking official correspondence, proprietary corporate data, and personal information. They've also spearheaded operations designed to disrupt or destroy data and physical infrastructure at the organizations in their crosshairs.
Furthermore, nation-state actors have conducted intrusions intended to disrupt or destroy data or physical assets at targeted facilities or institutions. The US National Institute of Standards and Technology (NIST) defines a disruption as "an unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time." A disruptive attack can cause minor or extended power outages or prolonged network downtime. Destructive attacks are associated with "overwriting, erasing, or physically destroying information," equipment, or facilities.
DDoS Today: Low Cost, Big Impact
As the coronavirus continues its global rampage, organizations everywhere are keeping going by allowing employees to work remotely via VPNs and moving their applications to the cloud. However, this pursuit broadens the attack surface and opens the door to distributed denial-of-service (DDoS) attacks, which are now among the biggest security threats organizations face, as highlighted in the Microsoft report. DDoS attacks are designed to overload an application's resources, making the application or APIs unavailable to legitimate users. The threats can be expensive and cause companies to lose productivity, time, money, customers, and reputation. Cybercriminals can point a DDoS attack at any endpoint that's accessible through the Internet.
Although the methodologies to produce DDoS attacks have become a lot more sophisticated, they've also become simpler and less expensive to launch. This makes it even easier for bad actors to throw a wrench into the lives and operations of users and businesses. Cybercriminals can take advantage of the massive rise in internet traffic since the onset of the pandemic. In effect, it makes it easier to launch a successful attack since when regular traffic is high, cybercriminals have to generate less malicious traffic to disrupt a system (with more online meetings, education settings, and other forms of virtual communication). They can also blend their malicious traffic with legitimate traffic and move up the IT stack towards applications and APIs, which makes the bad stuff much harder to detect.
A Frequently Used Smoke Screen to Keep IT Busy
But taking down a company network isn't always the attackers' real goal. DDoS attacks are often used to distract IT personnel so that a more sinister and destructive job can be carried out. This is a popular trick among cybercriminals. They might tie up an organization's "front door" and keep the IT department preoccupied with (for example) ensuring the company's website while pilfering data from a critical back-end server. This sort of scenario is further complicated these days. With more IT staff working from home, responses might not be as efficient and quickly as they were previously.
Shopping for DDoS? No Problem!
If you know where to look, it's relatively easy to find and buy professional DDoS services on the Dark Web and even the regular Internet. Fees vary and are based on factors such as the security level of the targeted site, the type of DDoS attack, the bandwidth required to conduct the attack, and who's flogging the service. This past May, the average price of a one-day DDoS attack was $134.09, according to Microsoft, although some went for as little as $15.00. The most expensive attack cost $416.67.
Like other cybercriminal services that have been around for a while, DDoS services have found a balance between supply and demand, so prices have stabilized over the last seven years or so. Shorter-duration attacks are the exception. Microsoft reports that the average price of a one-hour DDoS attack increased from $14.71 in July 2019 to $48.63 in May 2020. The average price of a one-day attack has risen from $74.97 in November 2019 to $134.09 in May 2020.
Enterprise Resilience: The New Reality
Although the prolonged COVID-19 pandemic has created a near-ideal environment for cybercriminals, it's also an opportunity for companies everywhere to make IT security and resilience an integral part of the enterprise.
Because so many people are working from home, other corporate assets such as data and intellectual property are also migrating away from headquarters to the cloud. Consequently, the security perimeter has been dramatically extended at a time when it's never been so important to keep IT networks, services, applications, and APIs up and running.
Just as the pandemic has challenged public officials to protect the health of citizens, its real and potential financial consequences have forced corporate leaders to think hard about how to sustain productivity as their workloads and employees moved away from their facilities. To figure out what had to be moved, corporations had to identify critical services and processes to ensure they weren't abandoned by personnel who needed on-site or break-glass access. Put another way, the pandemic compelled them to participate in a real-time enterprise preparedness exercise. To continue to learn from this, all companies need to scrutinize the productivity and performance of their essential services and processes and bolster their cyber resilience to conform to the new normal.