Enterprises and service providers worldwide, across every industry, face a never-ending deluge of distributed denial-of-service (DDoS) attacks that continue to rise in size, frequency and complexity. Unfortunately, not all companies realize the danger that DDoS attacks pose, or have insight into their own risk profile. The bottom line is that you first need to understand the facts about both in order to determine the right amount of insurance and risk you’re willing to live with.
In an effort to shed more light on these issues, Tom Bienkowski of Arbor Networks has outlined the five most common DDoS myths that he’s heard from customers and prospects in the field.
Myth: A DDoS attack has never targeted us before, so it never will.
Fact: The odds are changing. It’s never been easier to launch a DDoS attack. Combine this with the fact that there are many motivations behind DDoS attacks, and you’ll see why there has been a dramatic rise in the number of attacks. Unfortunately, these attacks are indiscriminate and can hit just about any vertical or size of business. As long as you have some form of internet presence, you could be the victim of a DDoS attack.
To compound this, new tools have enabled anyone with an internet connection and a grievance to launch a DDoS attack, and the barrier to entry is low in terms of both technical ability and cost. For example, for less than $5 per hour, anyone, even without any technical capabilities, can hire a “DDoS for Hire Service” to execute a DDoS attack. The mean cost to the attacker is very low, but the cost to the victim is about $500 per minute, according to ASERT.
This is a true game changer in terms of the threat landscape and all businesses should consider themselves a potential target of attack. No longer is it just certain verticals that are likely targets – such as finance, gaming and e-commerce. Today, any business, for any reason, any real or perceived offense or affliction, can become a target of a DDoS attack. A prime example of this is the recent 2016 Rio Olympics, where hacktivists targeted many organizations tangentially related to the Rio Olympics (i.e., ISPs, banks, sponsors) with DDoS attacks.
Myth: There was a DDoS attack problem, but it has been fixed.
Fact: Yes, this may be true. DDoS is not a new problem and many organizations have some form of protection in place. What many organizations fail to recognize is that the modern-day DDoS attack is much more complicated than the simple flooding attacks from years ago.
The modern-day DDoS attack uses a dynamic combination of volumetric, TCP-state exhaustion and application-layer attack vectors. Industry best practices recommend that for the most comprehensive protection, a hybrid/layered approach is required. That is, 1) stop large volumetric attacks in the cloud, 2) stop smaller, stealthier application-layer attacks on premises, and 3) have an intelligent form of communication between these two mitigation methods to deal with the dynamic nature of multi-vector DDoS attacks.
In many cases, the old methods of DDoS attack protection (i.e., ISP or firewalls) simply are not adequate to protect against the modern-day DDoS attack. In fact, more than half of enterprises reported a firewall failure as a result of a DDoS attack, up from one-third a year earlier, according to the 11th annual Arbor Worldwide Infrastructure Security Report (WISR).
Another disturbing trend is how DDoS attacks are being used as smokescreens or diversionary tactics to cover up other malicious activity such as fraudulent wire transfers or exfiltration of confidential data. The point is, don’t think of a DDoS attack as a one-off, independent event, but potentially part of a well-organized threat campaign against your organization.
Detecting DDoS Threats
Myth: If DDoS attacks were a problem, someone would have told us.
Fact: You pay your ISP for internet connectivity. It is obligated to maintain your connections and deliver your traffic, whether this traffic is good or bad. It is not obligated to clean your traffic unless you are willing to pay for this service. In today’s threat landscape, it’s essential for any organization that has a service that is reliant upon network availability to have the ability to detect, validate and contain threats as quickly as possible in order to minimize damage.
Yes, some of the largest DDoS attacks recorded have reached over 600Gbps, but what’s even more disturbing is that the average attack size is expected to grow to 1.15Gbps by the end of 2016. This becomes especially worrying considering a 1Gbps DDoS attack is large enough to take most organizations completely offline. In other words, don’t be so sure you’re protected because it doesn’t necessarily require a large attack to cause significant damage to your company. This means having the right tools and visibility in place to see what is transpiring on your own network.
Myth: It’s only a DDoS attack. It’s no big deal to be attacked.
Fact: This is where we see many organizations underestimate the impact of a DDoS attack. Lost revenue from a down service is only the beginning. The cost to mitigate the attacks, lost productivity, SLA credits, brand repair, etc. are just some of the indirect costs associated with a DDoS attack that are commonly overlooked.
If we look deeper into some of the business and operational implications of a DDoS attack, you need to consider:
1) How many IT personnel will be tied up addressing the attack, and what are they paid per hour? What else could these resources be contributing to the bottom line rather than mitigating slow performance or re-routing traffic?
2) How many more help desk calls will be received, and at what cost per call? This could be either internal or external, customer facing.
3) What will it take to recover operations? Will it require reconfiguration of components, additional capacity or components, even if on an interim basis? Under certain circumstances, what data might get lost or have to be manually re-captured?
4) What about repairing the company’s brand after the attack has been blasted all over the media?
5) What are the resulting customer SLA credits, regulatory fees, etc. that will be required?
At the end of the day, when attempting to weigh the consequences of today’s DDoS attacks, it pays to think carefully and more broadly about consequences and defenses.
Myth: My insurance will cover any DDoS attack damage.
Fact: Well, for sure not your business insurance. But do you have “cyber” insurance? And does it cover all costs associated with a DDoS attack? The mere fact that we’re starting to see industry interest in cyber insurance represents a coming of age of security, and recognition of the importance of security and what it means to truly live and do business in a connected world.
This is resulting in new cyber-insurance policies coming on the scene, as mergers and acquisitions drive buyers to require that the companies they are buying obtain cyber insurance, and as new regulations require companies to have cyber insurance.
Executives are increasingly accepting the necessity of understanding their company’s cyber risk, and as a result we’re seeing a clear mindset shift happening in the industry – from CISOs at insurance firms being brought into business decisions, to re-insurers starting to ask about how to re-insure cyber insurance policies. With cyber insurance quickly emerging as a must-have for businesses of all sizes, it is critical to understand what insurance is right for your company. This means understanding what is (and what is not) covered by your policy, and what role the insurer will play in the event of a breach.