Often in conversations, I will point out that information security really is not about technology; it is about business and real life. True, we live in a digital age, and cybercrime utilizes technology simply because our real world now heavily relies upon the Internet and technology. Still, technology merely mirrors and is a representation of our physical world, albeit faster.
So how can a DDoS (Distributed Denial of Service) attack be similar to a pickpocket? Because both a pickpocket and DDoS involve distraction and both are executed for financial gain.
In our physical world, pickpockets frequent crowded places such as tourist attractions, subway trains, stadiums, and generally any place where large groups of people gather. These criminals often work with partners, and a typical scenario may involve one person bumping into the intended victim, causing them to drop something, or distracting them into a brief conversation while the other person steals the victim’s wallet, purse, or other valuables that are easily taken while the victim is distracted.
A DDoS attack is very similar to a pair of thieves working together to rob a distracted victim. While some DDoS attacks may be to disrupt, most are intended to distract the victim organization while some sort of financial theft takes place.
Just this last week, I saw a short blurb in Investor’s Business Daily quoting a study by BT that found 41% of international firms were hit by a DDoS attack this last year and 78% were targeted more than once. The article reported averages of 12 hours or more to recover. Twelve hours is a long time for a security team to be distracted.
As in the case where the accomplice distracts the victim while the pickpocket commits the robbery, DDoS is often a distraction while the real robbers fraudulently wire money or commit some other financial crime. In many of these cases, the victim organization has already been compromised beforehand, in much the same way as a burglar will stake out a target.
Prevention is often best, but even then, a determined criminal will find a way to commit the crime. From there, detection and response are key. While in crowded places, I often carry my valuables somewhere other than the usual places, and when bumped or otherwise distracted, I have conditioned myself to be aware and to quickly check to make sure I still have my valuables. Once the thief gets away, there is little that can be done, so timing is critical.
If an organization is a victim of a DDoS attack, two elements of response are key:
- As part of the response plan, ensure someone maintains monitoring of financial or other critical systems for the duration of the attack.
- After the attack is abated, the recovery phase should include checking to ensure that other crimes and intrusions have not been committed.
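One way to put both elements into practice is to correlate the DDoS incident window against the organization's outbound payment records, so anomalous transfers made while the security team was distracted are surfaced during the attack and again in the recovery review. The script below is an added example, not code from the original post; the incident window, wire-transfer log lines, beneficiary list and amount threshold are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample input (not from the original post): the DDoS incident window
# recorded by responders, and outbound wire-transfer records as
# "timestamp,user,amount,beneficiary".
INCIDENT_START = datetime(2024, 3, 12, 9, 15)
INCIDENT_END = datetime(2024, 3, 12, 21, 40)
WIRE_LOG = """\
2024-03-11 14:02,alice,12000,ACME Supplies
2024-03-12 09:48,bob,250000,NEWVENDOR-LTD
2024-03-12 13:10,alice,9800,ACME Supplies
2024-03-12 18:05,bob,310000,NEWVENDOR-LTD
2024-03-13 08:30,carol,4100,Payroll Services
"""
# Hypothetical review thresholds; a real deployment takes these from the
# payment policy and the historical beneficiary list.
KNOWN_BENEFICIARIES = {"ACME Supplies", "Payroll Services"}
LARGE_TRANSFER = 100_000


def parse_wire_log(text):
    """Parse the CSV-style log into dicts with a datetime and numeric amount."""
    records = []
    for line in text.strip().splitlines():
        ts, user, amount, beneficiary = line.split(",", 3)
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                        "user": user, "amount": float(amount),
                        "beneficiary": beneficiary})
    return records


def flag_transfers_during_incident(records, start, end,
                                   known=KNOWN_BENEFICIARIES,
                                   large=LARGE_TRANSFER):
    """Return transfers inside the incident window that look anomalous:
    unusually large, or sent to a beneficiary the organization has not paid before.
    Transfers outside the window are left for normal review."""
    flagged = []
    for rec in records:
        if not (start <= rec["time"] <= end):
            continue
        reasons = []
        if rec["amount"] >= large:
            reasons.append("large amount")
        if rec["beneficiary"] not in known:
            reasons.append("new beneficiary")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged
```

Run the same check once more in the recovery phase with the final incident window, since a transfer queued late in the attack may only post after the flood has been mitigated.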
– Ted Lloyd, CISM