Using this MO, attackers mount a soft, almost unnoticeable DoS attack. One of the most common stealth attacks is a ‘login brute-force’ attack. Most brute-force attacks aim to obtain passwords or login credentials, and targeted organisations usually respond by hardening their passwords. However, what is actually going on is that the attackers are trying to saturate the login servers by generating bogus requests and locking out legitimate users. This creates a massive overload on the login servers and, in most cases, also on the organisation’s call centres, which receive calls from frustrated, legitimate users who cannot log in to the site. Once the chaos is in place, attackers can use the same methods to steal information.
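The tell-tale sign of the lockout-style attack described above is not one account being hammered but many accounts reaching the lockout threshold at once, from a small number of sources. The following detector, an added example that is not from the original article, runs that check over a constructed sample of login-audit lines (the log format, field names, thresholds and windows are all assumptions):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO time> <FAIL|OK> user=<name> src=<ip>".
# One source fails three accounts three times each in a few seconds: a lockout storm.
SAMPLE_LOG = """\
2023-11-02T09:00:01 FAIL user=alice src=203.0.113.7
2023-11-02T09:00:02 FAIL user=bob src=203.0.113.7
2023-11-02T09:00:02 FAIL user=carol src=203.0.113.7
2023-11-02T09:00:03 FAIL user=alice src=203.0.113.7
2023-11-02T09:00:03 FAIL user=bob src=203.0.113.7
2023-11-02T09:00:04 FAIL user=carol src=203.0.113.7
2023-11-02T09:00:04 FAIL user=alice src=203.0.113.7
2023-11-02T09:00:05 FAIL user=bob src=203.0.113.7
2023-11-02T09:00:05 FAIL user=carol src=203.0.113.7
2023-11-02T09:00:06 FAIL user=dave src=198.51.100.9
2023-11-02T09:07:00 OK user=erin src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, result, user, src) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect_lockout_storm(text, max_fail=3, fail_window=timedelta(minutes=5),
                         storm_accounts=3, storm_window=timedelta(minutes=5)):
    """Simulate the lockout policy (max_fail failures per account within fail_window)
    and flag a 'storm' when >= storm_accounts distinct accounts lock within storm_window.
    Returns (storm_flag, {account: lockout_time}, {src: distinct accounts failed against})."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    locked = {}                   # account -> time it crossed the lockout threshold
    sources = defaultdict(set)    # src -> accounts it produced failures for
    for ts, result, user, src in sorted(parse_log(text)):
        if result != "FAIL" or user in locked:
            continue                      # successes and already-locked accounts are ignored
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > fail_window:
            q.popleft()                   # drop failures outside the policy window
        sources[src].add(user)
        if len(q) >= max_fail:
            locked[user] = ts
    times = sorted(locked.values())       # sliding window over lockout times
    storm = any(sum(1 for t2 in times if timedelta(0) <= t2 - t <= storm_window) >= storm_accounts
                for t in times)
    return storm, locked, {s: len(a) for s, a in sources.items()}
```

The per-source account count is what separates this pattern from a single user mistyping a password: one source locking several accounts is the signal to throttle or challenge that source rather than to harden passwords.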
Fighting cybercrime: a five-step plan
So if these attack methods are likely to be prolific in the next 12 months, what can you do to protect yourself? It comes down to knowledge and planning. The more the criminals perceive your organisation as their Holy Grail, the greater the sophistication and intensity of the attacks. Understanding how you can manage the exposure is critical.
Know your enemy: It is not just the NCA that publishes such cybercrime warnings; so do law enforcement agencies such as the FBI and government bodies such as CERT-UK. Work with them, monitor the law-enforcement cyber market, and learn about new attack methods and the modus operandi of organised cybercrime groups.
Choose a single point of command: Use one Command and Control (C&C) that covers all aspects of the data centre: network, servers and applications. Some vendors provide a “Software Defined Architecture” in which the detection, the call for action and the execution are determined automatically. Such solutions can prevent a cyberattack like the one on Target in November 2013, where two different infosecurity groups detected the attack but failed to take the correct action.
Have an emergency response infrastructure and team ready to operate: This was recently recommended by the SANS Institute: “Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.”
Separate critical networks: The concept of network separation is relatively old, and it is a requirement in both PCI-DSS v2.0 and v3.0. Criminals are financially motivated and won’t waste their time and resources on a network that does not contain any information. Make sure that your sensitive data is stored on a properly protected network that is not easily reachable.
Don’t be a domino: Following the first four steps will get you in good shape, but what about your suppliers and partners? For example, if you’re an online retailer and your ISP is hit, what will the consequences be for you? Understand every point of weakness, both inside your organisation and externally, in those you rely on.
When you have all the steps in place, supported by fully documented processes and trained response teams, it’s vital that they are continuously reviewed. It only takes one change of personnel for a process to break down and the network to become a target. It’s also important to ensure that knowledge becomes power. Every piece of information your organisation gathers about current trends needs to go through a ‘so what’ test: what does it mean for us, our customers, and our partners and suppliers?
There are many examples where the failure to have a single plan, let alone a broader continuity plan, has resulted in consequences for revenue and reputation, which only goes to show that in this cyberworld, working together to stay ahead is the way to stay alive.