The Growing Threat of Denial-of-Service Attacks

In the aftermath of the Target and Home Depot breaches, most retailers these days are heavily focused on point-of-sale malware and online attacks targeting credit card data. But another type of attack is actually more common, increasingly dangerous and under-prioritized by retail executives and their IT teams: the distributed denial-of-service attack, or DDoS. 
33% of all cyber attacks on retailers come from DDoS, making it the most common digital threat this industry faces, even more so than point-of-sale intrusions, according to Verizon's 2014 Data Breach Investigations Report. 
A denial-of-service attack is when a hacker floods your network or website with bogus data/requests in order to overwhelm it and make it unable to serve legitimate users. While in years past this type of attack was primarily used for pranks and petty mischief, it's now increasingly used by organized cyber-criminals to threaten retailers' operational and financial security.
DDoS attacks have evolved in five important ways:
  1. Black market services, known as "rent-a-bot," make it easy for almost anyone to launch a powerful DDoS attack against a business for a nominal fee.
  2. New DDoS techniques have made DDoS exponentially more powerful (1-50 Gbps) and harder to defend against due to increased complexity and sophistication.
  3. DDoS attacks now cost victims $40,000 per hour (estimated average across all US industries), with an average duration of six to 24 hours.
  4. Cyber extortion is now common with DDoS - 46% of DDoS'ed companies admit they received a ransom note. 
  5. DDoS is frequently used as a smokescreen for other attacks, like stealing customer data (33%) or implanting viruses and malware (50%).
Because of the increasingly sophisticated and criminalized nature of DDoS, it's critical for retail management to put a higher priority on preventing and defending against these cyber attacks. This requires a comprehensive plan of action and simulated training, when possible.
Here are some key steps retailers should take to protect themselves:
  • Establish a DDoS Policy: At a bare minimum, every retailer should have a policy in place for educating staff about DDoS attacks and the various risks they pose, as well as how the company is expected to respond. For example: What will the company do to inform/reassure customers? How will the company deal with ransom requests?
  • Identifying an Attack: It's critical to identify a DDoS attack immediately, in order to prevent further damage, reputational loss and secondary attacks. To do this, establish a baseline of what normal network traffic looks like so that you can quickly detect network traffic anomalies and attribute spikes in traffic to DDoS attacks.
  • Know Who to Call: Every retailer, no matter its size, should have a third-party DDoS mitigation service it can turn to during an emergency to reroute traffic and scrub out illegitimate traffic.
  • Conduct a Simulated DDoS Attack: DDoS "black-box" testing is the only way to test a retail network against a simulated real-world attack. This allows retailers to see exactly how their networks will react to a sophisticated DDoS attack and whether the defenses put in place are sufficient. 
  • Preventing Secondary Attacks: To prevent a secondary attack during a DDoS event, avoid key mistakes: don't overlook alerts issued by your monitoring system; be cautious of any other unusual activity on your network; and be on the lookout for 'social engineering' attempts on IT personnel or other company staff, such as phishing emails or phone call scams.
  • Cyber Insurance: Retailers should also make sure DDoS incidents are covered by their cyber insurance plans, including costs associated with mitigation attempts, downtime, cyber ransoms, etc.
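
The baseline approach from the "Identifying an Attack" step can be sketched as follows. This is an added example, not code from the article or from Security Compass; the thresholds, class and function names, and the per-minute request counts are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class TrafficBaseline:
    """EWMA baseline of requests per interval; every threshold here is an assumption."""
    alpha: float = 0.1   # weight given to each new sample when learning
    k: float = 4.0       # deviations above the baseline that count as a spike
    sustain: int = 3     # consecutive spikes required before alerting
    warmup: int = 10     # samples used to learn "normal" before judging
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0
    streak: int = 0

    def observe(self, count: int) -> bool:
        """Feed one interval's request count; return True while an alert is active."""
        if self.seen < self.warmup:
            self._learn(count)
            return False
        # Floor the deviation so a very flat baseline does not alert on noise.
        std = max(math.sqrt(self.var), 0.05 * self.mean, 1.0)
        if count > self.mean + self.k * std:
            self.streak += 1   # suspected flood: keep it out of the baseline
        else:
            self.streak = 0
            self._learn(count)
        return self.streak >= self.sustain

    def _learn(self, count: int) -> None:
        self.seen += 1
        if self.seen == 1:
            self.mean = float(count)
            return
        delta = count - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)

def first_alert(counts):
    """Return the index of the first interval that raises an alert, or None."""
    baseline = TrafficBaseline()
    for i, count in enumerate(counts):
        if baseline.observe(count):
            return i
    return None

# Constructed sample: requests per minute, one brief blip, then a sustained flood.
NORMAL = [980, 1010, 1005, 990, 1020, 1000, 995, 1015, 985, 1008, 1002, 997]
SAMPLE = NORMAL + [1300, 1001, 1003, 9000, 12000, 15000, 14000]
```

A legitimate surge such as a sale will trip the same check, so an alert here is a prompt to investigate rather than proof of an attack.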
Due to the evolving nature of the DDoS risk, this attack needs to be taken more seriously by retailers and a comprehensive, proactive defense is recommended. With the right preparation, it's possible to dramatically reduce this threat.
Sahba Kazerooni is managing director of Security Compass, a cybersecurity firm specializing in DDoS testing and web/mobile application security for the retail, finance, technology, health and energy industries.