WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 25, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Ransomware operations have undoubtedly dominated the 2020 cyber threat landscape thanks to multi-million-dollar heists and new malware variants popping up every day. Although the risks posed by these operations are undoubtedly worth being carefully observed, focusing the entire spotlight on this threat may risk overshadowing other persistent malicious techniques that are frequently used by threat actors. For this reason, this blog will delve into Denial-of-Service attacks, analyzing the most notable attacks and the latest trends observed by our analysts.
Traditionally, Denial-of-Service (DoS) attacks present themselves as the archetype of the script kiddie’s beginner toolkit. The idea behind it is elementary: if you flood a website’s server with more requests than it can handle, you will slow down or even temporarily crash the entire system. When threat actors enlist various sources to conduct this operation, we talk about Distributed Denial-of-Service (DDoS) attacks, which have significantly evolved in the past years. They are now making their comeback within the threat landscape due to a lowered entry-bar and the widespread use of this attack in conjunction with other tactics, techniques, and procedures (TTPs).
Companies affected by DDoS may experience a long-time interruption of business, which in turn may cause financial loss, brand or reputational damage, and influence customer trust. This problem is even more true for those heavily relying on their website’s reliable functionality (obviously not the minority). Making sense of how this offensive technique has mutated over time and the current threat landscape trends is crucial to prevent and mitigate future attacks.
This year has been a turbulent one, to say the least. Global and regional events have profoundly shaken the worldwide order, and we have observed how cyberspace has permeated each of them to amplify their impact on our security. Many DDoS attacks played a part in this environment, and there are a few that we’d like to remember for their significance.
It’s impossible not to mention the global COVID-19 pandemic that is affecting every aspect of our lives. Although we were hoping never to see any exploitation of this crisis, cybercriminals took advantage of the chaos generated by the pandemic with scams, frauds, and misinformation techniques. Sadly, we also observed many attacks against the healthcare industry, with the most notable one being the March 2020 denial-of-service attack against the U.S. Health and Human Services Department operated by an unknown threat actor in a pivotal moment amid the virus outbreak.
The killing of George Floyd in May 2020 globally sparked protests and marked another crucial moment of this year. While people were marching on the streets to protest against police brutality, there were also people manifesting through online activity. Advocacy groups were subjected to the most significant number of attempted DDoS attacks. Simultaneously, other popular targets included government websites, such as those belonging to the police and the military, also marking the alleged resurgence of hacktivist group Anonymous.
This year, as if 2020 was not troubling enough, we also witnessed the largest DDoS attack ever recorded, which peaked at 2.3 Terabytes per second. The attack was carried out deploying hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and caused three days of downtime for the unnamed targeted business. This event further proves how threat actors are refining their DDoS techniques to create a product more threatening than ever. For this reason, we’ve highlighted three main trends for this year that will likely be persistently present in 2021 as well.
Throughout the lifecycle of all cybercriminal trends, when threat actors observe a more efficient method, they naturally become more popular and complex over time. The digitization of society has inherently increased cyber risks across all geographies and industries. Most notably, the Internet of Things has exponentially grown over the past few years, and cybercriminals are looking to leverage its increased attack surface and double down on users’ unfamiliarity with proper security hygiene. The cybercriminal landscape has also implemented business opportunities for DDoS services and carved out solutions that include lower-level threat actors. Finally, as we’ve seen success in threat actors furthering their extortion attempts, DDoS attackers may take a page out of the ransomware operators’ playbook by threatening their victims with persistent attacks until their needs are met – only time will tell.
Unpatched IoT devices with inadequate passwords represent a goldmine for malicious actors interested in conducting DDoS attacks. During this year’s National Cyber Security Awareness Month (NCSAM), we discussed a broad array of topics related to the Internet of Things, such as the importance of protecting connected devices and doing so at home and work. Securing these devices is fundamental for your data and privacy because infected devices may be controlled by threat actors, leveraging their access to your device to conduct further malicious activity. This scenario is the case of DDoS botnets: swarms of compromised devices are exploited by threat actors to increase the power of their DDoS attack and reduce defenders’ chances to thwart it.
Mirai is probably the first and most well-known botnet aimed specifically at IoT devices, which wreaked havoc on systems with concerted DDoS attacks. Its first wave of notable attacks dates back to 2016 when it brought down much of America’s internet. Shortly after the incident, its creators publicly released the Mirai botnet source code, inspiring a long series of attempts to build new botnets capable of adapting to the mutated threat landscape and increase their risk level. One of the most recent examples of these botnets is Ttint, a botnet discovered in October 2020 based on the Mirai code; however, threat actors improved the program by implementing 12 additional remote access functions. With the number of IoT devices always on the rise, in terms of sophistication and variety, the threat posed by DDoS botnets will likely increase in the future.
As DDoS attacks have increased in sophistication and complexity, it’s natural to deduce that script kiddies with less technical know-how may be pushed off the cybercrime bandwagon; however, cybercriminals think differently. In turn, the cybercriminal threat landscape has spotted this issue and found a perfect niche opportunity to expand its business activities. Enter DDoS-as-a-Service (DDoSaaS). With solutions of this nature, anyone can easily rent a DDoS toolkit to easily conduct attacks against their preferred targets for just a few dollars a month. More specifically, advertisements for DDoS services posted within the last six months averaged just less than $7. This figure is a significant decrease in price from the $25 average in 2017, suggesting that this attack vector’s supply has notably increased within the last few years.
This activity is becoming more commonplace as more threat actors recognize this opportunity to generate profits without risking exposing themselves. One would think that renting a DDoS toolkit would only be possible in the obscurest corners of the dark web; however, that’s not the case here. Cybercriminals have also found a way to promote their services on common social media channels like YouTube and Reddit by calling their products “stressers” – tools used to test your own server’s robustness. Without any legal checks in place, it’s easy to imagine how these same tools can be used for nefarious purposes by malicious actors. These phenomena all contribute to lowering the barrier of entry for this kind of attack. This trend will likely increase in the future, thus making DDoS attacks a job that low-skilled criminals can do with professional threat actors’ efficiency.
You may be wondering what could be worse than a swarm of IoT devices unleashed against your servers by someone who just rented an attacking toolkit online. Well, you should also know that cybercriminals have started (again) to leverage this technique for extortion purposes. Business continuity interruption can be a useful weapon in cybercriminals’ hands as most businesses rely on their website to conduct their operations. But not all DDoS attacks are powerful enough to disrupt major companies’ servers and less so when operated by inexperienced threat actors; in this case, the extortion attempt may fail its objective as the potential victim doesn’t feel threatened enough.
We have recently observed a case where cybercriminals were impersonating infamous threat groups to threaten their targets. We’re talking about the August 2020 attack against the New Zealand stock exchange (NZX), an extortion campaign conducted by an unnamed cybercriminal group trying to impersonate famous cybercriminal collectives, such as Armada Collective and Fancy Bear, in a ransom note sent to the targeted organization. Although it is highly likely that the threat actor behind the attack was using heavy-hitting names to instill fear in the victim and facilitate the ransom payment, the attack was indeed more sophisticated than other observed DDoS attacks. It didn’t merely target public websites but also backend infrastructure, application programming interface (API) endpoints, and domain name servers (DNS) and managed to force the NZX to halt trading for several hours over four consecutive days.
This DDoS extortion attempt marks a resurgence of this technique, which peaked in 2017, when many groups were making similar claims to those described above. As companies became more suspicious of the groups’ real capabilities behind the extortion attempts, the market for cybercriminals shrank, and high-skilled threat actors moved to more rewarding targets. It seems unlikely that attacks similar to the NZX one may become commonplace in the coming months. Still, it appears that the DDoS attack, in combination with an extortion attempt, may live a new youth thanks to a lower barrier of entry.
Given the high complexity of DDoS attacks favored by a low entry-bar and easily accessible resources, it is fundamental to be prepared for an increased number of offensive operations of this type. Each DDoS is different from the other and needs to be responded in its unique way. Nonetheless, this article will highlight several strategic mitigation pieces of advice applicable in any case and will likely contribute to strengthening your security posture.