How to Recognize Linked Network Attacks
By Sarah Katz, Cyber Security Specialist
Given the highly dynamic nature of cyberspace, the threat landscape changes every day. As new risks emerge, both organizations and individual users adapt strategies to tackle upcoming threat actors. While detection remains a critical aspect of thwarting cyber-attacks, incident responders should remain cognizant of patterns evident in past and ongoing compromises in order to successfully prevent future assaults of a similar nature.
In 2016, cybersecurity and anti-virus research provider Kaspersky Lab reported findings that revealed attackers using Distributed Denial of Service (DDoS) attacks as a means of occupying blue team responders while conducting network penetration through other means. For example, security analysts distracted by slow performance and rushing to prevent potential website defacement may overlook smaller-scale, more insidious network intrusion attempts, such as phishing.
Referred to here by an altered name for privacy purposes, Rain Incorporated is an enterprise technology company that first fell victim to a string of intermittent DDoS attacks beginning in the spring of 2018. The offending IP addresses observed were eventually traced back to geopolitical locations in China, Russia, and Turkey and, once the attack entered full swing, could number in the tens of thousands per minute. Within the same week as these attacks, an email account belonging to a customer of Rain Inc. was phished.
Initially, the two events were not connected, and the phishing attack was treated as just one of the many conducted daily against customers and corporate employees. The ensuing weeks, however, showed a pattern: the customer whose account had been phished would appear in the database of traffic highlighted by Rain Inc.’s IDS. Once that customer had reset account credentials, database evidence showed that a since-deactivated Rain Inc. account had sent the original phishing email to the customer in question.
Thus, a hacked corporate account of Rain Inc. had successfully phished a customer in an attempt to penetrate the network while incident response managed the botnet-supported DDoS. However, the discovery that the original customer phish and the DDoS shared a connection took months and multiple rounds of blacklisting IPs that oftentimes turned out to be legitimate customer IPs. Once the blue team deduced the correlation, the response procedure became less about blocking external IPs and more about monitoring for network traffic from that deactivated corporate email account. As phishing attacks account for 49% of successful breaches against western enterprises, companies should remain vigilant for this type of penetration attempt.
By and large, corporate security should also keep in mind that where there exists evidence of one attack, another might be running in parallel. In the case of attacks meant to slow network performance, such as DoS, DDoS or website defacement, security analysts should pay careful attention to other types of attacks that recur within a similar timeframe, such as one day or even up to a week. If a pattern emerges between the timing of an availability-based attack and another, less frequent breach attempt such as a phish, a hacker may be trying to stall while the smaller-scale intruder sniffs for a user-based vulnerability.
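The temporal correlation described above, as an added example that is not part of the original article: each low-volume intrusion alert (a reported phish) is paired with any availability attack seen within a configurable window, and the resulting watch list names the sending account to monitor rather than the DDoS source IPs to blacklist. The alert records, account names and IP addresses are constructed sample data, not Rain Inc. logs.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (fictional accounts and documentation-range IPs).
ALERTS = [
    {"time": "2018-04-03 09:12", "type": "ddos", "src": "198.51.100.7", "detail": "SYN flood"},
    {"time": "2018-04-03 14:40", "type": "phish", "src": "billing@corp.example", "detail": "customer jdoe reported phish"},
    {"time": "2018-04-05 11:05", "type": "ddos", "src": "203.0.113.9", "detail": "HTTP flood"},
    {"time": "2018-04-20 08:30", "type": "phish", "src": "promo@mail.example", "detail": "customer asmith reported phish"},
    {"time": "2018-05-01 10:00", "type": "ddos", "src": "192.0.2.44", "detail": "UDP amplification"},
]

# Availability attacks are the noisy "cover"; intrusion attempts are the quiet signal.
AVAILABILITY = {"ddos", "dos", "defacement"}
INTRUSION = {"phish", "ids_hit"}


def parse_time(alert):
    return datetime.strptime(alert["time"], "%Y-%m-%d %H:%M")


def find_linked_attacks(alerts, window=timedelta(days=7)):
    """Pair every intrusion alert with the availability attacks that fall within
    `window` of it (the article suggests one day up to one week)."""
    availability = [a for a in alerts if a["type"] in AVAILABILITY]
    linked = []
    for intrusion in (a for a in alerts if a["type"] in INTRUSION):
        t = parse_time(intrusion)
        cover = [a for a in availability if abs(parse_time(a) - t) <= window]
        if cover:  # an intrusion with no nearby availability attack is not "linked"
            linked.append({"intrusion": intrusion, "cover": cover})
    return linked


def watch_list(linked):
    """Sender accounts behind linked phishes: these, not the DDoS source IPs,
    are what the response should monitor once the correlation is established."""
    return sorted({entry["intrusion"]["src"] for entry in linked})


if __name__ == "__main__":
    for entry in find_linked_attacks(ALERTS):
        covers = ", ".join(f'{c["time"]} {c["detail"]}' for c in entry["cover"])
        print(f'{entry["intrusion"]["time"]} {entry["intrusion"]["detail"]} <- cover: {covers}')
    print("watch:", watch_list(find_linked_attacks(ALERTS)))
```

With the one-week window only the 3 April phish is flagged; the 20 April phish has no availability attack within seven days and stays an ordinary phish.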
About the Author
Sarah Katz is a UC Berkeley alumna, cybersecurity specialist and award-winning fiction author. She earned a nomination for the 2018 Women in IT Security Champion of the Year Award for being one of a select few former Facebook content moderators willing to speak on the issue of user privacy on social media. Updates on Katz’s work in security and writing can be found at www.facebook.com/authorsarahkatz on Facebook and @authorsarahkatz on Twitter.