In the Crosshairs: Would Hacktivists Target You with a DDoS Attack?

crosshairs

Hacktivists from Anonymous recently took down the websites of the Nissan car company with a DDoS attack in protest of Japanese whaling. While Nissan has nothing to do with whaling, they happen to be a big brand and Japanese, which was enough to make them a target. It’s another reminder that political and social protests drive many DDoS attacks, and even a slim connection to a controversial issue can be all that’s needed.

Every geopolitical event and social movement now has its reflection in the cyber world, including networks of hacktivists that try to take down websites of entities they disapprove of. In addition to the primary target, they may attack sponsors, suppliers, providers of local infrastructure and services, and anyone loosely connected to what they’re protesting. It’s is a global phenomenon that can affect any organization with an Internet presence – all it takes is to be in the wrong place at the wrong time:

  • During the 2014 Olympics in Sochi, Russia, there were many attacks against the Russian Olympic Committee but also attacks on service providers like Sochi airport and a well-known local prostitution site.
  • The FiFa World Cup in Brazil was marked by anti-government demonstrations. Anonymous launched DDoS attacks in support of the real-world activists, taking down a number of government and sponsor websites.
  • In the U.S. Pacific Northwest, anti-logging protesters who once lay down in front of bulldozers are now launching DDoS attacks from their living rooms against the logging companies and bulldozer manufacturers.
  • In Ferguson, Missouri and Cleveland, Ohio, protests in response to police shootings were all over the evening news. Behind the scenes, Op Ferguson and Madness C2 were ordering DDoS attacks against law enforcement sites and local government.

This is the new normal, and any enterprise that could be associated with current events had better get used to it. Anyone, with no technical knowledge, can now launch a DDoS attack against any organization that they think deserves it. For a very modest fee, they can employ one of the many DDoS attack services and tools, point it to their target and cause significant damage – potentially having a much greater impact than a small group of protesters could achieve in the physical world.

Take a Step Back
Here’s the lesson for security people: take a step back from your SIEM console and pay attention to what’s happening in the real world. Keep an eye on CNN or the BBC for geopolitical events that could provide the motivation for the next attack. Ask yourself:

  • Do we have any relationship to these events, either directly or indirectly?
  • Should I have reason to believe we could be targeted?

If you suspect that you could be a target, this simple framework can help you understand the potential threat and protect yourself:

  1. Who: Identify the likely threat actor associated with this issue or event
  2. How: Find out which tactics/techniques/procedures (TTPs) they commonly use
  3. What: Determine if there been any indicators on your network related to those TTPs

This simple approach enables you to look at threats from a more holistic or campaign perspective. Campaign-level threat intelligence provides defensive organizations with situational awareness that can help with the more rapid identification of IOCs and incident response functions.

Visualizing Global Threats
If you think you could be a target, you’ll want to be aware of the latest threat intelligence. Arbor Networks has collaborated with Google Ideas to create a Digital Attack Map that can be used to explore trends in DDoS attacks and make the connection to related news events on any given day. The data is updated daily, and historical data can be viewed for all countries. Check it out – I think you’ll find it a valuable resource.