Why NZ retailers need to be wary of attacks in the last week before Christmas
New Zealand retailers are entering the busiest week of the year ahead of Christmas while the number of Distributed Denial of Service (DDoS) attacks continues to rise. Kiwi retailers of all shapes and sizes now face the difficult challenge of protecting themselves in a threat-filled world and not becoming just another company to fall foul of the attackers going into 2016.
What is the real threat?
Of most concern to retail businesses is the growth in the average attack size: there was a marked increase in New Zealand from the first quarter of 2015 to the second, from 430.84Mbps to 1.1Gbps.
This is particularly concerning as many retail businesses have Internet connectivity at or below the 1Gbps level, so there are now many more attacks out there that are capable of saturating their connectivity and bringing their websites and online stores down. This really illustrates the kind of impact these attacks can have on retailers that are reliant on the Internet to sell their products and services.
The most prominent trend is that the proportion of attacks in New Zealand over 1Gbps is growing. According to Arbor’s ATLAS threat monitoring system, New Zealand has a higher proportion of attacks above 1Gbps than Asia Pacific as a whole: 35% for New Zealand and 17% for APAC overall.
This spike in attack size is especially obvious in large and complex reflection amplification attacks, a technique used to magnify the amount of Internet traffic generated and one of the key ways attacks are being launched. The average size of a reflection amplification attack increased everywhere in 2015, and the largest reflection attack in New Zealand was 16.69 Gbps - the “Chargen” attack targeted at port 60806.
How & why should retailers protect themselves from attacks?
Quite simply, layered DDoS defence is the key to overcoming the attackers. The increasing size and frequency of volumetric attacks that can saturate Internet connectivity clearly shows the need for cloud and ISP-based DDoS protection services that can deal with these higher magnitude attacks. However, the stealthier, sophisticated application layer attacks haven’t gone away.
We are definitely seeing application layer attacks on larger organisations on the rise. These attacks can lead to longer recovery times than volumetric attacks and can be harder to detect from the cloud and ISP perspective, which is why ‘always-on’ proactive network perimeter DDoS protection is so important.
These two layers of protection – on premise and cloud, plus network perimeter – work together to protect the availability of key web services from the DDoS threat, reducing the risk of costly business interruption, so should be a key consideration for any retail business wanting to ensure their digital services are not interrupted during the crucial pre- or even post-Christmas sales periods.
Extortion is a key trend
What is becoming more prevalent, sadly, is extortion. It is one of the oldest DDoS motivations, and we have seen significant growth in this area in the past year, some of it well publicised given the DD4BC activity.
This started back in July ’14 and is continuing in Australia and New Zealand currently, with extortion attempts targeting organisations mainly in the finance and retail sector. There have been some fairly well publicised cases in New Zealand particularly, where Arbor worked with Vodafone New Zealand to help protect a leading retailer after an extortion attempt.
The other trend to be aware of is the increasing use of DDoS as a part of broader attack campaigns, usually to distract security teams from either malware infiltration or data exfiltration. If an organisation is targeted with a DDoS attack they must be careful not to lose focus on the monitoring of their internal networks, as the DDoS attack may simply be a smoke screen for something potentially far more damaging.
Sharing threat intelligence really helps win the war against the attackers, as information from other organisations in the same vertical or geography can be very pertinent to the same risks. One key thing to remember is that attackers often share capabilities with each other, so they are making use of their collective capability. New Zealand retailers need to do the same, and they can do that anonymously.
Why are retailers under more threat?
One of the key differences between the finance and retail verticals in New Zealand is the steps taken to deal with threats, whether they are sharing threat intelligence information with others in the same vertical or with government agencies and how quickly they react to an attack.
The finance and banking sector in particular is fairly advanced when it comes to responding to and sharing threat intelligence in this region; however the retail sector is way behind and is leaving itself exposed to attackers.
Retail organisations need to look at the benefits that can come from sharing threat intelligence; sometimes they are too concerned about ‘helping the competition’ – but the key thing to remember is that sharing intelligence is usually a reciprocal arrangement, and the right information could prevent a hugely embarrassing and costly breach for all parties.
What should retailers look out for in 2016?
There is no doubt that we will continue to see a lot of reflection amplification DDoS attack activity throughout 2016. The latent capability within the Internet, which attackers are more than willing to exploit, still exists so it wouldn’t be surprising to see an attack up at around 500Gbps – higher than any other recorded attack – in the not too distant future.
We will continue to see more of the high-profile breaches we’ve seen in retail over the last year in New Zealand. It is also likely that we’ll become aware of many smaller organisations falling victim to data theft. Many retailers have data that is either directly or indirectly valuable to attackers, and at the moment the value of that data is significantly higher than the cost to the attacker of extracting it.
New Zealand retail organisations need to shift their approach, and fast: they should leverage the data they have more effectively, share intelligence more quickly and usefully, and fundamentally make better use of their existing security resources.
Article by Nick Race, Arbor country manager