2015 was a paramount year in data exfiltration. You may be familiar with many of the data breaches that were covered in the media this year, including the United States IRS, several major health care providers, Ashley Madison, and most recently, the personal data of children and parents from the vTech breach. Just last week, retailer Target agreed to settle with several banks for $39 million over their 2013 data breach.
Smoke screen attacks are an interesting technique that is common in data exfiltration. As the name suggests, these are attacks on the network that are specifically designed to misdirect security personnel from the real threat, which is data exfiltration. By distracting a security team, attackers are hoping they can slip under the protection sets by overloading them with activity in other parts of the network.
How it Works
Security personnel typically monitor the network using tools that generate alerts when there is an anomaly. When configured to do so, things like changes in bandwidth usage, latency, availability, and responsiveness will all send alerts to the Network/Security Operations Center (NOC or SOC). It’s that team’s job to begin investigating those events and one of the first places to look are event logs. It is best practice to have network appliances like routers, firewalls, and IPSs send their logs to a central collector, which allows for better correlation between network events, so tools like this make sense as the first place to look.
That is exactly what smoke screen attackers are hoping for. By attacking a network on multiple fronts, the attacker hopes to create confusion and misdirection. Knowing that security personnel will check the traditional tools, attackers will attempt to overwhelm them with irrelevant traffic, slowing down unrelated applications or filling logs with irrelevant data. Doing so makes identifying unique events more difficult.
What Can You Do?
If you notice an attack, you must be mindful of the intent. Was it designed to disrupt your network but your infrastructure handled it? Was it a decoy? Check your logs and perhaps filter out vectors once you’ve ruled them out. Check your other assets or collaborate with other departments in your organization to ensure that nothing else looks wrong.
The best way to assess and mitigate a smoke screen attack is with the use of a Web Application Firewall (WAF) that can help prevent data theft and the manipulation of sensitive corporate data, as well as protecting customer information. By combining this with an on premise detection and behavioral analysis device, you can mitigate smoke screen attacks while protecting customer data at the same time.
It is absolutely critical that organizations protect consumer data. Security professionals need to leverage all of the tools available to protect the integrity of this data. At Radware, we feel that layered security is the best way to do this. Web Application Firewalls can protect your websites and databases. DDoS mitigation appliances can protect you from the smoke screens. Firewalls and a strong perimeter can secure access. Make use of the tools and forensic data that you have available. And finally, remember that things aren’t always what they seem and a smoke screen attack just might be real intent of obvious network events.
Cyber-attacks are complex and dynamic challenges for anyone responsible for cyber security.
Ron Winward is a Security Evangelist for Radware, where he helps execute the company’s thought leadership on today’s security threat landscape. Ron brings 20 years of experience in the Internet service provider space, most recently as Director of Network Engineering for a global infrastructure and colocation provider. With an expertise in network architectures and DDoS mitigation, Ron has helped design solutions for carriers, enterprises, and cybersecurity service providers around the world.