Attack Type – Distributed Denial of Service Scenario STAGES OF ATTACK A successful distributed denial of service DDoS attack on any company is often evident not only to the business itself but also the broader public Org 8 a payments company headquartered in the UK became the victim of a successful DDoS attack on 18th December one week prior to Christmas traditionally the busiest online shopping period for the company Online sales during this period typically generates Org 8 over 25 percent of its annual revenue Alerts that the payment processing servers and associated services were not responding began appearing on the company’s monitoring services and a large number of employees contacted the IT Service Desk It was immediately apparent to the technical teams the systems were offline There was delay in correctly identifying the outage was the result of a DDoS attack directly targeting Org 8 and as such Org 8 were slow to implement the appropriate incident handling procedures Org 8 had to call on several third party companies to help fully restore the affected services In this instance Org 8 was fortunate that the response time and effectiveness of those companies was very good Both Org 8’s primary and backup servers were overloaded with excessive malicious requests designed to exhaust all available resources to its essential business services Org 8 engaged the assistance of their Internet Service Provider ISP to block the malicious traffic Findings from the investigation into the attack found that no specific DDoS filtering services were in place and that the attackers had been probing the network for several weeks in a build up to the DDoS attack The alerts generated by probing had not been raised internally by the Org 8 security operations team who were busy responding to priority security incidents While some services were restored within six hours of the outage users of Org 8’s payment cards were frustrated by being unable to make purchases and in many instances turned to other payment methods to achieve their transactions Org 8 found that it took many months for customers to return to regularly using their services and noted a minor drop in spending around the same time the following year Org 8 was impacted by the loss of revenue from the initial DDoS attack and continued to suffer reputation and customer trust issues for some time following the incident SURVEY Scanning and probing of payments processing servers DELIVERY Construction of a Botnet capable of exhausting system resources and bandwidth Specific Failures Leading to Compromise • L ack of DDoS protection for business critical systems BREACH Launch a persistent attack against the targeted systems ATTACK TIMELINE Targeting to Compromise 2-3 weeks Compromise to Exfiltration N A Compromise to Discovery Immediate Compromise to Containment 6 hours – 3 days Method of Discovery Internal investigation following service outage Threat Actor External – Believed to be targeted Assets Compromised Payment processing services Business Impact High – Direct loss of revenue and ongoing customer faith AFFECT Six hour system outage Severe decline in revenue and customer confidence CASE STUDY ATTACK TYPE – DISTRIBUTED DENIAL OF SERVICE CASE STUDY