Cybercriminals and hackers have previously used Distributed Denial of Service (DDoS) attacks to knock websites offline in order to make a specific politically-motivated point or to threaten victims into paying in order to get the attack to stop.
But now, attackers are adopting military strategies and finding another way. Instead of playing their cards immediately — throwing the traffic of an entire botnet of zombie computers at a target — they send out constant DDoS attacks over months which are so low in bandwidth that the victim fails to detect them.
What harm can sending out low amounts of web traffic do to servers, you ask? Well, apparently a hell of a lot, as seen from the massive data breaches affecting big-name brands like Carphone Warehouse, TalkTalk and Target in the last 12 months.
Dark DDoS: The next frontier
Most IT departments have cybersecurity defences that can only detect traffic flooding that goes above 1GB per minute. The term "Dark DDoS" has arisen for attacks in which a low amount of continuous web traffic is sent to a company's servers, and it is a key topic being discussed at Infosecurity Europe 2016.
A Dark DDoS attack can't be detected, so it merrily attacks your network's defences and tries to exploit multiple zero-day vulnerabilities that might be found in Linux, SSL, hypervisors or Apache (such as Heartbleed or Shellshock) until it finds a vulnerability that you haven't patched against because only attackers know about it.
"If you can create a pathway through an enterprise's network using DDoS — even if it's a few minutes — that's enough time, and once they've done that, they can embed an advanced persistent threat (APT: essentially the enterprise version of a botnet) that sits there quietly on the server until the bad guys want to use it," Dave Larson, chief operating officer at Corero Network Security told IBTimes UK.
"In the cybersecurity industry we call that 'being owned'. This is something the bad guys can exploit for their own needs. They go undetected for months and, slowly, information is trickling out of your environment but you don't even realise it."
Using military tactics to get behind your defences
This method of sneaking malware into your network undetected is similar to an army parachuting commandoes behind enemy lines in a Trojan horse-style, covert military operation, but that's not all.
Rather than slowly leaking crucial data such as credit card information or keystrokes from your network over time without being detected, the attackers can also choose to one day launch a serious DDoS attack against your network that you do notice.
And while your IT department is busy scrambling to bolster your firewall and bandwidth to keep the service online, the attackers access whichever parts of the network they want and grab what they need while the IT guys' backs are turned.
"You can stress the server and firewall to failing point with a DDoS attack in under a minute. If you can do that, then it's silly to wait for it to occur. That's what most people use as their edge defence," said Larson.
"All the things people are relying on can be easily obviated by a short duration attack. To protect yourself, enterprises need to look for service providers that will clean the pipe for them and examine every single packet of data. There is technology that is always online that can perform DDoS mitigation before it hits the end network."
Each DDoS attack costs an average of $720,000
According to research from IBM and Ponemon Institute, the cost of your network going down is $8,000 (£5,490) per minute and, on average, each attack lasts about 90 minutes, meaning that just one DDoS attack can have an average cost of $720,000.
And that excludes the potential fallout from your customers' data being leaked, having to pay for a third party to investigate, reporting to government regulators about what went wrong and potentially being fined by regulators. In February, it was revealed that the October 2015 TalkTalk data breach cost the telco £60m and has since resulted in the loss of 101,000 customers.
"Anyone who carries credit card data must comply with credit card payment standards. That standard requires anyone with credit card information to have an intrusion prevention system in place and to have logging in place to see all transactions occurring on the network," stressed Larson.
"But the problem is they are not required to have DDoS protection in place, and all those things can be rendered useless with a DDoS attack. They have not kept up with how the threat has evolved. DDoS protection tools have existed for 10 years but the majority operate differently to what we're proposing.
"93% of all DDoS attacks are all less than 1GB per second in terms of bandwidth they use and 70% are less than five minutes long. This means that the vast majority of the threat landscape has been designed to evade protections in place."
Corero's system uses a specialised processor that enables it to look at every single packet of data seeking to enter the network, no matter how small or large the traffic is, so the system can stop potential flood traffic and only allow good packets of data. The system is currently being used by several governments around the world.
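The figures quoted above describe attacks that are both short and well under a fixed volumetric alarm, which is why threshold-only monitoring never fires on them. The following is an added illustration, not Corero's method or code from the article: it compares each minute of edge traffic against a rolling baseline and reports brief bursts that stay below the alarm. The traffic trace, the 1,000 Mbit/s alarm level and all function names are constructed assumptions.

```python
from statistics import median

ALARM_MBPS = 1000  # assumed fixed volumetric alarm level (constructed value)

def constructed_trace():
    """Constructed per-minute edge traffic in Mbit/s, three hours long."""
    rates = [200 + (i * 7) % 11 for i in range(180)]  # ~200 Mbit/s background
    rates[60:63] = [450] * 3       # 3-minute burst, under the alarm
    rates[120:122] = [600] * 2     # 2-minute burst, under the alarm
    rates[150:161] = [1500] * 11   # 11-minute flood, over the alarm
    return rates

def volumetric_alarm(rates, alarm):
    """Minutes on which a threshold-only monitor would fire."""
    return [minute for minute, rate in enumerate(rates) if rate >= alarm]

def find_subthreshold_bursts(rates, alarm, window=30, k=6.0, max_len=5):
    """Return (start_minute, length, peak) for short bursts that stand out
    from the rolling baseline yet never reach the fixed volumetric alarm."""
    bursts, run = [], []
    history = list(rates[:window])           # warm-up minutes, assumed clean
    for minute in range(window, len(rates)):
        rate = rates[minute]
        base = median(history)
        # Median absolute deviation: a spread estimate that outliers barely move.
        mad = median(abs(x - base) for x in history) or 1.0
        anomalous = rate > base + k * mad
        if anomalous:
            run.append((minute, rate))
        else:
            history = history[1:] + [rate]   # only normal minutes feed the baseline
        # Close the current run when traffic returns to normal or the trace ends.
        if run and (not anomalous or minute == len(rates) - 1):
            peak = max(r for _, r in run)
            if len(run) <= max_len and peak < alarm:
                bursts.append((run[0][0], len(run), peak))
            run = []
    return bursts

if __name__ == "__main__":
    trace = constructed_trace()
    print("fixed alarm fired on minutes:", volumetric_alarm(trace, ALARM_MBPS))
    for start, length, peak in find_subthreshold_bursts(trace, ALARM_MBPS):
        print(f"minute {start}: {length}-minute burst, peak {peak} Mbit/s, no alarm")
```

On the constructed trace the fixed alarm sees only the 11-minute flood, while the baseline comparison surfaces the two earlier bursts that would otherwise pass unnoticed.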
"The more the attacks get automated, the easier it is for the organised crime syndicates to scale them out and attack more victims. We expect DDoS to get more complex and more entities will be quietly breached or attacked, while the end users don't even realise it's taking place," said Larson.
"If there's regular low bandwidth DDoS traffic, it's probably there for a reason. We want people to understand that the danger is real and this class of attack is happening in their environment more often than they think."