DoS Attacks Used as Smoke Screens, and How to Prevent Them

10 Sep 2019

On March 5th, 2019, a Denial of Service (DoS) cyberattack impacted a US power company. Although the event had no dramatic consequences for the company, it highlighted a purpose of DoS attacks that is not often discussed.

What is a Denial-of-Service (DoS) Attack?

A Denial-of-Service (DoS) attack floods its target with a massive volume of requests or data. By overloading network or computing resources, it attempts to crash the target or to prevent legitimate users from accessing company assets and systems. A DoS can also be achieved without volume, by triggering a vulnerability that crashes or reboots a device, which is what happened in the incident described here.

An attacker may use multiple sources (numerous attacking hosts) to increase the effectiveness of the attack. This adds a "distributed" factor, and the attack is then referred to as "DDoS".

Diversion Through Denial of Service (DoS)

In certain cases, the goal of a DoS attack is not only to affect system availability but to act as a smoke screen, or as an additional step in infiltrating a company. The DoS is used to degrade or shut down the company's defenses and systems, exposing it to threats such as the injection of malicious traffic and other activities that accompany the DoS attack.

During the aforementioned event, the company's perimeter network devices (i.e. firewalls) were rebooted by exploiting a vulnerability in the devices. These unplanned reboots resulted in brief losses of communication between field devices and the company's control center.

There could be more to such an incident than a DoS attack. To identify attack vectors that may accompany a DoS, security teams need to analyze the event more broadly: which other systems logged unusual activity during the outage, whether any logins or sessions were established while the firewalls were down, and whether the reboots left device configurations unchanged.

These sorts of events can cause major availability and safety issues for operations and production in industrial companies. Much of the impact can be minimized or prevented by following several important guidelines.
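The broader analysis called for above, together with the baseline of checklist item 3 below, as an added example that is not part of the original article: a script that derives a baseline from normal per-minute connection counts, flags minutes that exceed it, and then lists the security events from other log sources (device syslog, VPN, ICS historian) that fall inside the anomalous window. All counts, events, field names and the five-sigma threshold are constructed assumptions, not data from the incident.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed data for illustration (not from the article or the incident):
# per-minute counts of new inbound connections seen by the perimeter firewall.
START = datetime(2019, 3, 5, 9, 0)

# 30 minutes of normal operation: this is the baseline of checklist item 3.
BASELINE_COUNTS = [200, 210, 195, 205, 199, 201, 198, 207, 203, 196,
                   204, 202, 197, 209, 200, 198, 206, 201, 195, 203,
                   199, 208, 202, 197, 204, 200, 205, 198, 201, 203]

# The following 10 minutes (09:30-09:39); a flood starts at 09:33 and lasts six minutes.
OBSERVED_START = START + timedelta(minutes=30)
OBSERVED_COUNTS = [202, 199, 204, 9800, 12400, 11900, 13100, 10700, 9900, 205]

# Constructed events from other log sources: (timestamp, event type, detail).
EVENTS = [
    (START + timedelta(minutes=12), "vpn-login", "user=ops1 src=203.0.113.45"),
    (START + timedelta(minutes=34), "fw-reboot", "device=edge-fw-1 reason=unexpected"),
    (START + timedelta(minutes=35), "admin-login", "user=admin device=edge-fw-2 src=198.51.100.9"),
    (START + timedelta(minutes=36), "ics-link-loss", "rtu=substation-7 duration=55s"),
    (START + timedelta(minutes=58), "vpn-login", "user=ops2 src=203.0.113.46"),
]


def baseline_stats(counts):
    """Return (mean, population stddev) of per-minute counts during normal operation."""
    return mean(counts), pstdev(counts)


def flag_anomalies(counts, start, mu, sigma, z=5.0):
    """Return the timestamps of minutes whose count exceeds mu + z * sigma."""
    threshold = mu + z * sigma
    return [start + timedelta(minutes=i) for i, c in enumerate(counts) if c > threshold]


def anomaly_windows(timestamps, slack=timedelta(minutes=5)):
    """Merge consecutive anomalous minutes into windows, extended by `slack`
    so activity that immediately follows the flood is still correlated."""
    windows = []
    for ts in timestamps:
        if windows and ts - windows[-1][1] <= timedelta(minutes=1):
            windows[-1][1] = ts          # extends the current window
        else:
            windows.append([ts, ts])     # starts a new window
    return [(first, last + slack) for first, last in windows]


def correlate(windows, events):
    """Return the events from other sources that fall inside an anomaly window."""
    return [ev for ev in events if any(first <= ev[0] <= last for first, last in windows)]


def analyse():
    """Run the whole pipeline over the constructed data."""
    mu, sigma = baseline_stats(BASELINE_COUNTS)
    anomalies = flag_anomalies(OBSERVED_COUNTS, OBSERVED_START, mu, sigma)
    return correlate(anomaly_windows(anomalies), EVENTS)


if __name__ == "__main__":
    for ts, kind, detail in analyse():
        print(f"{ts:%H:%M} {kind:14} {detail}")
```

With this data the flood window is 09:33 to 09:38, and the firewall reboot, an administrative login to the second firewall and the loss of the RTU link all fall inside it; the two VPN logins outside the window are left out. In a real deployment the baseline would be taken per service and per time of day, since a five-sigma rule over a single series is only a starting point.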

Preparing Against DoS Attacks

The guiding principle for protecting an industrial organization from a DoS attack is to minimize its exposure to the Internet and to other publicly reachable networks. The following checklist highlights the main topics that industrial companies should address in order to defend themselves against IT-OT DDoS attacks and the malicious activities that may accompany them:

1. Identify the security controls that the organization has in place which are designed to deal with such cyber-attacks.

Determine which controls are operated by the organization and which by external parties. In particular, contact the Internet Service Provider (ISP) and ask which DDoS mitigation controls it offers and which are already in place.

2. Use a combination of “cloud” security controls and on-premise controls.
  1. Identify the organization’s IT infrastructure and prepare a network topology diagram and an asset inventory.
  2. Explicitly define, monitor, and manage your critical assets. These include:
  • DNS services
  • External IP ranges
  • IPs of public-facing systems
  • IPs of external monitoring devices
  • Partner and 3rd party IPs
  • Whitelisted and blacklisted IPs (more on this below)

3. Baseline your infrastructure's current performance and traffic.

Knowing what normal traffic and performance look like makes attacks and anomalies easier to detect, and makes it possible to tell the flood itself apart from other activity that takes place during it.

4. Define contacts and establish playbooks.

Playbooks make it clearer and easier for the teams involved to respond: OT teams, IT teams, cybersecurity teams, the ISP, law enforcement (if relevant), etc.

5. Verify the SLAs with the different service providers.

Verify that Business Continuity and Disaster Recovery plans are in place.

6. Patch and harden the security configuration of operating systems, devices, security control management interfaces, and applications that may be targeted by DDoS.
7. Verify that default administrative accounts on endpoints, security controls, network devices, servers, etc. have been removed, or disabled and renamed where removal is not possible, and that their default credentials have been changed.

Verify that active accounts use multi-factor authentication and strong passwords, and rotate passwords whenever compromise is suspected.

8. Create a blacklist of countries and source IP ranges which security controls can block.

This may include countries considered hostile or likely to be involved in an attack, known open proxies and anonymizing services that can be used for malicious purposes, etc. Note that the source addresses of a volumetric flood are often spoofed, so source-based blocking is most effective against attacks that need a completed connection; spoofed floods are better absorbed upstream by the ISP or cloud mitigation controls from items 1 and 2.

9. Create a whitelist of the source IPs and protocols that must stay enabled when traffic is prioritized during an attack.

Include the relevant corporate systems (external and internal), customers, critical partners, 3rd parties, etc., and decide in advance which list wins when an address appears on both.

10. When possible, test your DDoS mitigation security controls and conduct simulations that test your cybersecurity readiness.

As DDoS attacks may affect company assets beyond system availability, periodic penetration testing that covers the exposed perimeter is also recommended.

11. Make sure to have a dedicated “war room” from where the incident can be managed.
12. When applicable, consider purchasing a Cyber Insurance policy.

This will help to compensate for the potential loss of revenue due to downtime, disclosure of data, extortion, legal fees, and PR fees.
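Items 8 and 9 of the checklist, as an added example that is not the article's own code: a policy function that decides, for a new inbound connection, whether it is dropped, accepted, given priority as a whitelisted source, or rate-limited, with the blacklist checked before the whitelist so that a single bad host inside a whitelisted range cannot ride on that range's priority. It also reports overlaps between the two lists so that precedence is a deliberate choice. The networks, service ports and names are constructed assumptions; the real entries come from the asset inventory of item 2.

```python
import ipaddress

# Constructed lists for illustration (names, ranges and ports are assumptions).
ALLOWLIST = {
    "control-center":    ipaddress.ip_network("203.0.113.0/28"),
    "partner-historian": ipaddress.ip_network("198.51.100.64/26"),
    "external-monitor":  ipaddress.ip_network("192.0.2.10/32"),
}
BLOCKLIST = [
    ipaddress.ip_network("192.0.2.128/25"),   # e.g. a known open-proxy range
    ipaddress.ip_network("203.0.113.12/32"),  # a host inside a whitelisted range
]
# Services that must remain reachable while traffic is being prioritized:
# HTTPS for the remote-access portal and Modbus/TCP from the control center.
ALLOWED_SERVICES = {("tcp", 443), ("tcp", 502)}


def in_any(ip, networks):
    """True if `ip` falls inside any of `networks`."""
    return any(ip in net for net in networks)


def classify(src, proto, dport, under_attack):
    """Decide what to do with a new inbound connection.

    Returns 'drop', 'accept', 'priority:<name>' or 'rate-limit'.
    The blocklist is evaluated first, then the attack posture, then the
    service and source whitelists."""
    ip = ipaddress.ip_address(src)
    if in_any(ip, BLOCKLIST):
        return "drop"
    if not under_attack:
        return "accept"          # normal posture: ordinary controls apply
    # Attack posture: only the explicitly required services get through.
    if (proto, dport) not in ALLOWED_SERVICES:
        return "drop"
    for name, net in ALLOWLIST.items():
        if ip in net:
            return f"priority:{name}"
    return "rate-limit"          # unknown sources share the remaining capacity


def list_overlaps():
    """Return (whitelist name, blacklisted network) pairs that overlap, so the
    operator can confirm that 'blacklist wins' is the intended precedence."""
    return sorted((name, str(bad))
                  for name, good in ALLOWLIST.items()
                  for bad in BLOCKLIST
                  if good.overlaps(bad))


if __name__ == "__main__":
    print("overlaps:", list_overlaps())
    for flow in [("203.0.113.5", "tcp", 502), ("203.0.113.12", "tcp", 502),
                 ("198.51.100.70", "udp", 53), ("203.0.113.200", "tcp", 443)]:
        print(flow, "->", classify(*flow, under_attack=True))
```

The same decision table would normally be expressed as firewall rules with address sets; the point of keeping it as code is that the precedence and the attack-posture switch can be reviewed and exercised in the simulations of item 10 before an incident, and that the source-based part is only meaningful for connections whose source address the attacker cannot spoof.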


For additional information or assistance implementing these types of controls, contact our security specialists.