Denial of service or data theft? Reflections on the TalkTalk attack

Max Pritchard

On October 21st 2015, web servers controlled by TalkTalk, the telecoms provider, came under cyber attack. The attack degraded e-mail and web service performance, which is how it was first spotted, and for this reason it was categorised (at least by TalkTalk) as a sustained Distributed Denial of Service (DDoS) attack. Subsequently it emerged that customer data had been stolen during the attack.

TalkTalk representatives spoke about a “DDoS attack” that had led to a potential loss of customer data. Security researchers and commentators at the time pointed out that Distributed Denial of Service attacks threaten service availability, not customer data, and criticised TalkTalk for confusion and a lack of knowledge.

If I were not so astonished by the audacious scale and success of the attack, I might have more sympathy for TalkTalk in being pilloried by commentators seemingly worried about semantics. As it is, TalkTalk’s share price fell from 289.4 (October 20th) to a low of 225.3 (October 26th). How much of that drop was caused by this attack is unclear, but it is undoubtedly significant.

If a target system’s performance is degraded during an attack in which data is also stolen, one of four explanations must hold.

  1. The system is being hit by two different types of attack with different objectives; in this case data extraction and service denial.
  2. The nature of the data extraction attack causes system degradation as a side-effect.
  3. The nature of the service denial attack causes data extraction as a side-effect.
  4. The system performance degradation is separate and unrelated to the data extraction.

Options 3 and 4 seem unlikely given the circumstances: a pure flood does not return customer records, and the timing makes coincidence hard to credit. What we have probably seen is either a multi-vector attack, with DDoS used as a ‘blind’ to distract defenders and disable defences while a coordinated attempt was made to extract data, or a distributed brute-force attack designed to extract customer data from a system which, as a side-effect, impaired the performance of the servers in question.
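The practical difference between these two readings is what the defender's telemetry shows. A rate-only dashboard reports requests per second and sees a denial of service; it takes a per-source profile of what was requested and what was served to see data leaving. As an added illustration (this is not code from the original article and is not based on any TalkTalk logs), the Python below profiles each source in a set of constructed access-log lines and separates a volumetric flood (many requests, one target, mostly errors) from distributed record enumeration (each source pulling many distinct, successfully served records). The log lines, IP ranges, the `/account?id=` endpoint and the thresholds are all constructed assumptions.

```python
"""Separate a volumetric flood from distributed record enumeration in web
access logs.  Added example: the log lines, endpoint and thresholds are
constructed here, not taken from TalkTalk or from the article."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common Log Format, keeping only the fields the analysis needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Illustrative thresholds (assumptions, not measured values).
FLOOD_MIN_REQUESTS = 500         # requests from one source in the window
FLOOD_MAX_DISTINCT_RATIO = 0.05  # share of requests that name a new target
ENUM_MIN_REQUESTS = 10
ENUM_MIN_DISTINCT_RATIO = 0.9    # nearly every request names a new record
ENUM_MIN_SUCCESS_RATIO = 0.8     # and the server actually served it
ENUM_MIN_BODY_BYTES = 512        # with a body large enough to hold a record


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    # The record being fetched: the 'id' query parameter (assumed endpoint
    # shape), or the whole target when there is no such parameter.
    qs = parse_qs(urlsplit(d["target"]).query)
    d["record"] = qs["id"][0] if "id" in qs else d["target"]
    return d


def profile_sources(lines):
    """Per-source counters: requests, distinct records, 2xx count, 2xx bytes."""
    prof = defaultdict(lambda: {"requests": 0, "records": set(), "ok": 0, "ok_bytes": 0})
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        p = prof[d["ip"]]
        p["requests"] += 1
        p["records"].add(d["record"])
        if 200 <= d["status"] < 300:
            p["ok"] += 1
            p["ok_bytes"] += d["bytes"]
    return prof


def classify_source(p):
    """'enumeration', 'flood' or 'benign' for one source profile."""
    n = p["requests"]
    distinct_ratio = len(p["records"]) / n
    success_ratio = p["ok"] / n
    mean_body = p["ok_bytes"] / p["ok"] if p["ok"] else 0
    if (n >= ENUM_MIN_REQUESTS and distinct_ratio >= ENUM_MIN_DISTINCT_RATIO
            and success_ratio >= ENUM_MIN_SUCCESS_RATIO and mean_body >= ENUM_MIN_BODY_BYTES):
        return "enumeration"
    if n >= FLOOD_MIN_REQUESTS and distinct_ratio <= FLOOD_MAX_DISTINCT_RATIO:
        return "flood"
    return "benign"


def assess(lines):
    """Campaign-level verdict: what a volume view sees versus what left the server."""
    prof = profile_sources(lines)
    verdicts = {ip: classify_source(p) for ip, p in prof.items()}
    flood = sorted(ip for ip, v in verdicts.items() if v == "flood")
    enum = sorted(ip for ip, v in verdicts.items() if v == "enumeration")
    total = sum(p["requests"] for p in prof.values())
    flood_share = sum(prof[ip]["requests"] for ip in flood) / total if total else 0.0
    records = set().union(*(prof[ip]["records"] for ip in enum)) if enum else set()
    if flood and enum:
        verdict = "flood masking enumeration"
    else:
        verdict = "flood" if flood else "enumeration" if enum else "nothing"
    return {
        "verdict": verdict,
        "flood_sources": flood,
        "enumeration_source_count": len(enum),
        "flood_share": flood_share,              # fraction of all requests
        "records_exposed": len(records),         # distinct records served to enumerators
        "bytes_returned": sum(prof[ip]["ok_bytes"] for ip in enum),
    }


def constructed_log(flood=True, enumeration=True):
    """Constructed sample window: 3 sources hammering '/' and getting 503s,
    plus 50 low-rate sources each pulling 20 distinct /account?id=N records."""
    ts = "21/Oct/2015:21:05:00 +0100"
    lines = []
    if flood:
        for i in range(3):
            lines += [f'203.0.113.{i + 1} - - [{ts}] "GET / HTTP/1.1" 503 0'] * 1500
    if enumeration:
        rec = 100000
        for i in range(50):
            for _ in range(20):
                lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET /account?id={rec} HTTP/1.1" 200 1800')
                rec += 1
    return lines


if __name__ == "__main__":
    print(assess(constructed_log()))
```

In the constructed window the three flood sources account for over 80% of all requests, so a requests-per-second view shows only a denial of service; the 50 low-rate sources, each well under any sane rate limit, between them walk 1,000 distinct account records out of the server. Run over real logs the thresholds need tuning, and the record identifier has to be taken from whatever the application actually uses, but the shape of the check is the point: look at distinct records served and bytes returned per source, not just at volume.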

The use of DDoS as a distraction to mask attempts to penetrate a target network is not new but, until this year, published evidence and analysis of this attack mode was hard to find in the public domain. Symantec spoke about this kind of mixed-vector diversionary attack at the RSA conference in 2012, and banks and financial services companies have since been very wary of DDoS being used to mask data exfiltration.

In 2011, Sony said that it had evidence that the Anonymous hacktivist group used DDoS attacks as a smokescreen for data theft. Certainly Anonymous were using DDoS attacks against Sony at the time, but members of the group denied any connection between the DDoS attack and the penetration / hack that led to the theft of data. Coincidence, opportunism or conspiracy? Perhaps the two events were unrelated in the Sony case.

Regardless of when the first instance of DDoS as an ‘enhancement’ to other cyber threats took place, companies today must ensure that their DDoS and brute-force countermeasures are designed, deployed and tested alongside their traditional firewall, WAF and perimeter defences, and that a DDoS alert is treated as a reason to look harder at everything else, not as the whole of the incident.

The attackers are not going to worry about whether their attack is called a DDoS, a hack, or simply data theft and we need to design security systems and processes to cover the whole of the threat landscape, and not just bits of it.