DDoS + Breach = End of Business
Lessons Learned from Attack that Shuttered Code Spaces
A distributed-denial-of-service attack and subsequent data breach that led to the shuttering of source code hosting firm Code Spaces offers an eye-opening reminder: Beware of DDoS attacks used as a diversionary tactic to draw attention away from devastating hacking.
"With a DDoS attack, it's all hands on deck with security [staff] focused on it," says Rodney Joffe, senior vice president and senior technologist at security vendor Neustar. "They don't watch for other subtle things occurring in the background."
In addition to taking steps to mitigate the impact of DDoS attacks, organizations need to monitor for subsequent intrusions and ensure they have multiple backups to store mission-critical data that could potentially be exposed or deleted.
Defense against DDoS attacks should be considered a routine cost of doing business on the Internet, says Dan Holden, a director at Arbor Networks, a security firm. "No one is immune and the possible motivations of attackers leveraging DDoS are vast," he says. "This could range from cybercrime, geo-political disagreement or competitive takeout."
Code Spaces Attack
Code Spaces, in a message posted to the homepage of its website, says the DDoS attack against its servers and unauthorized access into the company's cloud control panel resulted in most of its data, backups, machine configurations and offsite backups being partially or completely deleted.
"Code Spaces will not be able to operate beyond this point," the company says. "The cost of resolving this issue to date and the expected cost of refunding customers who have been without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."
During the June 17 DDoS attack against Code Spaces' servers, an unauthorized individual gained access to the company's Amazon cloud control panel, leaving a number of messages for the company to contact the intruder using a Hotmail address.
"Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDoS," the company says.
As Code Spaces worked to regain control of the cloud panel by changing passwords, the intruder created multiple back-up logins. "Upon seeing us make the attempted recovery of the account, [the intruder] proceeded to randomly delete artifacts from the panel," the company says.
The incident took place over a 12-hour period, Code Spaces says. The company is now working on supporting affected customers and exporting back to them any remaining data stored with Code Spaces. "All that we can say at this point is how sorry we are to both our customers and to the people who make a living at Code Spaces for the chain of events that led us here," the company says.
Code Spaces did not immediately respond to a request for additional information.
The attack against Code Spaces points to the need for organizations to segment their core services and have multiple backups in place.
"You cannot depend on a sole service for your business continuity," says Michael Smith, a director at Akamai Technologies, a DDoS mitigation provider. "You need to put backups and business-critical data and functions in redundant services, locations and technologies so that they are not all impacted together."
What made the incident against Code Spaces particularly devastating was the combination of a DDoS attack and an intrusion into the company's systems.
"DDoS is survivable," Smith says. "For it to be a business-ending event it has to be combined with other attacks. The direct cause was the hacking attack against their administration panel and the unavailability of their service because the attackers deleted storage groups and backups which were located in the same place with the same administrative access."
One key issue was the fact that the backups for Code Spaces were accessible via the admin account, Joffe of Neustar says. "From the admin, the [hacker] was able to delete the backups or the mechanisms to get to the backups," he says. With the way backups work now, files are moved electronically to other locations online. "The problem is it's only electronically reachable," he says. "If you have all the credentials in your master account, whoever takes over has the ability to find those files."
As a result, there should be secure isolation between the administration domains of these systems, says Ashley Stephenson, CEO of Corero Network Security, "so that an attacker cannot compromise the backup or alternate site from the primary sites."
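The isolation point above can be checked mechanically. The following is an added example, not part of the original article and not Code Spaces' configuration: it takes a constructed inventory of data stores and the administrative domain that controls each one, and reports every dataset for which a single credential can delete all copies. The store names, domain names and principals are hypothetical.

```python
# Added example: the inventory below is constructed, not Code Spaces' real environment.
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    name: str
    role: str          # "primary" or "backup"
    dataset: str       # the data this store holds a copy of
    admin_domain: str  # account/provider whose administrators can delete it


def deleters(store, principals):
    """Principals holding admin rights in the domain that controls this store."""
    return {p for p, domains in principals.items() if store.admin_domain in domains}


def single_points_of_loss(stores, principals):
    """Map each dataset to the principals able to delete every copy of it.

    A dataset appears in the result only if at least one credential reaches
    the primary and all backups, i.e. one takeover is enough to lose it.
    """
    findings = {}
    for dataset in sorted({s.dataset for s in stores}):
        common = set(principals)
        for store in (s for s in stores if s.dataset == dataset):
            common &= deleters(store, principals)  # must reach every copy
        if common:
            findings[dataset] = sorted(common)
    return findings


# Constructed inventory: the "offsite" copy is still managed from the same panel.
STORES = [
    Store("repo-volumes", "primary", "customer-repos", "cloud-account-A"),
    Store("repo-snapshots", "backup", "customer-repos", "cloud-account-A"),
    Store("repo-offsite-copy", "backup", "customer-repos", "cloud-account-A"),
    Store("billing-db", "primary", "billing", "cloud-account-A"),
    Store("billing-archive", "backup", "billing", "backup-account-B"),
]
PRINCIPALS = {
    "panel-admin": {"cloud-account-A"},
    "backup-operator": {"backup-account-B"},
}

if __name__ == "__main__":
    for dataset, who in single_points_of_loss(STORES, PRINCIPALS).items():
        print(f"{dataset}: every copy deletable by {', '.join(who)}")
```

In this inventory only `customer-repos` is flagged: its three copies look redundant but share one administrative domain, while `billing` survives the loss of either credential.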
Organizations need to identify the types of attacks to which they're most vulnerable and develop steps to mitigate those threats, says Carl Herberger, vice president of security solutions at Radware. "This will help an organization see how, and, more importantly, if, they are covering the cyber-attack threats facing their environment.
"Today's cyber-attacks are not just a nuisance and they are not isolated simple events," Herberger says. "All too many believe that a cyber-attack is just about volumetric attacks and [all] you need to do is buckle down to weather a storm that will eventually pass. However, this event demonstrates how technical actions must be taken."