The Anatomy of a Blended Attack
What is a blended attack?
Depending on the context, a blended attack can refer to two different things. Generally speaking, a blended attack refers to the idea of using mixed techniques to invade one computer system to the next. Blended attacks, then, can include computer viruses, worms, and Trojan horses.
They typically exploit an initial security flaw and move on to perform additional network damage. Hackers launching blended attacks seek to maximize the speed and severity of damage performed.
In the context of the Open System Interconnection (OSI) model (which defines a networking framework to implement protocols in seven layers), a blended attack is defined a bit differently.
A blended attack in this model refers to sophisticated cyberattack campaigns that aim to distract network administrators by launching one kind of attack while simultaneously launching a second kind for a certain objective such as injecting malicious malware into the network to obtain financial information.
Why is a blended attack dangerous?
Blended attacks are highly effective because it exploits the weaknesses present in multiple vectors (e.g networks, web applications etc). For this reason, a blended attack is often correlated to DDoS attacks. Because DDoS attacks can generally be divided into three broad categories including volume-based attacks, protocol attacks, and application layer attacks, hackers have a broad range of vectors to infiltrate.
By blending network and application layer attack techniques, a large amount of traffic can be generated to consume significant bandwidth and attackers can intensify the damage by executing further complex actions that consume server resources. The target pool also widens, posing a threat to not just website owners and network administrators but the average internet user as well.
Carried out as a single, sustained attack, blended attacks can throw off detection services and also bypass certain security firewalls since the basic attack types are cleverly masked.
For example, a blended attack combining an application layer attack with lower volumes of traffic can be quite effective. This is because low-traffic volume application layer attacks can bypass detection by traditional DDoS detection methods, providing a gateway for a second leg of the blended attack to gain access into the network.
But it doesn’t have to be so complicated. A blended attack can also be comprised of other mixed techniques. For example, hackers can use DDoS attacks combined with phishing methods.
On a banking site, a hacker can successfully bring down a website through a DDoS attack and then send phishing emails, apologizing for the inconvenience to its customers but sneak a link within the email that redirects them to a malicious site to steal their information.
What can be done?
In protecting against a blended attack, utilizing services like ISP and CDN alone will not suffice. An ISP can protect layer 3 and 4 and can assist in stopping a high-volume packet flood but cannot fend off advanced layer 7-based attacks.
Because web applications are practical targets for hackers, the application layer needs added protection. Small and mid-sized and larger enterprises who are concerned with blended attacks will thus require solid protection by upgrading their existing ISP firewalls, installing a WAF to safeguard the application layer, and implementing advanced DDoS Protection that protects layers 3, 4, and 7.
If blended attacks are dodging detection, companies must rethink their cyber security strategy by refocusing their current defenses for network and application-level services. It will also mean their cyber defense moving forward will require a “blended” solution, meaning multiple elements for effective cyber defense is necessary for attacks to be detected and stopped.