Light Dark
December 3, 2021 By Jonathan Reed 4 min read
Data Protection
Incident Response
Risk Management
Security Services

As soon as the Oct. 4 Facebook mega outage took place, questions about the cause ran rampant. Was it a cyber crime or a technical glitch?? Who was at fault?

The outage reportedly resulted in the loss of some $60 to $100 million dollars of revenue, and Facebook’s stock plunged 4.9% on the same day. That’s a total of $47.3 billion in lost market cap.

So what’s the difference between a cyber attack and a technical problem? The Facebook outage and other cyber attack examples help us find out.

Looks Like a Cyber Crime

Commenting about the outage, Santosh Janardhan, Facebook VP of Infrastructure said, “The end result was that our DNS servers became unreachable even though they were still operational. This made it impossible for the rest of the internet to find our servers.”

This case wasn’t a cyber crime. During routine maintenance, a command was issued to assess the availability of Facebook’s global backbone network capacity. An error took down the entire network, which disconnected all Facebook global data centers. In addition, a bug in an audit tool prevented anyone from detecting and deterring the command.

The end result was a total break of Facebook server connections between its data centers and the internet.

Real Cyber Crime

On the surface, a DNS flood (a type of distributed denial of service or DDoS attack) might look just like Facebook’s technical error. DNS flood attacks use high bandwidth connections from Internet of Things (IoT) devices to directly overwhelm and jam DNS servers. The flood of requests from IoT devices overwhelms the DNS provider’s services, which prevents real users from accessing the servers.

DDoS attacks deliver massive internet traffic by taking over multiple compromised computer systems as sources of attack traffic. Some attackers who launch this kind of cyber crime can use a mix of IoT and computers.

Still, to overflow Facebook would require a digital tsunami of unheard proportions. Facebook’s bandwidth and interconnectivity is so huge, it can absorb most large-scale attacks. Most likely, Facebook has a very large and highly distributed DNS system. It can probably monitor, absorb and block nearly any sized DDoS attack traffic.

When Is it a Cyber Crime, and When Is it a Tech Glitch?

In the case of a DNS-related failure, DDoS attacks come with huge traffic spikes. Any incident that isn’t a cyber crime would likely appear with normal traffic patterns.

Meanwhile, cyber threat intelligence can pick up on chatter about attacks of many kinds. Cyber threat intelligence analysis focuses on the triad of actors, intent and capability. It considers attacker tactics, techniques & procedures, motivations and access to the intended targets. In some cases, defenders may also use machine learning to monitor and predict threats.

If something has damaged your systems, besides fixing the problem, it pays to deploy attack detection tactics. For instance, check your firewalls. Has something disabled their rules? Does your network seem slow? Malware might be siphoning bandwidth. Have user accounts suddenly accessed areas in your network where they are not allowed? Identity and access management (IAM) tools are very useful for detecting and preventing strange user behavior.

IAM software uses machine learning and artificial intelligence to analyze parameters, such as user, device, activity, environment and behavior. By assigning an adjustable risk score, it can determine whether or not to grant access.

Sadly, depending on the types of cyber crime, you may never discover them until threat actors demand a ransom, claim the attack or begin selling sensitive data on the darknet.

Incident Recovery

When it comes to mopping up the damage, each technical issue will have its work defined. For the recent Facebook outage, they needed to figure out why a routine maintenance command took out the entire network. Plus, they need to check out the audit tool bug. And was that audit tool defective or disabled by an attacker?

Along more general lines, in the case of a cyber crime, you should be concerned about data theft, malware added to your systems, lingering back doors and web shells that could continue to provide access.

In the case of technical issues, think about physical failure, repeat failures and downstream damage to other systems.

Harden Against Both Problems

For technical glitches and cyber crime failures, you want the best incident response possible. Facebook’s Janardhan commented on this. He said:

“We’ve done extensive work hardening our systems to prevent unauthorized access, and … hardening slowed us down as we tried to recover from an outage caused not by malicious activity, but an error … I believe a tradeoff like this is worth it — greatly increased day-to-day security vs. a slower recovery from a hopefully rare event like this.”

He went on to emphasize the importance of strengthening testing, drills and overall IT resilience. For more specific issues, proactive offensive and defensive security could make all the difference, such as:

  • Penetration testing – Directly seek out and identify real vulnerabilities in your networks and infrastructure
  • Adversary simulation – Operators build their own attack tools to mimic real-world advanced attackers
  • Vulnerability management – Scan and prioritize vulnerability data using an automated ranking engine.

Coming Clean

For any cyber crime response, especially where sensitive personally identifiable information is concerned, timely and accurate communication is critical. This not only serves to preserve the brand reputation, but regulatory agencies require full disclosure.

For example, according to GDPR: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority….”

Note that in this massive outage, Facebook didn’t have to say anything. What happened was self-evident. Still, on the same day they posted a statement. Until you’re sure, it doesn’t pay to even speculate on the cause of the problem until your research is complete.

It’s critical to have a disaster response strategy and team in place at all times. They should practice their response so if an incident occurs, nobody moves without a pre-established plan and chain of command.

In most cases, it pays to talk openly about it as early as possible. Delays only make it look like you’re trying to cover up something. The post-incident messaging should be clear and concise. Tailor your messaging to satisfy regulators, respect the customer’s right to know and preserve brand integrity. They’ll want to know whether you suffered a cyber crime or a technical glitch too. Telling them up front will help secure their trust, too.

 |  |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature