Distributed Denial of Service attacks result in damaging consequences, perhaps most notably lowered customer confidence and lost revenue. And this year, a new DDoS trend has emerged that is making them even scarier – they're going undetected, with 96% of attacks taking place in less than half an hour and some lasting just a few minutes.

A DDoS Trends and Analysis Report from the Hudson, Mass.-based Corero Network Security highlights this new trend in DDoS attack activity: quick-hitting DDoS attacks and partial link saturation attacks.

Targeted DDoS attacks are also growing quickly. Within each vertical market, there are variations in the motivations behind DDoS attacks, including cyber terrorism, political or ideological intentions, fraud, ransom, monetary gain, data exfiltration attempts and even competitive advantage gains. The drivers are endless, and the attacks keep on coming.

The published data points derived from large-scale DDoS attacks represent only a fraction of DDoS traffic that organizations face on a daily basis, according to Corero, and the company said these new, short bursts of damaging DDoS attack traffic require more monitoring than prolonged events do.

"There have been many unattributed breaches, and the large financial organizations shrug their shoulders and say it's social engineering, and the reason they say that is because they spend hundreds of millions of dollars on their security perimeter annually, and their security perimeter saw nothing," Dave Larson, CTO and vice president of product for Corero Network Security, said. "What our report and statistics are saying is that it would be naïve to attribute all attacks to social engineering attacks just because you spend a lot of money on your security perimeter. It is easy to see if you look for it."

Based on an analysis of Q4 2014 customer data, Corero found that attackers are evolving their use of DDoS attacks to circumvent companies' cybersecurity solutions, disrupt service availability and infiltrate victim networks.

"DDoS attacks are often used as a distraction technique for ulterior motives," Larson noted. "They're not always intended for denying service, but rather as a means of obfuscation, intended to degrade security defenses, overwhelm logging tools and distract IT teams while various forms of malware sneak by."

In Q4 2014, 87% of attack attempts against Corero's customers were less than one gigabit per second in peak bandwidth utilization, while another 10% of attacks were between one and five gigabits per second. These attacks are intended to partially saturate Internet links and distract corporate security teams while leaving enough bandwidth available for a subsequent attack, which then infiltrates the victim's network and accesses sensitive customer data or intellectual property.

Corero stated that for organizations that rely on out-of-band defenses or anti-DDoS scrubbing lanes, it can take up to an hour to effectively switch to a cloud-based DDoS mitigation solution and to re-route traffic following an identified attack. This slower response time means that cloud-based DDoS defense tools could completely miss an attack, and cause organizations to suffer the very outages those solutions were intended to prevent.

The average length of data center downtime due to a DDoS attack is 86 minutes, and the cost per minute during this downtime is $8,000, according to research conducted by the Ponemon Institute.

While volumetric DDoS attacks are easier to identify and often garner the most attention, Corero found that attackers are beginning to leverage more adaptive and multi-vector attacks against their targets. This enables them to profile a victim's network security defense strategy and subsequently launch additional attacks that can bypass the organization's cybersecurity defenses.

"With 96% of DDoS attacks lasting 30 minutes or less, by the time an on-demand defense has been engaged, it is already too late and the damage has been done," Larson said.

DDoS attacks have threatened service availability for more than a decade. However, more recently, they have become increasingly sophisticated and multi-vector in nature, overpowering traditional defense mechanisms and reactive countermeasures, Larson said.

"As our customers' experiences indicate, the regularity of these attacks simply highlights that there is a growing need for protection that will properly defeat DDoS attacks at the network edge, and ensure the accessibility required for the Internet connected business, or the Internet providers themselves," he noted.

To defend against both traditional and evolving DDoS attack methods, Corero recommends credit unions pursue the following measures:

  • Consider implementing technology to detect, analyze and respond to DDoS attacks by inspecting raw Internet traffic at line rate.

  • Introduce a layered security strategy, focusing on continuous visibility and security policy enforcement to establish a proactive, first line of defense capable of mitigating DDoS attacks.

  • Ensure complete application and network layer visibility into DDoS security events. This allows for forensic analysis of past threats and compliance reporting of security activity.

"Our technology is usually deployed as an always-online protection mechanism in front of routers, firewalls, IPSs and server layers," Larson explained. "The DDoS landscape has morphed and the attackers are aware that some equipment only sees large spikes so they are able to do stuff under the thresholds to avoid detection."
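The detection gap described above can be shown with per-minute bandwidth samples. The following is an added example, not code from Corero's report or product: it compares a fixed "large spike" threshold with a baseline-relative check on an eight-minute burst that stays under 1 Gbps. The link capacity, thresholds and traffic series are constructed assumptions.

```python
from statistics import median

LINK_CAPACITY_MBPS = 10_000                    # assumed 10 Gbps uplink
STATIC_ALERT_MBPS = 0.8 * LINK_CAPACITY_MBPS   # assumed "large spike" threshold

def static_alerts(samples):
    """Minutes at which a fixed, capacity-based threshold fires."""
    return [i for i, v in enumerate(samples) if v >= STATIC_ALERT_MBPS]

def baseline_alerts(samples, window=30, k=6.0, floor=25.0):
    """Minutes whose rate exceeds trailing median + k * MAD.

    Flagged minutes are kept out of the baseline so a burst cannot
    teach the detector that attack traffic is normal.
    """
    history, flagged = [], []
    for i, v in enumerate(samples):
        if len(history) >= window:
            recent = history[-window:]
            med = median(recent)
            mad = median(abs(x - med) for x in recent)
            # floor keeps the margin sane when traffic is very steady
            if v > med + k * max(mad, floor):
                flagged.append(i)
                continue
        history.append(v)
    return flagged

def group_bursts(minutes):
    """Collapse flagged minutes into (start_minute, duration) pairs."""
    bursts = []
    for m in minutes:
        if bursts and m == bursts[-1][0] + bursts[-1][1]:
            bursts[-1] = (bursts[-1][0], bursts[-1][1] + 1)
        else:
            bursts.append((m, 1))
    return bursts

def constructed_traffic():
    """Constructed inbound Mbps per minute: ~300 baseline, 8-minute 900 Mbps burst."""
    samples = [300 + (i * 37) % 41 - 20 for i in range(120)]
    for i in range(60, 68):
        samples[i] = 900
    return samples

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("static threshold alerts:", static_alerts(traffic))
    print("baseline bursts (start, minutes):", group_bursts(baseline_alerts(traffic)))
```

The fixed threshold never fires on this series, while the baseline check reports a single burst with its start minute and duration, which is the record needed for later forensic review.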

Corero also conducted a survey at the U.S. RSA Conference 2015 and Infosecurity Europe, and found that more than half of IT security professionals (52%) said loss of customer trust was the most damaging consequence of DDoS attacks for their businesses. In addition, 22% indicated that DDoS attacks have directly impacted their bottom lines, disrupting service availability and impeding revenue-generating activity.

One-fifth of respondents cited by Corero described a virus or malware infection as the most damaging consequence of a DDoS attack, and 11% indicated that data theft or intellectual property loss because of a DDoS event is highly concerning.

Nearly half of those surveyed admitted to responding reactively to DDoS attacks. When asked how they knew that they suffered from a DDoS attack, 21% cited customer complaints of a service issue, while 14% said the indicator was an infrastructure outage (for example, their firewalls went down). Another 14% said application failures, such as website outages, alerted them to the DDoS event. In contrast, 46% were able to spot the problem in advance by noticing high bandwidth spikes – an early sign of an imminent attack – through using other network security tools.

"Real-time protection is really the only way to proactively combat the DDoS attacks targeting businesses," Larson noted. "Using scrubbing centers to mitigate DDoS attacks off-site is a game of cat and mouse."

Approximately 50% of respondents rely on traditional IT infrastructure, such as firewalls or intrusion prevention systems, to protect against DDoS attacks, or they depend on their upstream provider to deal with the attacks. Only 23% of those surveyed have dedicated DDoS protection via on-premises, appliance-based technology or from an anti-DDoS cloud service provider. However, it appears that many organizations are more in tune with the ramifications of DDoS attacks, as 32% indicate that they have plans to adopt a dedicated DDoS defense solution to protect their business better in the future.

What's more, DDoS attacks are becoming increasingly potent and are some of the most frequent types of cybersecurity incidents – 18% of respondents cited the attacks in a U.S. State of Cybercrime Survey, a collaborative effort with PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service.

And, a Verisign report found that DDoS attacks against the financial services industry doubled during Q4 of 2014 to account for 15% of all attacks. During Q1 of 2015, 18% of DDoS attacks took place within the financial services industry.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).