"The attackers will bring down a website, get the IT people focused in a certain direction, tie up their resources on the DDoS attack while a more sophisticated breach is performed with no one paying attention," Gaffan said.
A decoy attack could also be used in conjunction with a phishing attack, he added. For example, a phishing message could be sent to a bank's customers asking them to use an alternative URL because the bank is having trouble with its common web address. A recipient may follow good security practices and paste the common URL for the bank in his browser.
Because the bank is under a DDoS attack, however, he can't connect to the institution, he said. So, in desperation, he clicks on the URL in the phishing message and gets infected.
Those kinds of misdirection DDoS attacks, though, haven't become mainstream. "They are occurring, but they're relatively rare," said Daniel Peck, a research scientist at Barracuda Networks.
The IBM report also questioned the dedication of many organizations to sound security basics. "Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice," the researchers wrote.
"Attackers seem to be capitalizing on this 'lack of security basics' by using a model of operational sophistication that allows them to increase their return on exploit," they wrote.
"The idea that even basic security hygiene is not upheld in organizations leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals," the researchers wrote.
Barry Shteiman, senior security strategist with Imperva, said in an interview that the lack of adherence to basics could be due to a fundamental misunderstanding of security by companies. "They don't understand the difference between a safety belt and auto insurance," he said. "They don't understand that it's more important to protect themselves than to preserve their reputation after a breach has been made."