DDoS: a seven-point action plan
By Rakesh Shah.
Distributed denial of service (DDoS) is no longer just a service provider problem, far from it: for many organizations it is a very real business continuity issue.
DDoS attacks have become something close to an epidemic for organizations of every kind. Why? The stakes keep rising, and the publicity that a successful attack attracts draws in attackers with a wide range of motivations.
Recently, many attacks have been politically or ideologically motivated. The attackers want to make a statement and make headlines (causing plenty of headaches along the way), much as a sit-in or a strike would in the 'offline' world.
This breed of attacker targets high-profile organizations to ensure that his or her grievances are heard, and few targets are as high profile, or as critical to the economy, as financial services.
A case in point is Operation Ababil, a politically motivated DDoS campaign against banking institutions that started in September 2012. Led by a group calling itself the Cyber Fighters of Izz ad-Din al-Qassam, the campaign has come in multiple waves, each larger, broader and more sophisticated than the last.
Analysis shows that these attackers study their targets' defences and adjust their methods with each wave to evade the financial institutions' mitigation. No enterprise risk assessment or business continuity plan is complete today without accounting for the risk that DDoS attacks represent.
To mitigate the growing threat of DDoS attacks, CISOs should follow this seven-point action plan:
1. The best defense is purpose-built
Because DDoS attacks are complex and often multi-vector, the optimal defense is an intelligent DDoS mitigation system, deployed on-premises, that can detect an attack and apply several layers of countermeasures before it escalates. Traditional IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they were designed to solve problems that are fundamentally different from dedicated DDoS detection and mitigation. An IPS blocks break-in attempts that lead to data theft; a firewall enforces policy to prevent unauthorized access to data. To do those jobs they keep per-connection state, and that state is exactly what a state-exhaustion attack (a TCP SYN flood, for example) targets, so the firewall or IPS in front of the servers can be the first device to fall over. Know the connection-table limits of every stateful device in the attack path before an attack, not during one.
2. Defend upstream
A financial institution will never have enough on-premises bandwidth to absorb a large volumetric attack, one aimed at saturating its Internet links with traffic; once the link itself is full, nothing deployed behind it can help. Here the best defense is protection at the cloud or service-provider level, where attack traffic can be diverted to a mitigation center and scrubbed before clean traffic is returned to the institution.
3. Know who to contact
It may seem surprising that basic contact information can be a roadblock to effective mitigation, but it often is. One company suffered ninety minutes of total downtime from a DDoS attack, and spent the first forty of those minutes just getting all the parties, internal teams and providers alike, onto a conference call to discuss mitigation. The revenue loss was estimated at $1.7M, and the damage to the brand was significant, as paying customers were unhappy about the outage.
As this example shows, you must know in advance who within your organization, your service provider and your managed security partner will help, and how to reach them, including out of hours. Without this information, your ability to respond is already compromised.
4. Develop a whitelist
If you have a large number of repeat users and important customers, develop a whitelist of their source addresses (ideally as network prefixes rather than individual hosts) so that their traffic is passed during an attack even if everything else must be dropped or rate limited. Because a source address can be forged, apply the whitelist only after any anti-spoofing check your mitigation performs, such as requiring a completed TCP handshake; otherwise an attacker who learns a whitelisted range can use it to bypass the filtering.
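A concrete way to apply this rule, as an added example that is not from the article or from any Arbor Networks product: the Python below keeps a prefix whitelist and, when the operator switches on attack mode, passes whitelisted sources unconditionally while every other source is held to a per-address token bucket. The prefixes, the rate, and the traffic sample are all constructed for the illustration (the addresses are RFC documentation ranges, not real customers); the class and function names are the example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed whitelist of prefixes for key customers and partners.
# RFC 5737 / RFC 3849 documentation ranges stand in for hypothetical
# real customer blocks; none of these come from the article.
WHITELIST = [
    ipaddress.ip_network("203.0.113.0/24"),    # hypothetical: large corporate customer
    ipaddress.ip_network("198.51.100.7/32"),   # hypothetical: payment partner gateway
    ipaddress.ip_network("2001:db8:10::/48"),  # hypothetical: IPv6 customer block
]


class AttackModeFilter:
    """Per-request decision for a source address.

    Outside attack mode everything is allowed. In attack mode a whitelisted
    source is passed unconditionally; every other source is limited by its
    own token bucket, so one flooding address is dropped while light traffic
    from unknown users still gets through. Time and tokens are integers
    (milliseconds and millitokens) so the arithmetic is exact.
    """

    COST = 1000  # millitokens charged per request

    def __init__(self, whitelist, rate_per_sec=5, burst=10):
        self.whitelist = list(whitelist)
        self.rate = int(rate_per_sec)         # millitokens refilled per millisecond
        self.capacity = int(burst) * self.COST
        self.buckets = {}                     # src -> (millitokens, last_seen_ms)

    def is_whitelisted(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False
        return any(addr in net for net in self.whitelist if net.version == addr.version)

    def _take_token(self, src, now_ms):
        tokens, last = self.buckets.get(src, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= self.COST:
            self.buckets[src] = (tokens - self.COST, now_ms)
            return True
        self.buckets[src] = (tokens, now_ms)
        return False

    def decide(self, src, attack_mode, now_ms):
        """Return 'pass' (whitelisted), 'allow' (within limit) or 'drop'."""
        try:
            ipaddress.ip_address(src)
        except ValueError:
            return "drop"  # a malformed source address is never a real customer
        if self.is_whitelisted(src):
            return "pass"
        if not attack_mode:
            return "allow"
        return "allow" if self._take_token(src, now_ms) else "drop"


def simulate(events, attack_mode, flt=None):
    """Run (timestamp_ms, src) events through the filter; return per-source outcome counts."""
    flt = flt or AttackModeFilter(WHITELIST)
    counts = defaultdict(lambda: {"pass": 0, "allow": 0, "drop": 0})
    for now_ms, src in events:
        counts[src][flt.decide(src, attack_mode, now_ms)] += 1
    return {src: dict(c) for src, c in counts.items()}


# Constructed traffic sample: 100 requests in one second from a flooding
# source, 3 from a whitelisted customer, 3 from an ordinary unknown user.
SAMPLE = (
    [(i * 10, "192.0.2.55") for i in range(100)]
    + [(100, "203.0.113.42"), (500, "203.0.113.42"), (900, "203.0.113.42")]
    + [(200, "198.51.100.200"), (600, "198.51.100.200"), (950, "198.51.100.200")]
)

if __name__ == "__main__":
    for src, outcome in simulate(SAMPLE, attack_mode=True).items():
        print(src, outcome)
```

Run as a script it prints the per-source outcome in attack mode: the flooding source gets 14 requests through in its first second (the burst of 10 plus the refill) and 86 dropped, the whitelisted customer passes every request, and the ordinary user's three requests are allowed. Two things the example deliberately leaves out, and a real deployment must add: validate the source address before consulting the whitelist (a forged whitelisted source would otherwise bypass the limiter), and bound the number of buckets, since an attacker spreading a flood across many addresses would otherwise grow the table without limit.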
5. Draw up an incident-handling process and practice
Insist on a documented process for interacting with any managed security service providers (MSSPs). It gives structure to an incident when stress levels are high, enabling a quick response and stopping people from taking risks with security in an effort to solve the problem. Once an incident response plan is in place, rehearse it, both internally and with service providers, so that the response is coordinated and every party can act quickly and effectively.
6. Beware of smoke screens
What appears to be one kind of attack may simply be the means to a deeper, more destructive goal. An identified DDoS attack, for instance, may be a smoke screen while attackers attempt to steal proprietary customer information and intellectual property. In August 2013 it was reported that three banks were plundered during DDoS distractions: an application-layer DDoS attack diverted the banks' attention and resources away from fraudulent wire transfers taking place at the same time. This is by no means unique, so keep fraud and intrusion monitoring fully staffed during a DDoS incident rather than pulling everyone onto the mitigation effort.
7. Strength in numbers
Participating in information sharing within the sector and with external parties, such as vendors, ISPs, regulators and law enforcement, helps identify new threats and best-practice approaches before they reach you.
The author: Rakesh Shah is senior director of product marketing & strategy at Arbor Networks.
Date: 4th April 2014 • US/World • Type: Article • Topic: ISM