Barry Greene, Co-founder and Chief Technical Officer, GETIT
Preparing for DDoS is sobering. Security advice is inundating Board members, CXOs, and professionals. This security FUD is often confusing, contradictory, and is always biased toward “buying something.” DDOS information overload leads to a paralysis of action which is the worst thing that can happen to an organization. In a way, the CXOs of the world are getting a “denial of service” based on all the good “security advice” from the industry.
At this point, it is natural to think your organization might need to hire security or DoS expert. As a first step, jumping in and hiring a “security expert” is a mistake. Yes, security expertise should be sought, but that comes later. The first step is for Executive Management to allocate time for the existing team to focus on security. Time is the No.1 investment in security that any CXO can authorize, prioritize and demand. The people who know your network, your business and your operations are in your organization now. They are smart, dedicated, overwork, and saturated. They would be the best experts who would know the security and business risk to your network. The first thing they will need is time.
1. To figure out what could be targeted by a DDOS attack
2. To figure out what is most important to keep alive during a DDOS attack
3. To review the existing tools in your network to protect those “critical services”
4. To build response plans and to complete DDOS preparation checklist.
For example, why hire a “DDOS expert” to tell you which services are critical to your business operations? If you pull your team into a conference room and say “we have a DDOS that just choke up our entire Internet links,” that same team would be able to brain dump the operational and business impact to the company. That same team would be able to list out which services need to be restored first, second, third, to get the business back in operation. This exercise is one of the first exercises a “DDOS Consulting” would conduct to find the critical services that need protection. The CXO does not need to spend money to get this list. The CXO needs to prioritize time to tap into the experience of the existing team.
So what’s next? Start with a full day “off-site” Tabletop Exercise on DDOS Defense. Tabletop exercises are extremely useful tools in the security work. There are multiple ways of conducting these workshops. Assign one or two people on the team who are good facilitators to do searches on the Internet for “DDOS Tabletop Exercises.” There is a range of materials available that are freely downloaded. In many cases, the materials include the author’s E-mail and will respond to questions. Some groups like US-CERT and other FIRST Teams will provide packaged “DDOS Tabletop Exercises” for free.
The essential skills needed for a successful tabletop exercise are good meeting facilitator and a good note taker. They do not need to be experts at DDOS. The facilitator keeps everyone talking, everyone contributing; everyone motivated to explore all the nasty ways the organization can be DDOSed. The note taker is at the whiteboard documenting all the observations, ideas, and actions. Sometimes, having one other person on a computer using a mind mapping tool like Freemind will help to structure the ideas. If the team needs to be inspired, they can go to YouTube and search for “DDOS, NANOG.” The North American Network Operations Group (NANOG) is one of several Operation Groups who gather, consult, and discuss how to keep the Internet glued together. DDOS is a frequent topic. With all the sessions taped and public, these operations meetings are a great source to get to unbiased insight. The sessions are professional, honest, and not vendor pitching. They are great tools to inspire and inform during a DDOS tabletop exercise and they are also free.
At the end of the tabletop exercise, the existing team would have a better understanding of the DDOS threat vectors and rough ideas for how they might protect the critical business services. Again, the key element is time. A DDOS Tabletop exercise requires an investment of time.
Next, this same team starts to pull in all the existing vendors. The objective is to use the list of critical services and the information gained from the tabletop exercise to find out what tools exist not to protect against DDOS attacks. Start with the Service Providers that provide Internet access. Then pull in all the network vendors, security vendors, and server vendors. Buying new anti-DDOS countermeasures takes time. DDOS attack can happen anytime so it is best not to wait. There are always things that can be done in a network today that will add DDOS resilience. Most of these things do not require additional cost. They just need additional time to plan, test, and deploy a new configuration.
Once these things are done, you will be ready to hire help to build additional DDOS resilience into the business. This will be done with an existing team who have had the time and support from their CXOs to focus. They will be motivated because their vast experience of the network they built and operated has been honored. The action plan to build additional DDOS resilience will be focused and cost effective. Don’t jump into buying DDOS expertise and solutions. The best security investment any CXO can do is dedicate time for the existing team to become security experts.