Robb Reck, CISO,
Distributed Denial of Service (DDoS) attacks are at an all-time high and companies across every vertical are feeling the pain. The internet has been weaponized and is being used to disable and disrupt the services and products delivered over it. DDoS is a parasite that is damaging the internet from the inside out. What if the time and money you spent on data center redundancy and your strategies for site failover were rendered ineffective because a DDoS took it all offline in a matter of moments, leaving you unable to service your customers or generate revenue?
“The goal for any organization should be to invest the right amount of time and money into protections to manage risk appropriately”
DDoS attacks are increasing not only in frequency but also in size and complexity. With many attacks leveraging weaknesses across multiple internet protocols at once, the time and effort required to identify and apply a mitigation strategy has increased dramatically. The questions then follow: How long will the attack last? Which of our impacted services are most important? How much revenue have we lost? How will our clients view the stability of our relationship as a partner? It is enough to make any leader lose sleep at night.
Real Life Consequences - Protonmail
Protonmail, an encrypted email service provider, chronicled their own plight recently when their infrastructure was attacked by two separate DDoS groups. These attacks crippled their website and effectively shuttered the company for almost a week. Protonmail noted that the attack that targeted their environment “exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes.” It impacted not only Protonmail’s ability to deliver their service, but also dozens of other companies caught as collateral damage.
Motivation behind DDoS
The motivation behind a DDoS attack generally falls into one of three categories: financial gain, political agenda, or mischief.
The use of cyber-attacks for financial gain should not surprise anyone, as this has been the primary intent of malicious cyber activity for over a decade. Where DDoS lends an interesting twist is that the value to the cybercriminal is not in dropping malware, phishing, or stealing credentials or data. It comes in the form of extortion and corporate espionage. During, or even before, an attack it is not uncommon for the people behind it to demand a ransom payment either to prevent the attack from occurring or to stop it once it has started. Paying the ransom is a double-edged sword, however, because you are effectively negotiating with criminals at that point: there is no guarantee they will stop the attack once payment is received, and an initial small payment may simply invite further demands. Competitors may also use DDoS to promote a negative image of your brand, building distrust in your ability to deliver service and driving business away. It is widely accepted that this is common practice in some highly competitive markets, such as online gambling.
With the rise of (loosely) organized DDoS groups like Anonymous, Lizard Squad, and DD4BC, along with the availability of free and low-cost DDoS-as-a-service tools, the barrier to entry for someone who wishes to engage in this type of activity is quite low. This has made DDoS the weapon of choice for many who wish to attack for fun, to wreak havoc, or to squelch a vocal online minority. An example occurred in June of this year when many Canadian government websites and systems were taken offline by DDoS in response to bill C-51, which aimed to enact a number of measures including banning the promotion of terrorism and expanding the powers of the Canadian Security Intelligence Service (CSIS).
What you should do about it
It is essential that IT leaders prepare their organizations for this threat. The goal for any organization should be to invest the right amount of time and money into protections to manage risk appropriately. Too little investment leaves us vulnerable to unacceptable loss from an attack, but too much investment takes resources away from other critical risks. These four steps provide a framework for protecting your organization.
Business impact analysis (BIA). The goal of a BIA is to survey the corporate resources that could be attacked from outside and determine what the impact to your company would be if they were taken offline. At the very least, come up with a relative impact rating to help you determine which resources are most critical to your organization.
Be careful not to overlook supportive systems. Your customer-facing website may be the highest profile resource, but there are likely other resources required to maintain that website. VPN concentrators, DNS servers, and load balancers are just some of the infrastructure components that may be essential for the customer-facing site to function, and could be targeted by attackers.
Assign recovery time objectives (RTO). RTO quantifies how long your business is willing to go without this resource. It gives you success criteria by which to evaluate your DDoS protection controls. The lower the RTO the more controls you will need to put in place to protect the resources, so making the decision to give everything an RTO of 0 is not only extremely expensive, it’s also impractical. The assignment of RTOs should be performed in coordination with the company’s executive team. This will ensure the RTOs align with the senior leadership’s desires and may make it easier when you request budget for DDoS controls.
Implement solutions. Next, design and implement solutions that make those RTOs achievable. Effective DDoS mitigation requires people, process and technology wrapped together; purely technical solutions are unlikely to be sufficient. Some DDoS mitigation technologies affect the performance or usability of the services they protect, so they may be better left disabled until an attack is under way. Many third-party scrubbing services charge based on the volume of data sent through their environment, so an always-on approach gets expensive very quickly.
Consider a tiered approach to DDoS mitigation.
1. On the simplest end, look at the DDoS protection options built into your firewall, web application firewall or other networking equipment. These can help with some of the simplest attacks.
2. Dedicated on-premises DDoS mitigation appliances are generally much more effective than the defenses built into your existing network gear. While on-network protections are essential for continuous protection, they can only do so much: a large-scale DDoS can easily saturate your internet pipe and make your resources unavailable regardless of what sits behind it.
3. For the largest attacks it makes sense to partner with a third-party scrubbing company. In the event of a volumetric attack you swing your traffic to the third party; these companies have huge internet connections that can absorb the attack traffic, filter out the bad, and send the clean data on to you.
Whichever technical solutions you choose, be sure to wrap the appropriate personnel and processes around them. Employees need to know how to recognize an attack, how to enable any protections that aren’t always on, and how to restore the environment to normal operations.
Test your solutions. Optimally, try to perform a series of tests, starting with small discrete tests that focus on validating specific parts of your tiered approach. Discrete tests could include:
• Do your firewall’s controls successfully prevent SYN flood attacks?
• Does your on-site DDoS appliance successfully prevent low volume attacks?
• Can you determine whether resource performance issues are benign anomalous behavior or indicate an ongoing attack?
• Is your staff able to respond to attacks and route traffic to your third party scrubbing service quickly enough to support your RTO?
• Is your scrubbing vendor able to mitigate high volume attacks and provide a clean stream of data to your infrastructure?
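The third check above, telling a benign anomaly from an attack, is easier to reason about with concrete logic. The following is an added example, not code from the article or from any product it mentions: it classifies fixed time windows of TCP traffic as normal, a benign surge (a flash crowd whose clients complete the three-way handshake) or a SYN flood (a burst of SYNs, typically from spoofed sources, that never complete). The record format, the sample traffic and the thresholds (ten times a baseline SYN rate, at least half of SYNs completing) are all assumptions made for the example.

```python
"""Added example (not from the article): distinguish a benign traffic surge
from a SYN flood by looking at handshake completion, not just SYN volume."""
from collections import defaultdict

# Assumed record format (constructed for this example, not a real log product):
#   "<epoch_seconds> <src_ip> <dst_ip>:<dst_port> <tcp_flags>"
# where flags are S (SYN), SA (SYN/ACK) or A (ACK).


def parse_line(line):
    """Parse one record into (timestamp, src_ip, dst_ip, dst_port, flags)."""
    ts, src, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(ts), src, dst, int(port), flags


def window_stats(lines, server_ip, window=10):
    """Aggregate client->server segments into fixed-size time windows.

    A handshake counts as completed when a source that sent a SYN later
    sends a bare ACK (the third packet). Spoofed flood sources never do.
    """
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "sources": set()})
    pending = set()  # sources with a SYN not yet followed by an ACK
    for line in lines:
        ts, src, dst, _port, flags = parse_line(line)
        if dst != server_ip:
            continue  # server->client segments (e.g. SYN/ACK) are not counted
        w = ts // window
        if flags == "S":
            stats[w]["syns"] += 1
            stats[w]["sources"].add(src)
            pending.add(src)
        elif flags == "A" and src in pending:
            stats[w]["completed"] += 1
            pending.discard(src)
    return dict(stats)


def classify(stat, window, baseline_syn_rate, surge_factor=10.0, min_completion=0.5):
    """Verdict for one window. Thresholds are illustrative assumptions:
    a window is suspicious when its SYN rate exceeds surge_factor x baseline;
    it is a SYN flood when, in addition, fewer than min_completion of those
    SYNs were followed by the client's ACK (half-open connections pile up)."""
    rate = stat["syns"] / window
    completion = stat["completed"] / stat["syns"] if stat["syns"] else 1.0
    if rate < baseline_syn_rate * surge_factor:
        verdict = "normal"
    elif completion < min_completion:
        verdict = "syn_flood"
    else:
        verdict = "surge"  # e.g. a flash crowd: many SYNs that all complete
    return {"verdict": verdict, "syn_rate": rate,
            "completion": round(completion, 2),
            "distinct_sources": len(stat["sources"])}


def analyze(log_text, server_ip, window=10, baseline_syn_rate=1.0):
    """Map each window index to its verdict and supporting numbers."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return {w: classify(s, window, baseline_syn_rate)
            for w, s in sorted(window_stats(lines, server_ip, window).items())}


def build_sample_log(server="203.0.113.10"):
    """Constructed traffic (synthetic, not a capture): window 0 is quiet,
    window 1 is a flash crowd whose clients all finish the handshake,
    window 2 is a SYN flood from spoofed addresses that never ACK."""
    lines = []

    def handshake(ts, client):
        lines.append(f"{ts} {client} {server}:443 S")
        lines.append(f"{ts} {server} {client}:443 SA")
        lines.append(f"{ts} {client} {server}:443 A")

    for i in range(5):                      # window 0: 0.5 SYN/s
        handshake(i, f"198.51.100.{i + 1}")
    for i in range(150):                    # window 1: 15 SYN/s, all complete
        handshake(10 + i % 10, f"192.0.2.{i + 1}")
    for i in range(3000):                   # window 2: 300 SYN/s, none complete
        lines.append(f"{20 + i % 10} 10.0.{i // 256}.{i % 256} {server}:443 S")
    return "\n".join(lines)


if __name__ == "__main__":
    for w, result in analyze(build_sample_log(), "203.0.113.10").items():
        print(f"window {w}: {result}")
```

In practice the same logic would be fed from flow records or a packet capture at the edge rather than a hand-built log, and the baseline rate would come from the server's own history; the point is that volume alone cannot separate a legitimate surge from an attack, while the handshake completion ratio and the number of distinct sources can.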
After validating the individual components of the program, the next step is a comprehensive testing strategy. In this step you will need more experienced testers, and will probably want to engage an experienced external firm. A qualified third party can help evaluate all the ploys an attacker may launch, providing your organization with another set of eyes.
The results of the testing can fit directly into your continuous improvement process, allowing you to tweak and improve your DDoS controls over time, better mitigating the risks to your organization.
The trend is clear: DDoS attacks have become a favorite implement in the hackers’ toolbox. The best time to create your DDoS mitigation plan is now, before attackers have knocked your systems off-line. While you cannot eliminate this risk entirely, you can give yourself a fighting chance by:
- Understanding the changing landscape,
- Inventorying your own company’s internet accessible resources,
- Implementing solutions to appropriately protect them, and
- Testing your people, processes and technologies.