The six key elements of a DDoS incident response plan
Let’s face facts, all enterprises interact with their customers and stakeholders online today, so all organisations need to have robust defences to detect and mitigate distributed denial of service (DDoS) attacks.
It’s equally important, however, to ensure that there is a robust Incident Response Plan and process specific to DDoS implemented. Otherwise, the investment in the right defences could all be for nothing.
An international online gaming company learned that lesson the hard way. The company in question had invested in a reputable DDoS managed services company and considered itself well protected. Then one Sunday, when key people in the organisation had the day off, a series of volumetric attacks targeted the site and took it down.
Only a few senior employees were able to escalate incidents to the DDoS service provider, but unfortunately, they were not immediately available. When they were found, the internal teams and the service provider dialled into different conference lines, delaying response further.
As a result, mitigation measures were not put into effect until it was too late and the gaming service was down for more than 90 minutes. Online gamers demand high quality, lightning-fast services. When they are offline completely, that is unacceptable and gamers will switch to one of the many other gaming options available. At a minimum, the gaming company in this case lost US$1 million in revenue.
The damage to customer relationships and the cost of incentives to keep them, are additional longer-term consequences of a successful DDoS attack.
What went wrong? Having signed up for a reputable DDoS protection service, the small security staff at the gaming company felt like they were covered.
What they didn’t fully appreciate, and their DDoS service provider didn’t explain, was that speed is a critical factor in incident response and successful mitigation. The security team had never been trained; nor had they performed practice drills for such an eventuality. There was no transferrable process that did not depend on one or two individuals’ knowledge and authority.
Incident response is too often an afterthought in the case of DDoS attacks. So, what does an effective Incident Response Plan look like? It’s helpful to break it down into six key elements that cover planning, preparation and practice, what to look for and do during an attack, and what can be learned from an attack to further improve response the next time - and there will always be a next time. Note, too, that these elements are not linear, but rather a loop.
1. Preparation: This is likely the most difficult yet most important phase because it lays the foundation. Without adequate preparation, failure is virtually certain. The midst of an attack is no time to be trying to figure out your response.
First, build the team and assign responsibilities. Response to advanced threats is often regarded as the responsibility of security operations teams, while DDoS defence typically falls to a network team, not the security team. Breaking down those silos is critical for communication during an attack. Establish upstream and downstream relationships and contact procedures – who is going to call whom, and why.
Meanwhile, know the enemy. Understand their motivations and their techniques. Know the attack vectors they are likely to use. Harden defences and prepare the tools to counteract them. Know your equipment and infrastructure. Understand just how much stress it can handle. Test its resilience. You don’t want to be surprised when an attack overwhelms its capabilities.
Most importantly, train the team and practice. Preparation is an ongoing process. Poise and cool heads will be far preferable to panic when an attack eventually comes.
2. Identification: Without sufficient network visibility, enterprises lack the information needed to understand whether poor service or application performance is a result of DDoS attack traffic, or a network misconfiguration. On-premise solutions provide the critical traffic visibility needed to quickly diagnose the issue, saving IT and network teams valuable time while improving performance.
3. Classification: What kind of attack are you seeing? This tells you how you can expect it to proceed, and what kinds of countermeasures you need to employ.
4. Traceback: Ascertain the origin of the attack – where is it coming from? Where and how is it affecting the network? This can help explain whether other network problems you are seeing are related to the attack.
5. Reaction: Having identified, classified and traced back the attack, you will be better prepared to implement the most appropriate mitigation tool. No one tool or technique is applicable in all circumstances. It pays to have a varied toolkit at hand, and to leverage automated response capabilities wherever possible.
6. Post-mortem: Analyse what happened. What can you learn? What can you do better? What is the one step everyone missed? How can you make the response faster, easier or less painful the next time? Anything concrete that comes of your findings, loop back to phase one and incorporate it into your preparation process.
Strengthen response capabilities with best-practice defence
The online gaming operator’s experience also underscores the need for a hybrid detection and mitigation solution that combines cloud-based and on-premise protection capabilities, which most security analysts now consider a DDoS mitigation best practice.
With a cloud-based service alone, it is often the customer’s responsibility to notify the MSSP when an attack has begun. On-premise DDoS solutions (appliance or virtual) provide network visibility and have many built-in countermeasures that kick in automatically when an attack is detected, without manual intervention, usually before you are even aware of the attack. This buys you valuable time to initiate and coordinate your Incident Response Plan.
In the best-practice scenario, the on-premise and cloud defences are integrated for seamless protection. Through advanced “cloud signalling,” the on-premise device alerts the cloud infrastructure to initiate mitigation when attack traffic reaches a specified capacity in your network.
Without question, automation gives you a critical advantage in incident response, but don’t rely on it entirely. You still need a solid Incident Response Plan. Attackers employ sophisticated technology, but their real advantage is their cunning. Effective DDoS response calls for a similar combination of advanced technology and human intelligence to stop them in their tracks – and practice, practice, practice.
Article by Arbor Networks A/NZ country manager Tim Murphy.