With the recent Dyn distributed denial of service (DDoS) attack lighting up media headlines, enterprise security practitioners are being asked how to ensure that the organizations for which they work aren’t the next DDoS victims. For some practitioners this can be attributed to a “shiny object syndrome,” in other words, the human tendency to focus on that which is most recent and interesting. However, it is a very real possibility that a DDoS attack could bring an entire business to a screeching halt for days at a time; this risk is making security practitioners think twice about how (or if) their organizations are prepared to withstand a DDoS attack.
While “availability” is recognized as one third of the venerable “confidentiality/integrity/availability” triad familiar to all security professionals, in practice security tends to focus more on “confidentiality” and “integrity,” relegating “availability” to the other teams in IT. Though there is some debate within the security community about the “damage” a DDoS attack inflicts, it’s always in the best interest of a company to prepare for attacks—of any sort. Not to mention, system availability and performance are goals valued by the business. When security can demonstrate a dedication to those same goals (even if the why differs), that’s a big win for everyone involved.
Chris Clymer works with Fortune 500 companies and startups alike in his role as Director of Information Security at MRK Technologies, and says that companies can take some basic steps to prepare for a DDoS attack.
Have a threat intelligence program
A good threat intelligence program can highlight emerging threats before an attack ever strikes. Threat intelligence data gathered from across the web (surface, deep, and dark), public information, and internal sensors can be extremely beneficial to organizations proactively looking to unearth information about potential attacks. Still today, and despite the ever-increasing threat landscape and prevalence of cyber attacks, few organizations invest significant effort in this space, choosing instead to subscribe to some type of “threat feed” and calling that the “threat program.”
Developing a true, holistic threat intelligence program, one that combines internal and external data sources, situational awareness (e.g., organizational activities or high-profile news), and human analysis, and that is geared towards identifying the threats facing your particular organization, can be hugely helpful in identifying potential attacks. Building this type of robust threat program gives organizations the ability to see possible DDoS attacks (as well as other types of attacks and exploits) before they hit, giving the organization more time to prepare.
Ensure all your devices have basic cyber hygiene
Clymer points out that the recent DDoS attack was caused by poorly configured Internet of Things (IoT) devices. Very often technology is implemented without fully securing configurations, or putting in a process for ongoing maintenance. Security and IT teams tend to focus attention on a core group of servers and PCs that are most familiar and overlook other devices around the organization, leaving them poorly maintained.
To manage this risk, security teams should ensure a program and process for covering the security basics exists, and that it accounts for all devices on the network. This focus on the fundamentals includes:
- Asset inventory
- Regular patching
- Strong password implementation with frequent update requirements
- Limiting direct access from the internet or other networks
Leverage multiple DNS providers
Many companies rely on a single provider for Domain Name System (DNS) resolution of all their websites. Doing so puts the business at greater risk of an outage, as a sustained attack targeting this provider could potentially result in an outage of these sites…along with many others, as was the case with the recent attack on the DynDNS service.
IT teams also commonly depend on a sole provider for DNS resolution for all PCs, which puts users at greater risk of experiencing an outage as well. Organizations that use a secondary DNS resolver from a different provider than the primary one increase the likelihood that their users/customers will still be able to reach websites even if the primary provider experiences an attack or is down for a period of time.
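A quick way to check the first point above (whether a zone's authoritative nameservers all sit with one provider) is to group the nameserver hostnames by the domain that operates them. The script below is an added example, not code from the article or from MRK Technologies; it assumes the nameserver list is the output of `dig +short NS <zone>`, and the hostnames and two-label suffix set are constructed stand-ins.

```python
# Added example: flag zones whose authoritative nameservers all belong to one
# DNS provider. Input is the text `dig +short NS <zone>` prints (one hostname
# per line); providers are approximated by the registered domain of each host.
from collections import defaultdict

# Minimal stand-in for a public-suffix list (assumption made for this example).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}


def registered_domain(hostname):
    """Return the registrable part of a nameserver hostname, e.g.
    ns1.dns-alpha.example -> dns-alpha.example, ns-1.dns-beta.co.uk -> dns-beta.co.uk."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_provider(dig_output):
    """Group nameserver hostnames by the registered domain that operates them."""
    groups = defaultdict(list)
    for line in dig_output.splitlines():
        host = line.strip().rstrip(".").lower()
        if host:
            groups[registered_domain(host)].append(host)
    return dict(groups)


def assess_ns_diversity(dig_output, min_providers=2):
    """Return (ok, groups). ok is False when fewer than min_providers operators
    serve the zone, i.e. a single provider outage takes every name offline."""
    groups = group_by_provider(dig_output)
    return len(groups) >= min_providers, groups


# Constructed samples (reserved .example names, not real query results).
SINGLE_PROVIDER = "ns1.dns-alpha.example.\nns2.dns-alpha.example.\nns3.dns-alpha.example.\n"
TWO_PROVIDERS = "ns1.dns-alpha.example.\nns2.dns-alpha.example.\nns-1.dns-beta.co.uk.\nns-2.dns-beta.co.uk.\n"

if __name__ == "__main__":
    for name, sample in (("single", SINGLE_PROVIDER), ("dual", TWO_PROVIDERS)):
        ok, groups = assess_ns_diversity(sample)
        print(name, "OK" if ok else "single-provider dependency", sorted(groups))
```

Run the same check against the resolver list on your PCs (the second point above): if every configured resolver maps to one operator, the resolver side has the same single point of failure.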
Make use of DDoS prevention services
In recent years the market for DDoS mitigation services has grown significantly, as these attacks have become more frequent and voluminous. While mitigation services can take a number of forms, the most prevalent are those combined with Content Delivery Networks (CDNs) like Cloudflare and Akamai. These providers’ large networks allow customers to front-end incoming traffic and distribute the load. But this comes at a cost. The more security-minded CDNs analyze web traffic for patterns and can detect when levels are abnormally high, often helping shut down an attack before the attack shuts down the website.
With DDoS attacks growing in frequency and size, potential customers should ask for service level guarantees; security journalist Brian Krebs recently got the boot from Akamai because his website was repeatedly attacked and the demands on the CDN were too high.
In addition, a certain amount of DDoS mitigation is available from traditional on-premises load balancing solutions, such as those from F5 Networks. These systems still run the risk of being overwhelmed if enough traffic is directed their way; however, they can drop particular types of DDoS traffic at the front end of a client’s network, preventing that traffic from overwhelming back-end servers. This approach can be more effective against application-level attacks, but it is still limited by the client’s own bandwidth.
The most important point of all, says Clymer, is to “know your organization’s expectations of uptime and clearly communicate your actual, current capabilities.” At the end of the day, DDoS preparation, like anything else security manages, is ultimately a risk decision. For instance, “for a manufacturing company, it might be perfectly acceptable to executive management for the corporate website to be offline for a few hours,” says Clymer, “as long as that timeframe doesn’t impact customer orders.” Conversely, he says, “a retailer may require 24/7 website availability to process orders…no downtime is acceptable.”
Because the recent DDoS attack affected so many companies and is still grabbing headlines, now is a great time to check in and further align the business’s goals with security’s actions. Nothing is more frustrating than putting time and effort into something no one cares about, but on the flip side, no one wants to be caught ignoring an issue that matters a lot. It’s likely that the business wants its public-facing website(s) available 24/7 and internal resources available during regular office hours. Start those conversations now, then build your DDoS protection strategy around the results before the next wave of widespread DDoS hits. When it does, you can be the hero who gets to say, “We were only down for 10 minutes” instead of being the guy or girl who has to spend the next 48 hours in incident response.