Jon Murphy, GVP-IT Security, Ocwen Financial Corporation
A 2016 study from Kapersky and B2B International before last year’s infamous DYN attack reported that a single DDoS attack can cost a company between $52,000 and $444,000! These costs are comprised of factors both to stop the DDoS attack, and/or to pay the ransom that is demanded for it to end. However, the cost range estimate above does not include the costs of industry reputation damage and the loss of customer confidence. I mentioned pervasive before and to punch that point home, consider that according to a 2016 statement by the Department of Homeland Security, over the past five years, the scale of these attacks has increased tenfold!
The bad actors are rapidly evolving their techniques and this makes it difficult to identify the best defense against them. For instance, a highly sophisticated Layer 7 (Open Systems Interconnection–OSI Network Layer) DDoS attack may target just specific areas of a website, making it even more difficult to separate from normal traffic. Consider that a Layer 7 DDoS attack might target a specific website element only (e.g., company logo or a unique page graphic) to consume resources every time it is downloaded with the intent to exhaust the server.
Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics while other exploits exfiltrate sensitive information or install ransomware—all the time your IT staff are consumed fighting the DDoS attack.
While bad actors conducting DDoS attacks often target sites or services hosted on high-profile web servers such as e-tailers, banks, or credit card payment gateways, any organization can be hit. Motivation runs the gamut from activism, revenge, blackmail/ extortion, or terrorism. Worse still, as technology advances so do the many ways to launch a DDoS attack. Out on the dark web there are freely available network stressors and DDoS tools that can be acquired, configured, and controlled via botnets and other command and control tools. More advanced tools include nation state-backed “Internet Cannons” that weaponize valid Internet user traffic by rewriting HTTP requests to flood targeted websites.
Since DDoS attacks can be extremely complex, there is a need for multiple layers of defense in depth to be able to keep up with the latest threats. While you can hope you are not targeted, that is not a sound strategy. You should proceed as if you will be targeted or hit and take proactive steps now. So, with defense in depth in mind, let’s talk about 10 of those proactive steps, as a combination of strategy and tactics that you could take in advance.
1. Take assessment–objectively and honestly determine your strengths, gaps, vulnerabilities, and threats; hire a qualified 3rd party if necessary
2. Adopt a framework–this is the foundation to your entire enterprise-level security program and DDoS protections within it; NIST, ISO, SANS – pick one
3. Incident response plan–Create and regularly practice an all-hazards plan with a crisis communication plan built-in
4. Solid router and firewall configs– look to expert advice from the OEM and for solid “hardening standards”
5. Traffic threshold monitoring–find out what “normal” amounts of traffic to your sites look like and then create a threshold to alert on
6. Cloud based DDoS defense systems– lots of great vendors; check the think thanks for ratings and ask other colleagues for their experiences
7. Enhanced DNS protection services– same as above; the best spot and stop trouble before it ever gets close to your network
8. IDS/IPS–Use next generation firewalls with built-in intrusion detection and prevention (IDS/IPS) coupled with Border Gateway Protocol (BGP) to stop DDoS attacks.
9. WAF—A web application firewall(WAF) acts like an anti-malware tool that blocks malicious attacks on your website(s). It sits above your application at the network level to provide protection before the attacks reach your server. As a bonus, using a WAF not only protects you against DDoS attacks, but also generally improves application performance and enhances user experience.
10. Upstream filtering–provided by your ISP, includes reputation based blocking - a feature called Unicast Reverse-Path Forwarding to silently drop—or “blackhole”—the bad traffic.
With forethought and planning, you don’t have to rely on hope when it comes to dealing with DDoS.
While bad actors conducting DDoS attacks often target sites or services hosted on high-profile web servers such as e-tailers, banks, or credit card payment gateways, any organization can be hit. Motivation runs the gamut from activism, revenge, blackmail/ extortion, or terrorism. Worse still, as technology advances so do the many ways to launch a DDoS attack. Out on the dark web there are freely available network stressors and DDoS tools that can be acquired, configured, and controlled via botnets and other command and control tools. More advanced tools include nation state-backed “Internet Cannons” that weaponize valid Internet user traffic by rewriting HTTP requests to flood targeted websites.
Motivation runs the gamut from activism, revenge, blackmail/ extortion, or terrorism
1. Take assessment–objectively and honestly determine your strengths, gaps, vulnerabilities, and threats; hire a qualified 3rd party if necessary
2. Adopt a framework–this is the foundation to your entire enterprise-level security program and DDoS protections within it; NIST, ISO, SANS – pick one
3. Incident response plan–Create and regularly practice an all-hazards plan with a crisis communication plan built-in
4. Solid router and firewall configs– look to expert advice from the OEM and for solid “hardening standards”
5. Traffic threshold monitoring–find out what “normal” amounts of traffic to your sites look like and then create a threshold to alert on
6. Cloud based DDoS defense systems– lots of great vendors; check the think thanks for ratings and ask other colleagues for their experiences
7. Enhanced DNS protection services– same as above; the best spot and stop trouble before it ever gets close to your network
8. IDS/IPS–Use next generation firewalls with built-in intrusion detection and prevention (IDS/IPS) coupled with Border Gateway Protocol (BGP) to stop DDoS attacks.
9. WAF—A web application firewall(WAF) acts like an anti-malware tool that blocks malicious attacks on your website(s). It sits above your application at the network level to provide protection before the attacks reach your server. As a bonus, using a WAF not only protects you against DDoS attacks, but also generally improves application performance and enhances user experience.
10. Upstream filtering–provided by your ISP, includes reputation based blocking - a feature called Unicast Reverse-Path Forwarding to silently drop—or “blackhole”—the bad traffic.
With forethought and planning, you don’t have to rely on hope when it comes to dealing with DDoS.
Read Also
Syncing Data with Business Processes
Tony Summerlin, Senior Strategic Adviser, FCC/CIO, Office of the Managing Director
Implementing a Cybersecurity Program - The Journey of True Partnership with IT
Maurice Edwards, Senior Vice-President Enterprise Risk, Mattress Firm
Information Governance = Data Governance + Disclosure
Tera Ladner, Director, Information Governance, Aflac
Do You Suffer from Cloud Strategy Deficiency (CSD)?
Hiba S. Sharief, Vice President, IT, Oportun
