The Six Phases of a DDoS Incident Response Plan
Any enterprise that interacts with its customers and stakeholders online — which is just about everyone these days — needs to have robust defenses to detect and mitigate distributed denial of service (DDoS) attacks. It’s just as important, however, to have an equally robust incident response plan and process specific to DDoS. Otherwise, all your investment in defenses could well be for naught.
An international online gaming company learned that lesson the hard way. The company in question had invested in a reputable DDoS managed services company, and considered itself well protected. Then one Sunday, when key people in the organization had the day off, a series of volumetric attacks targeted the site and took it down. Only a few senior employees were able to escalate incidents to the DDoS service provider, but unfortunately, they were not immediately available. When they were found, the internal teams and the service provider dialed into different conference lines, delaying response further, as a result, mitigation measures were not put into effect until it was too late, and the gaming service was down for more than 90 minutes. Online gamers demand high quality, super-fast services. When they are offline completely, that is unacceptable. There are many gaming options available to choose from. At a minimum, the gaming company in this case lost $1 million in revenue. The damage to customer relationships, and the cost of promotions to keep them, are additional longer term consequences of a successful DDoS attack.
What Can Go Wrong with DDoS Service Providers
What went wrong? Having signed up for a reputable DDoS protection service, the small security staff at the gaming company felt like they were covered. What they didn’t fully appreciate, and their DDoS service provider didn’t explain, was that speed is a critical factor in incident response and successful mitigation.
The security team had never been trained; nor had they performed practice drills for such an eventuality. There was no transferrable process that did not depend on one or two individuals’ knowledge and authority.
Incident response is too often an afterthought in the case of DDoS attacks. So, what does an effective incident response program look like? It’s helpful to break it down into six phases that cover planning, preparation and practice, what to look for and do during an attack, and what can be learned from an attack to further improve response the next time (knowing there will always be a next time). Note, too, that these phases are not linear, but rather a loop.
This is likely the most difficult yet most important phase because it lays the foundation. Without adequate preparation, failure is virtually certain. The midst of an attack is no time to be trying to figure out your response.
First, build the team and assign responsibilities. Response to advanced threats is often regarded as the responsibility of security operations teams, while DDoS defense typically falls to a network team, not the security team. Breaking down those silos is critical for communication during an attack. Establish upstream and downstream relationships and contact procedures — who is going to call whom, and why.
Without sufficient network visibility, enterprises lack the information needed to understand whether poor service or application performance is a result of DDoS attack traffic, or a network misconfiguration. On-premise solutions provide the critical traffic visibility needed to quickly diagnose the issue, saving IT and network teams valuable time while improving performance.
What kind of attack are you seeing? This tells you how you can expect it to proceed, and what kinds of countermeasures you need to employ.
Ascertain the origin of the attack — where is it coming from? Where and how is it affecting the network? This can help explain whether other network problems you are seeing are related to the attack.
Having identified, classified and traced back the attack, you will be better prepared to implement the most appropriate mitigation tool. No one tool or technique is applicable in all circumstances. It pays to have a varied toolkit at hand, and to leverage automated response capabilities wherever possible.
Analyze what happened. What can you learn? What can you do better? What is the one step everyone missed? How can you make the response faster, easier or less painful the next time? Anything concrete that comes of your findings, loop back to phase one and incorporate it into your preparation process.
Strengthen Response Capabilities with a Best-Practice Defense
The online gaming operator’s experience also underscores the need for a hybrid detection and mitigation solution that combines cloud-based and on-premise protection capabilities, which most security analysts now consider a DDoS mitigation best practice. With a cloud-based service alone, it is often the customer’s responsibility to notify the MSSP when an attack has begun. On-premise DDoS solutions (appliance or virtual) provide network visibility and have a number of built-in countermeasures that kick in automatically when an attack is detected, without manual intervention, usually before you are even aware of the attack. This buys you valuable time to initiate and coordinate your incident response plan.
In the best-practice scenario, the on-premise and cloud defenses are integrated for seamless protection. Through advanced “cloud signaling,” the on-premise device alerts the cloud infrastructure to initiate mitigation when attack traffic reaches a specified capacity in your network.
Without question, automation gives you a critical advantage in incident response. But don’t rely on it entirely. You still need a solid incident response plan. Attackers employ sophisticated technology, for sure, but their real advantage is their cunning. Effective DDoS response calls for a similar combination of advanced technology and human intelligence to thwart devious behavior. And practice, practice, practice.
To learn more about NETSCOUT Arbor’s award winning DDoS solutions, click here.