Responding to network attacks

Though they’re not going away anytime soon — and every security geek in the IT department knows it — distributed denial-of-service (DDoS) attacks still cause great panic in most organizations hit by them. This being the case, it bears underscoring the importance of planning ahead so that you don’t get caught flatfooted when the next attack comes, whether it’s a DDoS or something even bigger.

1. Activate your response plan

Rather than responding to the waves of panic that are likely circulating around the sales and executive teams, the most productive thing to do is to rely on your advance planning to start the response process rolling.  Remembering that the key to solving problems is usually communications, you should focus on providing company executives with regular updates. Then you can focus on the technology issues without undue badgering.

This is, I think, the right time to remind you that one of the best antidotes to security crises is to have a computer security incident response team (CSIRT) capability. This resource, whether in-house or contracted out, can save countless amounts of downtime. You can learn more about incident response from places like the Forum of Incident Response and Security Teams (FIRST).

2. Set up a war room

When Skype suffered a major outage — which, though not a DDoS, had some of the massive but temporary service disruption characteristics of a DDoS — we set up two war rooms: one near the company executives and one in the heart of the engineering center. This kind of arrangement not only allows “the right people” to come together face-to-face, it also allows focal points to form for network operations, media/PR, and the executive team. This location is focused on communication, so be sure to have redundant means at your disposal in case your chosen system (phone line, Jabber, Skype, etc.) is itself impacted by the attack.

3. Think tactically

Your first general priority is limiting downtime, so you have to quickly assemble the data available to you to identify the cause of the problem and its target. Work with your ISP or network peers to maximize your options within the terms of your service contract, and preferably without incurring additional costs.

While you can have traffic shunted or blackholed, keep in mind that measures such as assigning new network addresses to critical resources can have lasting secondary effects, such as invalidating IP-bound digital certificates. For lengthy attacks, it may be worth the effort to have a plan for a temporary customer notice website, which can keep customers informed of the company’s efforts to restore service.

For small businesses, these kinds of services can often be arranged ad hoc, but it’s best to have a planned service with a specified DDoS service level agreement. In addition, cutover of these services may require coordination with your domain registrar or your ISP.
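The "assemble the data and identify the target" step above, as an added example that is not part of the original post: a small triage script that reads a flow export, finds which destination is absorbing the traffic, how many distinct sources are hitting it, and which protocol/port carries the flood. The record format, the sample flows and the thresholds are constructed assumptions; real exports and baselines differ.

```python
# Added example, not from the original post: triage a flow export to find
# the DDoS target and its dominant vector. Sample data is constructed.
from collections import defaultdict

# Constructed NetFlow-style records: "src dst dport proto packets"
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 443 tcp 12
198.51.100.7 203.0.113.10 443 tcp 8
192.0.2.1 203.0.113.20 80 tcp 900
192.0.2.2 203.0.113.20 80 tcp 880
192.0.2.3 203.0.113.20 80 tcp 910
192.0.2.4 203.0.113.20 80 tcp 895
192.0.2.5 203.0.113.20 80 tcp 905
192.0.2.6 203.0.113.20 123 udp 300
"""

def parse_flows(text):
    """Parse one flow per line; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, proto, pkts = line.split()
            flows.append((src, dst, int(dport), proto, int(pkts)))
    return flows

def summarise_targets(flows):
    """Per destination: distinct sources, total packets, packets per vector."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0,
                                 "vectors": defaultdict(int)})
    for src, dst, dport, proto, pkts in flows:
        s = stats[dst]
        s["sources"].add(src)
        s["packets"] += pkts
        s["vectors"][(proto, dport)] += pkts
    return stats

def find_target(flows, min_sources=5, min_share=0.8):
    """Return (dst, summary) for the host absorbing most packets, or None.
    Thresholds are assumptions; tune them against your own traffic baseline."""
    stats = summarise_targets(flows)
    total = sum(s["packets"] for s in stats.values())
    if not total:
        return None
    dst, s = max(stats.items(), key=lambda kv: kv[1]["packets"])
    share = s["packets"] / total
    if len(s["sources"]) < min_sources or share < min_share:
        return None  # spread-out or low-volume traffic: not a clear flood
    proto, port = max(s["vectors"], key=s["vectors"].get)
    return dst, {"sources": len(s["sources"]), "packets": s["packets"],
                 "share": round(share, 2), "vector": f"{proto}/{port}"}
```

The summary (target, source count, packet share, vector) is exactly what your ISP or upstream peer needs to scope a filter or blackhole, so it doubles as the first status update for the war room.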

4. Think strategically

Your next general priority is preventing further downtime. This requires more thought and more research; you need to identify the rationale for the attack. In other words, why did someone target your infrastructure to attack today? Is there a pot of gold at the end of the attack?  Is the attack you’re experiencing merely cover for another, separate attack whose aim is to steal valuable customer data?

There are many possibilities here, but the point to make is that the CISO of the organization needs to be well aware not only of the technology in play, but also of the risk matrix relating to data available on the network and even things like public perception of the company. Many otherwise mundane companies have been hit by hackers or so-called hacktivists merely due to the public position of a single member of the company’s board of directors.

5. Document, review and train

If there’s one silver lining to an attack, it’s that the event can serve as a crucible for learning for the entire staff, including people far outside the technical teams. Take notes as the event unfolds, including the time that decisions (even mundane ones) were made. Also take time to understand the cost impact of the attack and its remediation. During a post-mortem, these notes will serve better than any cockamamie exercise could to develop better processes and procedures for the next time.  The bad news is that there probably will be a next time.
