When struck by DDoS, what actions should a credit union take? Mike Saylor, vice president of technology for the Texas Credit Union League (TCUL), says the first step is to conduct an enterprise risk assessment (ERA), or at a minimum an IT risk assessment.
“You cannot protect an environment without knowing what you have, its current risk posture, and the controls and counter measures you have in place,” explains Saylor.
An enterprise risk assessment takes into consideration key processes, people, resources, and impact from both the business and IT perspectives.
“This exercise is typically an eye opener for organizations that have never conducted one,” adds Saylor. “It is a great way to identify, verify, document, and begin to track what is important to the sustainability of your organization, and the business, financial, legal, reputational risks associated with them.”
DDoS, or distributed denial-of-service, attacks cause Internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts in order to distract attention and/or disable alerting systems.
Other steps Saylor suggests include:
2. Developing an action plan to prepare for and respond to DoS/DDoS attacks
“Do not think of a DoS as an ‘if,’ but instead it should be perceived as a ‘when’,” advises Saylor.
Denial of service can also be accidental (e.g. a construction crew cuts the power or telecom line, a new IT employee changes a configuration, an external auditor introduces a virus, etc.). Based on the results and knowledge gleaned from the ERA, and with specific consideration of DoS attacks, an organization can then formulate a response that mitigates risk to the extent possible. Response activities typically include:
Current contact information for key personnel (IT, management, legal, communications, etc.), vendors (ISP, hardware, telecom), and support contractors (extra arms and legs)
An inventory of known hardware (routers, switches, firewalls, servers, etc.) that is likely to be impacted by a significant attack
Incident response procedures that detail the progression and dependencies of response activities (business and IT), which should include technical, communications (internal/external), escalation, and other organization-specific actions
3. Know your Infrastructure and Document it
“This is key and should have been accomplished in steps one and two,” suggests Saylor. “The point here is that if you do not know what you have, how can you protect it, replace it, manage it?”
4. Working with your Internet Service Provider (ISP) for detection and defense
Most Internet service providers will help you with a DoS attack. ISPs can capture a lot of data related to an attack, if you ask them. By default, ISPs do not log traffic, because of the vast amount of data this would generate across all of their customers.
“Knowing ahead of time who to call at your ISP is important,” Saylor says.
5. Implement Mitigation technology and Verify Capabilities
If your organization uses network traffic analysis tools, Saylor says it is important to make sure they have been configured properly and to understand the extent of their capability within your environment.
“Implementing a solution out of the box does not always afford you the best protection,” warns Saylor. “Call your vendor and ask if the solutions you have can help mitigate a DoS attack.”
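One concrete reason an out-of-the-box setting may not fit your environment is that vendor thresholds are often sized for much larger networks than a small credit union's. The following Python example is added here for illustration (it is not from the article or from TCUL): it runs a volumetric check over constructed flow summaries, once with a baseline learned from the institution's own quiet traffic and once with an assumed fixed default threshold, and shows that the fixed default misses an event the environment-relative check catches. The flow format, the addresses (documentation ranges) and the 1 MB/minute "default" are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries, one per line: "<ISO time> <src> <dst> <bytes>".
# Minutes 10:00-10:02 are normal traffic; 10:03 adds four new sources at once.
SAMPLE_FLOWS = """\
2013-01-01T10:00:05 198.51.100.10 192.0.2.20 4000
2013-01-01T10:00:40 198.51.100.11 192.0.2.20 6000
2013-01-01T10:01:10 198.51.100.10 192.0.2.20 5000
2013-01-01T10:01:50 198.51.100.12 192.0.2.20 5000
2013-01-01T10:02:15 198.51.100.11 192.0.2.20 4500
2013-01-01T10:02:45 198.51.100.13 192.0.2.20 5500
2013-01-01T10:03:05 203.0.113.1 192.0.2.20 30000
2013-01-01T10:03:10 203.0.113.2 192.0.2.20 30000
2013-01-01T10:03:20 203.0.113.3 192.0.2.20 30000
2013-01-01T10:03:30 203.0.113.4 192.0.2.20 30000
2013-01-01T10:03:50 198.51.100.10 192.0.2.20 5000
"""

def parse_flows(text):
    """Parse flow lines into (minute, src, dst, bytes); minute is 'YYYY-MM-DDTHH:MM'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((ts[:16], src, dst, int(nbytes)))
    return flows

def per_minute(flows, dst):
    """Aggregate inbound bytes and distinct sources per minute for one destination."""
    agg = defaultdict(lambda: [0, set()])
    for minute, src, d, nbytes in flows:
        if d == dst:
            agg[minute][0] += nbytes
            agg[minute][1].add(src)
    return {m: (b, len(s)) for m, (b, s) in sorted(agg.items())}

def detect(stats, baseline_minutes, multiplier=5.0):
    """Flag minutes whose inbound bytes exceed multiplier x the median of the
    institution's own quiet minutes (the environment-derived baseline)."""
    threshold = median(stats[m][0] for m in baseline_minutes) * multiplier
    return [(m, b, srcs) for m, (b, srcs) in stats.items()
            if m not in baseline_minutes and b > threshold]

def detect_fixed(stats, threshold_bytes):
    """Same check with an assumed vendor-style fixed per-minute threshold."""
    return [(m, b, s) for m, (b, s) in stats.items() if b > threshold_bytes]

if __name__ == "__main__":
    stats = per_minute(parse_flows(SAMPLE_FLOWS), "192.0.2.20")
    quiet = ["2013-01-01T10:00", "2013-01-01T10:01", "2013-01-01T10:02"]
    print("baseline-relative alerts:", detect(stats, quiet))
    print("assumed 1 MB/min default:", detect_fixed(stats, 1_000_000))
```

The baseline check reports the 10:03 minute (125,000 bytes from 5 distinct sources against a 10,000-byte median), while the assumed 1 MB/minute default reports nothing, which is exactly the gap that verifying a tool against your own traffic is meant to expose.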
6. After Action Reports and Lessons Learned
“If you are attacked, do not just wipe the sweat from your brow and carry on,” cautions Saylor.
Saylor notes that documenting and discussing lessons learned with everyone involved in the response (IT, business, contractors, vendors, ISP, etc.) is important to confirm that your controls (incident response, communications, etc.) were designed effectively.
“This is also a good time to update your ERA, contact information, hardware inventory, and other documents that may need modification,” he recommends.
7. Managed Security Service Providers as an alternative
Several companies provide managed security monitoring services that can help with the identification of and response to DoS attacks.
“There is a cost associated with this approach, but in small environments it makes financial sense to outsource this to a managed service provider,” says Saylor.