Why every company needs a DDoS response plan
In this Help Net Security interview, Richard Hummel, Senior Threat Intelligence Manager at NETSCOUT, discusses how companies can overcome the challenges of identifying and mitigating DDoS attacks. He stresses the need for adaptive, multilayered defense strategies and the inevitability of a comprehensive DDoS response plan.
Hummel also focuses on the evolving nature of DDoS threats and the critical role of staying updated on emerging trends and technologies.
How can companies overcome the difficulties of identifying and mitigating DDoS attacks?
Today’s DDoS attacks are not what they were even a few years ago, and we continue to see DDoS attacks that are framed as the largest in history (though larger ones are certainly yet to come, unfortunately). Additionally, they are now even more carefully choreographed by bad actors who can rapidly identify weaknesses, tailor new vectors for attacks, and make adjustments in real-time based on perceived vulnerabilities to exploit.
As a result, large organizations need adaptive, multilayered defense capabilities that can respond just as quickly to different types of attacks as they are presented, including large volumetric and more targeted application-layer attacks.
Moreover, the inconvenient truth is that bad actors continue to find new methodologies to orchestrate attacks. It’s important that security professionals stay up to date on emerging trends and embrace technologies like intelligence feeds and AI that can help automate responses, even against brand-new, zero-day attack methodologies.
How important is having a DDoS response plan, and what should it typically include?
Given the rising number of DDoS attacks each year and the reality that DDoS attacks are frequently used in more sophisticated hacking attempts to apply maximum pressure on victims, a DDoS response plan should be included in every company’s cybersecurity tool kit. After all, it’s not just a temporary lack of access to a website or application that is at risk. A business’s failure to withstand a DDoS attack and rapidly recover can result in loss of revenue, compliance failures, and impacts on brand reputation and public perception.
Successful handling of a DDoS attack depends entirely on a company’s preparedness and execution of existing plans. Like any business continuity strategy, a DDoS response plan should be a living document that is tested and refined over the years. It should, at the highest level, consist of five stages, including preparation, detection, classification, reaction, and postmortem reflection. Each phase informs the next, and the cycle improves with each iteration.
Are any specific industries or sectors more frequently targeted by DDoS attacks?
Lately, DDoS attacks are one of the primary ways that cybercriminals wreak havoc at major sporting events. From cyberwarfare involving geopolitical entities using DDoS attacks to deny access to critical infrastructure to hacktivism designed to protest or draw attention to social or political causes, the rationales for such attacks are virtually endless. However, a look back at the history of DDoS attacks shows that cybercriminals have always targeted sporting events.
For example, as early as London 2012, DDoS attacks targeted electrical systems during the opening Olympics ceremony. Rio 2016 witnessed a massive 500 Gbps attack against government websites and sponsors. Likewise, during the Pyeongchang 2018 Games, the governing committee was the target of a critical incident during the opening ceremony, where attackers compromised numerous services, including Wi-Fi, television broadcasting, and ticketing. More recently, NTT reported blocking more than 450 million cyberattacks during the Tokyo 2021 Games.
Additionally, DDoS attacks significantly threaten the online gambling and gaming industries, since it’s relatively easy for those with financial or competitive interests to disrupt operations long enough to change or delay outcomes in their favor. For example, online championships for popular games like Fortnite are popular targets. Unfortunately, organizations can experience significant collateral damage when their servers, hosting tens of thousands of users, are targeted by waves of DDoS attacks.
When an organization is under a DDoS attack, what immediate steps should be taken to mitigate the impact?
The first step should be clearly communicating to senior leadership in the language that will help them understand evolving DDoS attacks. In that discussion, it is critical to illustrate the business implications of a target-rich environment in the modern enterprise. Next, it’s also important to assign a team to classify and traceback the attack in question. During that process, security teams need to develop a statement for employees on the nature of the attack and the countermeasures that the security team will take to remediate it. Taken together, enhancing a company’s DDoS security posture requires building awareness and fostering collaboration across business functions.
Likewise, as mentioned previously, IT teams need to analyze threats from previous attacks to understand vulnerabilities and anticipate future attacks. According to our latest Threat Intelligence Report, which is based on data collected from over 230 countries around the world, we found that there was a sharp 15% increase in DDoS attacks in 2H 2023, with 7 million recorded attacks.
To better understand vulnerabilities, it’s critical to identify the types of DDoS attacks most commonly seen today so that security teams can develop effective defense strategies. For example, volumetric attacks aim to overwhelm the target’s available bandwidth with significant data flow, potentially making it inaccessible to legitimate users. State exhaustion attacks target the limited capabilities of network devices, such as firewalls or load balancers, bombarding them with requests to deplete their memory and processing capacity.
Last but not least, application-level attacks are particularly insidious as they can often go unnoticed. They mimic regular traffic but intend to disrupt specific functions or consume application resources until the targeted services shut down.
What role do government agencies play in supporting organizations against DDoS threats?
Government entities, ISPs, and businesses are vital to countering DDoS attacks and protecting critical infrastructure globally. When government agencies collaborate with ISPs and companies, they can take a proactive and multi-layered approach to minimize the impact of DDoS threats. However, the bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure.
What do you foresee as the future of DDoS attack tactics and defense strategies?
As we have seen with the rise in global hacktivist groups and other bad actors, in the future, we will continue seeing attackers evolve their tactics for pulling off new, automated DDoS attacks, which will also continue advancing in both frequency and complexity. To stay one step ahead of attackers’ malicious exploits, organizations need to take a more pragmatic approach to their holistic mitigation of these evolving DDoS threats.
That begins with an investment in intelligent DDoS mitigation systems that offer actionable, adaptable threat intelligence to automatically remediate issues before increasingly savvy and malicious entities can orchestrate new exploits. While bad actors will continue to find new ways to engineer DDoS attacks, rapid, automatic detection is critical to stopping an attack before it can impact business-critical services.