By Ben Herzberg
How should organizations deal with actual threats and demands for money from criminals?
Extortion demands do not always lead to attacks, and attacks do not always come with a demand. Criminals frequently send a ransom note and never follow through, and just as often an organization is attacked with no request for money at all. What it comes down to is that organizations have a responsibility to prepare for security incidents such as DDoS attacks and data breaches regardless of whether anyone has threatened them. Effective cyber security is proactive security: protections should be in place before an extortion email arrives, not bought in a hurry afterwards.
When building a mitigation plan for DDoS or any other risk, the first step is to map the organization's assets. Websites are not the only DDoS targets; DNS servers, mail servers, VPN gateways, or any other resource with an internet connection can be hit. Third-party dependencies should be mapped as well. For example, if the organization relies on an external one-time-password (OTP) service and that service is attacked, users will be unable to log in even though the organization's own systems are untouched. Once the assets are laid out, mitigation should be prioritized by impact: what would happen if service X went down, for how long could the business tolerate it, and who depends on it? Each service then gets its own mitigation plan.
For some services an "on-demand" solution is sufficient, one that diverts traffic through the DDoS mitigation provider only while the organization is under attack (typically by changing DNS records or BGP announcements). Because that diversion takes time to propagate and must be triggered by someone, the switch-over procedure should be rehearsed before it is needed, and services that cannot tolerate any outage should be protected "always-on" instead.
Too often, businesses make a rushed decision to pay extortionists. Organizations must understand that "caving in" to demands may look like a simple way out. However, payment does not assure that the organization will not receive another extortion email the following week, from someone else or from the same extortionist, and it signals that the organization pays.
How should organizations best mitigate DDoS attacks?
With the vast increase in IoT devices, which enables cheap attacks like the ones described in the Kaspersky research, attackers can send enormous volumes of traffic and packets that easily exhaust the organization's pipe.
Therefore, mitigation must be done as far away from the organization's network as possible, which means in the cloud, before the traffic even reaches the organization's ISP. Anything that sits behind the pipe, including an on-premises appliance, cannot help once the pipe itself is saturated.
In addition, the person in charge of protection against DDoS attacks must understand what they are protecting against. In many cases, organizations take a checklist approach and simply buy some protection, for example a clean-pipe service that scrubs volumetric traffic, while disregarding Layer 7 attacks, or they invest in an on-premises appliance alone. Persistent attackers target the weakest link: if they find that an organization is not affected by high-bandwidth attacks, they will switch to Layer 7 attacks or to attacks with a high rate of requests per second, which consume little bandwidth but exhaust application servers.
When building a mitigation plan, it is important to make sure that it gives sufficient protection against all the attack vectors and not just against a subset of them, and to test it under realistic conditions rather than assume the purchased service covers everything. Luckily, there are many good online resources for learning about DDoS attacks and mitigation. Imperva has one such online tutorial at ddosbootcamp.com.
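The distinction above between volumetric floods and request-rate (Layer 7) attacks is easiest to see in the logs. The following is an added example, not code from the original article or from Imperva/Incapsula: it parses web-server access-log lines in the common "combined" format, buckets requests per source IP per second, and flags sources whose peak request rate exceeds a threshold. The log lines, IP addresses and the threshold of 20 requests per second are constructed for the example; a bandwidth-only view of the same traffic would see only a few kilobytes and raise no alarm.

```python
"""Per-source request-rate detector for Layer 7 (HTTP) floods.

Added example, not code from the original article or from Imperva/Incapsula.
Parses access-log lines in the Apache/nginx "combined" format, counts
requests per source IP per one-second bucket, and flags sources whose peak
rate exceeds a threshold. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, timestamp, request and response size, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "ts": ts, "bytes": size, "req": m.group("req")}


def peak_rates(lines):
    """Return ({ip: peak requests per second}, total response bytes) over the given log lines."""
    buckets = defaultdict(lambda: defaultdict(int))  # ip -> epoch second -> request count
    total_bytes = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash on them
        sec = int(rec["ts"].timestamp())
        buckets[rec["ip"]][sec] += 1
        total_bytes += rec["bytes"]
    return {ip: max(per_sec.values()) for ip, per_sec in buckets.items()}, total_bytes


def flag_sources(lines, rps_threshold):
    """Return (sorted list of offending IPs, per-IP peak rates, total bytes)."""
    rates, total_bytes = peak_rates(lines)
    flagged = sorted(ip for ip, rps in rates.items() if rps > rps_threshold)
    return flagged, rates, total_bytes


def build_sample_log():
    """Constructed sample: one client browsing normally, one source hammering a search endpoint."""
    fmt = '{ip} - - [10/Oct/2016:13:55:{sec:02d} +0000] "{req}" 200 {size} "-" "Mozilla/5.0"'
    lines = [
        fmt.format(ip="198.51.100.5", sec=36, req="GET / HTTP/1.1", size=2048),
        fmt.format(ip="198.51.100.5", sec=36, req="GET /about HTTP/1.1", size=2048),
    ]
    # 50 expensive search requests from one address within a single second: tiny in bytes, heavy on the server
    for i in range(50):
        lines.append(fmt.format(ip="203.0.113.7", sec=37, req=f"GET /search?q={i} HTTP/1.1", size=512))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    flagged, rates, total = flag_sources(SAMPLE_LOG, rps_threshold=20)
    print("flagged sources:", flagged)
    print("peak rps per source:", rates)
    print("total bytes in window:", total)
```

On the constructed data the flood source peaks at 50 requests per second while the whole window moves under 30 KB, which is why a mitigation that only watches bandwidth misses it. In production the same logic would run on a stream rather than a list, and the threshold would be set from a baseline of normal per-client rates rather than picked by hand.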
What steps can the industry make to lessen the risk of DDoS attacks?
The magic word here is "responsibility." ISPs and hosting providers need to be more active in making it harder for attackers to use their infrastructure to carry out attacks. They can enforce source-address checks at their edge (ingress filtering, as described in BCP 38) so that packets with spoofed source addresses never leave their network, which removes the basis for reflection and amplification attacks, and they can block customers who are found to be sending attack traffic.
IoT device manufacturers should ensure that devices are not shipped before they undergo at least some basic security checks, and those checks should catch practices such as shipping a device with a default password without requiring that it be changed upon installation.
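The ingress check an ISP can enforce is conceptually simple: a packet arriving on a customer-facing port is forwarded only if its source address falls within a prefix assigned to that customer. The following is an added example and not code from the original article or from any ISP's configuration; the port-to-prefix table, port names and packets are all constructed. Real deployments implement this in router ACLs or unicast reverse-path forwarding rather than in Python, but the policy decision is the same.

```python
"""Source-address validation (BCP 38 style ingress filtering) at a provider edge.

Added example, not from the original article. The port-to-prefix table,
port names and packet list are constructed for illustration. Routers do this
with ACLs or unicast RPF; the policy below is the same: forward only if the
source address belongs to a prefix assigned to the ingress port, deny otherwise.
"""
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to each customer-facing port.
PORT_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [
        ipaddress.ip_network("198.51.100.0/25"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}


def source_allowed(port, src_ip):
    """True only if src_ip lies inside a prefix assigned to this port.

    Unknown ports have no prefixes and are denied by default; ipaddress
    treats an IPv4 address as outside every IPv6 network and vice versa.
    """
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in PORT_PREFIXES.get(port, []))


def filter_packets(packets):
    """Split (port, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if source_allowed(port, src) else dropped).append(pkt)
    return forwarded, dropped


def offending_ports(dropped):
    """Count spoofed packets per ingress port so the provider can follow up with the customer."""
    return Counter(port for port, _src, _dst in dropped)


# Constructed packets. 192.0.2.0/24 plays the role of a victim outside this provider.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.10", "192.0.2.1"),          # legitimate customer source
    ("ge-0/0/1", "192.0.2.55", "192.0.2.1"),            # spoofed: victim's address as source
    ("ge-0/0/2", "198.51.100.200", "192.0.2.1"),        # outside the /25 assigned to this port
    ("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::1"),  # legitimate IPv6 customer source
    ("ge-0/0/9", "203.0.113.10", "192.0.2.1"),          # valid address, but on an unassigned port
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("ports sending spoofed traffic:", dict(offending_ports(drp)))
```

The second sample packet is the interesting one: a reflection or amplification attack depends on sending requests with the victim's address as the source, and a provider that validates sources at the customer port drops it before it ever reaches a reflector. The per-port drop counts are what the provider needs to identify and, as the text suggests, block the offending customer.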
The bottom line is that organizations must be prepared for attacks, so that if an attack comes they are not affected. It may be too optimistic, but my hope is that if organizations put protections in place, attackers will have a narrower market and will stop their malicious activity and find something positive to do with their lives.
About Ben Herzberg
Ben Herzberg manages Imperva Incapsula's security research group, a team of security researchers and developers who study applications, traffic, protocols and trends in cyber threats. He has many years of experience in hacking things and writing code.