Preparing for DDoS: An IT operations perspective

Last week I served as a panelist for a webinar on Distributed Denial of Service (DDoS) attacks against credit unions. Susan Warner of Neustar discussed the nature and growing severity of DDoS attacks along with their business impacts. My colleague, Jane Pannier, In-house Counsel for AffirmX, discussed regulatory compliance issues. My role was to address DDoS preparedness from an IT operations perspective. As a former credit union CIO and COO, I sought to bring a practitioner's perspective to the discussion. While I am not a DDoS expert, I am acutely aware that many in our industry are unprepared for a DDoS attack. The goal of the webinar was to draw attention to the problem and provide general guidelines for preparedness. These guidelines are intended to augment, not replace, guidance issued by FFIEC on April 2.

For a copy of the full webinar presentation and Neustar’s 2014 DDoS Research Report (registration required), please visit: http://www.affirmx.com/ddos-webinar.

DDoS: A problem we can’t ignore

If your credit union has a server with public access, you have no choice but to consider the threat of a DDoS attack with the utmost seriousness. Now that the larger banks have shored up their defenses, malevolent actors are focusing their sights on a new line of targets: smaller financial institutions.

Just how seriously your institution could be impacted by a DDoS attack depends on how much of your credit union’s business and reputation depends on the access and availability of your online services. If your online banking operations or other online services are down for an extended period of time, there is the potential for significant damage to your credit union’s reputation.

DDoS preparedness is best considered to be a strategy. The approach should be similar to the strategy used for disaster recovery: understand the risk, know your environment, perform up-front planning and preparation, document your findings and your plans, do occasional tests of your plan, and, finally, revisit your strategy on an ongoing basis.

A 7 Point Approach to DDoS Preparedness

1. Conduct a company-wide DDoS risk assessment

Every credit union should be accustomed to the process of documenting formal risk assessments, taking into consideration both NCUA guidance and best practices. Conducting a company-wide DDoS risk assessment is the essential first step in DDoS preparedness.

By evaluating your environment and taking into account specific points of exposure, you should be able to zero in on the most likely targets, such as home banking, public-facing websites and other online services.

With this information in-hand you should then work to identify the potential impact of an attack on your business. What losses could your institution incur in the form of lost revenue or reputational damage?

2. Create an action plan to prepare for and respond to DDoS attacks

Armed with the information you derive from your risk assessment, you are then better positioned to move to the next step: create an action plan to prepare for and respond to DDoS attacks.

If you haven’t prepared for an attack, your response is likely to be slow, disorganized and therefore ineffective.

We recommend that you develop a plan – much like the plan that you already have for the Unintended Disclosure of Non-Public Member Information. This should augment your existing Incident Response Plan, with a focus on the various DDoS-centric activities.

As with disaster recovery planning, the use of different scenarios to help shape specific responses is a constructive way to go about developing and detailing this plan. Taking into account the various types of DDoS attacks, such as Protocol Attacks, Application Attacks or Bandwidth Attacks, you can adjust scenario duration and plans based on the specific servers subjected to the attack.

An extremely important element of your action plan, which, unfortunately, is often forgotten or ignored, is to include the specific steps you will take to monitor the other systems that are not directly impacted by the DDoS.

Today DDoS attacks are frequently used as a smokescreen to create a crisis designed to distract your staff while something else – usually more nefarious – occurs elsewhere in your credit union. A DDoS attack needs to be directly addressed, but it should also trigger heightened awareness of other attacks that may be occurring against your enterprise.

3. Know your infrastructure components

How well documented is your enterprise infrastructure? Do you have a complete inventory and map of all of your components? How frequently is this updated?

Having one or more IT people that know everything about your systems isn’t enough. If your infrastructure inventory isn’t documented and current, you are not prepared for an attack. Your enterprise infrastructure inventory will help you focus on the specific types of attacks you can withstand, and help you identify the best practice approaches to DDoS defense for your environment.

4. Understand your infrastructure components

When I spoke with several credit union executives about their state of DDoS preparedness, many reported that they would simply rely on their ISP to fix things. As Benjamin Franklin famously said, “Failing to prepare is preparing to fail.”

Don’t wait for an attack to learn the extent of your ISP’s defensive capabilities. It is essential that you proactively develop and document response plans with all of your online service providers.

A few things to document and understand about your ISP:

  • Do you have a calling tree and support numbers, contacts and account numbers readily available to you? And do you know where to find them if your site or network is down?
  • Do you understand your ISP’s options for defending against DDoS attacks? Do they use black hole routes, upstream filtering or cloud-based mitigation?
  • What are the SLAs within your contract with your ISP?

A key question that every credit union must also address is whether to depend on their ISP for DDoS protection, or to contract with a DDoS mitigation services provider.

While an ISP-based solution might seem to make sense, there are several factors to consider. If your organization is multi-homed, all your ISPs would need to participate. Otherwise, bandwidth availability during attacks would be spotty. It is also difficult to coordinate an active mitigation between multiple ISPs. Does your organization want to be the one coordinating this response? If not, then selecting an experienced third-party DDoS protection provider should be an essential part of your plan.

5. Implement general rules to help mitigate DDoS attacks

This step is one that your IT team should already have as part of their general operating procedures. If not, make it an immediate priority. The following are general rules to help defend against a DDoS attack. They should only be used as a guide, since they will not stop all attacks, especially some of the more complex varieties.

  • Turn off all unnecessary ports and protocols
  • Implement an IP blacklist
  • Block invalid and malformed packets
  • Configure and harden network equipment

Ongoing vulnerability assessments will help you to validate that you’ve properly configured and protected your environment against these ever-evolving threats.
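To make the four general rules above concrete, here is an added example (not from the original post or from AffirmX) that turns them into a host-level nftables ruleset for a Linux server fronting a single HTTPS service. It is a script rather than a bare config so the generated rules can be reviewed before they are applied; the blacklist file path, the "only TCP/443 is open" policy and the SYN rate-limit numbers are assumptions you would replace with your own. The same four rules map onto vendor firewall or router syntax in the same order.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset covering the four general
# DDoS-hardening rules (unnecessary ports off, IP blacklist, drop invalid
# and malformed packets, harden the device). Assumed: one public HTTPS
# service, blacklist kept as one IPv4 address or CIDR per line.
set -eu

BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/ddos/blacklist.txt}"   # assumed path

# Turn the blacklist file into a comma-separated nftables set body,
# skipping comments and blank lines and dropping anything that does not
# look like an IPv4 address or CIDR (a typo here would break the whole load).
blacklist_elements() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | paste -sd, -
}

# Print the ruleset to stdout so it can be reviewed (or diffed) before use.
build_ruleset() {
    elems="$(blacklist_elements "$BLACKLIST_FILE" || true)"
    cat <<EOF
table inet ddos_guard {
    set blacklist {
        type ipv4_addr
        flags interval
        elements = { ${elems:-0.0.0.0/32} }
    }
    chain input {
        type filter hook input priority 0; policy drop;   # rule 1: anything not listed is off

        iif lo accept
        ct state established,related accept
        ct state invalid drop                                # rule 3: invalid packets
        ip saddr @blacklist drop                             # rule 2: IP blacklist

        # rule 3 continued: TCP flag combinations that never occur legitimately
        tcp flags & (fin|syn) == (fin|syn) drop
        tcp flags & (syn|rst) == (syn|rst) drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop

        # rule 4: harden the device itself; the rates are assumed, tune to your links
        tcp dport 443 ct state new limit rate over 50/second burst 100 packets drop
        tcp dport 443 ct state new accept                    # rule 1: only the service you run
        icmp type echo-request limit rate 5/second accept
    }
}
EOF
}

# Without arguments only print the ruleset; with --apply load it atomically.
main() {
    if [ "${1:-}" = "--apply" ]; then
        build_ruleset | nft -f -
    else
        build_ruleset
    fi
}

main "$@"
```

Run it once without `--apply` and read the output; `nft -f -` loads the whole table in one transaction, so a syntax error rejects everything rather than leaving the host half-protected. Note that this stops the host from wasting resources on junk; it does nothing about a flood that has already filled your upstream link, which is the case the ISP or mitigation-provider steps in sections 4 and 7 address.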

6. Conduct a post-attack analysis after a DDoS attack

While it is crucial to have a plan in place to address a DDoS attack, it is equally important to perform a post-attack analysis. Some of the items to consider documenting after an attack include:

  • Type of attack (Volume, Protocol, Application Layer)
  • What equipment helped you mitigate, even if it was only partially successful?
  • What attack traffic had the most impact and why?

This analysis will help you evaluate the effectiveness of your response plan, identify any holes in your documentation, and also help you determine whether or not you need to replace or upgrade infrastructure components. If you don’t have the budget for more resilient infrastructure, you may want to think about outsourcing to a security service provider.
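The first two items on that list, classifying the attack and working out which traffic had the most impact, can be answered from flow records exported by your router or firewall. The following is an added example (not from the original post) that does a first-pass breakdown into the Volume, Protocol and Application Layer classes using heuristics: large-payload UDP as volume, bare SYNs as protocol, TCP sessions carrying payload as application layer. The record format, the thresholds and the sample flows are all constructed for the example; real exports will need their columns mapped.

```shell
#!/bin/sh
# Added example: post-attack breakdown of flow records by attack class.
# Assumed record format: proto,dst_port,tcp_flags,packets,bytes (header line first).
set -eu

# Constructed sample: UDP amplification replies aimed at port 80, a SYN flood
# on 443, a burst of HTTPS requests, and a little legitimate traffic.
SAMPLE_FLOWS='proto,dst_port,tcp_flags,packets,bytes
udp,80,-,120000,156000000
udp,80,-,95000,123500000
tcp,443,S,400000,24000000
tcp,443,S,350000,21000000
tcp,443,PA,60000,42000000
tcp,443,PA,45000,31500000
tcp,443,A,30000,4200000
udp,53,-,800,96000'

# Shared awk classifier. Thresholds are assumptions: >= 1000 bytes/packet of
# UDP looks like amplification or a bandwidth flood; a flow that is nothing
# but SYNs targets connection state; TCP with PSH carries real requests.
AWK_CLASSIFY='function classify(proto, flags, pkts, bytes) {
    if (proto == "udp" && bytes / pkts >= 1000) return "volume"
    if (proto == "tcp" && flags == "S")          return "protocol"
    if (proto == "tcp" && flags ~ /P/)           return "application"
    return "other"
}'

# Read flows on stdin; print packets and bytes per class with their share of
# the total, which is the evidence a post-attack report needs.
summarize_flows() {
    awk -F, "$AWK_CLASSIFY"'
    NR > 1 && $4 > 0 {
        c = classify($1, $3, $4, $5)
        pkts[c] += $4; bytes[c] += $5; tp += $4; tb += $5
    }
    END {
        for (c in bytes)
            printf "%-12s packets=%9d (%5.1f%%)  bytes=%11d (%5.1f%%)\n",
                   c, pkts[c], 100 * pkts[c] / tp, bytes[c], 100 * bytes[c] / tb
    }'
}

# Read flows on stdin; print the class that dominates the chosen metric
# ("bytes" saturates links, "packets" exhausts firewall and server state).
dominant_class() {
    awk -F, -v m="${1:-bytes}" "$AWK_CLASSIFY"'
    NR > 1 && $4 > 0 {
        v = (m == "packets") ? $4 : $5
        total[classify($1, $3, $4, $5)] += v
    }
    END {
        best = ""
        for (c in total) if (best == "" || total[c] > total[best]) best = c
        print best
    }'
}

main() {
    printf '%s\n' "$SAMPLE_FLOWS" | summarize_flows
    printf 'most impact by bytes:   %s\n' "$(printf '%s\n' "$SAMPLE_FLOWS" | dominant_class bytes)"
    printf 'most impact by packets: %s\n' "$(printf '%s\n' "$SAMPLE_FLOWS" | dominant_class packets)"
}

main
```

On the constructed sample the volume class wins on bytes while the protocol class wins on packets, which is exactly why "what traffic had the most impact and why" needs both numbers: the amplification traffic is what filled the link, but the SYN flood is what a stateful firewall or load balancer would have struggled with, and the two point at different fixes (upstream or provider mitigation for the former, SYN-handling capacity or rate limits for the latter).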

7. Leverage monitored and managed services

Partnering with an experienced third-party DDoS mitigation provider has significant benefits. Such providers have deep experience in dealing with DDoS attacks and offer a wide array of equipment and resources. You can use their services on demand—for example, a DNS redirect service—or have them monitor your network 24/7 for signs of attacks.

For your copy of the webinar presentation “Is Your Credit Union Prepared for a DDoS Attack” as well as Neustar’s DDoS Research Report, please visit: http://www.affirmx.com/ddos-webinar