Last week, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated guide, Understanding and Responding to Distributed Denial-of-Service Attacks, which provides organizations with proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks. The guidance is aimed at both network defenders and leaders to help them understand and respond to DDoS attacks, which can cost an organization time, money, and reputational damage.
Although DDoS attacks are unlikely to impact the confidentiality or integrity of a system and its associated data, they affect availability by interfering with the legitimate use of that system, thereby costing the victim's business time and money, and possibly its reputation. Some of the actions listed in the joint DDoS guide that organizations should take before an incident are:
- Understand your critical assets and services: Identify which services you have exposed to the public internet and the vulnerabilities of those services. Prioritize assets based on mission criticality and need for availability.
- Enroll in a DDoS protection service: Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.
- Determine the coverage and limitations of internet service provider defenses: Engage with your internet service providers (ISPs) and cloud service providers (CSPs) to understand existing DDoS protections, which should include reviewing Terms of Service agreements.
- Develop an agency DDoS response plan: The response plan should guide the organization through identifying, mitigating, and rapidly recovering from DDoS attacks.
Depending on the scale of the DDoS attack, the impact may range from negligible to severe, including loss or degradation of critical services, loss of productivity, extensive remediation costs, and acute reputational damage. If an incident is suspected, some of the actions that can be taken include:
- Review the indicators in the guide that can help confirm a DDoS attack, and contact your upstream network service provider to determine whether there is an outage on their end or whether their network is the target of the attack and you are an indirect victim.
- Deploy mitigations, including continuing to work with the service providers to get the DDoS attack blocked, making configuration changes to the current environment, and initiating business continuity plans that may assist in response and recovery. MS-ISAC offers a Guide to DDoS Attack that provides several recommended mitigations.
- DDoS attacks may also be used to divert attention away from other, more malicious acts (malware insertion or data exfiltration) being carried out by the threat actor, so victims should stay on guard throughout a DDoS response.
In the near future, CISA plans to offer a tabletop exercise that any organization can use to assess its security and resilience against a DDoS attack. The reporting agencies urge every organization to apply the recommended actions in the joint DDoS guide, adopt their Shields Up guidance, and take steps to implement the security and resilience measures that can reduce the likelihood of compromise. Access the full guide below.