How Effective CSOs Prepare for DDoS Attacks


Presentation Transcript


  1. How Effective CSOs Prepare for DDoS Attacks. Rob Kraus & Jeremy Scott, Solutionary SERT

  2. Speakers
  • Rob Kraus: Director of Research, Twitter: @robkraus
  • Jeremy Scott: Senior Research Analyst, Twitter: @jeremyscott_org
  Solutionary, Inc. (Twitter: @solutionary), Security Engineering Research Team (SERT)

  3. Headlines, August and September 2013
  • Countering Attacks Hiding In Denial-Of-Service Smokescreens (Dark Reading, September 2013)
  • What's better than creating your own DDoS? Renting one (TechRepublic, September 2013)
  • Cybercrooks use DDoS attacks to mask theft of banks' millions (CNET.com, August 2013)
  • DDoS Botnet Now Can Detect Denial-Of-Service Defenses (Dark Reading, August 2013)
  • DDoS Attacks Strike Three Banks (Bank Info Security, August 2013)

  4. DDoS Varieties
  • Every DDoS is different
  • Attack types / target infrastructure / services
  • Tools (booters, stressers, DDoS for rent)
  • Examples:
    • Volumetric
    • SYN Flood (TCP protocol)
    • DNS Amplification (reflection)
    • HTTP Application Attacks

  5. Basic Volumetric DDoS Attack

  6. Application Layer DDoS
  • Targets applications
  • Effective due to the underlying components serving content
  • Logon pages
  • "Heavy" content pages
  • Complex database queries
  • Max connections exceeded

  7. Case Study #1
  • Mid-sized financial institution
  • Targeted application DDoS
  • Over 30,000 attack sources
  • Attack duration: 30 minutes
  • Attacked 8 times in 2012
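Slides 6 and 7 together make the point that matters operationally: an application-layer flood against a logon page with 30,000 sources can stay under any per-client rate limit, because each bot only needs a handful of requests to keep the backend busy. The detector below is an added example written for this page, not code from the presenters or from Solutionary. It parses Apache/nginx combined-format access-log lines, buckets hits on one expensive path per fixed window, and distinguishes a single noisy client (which a per-IP block handles) from a distributed flood (which only an aggregate view catches). The log lines, IP ranges and thresholds are constructed for the demonstration and are not tuned values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; we only need client IP,
# timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_app_flood(lines, path, window_s=60, agg_threshold=200,
                     min_sources=100, per_source_cap=30):
    """Flag floods against one expensive path (e.g. the logon page).

    For each fixed window of window_s seconds we compute the aggregate hit count,
    the number of distinct client IPs and the busiest single IP, then decide:
      "single-source": one IP alone exceeds per_source_cap (a per-IP rate limit
                       or block handles this);
      "distributed":   aggregate hits reach agg_threshold from at least min_sources
                       IPs while no single IP exceeds per_source_cap, so a per-IP
                       rate limit never fires and only the aggregate view sees it.
    Thresholds are assumptions for the constructed sample, not tuned values.
    """
    buckets = defaultdict(Counter)  # window start -> Counter(ip -> hits)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != path:
            continue
        # Align each event to a fixed window boundary (timestamps are tz-aware).
        start = ev["ts"] - timedelta(seconds=ev["ts"].timestamp() % window_s)
        buckets[start][ev["ip"]] += 1

    findings = []
    for start in sorted(buckets):
        hits = buckets[start]
        total = sum(hits.values())
        top_ip, top_hits = hits.most_common(1)[0]
        verdict = None
        if top_hits > per_source_cap:
            verdict = "single-source"
        elif total >= agg_threshold and len(hits) >= min_sources:
            verdict = "distributed"
        if verdict:
            findings.append({"window": start.isoformat(), "verdict": verdict,
                             "total": total, "sources": len(hits),
                             "top_ip": top_ip, "top_hits": top_hits})
    return findings


# ---- Constructed sample log (synthetic, not real traffic) ----
def _line(ip, ts, method, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

BASE = datetime(2013, 9, 10, 14, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Minute 0: normal load, 40 users each logging on once.
for i in range(40):
    SAMPLE_LOG.append(_line(f"198.51.100.{i + 1}", BASE + timedelta(seconds=i), "POST", "/login", 302))
# Minute 1: distributed application-layer flood, 600 POSTs to /login from 600 bots, one each.
for i in range(600):
    bot = f"10.{i // 256}.{i % 256}.9"
    SAMPLE_LOG.append(_line(bot, BASE + timedelta(seconds=60 + i % 60), "POST", "/login", 401))
# Minute 2: one noisy client hammering the logon page 80 times.
for i in range(80):
    SAMPLE_LOG.append(_line("10.9.9.9", BASE + timedelta(seconds=120 + i % 60), "POST", "/login", 401))
# Background: static content the detector must ignore when watching /login.
for i in range(20):
    SAMPLE_LOG.append(_line("198.51.100.200", BASE + timedelta(seconds=i), "GET", "/index.html", 200))

if __name__ == "__main__":
    for finding in detect_app_flood(SAMPLE_LOG, "/login"):
        print(finding)
```

The second window is the case the slides describe: 600 requests in a minute, every source at one request, so raising `per_source_cap` changes nothing while the aggregate verdict still fires. In production the window would be fed from the load balancer or WAF logs at the SSL termination point rather than from a list, and the path list would cover every page that triggers a heavy backend query, not only the logon form.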

  8. DDoS Movie

  9. Case Study #2
  • Large financial institution
  • Over 91,000 attack sources (150 countries)
  • Attack duration: 10.5 hours
  • Bandwidth consumption DDoS
  • Masked 3 unauthorized ACH transfers totaling 4.2 million dollars

  10. Other DDoS Considerations
  • Is your organization the target... or the source?
  • Monitor internal and external bandwidth
  • Visibility is key
  • Monitor appropriate parts of the infrastructure
  • Consider SSL termination points
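Slide 4 names DNS amplification as a volumetric variety and slide 10 asks whether you are the target or the source; the same perimeter flow data answers both. The following is an added example for this page, not code from the presenters or from Solutionary. It takes NetFlow/IPFIX-style flow records (5-tuple plus byte count), totals inbound and outbound bytes, and then applies the amplification ratio in both directions: responses we receive versus queries we sent (we are the victim) and responses our resolver sends versus queries it received from that peer (we are reflecting a spoofed query stream). The prefix 192.0.2.0/24, the peers and the thresholds are assumptions chosen for the constructed sample.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One aggregated flow record (NetFlow/IPFIX-style 5-tuple plus byte count).
Flow = namedtuple("Flow", "src sport dst dport proto bytes")

# Assumed: the organization's public prefix (TEST-NET-1, chosen for the sample).
OUR_NET = ipaddress.ip_network("192.0.2.0/24")


def ours(ip):
    return ipaddress.ip_address(ip) in OUR_NET


def bandwidth_by_direction(flows):
    """Inbound vs outbound bytes across the perimeter; internal/transit flows are ignored."""
    totals = {"in": 0, "out": 0}
    for f in flows:
        if ours(f.dst) and not ours(f.src):
            totals["in"] += f.bytes
        elif ours(f.src) and not ours(f.dst):
            totals["out"] += f.bytes
    return totals


def dns_reflection_report(flows, amp_ratio=10.0, min_peers=20, min_bytes=1_000_000):
    """Answer "target or source?" for DNS amplification from perimeter flows.

    Target view: per external peer, bytes of DNS responses received (peer sport 53 -> us)
                 divided by bytes of DNS queries we sent to that peer. Unsolicited or
                 heavily amplified answers from many peers means we are the victim.
    Source view: per external peer, bytes of DNS responses we sent (our sport 53 -> peer)
                 divided by bytes of queries received from that peer. A high ratio at
                 high volume toward one peer means our resolver is reflecting spoofed
                 queries at that peer, i.e. we are the source.
    Thresholds are assumptions for the constructed sample.
    """
    recv_resp, sent_query = defaultdict(int), defaultdict(int)   # target view
    sent_resp, recv_query = defaultdict(int), defaultdict(int)   # source view
    for f in flows:
        if f.proto != "udp":
            continue
        if ours(f.dst) and not ours(f.src):          # inbound
            if f.sport == 53:
                recv_resp[f.src] += f.bytes
            elif f.dport == 53:
                recv_query[f.src] += f.bytes
        elif ours(f.src) and not ours(f.dst):        # outbound
            if f.dport == 53:
                sent_query[f.dst] += f.bytes
            elif f.sport == 53:
                sent_resp[f.dst] += f.bytes

    # A peer whose answers dwarf our questions (or that we never asked) is a reflector.
    reflectors = sorted(p for p, b in recv_resp.items()
                        if b / max(sent_query.get(p, 0), 1) >= amp_ratio)
    # A peer we answer far more than it asked, at volume, is being attacked through us.
    victims = sorted(p for p, b in sent_resp.items()
                     if b >= min_bytes and b / max(recv_query.get(p, 0), 1) >= amp_ratio)
    return {
        "we_are_target": len(reflectors) >= min_peers,
        "reflector_count": len(reflectors),
        "reflected_bytes_in": sum(recv_resp[p] for p in reflectors),
        "we_are_source": bool(victims),
        "victims": victims,
        "reflected_bytes_out": sum(sent_resp[p] for p in victims),
    }


# ---- Constructed sample flows (synthetic, not real traffic) ----
SAMPLE_FLOWS = [
    # Normal: our client asks an external resolver and gets about 3x the bytes back.
    Flow("192.0.2.10", 51000, "198.51.100.1", 53, "udp", 7_000),
    Flow("198.51.100.1", 53, "192.0.2.10", 51000, "udp", 21_000),
    # Normal: an external client uses our authoritative server.
    Flow("198.51.100.7", 4000, "192.0.2.53", 53, "udp", 6_400),
    Flow("192.0.2.53", 53, "198.51.100.7", 4000, "udp", 19_200),
    # We are the source: 500 spoofed 64-byte queries "from" 198.51.100.99 ...
    Flow("198.51.100.99", 53001, "192.0.2.53", 53, "udp", 32_000),
    # ... answered with 500 large responses aimed at the real owner of that address.
    Flow("192.0.2.53", 53, "198.51.100.99", 53001, "udp", 1_750_000),
    # Unrelated TCP flow that the DNS logic must ignore.
    Flow("203.0.113.250", 443, "192.0.2.10", 60000, "tcp", 5_000_000),
]
# We are the target: 40 open resolvers fire answers at 192.0.2.10 that we never asked for.
for i in range(40):
    SAMPLE_FLOWS.append(Flow(f"203.0.113.{i + 1}", 53, "192.0.2.10", 40000 + i, "udp", 200_000))

if __name__ == "__main__":
    print(bandwidth_by_direction(SAMPLE_FLOWS))
    print(dns_reflection_report(SAMPLE_FLOWS))
```

Two practical points follow from where the measurement is taken. A stateful firewall will drop the unsolicited UDP/53 responses in the target case, but they have already filled the upstream link, so the inbound counters must come from the ISP side of the perimeter, not from behind the firewall. The source view is why an open resolver is a liability even when nothing of yours is under attack: the outbound counter shows your bandwidth being spent on someone else's incident, and your ISP will see it before you do.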

  11. Solutionary 2013 GTIR

  12. Planning: "Everyone has a plan until they get punched in the face." (Mike Tyson)

  13. IR Roles & Responsibilities
  • Planning
  • Preparation
  • Testing plan effectiveness
  • Monitor intelligence feeds
  • Communication
  • Manage incidents

  14. DDoS Response Goals
  • "Stop" vs. mitigate
  • Goal #1: Detect the attack in a timely manner
  • Goal #2: Enable reactive controls
  • Goal #3: Achieve "sustained availability"
  • Goal #4: Recovery and review

  15. Defense Maturity: from Basic Controls to Advanced Controls

  16. DDoS Mitigation Service Providers

  17. Poor CSO Approach
  • Rely on others to understand the risk
  • Unaware of the organization's capabilities to thwart attacks
  • Expect results even after no prior planning
  • Scramble for budget during the attack
  • Don't consider attacks a part of delivering business

  18. Effective CSO Approach
  • Think in terms of "tactical" and "strategic" solutions
  • Understand:
    • threat, risk, vulnerabilities, loss potential
    • it is a matter of "when", not "if"
    • the goal is not to stop, but to mitigate
    • not all DDoS can be mitigated, but still try
    • "rolling your own" solution is not always the best choice
  • Sponsor and participate in IR plan development

  19. Effective CSO Approach
  • Embrace and leverage relationships
    • ISP
    • Vendors: subject matter expert support contracts
  • Conduct test exercises to determine plan effectiveness
  • Leverage existing technologies
  • Plan and allocate budgets
    • Training
    • External IR support
    • Mitigation services

  20. Benefits of Being Effective
  • Compress the mitigation timeline
  • Reduce overall impact
    • Loss of productivity
    • Loss of availability (loss of revenue)
    • SLA penalties
    • Legal costs
  • Protecting your brand

  21. References
  • RFC 4987, TCP SYN Flooding Attacks and Common Mitigations
  • Solutionary, 7 Steps to DDoS Protection
  • Solutionary, 2013 Global Threat Intelligence Report (GTIR)

  22. Questions?
