Key critical components that should be part of a sound DDoS response plan - Vinay Sharma, Regional Director, India and SAARC, NETSCOUT
Today, businesses across the globe, in every sector and vertical market, depend heavily on the Internet and on web-based applications and services for many of their functions. Moreover, new business models built on remote working and BYOD adoption are leading to a spike in cybercrime. Organizations have to operate at the speed and scale of the Internet while also being well prepared to weather cyberattacks, which arrive at equally high speeds and scales. In particular, the Distributed Denial of Service (DDoS) attack is among the most dangerous: an attempt to exhaust the resources available to a network, application, or service so that genuine users are denied access. DDoS attacks are a significant threat to business continuity for any organization with an obvious need for availability, be it a retailer, a financial services firm, or a gaming company. These attacks also target the mission-critical business applications that your organization relies on to manage daily operations, such as email, sales force automation, CRM, and many others.
It is paramount for organizations to maintain availability and resilience in the face of DDoS attacks, which are happening continuously all over the globe. An organization’s inability to withstand an attack and recover from it can result in loss of revenue, compliance failures, and damage to brand reputation and public perception, among other consequences. Hence it is critical for any organization to have a robust plan of action for when a DDoS attack occurs.
Preparation
The most important phase in the plan is preparation. Here, one brings together the tools, people, processes, and communications plan needed to address a DDoS attack. Training on, practicing, and rehearsing the plan is crucial too. The plan should cover the full scope of the different elements, processes, and procedures, along with the organization’s ability to execute them when an attack occurs. The plan must also cover targeted attacks against critical vendors, supply-chain partners, and keystone customers, not just attacks against the business itself.
Detection
It is not easy for an organization to know when an attack is happening, what tools to use, or how to communicate about it. Businesses that lack good visibility into their Internet traffic often do not even realize that they are under attack and learn of it only after suffering outages, which can last for days or even weeks. That is why detection is so crucial. It is important to have the relevant tools to detect that an attack is under way and to alert the organization to the potential harm. This step is critical because the later steps in the cycle depend on the organization’s ability to accurately detect an attack first.
Classification
Once an attack is detected, it is important to determine its nature and what is being targeted, including its size and attack characteristics, in order to classify it accurately. This classification is key: an incomplete picture can lead to less effective steps later in the cycle and to inappropriate reactions that make things even worse.
Traceback
After classifying the attack, one needs to understand where the attack traffic ingresses into and egresses from the network. It is important to use automation for detection, classification, and traceback, because of the speed and accuracy with which determinations can be made compared with trying to perform them by hand.
Reaction
At this point, one is informed enough about the attack to perform mitigation, choosing the best option under the circumstances. For a successful reaction, the key is to mitigate the attack and maintain availability over the course of the attack. Having identified and classified the attack, the most appropriate DDoS mitigation action can be chosen.
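The detection, classification, and traceback steps above are what an automated tool performs on traffic telemetry. The following is an added illustration, not NETSCOUT's code or any product's logic: it runs those three steps over constructed flow summaries (sampled NetFlow-style records, with hypothetical per-destination baselines) so that the reaction step starts from a concrete report of size, dominant vector, source diversity, and ingress interface.

```python
from collections import Counter

# Constructed flow summaries (not real traffic): pps is the inbound packets per
# second seen for that flow, iface is the border interface it entered on.
FLOWS = [
    {"src": "203.0.113.5", "dst": "198.51.100.10", "proto": "udp", "sport": 123, "dport": 443, "pps": 9000, "iface": "transit-a"},
    {"src": "203.0.113.6", "dst": "198.51.100.10", "proto": "udp", "sport": 123, "dport": 443, "pps": 8500, "iface": "transit-a"},
    {"src": "203.0.113.7", "dst": "198.51.100.10", "proto": "udp", "sport": 123, "dport": 443, "pps": 7000, "iface": "transit-b"},
    {"src": "192.0.2.20", "dst": "198.51.100.10", "proto": "tcp", "sport": 51000, "dport": 443, "pps": 40, "iface": "transit-a"},
    {"src": "192.0.2.21", "dst": "198.51.100.25", "proto": "tcp", "sport": 52000, "dport": 80, "pps": 30, "iface": "transit-b"},
]
# Assumed learned baseline of normal inbound pps per protected destination (hypothetical values).
BASELINE_PPS = {"198.51.100.10": 300, "198.51.100.25": 200}

def detect(flows, baseline, factor=5):
    """Detection: destinations whose inbound pps exceeds factor x baseline (no baseline -> alert)."""
    total = Counter()
    for f in flows:
        total[f["dst"]] += f["pps"]
    return {d: pps for d, pps in total.items() if pps > factor * baseline.get(d, 0)}

def classify(flows, dst):
    """Classification: size, source diversity and dominant vector of traffic aimed at dst."""
    attack = [f for f in flows if f["dst"] == dst]
    by_vector = Counter()
    for f in attack:
        # UDP arriving from a well-known source port points at a reflected service; otherwise key on the target port.
        reflected = f["proto"] == "udp" and f["sport"] < 1024
        vector = f"udp/sport {f['sport']}" if reflected else f"{f['proto']}/dport {f['dport']}"
        by_vector[vector] += f["pps"]
    total = sum(by_vector.values())
    dominant, dominant_pps = by_vector.most_common(1)[0]
    return {"total_pps": total, "sources": len({f["src"] for f in attack}),
            "dominant_vector": dominant, "dominant_share": round(dominant_pps / total, 3)}

def traceback(flows, dst):
    """Traceback: attribute attack pps to the border interface it ingressed on."""
    by_iface = Counter()
    for f in flows:
        if f["dst"] == dst:
            by_iface[f["iface"]] += f["pps"]
    return dict(by_iface)

def run_cycle(flows=FLOWS, baseline=BASELINE_PPS):
    """Run detection, then classify and trace back each detected target."""
    return {dst: {"class": classify(flows, dst), "ingress": traceback(flows, dst)}
            for dst in detect(flows, baseline)}
```

In the constructed data only 198.51.100.10 trips the threshold, and its report shows a UDP source-port-123 vector from three sources entering mostly on transit-a, which is the information a mitigation decision needs.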
Post-mortem