A GUIDE TO DDoS,
MITIGATION AND TESTING (2015)
Part 2: DDoS risk assessment
activereach Ltd.
Prospect House Business Centre
Crendon Street, High Wycombe, Bucks, HP13 6LA
Main Reception Tel: 0845 625 9025, Fax 01494 980255
Email: finance@activereach.net www.activereach.net
VAT no. GB941 4420 46, Company no. 06716533
A guide to DDoS, mitigation and testing
Assessing the risk of DDoS for a UK business
Caution
The following document contains numbers culled from surveys, white papers, online tools and
reports. These sources seldom disclose their methods, bias or motivations and a large number
of them disagree with each other.
For example, industry white papers containing statistics about the proportion of DDoS events
that were volumetric attacks, as opposed to application attacks, seldom agree. A cynic may
suggest that this would depend on the DDoS mitigation services being recommended as a
result of the statistics contained in the white papers. However it could easily be a factor of the
research methods employed or data set selection.
To use them in any risk analysis would then seem to be folly.
However, for a company wishing to assess the potential risk of DDoS attacks to its business in
the absence of any attacks to date, basing DDoS mitigation budget decisions on some evidence is
arguably better than raw guesswork. At least the assumptions made in the risk calculations can
be examined, and any answers found can be tested against future surveys or independent
reports.
The following analysis is presented as an informed risk assessment toolkit which might prove
to be one step improved from ‘finger in the wind’ assessment.
You use the information in this document at your own risk.
©2015 activereach Ltd. 2
Risk assessment structure
There are three common steps to a risk assessment for DDoS.
1. Scope of impact of a DDoS attack
2. Expected annual loss from DDoS attacks
3. Spend/activity to mitigate expected losses from DDoS attacks
Scope of impact for DDoS attacks
What is vulnerable to disruption from DDoS attacks?
This is potentially a complicated question for a business to answer. Most companies
understand the basic connection between their business strategy and their IT infrastructure,
but the details may not always be clear to the individuals involved in a risk assessment; the
many complex dependencies may not be immediately obvious.
In simple terms, the business strategy will be broken down into business activities or
functions, which need access to particular IT applications, which requires certain things from
the network.
1. Business strategy (Growth through B2C activity, asset acquisition/disposal or focus on
efficiency)
2. Business functions (Sales, customer service, billing, marketing, HR, management)
3. IT applications (CRM, billing application, web site, telephony)
4. IT network infrastructure (Internet access from head office, private VPN, server, data
centre)
This is a complex tree. Applications (in efficiently run businesses) are often shared across
multiple business functions and each department’s dependency on it may differ. A call centre
may be using the same telephone circuits as the sales team, but if the circuits fail, the sales
team can switch to their mobile phones whereas the call centre may simply stop - or be forced
to switch sites.
Understanding the impact to the business strategy of the disruption of a particular element of
infrastructure requires someone (or several people) familiar with the business to trace the
connection back from infrastructure - to applications that it impacts - to the business function
and then to the business strategy itself.
It’s not something a white paper or checklist can do.
What damage can a DDoS attack cause?
A fully effective DDoS attack will completely exhaust a system’s resources - disabling the
system or team it is aimed at for a period of time. A partially effective DDoS attack will slow
down a system or team. If the system or team targeted generates revenue/profit for a
business (or reduces risk), then that ability will be damaged with associated financial loss for
the target.
So - for example - a particular online casino might generate £30m a year. If that server is
disabled for 24 hours, then the direct damage to the business revenue might be £30m/365 =
£82k .
In 2014, according to Incapsula (2014 survey of 240 North American companies), 50% of
DDoS attacks lasted 6-24 hours, 37% were under six hours. Prolexic's Q4 2014 report
calculated an average attack duration in 2014 of 17 hours.
As well as direct loss of revenue/profit from affected services, there is the immediate direct
cost of IT, security staff and management that may be drafted in to tackle the event, and liaise
with service providers and staff, and there will be an impact on customer services handling
customer queries (a BT report suggested that complaints and queries increase over 30%
during a DDoS attack). There is also the subsequent longer-term costs of additional security or
regulatory audit and clean-up - additional mitigation and impact on sales or share price as
confidence in the target suffers.
Most companies have calculated a cost per hour of downtime caused by IT failure as part of
their business continuity planning and an outage caused by DDoS is no different in this regard
- apart from one or two factors.
Firstly, unlike an IT outage, certain categories of attacker will target a system at the time of
maximum cost for the target. Political sites attacked more frequently during campaigning or
elections, e-commerce sites during sales, gambling sites during high profile betting events.
Risk calculations cannot assume a random attack (average daily values of revenue/profit) and,
instead, must consider the maximum possible cost of a system outage (maximum daily values
of revenue/profit).
Secondly, DDoS is perceived as a security event and a system failing as a ‘breach’. This may
cause increased reputation damage compared to an IT failure and consequently increased
impact on sales or share price.
What systems might be impacted by a DDoS attack?
It is easy to identify a web or email server as potentially at risk from a DDoS attack, but
harder to identify that an apparently private MPLS service from a Telco shares physical
infrastructure with that Telco’s public Internet services and so may be indirectly affected by
DDoS events.
DDoS attacks most commonly occur from compromised devices on public networks (bots)
attacking other devices on public networks. The most obvious targets are public servers
running applications that use the global DNS (eg. prominent web sites). However any device
with a public IP address may be directly targeted.
There are also indirect impacts to consider. If a service provider’s core switch is attacked and
disabled, then all customer connections that traverse that switch might be impacted. Similarly
if one tenant’s virtual server on a multi-tenant server is attacked, then all tenants may be
impacted.
A systematic review of a company’s infrastructure will need to examine the physical, logical,
application and human systems that are used to underpin a business strategy.
Physical (boxes and wires) analysis (Layers 1 and 2 of OSI)
The first step is typically to identify all devices and network connections/circuits under the
company’s control - and the third parties that they connect to (Telcos or Internet service
providers). Each element will have a finite set of performance capabilities - maximum
bandwidth, CPU, memory or storage limits.
Logical analysis (Layers 3 and 4 of OSI)
It is important to understand a company’s external IP address ranges, AS numbers, BGP peers,
and virtual networks under their control as well as the third party networks that may be
traversed. At this layer of analysis, the company’s reliance on network authentication, address
translation, DNS, access control lists (ACLs) or other network-centric associated functions
might be considered.
Application analysis (Layers 5,6 and 7 of OSI)
Direct applications such as telephony, CRM, billing applications, web servers, databases and
mail servers. These may be held in data centres, company offices or third party virtual
environments. Indirect applications may include monitoring and management, user
authentication, network time, domain name services.
The advent of cloud computing and increasing use of outsourced applications (CRM, IPT)
makes identification of all of the dependencies of a network hard to do in most cases. If a
company has made no effort to identify the extent of the exposure to DDoS, they are much
more likely to be unpleasantly surprised by a future attack event.
The human element
In addition to the technical infrastructure that may be vulnerable to DDoS attacks, the human
element is a crucial component to consider. If a company’s IT or security staff are busy dealing
with a DDoS attack, then they are rendered unable to deliver their usual service - which may
include critical security monitoring activities. This may allow a criminal to use DDoS to ‘blind’ a
company to illegal activity - data exfiltration, malware or other threat.
DDoS attacks are being seen that are designed to stress the human and process component of
a business’ systems. So-called ‘drive-by’ DDoS attacks are shorter in duration and are aimed
as much to force a company into allocating resources to defend against the attack and
implement mitigating processes as they are to disable a technical system.
Any full risk assessment will need to consider the available human resources available to a
company, and the efficiency of the DDoS mitigation processes both during and after an attack
event. The current trend is to simplify DDoS defences from ‘on demand’ to ‘always on’ to
eliminate the human component of swinging traffic to scrubbing centres and back again - and
ensure that monitoring of possible reconnaissance attacks is maintained.
Expected annual loss from DDoS
In order to calculate an expected annual loss from DDoS, you need to know two things. The
anticipated loss resulting from an attack and the likelihood of being attacked.
Expected annual loss = (Loss per event) x (annual chance of being attacked)
Loss per event = (duration of event x loss per hour) + clean-up + reputation damage
We have already discussed the loss per event. The average DDoS attack is 17 hours long (the
Prolexic Q4 2014 figure) and the cost per hour of an outage caused by DDoS is the same as for
any outage event, modified by the fact that it is more likely to happen at the worst possible
time for the company and that the damage to reputation and future sales is likely to be higher
than for simple IT outages.
How do we calculate a company’s chances of being attacked?
How many DDoS attacks are there each year?
The chance of being hit by a DDoS attack is a question of frequency. If you would expect one
attack every three years, then the annual risk is 33%. One approach to calculating the
likelihood of being attacked is a simple volumetric one. How many DDoS attacks are there
each year? How many targets are there? Divide the two numbers.
For example:
Prolexic (now owned by Akamai) states on its web site that there are, on average, over 7,000 DDoS attacks a
day. That would mean 2.55m attacks a year. Looking at destination addresses of these attacks suggests that
7% of attacks are aimed at targets in the UK. There are 1.25m companies in the UK with more than one
employee.
If the attacks were distributed evenly across all companies in the UK with more than one
employee, the annual risk of any given UK company being hit by a DDoS attack would be about
2,555,000 x 0.07 / 1,250,000 ≈ 0.14, i.e. roughly 14%, which the rest of this guide rounds to 15%.
Is this number convincing?
Unfortunately it’s very easy to find completely different assessments of the number of attacks
each year. The NSFocus Threat Report 2013 is frequently quoted stating 28 attacks per hour -
which would be an order of magnitude smaller than the Akamai average. Even accounting for
annual attack frequency increase this is significant.
No company sees all attacks - all DDoS filters leak (false negative) to some extent - and what
they classify as a single DDoS attack may differ. Many marketing reports and white papers now
quote percentage increases in attacks, rather than absolute numbers. One suspects that they
worry about revealing something about their relative size compared to competition. Or it might
be modesty.
Regardless - we know that there are certain characteristics of targets that will modify this 15%
risk upwards by a certain factor and we might be able to work out that factor by looking at
how many of these characteristics a target company has.
Common lore would have it that financial services and online gaming are most likely to be hit.
Analysis of rate of attacks on large companies versus small companies suggests that, today,
large companies (250+ employees) are twice as likely to experience DDoS attacks. But this
might just be slightly lazy compartmentalisation for marketing purposes and ease of analysis
or a factor of the choice of organisations that a given survey selected from.
Size and vertical isn’t everything
Within the finance sector is a vast array of different businesses. Some have particularly high
public profiles, some deal with consumers, some are quite small, but have complex high value
commercial interests. The shadows they cast into the Internet are very different. Some are
very likely to be targets for DDoS - others are unlikely to experience one - but when they do it
will be very focused and sophisticated.
Thinking about ‘large’ companies and companies in particular verticals, it is relatively easy to
come up with counter-examples to an assessment that they are likely to see frequent DDoS
attacks.
For example - digital assets are not totally dependent on company size. A massive
manufacturing or engineering company may have a very modest web presence, while a small
SaaS company may have disproportionately massive network assets and Internet-connected
presence. Each company's dependence on technology will also vary. Larger companies tend to
make greater use of private network facilities or autonomous operation under technology
failure conditions which will see the threat of DDoS considerably reduced.
Online gaming sites might experience rashes of minor attacks as individuals engage in petty
disputes using DDoS tools - but nothing with the intensity and focus of an attack on an online
gambling site.
There must be a set of characteristics of organisations that are more likely to be found with
large companies compared to small ones, and, perhaps, in certain vertical markets that are
driving the frequency and intensity of DDoS attacks.
Let’s consider the motivations behind DDoS attacks and relate them to characteristics of their
selected targets.
Motivations behind DDoS attacks

Political protest
  Description: Hacktivists and collectives (Anonymous) seeking to make a point or raise awareness of an issue.
  Target characteristics to look for: political affiliation; media footprint; recent or ongoing controversy.
  Examples: Anonymous attacks on financial organisations not supportive of Wikileaks.

Cyber warfare
  Description: State-sponsored or terrorist-inspired attacks on a perceived enemy.
  Target characteristics to look for: critical infrastructure (economic, societal or governmental); media footprint; political affiliation.
  Examples: Attacks on French municipal web sites in the aftermath of the Charlie Hebdo shootings.

Reputation
  Description: Criminals hoping to make a reputation for themselves by taking out a ‘big name’.
  Target characteristics to look for: iconic brand; perceived high security posture; media footprint.
  Examples: LizardSquad attacking Microsoft XBox Live and the Sony Playstation network on Christmas Day 2014.

Extortion or financial gain
  Description: Criminals hoping to gain money directly by threatening and/or engaging in DDoS activities.
  Target characteristics to look for: digital product or service delivery; multiple customer impact; high ratio of revenue to resource; known peak activity (eg. sales day); dependence on online sales.
  Examples: Criminal gang caught trying to extort money from a UK online casino. Criminals trying to get money from online florists in the run-up to Valentine’s Day.

Revenge against an organisation
  Description: Disgruntled customers, staff, ex-employees or contractors.
  Target characteristics to look for: large number of consumer customers; high turnover of staff; low customer satisfaction; tech-savvy customers and staff.
  Examples: Mass e-mail campaign against Domestic and General. Attacks against Kent police.

Self-inflicted
  Description: Servers with low average demand hit by sudden spikes in traffic that overwhelm the supplied capacity.
  Target characteristics to look for: niche daily news and content; first-come first-served tickets; social-media driven content; under-investment in spare capacity.
  Examples: Day one of the Olympic ticket sales for the 2012 Games. Black Friday sees Argos, Tesco and other sites crash under load.

Diversion
  Description: Criminals hoping to disguise a penetrating attack or data exfiltration by using DDoS as a diversion.
  Target characteristics to look for: valuable digital IP; high ratio of revenue to resource; complex security environment.
  Examples: Scattered reports from US financial organisations of synchronised DDoS and data exfiltration attacks.

Business competition
  Description: Attacks designed to disrupt a competitor’s activities.
  Target characteristics to look for: high turnover of staff; tech-savvy staff; unscrupulous market practices; digital product or service delivery; emerging international market.
  Examples: Reputed to be routine practice in the world of online gambling.

Individual competition/revenge
  Description: Individuals targeting individuals.
  Target characteristics to look for: competitive, immature, tech-savvy e-communities (gaming or hacking sub-culture) and the companies that host them.
  Examples: League of Legends players receive advice on countering individual DDoS attacks. People are regularly banned for DDoS attacks.

Accidental or prank
  Description: Playing with DDoS attack tools; an individual’s need to exert control and power.
  Target characteristics to look for: iconic brand; brand confusion.
  Examples: MafiaBoy.
From this understanding we can construct a simple questionnaire that assesses an
organisation’s “DDoS threat shadow” - i.e. how large and aggressive the pool of potential
DDoS threat actors is - and thus what an organisation’s risk of being hit by a DDoS event
might be and the likely nature and wider objective of that attack.
Large number of consumer customers, high turnover of staff, media footprint, iconic brands.
These risk factors are spread across a number of potential high frequency threat motivations;
revenge, cyber-warfare, protest and reputation. Large companies are better known and have a
larger pool from which enemies may appear.
However, an old security adage is that “Obscurity is not security” and it applies here. Take
extortion, for example.
Large companies have the capacity to engage with DDoS mitigation, and the legal and
commercial implications of extortion attempts. Aggressive counter-actions against
cybercriminals - working with law enforcement to identify and nullify botnets and criminal
gangs may prove to be an effective deterrent to threat actors looking for financial gain. “Good”
criminals are efficient at identifying bad risk-reward scenarios. That’s why a lot of them rent
out their botnets to less risk-averse threat actors.
Unfortunately that means the criminal threat is likely to slide down the value scale - to the
medium-sized and smaller companies that are less able to counter DDoS threats - where the
value per attack is smaller, but the likelihood of detection is lower. The relative ease and low
cost of DDoS and anonymous mass-communication tools, with which criminals might target
hundreds or thousands of companies from a chair in front of a computer means they only need
to get a small percentage of successful ‘hits’ and their crime pays off.
From reading various reports it seems that a small percentage of hits is all that they can
expect with most stating that these extortion attempts are seldom successful. If a company
pays up are they likely to report it? Also are they likely to be hit again?
DDoS mitigation firm CloudFlare commented on a recent rash of extortion attempts aimed at
florists taking orders online. It was timed to coincide with St. Valentine’s day and was looking
for a ‘modest’ amount of ‘protection money’ (a few hundred dollars) to prevent them being hit
by a DDoS for the period. Unencumbered by financial investment in the target company, law
enforcement and technology firms make easy recommendations to not pay the criminals - but
instead pay mitigation companies thousands or tens of thousands for technology-based
defences. One can only imagine a business owner’s stress presented with such a dilemma.
What is the chance of being attacked this year?
Another way of approaching the question of risk is to look at results from surveys of similar
companies. A Neustar report from 2013, which surveyed over 300 UK companies, stated that
30% of UK companies claimed they had been hit by one or more DDoS attacks. This compares
with 60% of North American companies from the same period and was an increase from 20%
in 2012.
A 2013 report from BT put the global figure at 41% of companies who had experienced at least
one DDoS attack.
Casual risk analysis could use these raw numbers as they are. They may also serve as useful
verification for any more granular risk assessment - a test to see if the resulting numbers look
realistic.
Frequency versus sophistication
Reports vary, but most agree that the risk of being hit twice or more is very high. The
proportion of attacks on single targets that use multiple vectors is increasing, and criminals
are aware of potential human and business weaknesses in mitigation that make shorter,
irregular, frequent attacks more difficult to combat than sustained single attacks.
This sophistication is polarising the threat landscape and introducing notable differences in
styles of DDoS attack.
Those created by low-skill threat actors using off-the-shelf DDoS tools are often
unsophisticated and lack subtlety or guile. They may use well-known volumetric or protocol
attacks, but are not likely to be well-timed, well-targeted or adaptable to counter-measures.
They are considered low-sophistication attacks. They may still be highly effective at taking
down a target system, however. When a DDoS attack tool is updated with a high impact
technique, like DNS reflection and amplification, then anyone using the tools benefits from the
enhanced attack.
High-skill threat actors are well-prepared and are more likely to use custom tools or botnets
with sophistication. They plan the attack well and understand the target’s weak spots in terms
of infrastructure and business timing. DDoS is used in concert with penetrating attacks,
malware insertion, spear-phishing or other techniques. They may be more likely to use
low-and-slow application attacks, or a cascading sequence of probes to determine what slips
past defences. These are considered high-sophistication attacks.
The nature of some DDoS categories varies based on the capability of the threat actor
involved. In general unsophisticated attacks are more likely than sophisticated ones simply
because of the low proportion of possible antagonists with the technical capability to act in a
sophisticated focused yet malicious manner. Some DDoS threats are persistent - others will be
prompted by news events; sudden celebrity or notoriety, trends on social media or shifts in
politics or foreign affairs.
activereach DDoS risk assessment questionnaire
Rate your organisation against each of the following statements/characteristics. Score 0 for
“not applicable”, 1 for “somewhat applicable” and 2 for “highly applicable”. Each score is added
to the threat area(s) shown in brackets after the statement.

1. Your organisation has known political affiliations, or the public perceives it as representing a government, religion, nation or a political concept such as capitalism. (Protest; Warfare)
2. Your organisation attracts lots of media coverage and has a sizable impact or footprint in conventional or social media. (Protest; Warfare; Reputation)
3. Your organisation is involved in some recent or ongoing controversy. (Protest)
4. Your organisation controls infrastructure or conducts activities critical to a country’s economic, societal or governmental integrity. (Warfare)
5. Your organisation controls brands that are iconic or internationally recognised. (Reputation; Prank/Accidental)
6. Your organisation is reputed to have a high security posture because of the nature of its business or brand values. (Reputation)
7. Your organisation makes money from products or services that are delivered digitally. (Financial)
8. Your organisation controls network infrastructure that is used by many customers. (Financial)
9. Your organisation has very short windows of intense commercial activity of great importance to annual revenue or profit, such as Christmas sales or seasonal events. (Financial)
10. Your organisation is dependent on online sales. (Financial)
11. Your organisation has large numbers of consumer customers. (Revenge)
12. Your organisation suffers from high turnover of staff and regular redundancies. (Revenge; Competition)
13. Your organisation suffers from low customer satisfaction scores. (Revenge)
14. Your organisation has a high proportion of employees and customers who are technically aware. (Revenge)
15. Your organisation is a digital public content provider (news, games, social media) with a well-defined, narrow subject-matter focus. (Self-inflicted)
16. Your organisation sells tickets to popular events. (Self-inflicted)
17. Your organisation is very efficient and buys only as much network capacity as it needs. (Self-inflicted)
18. Your organisation has valuable digital IP on internal servers, such as user subscription data (usernames/passwords), digital media (photos, films, music) or financial information (card data, bank details). (Diversion; Financial)
19. Your organisation’s revenue from online activities has increased, but the number of staff supporting the infrastructure has decreased as services are outsourced. (Diversion; Financial)
20. Your organisation maintains a very complex network security environment. (Diversion)
21. Your organisation does business in a market with unscrupulous competitors. (Competition)
22. Your organisation does business in a market that has international competition from emerging economies. (Competition)
23. Your organisation hosts content for young, technically-savvy e-communities such as forums, games or social media content. (Individual)
24. Your organisation is often confused for another because of a similar name, acronym or brand. (Prank/Accidental)

Total rating: add up the 24 scores to give a rating between 0 and 48.
Scoring
Total the scores to give a rating from 0 to 48. This number represents how many DDoS threat
motivations might be stacked against your company: the breadth of the shadow your
organisation casts over the DDoS threat landscape, if you will. The higher your rating, the
higher your likelihood of being attacked.

By totalling the scores in each of the ten threat areas and dividing by the maximum score for
that area, you can rank the most likely motivations behind a potential DDoS attack against
your organisation. The maximum for an area is 2 points for every question that adds to it (six
questions add to Financial, one to Individual and two to Accidental/Prank; each of the other
areas has three):

Area              Your score   Maximum   Ratio
Protest                        6
Warfare                        6
Reputation                     6
Financial                      12
Revenge                        8
Self-inflicted                 6
Diversion                      6
Competition                    6
Individual                     2
Accidental/Prank               4
One problem with this analysis is that it does not hold as well for service providers, which may
be targeted by DDoS attacks because of one or more of their customers as well as directly. This
is relatively easy to set aside, because any company whose entire business is providing network
services to other organisations should treat DDoS attacks as a near certainty.
The Arbor Networks “State of the Internet” report, which surveys a large number of data
centre providers and ISPs, reported this year (2015) that 80% of these businesses had seen
one or more DDoS attacks in the past 12 months, with many experiencing dozens, if not
hundreds. If the answer to question 8 is “highly applicable”, then rather than simply adding to
the likelihood of DDoS as a tool of extortion, this should place the business in the “High Risk”
category automatically.
There is no strong data on motivations behind DDoS attacks. However an understanding of the
type of threat actors that oppose an organisation can inform an understanding of the likely
frequency and intensity of any possible DDoS attacks - and also, perhaps, suggest activities
that could serve to reduce the likelihood of an attack, or the resultant severity.
Converting rating into annual likelihood
Surveys (such as that by BT or Neustar) suggest that the average risk of DDoS for a UK
business is around 30%. One in three UK businesses surveyed report that they have
experienced a DDoS attack. This is much higher for US businesses that have been surveyed
(~60%).
However many businesses in the UK lack vulnerable public network infrastructure, don’t hold
any digital IP of significant value, have little brand visibility and are not involved in business
activities that are likely to draw political protest. In these cases, one would assess the risk
much lower than average with a possible DDoS event every ten years - most likely to be
accidental, self-inflicted, unscrupulous competition or the result of a problem with disgruntled
ex-employee. If we have assessed the likelihood of DDoS for a UK business to be 15% if all
companies were equally likely to be hit, then the probability of a low-risk company being hit
will be slightly lower than this - say 10%.
At the other end of the spectrum, we are aware that if a company is hit once, there is a high
(~75%) possibility of a subsequent attack within the same year. This suggests a curve where
risk increases sharply at high values of the DDoS risk assessment rating. Subsequent to an
attack, the risk can be assessed at 75% or higher.
DDoS risk assessment rating   Annual likelihood of DDoS attack   Mean time between attacks
0-10 (Below average)          10%                                ~10 years
11-30 (Average)               30%                                ~3 years
31-48 (Above average)         70%                                ~18 months
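The questionnaire, the per-area ratio ranking, the rating-to-likelihood table above and the expected annual loss formula from the ‘Expected annual loss from DDoS’ section are small enough to chain into one worked calculation. The following Python is an added example, not activereach’s own tool: the question-to-area mapping is transcribed from the questionnaire, the likelihood bands from the table above, and the casino figures (a peak-day revenue of £250,000, £20,000 clean-up and £50,000 reputation cost) are illustrative assumptions, chosen so that the loss per event is priced at the target’s peak day rather than the £30m/365 daily average, as the guide argues it must be.

```python
"""Worked DDoS risk calculation in the structure of this guide (added example,
not activereach's own tooling). It chains the 24-question "threat shadow"
questionnaire (answers 0, 1 or 2), the per-area ratio ranking, the rating ->
annual likelihood bands, and expected annual loss = loss per event x annual
likelihood, with loss per event = duration x loss per hour + clean-up +
reputation damage. The question-to-area mapping is transcribed from the
questionnaire; money figures in casino_example() are illustrative assumptions.
"""

# Question number -> threat areas it adds to (the "Add to ..." column).
QUESTION_AREAS = {
    1: ("Protest", "Warfare"), 2: ("Protest", "Warfare", "Reputation"),
    3: ("Protest",), 4: ("Warfare",), 5: ("Reputation", "Accidental/Prank"),
    6: ("Reputation",), 7: ("Financial",), 8: ("Financial",),
    9: ("Financial",), 10: ("Financial",), 11: ("Revenge",),
    12: ("Revenge", "Competition"), 13: ("Revenge",), 14: ("Revenge",),
    15: ("Self-inflicted",), 16: ("Self-inflicted",), 17: ("Self-inflicted",),
    18: ("Diversion", "Financial"), 19: ("Diversion", "Financial"),
    20: ("Diversion",), 21: ("Competition",), 22: ("Competition",),
    23: ("Individual",), 24: ("Accidental/Prank",),
}

# Maximum score per area: 2 points for every question that adds to it.
AREA_MAX = {}
for _areas in QUESTION_AREAS.values():
    for _area in _areas:
        AREA_MAX[_area] = AREA_MAX.get(_area, 0) + 2

# (upper bound of rating band, annual likelihood), from the conversion table.
LIKELIHOOD_BANDS = [(10, 0.10), (30, 0.30), (48, 0.70)]
REPEAT_LIKELIHOOD = 0.75  # ~75% chance of a further attack in the same year


def score_questionnaire(answers):
    """Return (total rating 0-48, {area: area score / area maximum}).

    `answers` maps question number -> 0, 1 or 2; omitted questions score 0.
    """
    for q, v in answers.items():
        if q not in QUESTION_AREAS:
            raise ValueError(f"unknown question {q}")
        if v not in (0, 1, 2):
            raise ValueError(f"question {q}: score must be 0, 1 or 2")
    area_scores = dict.fromkeys(AREA_MAX, 0)
    for q, v in answers.items():
        for area in QUESTION_AREAS[q]:
            area_scores[area] += v
    ratios = {a: area_scores[a] / AREA_MAX[a] for a in AREA_MAX}
    return sum(answers.values()), ratios


def rank_motivations(ratios):
    """Threat areas from most to least likely motivation (ties alphabetical)."""
    return sorted(ratios.items(), key=lambda kv: (-kv[1], kv[0]))


def annual_likelihood(rating, attacked_this_year=False):
    """Map a 0-48 rating to the guide's bands; a company hit already this
    year sits at the ~75% repeat figure whatever its rating says."""
    if not 0 <= rating <= 48:
        raise ValueError("rating must be between 0 and 48")
    if attacked_this_year:
        return REPEAT_LIKELIHOOD
    for upper, likelihood in LIKELIHOOD_BANDS:
        if rating <= upper:
            return likelihood
    raise AssertionError("unreachable: bands cover 0-48")


def loss_per_event(peak_daily_revenue, duration_hours, cleanup_cost, reputation_cost):
    """One attack priced at the target's *peak* day, not its average day,
    because extortionists time attacks for maximum cost."""
    return duration_hours * (peak_daily_revenue / 24) + cleanup_cost + reputation_cost


def expected_annual_loss(event_loss, likelihood):
    return event_loss * likelihood


def casino_example():
    """Constructed answers and assumed costs for a hypothetical online casino."""
    answers = {2: 1, 5: 1, 7: 2, 9: 2, 10: 2, 11: 2, 13: 1, 14: 1, 18: 2, 21: 2}
    rating, ratios = score_questionnaire(answers)
    likelihood = annual_likelihood(rating)
    # Assumed peak-day revenue of GBP 250,000 (a big betting event) rather than
    # the GBP 30m/365 ~ GBP 82k average day; 17 h is the average attack length.
    event_loss = loss_per_event(peak_daily_revenue=250_000, duration_hours=17,
                                cleanup_cost=20_000, reputation_cost=50_000)
    return {
        "rating": rating, "likelihood": likelihood,
        "ranked": rank_motivations(ratios),
        "loss_per_event": event_loss,
        "expected_annual_loss": expected_annual_loss(event_loss, likelihood),
    }


if __name__ == "__main__":
    result = casino_example()
    for area, ratio in result["ranked"]:
        print(f"{area:17s} {ratio:4.2f}")
    print(f"rating {result['rating']} -> annual likelihood {result['likelihood']:.0%}")
    print(f"loss per event GBP {result['loss_per_event']:,.0f}, "
          f"expected annual loss GBP {result['expected_annual_loss']:,.0f}")
```

With the constructed answers the casino rates 16 (the 30% band), Financial ranks first (8 of 12) ahead of Revenge (4 of 8), and a 17-hour attack on the assumed peak day costs about £247k per event, giving an expected annual loss of about £74k. Passing attacked_this_year=True replaces the band with the guide’s 75% repeat figure, which is the adjustment to make the year after a first attack.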
Threat types and elements of non-technical mitigation considerations
There are probably many non-technical methods that might be employed to reduce the chances
of an attack, alongside strong technical controls, policy, personnel and testing.
Threat type and non-technical mitigation considerations

Protest: Engagement with protesters, enabling constructive criticism; monitoring social media
for evidence of organised protest using DDoS tools; security posture planning around events
associated with controversy or protest.

Warfare: Review of and compliance with the latest regulation concerning protection of critical
infrastructure. Physical separation of critical systems from public networks. DDoS tests and
simulations to examine the operational performance of systems, people and processes under
duress. Analysis of whether nation-based filtering may be appropriate.

Reputation: PR plan to inform customers whilst denying threat agents positive spin.

Financial: Positive engagement plan with specialist units in law enforcement in the event of an
extortion attempt. Identification of key business activity days and planning of IT changes and
resources around them. Review of security logs for reconnaissance attacks in the weeks prior
to key event dates.

Revenge: Effective, constructive complaints process. Information flow between IT and customer
services. Effective exit policies with constructive dialogue for contractors and employees
previously engaged with the network.

Self-inflicted: Good capacity planning of bandwidth against expected traffic loading. Spare
capacity/headroom. Load testing to determine maximum load limits. Better communication
between marketing/events and the IT/infrastructure team, with a policy of routinely
considering the potential impact of marketing events on infrastructure.

Diversion: Review of outbound filtering to help prevent exfiltration. Strong internal monitoring
and bulkhead network design to impede unauthorised data movement during a DDoS attack.
Regular DDoS tests and simulations to judge the impact of the response plan on staff and to
ensure spare capacity to deal with operational security while under DDoS attack.

Competition: No specific recommendations.

Individual: Review social media policy for staff, including use of social media using work
facilities. Review user agreements concerning use of DDoS against other subscribers (online
gamers, for example) and consider publishing a policy position on punishments or sanctions for
offenders, such as account banning. Publish an effective user reporting system to underpin
technical monitoring.

Accidental/Prank: Consider a stepped response plan which allows mistakes to be identified and
rectified before any costly mitigation engagement. Create a PR plan for the case of an accidental
or prank DDoS attack.
Summary
All UK businesses should understand the impact that a DDoS attack might have on their
business. To do this, they need to identify the breadth of IT infrastructure that might be lost
under a DDoS attack and the cost of losing that infrastructure for a period of time. Combined
with an understanding of the annual likelihood of an attack, a company can then estimate the
expected annual cost of DDoS attacks ranged against it. All that remains is to allocate budget
to DDoS mitigation (technical and non-technical) in proportion to the expected loss.
Some of the assumptions made during a risk assessment exercise, particularly those around
the expected impact of a DDoS attack, may be quantified accurately through a formal DDoS
test.
The next section of the report considers the place of DDoS testing in a comprehensive DDoS
mitigation programme.

More Related Content

What's hot

Who is the next target proactive approaches to data security
Who is the next target   proactive approaches to data securityWho is the next target   proactive approaches to data security
Who is the next target proactive approaches to data securityUlf Mattsson
 
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection   ulf mattsson - oracle nyoug sep ...Practical advice for cloud data protection   ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...Ulf Mattsson
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3EnterpriseGRC Solutions, Inc.
 
DDoS Attacks Advancing and Enduring a SANS & Corero Survey
DDoS Attacks Advancing and Enduring a SANS & Corero SurveyDDoS Attacks Advancing and Enduring a SANS & Corero Survey
DDoS Attacks Advancing and Enduring a SANS & Corero SurveyStephanie Weagle
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructureAnton Chuvakin
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trendsChristopher Bennett
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Atlantic Security Conference
 
Information security trends and concerns
Information security trends and concernsInformation security trends and concerns
Information security trends and concernsJohn Napier
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey FireEye, Inc.
 
Managed Takedown Service - Digital Shadows
Managed Takedown Service - Digital ShadowsManaged Takedown Service - Digital Shadows
Managed Takedown Service - Digital ShadowsDigital Shadows
 
College Presentation
College PresentationCollege Presentation
College Presentationscottfrost
 
DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020
DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020 DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020
DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020 MazeBolt Technologies
 
Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftAppsian
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
 

What's hot (18)

Who is the next target proactive approaches to data security
Who is the next target   proactive approaches to data securityWho is the next target   proactive approaches to data security
Who is the next target proactive approaches to data security
 
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection   ulf mattsson - oracle nyoug sep ...Practical advice for cloud data protection   ulf mattsson - oracle nyoug sep ...
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
DDoS Attacks Advancing and Enduring a SANS & Corero Survey
DDoS Attacks Advancing and Enduring a SANS & Corero SurveyDDoS Attacks Advancing and Enduring a SANS & Corero Survey
DDoS Attacks Advancing and Enduring a SANS & Corero Survey
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trends
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe Security
 
Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011
 
Information security trends and concerns
Information security trends and concernsInformation security trends and concerns
Information security trends and concerns
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
 
Heartland
HeartlandHeartland
Heartland
 
Managed Takedown Service - Digital Shadows
Managed Takedown Service - Digital ShadowsManaged Takedown Service - Digital Shadows
Managed Takedown Service - Digital Shadows
 
College Presentation
College PresentationCollege Presentation
College Presentation
 
DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020
DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020 DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020
DDoS Effects On Enterprises 2020 | Industries affected by DDoS Attacks in 2020
 
Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoft
 
Prevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in RetrospectPrevention is futile in 2020 - Gartner Report in Retrospect
Prevention is futile in 2020 - Gartner Report in Retrospect
 

Viewers also liked

Advancements Result from 2004 Indian Ocean Tsunami
Advancements Result from 2004 Indian Ocean TsunamiAdvancements Result from 2004 Indian Ocean Tsunami
Advancements Result from 2004 Indian Ocean Tsunamidallasnewscast
 
Cells of cellular organisms
Cells of cellular organismsCells of cellular organisms
Cells of cellular organismsKimmyhera
 
4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...
4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...
4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...MEDHOST
 
nơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcm
nơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcmnơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcm
nơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcmjosh525
 
Birkman - Scheibmeir Results
Birkman - Scheibmeir ResultsBirkman - Scheibmeir Results
Birkman - Scheibmeir ResultsJim Scheibmeir
 
Financial analysis on recession period conducted at mahindra & mahindra tractors
Financial analysis on recession period conducted at mahindra & mahindra tractorsFinancial analysis on recession period conducted at mahindra & mahindra tractors
Financial analysis on recession period conducted at mahindra & mahindra tractorsProjects Kart
 
Study on Brand awareness of Mahindra & Mahindra Tractors
Study on Brand awareness of Mahindra & Mahindra Tractors Study on Brand awareness of Mahindra & Mahindra Tractors
Study on Brand awareness of Mahindra & Mahindra Tractors Projects Kart
 
веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...
веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...
веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...Александр Галицин
 
вульфен. лодзинское сражение (прорыв у брезин)
вульфен. лодзинское сражение (прорыв у брезин)вульфен. лодзинское сражение (прорыв у брезин)
вульфен. лодзинское сражение (прорыв у брезин)Александр Галицин
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkVolker Hirsch
 

Viewers also liked (16)

SPC MD 821
SPC MD 821SPC MD 821
SPC MD 821
 
Advancements Result from 2004 Indian Ocean Tsunami
Advancements Result from 2004 Indian Ocean TsunamiAdvancements Result from 2004 Indian Ocean Tsunami
Advancements Result from 2004 Indian Ocean Tsunami
 
MICROCURRICULOS MIT
MICROCURRICULOS MITMICROCURRICULOS MIT
MICROCURRICULOS MIT
 
Planificacion de clase
Planificacion de clasePlanificacion de clase
Planificacion de clase
 
Cells of cellular organisms
Cells of cellular organismsCells of cellular organisms
Cells of cellular organisms
 
Smart
SmartSmart
Smart
 
4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...
4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...
4 fundamental-ehr-components-of-increasing-physician-satisfaction-in-your-fac...
 
nơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcm
nơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcmnơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcm
nơi nào dịch vụ giúp việc theo giờ có kinh nghiệm hcm
 
Birkman - Scheibmeir Results
Birkman - Scheibmeir ResultsBirkman - Scheibmeir Results
Birkman - Scheibmeir Results
 
Financial analysis on recession period conducted at mahindra & mahindra tractors
Financial analysis on recession period conducted at mahindra & mahindra tractorsFinancial analysis on recession period conducted at mahindra & mahindra tractors
Financial analysis on recession period conducted at mahindra & mahindra tractors
 
Civil war
Civil warCivil war
Civil war
 
Study on Brand awareness of Mahindra & Mahindra Tractors
Study on Brand awareness of Mahindra & Mahindra Tractors Study on Brand awareness of Mahindra & Mahindra Tractors
Study on Brand awareness of Mahindra & Mahindra Tractors
 
допрос колчака протоколы
допрос колчака протоколыдопрос колчака протоколы
допрос колчака протоколы
 
веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...
веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...
веверн б. в. 6-я батарея. 1914-1917 г.г. повесть о времени великого служения ...
 
вульфен. лодзинское сражение (прорыв у брезин)
вульфен. лодзинское сражение (прорыв у брезин)вульфен. лодзинское сражение (прорыв у брезин)
вульфен. лодзинское сражение (прорыв у брезин)
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
 

Similar to Assess DDoS risk for UK business

The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCCloudflare
 
Protecting against modern ddos threats
Protecting against modern ddos threatsProtecting against modern ddos threats
Protecting against modern ddos threatsPedro Espinosa
 
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfSolution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfمنیزہ ہاشمی
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCCloudflare
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS ProvidersNeil Hinton
 
IMPROVING DDOS DETECTION IN IOT DEVICES
IMPROVING DDOS DETECTION IN IOT DEVICESIMPROVING DDOS DETECTION IN IOT DEVICES
IMPROVING DDOS DETECTION IN IOT DEVICESIRJET Journal
 
Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...
Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...
Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...IRJET Journal
 
Cybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowCybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowShantam Goel
 
E guide weathering the storm at your business
E guide weathering the storm at your businessE guide weathering the storm at your business
E guide weathering the storm at your businessSoma Technology Group
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacksSaptha Wanniarachchi
 
An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesAn Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesJerry Harding
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docxCyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docxGamalAbdelshafy
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docxwrite30
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firmsJake Weaver
 
The_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDFThe_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDFDominik Suter
 
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdfFour Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdfEnterprise Insider
 

Similar to Assess DDoS risk for UK business (20)

The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
 
Protecting against modern ddos threats
Protecting against modern ddos threatsProtecting against modern ddos threats
Protecting against modern ddos threats
 
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdfSolution_Use_Case_-_DDoS_Incident_Monitoring.pdf
Solution_Use_Case_-_DDoS_Incident_Monitoring.pdf
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
 
The role of DDoS Providers
The role of DDoS ProvidersThe role of DDoS Providers
The role of DDoS Providers
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
 
IMPROVING DDOS DETECTION IN IOT DEVICES
IMPROVING DDOS DETECTION IN IOT DEVICESIMPROVING DDOS DETECTION IN IOT DEVICES
IMPROVING DDOS DETECTION IN IOT DEVICES
 
Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...
Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...
Examining the emerging threat of Phishing and DDoS attacks using Machine Lear...
 
Cybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowCybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To Know
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Shadow IT
Shadow ITShadow IT
Shadow IT
 
E guide weathering the storm at your business
E guide weathering the storm at your businessE guide weathering the storm at your business
E guide weathering the storm at your business
 
Protecting your business from ddos attacks
Protecting your business from ddos attacksProtecting your business from ddos attacks
Protecting your business from ddos attacks
 
An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesAn Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security Practices
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docxCyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
Cyber+Incident+Response+-+Generic+Denial+of+Service+Playbook+v2.3.docx
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docx
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firms
 
The_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDFThe_Forrester_Wave_DDoS_S 2015Q3.PDF
The_Forrester_Wave_DDoS_S 2015Q3.PDF
 
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdfFour Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
 

Assess DDoS risk for UK business

  • 1. A GUIDE TO DDoS, MITIGATION AND TESTING (2015) Part 2: DDoS risk assessment activereach Ltd. Prospect House Business Centre Crendon Street, High Wycombe, Bucks, HP13 6LA Main Reception Tel: 0845 625 9025, Fax 01494 980255 Email: finance@activereach.net www.activereach.net VAT no. GB941 4420 46, Company no. 06716533
  • 2. A guide to DDoS, mitigation and testing Assessing the risk of DDoS for a UK business Caution The following document contains numbers culled from surveys, white papers, online tools and reports. These sources seldom disclose their methods, bias or motivations and a large number of them disagree with each other. For example, industry white papers containing statistics about the proportion of DDoS events that were volumetric attacks, as opposed to application attacks, seldom agree. A cynic may suggest that this would depend on the DDoS mitigation services being recommended as a result of the statistics contained in the white papers. However it could easily be a factor of the research methods employed or data set selection. To use them in any risk analysis would then seem to be folly. However, for a company that is wishing to assess the potential risk to their business of DDoS attacks in the absence of any attacks on them to date, arguably basing any DDoS mitigation budgetary decisions based on some evidence is better than raw guesswork. At least assumptions made in the risk calculations can be examined, and any answers found can be tested against future surveys or independent reports. The following analysis is presented as an informed risk assessment toolkit which might prove to be one step improved from ‘finger in the wind’ assessment. You use the information in this document at your own risk. ©2015 activereach Ltd. 2
  • 3. Risk assessment structure There are three common steps to a risk assessment for DDoS. 1. Scope of impact of a DDoS attack 2. Expected annual loss from DDoS attacks 3. Spend/activity to mitigate expected losses from DDoS attacks Scope of impact for DDoS attacks What is vulnerable to disruption from DDoS attacks? This is potentially a complicated question to answer for a business. Most companies understand the basic connection between their business strategy and their IT infrastructure, but the details may not always clear to the individuals involved in a risk assessment ; the many complex dependencies may not be immediately obvious. In simple terms, the business strategy will be broken down into business activities or functions, which need access to particular IT applications, which requires certain things from the network. 1. Business strategy (Growth through B2C activity, asset acquisition/disposal or focus on efficiency) 2. Business functions (Sales, customer service, billing, marketing, HR, management) 3. IT applications (CRM, billing application, web site, telephony) 4. IT network infrastructure (Internet access from head office, private VPN, server, data centre) This is a complex tree. Applications (in efficiently run businesses) are often shared across ©2015 activereach Ltd. 3
  • 4. A guide to DDoS, mitigation and testing multiple business functions and each department’s dependency on it may differ. A call centre may be using the same telephone circuits as the sales team, but if the circuits fail, the sales team can switch to their mobile phones whereas the call centre may simply stop - or be forced to switch sites. Understanding the impact to the business strategy of the disruption of a particular element of infrastructure requires someone (or several people) familiar with the business to trace the connection back from infrastructure - to applications that it impacts - to the business function and then to the business strategy itself. It’s not something a white paper or checklist can do. What damage can a DDoS attack cause? A fully effective DDoS attack will completely exhaust a system’s resources - disabling the system or team it is aimed at for a period of time. A partially effective DDoS attack will slow down a system or team. If the system or team targeted generates revenue/profit for a business (or reduces risk), then that ability will be damaged with associated financial loss for the target. So - for example - a particular online casino might generate £30m a year. If that server is disabled for 24 hours, then the direct damage to the business revenue might be £30m/365 = £82k . In 2014, according to Incapsula (2014 survey of 240 North American companies), 50% of DDoS attacks lasted 6-24 hours, 37% were under six hours. Prolexic's Q4 2014 report calculated an average attack duration in 2014 of 17 hours. As well as direct loss of revenue/profit from affected services, there is the immediate direct cost of IT, security staff and management that may be drafted in to tackle the event, and liaise with service providers and staff and there will be an impact on customer services handling ©2015 activereach Ltd. 4
  • 5. customer queries (a BT report suggested that complaints and queries increase over 30% during a DDoS attack). There is also the subsequent longer-term costs of additional security or regulatory audit and clean-up - additional mitigation and impact on sales or share price as confidence in the target suffers. Most companies have calculated a cost per hour of downtime caused by IT failure as part of their business continuity planning and an outage caused by DDoS is no different in this regard - apart from one or two factors. Firstly, unlike an IT outage, certain categories of attacker will target a system at the time of maximum cost for the target. Political sites attacked more frequently during campaigning or elections, e-commerce sites during sales, gambling sites during high profile betting events. Risk calculations cannot assume a random attack (average daily values of revenue/profit) and, instead, must consider the maximum possible cost of a system outage (maximum daily values of revenue/profit). Secondly, DDoS is perceived as a security event and a system failing as a ‘breach’. This may cause increased reputation damage compared to an IT failure and consequently increased impact on sales or share price. What systems might be impacted by a DDoS attack? It is easy to identify a web or email server as potentially at risk from a DDoS attack, but harder to identify that an apparently private MPLS service from a Telco shares physical infrastructure with that Telco’s public Internet services and so may be indirectly affected by DDoS events. DDoS attacks most commonly occur from compromised devices on public networks (bots) attacking other devices on public networks. The most obvious targets are public servers running applications that use the global DNS (eg. prominent web sites). However any device with a public IP address may be directly targeted. There are also indirect impacts to consider. 
If a service provider’s core switch is attacked and ©2015 activereach Ltd. 5
  • 6. A guide to DDoS, mitigation and testing disabled, then all customer connections that traverse that switch might be impacted. Similarly if one tenant’s virtual server on a multi-tenant server is attacked, then all tenants may be impacted. A systematic review of a company’s infrastructure will need to examine the physical, logical, application and human systems that are used to underpin a business strategy Physical (boxes and wires) analysis (Layers 1 and 2 of OSI) The first step is typically to identify all devices and network connections/circuits under the company’s control - and the third parties that they connect to (Telcos or Internet service providers). Each element will have a finite set of performance capabilities - maximum bandwidth, CPU, memory or storage limits. Logical analysis (Layers 3 and 4 of OSI) It is important to understand a company’s external IP address ranges, AS numbers, BGP peers, and virtual networks under their control as well as the third party networks that may be traversed. At this layer of analysis, the company’s reliance on network authentication, address translation, DNS, access control lists (ACLs) or other network-centric associated functions might be considered. Application analysis (Layers 5,6 and 7 of OSI) Direct applications such as telephony, CRM, billing applications, web servers, databases and mail servers. These may be held in data centres, company offices or third party virtual environments. Indirect applications may include monitoring and management, user authentication, network time, domain name services. The advent of cloud computing and increasing use of outsourced applications (CRM, IPT) makes identification of all of the dependencies of a network hard to do in most cases. If a company has made no effort to identify the extent of the exposure to DDoS, they are much more likely to be unpleasantly surprised by a future attack event. ©2015 activereach Ltd. 6
The human element

In addition to the technical infrastructure that may be vulnerable to DDoS attacks, the human element is a crucial component to consider. If a company’s IT or security staff are busy dealing with a DDoS attack, then they are unable to deliver their usual service - which may include critical security monitoring activities. This may allow a criminal to use DDoS to ‘blind’ a company to illegal activity - data exfiltration, malware or another threat.

DDoS attacks are being seen that are designed to stress the human and process component of a business’ systems. So-called ‘drive-by’ DDoS attacks are shorter in duration and are aimed as much at forcing a company to allocate resources to defend against the attack and implement mitigating processes as at disabling a technical system.

Any full risk assessment will need to consider the human resources available to a company, and the efficiency of the DDoS mitigation processes both during and after an attack event. The current trend is to simplify DDoS defences from ‘on demand’ to ‘always on’ to eliminate the human component of swinging traffic to scrubbing centres and back again - and to ensure that monitoring for possible reconnaissance attacks is maintained.

Expected annual loss from DDoS

In order to calculate an expected annual loss from DDoS, you need to know two things: the anticipated loss resulting from an attack and the likelihood of being attacked.

Expected annual loss = (Loss per event) x (annual chance of being attacked)
Loss per event = (duration of event x loss per hour) + clean-up + reputation damage

We have already discussed the loss per event. The average DDoS attack is 17 hours long and the cost per hour of an outage caused by DDoS is the same as for any outage event - modified by the fact that it is more likely to happen at the worst possible time for the company, and the damage to reputation and future sales is likely to be higher than for simple IT outages.
How do we calculate a company’s chances of being attacked?

How many DDoS attacks are there each year?

The chance of being hit by a DDoS attack is a question of frequency. If you would expect one attack every three years, then the annual risk is 33%.

One approach to calculating the likelihood of being attacked is a simple volumetric one. How many DDoS attacks are there each year? How many targets are there? Divide the two numbers.

For example: Prolexic (now owned by Akamai) states on its web site that there are, on average, over 7,000 DDoS attacks a day. That would mean 2.55m attacks a year. Looking at the destination addresses of these attacks suggests that 7% of attacks are aimed at targets in the UK. There are 1.25m companies in the UK with more than one employee. If the attacks were distributed evenly across all companies in the UK with more than one employee, that would mean that the annual risk of any given UK company being hit by a DDoS attack is about (2,555,000 x 0.07 / 1,250,000) = ~15%.

Is this number convincing? Unfortunately it’s very easy to find completely different assessments of the number of attacks each year. The NSFocus Threat Report 2013 is frequently quoted as stating 28 attacks per hour - which would be an order of magnitude smaller than the Akamai average. Even accounting for annual increases in attack frequency this is significant. No company sees all attacks - all DDoS filters leak (false negatives) to some extent - and what they classify as a single DDoS attack may differ.

Many marketing reports and white papers now quote percentage increases in attacks, rather than absolute numbers. One suspects that they worry about revealing something about their relative size compared to the competition. Or it might be modesty.
Regardless - we know that there are certain characteristics of targets that will modify this 15% risk upwards by a certain factor, and we might be able to work out that factor by looking at how many of these characteristics a target company has.

Common lore would have it that financial services and online gaming are most likely to be hit. Analysis of the rate of attacks on large companies versus small companies suggests that, today, large companies (250+ employees) are twice as likely to experience DDoS attacks. But this might just be slightly lazy compartmentalisation for marketing purposes and ease of analysis, or a factor of the choice of organisations that a given survey selected from.

Size and vertical isn’t everything

Within the finance sector is a vast array of different businesses. Some have particularly high public profiles, some deal with consumers, some are quite small but have complex, high-value commercial interests. The shadows they cast into the Internet are very different. Some are very likely to be targets for DDoS - others are unlikely to experience one - but when they do it will be very focused and sophisticated.

Thinking about ‘large’ companies and companies in particular verticals, it is relatively easy to come up with counter-examples to an assessment that they are likely to see frequent DDoS attacks. For example - digital assets are not totally dependent on company size. A massive manufacturing or engineering company may have a very modest web presence, while a small SaaS company may have disproportionately massive network assets and Internet-connected presence. Each company’s dependence on technology will also vary. Larger companies tend to make greater use of private network facilities or autonomous operation under technology failure conditions, which will see the threat of DDoS considerably reduced.

Online gaming sites might experience rashes of minor attacks as individuals engage in petty disputes using DDoS tools - but nothing with the intensity and focus of an attack on an online gambling site.
There must be a set of characteristics of organisations that are more likely to be found in large companies compared to small ones, and, perhaps, in certain vertical markets, that are driving the frequency and intensity of DDoS attacks. Let’s consider the motivations behind DDoS attacks and relate them to characteristics of their selected targets.
Motivations behind DDoS attacks

Political protest
  Description: hacktivists and collectives (Anonymous) seeking to make a point or raise awareness of an issue.
  Target characteristics to look for: political affiliation; media footprint; recent or ongoing controversy.
  Examples: Anonymous attacks on financial organisations not supportive of Wikileaks.

Cyber warfare
  Description: state-sponsored or terrorist-inspired attacks on a perceived enemy.
  Target characteristics to look for: critical infrastructure (economic, societal or governmental); media footprint; political affiliation.
  Examples: attacks on French municipal web-sites in the aftermath of the Charlie Hebdo shootings.

Reputation
  Description: criminals hoping to make a reputation for themselves by taking out a ‘big name’.
  Target characteristics to look for: iconic brand; perceived high security posture; media footprint.
  Examples: LizardSquad attacking Microsoft XBox Live and Sony PlayStation Network on Christmas Day 2014.

Extortion or financial gain
  Description: criminals hoping to gain money directly by threatening and/or engaging in DDoS activities.
  Target characteristics to look for: digital product or service delivery; multiple customer impact; high ratio of revenue to resource; known peak activity (eg. sales day); dependent on online sales.
  Examples: criminal gang caught trying to extort money from a UK online casino; criminals trying to get money from online florists coming up to Valentine’s Day.

Revenge against an organisation
  Description: disgruntled customers, staff, ex-employees or contractors.
  Target characteristics to look for: large number of consumer customers; high turnover of staff; low customer satisfaction; tech-savvy customers and staff.
  Examples: mass e-mail campaign against Domestic and General; attacks against Kent Police.

Self-inflicted
  Description: servers with low average demand hit by sudden spikes in traffic overwhelming supplied capacity.
  Target characteristics to look for: niche daily news and content; first-come first-served tickets; social-media driven content; under-investment in spare capacity.
  Examples: day one of the Olympic ticket sales for the 2012 Games; Black Friday sees Argos, Tesco and other sites crash under load.

Diversion
  Description: criminals hoping to disguise a penetrating attack or data exfiltration by using DDoS as a diversion.
  Target characteristics to look for: valuable digital IP; high ratio of revenue to resource; complex security environment.
  Examples: scattered reports from US financial organisations of synchronised DDoS and data exfiltration attacks.

Business competition
  Description: attacks designed to disrupt a competitor’s activities.
  Target characteristics to look for: high turnover of staff; tech-savvy staff; unscrupulous market practices; digital product or service delivery; emerging international market.
  Examples: reputed to be routine practice in the world of online gambling.

Individual competition/revenge
  Description: individuals targeting individuals.
  Target characteristics to look for: competitive, immature, tech-savvy e-communities - gaming or hacking sub-culture - and the companies that host them.
  Examples: League of Legends players receive advice on countering individual DDoS attacks; people regularly banned for DDoS attacks.

Accidental or prank
  Description: playing with DDoS attack tools; an individual’s need to exert control and power.
  Target characteristics to look for: iconic brand; brand confusion.
  Examples: MafiaBoy.

From this understanding we can construct a simple questionnaire that assesses an organisation’s “DDoS threat shadow” - i.e. how large and aggressive the pool of potential DDoS threat actors is - and thus what an organisation’s risk of being hit by a DDoS event might be, and the likely nature and wider objective of that attack.

Large number of consumer customers, high turnover of staff, media footprint, iconic brands: these risk factors are spread across a number of potential high-frequency threat motivations - revenge, cyber-warfare, protest and reputation. Large companies are better known and have a larger pool from which enemies may appear. However, an old security adage is that “obscurity is not security” and it applies here.

Take extortion, for example. Large companies have the capacity to engage with DDoS mitigation, and with the legal and commercial implications of extortion attempts. Aggressive counter-actions against cybercriminals - working with law enforcement to identify and nullify botnets and criminal gangs - may prove to be an effective deterrent to threat actors looking for financial gain. “Good” criminals are efficient at identifying bad risk-reward scenarios. That’s why a lot of them rent out their botnets to less risk-averse threat actors.
Unfortunately that means the criminal threat is likely to slide down the value scale - to the medium-sized and smaller companies that are less able to counter DDoS threats - where the value per attack is smaller, but the likelihood of detection is lower. The relative ease and low cost of DDoS and anonymous mass-communication tools, with which criminals might target hundreds or thousands of companies from a chair in front of a computer, means that they only need to get a small percentage of successful ‘hits’ for their crime to pay off. From reading various reports it seems that a small percentage of hits is all that they can expect, with most stating that these extortion attempts are seldom successful. If a company pays up, are they likely to report it? Also, are they likely to be hit again?

DDoS mitigation firm CloudFlare commented on a recent rash of extortion attempts aimed at florists taking orders online. It was timed to coincide with St. Valentine’s Day and was looking for a ‘modest’ amount of ‘protection money’ (a few hundred dollars) to prevent them being hit by a DDoS for the period. Unencumbered by financial investment in the target company, law enforcement and technology firms make easy recommendations not to pay the criminals - but instead to pay mitigation companies thousands or tens of thousands for technology-based defences. One can only imagine a business owner’s stress when presented with such a dilemma.

What is the chance of being attacked this year?

Another way of approaching the question of risk is to look at results from surveys of similar companies. A Neustar report from 2013, which surveyed over 300 UK companies, stated that 30% of UK companies claimed they had been hit by one or more DDoS attacks. This compares with 60% of North American companies from the same period and was an increase from 20% in 2012. A 2013 report from BT put the global figure at 41% of companies who had experienced at least one DDoS attack.

Casual risk analysis could use these raw numbers as they are. They may also serve as useful verification for any more granular risk assessment - a test to see if the resulting numbers look realistic.
Frequency versus sophistication

Reports vary, but most agree that the risk of being hit twice or more is very high. The proportion of attacks on single targets that use multiple vectors is increasing - and criminals are aware that there are potential human and business weaknesses in mitigation that make shorter, irregular, frequent attacks more difficult to combat than sustained single attacks.

This sophistication is polarising the threat landscape and introducing notable differences in styles of DDoS attack. Those created by low-skill threat actors using off-the-shelf DDoS tools are often unsophisticated and lack subtlety or guile. They may use well-known volumetric or protocol attacks, but are not likely to be well-timed, well-targeted or adaptable to counter-measures. They are considered low-sophistication attacks. They may still be highly effective at taking down a target system, however. When a DDoS attack tool is updated with a high-impact technique, like DNS reflection and amplification, then anyone using the tool benefits from the enhanced attack.

High-skill threat actors are well-prepared and are more likely to use custom tools or botnets with sophistication. They plan the attack well and understand the target’s weak spots in terms of infrastructure and business timing. DDoS is used in concert with penetrating attacks, malware insertion, spear-phishing or other techniques. They may be more likely to use low-and-slow application attacks - or a cascading sequence of probes to determine what slips past defences. These are considered high-sophistication attacks.

The nature of some DDoS categories varies based on the capability of the threat actor involved. In general, unsophisticated attacks are more likely than sophisticated ones simply because of the low proportion of possible antagonists with the technical capability to act in a sophisticated, focused yet malicious manner.

Some DDoS threats are persistent - others will be prompted by news events: sudden celebrity or notoriety, trends on social media, or shifts in politics or foreign affairs.
activereach DDoS risk assessment questionnaire

Rate your organisation against the following statements/characteristics. Score 0 for “not applicable”, 1 for “somewhat applicable” and 2 for “highly applicable”, and add each score to the threat areas listed against the statement.

1. Your organisation has known political affiliations or the public perceives it as representing a government, religion, nation or a political concept such as capitalism. (Add to Protest, Warfare)
2. Your organisation attracts lots of media coverage and has a sizable impact or footprint in conventional or social media. (Add to Protest, Warfare, Reputation)
3. Your organisation is involved in some recent or ongoing controversy. (Add to Protest)
4. Your organisation controls infrastructure or conducts activities critical to a country’s economic, societal or governmental integrity. (Add to Warfare)
5. Your organisation controls brands that are iconic or internationally recognised. (Add to Reputation, Prank/Accidental)
6. Your organisation is reputed to have a high security posture because of the nature of its business or brand values. (Add to Reputation)
7. Your organisation makes money from products or services that are delivered digitally. (Add to Financial)
8. Your organisation controls network infrastructure that is used by many customers. (Add to Financial)
9. Your organisation has very short windows of intense commercial activity of great importance to annual revenue or profit, such as Christmas sales or seasonal events. (Add to Financial)
10. Your organisation is dependent on online sales. (Add to Financial)
11. Your organisation has large numbers of consumer customers. (Add to Revenge)
12. Your organisation suffers from high turnover of staff and regular redundancies. (Add to Revenge, Competition)
13. Your organisation suffers from low customer satisfaction scores. (Add to Revenge)
14. Your organisation has a high proportion of employees and customers who are technically aware. (Add to Revenge)
15. Your organisation is a digital public content provider (news, games, social media) with a well-defined, narrow subject-matter focus. (Add to Self-inflicted)
16. Your organisation sells tickets to popular events. (Add to Self-inflicted)
17. Your organisation is very efficient and buys just the network capacity that it needs. (Add to Self-inflicted)
18. Your organisation has valuable digital IP on internal servers such as user subscription data (username/passwords), digital media (photos, films, music), financial information (card data, bank details). (Add to Diversion, Financial)
19. Your organisation’s revenue from online activities has increased, but the number of staff supporting the infrastructure has decreased as services are outsourced. (Add to Diversion, Financial)
20. Your organisation maintains a very complex network security environment. (Add to Diversion)
21. Your organisation does business in a market with unscrupulous competitors. (Add to Competition)
22. Your organisation does business in a market that has international competition from emerging economies. (Add to Competition)
23. Your organisation hosts content for young, technically-savvy e-communities such as forums, games or social media content. (Add to Individual)
24. Your organisation is often confused for another because of a similar name, acronym or brand. (Add to Prank/Accidental)

Total rating: add up the above scores to give a rating between 0 and 48.

Scoring

The total rating from 0-48 is a number representing the number of DDoS threat motivations that might be stacked against your company - the breadth of the shadow your organisation casts over the DDoS threat landscape, if you will. The higher your rating, the higher your likelihood of being attacked.

By totalling the scores in each of the ten threat areas and dividing by the maximum score in each threat area, you can rank the most likely motivations behind a potential DDoS attack against your organisation. For each area, enter your score, divide by the maximum below and record the ratio.

Area (maximum score): Protest (6), Warfare (6), Reputation (6), Financial (10), Revenge (8)
Area (maximum score): Self-inflicted (6), Diversion (6), Competition (6), Individual (10), Accidental/Prank (8)
One problem with this analysis is that it doesn’t hold as well for service providers, because they may be a target of DDoS attacks because of one or more of their customers as well as directly. This is relatively easy to ignore, because any company whose entire business is providing network services to other organisations should consider the prospect of DDoS attacks as a near certainty. The Arbor Networks “State of the Internet” report, which surveys a large number of data centre providers and ISPs, reported this year (2015) that 80% of these businesses had seen one or more DDoS attacks in the past 12 months - with many experiencing dozens, if not hundreds. If the answer to question 8 is “highly applicable”, then instead of simply adding to the likelihood of DDoS as a tool of extortion, this would place these businesses in the “High Risk” category automatically.

There is no strong data on motivations behind DDoS attacks. However, an understanding of the type of threat actors that oppose an organisation can inform an understanding of the likely frequency and intensity of any possible DDoS attacks - and also, perhaps, suggest activities that could serve to reduce the likelihood of an attack, or the resultant severity.

Converting rating into annual likelihood

Surveys (such as those by BT or Neustar) suggest that the average risk of DDoS for a UK business is around 30%. One in three UK businesses surveyed report that they have experienced a DDoS attack. This is much higher for US businesses that have been surveyed (~60%). However, many businesses in the UK lack vulnerable public network infrastructure, don’t hold any digital IP of significant value, have little brand visibility and are not involved in business activities that are likely to draw political protest. In these cases, one would assess the risk much lower than average, with a possible DDoS event every ten years - most likely to be accidental, self-inflicted, unscrupulous competition or the result of a problem with a disgruntled ex-employee. If we have assessed the likelihood of DDoS for a UK business to be 15% if all companies were equally likely to be hit, then the probability of a low-risk company being hit will be slightly lower than this - say 10%.
At the other end of the spectrum, we are aware that if a company is hit once, there is a high (~75%) possibility of a subsequent attack within the same year. This suggests a curve where risk increases sharply at high values of the DDoS risk assessment rating. Subsequent to an attack, the risk can be assessed at 75% or higher.

DDoS risk assessment rating / Annual likelihood of DDoS attack / Mean time between attacks
0-10 (Below average): 10% / ~10 years
11-30 (Average): 30% / ~3 years
31-48 (Above average): 70% / ~18 months
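As an added worked example (not activereach’s own tooling), the Python below scores the questionnaire, applies the rating bands with the question 8 and prior-attack overrides, ranks motivations by area ratio, and feeds the resulting likelihood into the expected annual loss formula and the volumetric base-rate calculation from earlier in this guide. The sample answers and the cost figures are constructed; the per-area maxima are derived from the question mapping (which gives Financial 12, Individual 2 and Accidental/Prank 4 rather than the figures printed in the scoring table).

```python
"""DDoS risk rating -> annual likelihood -> expected annual loss.
Added worked example following the activereach guide; the question-to-area
mapping, rating bands, question 8 override and 17-hour average attack come
from the guide. Sample answers and cost figures are constructed."""
from collections import defaultdict

# Question number -> threat areas it adds to (the guide's questionnaire).
QUESTION_AREAS = {
    1: ("Protest", "Warfare"), 2: ("Protest", "Warfare", "Reputation"),
    3: ("Protest",), 4: ("Warfare",), 5: ("Reputation", "Accidental/Prank"),
    6: ("Reputation",), 7: ("Financial",), 8: ("Financial",), 9: ("Financial",),
    10: ("Financial",), 11: ("Revenge",), 12: ("Revenge", "Competition"),
    13: ("Revenge",), 14: ("Revenge",), 15: ("Self-inflicted",),
    16: ("Self-inflicted",), 17: ("Self-inflicted",), 18: ("Diversion", "Financial"),
    19: ("Diversion", "Financial"), 20: ("Diversion",), 21: ("Competition",),
    22: ("Competition",), 23: ("Individual",), 24: ("Accidental/Prank",),
}

# Per-area maximum derived from the mapping (2 points per question), so it
# stays consistent with the questions rather than a separately typed table.
AREA_MAX = defaultdict(int)
for _areas in QUESTION_AREAS.values():
    for _area in _areas:
        AREA_MAX[_area] += 2

# Rating bands from the guide: (upper bound, annual likelihood, label).
BANDS = [(10, 0.10, "Below average"), (30, 0.30, "Average"), (48, 0.70, "Above average")]
REPEAT_LIKELIHOOD = 0.75   # ~75% chance of a further attack within the same year
AVERAGE_ATTACK_HOURS = 17  # average attack duration quoted by the guide

def score_questionnaire(answers):
    """answers: {question_no: 0|1|2}. Returns (total rating, {area: ratio})."""
    if set(answers) != set(QUESTION_AREAS) or any(v not in (0, 1, 2) for v in answers.values()):
        raise ValueError("every question 1-24 needs a score of 0, 1 or 2")
    area_scores = defaultdict(int)
    for q, score in answers.items():
        for area in QUESTION_AREAS[q]:
            area_scores[area] += score
    ratios = {area: area_scores[area] / AREA_MAX[area] for area in AREA_MAX}
    return sum(answers.values()), ratios

def annual_likelihood(total, answers, attacked_this_year=False):
    """Band lookup with the guide's two overrides: a prior attack this year,
    and question 8 'highly applicable' (network services for many customers)."""
    if attacked_this_year:
        return REPEAT_LIKELIHOOD, "Prior attack this year"
    if answers.get(8) == 2:
        return BANDS[-1][1], "High risk (service provider)"
    for upper, likelihood, label in BANDS:
        if total <= upper:
            return likelihood, label
    raise ValueError("rating must be between 0 and 48")

def volumetric_base_rate(attacks_per_day, target_share, company_count):
    """Evenly spread attacks / targets, e.g. 7,000/day, 7% UK, 1.25m companies."""
    return attacks_per_day * 365 * target_share / company_count

def loss_per_event(hours, loss_per_hour, clean_up, reputation_damage):
    """Loss per event = (duration x loss per hour) + clean-up + reputation damage."""
    return hours * loss_per_hour + clean_up + reputation_damage

def expected_annual_loss(loss_event, likelihood):
    """Expected annual loss = loss per event x annual chance of being attacked."""
    return loss_event * likelihood

def rank_motivations(ratios):
    """Areas ordered by ratio, highest first (ties broken alphabetically)."""
    return sorted(ratios, key=lambda area: (-ratios[area], area))

# Constructed answers for a hypothetical online retailer (not survey data).
SAMPLE_ANSWERS = {q: 0 for q in QUESTION_AREAS}
SAMPLE_ANSWERS.update({2: 1, 7: 2, 9: 2, 10: 2, 11: 2, 13: 1, 14: 1, 18: 2, 19: 1, 24: 1})

if __name__ == "__main__":
    total, ratios = score_questionnaire(SAMPLE_ANSWERS)
    p, band = annual_likelihood(total, SAMPLE_ANSWERS)
    loss = loss_per_event(AVERAGE_ATTACK_HOURS, 5_000, 20_000, 50_000)  # constructed GBP figures
    print(f"rating {total}/48 ({band}), likelihood {p:.0%}, top motives {rank_motivations(ratios)[:3]}")
    print(f"loss per event {loss:,.0f}, expected annual loss {expected_annual_loss(loss, p):,.0f}")
    print(f"volumetric base rate: {volumetric_base_rate(7_000, 0.07, 1_250_000):.1%}")
```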
Threat types and elements of non-technical mitigation considerations

There are probably many non-technical methods that might be employed to help mitigate the chances of attack, alongside strong technical, policy, personnel and testing measures.

Protest: engagement with protesters, enabling constructive criticism; monitoring social media for evidence of organised protest using DDoS tools; security posture planning for events associated with controversy or protest.

Warfare: review of and compliance with the latest regulation concerning protection of critical infrastructure; physical separation of critical systems from public networks; DDoS tests and simulations to examine operational performance of systems, people and processes under duress; analysis of whether nation-based filtering may be appropriate.

Reputation: PR plan to inform customers whilst negating positive spin for threat agents.

Financial: positive engagement plan with specialist units in law enforcement in the event of an extortion attempt; identification of key business activity days and planning IT events and resources in sympathy with them; review of security logs looking for reconnaissance attacks in the weeks prior to key event dates.

Revenge: effective, constructive complaints process; information flow between IT and customer services; effective exit policies with constructive dialogue for contractors and employees previously engaged with the network.

Self-inflicted: good capacity planning of bandwidth against expected traffic loading; spare capacity/headroom; load testing to determine maximum load limits; better communication between marketing/events and the IT/infrastructure team, with a policy of routinely considering the potential impact of marketing events on infrastructure.

Diversion: review of outbound filtering to help prevent exfiltration; strong internal monitoring and bulkhead network design to impede unauthorised data movements during a DDoS attack; regular DDoS tests and simulations to judge the impact on staff of the response plan for DDoS events and to ensure spare capacity to deal with operational security when under DDoS attack.

Competition: no specific recommendations.

Individual: review social media policy for staff, including use of social media using work facilities; review user agreements concerning use of DDoS against other subscribers (online gamers, for example) and consider publishing a policy position regarding punishments or sanctions for offenders, such as account banning; publish an effective user reporting system to underpin technical monitoring systems.

Accidental/Prank: consider a stepped response plan which allows for mistakes to be identified and rectified prior to any costly mitigation engagement; create a PR plan for the case of an accidental or prank DDoS attack.
Summary

All UK businesses should understand the impact that a DDoS attack might have on their business. To do this, they need to look at the breadth of their IT infrastructure that might be lost under a DDoS attack and the cost implications of losing that infrastructure for a period of time. When combined with an understanding of the annual likelihood of an attack, a company can then understand the expected cost impact of DDoS ranged against the company. All that would remain is the allocation of budget to DDoS mitigation (technical and non-technical) proportionate to the expected loss.

Some of the assumptions that are made during a risk assessment exercise, particularly those around the expected impact of a DDoS attack, may be quantified accurately through a formal DDoS test. In the next section of the report, the place of DDoS testing in a comprehensive DDoS mitigation programme will be considered.