Version 1.0
It is time to prepare for Expected DoS Attacks. There is no perfect anti-DoS solution. But with forethought, planning, coordination, and practice any organization minimizes the impact of the DoS attacks. What follows ten essential steps that have proven to help organizations prepare for DoS attacks. The fundamental principles you will find in these guidelines is not to panic, DO NOT RUSH TO BUY, and to give your existing team time to invest in your Anti-DoS Allies.
Step 1 – What services are critical to your business?
A distributed denial of service (DoS) attack is an assault on a service. What services are essential to your business (“critical” = a direct impact on your business or the mission of the organization)? What are the most business affecting services accessible via the Internet? What critical internal services require the Internet to function (i.e. if the Internet stops working will the internal business functions stop)?
One of the most common misconceptions is that everything can be protected from a DoS attack. Prioritize the most critical services needed for the business or organization’s mission. Other non-critical might go down from the director or collateral impact of the DoS. There is no escaping the reality of a DoS attack. DoS attacks can get ugly. Our goal with step 1 is to minimize the anxiety during that attack by trying to restore everything. It is much easier to have internal agreement on the critical services restoration path and work to the plan to keep those services up and to run.
Step 2 – CxO Sponsored Internal “DoS Workshop.”
CxOs worry that their existing team might not be up to defending their network against DOS attacks. While every organization has knowledge gaps, the people with the best knowledge of the network and services are the existing team. Step 2 for DOS preparation is to pull together a cross-functional team and have a consultation on the “critical services list” and what would happen if there is a DOS attack. The aim of the DOS Workshop is to build a list of issues, gaps, and capabilities. It is amazing what existing teams can do if they only get the mandate to spend the time to focus on preparing for a DOS attack.
Step 3 – Make a list of the potential DoS Defense Allies.
Defending against a DoS attack is not a solo affair. The biggest Operators in the industry collaborate to mitigate DoS attacks. They collaborate with their competitors. They collaborate with vendors. They collaborate with investigators. Collaboration with a group of Anti-DOS Allies has been the #1 factor for successful DOS mitigation. So, who are your Anti-DoS allies? Who would you call? Is it your Internet Service Provider? Is it your equipment vendors? What about law enforcement or the local CERT Team? These groups can be your Anti-DoS Allies if you spend time and invest in the relationship before the attack. Use the idea provided in this document to make a list of all the potential DoS Defense Allies. For several of them, you do not need a contract or agreement. For others, they will be part of your ecosystem of vendors and service providers.
Step 4 – Get the Security – Emergency Contacts and “Reach Out”
Who will your team call when a DoS attack starts? Does everyone on your team know the emails, mobile phones, and IMs of each of your critical Anti-DoS Allies? Building an emergency contact list is not a new concept. Make sure your operations and security team have all these Emergency Anti-DoS contacts. This Emergency contact list is an industry Best Common Practice (BCP), but it is surprising that most organizations do not spend the time to build and maintain this anxiety-reducing crisis tool. Practice with the list. Regularly reach out to everyone on the list. E-mail, call, and chat, and practice with the list during tabletop and red/blue team exercises. It is important to make sure each organization is ready to be part of your “DoS Defense Alliance.” This first step to building the confidence they will help you is to regularly “reach out.”
Step 5 – Regular Sync Up Meetings with your Anti-DOS Allies
Set up a conference call (or physical meeting) with your new DoS Defense Alliance members to review your critical services. Explore what they can do together. Exchange intelligence and lessons learned. And when possible, practice. Spend time to explore what information is going to be needed to do the DoS investigation. Your law enforcement Anti-DoS allies will help you with the information they need to open a case. The regular sync up meetings is a vital tool to explore what you can do together and what information needs to be exchanged to facilitate each party’s success against a DoS attack.
Step 6 – Build Anti-DOS Crisis Communications Plan and Escalation Plan
Bad things happen to a network. Effective communications with customers, shareholders, staff, and partners are the difference between a catastrophe and managed chaos. Build an internal and external security crisis communications plan. Do not wait. What would happen if there was an attack now, before deployment of the new in-depth anti-DoS solution? Building this plan, working with the crisis communications team in the company (or learning crisis communications principles) would all be a valuable input for the anti-DoS solutions.
This plan would have the obvious external – public – version. This would be hand in hand with the PR and Marketing Teams. Their crisis communications training will be helpful. Internal security crisis communication is just as crucial. Every customer touchpoint is critical to how the public and your customers see your response. An internal “go-to” site where everyone in the company goes to get accurate information that can be shared with the customer eases anxiety for everyone (staff and customers).
Some peers in the industry joke that organizations need not spend millions of dollars on anti-DoS solutions. All that is required is an effective crisis communications plan that manages the anxiety of customers, shareholders, and the board of directors. The reason they say this is the witnessing of excellent communications plans during massive DoS Defense fiascos. The effective crisis communications allowed for quick recovery on the DoS attack was over. Review crisis communications plan quarterly and postmortem after each DoS incident.
Step 7 – What anti-DoS techniques work now?
There is a range of simple tools that can build anti-DoS resiliency into the existing network. Pull all the vendors in the network into meaningful resiliency conversations. “What can we do with what we have now?” Most vendors will try to push a “new product.” Push back on new “shining security widgets.” Focus is on today. What tools work today if a DoS attack starts? Expected DoS Attacks are based on existing threats. Don’t wait when you have a perceived threat. Find out what works today, practice, and prepare.
Step 8 – Practice, Practice, Practice – Prepare for the Expected DoS Attacks
Anti-DoS tools only work if everyone knows how to use the tools. Anti-DoS Alliances are only productive if the Alliance communicates, practices, and works to understand how to align their Anti-DoS response. Allocate time to have regular War Room, Table-top, Red Team/Blue Team, Cyber Range, and other “training exercises.” Ensure everyone knows how to use the tools.
Step 9 – How to Report DOS Attacks – the Collection Exercise
People who launch DOS attacks do get caught. It takes hard work with a lot of international collaboration. The first steps are the victims of DoS attacks working with their Anti-DoS Allies to report the details of the assault. The “Reporting DoS Attacks & Fighting Back Against DoS Attacks” white paper is a tool to help organizations review and prepare information their Anti-DoS Allies will need to do their part of the investigation. Expected DoS Attacks are an opportunity to work in tandem with law enforcement to arrest the DoS Source.
Step 10 – Building resilient capability for the future?
We can build critical services to be highly resilient to DoS attacks. Intentionally invest and learn these architectural and resiliency principles. Not all of them would be worth the cost, but over time, the organization would learn which are the most beneficial. Ask “which are the top architectural techniques to resist DoS attacks” during all the conversations with vendors, operators, Anti-DoS Allies, and other experts.
Additional Materials
It is critical to prepare for Expected DoS Attacks. Prepare for DoS Attacks. Don’t wait until it is too late (like during a DoS Attack). Here are additional resources to help you explore a way to prepare your organization:
- Preparing for DOS Attacks – the Essentials – Are you Prepared for your Next DoS Attack? Reporting DoS Attacks are the Key to Fighting Back!
- 7 Critical Security Conversations
- Three questions every CxO should ask their ISP
- Are you part of the DDOS Problem?
- Preparing for the next DDOS Wave
- How To Prepare For A DDoS Attack: 10 Steps – Like a hurricane or a flood, a DoS is a crisis. Follow these 10 steps to prepare for an attack before it hits.
Need Security Advice?
If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Help organizations leverage the surrounding talent to get started with their security activities. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.