The disturbing reality of a successful hacking attempt looms over all businesses, government agencies and websites that hold any form of public data. But organisations still aren’t doing enough to prepare for the crippling event of an attack.
It’s only by putting in place a detailed, comprehensive plan before attacks strike can organisations — including public agencies — hope to mitigate some of the risk represented by a Distributed Denial of Service attack, or indeed, a direct hack into back-end systems designed to steal information.
The unfortunate reality is that these attempts are increasing. According to the 2016 Akamai State of the Internet report, DDoS attacks increased by 125% from Q1 2015 to Q1 2016.
Importantly, these attacks are becoming more sophisticated. The report found mitigated attacks were overwhelmingly multi-vector attacks (59%, up from 56% the previous quarter), in which hackers target an organisation using a variety of technologies, across multiple stages, in order to make attacks more powerful and drag out for much longer.
For any organisation or agency, that downtime is simply unacceptable.
But even that isn’t the worst problem. According to James Tin, principal enterprise security architect at Akamai, these attacks are often merely a distraction for the main attack — a critical data breach.
“Over 50% of DDoS attacks have an associated data breach,” he said. “They’re distractions.”
Unfortunately, the technology used to create these attacks is becoming cheaper.
“It’s actually quite simple to launch an attack,” said Tin. “It can start off at $3.75 for a 10-minute attack, which will take down most enterprises in Australia. If you’re the target, you have no control when it starts, or when it stops. It’s essentially the wild west out there.”
As the State of the Internet report found, many sites from which attacks can be launched play a key role here; these DDoS-for-hire frameworks allow “multiple attacks [to] be launched simultaneously”.
Australian organisations need a plan to survive the impact. Without it, Tin says, agencies will be stumbling in the dark — and might make decisions they otherwise mightn’t have made. In some cases, he says, organisations making rushed decisions can make the effects of the attack even worse.
“If you don’t have a plan … we’ve seen Australian organisations try something, and it doesn’t work, then try another thing and that doesn’t work either. One organisation was effectively down for four days because they didn’t have a proper plan and they made some decisions that caused some more problems.
“Would you rather the attack hit you, not have any capability to stop, and then only afterwards have the budget to create a plan — or would you like to have a solution in place before it happens?
“When you’re under duress, you typically make the wrong decision.”
Agencies should consider the following steps to mitigate the possibly crushing effects of a DDoS attack …
Comprehensive communication
Whenever an attack happens, you need someone designated as a key communicator. This person should handle both communication that travels inside, and outside, the business including external stake holders such as ministers and press. Keeping that person in sync with technical teams will ensure no false information is spread.
Constant updates are crucial, also. Both internal employees and public users, if affected, will want to see an organisation is on top of an attack. How you respond publically will be the measure of how stakeholders will judge you on the confidence of working with you in the future.
Additionally, ensure the contact details of this communication leader — including contact details of other technical teams — are readily accessible to everyone in your organisation.
Run a simulation
In order to determine your ability to stop an attack, an agency should run a simulation. Not only will this help your infrastructure teams understand your liabilities and strengths, it will also ensure key personnel understand their roles in the event of an attack.
This simulation needs to be all-encompassing. Think like an attacker, and simulate circumstances you might even think unlikely to occur — it’s the only way to expose your vulnerabilities.
It would be easy in this situation to overestimate just how much your infrastructure can handle. However, as Tin explains, this area of cybersecurity is developing faster than many organisations can handle.
“Even Australia’s largest banks can’t afford to do all this themselves because they can’t stay ahead of the attackers, and attacks evolve,” he explained.
Making sure your infrastructure has plenty of headroom to withstand even a more significant attack than you assume could occur is only good practice. This is also another reason to keep up-to-date with key industry statistics — knowing the techniques, tactics and procedures of the average attack will give you the capability to fight one.
Deploy mitigation plans beforehand
Having spare capacity is well and good, but organisations should ensure they deploy resplonse plans that can help mitigate the effects of an attack beforehand. There are infrastructure appliances that can do this, but Tin makes the point businesses should have that infrastructure deployed around the world, because deploying it in within Australia is a little too late. The traffic has already caused the collateral damage and most service providers will Black-Hole traffic, which means all traffic to you will be offline, both good and bad, meaning the attacker has achieved their goal.
“Deploy them further away from the asset you’re trying to protect,” he said. “Don’t deploy where you are — put them in those other locations so you can scrub the traffic overseas closer to the source, then deliver it to Australia.
Don’t just rely on your ISP
It’s important to ask your ISP questions about how much traffic they can handle. For instance, if your site is hit with 80 Gpbs of traffic, can your ISP block that attack — and if so, how long will it take?
Ensure you know how much your ISP can help you in the event of an emergency.
Continually update your plan
Attacks change. Cybersecurity is an ever-evolving world, and making sure your plan adapts to those changes is crucial. Conduct a simulation at least once a year to make sure your preparedness is at its full capacity — including when new members join, or key individuals change roles.
“I liken it to being a commercial airline pilot — they’re in flight simulators practicing for the worst events, so they don’t have to experience something for the first time in the while flying a real plane,” said Tin. “It’s the same with cybersecurity. Practice, don’t just pray.”