How Effective CSOs Prepare for DDoS Attacks - PowerPoint PPT Presentation
How Effective CSOs Prepare for DDoS Attacks

Rob Kraus & Jeremy Scott

Solutionary SERT



Rob Kraus, Director of Research (Twitter: @robkraus)

Jeremy Scott, Senior Research Analyst (Twitter: @jeremyscott_org)

Solutionary, Inc. (Twitter: @solutionary)

Security Engineering Research Team (SERT)

How Effective CSOs Prepare for DDoS Attacks

Countering Attacks Hiding In Denial-Of-Service Smokescreens

-Dark Reading, September 2013

What’s better than creating your own DDoS? Renting one

-TechRepublic, September 2013

Cybercrooks use DDoS attacks to mask theft of banks' millions, August 2013

DDoS Botnet Now Can Detect Denial-Of-Service Defenses

-Dark Reading, August 2013

DDoS Attacks Strike Three Banks

-Bank Info Security, August 2013


DDoS Varieties

  • Every DDoS is different

    • Attack types/target infrastructure/services

    • Tools (booters, stressers, DDoS for rent)

  • Examples:

    • Volumetric

    • SYN Flood (TCP protocol)

    • DNS Amplification (reflection)

    • HTTP Application Attacks


Basic Volumetric DDoS Attack


Application Layer DDoS

  • Targets applications

    • Effective due to underlying components serving content

      • Logon pages

      • “Heavy” content pages

      • Complex database queries

      • Max connections exceeded


Case Study #1

  • Mid-sized financial institution

  • Targeted application DDoS

  • Over 30,000 attack sources

  • Attack duration 30 minutes

  • Attacked 8 times in 2012


DDoS Movie


Case Study #2

  • Large financial institution

  • Over 91,000 attack sources (150 countries)

  • Attack duration: 10.5 hours

  • Bandwidth Consumption DDoS

    • Masked 3 unauthorized ACH transfers totaling 4.2 million dollars


Other DDoS Considerations

  • Is your organization the target…or the source?

    • Monitor internal and external bandwidth

  • Visibility is key

    • Monitor appropriate parts of infrastructure

    • Consider SSL termination points


Solutionary 2013 GTIR

How Effective CSOs Prepare for DDoS Attacks

“Everyone has a plan until they get punched in the face.”

-Mike Tyson



IR Roles & Responsibilities

  • Planning

  • Preparation

  • Testing plan effectiveness

  • Monitor intelligence feeds

  • Communication

  • Manage incidents


DDoS Response Goals

  • “Stop” vs. Mitigate

    • Goal #1 Detect the attack in a timely manner

    • Goal #2 Enable reactive controls

    • Goal #3 Achieve “Sustained Availability”

    • Goal #4 Recovery and review
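Goal #1 above, detecting the attack in a timely manner, applied to the application-layer DDoS from the earlier slide: an added Python example, not from the deck or from Solutionary, that reads constructed web-access log lines and alerts when a monitored path such as a logon page is hit at many times its baseline rate from many distinct sources inside a sliding window. The log format, the per-path baselines and the thresholds are assumptions of this example.

```python
"""Added example, not from the deck: spot an application-layer DDoS against
"heavy" endpoints such as a logon page from web access logs. Assumed
heuristic: a path is flooded when, inside a sliding window, its request
count exceeds rate_factor x its normal baseline AND the requests come from
at least min_sources distinct IPs (many sources, as in the case studies)."""
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed normal request volume per 60-second window for each monitored path.
BASELINE_PER_WINDOW = {"/login": 20, "/report/export": 5, "/": 200}


def parse_line(line):
    """Parse the constructed log format '<ISO time> <client ip> <method> <path> <status>'."""
    ts, ip, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), ip, path


def detect_floods(lines, window_seconds=60, rate_factor=5, min_sources=50):
    """Return {path: (time of first alert, requests in window, distinct sources)}."""
    window = timedelta(seconds=window_seconds)
    recent, sources, alerts = {}, {}, {}
    for line in sorted(lines):  # ISO timestamps sort chronologically as text
        ts, ip, path = parse_line(line)
        if path not in BASELINE_PER_WINDOW:
            continue
        q = recent.setdefault(path, deque())     # (timestamp, ip) inside the window
        c = sources.setdefault(path, Counter())  # ip -> requests inside the window
        q.append((ts, ip))
        c[ip] += 1
        while ts - q[0][0] > window:  # expire events that have left the window
            _old_ts, old_ip = q.popleft()
            c[old_ip] -= 1
            if c[old_ip] == 0:
                del c[old_ip]
        flooded = len(q) > rate_factor * BASELINE_PER_WINDOW[path]
        if path not in alerts and flooded and len(c) >= min_sources:
            alerts[path] = (ts, len(q), len(c))
    return alerts


def constructed_sample():
    """Constructed log: light browsing of '/' plus a 30-second flood of /login from 300 IPs."""
    t0 = datetime(2013, 9, 1, 12, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 192.0.2.{i % 5 + 1} GET / 200"
             for i in range(150)]
    lines += [f"{(t0 + timedelta(seconds=60 + i // 10)).isoformat()} "
              f"10.{i // 256}.{i % 256}.7 POST /login 401" for i in range(300)]
    return lines
```

The distinct-source requirement is what separates a distributed flood from a single abusive client that an ordinary per-IP rate limit already handles; a burst from few sources will not trip the alert.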


Defense Maturity

Basic Controls

Advanced Controls


DDoS Mitigation Service Providers


Poor CSO Approach

  • Rely on others to understand the risk

  • Unaware of the organization's capabilities to thwart attacks

  • Expect results even after no prior planning

  • Scramble for budget during the attack

  • Don’t consider attacks a part of delivering business


Effective CSO Approach

  • Think in terms of “tactical” and “strategic” solutions

  • Understand:

    • threat, risk, vulnerabilities, loss potential

    • it is a matter of “when”, not “if”

    • the goal is not to stop, but mitigate

    • not all DDoS can be mitigated, but still try

    • “rolling your own” solution is not always the best choice

  • Sponsor and participate in IR plan development


Effective CSO Approach

  • Embrace and leverage relationships

    • ISP

    • Vendors - subject matter expert support contracts

  • Conduct test exercises to determine plan effectiveness

  • Leverage existing technologies

  • Plan and allocate budgets

    • Training

    • External IR support

    • Mitigation services


Benefits of Being Effective

  • Compress the mitigation timeline

    • Reduce overall impact

      • Loss of productivity

      • Loss of availability (loss of revenue)

      • SLA penalties

      • Legal costs

    • Protecting your brand



  • RFC 4987 - SYN Flood Attack and Mitigation

  • Solutionary – 7 Steps to DDoS Protection

  • Solutionary – 2013 Global Threat Intelligence Report (GTIR)
