The CISA, FBI and Multi-State Information Sharing and Analysis Center (MS-ISAC) collaborated to create a document guideline for organizations to defend against DDoS attacks. As DDoS attacks can be a challenge to trace and block, the vector is often leveraged by hacktivists, nation-state groups and other politically motivated actors. Therefore, government websites are common targets.
The guideline emphasized three notable forms of DDoS attacks that the public sector should prepare for:
- Protocol-based attacks, in which malicious actors target vulnerable protocol implementations to reduce a target's performance and potentially cause a malfunction.
- Volume-based attacks, which take up a target system's resources by overloading it with a large volume of traffic.
- Application layer-based attacks, which target weaknesses within specific applications to take up its processing power or cause a malfunction.
The advisory warns that these attacks are not mutually exclusive, as malicious actors can deploy multiple methods to launch sophisticated attacks. Additionally, attack methods are constantly evolving.
Security leaders weigh in
Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:
“DDoS attacks have proven to be the most effective by bad actors for payouts and disruption when timed against a target's primary business needs. For example, targeting a gambling institution just prior to a sporting event, which would make it more likely to payout to make the DDoS attacks stop. DDoS attack tactics have changed tremendously over the years with changes in technology. We’re seeing massive throughputs that are impossible to defend against unless you have specific DDoS countermeasures in place, proactively, starting at the edge of your border gateway. In keeping with the themes of the joint advisory, organizations would be wise to proactively identify actors, threats, and TTPs specific to their organization to prioritize what might be more likely to hit and thus plan countermeasures more effectively.”
Darren Guccione, CEO and Co-Founder at Keeper Security:
“The latest joint advisory highlights the critical need for government entities to protect themselves against the persistent threat being presented by DDoS attacks. Because DDoS attacks are relatively easy to execute and can cause significant reputational and financial losses as a result of disrupting the target organization’s services, they are a prominent tool in bad actors’ arsenal. While not every attack can be prevented, this advisory offers steps that can be taken to mitigate the damage caused by cybercriminals and minimize impacts on systems and operations.
“Aligning with cybersecurity best practices, the joint advisory provides useful guidance to mitigating and responding to DDoS attacks. It emphasizes the importance of implementing network monitoring, regularly analyzing network traffic to have an established baseline and implementing captcha to differentiate between human users and bots. Additionally, organizations should consider developing a robust incident response plan, employing DDoS mitigation services and evaluating and potentially increasing bandwidth capacity to effectively mitigate the impact of these attacks.”
John Gallagher, Vice President of Viakoo Labs at Viakoo:
“The joint advisory issued by the US Government around DDoS attacks is important and needed to keep organizations vigilant about these threats. In particular, breaking down the different methods of attack helps organizations refine their current (insufficient) strategies based on what their infrastructure is.
“Calling out application-layer attacks (as well as protocol based attacks) helps provide context to DDoS attacks – all too often it is just the volume-based attacks that defenses are based around. DDoS attacks, like many other forms of cyber attack, often grows within an organization one application at a time. Having application-based discovery methods, and a way to create a “dictionary” of device, port, and application connections can be effective in combating these attacks.
“Where this advisory could have gone further is in recommending putting effort into bot eradication. DDoS attack are quickly rising because threat actors have deployed vast botnet armies; where is the focus on removing those armies? Especially where there are fleets of IoT devices (a typical place for bots to reside), some guidance and push should be made to eradicate these armies.”