Reflections from a road trip: The evolving risk of DDoS attacks
Recently, I spent time with some of our customers discussing recent security events and the threat landscape. As a leader for vulnerability handling, we often have to deliver news regarding our products that can cause significant disruption for patching and remediation. I always appreciate the time that customers take to provide feedback on our products and services.
The dominant topic during conversations with customers was the threat landscape, specifically the Distributed Denial of Service (DDoS) attacks that have taken place and are currently taking place. While DDoS attacks are certainly not new territory for our industry, there were some interesting observations we discussed regarding the nature and impact of such activities.
Our customers shared that the network infrastructure demonstrated considerable resilience and succeeded in delivering the increased traffic to the intended destination. Unfortunately, once those increased loads were delivered, many Internet-based applications and services failed. In times past, network infrastructure devices lacked the resiliency to sustain these types of loads, and our interactions were focused on network stability and recovery. This time, our conversations were focused on working proactively to embed additional intelligence into the network to detect and mitigate future attacks.
Data shows that the implementation of secure development practices has resulted in network elements that are more resilient to load-based attacks than they were ten years ago, yet we remain at risk of successful load-based attacks. The end user experience is exactly the same: applications and services are rendered unavailable. In my mind, this means that despite all the efforts around secure coding, patching, and other traditional security best practices, the DDoS problem is by no means solved. So where does that leave us?
At this point, most blog posts would start discussing the threat landscape, actors, and all of the other sexy aspects of security. Although Cisco provides a wealth of information on these topics (see the end of this post for examples), I’d like to take a different approach and offer up the perspective that DDoS is no longer a problem to be relegated to the security community alone.
We live in a connected world with more critical services, applications, and infrastructure relying on the Internet every day. It’s time to consider the threat of DDoS as a business continuity risk. Companies draft detailed contingency plans to allow business transactions to continue in the face of events such as natural disasters, terrorist attacks, and blackouts. Many companies have regular tabletop simulations or even live drills to ensure failover capabilities. The primary goal of this type of activity is validation of the failover plans and capabilities. An indirect benefit is the confidence that an organization can build robust process and decision capabilities in a future crisis.
A best practice that I will share from Cisco is that, along with the traditional risk management teams, we partner with subject matter experts from Corporate Communications, Legal, and Public Relations. Creating these dependencies and relationships outside of a crisis helps clarify and drive the decision-making structure during an event. Anyone who has been involved in a crisis knows that a lot of people want to ‘help’ or be ‘in the loop’. With the current realities of social media and ‘hacktivism’, the relationships between these groups become even more critical. In some cases, public messaging from your own company can result in being targeted for an attack, so having trusted relationships and transparency between these teams is more critical than ever.
Hopefully your organization includes cyber security activities in its business continuity planning and execution cycles. Those plans should not be limited to DDoS, as there are many other risks that we are well aware of, but this is a good place to start making new friends and building new relationships.
Finally, please check out the Cisco Security Intelligence Operations (SIO) Portal for a great deal of collateral produced to help our customers protect their networks. The following items are specific examples from the SIO Portal as well as this security blog about DDoS Attacks:
- Return of the DDoS Attack by John Stewart, Cisco CSO
- Protecting Our Networks: It’s a Team Game Now! by John Stuppi, Technical Leader
- Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective by Andrae Middleton, Security Engineer
- Cisco SIO Tactical Resources by Cisco’s Security Engineering Community