Davin Jackson, Cybersecurity Media Personality
https://www.esecurityplanet.com/author/davin-jackson/
Industry-leading guidance and analysis for how to keep your business secure. (eSecurity Planet author feed, Fri, 20 Dec 2024 16:29:48 +0000)

How to Prevent DDoS Attacks: 5 Steps for DDoS Prevention
https://www.esecurityplanet.com/networks/how-to-prevent-ddos-attacks/
Mon, 23 Dec 2024 13:00:00 +0000

Preventing DDoS attacks altogether can spare you future headaches. Discover how to mitigate them by implementing key steps and best practices today.

The post How to Prevent DDoS Attacks: 5 Steps for DDoS Prevention appeared first on eSecurity Planet.

DDoS attacks are security threats that seek to cripple network resources such as applications, websites, servers, and routers, which can lead to heavy losses for victims. However, they can be prevented through implementation of security best practices and advanced preparation, like hardening your networks, provisioning your resources, deploying strong protections, planning ahead, and actively monitoring your network.

1. Protect Against DDoS Attacks

The standard security best practices for generic and layered cybersecurity defense can provide reasonable protection against DDoS attacks. Yet some specific measures, such as vulnerability patching and IT hardening, can provide even better protection.

Patch & Update Resources

All resources should be patched and fully updated. For effective DDoS defense, priority for patching and updates should be placed on devices between the most valuable resources and the internet, such as firewalls, gateways, websites, and applications. IT teams should also perform the following actions:

  • Perform vulnerability scans: Routinely use vulnerability scanning tools to discover any issues such as missing updates, patches, or misconfigurations. Vulnerabilities can arise from overlooked patches and outdated software.
  • Implement patch management: Create a process to regularly prioritize, test, and deploy updates and patches to your devices and applications to ensure they are kept up to date with no errors or conflicts.

Harden Applications

Applications and websites can be hardened by making changes to your network, using application security tools, or running penetration tests to probe for vulnerabilities, misconfigurations, or coding oversights. Specific attention should be given to weaknesses that might enable various types of DDoS attacks.

For example, adding captchas to verify human interaction on your website can defend against attackers using bots to send a large number of requests that can overwhelm and crash a server.

Lock Down IT Infrastructure

Servers, gateways, firewalls, routers, and other IT infrastructure can be hardened against attack by changing settings, adjusting configurations, eliminating unnecessary features, and installing optional features that provide additional network security.

Hardening includes, but is not limited to:

  • Block network ports: Block unused ports on servers and firewalls.
  • Restrict access: Limit some protocols to devices on the internal network.
  • Enable rate limiting: Set or lower rate limit thresholds to drop packets when the other computer fails to reply or makes repetitive requests.
  • Block half-open connections: Enable time-outs for half-open connections.
  • Set firewall rules: Configure your firewall to detect and drop spoofed, improperly formatted, or malformed packets.

For example, DNS servers can be specifically targeted by attackers and are vulnerable to various types of attacks. If the organization doesn’t use it, UDP access to port 53 (DNS) should be blocked.

Read our article for more information on how to prevent DNS attacks, including general best practices to follow and tips for specific DNS servers and types.

2. Deploy Anti-DDoS Architecture

In addition to hardening, the IT architecture can also be designed for more resiliency and security against DDoS attacks. IT teams that overprovision infrastructure, back up their systems, create redundancy, obscure potential DDoS targets, and isolate vulnerable devices can limit the effectiveness of DDoS attacks and strengthen overall resilience.

  • Overprovision your infrastructure: When building out your network and equipment, estimate your bandwidth and then design for 200–500% of the baseline needs. While this can be expensive, the additional resources buy time to react to a DDoS attack.
  • Back up critical components: Redundant devices or backup devices are required for a resilient architecture and can be used to restore systems quickly after a DDoS attack. Update the data regularly and only bring them online after the attack has been stopped.
  • Add redundancy: Consider redundancy options like separating firewalls from routers, moving resources to the cloud, and distributing traffic across multiple data centers to avoid bottlenecks or single points of failure vulnerable to DDoS.
  • Obscure the target: Obscurity makes attacks more difficult. Protect your internal networks by blocking ICMP or ping requests and adding additional layers of security like Virtual Private Networks (VPNs) or secure web gateways (SWGs) to hide IP addresses.
  • Isolate resources: Content distribution networks (CDNs) or Anycast networks distribute resources across different locations and IP addresses, making DDoS attacks less effective. You can also utilize network segmentation and access control lists.

3. Install Anti-DDoS Tools

In addition to hardening and design, organizations can obtain tools, download and install patches, or enable features that specifically protect against DDoS attacks based on their needs and budget. Some of these include:

  • Anti-DDoS features: Check with your device’s manufacturer for any DDoS-specific features or patches to install on appliances like servers to defend against attacks, such as the mod_reqtimeout module in Apache 2.2.15 that defends against the Slowloris attack.
  • Routers and gateways: Oftentimes, routers and gateways have advanced features that can be enabled to mitigate DoS attacks. Network administrators or security teams can find these features in the device’s admin console and enable them as needed.
  • Rate limiting: Response Rate Limiters (RRL) can be configured on network devices to stop various DDoS attacks, for example by blocking repeated identical requests from the same IP address or dropping repeated TCP requests that receive no response.

As a caution, hardening for security should not go so far as to destroy the functionality of useful protocols. For example, make sure updates and patches do not conflict with other systems on the network, and instead of dropping ICMP packets from all sources, limit ICMP to allow-listed IP addresses internal to the organization so the functionality remains available while external DDoS traffic is still blocked.
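As an added example (not code from the article), the rate-limiting and allow-listing points above can be combined in a small per-source limiter: each external source is capped at a number of requests per window, while sources inside the internal ranges assumed here (10.0.0.0/8 and 192.168.0.0/16, constructed for the example) are exempt so their functionality is preserved. The traffic fed through it is constructed as well.

```python
"""Per-source request rate limiting with an internal allow-list.

Added illustration, not code from the eSecurity Planet article. A sliding-window
limiter caps the requests any one external source may make per window, while
sources inside allow-listed internal ranges are exempt (the ICMP caveat in the
text, generalised to any request type). All addresses and traffic are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import deque

# Constructed internal ranges exempt from limiting (assumption for the example).
INTERNAL_ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("192.168.0.0/16")]


class SourceRateLimiter:
    """Allow at most `limit` requests per `window_ms` from each external source."""

    def __init__(self, limit=10, window_ms=1000, allow_list=None):
        self.limit = limit
        self.window_ms = window_ms
        self.allow_list = list(INTERNAL_ALLOW_LIST if allow_list is None else allow_list)
        self._hits: dict[str, deque[int]] = {}   # per-source request timestamps
        self.dropped: dict[str, int] = {}        # per-source drop counters

    def is_allow_listed(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allow_list)

    def allow(self, src: str, now_ms: int) -> bool:
        """Return True if the request from `src` at time `now_ms` may pass."""
        if self.is_allow_listed(src):
            return True                  # internal hosts keep full functionality
        hits = self._hits.setdefault(src, deque())
        # Discard timestamps that have aged out of the sliding window.
        while hits and now_ms - hits[0] >= self.window_ms:
            hits.popleft()
        if len(hits) < self.limit:
            hits.append(now_ms)
            return True
        self.dropped[src] = self.dropped.get(src, 0) + 1
        return False


def sample_traffic() -> list[tuple[int, str]]:
    """Constructed (time_ms, source) events: one external flood, one internal
    burst, and one well-behaved external client."""
    events = [(i * 33, "203.0.113.7") for i in range(30)]      # 30 req in <1 s
    events += [(i * 33, "10.1.2.3") for i in range(30)]         # internal burst
    events += [(i * 1000, "198.51.100.9") for i in range(3)]    # 1 req/s
    return sorted(events)


def run(limiter: SourceRateLimiter, events) -> dict[str, dict[str, int]]:
    """Feed events through the limiter; return per-source passed/dropped counts."""
    summary: dict[str, dict[str, int]] = {}
    for now_ms, src in events:
        counts = summary.setdefault(src, {"passed": 0, "dropped": 0})
        counts["passed" if limiter.allow(src, now_ms) else "dropped"] += 1
    return summary


if __name__ == "__main__":
    for src, counts in run(SourceRateLimiter(), sample_traffic()).items():
        print(f"{src:>14}: {counts}")
```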

Additional DDoS Protection: Firewalls, Appliances & Services

While some firewalls can stop a DDoS attack alone, others need help. Firewalls traditionally formed the initial defense against external attacks, and modern firewalls can stop many of the older and simple DDoS attacks, such as IP Null attacks or ACK Fragmentation Floods. However, firewalls cannot stop attacks disguised as normal traffic (HTTP GET, HTTP POST, etc.) and can be overwhelmed with volumetric attacks.

Extra protection should be applied to protect exposed or critical resources such as application servers exposed to the internet or DNS servers and services. Various vendors offer software that adds anti-DDoS features to firewalls or hardware to specifically guard against DDoS attacks.

In addition, organizations can engage cloud-based DDoS protection providers such as Akamai, Cloudflare, and Amazon Web Services for enterprise-wide solutions.

See our list of the best DDoS solutions and see how they compare to other vendors, strengths, weaknesses, and the cost to implement them in your organization.

4. Design a DDoS Response Playbook

After establishing a hardened and updated IT infrastructure protected with anti-DDoS architecture and tools, the IT and security teams need to create a DDoS playbook. A formal document can assist responding teams should a DDoS attack occur.

The response plan may include:

  • Who to call: Contact information for the response team members, applicable vendors like internet service and hosting providers, professional incident response and security vendors, executives, and legal counsel.
  • Infrastructure information: Network details such as IP addresses, failover devices, network maps, etc.
  • Action plan: Steps to take in the event of a DDoS attack.

Practice the response plan at least once a year and routinely check to ensure all contact information in the playbook is still accurate. Some elements of the playbook may even be automated by some anti-DDoS tools, so additional security measures may be implemented to blunt the danger of the DDoS attack faster than people can react.

Read our guide on how to create an incident response plan and get our free template.

5. Deploy DDoS Monitoring

With hardened infrastructure and an effective playbook in hand, the IT teams and security teams can then use different monitoring tools to watch for signs of a DDoS attack in progress. Here are some tools you can use for monitoring your assets:

  • Network monitoring: Network monitoring tools are hardware or software applications that track the behavior, traffic, and health of endpoints, firewalls, routers, switches, and servers.
  • Security monitoring: Security monitoring tools collect and analyze network and device information to detect suspicious behavior and trigger alerts to IT and security teams.

These monitoring tools will establish ‘normal’ traffic baselines so that abnormal traffic patterns generate alerts. The earlier a team can detect an event in progress, the faster the attack can be resolved.

Teams should select a tool appropriate for the resource and set up alerts for typical indicators of DDoS attacks such as sudden bandwidth demand increases, anomalous traffic increases, or unusual traffic sources. Alerts can be routed to security information and event management (SIEM) tools, security operations centers (SOCs), managed detection and response (MDR) services, or even DDoS security specialists.

While automated responses can create fast reaction times and automatically stop DDoS attacks, they should be used carefully. False positives might lead to operation disruptions, so alerts still need to be evaluated by the security team.
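An added example, not from the article, of what a monitoring tool's baseline-and-alert logic looks like in practice: it parses Common Log Format access-log lines, builds a per-minute request baseline from earlier minutes, and raises an alert for a minute whose request count exceeds a multiple of that baseline, listing the sources that were not seen during the baseline period. The log lines, addresses and thresholds are all constructed.

```python
"""Spot a request-rate spike and unusual sources in web-server access logs.

Added illustration, not code from the eSecurity Planet article. Parses Common
Log Format lines, keeps a per-minute baseline (median requests/minute over
earlier quiet minutes) and alerts when a minute exceeds `spike_factor` times
that baseline. Alerted minutes are kept out of the baseline. Logs are constructed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Common Log Format: host ident user [time] "request" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$')


def parse_line(line: str) -> dict | None:
    """Return {"ip", "minute", "bytes"} for a CLF line, or None if malformed."""
    m = _CLF.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {"ip": m["ip"], "minute": ts.strftime("%Y-%m-%dT%H:%M"), "bytes": size}


def detect_spikes(lines, spike_factor=5.0, min_baseline_minutes=3) -> list[dict]:
    """Alert on minutes whose request count exceeds spike_factor x baseline."""
    per_minute: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["minute"]].append(rec)
    alerts: list[dict] = []
    history: list[int] = []          # requests/minute for quiet minutes only
    seen_sources: set[str] = set()   # sources observed during quiet minutes
    for minute in sorted(per_minute):
        recs = per_minute[minute]
        count = len(recs)
        alerted = False
        if len(history) >= min_baseline_minutes:
            baseline = median(history)
            if count > spike_factor * baseline:
                alerted = True
                by_ip = Counter(r["ip"] for r in recs)
                new_sources = sorted((ip for ip in by_ip if ip not in seen_sources),
                                     key=lambda ip: (-by_ip[ip], ip))
                alerts.append({
                    "minute": minute,
                    "requests": count,
                    "baseline": baseline,
                    "bytes": sum(r["bytes"] for r in recs),
                    "new_sources": new_sources,
                    "top_sources": by_ip.most_common(3),
                })
        if not alerted:              # keep attack minutes out of the baseline
            history.append(count)
            seen_sources.update(r["ip"] for r in recs)
    return alerts


def make_sample_log() -> list[str]:
    """Constructed log: five quiet minutes, then a flood from two new sources."""
    normal = [f"198.51.100.{i}" for i in range(1, 6)]

    def clf(ip, minute, sec, size):
        return (f'{ip} - - [10/Oct/2024:13:{minute:02d}:{sec:02d} +0000] '
                f'"GET /index.html HTTP/1.1" 200 {size}')

    lines = []
    for minute in range(6):                       # 2 requests per normal host
        for n, ip in enumerate(normal):
            lines.append(clf(ip, minute, n * 10, 1000))
            lines.append(clf(ip, minute, n * 10 + 5, 1000))
    for i in range(200):                          # 200 extra requests in minute 5
        lines.append(clf(f"203.0.113.{7 + i % 2}", 5, i % 60, 1000))
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(make_sample_log()):
        print(alert)
```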


Three Fundamental DDoS Defense Strategies: Pros & Cons

When implementing DDoS defense, the strategies can be performed manually by IT teams, purchased through on-premise hardware or software, or implemented by cloud-based or off-premise tools and services. While some of these technologies can overlap or reinforce each other, many organizations don’t have the resources to apply multiple solutions and must choose a single solution that fits their needs. Each of these options has significant pros and cons.

DIY DDoS Defense Pros & Cons

Do-it-yourself defense can certainly be deployed successfully against DDoS attacks. These defenses often consist of manually deployed settings on open source software, firewalls, and servers.

Pros:

  • Inexpensive from a cash flow and capital expense basis
  • Usually compatible with many technologies
  • Usually created from open source tools

Cons:

  • Time consuming to execute and deploy
  • Complex to implement, integrate, secure, and scale
  • Vulnerable to large-scale DDoS attacks

For example, manually adding IP addresses to deny lists is easy, but it often lags behind constantly moving and evolving attacks; when facing botnets of thousands of endpoints, manual IP deny-listing becomes overwhelming.

On-Premises Defense Tools/Services Pros & Cons

Organizations can buy appliances and software specifically to defend against DDoS attacks. These tools can be deployed in front of the resources to be protected (firewalls, servers, etc.) or installed on the resources themselves.

Pros:

  • Can perform significant filtering, malware scanning, and deep packet inspection to improve detection and security
  • IT has full control over local installations
  • Offers more support and ease of use than DIY solutions

Cons:

  • Typically deployed between the ISP and the organization and subject to limited bandwidths and only local network protection
  • More expensive and significant labor to deploy and configure
  • Limited scalability; malware signatures and IP deny-lists will need to be updated regularly

Using the previous example, an appliance or local firewall application may come pre-loaded with a list of well-known botnet IP addresses based upon the vendor’s experience. This deny list will be much more comprehensive than a DIY list, but it will be part of a more expensive solution and will need regular updates.

Cloud-Based Defense Tools/Services Pros & Cons

Cloud-based DDoS protection tools provide more overarching security for the organization as a whole. Cloud-hosted tools are often referred to as Software-as-a-Service, or SaaS. If possible, cloud-based tools are the best option of the three.

Pros:

  • Protects multiple local networks or resources and offers better protection against internet-based attacks
  • Often less expensive than local appliances or software in the short term because they are offered as on-demand or SaaS solutions
  • Rapidly implemented and integrated, easily maintained and scalable

Cons:

  • Offers little protection against attacks from within a network
  • Subscription costs for SaaS products can still be expensive
  • Cloud tools usually have less control and customization than local appliances or DIY customization

Using the IP deny-listing example, SaaS DDoS tools generally are pre-loaded with IP addresses for well-known malicious botnets that are much more comprehensive than a DIY list and will be continuously updated by the SaaS provider.

Bottom Line: DDoS Prevention Tools Are a Must-Have

DDoS attackers seek to prevent access to a resource for legitimate users. Depending upon the resource affected, denied access could be merely annoying or it could cause an entire enterprise to be disabled. When a DDoS attack succeeds, effective planning allows for quick recovery and limited damages. Large and small organizations alike will benefit from investing time and resources into DDoS protection and IT infrastructure resiliency.

For a better understanding of DDoS attacks and the different characteristics, check out our complete guide on the types of DDoS attacks.

Video: Brain Cipher Ransomware Hacks Deloitte
https://www.esecurityplanet.com/video/brain-cipher-ransomware-hacks-deloitte/
Fri, 20 Dec 2024 15:51:08 +0000

In this video, we explore Deloitte's recent data breach, the data compromised, and what the company is doing to address the situation.

The post Video: Brain Cipher Ransomware Hacks Deloitte appeared first on eSecurity Planet.

Deloitte has been hacked in a massive data breach attributed to the Brain Cipher ransomware group, exposing 1TB of sensitive information. In this video, our cybersecurity expert dives into the details of the breach, how it happened, and what Deloitte is doing to contain the damage.

Video: Hackers Bypass TSA Security with SQL Injection
https://www.esecurityplanet.com/video/hackers-bypass-tsa-security-with-sql-injection/
Wed, 18 Dec 2024 14:51:36 +0000

We reveal a TSA security flaw that allowed hackers to bypass protocols and access cockpits. Explore the implications of this breach and what can be done.

The post Video: Hackers Bypass TSA Security with SQL Injection appeared first on eSecurity Planet.

Our cybersecurity expert uncovers a critical TSA security flaw that could enable hackers using SQL injection to bypass airport security and access commercial aircraft cockpits. Discover the risks of this breach, its potential consequences for passengers, and ways to enhance airport security.

How to Stop DDoS Attacks in Three Stages
https://www.esecurityplanet.com/networks/how-to-stop-ddos-attacks-tips-for-fighting-ddos-attacks/
Tue, 17 Dec 2024 15:15:00 +0000

Quickly stopping a DDoS attack is crucial for your business's survival. Here are three effective stages to prevent and mitigate DDoS attacks.

The post How to Stop DDoS Attacks in Three Stages appeared first on eSecurity Planet.

A distributed denial of service (DDoS) attack is a cyberattack where malicious actors flood a target system or network with large amounts of data that overwhelm their intended target, making it unavailable to legitimate users.

When under siege from a DDoS attack, systems grind to a halt and often become entirely unresponsive. Defenders must move quickly to block the attack, which may require outside assistance or even temporarily shutting down the resource; determine the type of DDoS attack using logs, alerts, and other resources; and finally, recover from the attack by making changes to the security architecture and investing in tools to prevent future attacks.


Stage I: Containment

Once under a DDoS attack, resources perform sluggishly, and even changes to protect them can be difficult to execute. Although an attack cannot be fully stopped without first identifying it, identification is not possible if the systems cannot be accessed because they are flooded with malicious traffic.

The attack must be stopped — even temporarily — to recover internal resources such as the CPU capacity and memory. Organizations that send logs to other resources (segregated storage, SIEM solutions, etc.) may be able to work on blocking the attack while determining the type of DDoS attack simultaneously.

Initial DDoS Response Tactics

Simple DDoS attacks can often be blocked using skilled internal resources. Yet, keep in mind that even basic DDoS attacks may need to be blocked upstream with the help of the host internet service provider (ISP), or else the blocked DDoS attack traffic can still threaten connection bandwidths and ISP infrastructure.

The initial DDoS response options you can choose from include calling your service provider (like internet and web hosting), contacting cybersecurity experts, making changes to your network to block the attack and strengthen DDoS protection, shutting down your services to make changes before going back online, and/or implementing new technologies for better protection.

Contact Your Service Providers

In some situations, simply contacting your internet or web hosting provider and notifying them of the situation can be all you need to stop a DDoS attack in its tracks. They may already be aware of it and working on blocking the traffic. Service providers can confirm the existence of an attack and implement some changes to stop the malicious traffic from reaching your network. Some of these include:

  • Increase bandwidth: Increasing the bandwidth can help you withstand a DDoS attack or mitigate it altogether, but may not be cost-effective.
  • Change IP addresses/ranges: Changing your IP address and DNS information can stop the attack temporarily until the attacker targets the new IP address. In addition, several internal systems would need to be changed to reflect the new IP address.

Although contacting your service providers is helpful, it may not be enough. Typical internet bot DDoS attack sizes can reach 100 to 500 Gbps, with some larger scale attacks reaching over 100 million requests per second. Even the largest enterprises will struggle to block attacks of this scale without professional assistance.

Hire Cybersecurity Experts

Utilizing a combination of skilled professionals and high-end tools and services is one of the most effective ways to defend against DDoS attacks as well as protect yourself from attacks in the future. These can include:

  • Cybersecurity professionals: Security consultants, managed detection and response (MDR) experts, and other professionals should be contacted to help stop the attack, improve systems against future attacks, and recommend other incident response tools and services.
  • Cloud services: Cloud-based DDoS protection services often provide the most comprehensive option to block DDoS attacks, so organizations will often migrate some or all of their infrastructure to a cloud provider like AWS, Microsoft Azure, or Google Cloud.

Be sure to update your access control lists to allow the connection between the services and the system being protected and block other connections so nothing bypasses the DDoS service. However, also keep in mind that even cloud providers cannot prevent DDoS attacks originating within the organization’s network.

Although having professional tools and services is worth the investment, it’s still an expensive one that surpasses any in-house solution and may not be an expense the company is ready to take on. In addition, finding a qualified professional while you’re actively being attacked may prove to be difficult and stressful.

Furthermore, security experts usually keep records of botnets and attack vectors, allowing them to act swiftly and even stop attacks before they’re activated.

Filter Targeted IP Addresses & Locations

Reviewing log files will often reveal valuable information regarding your network, including IP addresses and locations generating most of the DDoS traffic. You can then use this information to enable quick and inexpensive defenses on your network. Some options include:

  • IP filtering: IP filtering will allow you to block specific IP addresses.
  • Geo-blocking: Geo-blocking will allow you to block connections from a geographic location.

These can provide the much needed time for teams to develop and deploy other strategies, but are rarely a permanent solution since attackers can spoof their IP addresses or utilize botnets from unblocked regions, leading to a game of security whack-a-mole where defenders are constantly trying to keep up with attackers.

Also, any legitimate traffic from a blocked area won’t be able to access your resources, which can lead to financial losses and reputational damage in that region. Lastly, it’s usually recommended for these filters to also be applied at the ISP level to avoid being consumed with traffic that is being blocked.

Enable or Strengthen DDoS Protection Options

Organizations should check their existing resources (server software, router firmware, etc.) for DDoS protection options that may not yet be activated. Check your networking devices for the following security options:

  • DDoS protection on routers: Enabling this helps protect your network against DDoS by monitoring the number of traffic packets entering your network.
  • Rate limiting: Rate limiting is a security feature that limits the number of requests that can be made in a specific timeframe.

Since these features are already built into several network devices, it should be relatively easy and inexpensive to set up and get running on your network BEFORE an attack. They may not be effective during an attack, and you may not be able to deploy these features until after.

Shut Down Services

Sometimes shutting down the system under attack provides the best option. The service or resource can be isolated and hardened against further attack before it’s brought back online. Some examples are:

  • Stop specific requests: If you notice you are being bombarded with a specific network request (e.g., SYN flooding), you can rate-limit the incoming connection requests.
  • Block downloads: If a specific service is trying to download very large files, a defense might be to disable downloads temporarily without affecting the rest of the website.

This is a quick, inexpensive, and effective way to stop DDoS attacks on your service, but the downtime can also be disruptive and costly to the organization, especially in the event of a full system shutdown.

Implement New Technology

This step requires the most planning and configuration and ideally should be implemented early on and not after an attack where decisions can be rushed and considerations can be overlooked. Some tools to consider include:

  • Firewalls: A firewall is a tool that monitors network traffic and enforces security policies to block suspicious network activity or malicious attacks.
  • Secure web gateways: This tool is similar to a firewall but primarily focuses on blocking suspicious web traffic.
  • DDoS protection appliance: A DDoS protection appliance is a dedicated device designed to analyze network traffic to detect and stop DDoS attacks.

The downside to these tools is that they can be expensive and time-consuming to deploy and require a significant amount of resources for upkeep. In addition, they don’t protect against external attacks and may not scale quickly to protect against larger attacks.

Any organization under attack should explore all options and implement what they believe will offer the greatest chance of success based upon their immediate circumstances.

Non-Technical DDoS Responses

Even as the incident response team may be scrambling to cope with the DDoS attack, the organization must still deal with other stakeholders. After the attack, follow the non-technical responses below:

  • Notify executives and stakeholders: All executives and stakeholders need to be notified and constantly updated in accordance with the organization’s incident response plan.
  • Establish internal communications: Inform employees about the availability of internal resources or alternative methods to accomplish their duties.
  • Coordinate public relations: Contact customers about system status in accordance with the incident response plan.
  • Contact your insurance provider: Cybersecurity insurance companies, regulators (Securities and Exchange Commission, etc.), and law enforcement must be notified.

Management should embed non-technical assistance into an incident response team to coordinate, manage, and execute written, verbal, and phone communication with stakeholders. Executives may even want to embed someone on the team with the authority to authorize expenses or to coordinate the rapid authorization of purchases needed to recover from the DDoS attack.

Check out our full article on how to create an incident response plan, which includes a free template to start from.

Internal vs. External Attacks

The initial DDoS techniques mentioned above apply to all attacks. However, depending on the type of DDoS attack and the architecture affected, some techniques will be more useful than others. You will need to know the difference between protecting internal networks and external resources like video game systems from DDoS attacks.

Stop Internal & External Router, Server & Website DDoS Attacks

Internet-exposed assets such as utilities, applications, and websites will often be targeted by DDoS attackers because they are the easiest to affect. Servers hosting or supporting these resources will often suffer CPU, memory, and bandwidth overload.

These attacks will be very different from internal DDoS attacks on servers and routers, which target the internal networking protocols and resources. Still, once an attack begins, the steps to protect each of these different resources will be quite similar.

1. Block the Initial Attack

Examine the log files and begin blocking the IP addresses associated with the attack (internal or external), use geofencing to block specific regions, or, for internal attacks, even power down compromised local devices generating the traffic.

However, there may be circumstances that do not permit shutting down the devices driving the DDoS attack. For example, if an attacker turns a hospital’s respirator machines into a botnet, the hospital cannot simply turn off the respirators without severely affecting patient health.

Additionally, many attackers will be sophisticated enough to switch tactics and sources once they realize the attack has been blocked. Still, while blocking may only be effective temporarily, it will help to buy time for more effective protection to be implemented.

2. Side-Step the Attack

If blocking proves ineffective, try changing the server IP address, router IP address, or website URL to move the server out of the path of the DDoS attack. As with blocking the attack, this may only be a temporary reprieve, but it can buy time to implement other tactics that take more time to execute.

3. Stop the Service

If blocking or side-stepping the attack does not work, the organization may need to stop the service under attack (such as a PDF download, shopping cart, internal router, etc.).

Stopping a website, application, or internal network in part or entirely will be so disruptive that this step should not be taken lightly. It should only be pursued if steps 1 and 2 cannot provide enough time to pursue other steps below.

4. Enable Additional Protections

While part of the incident response team attempts to stop the existing attack, other members should be working on enabling other protection against DDoS attacks in these ways:

  • Call the ISP: The ISP can help with setting up external DDoS protection services for websites, applications, and publicly exposed devices under attack (firewalls, servers, routers, etc.).
  • Evaluate firewall protections: Installing WAF services or adjusting your current WAF settings and policies can bolster your network defenses to block the attacks, or you can reroute your internal traffic through next generation firewalls (NGFW).
  • Adjust rate limits: Configuring rate-limiting on your network devices can change request thresholds for existing firewalls, servers, and other related resources to limit the amount of traffic coming into your network.
  • Add tools: Adding or upgrading protection for networks and websites, network security products, network intrusion detection systems (IDS) and intrusion prevention systems (IPS), and cloud firewall solutions like FWaaS can protect you from future attacks.
  • Get help: Hiring an incident response or managed IT security service (MSSP) vendor can help locate and remove the malware driving the DDoS attack.

However, be aware that additional protections can affect existing architecture or performance. For example, load balancers may be bypassed by DDoS tools, or the packet inspection of DDoS protection appliances may introduce lag time for traffic.

Also keep in mind that a forensic or security investigation will become part of the recovery process, especially for any attack that might trigger cybersecurity insurance claims. The initial infection, access points, malware, and changes to systems introduced by attackers will need to be located and removed to prevent future DDoS attacks or other types of attacks (ransomware, data theft, etc.).

Learn more about the best forensics tools used by experts, including their key features, pricing, and how they stack up against other tools.

Stop External Router or Video Game System DDoS Attacks

Smaller businesses, game servers, and streamers often connect their routers directly to the internet, and attackers can find their IP addresses to target them. With no IT professional supporting the environment, attacks on these exposed systems can result in a complete loss of internet access. Some ways to stop these attacks are changing your IP address, enabling defensive features in your equipment, and adding extra layers of security.

1. Reset the IP Address

The fastest method to dodge a DDoS attack is to reset the IP address. There are several ways to accomplish this:

  • Fastest method — Unplug: Unplug the router, game system, and sometimes also the modem. Depending upon the ISP, it can take as little as 5 minutes or as long as 24 hours for the router to be assigned a new IP address.
  • Best method — ISP Contact: Contact the internet service provider (ISP); some ISPs limit changes in IP address and need to be contacted directly, but ISPs can also implement additional security or offer additional services to block DDoS attacks.
  • Admin console IP Reset: Log into the router console as an admin via a web browser and change the IP address; check the router’s manual for instructions.
  • Command Prompt IP Address Reset: Release and renew the IP address using command-line tools like ipconfig (Windows, macOS) or ip (Linux); macOS users can also use advanced system preferences to select TCP/IP and “Renew DHCP Lease.”

Of course, this technique renders the internet or network unavailable until the router is restarted, and attackers can still search for the new IP address to attack the router.

2. Activate DDoS Defense Options

You can also explore defensive options in the equipment you use. Some defense options are:

  • Router protection: Check your router administration consoles and manuals for additional DDoS protection options that can be enabled or strengthened. These can be activated quickly, but may affect performance.
  • Upgrade equipment: Older routers or consumer-grade routers may lack features to protect against modern DDoS attacks and other common network threats. Consider upgrading to devices with more security features or capacity.
  • Enable privacy mode: Some game consoles have privacy and online safety options available in the menus that can be used to minimize public information. For example, Xbox has a ‘private mode’ feature, which is available under More Options>Xbox Settings>Privacy and Online Safety.

3. Add Layers of Protection

To block future attacks against routers, consider adding additional layers of protection:

  • Add appliances: Add network protection devices like firewalls, secure web gateways, and DDoS protection between the router and the internet.
  • Upgrade or add professional-grade devices: Consider purchasing newer routers and next-generation firewalls that provide more security.
  • Cloud-based protection: Add cloud solutions such as FWaaS or DDoS protection service from a vendor such as Cloudflare or Sucuri.
  • VPN network service: Use a Virtual Private Network (VPN) to obscure IP addresses; however, it can add ping because of extra network hops. Gamers and streamers can look for VPN services with low-latency connections and secure IP addresses.

The best choice will depend on the budget and technical capabilities of the organization or person as well as how quickly the solution needs to be put into place.

Stage II: Analysis

Some attacks become obvious because everything grinds to a halt, but often there will be a period in which the resource “acts strange” as it struggles with the early stages of a DDoS attack. In either case, the attack cannot be completely stopped unless it is recognized, the logs are reviewed to characterize the type of DDoS attack, and, where possible, the attack is traced back to its source.

Recognize the Signs of DDoS Attack

The first signs of a DDoS attack will be delays. Applications will be slow to proceed, websites will be slow to load, servers will be slow to respond to requests, etc.

Users behind an internet connection under attack may find themselves cut off from the internet or unable to use local resources. Network operations centers, firewall monitoring tools, cloud usage tools, and other monitoring solutions may catch spikes in network or internet traffic.

Deep into the attack, resources will simply become unavailable — even to run diagnostic tools or to access log files and other reports. Teams should respond as quickly as possible or ensure resources prioritize sending logs out for analysis.

Examine & Analyze Logs, Alerts & Records

Ideally, the first indicators of trouble will come in the form of logs and alerts from monitoring tools and software checking for bandwidth, application performance, memory, or CPU issues. Alerts can help a response team jump into action and prevent the DDoS attack before it takes down resources.

TIP: Document everything. These records from the DDoS attack hold valuable information for several teams and stakeholders, including the following:

  • Incident Response teams: Digital Forensics and Incident Response teams will use the logs to assist them in their analysis of the attack to better understand what happened and how to prevent future attacks.
  • Cybersecurity Insurance: Most cybersecurity insurance companies will require a copy of the logs with the reports when reviewing a claim to calculate damages.

Without alerts, an organization may have to rely upon customer or internal complaints, which may be delayed due to the congested resource (application, server, etc.), or until the entire network is crippled by the DDoS attack.

Attack Characterization

Attack characterization helps to separate attack traffic from legitimate traffic and to determine the type of attack. For example, attacks using protocols to disable infrastructure will require a different response than an application-level attack targeting a specific function in an application.

With so many different types of DDoS attacks, it can be difficult to determine exactly which one may be deployed. However, the response team will analyze the logs to find information regarding the attack and potential defenses.

A digital forensic investigation may be required for DDoS attacks to determine how the malware entered the network and launched the DDoS. Investigators will collect the evidence and ensure attackers and malware have been removed from the network.

Attack Traceback

DDoS attack traceback seeks to identify the source of the DDoS attack. For example, if the attack can be traced back to a range of IP addresses, the attack can be blocked through IP Blocking. However, tracing can be extremely challenging and may not lead back to the actual attacker.
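As an added example that is not code from the article, the Python script below walks through the log review, attack characterization and traceback steps just described on constructed combined-format access log lines: it compares the per-second request rate with a baseline the operator supplies, describes what the burst targets, and aggregates the sources active during the spike into /24 ranges as candidates for an ACL or an ISP ticket. The helper names (characterise, sample_lines), the baseline rate, the spike factor and the sample log entries are all assumptions.

```python
"""Review web-server access logs for the signs of an HTTP flood.

Added example for the log review, attack characterization and traceback steps
described above; not code from the eSecurity Planet article. Input lines are
constructed combined-log entries (nginx/Apache style), not captured traffic.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "second": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "ua": m.group("ua"),
    }


def network_of(ip):
    """Aggregate a source address to its /24 (IPv4) or /64 (IPv6) network."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def characterise(lines, baseline_rps, spike_factor=5.0, min_hits=10):
    """Flag a flood, describe what it targets and list source ranges worth blocking.

    baseline_rps is the server's normal request rate (known from earlier
    monitoring); a second is 'hot' when it carries spike_factor times that.
    """
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return {"flood": False, "kind": "no requests parsed", "block_candidates": []}
    per_second = Counter(e["second"] for e in events)
    peak_rps = max(per_second.values())
    hot = {s for s, n in per_second.items() if n >= spike_factor * baseline_rps}
    hot_events = [e for e in events if e["second"] in hot]
    if not hot_events:
        return {"flood": False, "kind": "no flood detected",
                "peak_rps": peak_rps, "block_candidates": []}

    # Characterise only traffic inside the hot seconds, so that ordinary
    # visitors seen earlier in the log are not mistaken for attack sources.
    paths = Counter(e["path"] for e in hot_events)
    top_path, top_hits = paths.most_common(1)[0]
    path_share = top_hits / len(hot_events)
    agents = Counter(e["ua"] for e in hot_events)
    nets = Counter(network_of(e["ip"]) for e in hot_events)
    kind = ("targeted HTTP flood on one endpoint (layer 7)" if path_share >= 0.8
            else "broad HTTP flood (layer 7)")
    return {
        "flood": True,
        "kind": kind,
        "peak_rps": peak_rps,
        "hot_seconds": sorted(s.isoformat() for s in hot),
        "top_path": top_path,
        "top_path_share": round(path_share, 2),
        "top_user_agent": agents.most_common(1)[0][0],
        "distinct_sources": len({e["ip"] for e in hot_events}),
        # Ranges with at least min_hits requests during the hot seconds: input
        # for an ACL or ISP ticket, not proof of who the attacker is (sources
        # may be spoofed or compromised hosts in a botnet).
        "block_candidates": [n for n, c in nets.most_common() if c >= min_hits],
    }


def sample_lines():
    """Constructed sample log (not real traffic): four normal visits, then a
    one-second burst of forty requests from one /24 all hitting the same path."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    normal = [
        ("198.51.100.7", "10/Dec/2024:10:00:00 +0000", "/index.html"),
        ("198.51.100.9", "10/Dec/2024:10:00:01 +0000", "/about.html"),
        ("198.51.100.7", "10/Dec/2024:10:00:02 +0000", "/pricing.html"),
        ("198.51.100.12", "10/Dec/2024:10:00:03 +0000", "/index.html"),
    ]
    lines = [fmt.format(ip=ip, ts=ts, path=p, ua="Mozilla/5.0") for ip, ts, p in normal]
    lines += [fmt.format(ip=f"203.0.113.{10 + i}", ts="10/Dec/2024:10:00:05 +0000",
                         path="/search?q=x", ua="python-requests/2.31")
              for i in range(40)]
    return lines


if __name__ == "__main__":
    for key, value in characterise(sample_lines(), baseline_rps=2).items():
        print(f"{key}: {value}")
```

Feeding the script a real log exported before the resource becomes unreachable gives the response team the endpoint under load and the source ranges to raise with the ISP, which is the information the later stages of this article assume is documented.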

Stage III: Recovery

Organizations that can quickly eliminate a DDoS attack may suffer no more than inconvenience. Organizations that are not so fortunate will need to assess the damage, make any needed adjustments required from the DDoS remediation, determine what immediate steps to take for preventing recurrence of that DDoS attack, and consider other preventative measures.

DDoS Attack Damage

Damage from DDoS attacks varies from organization to organization and depends upon the resources affected. A recent survey from Corero estimates that DDoS attacks can cost organizations hundreds of thousands of dollars per hour and up to $1 million for larger organizations, averaging a little over $6,000 a minute. However, none of these figures account for other costs or the loss of business and reputation.

After a DDoS attack, organizations will need to document their costs and damages for insurance and to create an estimate to budget for tools and services to prevent future DDoS attacks.

DDoS Remediation Adjustments

In the scramble to stop the attack, organizations may make changes to the architecture or software that inadvertently cause other issues. Part of the recovery process requires examining the infrastructure to detect and fix those broken components or links. For example, moving a website behind a DDoS filtering service provider may only move the main domain; subdomains may need to be migrated manually.

Similarly, integration with other third-party tools may require additional configuration. For example, a publishing website could discover that its web content management system no longer connects correctly to the published content protected by the DDoS provider and that changes are required to reconnect to it.

For DDoS attacks launched within the network, individual computer systems may need to be sanitized to remove malware or an attacker’s ability to access the device for future attacks. Sometimes this may also trigger data and system recovery needs.

DDoS Attack Lessons Learned

Generate a lessons-learned report that explains everything that happened and clearly explains how to protect against similar attacks. Mitigation should be enacted immediately, but if that is not practical, the mitigation should be planned and proposed for budgeting as soon as possible.

The costs to remediate the DDoS attack and any business losses from the downtime will provide a rough target for comparison with the mitigation budget.

If the attack was significant in size or impact, report the incident to law enforcement or industry organizations such as CERT. Reporting attacks can build profiles of major attackers and help in taking down major botnets like 911 S5 and Raptor Train.

Navigating the 3 Stages

Incident response teams often find themselves executing these stages simultaneously. Additionally, as attackers observe the defender’s actions, they will often change tactics and require the defending team to iterate between these stages and the steps within them.

Of course, the specifics of each stage will be highly customized and will depend on many factors, starting with the type of DDoS attack, the resource under attack (router, website, app, server, etc.), and the DDoS protections or mitigations already in place.

Additionally, the IT architecture, the resources of the defender, and the dedication of the attacker will also play significant roles in how the stages and techniques must be navigated.

Fortunately, ISPs and vendors can provide professional DDoS protection services for those in need. However, several tasks they perform are similar to what we covered, with the difference being potentially more experience and more sophisticated tools.

The OSI Model & DDoS Attacks

All communication on a network is sent as network packets. As each computer or firewall receives the packet, the device will check for the contents and handle the packet according to the instructions in the header. DDoS attacks abuse these packets and attempt to exploit potential weaknesses to overload systems. The different layers of the OSI model can be used to determine the type of DDoS attack:

#  | Layer Name   | Traffic Type                        | DDoS Attack Types
1  | Physical     | Bits crossing hardware              | No attacks at this level
2  | Data link    | Frames for addressing               | No attacks at this level
3  | Network      | Packets for delivery                | UDP reflection attacks, Ping of Death, etc.
4  | Transport    | Segments for reliable communication | ACK floods, SYN floods, etc.
5  | Session      | Data for interhost communication    | Telnet exploits (should be obsolete)
6  | Presentation | Data representation and encryption  | SSL abuse
7  | Application  | Data for application use            | DNS query floods, HTTP floods

However, knowing which layer is under attack does very little to help block or stop the attack. At their essence, all attacks generally fall into two categories: 

  • Infrastructure layer attacks (layers 3, 4): These DDoS attacks affect firewalls, servers, and routers with volumetric or malformed-packet attacks. ISPs and hosting partners can typically help with these attacks if they are external.
  • Application layer attacks (layers 6, 7): These attacks target websites and applications by overloading them with information requests. They can be stopped by web application firewalls but may require additional features like CAPTCHAs to block automated requests.

After executing the three critical stages to stop a DDoS attack, an organization will find itself in a better position. However, recovery alone cannot prevent future DDoS attacks because it only addresses the last attack. The best way to stop a DDoS attack will always be for organizations to be proactive and add defensive measures before they’re attacked.

5 Steps to Prevent Future DDoS Attacks

IT and security teams can deploy many options in preparation for a DDoS attack that will help to control and manage the future impact when one occurs. Some of these include:

  1. Harden against attacks: Update, patch, and change settings to protect resources against attacks.
  2. Deploy anti-DDoS architecture: Configure resources and implement policies that protect resources from potential attacks and minimize the impact of a successful attack.
  3. Use anti-DDoS tools: Enable features and add tools to detect and protect against or mitigate the effects of DDoS attacks.
  4. Design a DDoS Response Playbook: Create a plan for how security, operations, and management teams will respond to a DDoS attack.
  5. Install DDoS Monitoring: Install monitoring to watch and alert staff of signs of an attack.

An organization also should consider the possible motivations of the attackers. Some DDoS attacks may be used as a distraction or cover-up for other attacks such as espionage, ransomware, or business email compromise. Any DDoS playbook should also include activating 

Learn more on how to prevent DDoS attacks in five steps, as well as three fundamental defense strategies.

Top 3 Anti-DDoS Vendors

While DDoS is a significant threat, anti-DDoS measures should not be so heavily optimized that they compromise other priorities for operations and security. The best web application firewall options that will help mitigate DDoS attacks include AppTrana, Cloudflare, and F5.

AppTrana

AppTrana is a fully managed web application firewall (WAF) powered by AI. It includes web application scanning for visibility into application-layer vulnerabilities; instant and managed risk-based protection through its WAF, managed DDoS and bot mitigation services; and several other features. All of this is backed by a 24×7 managed security expert service that provides custom rules and policy updates with a zero-false-positive guarantee.

AppTrana offers a 14-day free trial of their WAF, and pricing starts at $99 a month for their Advanced tier. Customers can request a demo and get pricing for their premium and enterprise offerings.

AppTrana interface.
Source: AppTrana

Cloudflare

Cloudflare is a web infrastructure and cybersecurity company specializing in protecting websites and organizations from cyberattacks. The Cloudflare WAF uses threat intelligence and machine learning to defend against cyber threats.

Cloudflare does offer a free plan. However, its functionality is very limited compared to their other plans that start at $20 a month for the pro license and increase to $200 a month for the business license (when paid annually).

Cloudflare interface.
Source: Cloudflare

F5

F5’s award-winning WAF offers features ranging from behavioral analytics and machine learning to in-browser data encryption and more to inspect and block malicious activity. Their SaaS-delivered WAF is quick to set up and deploy, and easy to manage.

Pricing is not available on the F5 website. However, customers can contact them for a trial or demo, or they can use F5’s Distributed Cloud pay-as-you-go service, available on the AWS Marketplace.

F5 interface.
Source: F5

When choosing vendors for anti-DDoS tools or services, it is important to work with DDoS specialists. However, these vendors, like any other IT measures, should fit into the overall IT and security strategies that provide fundamental defense against DDoS attacks on websites (web application firewalls, etc.), applications (application security, etc.), or networks (firewalls, etc.).

Types of DDoS Protection Solutions

When considering tools for protection, the solutions often break down into three classifications: Do-it-yourself (DIY), on-premises appliances, and off-premises tools. Each style has inherent pros and cons:

  • DIY tools: These are typically built from open source tools, which means they are usually free or cost less than commercial tools. The drawback is that they tend to require expertise to integrate and have limited filtering capabilities and scalability.
  • On-premises appliances: On-prem tools can be installed locally, have good filtering capabilities, and are simpler to use and integrate. However, these tools can be expensive, have limited scalability, and are only compatible with specific infrastructure.
  • Off-premises protection: These are cloud-hosted tools, often referred to as Software-as-a-Service (SaaS). Cloud-based tools are usually easy to use and integrate and offer good scalability and compatibility. The one downside to cloud-based protection is cost.

Ultimately, the tradeoffs revolve around price, speed, and control. DIY tools will always cost the least and offer full control but won’t respond quickly or scale easily to handle large attacks. Scaling represents capacity but also directly affects speed since a device that is over its capacity lengthens the time for recovery.

On-premises appliances can enable more speed and full control but will cost more and have limited scale. Cloud-hosted tools will always react faster and can deploy nearly unlimited scale, but will cost more and also lie outside of the direct control of the organization.

Bottom Line: Prepare Now or Suffer Later

With the increasing sophistication and capabilities of attackers, defenders must be on alert. Not only will stopping DDoS attacks become more difficult, but attackers will also continue to increase the speed at which they exploit windows of opportunity. Organizations should prepare now for future DDoS attacks and take advantage of the capable tools and services available to help them.

Learn about the best tools to defend against bots that cause DDoS attacks. In the article, you’ll find their features, pros and cons, and more.

The post How to Stop DDoS Attacks in Three Stages appeared first on eSecurity Planet.

Video: How Two Crypto Scammers Stole $230 Million in Bitcoin
https://www.esecurityplanet.com/video/crypto-thieves-steal-230-million-dollars-in-bitcoin/
Fri, 13 Dec 2024 17:27:00 +0000

This video covers the $230 million Bitcoin heist by two scammers, Malone Lam and Jeandiel Serrano, who used social engineering to bypass security measures.

This video covers Malone Lam and Jeandiel Serrano’s $230 million Bitcoin heist that involved using social engineering to bypass security. The scammers spent the stolen funds on luxury items but were caught after bragging online. Our expert highlights the risks of social engineering and the need for strong online security.

Video: Protect Your Identity After the NPD Data Breach
https://www.esecurityplanet.com/video/protect-your-identity-after-npd-data-breach/
Thu, 05 Dec 2024 18:20:23 +0000

A recent data breach at National Public Data (NPD), including the theft of Social Security numbers, shows the need to protect your identity and prevent fraud.

The NPD data breach puts millions at risk of identity theft. In this video, our cybersecurity specialist will walk you through key steps to protect yourself — like checking your credit and freezing your accounts. Act now to secure your identity!

Read more: 2.9 Billion Records Exposed in NPD Breach: How to Stay Safe

Microsoft Announces Security Update with Windows Resiliency Initiative
https://www.esecurityplanet.com/trends/microsoft-announces-security-update-with-windows-resiliency-initiative/
Wed, 04 Dec 2024 21:26:47 +0000

Microsoft has unveiled the Windows Resiliency Initiative, a new strategy to bolster security and system reliability, set to roll out in early 2025.

Microsoft recently announced that they’re making changes to their Windows operating system to improve security and reliability. The company has introduced the Windows Resiliency Initiative, a comprehensive strategy to address critical vulnerabilities and enhance overall system integrity. These new features will be available to the Windows Insider Program community sometime in early 2025.

Why the Need for the Resilience Initiative?

Following the CrowdStrike outage that crashed over 8 million Windows PCs and servers and caused an estimated $5.4 billion in losses over the summer, Microsoft was faced with the crucial task of ensuring that this would never happen again and regaining the trust of their users. With cyberattacks on operating systems, applications, and networks becoming more sophisticated, the tech giant formulated a strategy to enhance the protection of Windows systems, focusing strongly on phishing attacks.

During the Ignite 2024 conference, Microsoft announced the Windows Resiliency Initiative to address these security concerns. The goal of the Windows Resiliency Initiative is to prevent future system outages and to add other security features to protect against exploiting the operating system and accessing users’ personal data.

David Weston, VP of enterprise and OS security, said in a blog post, “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers.”

Key Components of the Initiative

Microsoft’s Windows Resiliency Initiative covers four areas of focus: apply the lessons learned from incidents to improve reliability, enable apps and users to run without admin privileges, create stronger controls for what apps and drivers are allowed to run, and strengthen identity protection tools to defend against phishing attacks.

Strengthening Reliability

After learning from July’s outage, Microsoft is implementing measures to make Windows more stable. This includes its new Quick Machine Recovery feature, which allows IT administrators to remotely diagnose and repair compromised or non-bootable devices, minimizing downtime and potential data loss. Administrators will also no longer be required to have physical access to the machines to make changes to Windows Updates.

Reducing Administrative Privileges

When attackers attempt to gain access to a system, they tend to target systems and applications that will grant them privileged access to the computer and network. This is typically elevated or admin-level user access that’s required for the application to function properly. Microsoft sought to address this issue, and as a result, they created a new feature called administrative protection. Users will be given standard user accounts by default.

In addition, developers will now be able to build products outside of the kernel, which means fewer Windows applications will require administrative privileges to run, limiting the potential impact of successful attacks. This approach also helps to contain the spread of malware and ransomware; according to Microsoft’s Digital Defense Report, 93% of these attacks were successful because attackers had access to so many privileged user accounts.

Stronger Apps & Drivers Controls

Microsoft is implementing stricter controls over the installation and execution of unsafe drivers and applications. The new “Smart App Control” feature will reduce the risk of malicious software infiltrating systems by ensuring only verified apps can run on the PC. IT admins can select a template that only allows “signed and reputable” apps to run and add unknown apps through policy changes.

Improving Identity Protection

According to Microsoft’s Entra ID data, more than 600 million identity attacks occur daily, and 99% of them are password-based. As a result, Microsoft is investing in advanced identity protection technologies to safeguard user accounts and prevent phishing attacks and unauthorized access. This includes strengthening password policies, implementing multi-factor authentication, and leveraging advanced threat detection techniques.

Other Improvements from the Initiative

Weston also highlights other commitments made by Microsoft to enhance the security and resilience of Windows devices in order to remain a secure platform for their partners, developers, and customers. This includes working with security vendors, adding new encryption features to protect personal information, and even implementing new coding languages into their platform.

Collaboration with Security Partners

Microsoft is actively collaborating with security vendors and researchers through initiatives like the Microsoft Virus Initiative (MVI) to share threat intelligence and improve the security posture of Windows devices. These partnerships will involve:

  • Safe deployment practices: Microsoft will adopt safer and more secure product update deployments and recovery procedures.
  • Enhanced monitoring: Rollouts will be monitored to minimize negative impacts from updates and patches.

Data Protection

Windows 11 Enterprise introduced a new Personal Data Encryption feature. This feature uses Windows Hello authentication to help protect files stored in known locations like the Desktop, Documents, and Pictures folders. The files remain encrypted, and neither users nor device administrators can view them, until the user authenticates with Windows Hello.

Transition to Rust

Microsoft revealed that they’re gradually transitioning specific components from C++ to Rust, a popular language known for its safety, to improve code security and reliability.

Bottom Line: The Initiative Is a Step in the Right Direction

The Windows Resiliency Initiative has the potential to significantly enhance the security and reliability of Windows devices. It represents a major step forward in Microsoft’s commitment to securing its flagship operating system. By addressing critical vulnerabilities exposed by past mistakes, reducing attack surfaces, and improving recovery capabilities, Microsoft plans to protect users from a wide range of cyber threats while ensuring improved stability and reliability.

Although security relies on several other components — user education on best practices; strong passwords; proper implementation of systems, applications, and third-party solutions; and constant research and development — to stay one step ahead of cybercriminals, the Windows Resiliency Initiative takes a proactive approach to protect its users.

Learn more about the CrowdStrike outage and the class action lawsuit that resulted from it.

Video: Salt Typhoon Hacks Major Telecom Giants Using Malware
https://www.esecurityplanet.com/video/salt-typhoon-hacks-major-telecom-giants-using-malware/
Wed, 04 Dec 2024 18:11:30 +0000

Discover how hackers successfully breached major telecommunications companies and the implications of such a breach for consumers and businesses alike.

In this video, we delve into the world of cybercrime with our feature on the Salt Typhoon incident, where hackers successfully breached major telecommunications companies. With expert commentary and in-depth analysis, this video is essential viewing for anyone interested in cybersecurity, tech news, or protecting their digital privacy.

Video: Russia Fines Google for $2.5 Decillion
https://www.esecurityplanet.com/video/russia-sues-google-for-over-2-decillion-dollar-fine/
Tue, 03 Dec 2024 15:01:02 +0000

Russia's lawsuit against Google has raised eyebrows as the country demands a staggering 2.5 decillion dollars—a sum that seems almost beyond imagination.

Russia’s $2.5 decillion lawsuit against Google is being framed as part of a broader series of legal and regulatory actions against foreign tech giants operating in the country, including Facebook, Twitter, and others. Russia has previously targeted these companies over issues like data localization, censorship demands, and accusations of bias.

Video: Cybersecurity Tips for Small Businesses
https://www.esecurityplanet.com/video/cybersecurity-tips-for-small-businesses/
Tue, 26 Nov 2024 15:41:15 +0000

Are you protecting your small business from hackers? This video will teach you about common cyber threats and how to safeguard your business from attacks.

Are you doing enough to protect your small business from hackers? In this video, our expert explores common cyber threats and shares actionable cybersecurity tips to safeguard your small business, from securing your network to keeping your software up to date.

Read more: Complete Guide to Cybersecurity for Small Businesses
