Identifying and Mitigating DDoS Attacks

In this archived panel discussion, experts from various sectors shared effective strategies for responding to DDoS attacks. Panelists include Cassandra Mack, head of security and GRC, and CISO at Spekit; Cory Wolff, director of offensive security at risk3sixty; Nia Luckey, senior cybersecurity business consultant at Infosys; and Steven Hill, independent analyst, data center technologies, for ToneCurve Technology, LLC.

The session highlighted the severe impact downtime can have on modern enterprises, especially when subjected to repeated attacks. The panelists explored the pros and cons of different DDoS response options, what you can do to prepare for inevitable attacks, and how to quickly bounce back.

This segment was part of our live virtual event, “Cyber Resilience in 2024: Availability Is Your Best Ability,” presented by ITPro Today and InformationWeek on May 2, 2024.

Transcript:

The following transcript was lightly edited for clarity.

Steven Hill: Now, it was interesting when I first got this topic to discuss. Hearing about DDoS, it was like, “Is that still happening?” But really, the problems of DDoS have been around for just about a quarter of a century. Even though it may seem like an old-fashioned annoyance when compared to other security challenges, the problem is still alive and kicking. A 2024 report from Cloudflare said it mitigated more than 5.2 million HTTP-based DDoS attacks and over 8.7 million network-layer DDoS attacks in 2023 on its own, so it's likely that the online ecosystems are dealing with billions of attacks on an annual basis.

Just one example: On Super Bowl weekend 2023, the most significant attack ever measured exceeded 71 million requests per second, making it the largest HTTP DDoS attack in history.

So, welcome everybody. Keeping that in mind, the goal of DDoS is still to deny access to services for both companies and their customers. The average cost of downtime could be as high as $5,500 per minute. So, what can a company do to recover from an attack swiftly and efficiently?

Well, let's start the panel off with Nia.

Nia Luckey:Great question. It'sno surprise that in 2024, it's less about the singular DDoS attackitself. In 2024, we're starting to seethe emergence of layered attacks. So, you'll experience the DDoS attackitself, and that may be layered in with someransomware and other vector pointsof attack.

But with that said, I’d like tokind of go back to my time with thepublic sector and the government andrely on some advice coming out of theCyber Security and Infrastructure Security Agency – a little bit of a mouthful there –the CISA. In 2024, they are leaning in with this eight-pillar approach that says, “Let's take a step back and look at this more comprehensively. Do we have an immediate response plan activation? What does that look like? What are the steps, and how many can we run in parallel? Does it include the re-establishment of Border Gateway Protocols? What about restarting your firewalls? What about the consistent monitoring and analyzing of traffic and leveraging anti-DDoS services?” So, some of the trends that didn't exist when they came up with this idea in 2022 exist today, in that we have products and services in the market that can come in and absorb and mitigate the excess traffic during the attack itself.

And then, “What are we doing after the attack is done? What does that post-attack analysis and that root cause analysis look like? Is it baked into your incident response plans?” That is a little bit of where I would start.

Hill: Absolutely. How about you Cassandra?

Cassandra Mack: Myanswers typically would be a little bitmore tactical, just coming from software. For me, It really comes down to this: Are you defining and practicing abusiness continuity plan and a disasterrecovery plan? Are youphoning it in, or are you really makingsure that you have something to failover to quickly for your customers, whether it's a separate instance on aseparate network or somethingthat's just behind the network thatyou're able to push out quickly? Thoseare important.

Businesscontinuity looks at that first day, anddisaster recovery looks at, “If you'redown, what do you do?” You need toplan for both. And you need to notonly put it on a paper agreement, but youneed to practice that. You need to comeup with your “Lessons Learned” andgo fix the things.

Where Isee a lot of places falling short isthat they're just phoning it in andnot practicing. Then, something comes, and they finally musttake those Lessons Learned and dosomething about it.

Hill: Absolutely. AndCory?

Cory Wolff: Yeah, I think I would echo what bothNia and Cassandra mentioned there. It'ssuper-important to have disasterrecovery plans in place.

The other thingthat I would call out is something thatI think Nia was talking abouta little bit. There aresituations where this is a smoke screen. A denial service attack is asmoke screen because you know they'relooking to do something else.Nation states are known to dothis all the time, where they mightDDoS some state agency just todistract, but the real motive issomewhere else. So, to again echo what Cassandra is saying, that's why your incident response process is super-important. How do you react when these types of things happen? Do you keep your focus where you need to keep it? Then, how do you respond? Have you walked through these? Tabletops are great for that. Adversary emulation and more tactical hands-on tests are great for that. But it's just about business continuity, incident response, and don't necessarily take your eye off the other aspects of the infrastructure in the business.