
CISA, FBI, MS-ISAC Provide Guidelines For DDoS Incident Response

CISA, the FBI, and MS-ISAC laid out the steps federal agencies and private organizations should take before, during, and after a DDoS attack to reduce its likelihood and impact.


By Sarai Rodriguez

The Cybersecurity and Infrastructure Security Agency (CISA), alongside the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint guide containing recommended procedures to reduce the likelihood and impact of distributed denial-of-service (DDoS) incidents.

A denial-of-service (DoS) attack occurs when a threat actor exhausts a system's resources, such as network bandwidth, connection state, CPU, or memory, making the system unavailable to its intended users.

DDoS attacks have grown more common as more IoT devices come online. IoT devices often have weak security postures, such as default credentials and unpatched firmware, so attackers can compromise them at scale and enlist them in botnets.

A DDoS attack is one in which the overloading traffic originates from more than one attacking machine. Typically, threat actors leverage botnets, groups of hijacked devices connected over the internet, to carry out large-scale attacks whose traffic originates from many networks at once, which makes the sources far harder to block by address.

For healthcare, a DDoS attack may block access to critical services such as bed-capacity tracking, data-sharing services, and appointment scheduling. Although a DDoS attack is unlikely to affect the confidentiality or integrity of a system and its data on its own, it is sometimes used as a smokescreen to distract defenders from a concurrent intrusion or malware deployment elsewhere on the network.

“In a progressively interconnected world with additional post-pandemic remote connectivity requirements, maintaining the availability of business-essential external-facing resources can be challenging for even the most mature IT and incident response teams,” CISA, the FBI, and MS-ISAC wrote in the guidance report.

“It is impossible to completely avoid becoming a target of a DDoS attack. However, there are proactive steps organizations can take to reduce the effects of an attack on the availability of their resources.”

The “Understanding and Responding to Distributed Denial-of-Service Attacks” guide aims to help network defenders and leaders understand, prevent, and resolve DDoS attacks, which cost organizations time and money and damage their reputation.

Before a DDoS attack, organizations should identify critical assets and services, understand how users connect to networks, and enroll in a DDoS protection service.

By identifying which services are exposed to the public internet and the different ways its user base connects to the network, an organization can decide in advance how to keep those services reachable, or how to fail over, when an attack disrupts them.

Additionally, the government agencies recommended that organizations engage with their internet service provider (ISP) and cloud service providers, understand the dedicated edge network defenses available to them, review their system and network design, and develop an organizational DDoS response plan, among other measures.

Signs that an attack may be under way include network latency, sluggish performance, unusually high network traffic, and an inability to reach websites or other services.

For organizations experiencing a DDoS attack, the guide recommends contacting the appropriate technical contacts, such as the ISP, to gain a better understanding of the attack and to have the attacking traffic blocked upstream, before it reaches the organization's own links.

“Contact your ISP to determine if there is an outage on their end or if their network is the target of the attack, and you are an indirect victim,” the government agencies stated. “They may be able to advise you on an appropriate course of action. Communicate the findings and work with service providers to better understand the attack.”

Organizations should also keep monitoring their other network assets during the attack, because attackers sometimes use the DDoS as a diversion from their real target elsewhere on the network.

Lastly, targeted organizations should provide the attacking IP addresses to their ISP, enable a firewall, and deny Network Time Protocol (NTP) monlist request traffic so that their own servers cannot be abused as reflectors in future amplification attacks. On ntpd this means the "disable monitor" directive, or a default "restrict" line including "noquery," in ntp.conf; monlist has been disabled by default since ntpd 4.2.7p26, so the check matters most for older or unmanaged time servers.

The government agencies identified three steps for organizations to take after a DDoS incident: continue monitoring other networks and assets for a secondary attack, update the DDoS response plan with what was learned, and establish a baseline of normal network activity so that future attacks can be spotted quickly.
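The guide's two detection-related points, the symptoms of an attack in progress (unusually high traffic) and the post-incident advice to baseline normal activity, can be turned into a concrete check. The following is an added example written for this article, not code from the CISA/FBI/MS-ISAC guide: it learns a median-and-MAD baseline of per-minute request volume from a known-good period of an HTTP access log, flags windows that exceed it, and distinguishes a single-source flood (which a firewall or ISP can block by address) from a distributed one (which needs upstream scrubbing). The log lines, the RFC 5737 addresses, the helper names, and the threshold constants are all constructed for the example.

```python
"""Baseline-and-spike detection for volumetric DDoS symptoms in an HTTP access log.

Added example (not from the CISA/FBI/MS-ISAC guide). The log lines are
CONSTRUCTED inline from RFC 5737 documentation addresses; nothing here is a
real capture.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
T0 = 1_700_000_000 // 60 * 60  # arbitrary minute-aligned epoch for the constructed data


def parse(line):
    """Return (client_ip, epoch_seconds, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), int(m.group("status"))


def bucket(lines, width=60):
    """Group requests into fixed windows: {window_start: Counter(client_ip)}."""
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip garbage rather than crash mid-incident
        ip, ts, _status = rec
        windows[ts - ts % width][ip] += 1
    return windows


def baseline(windows):
    """Median and MAD of per-window request counts over a known-good period.

    Median/MAD rather than mean/stddev, so an old attack left in the training
    period does not inflate the threshold.
    """
    counts = [sum(c.values()) for c in windows.values()]
    med = statistics.median(counts)
    mad = statistics.median(abs(x - med) for x in counts) or 1.0
    return med, mad


def detect(windows, med, mad, k=5.0, top_share=0.5):
    """Flag windows whose volume exceeds median + k*MAD and classify by source spread."""
    alerts = []
    for start in sorted(windows):
        ctr = windows[start]
        total = sum(ctr.values())
        if total <= med + k * mad:
            continue
        _top_ip, top_n = ctr.most_common(1)[0]
        kind = "single-source flood" if top_n / total >= top_share else "distributed flood"
        alerts.append({"window": start, "requests": total,
                       "unique_sources": len(ctr), "kind": kind})
    return alerts


def make_line(ip, epoch, path="/", status=200):
    """Build one constructed access-log line (sample-data helper)."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


def constructed_log():
    """Ten quiet minutes, then a distributed flood, then a single-source flood."""
    lines = []
    for minute in range(10):                       # 20-22 requests/min from ten clients
        for i in range(20 + minute % 3):
            lines.append(make_line(f"203.0.113.{i % 10 + 1}", T0 + minute * 60 + i * 2))
    for i in range(600):                           # minute 10: 600 requests, 150 sources
        lines.append(make_line(f"198.51.100.{i % 150 + 1}", T0 + 600 + i // 10))
    for i in range(400):                           # minute 11: 400 requests, one source
        lines.append(make_line("192.0.2.7", T0 + 660 + i // 7))
    return lines


def run(lines=None, training_windows=10):
    """Learn the baseline from the first windows, then scan every window."""
    windows = bucket(constructed_log() if lines is None else lines)
    starts = sorted(windows)
    med, mad = baseline({s: windows[s] for s in starts[:training_windows]})
    return detect(windows, med, mad)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In production the training windows would come from a quiet week rather than the first ten minutes of the same file, and the per-window counter would be fed from a flow collector or load-balancer logs rather than a single web server, but the shape of the check is the same: a robust baseline, a volume threshold, and a source-spread test that tells you whether a firewall rule will help or whether it is time to call the ISP.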