Prolexic Recommends Developing Mitigation "Playbook" to Reduce Impact of DDoS Attacks
In simple terms, a playbook is a rehearsed and tested plan that outlines in detail who in an organization needs to be involved in the event of a DDoS attack, their roles and responsibilities, as well as a detailed communications strategy.
“DDoS attacks are deliberate, targeted events – happening on a daily basis – that demand a preparedness plan much like homeowners preparing for hurricane season,” said Neal Quinn, Prolexic’s vice president of Operations. “When the hurricane inevitably hits, they don’t panic because they knew what to expect and what steps to take to protect their investment.”
To maintain business continuity, Prolexic encourages online businesses to make DDoS mitigation part of their enterprise incident response practices. During the first quarter of 2012, more than six of Prolexic’s top global financial services clients received significant DDoS attacks. Because they had worked with Prolexic to develop and test a mitigation playbook in advance, the usual panic that can grip an organization during a DDoS attack was avoided. In addition, Prolexic was able to deploy its mitigation services faster and more efficiently.
Building a proven playbook
Prolexic recommends that companies work with their DDoS mitigation service provider to create a simulated DDoS attack or dry run that makes no actual changes to the network. This will help management see the best way to manage both internal and external communications when confronted with a DDoS attack. The incident response team then works through the DDoS attack without doing an actual live test, much like a military training drill in which no live ammunition is used.
Depending on the size and complexity of the organization, this type of dress rehearsal exercise can be completed in a little more than an hour, or slightly longer if the company’s incident response plan has additional requirements. Executive management will understand how long it takes to put the mitigation plan into action. Following this exercise, optimizations may be developed to ensure a rapid, repeatable and predictable action plan.
Optimizing communications during attack events
To streamline communications and ensure a fast, controlled response to DDoS attacks, Prolexic recommends that organizations focus on three critical areas of communications:
- Managing communications – DDoS attacks have an impact not just on IT, but on all users of the company’s services, including non-technical departments. It should be clear who is to be called and what to do when issues arise during a DDoS attack. Prolexic advises incident response teams to have a single point of contact for relaying information and sending short Twitter-like updates internally across the organization. These notes should be confidential and help people understand what is going on during the attack so that they don’t panic and create an additional internal crisis.
- Identifying key contact persons – The main goal of the playbook is to eliminate organization-wide panic that can delay the mitigation response when a DDoS attack occurs, so it is vitally important that the right people be notified of the attack immediately. By completing a simulation exercise, everyone in the triage team will understand what their role is in the DDoS mitigation process, what changes they need to make to the network, and how they can continue to maintain business as usual even when some resources are unavailable.
- Organizing information for easy, fast accessibility – Something as simple as keeping all names and phone numbers of key contacts in a single place can save valuable time. This facet of the DDoS mitigation process is all about containment and order – how to turn a DDoS attack from a major disaster into an incident that is routine when handled according to the well-rehearsed playbook.
As part of the playbook, Prolexic recommends outlining procedures and policies for setting up teleconference bridges. Typically, these would include:
- A Mitigation Bridge – primarily for engineers to coordinate and monitor mitigation efforts
- A Troubleshooting Bridge – primarily for engineers and application owners to investigate any problems arising during the on-ramping
- A Security Emergency Response Team (SERT) Bridge – primarily for security and forensics participants
“When everyone in an organization – not just IT staff – understands what it is really like to be under a DDoS attack before one actually occurs, they will be able to face the actual event with more confidence, control and calm,” said Quinn. “As a result, the DDoS mitigation process will go more smoothly for a faster return to business as usual. That is why Prolexic advises all of our customers to prepare themselves for the real thing with a simulated DDoS incident and to incorporate DDoS into their incident response plan.”
For more information on building a DDoS mitigation playbook, go to www.prolexic.com/playbook to download the free Prolexic white paper, Plan vs. Panic: Making a DDoS Mitigation “Playbook” a Part of Your Incident Response Plan.
Prolexic is the world's largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission critical Internet facing infrastructures for global enterprises and government agencies within minutes. Ten of the world's largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world's first "in the cloud" DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida and has scrubbing centers located in the Americas, Europe and Asia. For more information, visit www.prolexic.com.