Krebs On Security, the website of security researcher Brian Krebs…banks and post offices in New Zealand…Internet infrastructure provider Cloudflare…Russian Internet search company Yandex – all slammed in recent weeks with distributed denial of service (DDoS) assaults by a threat actor dubbed “Meris.”
Meris is an IT botnet believed to command thousands of routers in the biggest DDoS attacks ever seen; Yandex reported 21.8 million bogus requests per second to its servers.
If your board or senior management asks, “What’s our loss exposure from getting DDoSed?”, Tony Martin-Vegue, Chair of the San Francisco Chapter of the FAIR Institute and Senior Information Security Risk Engineer at Netflix, has some tips, delivered in a talk he gave at FAIRCON16.
Watch the video of Tony’s talk now (FAIR Institute membership required): Measuring DDoS Risk Using FAIR
5 Tips for Running Quantitative Risk Analysis of DDoS
1. Identify your likely attackers.
Step one is to ask, “Who’s mad at you and do they have any cyber capabilities?” Tony says. Threat actor communities include hacktivists, foreign governments (the U.S. accused Iranian officials of DDoS attacks on U.S. banks in 2012), cyber criminals (who may use DDoS as a distraction to cover other activities or to extort victims) and cyber vandals. Identifying the actors will help you determine the strength of any likely attack.
2. Identify assets at risk.
These could be public-facing websites, applications, DNS or email servers whose loss of availability would knock out sales or operations. Tony’s tip: Start with your organization’s Business Continuity team. They probably have identified critical assets and dependent services, risk scenarios and perhaps loss exposure, saving you a lot of research time.
3. Estimate probable Threat Event Frequency (TEF).
This is an important but potentially tricky factor to fill in for FAIR analysis, Tony says, particularly if your organization has never been subject to DDoS attack. Start with calibrated estimation to set a probable range, then start researching reported DDoS incidents in your industry, using public sources. For example, the Cyentia Cybersecurity Research Library has 448 pages of research reports on this tactic. Go back and re-calibrate and re-research till you arrive at a likely TEF.
4. Focus Loss Magnitude Data gathering on productivity and response costs.
While FAIR offers six forms of loss as targets for analysis, Tony’s advice is that the impact of a DDoS-induced outage will mostly fall into two of them: lost productivity and the direct costs of incident response (which might include paying for extortion).
5. Present decision makers with the ROI on building resistance strength.
Finally, run your FAIR analysis, factoring in probable frequency of attack and magnitude of impact, and including Monte Carlo simulation to show a range of outcomes for annualized loss exposure in financial terms. As Tony says, you’re really presenting the background for decision-makers to judge, “Should we invest more in resistance strength (such as DDoS mitigation software or services, or a content delivery network) or does the return on investment (ROI) in terms of risk reduction, and our risk appetite, not warrant it?”
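To make tips 3 through 5 concrete, here is an added example (not from Tony’s talk or the FAIR Institute) of a small Monte Carlo run that turns calibrated ranges into a spread of annualized loss exposure and an ROI figure for a mitigation. All dollar figures, the TEF range and the `vuln` values (the chance an attack actually causes an outage, which stronger resistance lowers) are constructed assumptions, as is the choice of beta-PERT and Poisson distributions.

```python
import math
import random
import statistics

def pert(rng, low, mode, high):
    """Sample a beta-PERT distribution built from a calibrated (min, most likely, max) range."""
    span = high - low
    if span == 0:
        return low
    a = 1 + 4 * (mode - low) / span
    b = 1 + 4 * (high - mode) / span
    return low + span * rng.betavariate(a, b)

def poisson(rng, rate):
    """Knuth's method: count of events in one year for an average yearly rate."""
    limit, count, p = math.exp(-rate), 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count

def simulate_ale(tef, vuln, productivity, response, trials=20000, seed=7):
    """Return sorted simulated annual losses; each trial is one possible year."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        # Loss events = attacks per year (TEF) thinned by the chance one causes an outage.
        events = poisson(rng, pert(rng, *tef) * vuln)
        years.append(sum(pert(rng, *productivity) + pert(rng, *response)
                         for _ in range(events)))
    return sorted(years)

def summarize(years):
    """Mean plus 10th/50th/90th percentiles of annualized loss exposure."""
    pick = lambda q: years[int(q * (len(years) - 1))]
    return {"mean": statistics.fmean(years), "p10": pick(0.10),
            "p50": pick(0.50), "p90": pick(0.90)}

def mitigation_roi(baseline, mitigated, annual_cost):
    """(risk reduction - cost) / cost, using mean annualized loss exposure."""
    reduction = baseline["mean"] - mitigated["mean"]
    return (reduction - annual_cost) / annual_cost

# Constructed inputs (not from the talk): ranges as (min, most likely, max), losses in USD.
TEF = (0.5, 2, 6)                      # DDoS attempts per year
PRODUCTIVITY = (20_000, 80_000, 400_000)
RESPONSE = (5_000, 15_000, 60_000)

if __name__ == "__main__":
    base = summarize(simulate_ale(TEF, 0.6, PRODUCTIVITY, RESPONSE))
    hardened = summarize(simulate_ale(TEF, 0.1, PRODUCTIVITY, RESPONSE))
    print(base, hardened, mitigation_roi(base, hardened, annual_cost=60_000))
```

Replace the constructed ranges with your own calibrated estimates; the percentiles, not just the mean, are what show decision makers the range of outcomes.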