February 12, 2018

Cyber Coalition Enhances Framework Profile to Include Botnet Mitigation in Response to Report Calling for Increased Public-Private Partnerships in the Cybersecurity Community

Cyber Coalition Enhances Framework Profile to Include Botnet Mitigation in Response to Report Calling for Increased Public-Private Partnerships in the Cybersecurity Community

Washington, D.C. – Feb. 12, 2018 – This morning, the Coalition for Cybersecurity Policy & Law expressed support for the call from the departments of Commerce and Homeland Security for increased public-private partnerships to address growing cybersecurity threats. The Coalition filed comments at the National Telecommunications and Information Administration in response to the departments’ joint report on making the Internet more resilient to automated and distributed attacks, such as those by botnets.

“Despite years of attention botnets continue to be a major source of cybersecurity threats.   Public-private collaboration between the wide range of actors that sustain our cybersecurity ecosystem will be essential for success in dealing with these threats,” said Ari Schwartz, coordinator of the Coalition and former special assistant for cybersecurity to President Obama. “It’s our hope that including botnet mitigation in the DDoS profile the Coalition has created under the NIST Cybersecurity Framework will better equip public and private organizations to partner in determining their vulnerabilities and subsequently develop a more robust cybersecurity posture against automated attacks.”

The Coalition supports and agrees with the findings and recommendations of the report, titled “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” Specifically, the Coalition was encouraged by the report’s findings that public-private partnerships are critical to addressing the ongoing and growing risk that automated, distributed threats present to the global cybersecurity community.

In mid-2017, the Coalition drafted a Framework Profile for organizations to use in determining and managing risk related to Distributed Denial of Service (DDoS) attacks. Adapted from the National Institute of Standards and Technology’s Cybersecurity Framework, the Coalition’s profile helped further the discussion on ways to combat botnets. In response to this latest request for comment, the Coalition has updated that profile to include a clear section on botnet mitigation techniques, tools and services. A copy of the updated Framework Profile can be found here.  This Profile will be important in several ways including:

  • Developing a means to require government agencies to help stop botnets and defend themselves,  and the citizen information they hold, against DDoS attacks.
  • Providing companies with a playbook to help prevent DDoS attacks in the future.

As part of its effort to encourage partnerships to combat cyberthreats, the Coalition is planning a public workshop on the Framework Profile to engage public and private stakeholders.

About The Coalition for Cybersecurity Policy & Law

The mission of the Coalition for Cybersecurity Policy & Law is to bring together leading companies to help policymakers develop consensus-driven policy solutions that promote a vibrant and robust cybersecurity ecosystem; support the development and adoption of cybersecurity innovations; and encourage organizations of all sizes to take steps to improve their cybersecurity. For more information, visit www.cybersecuritycoalition.org.

Press Contact
Bri Law

Coalition for Cybersecurity Policy & Law
+1 202 344 4411

February 12, 2018

VIA EMAIL: counter_botnet@list.commerce.gov

Evelyn L. Remaley

Deputy Associate Administration

National Telecommunications and Information Administration

1401 Constitution Avenue, NW

Room 4725

Washington, DC 20230

Re: Comment of the Coalition for Cybersecurity Policy & Law on the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats

The Coalition for Cybersecurity Policy & Law (“Coalition”) submits this comment in response to the Request for Comments (“RFC”) issued by the Department of Commerce (“DoC”), regarding the Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (“Report”). The Coalition appreciates the opportunity to provide feedback on the Report.

The Coalition is comprised of leading companies with a specialty in cybersecurity products and services dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies.1 We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management, and we are supportive of efforts to identify and promote the adoption of cybersecurity best practices and voluntary standards throughout the global community.

Representatives of Coalition member companies actively participated in the workshop hosted by the National Institute of Standards and Technology (“NIST”) that was held to inform this report.

The Coalition broadly supports and agrees with the findings and recommendations of the report. In particular, we commend the Department of Commerce and the Department of Homeland Security (“DHS”) for repeatedly and effectively highlighting the importance of public and private collaboration, as well the international policy and standards development and adoption that are essential to long term success.

In support of this, the Coalition intends to host an event bringing together government and private sector leaders and experts to further discuss this important issue and drive progress.

In regards to Action 2.2, the Coalition notes that it has previously provided NIST with a DDoS Mitigation and Prevention Profile based on the combined experience and expertise of its member companies, who include providers that offer a range of services specifically designed to achieve the stated goal. We look forward to working with NIST and other private and public sector partners to expand and refine this Profile.

Additionally, we believe that a Botnet Prevention and Mitigation Profile is a necessary addition to the body of available knowledge, and would be highly complementary to the DDoS Mitigation and Prevention Profile discussed. To that end, the Coalition is providing a Profile for your consideration and to help foster conversation within the broader community.

Conclusion. The Coalition thanks the Department of Commerce and the Department of Homeland Security for its leadership in coordinating this important effort and for the opportunity to comment.

Cybersecurity Framework DDoS and Botnet Prevention and Mitigation Profile(s)

Executive Summary

The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) version 1.0, developed by the National Institute of Standards and Technology (NIST), with extensive private sector input, provides a risk-based and flexible approach to managing cybersecurity risk that incorporates industry standards and best practices. The Cybersecurity Framework is by design crafted to allow individual organizations to determine their own unique risks, tolerances, threats and vulnerabilities, so that they may prioritize their resources to maximize effectiveness.

The Framework is general in nature to allow for broad applicability to a variety of industries, organizations, risk tolerances and regulatory environments. A Framework Profile is the application of Framework components to a specific situation. A Profile may be customized to suit specific implementation scenarios by applying the Framework Category and Sub-Categories appropriate to the situation. Profiles should be constructed to take into account the organization’s:

  • Business/mission objectives
  • Regulatory requirements
  • Operating environment

Organizations can use Profiles to define a desired state for their Cybersecurity posture based on their business objectives, and use it to measure progress towards achieving this state. It provides organizations with the ability to analyze cost, effort and risk for a particular objective. Profiles may also be used by industry sectors to document best practices for protection against specific threats.

The below Cybersecurity Framework Profile focuses on Distributed Denial of Service (DDoS) and botnet prevention and mitigation. DDoS attacks are increasing in complexity, size, and frequency. Botnets have long been used as a method for orchestrating DDoS and other attacks. The range of targets and methods (e.g., from using individual PCs to using connected Internet of Things (IoT) devices) has also broadened. These threat profiles emphasize how the Cybersecurity Framework can address DDoS attacks and prevent and mitigate devices that have become parts of a botnet.

To develop the threat profile, we have reviewed all the Cybersecurity Framework Categories and Subcategories and determined those most important to combat the DDoS and botnet threats. The Categories and Sub-Categories were then labeled into different priorities as follows:

P1 – Minimum actions required to protect network and services against relevant attacks.

P2 – Highly recommended actions to protect network and services against relevant attacks.

P3 – Recommended actions to protect network and services against relevant attacks.

The DDoS and Botnet threat mitigation profile represents a Target Profile focused on the desired state of organizational cybersecurity to mitigate DDoS and botnet threats. It may be used to assist in identifying opportunities for improving DDoS and botnet threat mitigation and aiding in cybersecurity prioritization by comparing current state with this desired target state.

The Coalition developed this profile based on version 1.0 of the Cybersecurity Framework. The comments provided as part of the profile give appropriate guidance to refine the understanding of relevant Framework subcategories as they apply to DDoS and botnet threat mitigation. While Coalition members believe that Framework version 1.0, and its associated Core categories and subcategories, allow for adequate flexibility to develop an effective DDoS threat mitigation profile, we welcome the updates in draft 2 of version 1.1 of the Framework, as they reflect changes in the evolving nature of cybersecurity threats and risk management practices, which can further assist organizations in defending against and mitigating DDoS attacks

Examples of beneficial changes in draft 2 include updates in Section 3.0 ‘How to Use the Framework’ on how the Framework can be applied in design, build/buy, deploy, operate, and decommission system lifecycle phases. Cybersecurity practices must be considered throughout the full range of information technology activities of organizations as industries across all sectors increasingly develop and leverage IT applications and connected devices. In addition, new Framework Core categories and subcategories focused on managing supply chain risk will help organizations better defend against key threat vectors for DDoS attacks.

Overview of the DDoS and Botnet Threats

A DDoS attack attempts to overwhelm a network, service or application with traffic from multiple sources. There are many methods for carrying out DDoS attacks. These can include

  • Low bandwidth connection-oriented attacks designed to initiate and keep many connections open on the victim exhausting its available resources.
  • High bandwidth volumetric attacks that exhaust available network or resource bandwidth.
  • Protocol oriented attacks that take advantages of stateful network protocols such as TCP.
  • Application layer attacks designed to overwhelm some aspect of an application or service.

Although each of these methods can be highly effective, in recent years, there has been considerable attention given to volumetric attacks as the result of several high-profile incidents.

One prominent example of a volumetric DDoS attack vector is reflection amplification. This is a type of DDoS attack in which the attacker fakes the attack target’s IP address and launches queries from this address to open services on the Internet to solicit a response. The services used in this methodology are typically selected such that the size of the response to the initial query is many times (x100s) larger than the query itself. The response is returned to the real owner of the faked IP. This attack vector allows attackers to generate huge volumes of attack traffic, while making it difficult for the target to determine the original sources of the attack traffic. Reflection amplification has been responsible for some of the largest DDoS attacks seen on the Internet through the last decade.

DDoS is often referred to as a ‘weaponized’ threat as technical skills are no longer needed to launch an attack and services to conduct DDoS have proliferated and become easily obtainable for relatively low cost. Attackers can build out their attack capability in many ways, such as the use of malware to infect Internet connected computers, deploying servers within hosting environments, exploiting program flaws or other vulnerabilities, and by exploiting the use of inadequate access controls on Internet connected devices to create botnets.

Botnets are created when an attacker infects or acquires a network of hosts, then controls these devices to remotely launch an attack at a given target. Increasingly, botnets are incorporating Internet of Things (IoT) devices, which continue to proliferate at a remarkable rate. Botnets allow for a wide variety of attack methods aimed at evading or overwhelming defenses. Compromised devices within an organization can be used by the botnet to carry out attacks; DDoS or otherwise, targeting assets and infrastructure inside or outside the organization. This can have a significant negative impact on the overall risk posture of the organization and its reputation and responsibility in the community. The United States continues to be the most frequent target of DDoS attacks and infected hosts within the US public and private infrastructure are most frequently leveraged as the source of DDoS and botnet attacks. Availability is a core information security pillar but the operational responsibility and discipline for assessing and mitigating availability-based threats such as DDoS often falls to network operations or application owners in addition to Risk and Information Security teams. Because of this divided responsibility, fissures in both risk assessment and operational procedures for addressing these threats may occur. The goal of this profile is to ensure the strategic and operational discipline needed to protect and respond to DDoS threats is comprehensively addressed by applying the appropriate recommendations and best practices outlined in the Cybersecurity Framework.

See PDF document for additional details and tables.

1 The views expressed in this comment reflect the consensus view of the Coalition and do not necessarily reflect the views of any individual Coalition member. For more information on the Coalition, see www.cybersecuritycoalition.org.