Jul 28, 2017

Coalition Creates First Ever Threat Profile for DDoS Attacks Using NIST Framework

Cybersecurity Framework DDoS Profile

Executive Summary

The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) version 1.0, developed by the National Institute of Standards and Technology (NIST), with extensive private sector input, provides a risk-based and flexible approach to managing cybersecurity risk that incorporates industry standards and best practices. The Cybersecurity Framework is by design crafted to allow individual organizations to determine their own unique risks, tolerances, threats and vulnerabilities, so that they may prioritize their resources to maximize effectiveness.

The Framework is general in nature to allow for broad applicability to a variety of industries, organizations, risk tolerances and regulatory environments. A Framework Profile is the application of Framework components to a specific situation. A Profile may be customized to suit specific implementation scenarios by applying the Framework Categories and Subcategories appropriate to the situation. Profiles should be constructed to take into account the organization’s:

  • Business/mission objectives
  • Regulatory requirements
  • Operating environment

Organizations can use Profiles to define a desired state for their cybersecurity posture based on their business objectives, and use it to measure progress towards achieving this state. A Profile gives organizations the ability to analyze cost, effort and risk for a particular objective. Profiles may also be used by industry sectors to document best practices for protection against specific threats.

The below Cybersecurity Framework Profile focuses on Distributed Denial of Service (DDoS). DDoS attacks are increasing in complexity, size, and frequency, and the range of targets and methods (e.g., from using individual PCs to using connected Internet of Things (IoT) devices) has also broadened. This threat profile emphasizes how the Cybersecurity Framework can address DDoS attacks, which NIST has acknowledged is a growing risk.

To develop the threat profile, we reviewed all the Cybersecurity Framework Categories and Subcategories and determined those most important to combating the DDoS threat. Each selected Category and Subcategory was then assigned one of the following priorities:

P1 – Minimum actions required to protect network and services against DDoS attacks

P2 – Highly recommended actions to protect network and services against DDoS attacks

P3 – Recommended actions to protect network and services against DDoS attacks

The DDoS threat mitigation profile represents a Target Profile focused on the desired state of organizational cybersecurity to mitigate DDoS attacks. It may be used to assist in identifying opportunities for improving DDoS threat mitigation and aiding in cybersecurity prioritization by comparing current state with this desired Target state.

In the development of this profile we did not identify the need for any additions or changes at the Category or Subcategory level. Instead, the comments provided as part of the profile give the necessary guidance to refine the understanding of the Subcategory as it applies to DDoS threat mitigation.

Overview of the DDoS Threat

A DDoS attack attempts to overwhelm a network, service or application with traffic from multiple sources. There are many methods for carrying out DDoS attacks. These can include:

  • Low-bandwidth, connection-oriented attacks that open and hold many connections on the victim, exhausting its available resources.
  • High-bandwidth volumetric attacks that exhaust available network or resource bandwidth.
  • Protocol-oriented attacks that take advantage of stateful network protocols such as TCP.
  • Application-layer attacks designed to overwhelm some aspect of an application or service.

Although each of these methods can be highly effective, in recent years, there has been considerable attention given to volumetric attacks as the result of several high-profile incidents.

One prominent example of a volumetric DDoS attack vector is reflection amplification. In this type of DDoS attack the attacker spoofs the target’s IP address as the source and sends queries from that address to open services on the Internet to solicit a response. The services used in this methodology are typically selected such that the response to the initial query is many times (hundreds of times) larger than the query itself. The response is returned to the real owner of the spoofed IP address. This attack vector allows attackers to generate huge volumes of attack traffic while making it difficult for the target to determine the original sources of the attack traffic. Reflection amplification has been responsible for some of the largest DDoS attacks seen on the Internet over the last decade.
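The following is an added example, not part of the profile or its PDF, showing how the reflection pattern described above looks from the target’s side: responses arriving from amplifier service ports with no matching outbound query, or far larger than the query sent. It assumes NetFlow-style 5-tuple flow summaries and a constructed list of commonly reflected UDP service ports; the IP addresses and byte counts are constructed sample data.

```python
"""Flag likely reflection-amplification traffic in flow records as seen by the
protected (victim) host. Added example; assumptions are noted inline."""
from collections import defaultdict

# UDP services commonly abused as reflectors (assumed list for this example).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes, packets).
# 203.0.113.10 is the protected host; 198.51.100.x are the peers it talks to.
FLOWS = [
    ("203.0.113.10", 40001, "198.51.100.5", 53, 64, 1),       # legitimate DNS query
    ("198.51.100.5", 53, "203.0.113.10", 40001, 512, 1),      # its response (8x)
    ("198.51.100.7", 123, "203.0.113.10", 9999, 48200, 100),  # unsolicited NTP replies
    ("198.51.100.8", 123, "203.0.113.10", 9999, 48200, 100),  # unsolicited NTP replies
    ("198.51.100.9", 1900, "203.0.113.10", 8080, 30000, 100), # unsolicited SSDP replies
]


def detect_reflection(flows, protected_ip, min_ratio=10.0):
    """Return {peer_ip: (service, bytes_received, bytes_sent, ratio)} for peers on
    amplifier ports whose reply volume dwarfs what the protected host sent them.
    ratio is inf when no query was seen at all, i.e. the reply was unsolicited."""
    sent = defaultdict(int)      # (peer_ip, service_port) -> bytes protected host sent
    received = defaultdict(int)  # (peer_ip, service_port) -> bytes protected host received
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if src == protected_ip and dport in AMPLIFIER_PORTS:
            sent[(dst, dport)] += nbytes
        elif dst == protected_ip and sport in AMPLIFIER_PORTS:
            received[(src, sport)] += nbytes
    hits = {}
    for (peer, port), resp_bytes in received.items():
        query_bytes = sent.get((peer, port), 0)
        ratio = resp_bytes / query_bytes if query_bytes else float("inf")
        if ratio >= min_ratio:
            hits[peer] = (AMPLIFIER_PORTS[port], resp_bytes, query_bytes, ratio)
    return hits


def suspect_bytes(hits):
    """Total reply bytes attributed to flagged reflectors (for sizing the attack)."""
    return sum(h[1] for h in hits.values())


if __name__ == "__main__":
    found = detect_reflection(FLOWS, "203.0.113.10")
    for peer, (svc, rx, tx, ratio) in sorted(found.items()):
        print(f"{peer} {svc}: received {rx} B, sent {tx} B, ratio {ratio}")
    print("suspect bytes:", suspect_bytes(found))
```

The legitimate DNS exchange stays below the ratio threshold, while the three peers replying on NTP and SSDP ports with no outbound query are reported as reflectors, which is the signal a mitigation team would use to justify filtering those source ports upstream.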

Attackers can build out their attack capability in many ways, such as using malware to infect Internet-connected computers, deploying servers within hosting environments, exploiting program flaws or other vulnerabilities, and exploiting inadequate access controls on Internet-connected devices to create botnets.

Botnets are created when an attacker infects or acquires a network of hosts, then controls these devices to remotely launch an attack at a given target. Increasingly, botnets are incorporating Internet of Things (IoT) devices, which continue to proliferate at a remarkable rate. Botnets allow for a wide variety of attack methods aimed at evading or overwhelming defenses.

DDoS is often referred to as a ‘weaponized’ threat, as technical skills are no longer needed to launch an attack and services to conduct DDoS have proliferated and become easily obtainable at relatively low cost.

Availability is a core information security pillar, but the operational responsibility and discipline for assessing and mitigating availability-based threats such as DDoS often falls to network operations or application owners in addition to Risk and Information Security teams. Because of this divided responsibility, gaps in both risk assessment and operational procedures for addressing these threats may occur. The goal of this profile is to ensure that the strategic and operational discipline needed to protect against and respond to DDoS threats is comprehensively addressed by applying the appropriate recommendations and best practices outlined in the Cybersecurity Framework.

See PDF document for additional details and tables.