CISA, FBI and MS-ISAC Release New Joint DDoS Guide

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the  Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide, “Understanding and Responding to Distributed Denial-of-Service Attacks”, to provide organizations with proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.

Although DDoS attacks are unlikely to impact the confidentiality or integrity of a system and its associated data, they affect availability by interfering with the legitimate use of that system, thereby imposing a cost of time and money, and possibly reputation on the victim’s business. Some of the actions listed in the joint DDoS guide that should be taken by organizations before an incident are:

• Understand your critical assets and services: Identify which services you have exposed to the public internet and the vulnerabilities of those services. Prioritize assets based on mission criticality and need for availability.
• Enroll in DDoS protection service: Protect systems and services by enrolling in DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.
• Determine the coverage and limitations with internet service providers defenses: Engage with your internet service providers (ISP) and cloud service providers (CSP) to understand existing DDoS protections, which should include reviewing Terms of Service agreements.
• Develop an agency DDoS response plan: The response plan should guide the organization through identifying, mitigating, and rapidly recovering from DDoS attacks.

Depending on the scale of the DDoS attack, the impact may be negligible or severe to include loss or degradation of critical services, loss of productivity, extensive remediation costs, and acute reputational damage. If an incident is suspected, some the action that can be taken include;

• Review indicators in the guide that can help confirm a DDoS attack, as well as contact your upstream network service provider to determine if there is an outage on their end or if their network is the target of the attack and you are an indirect victim.
• Deploy mitigation to include continue working with the service providers to get the DDoS attacks blocked, as well as configuration changes to the current environment and initiating business continuity plans that may assist in response and recovery. MS-ISAC offer a Guide to DDoS Attack that provides several recommended mitigations.
• DDoS attacks may also be used to divert attention away from other more malicious acts—malware insertion or data exfiltration--being carried out by the threat actor, so victims should stay on guard throughout a DDoS response.

In the near future, CISA plans to offer a tabletop exercise that can be used by any organization to assess their security and resilience to a DDoS attack.

CISA, FBI and MS-ISAC urge every organization to apply the recommended actions in this joint DDoS Guide, as well as adopt our Shields Up guidance and take steps to implement necessary security and resilience measures that can reduce the likelihood of compromise.