Why a DDoS is NOT a Security Incident

Article by Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

One of my common bugbears with businesses is the idea that a Distributed Denial of Service (DDoS) attack is an incident that should be managed and handled by your Cyber Security Incident Response team. It's not, and here is why.

Receiving rubbish traffic to a web server, or any service for that matter, that you stick on the internet is just a part of being online, and businesses need to accept this upfront and plan for it. It's no different from planning a car journey: you decide on the route with the least traffic, and when there is traffic you either deal with it or park the car and get off the road. You don't call in the police detectives every time you get stuck in a traffic jam.

So the rubbish traffic you start receiving may not be a DDoS straight away, and maybe never, but rubbish traffic hitting your public-facing anything is a way of life online, not an anomaly requiring your skilled Incident Response team.

So why is a DDoS not the responsibility of your Incident Response team?

A DDoS is an availability event, or sometimes a misconfiguration event, that should be managed and run by the Networks or Engineering teams that work all day long with your network or internet-facing services. When trying to determine the right team to manage a DDoS incident, ask yourself who in the organisation is responsible for:

  • Border gateway routing changes?
  • Your ISP connections?
  • System availability monitoring?
  • Front end service/application or engineering configurations?

The team that manages the majority of the above responsibilities should be responsible for leading your DDoS incidents. They are best placed to make changes to your environment and are far less likely to cause further damage to your organisation. One common downfall of organisations responding to a DDoS is failing to make changes at the appropriate time and in the correct order, which is why it is so important to use teams whose day job is working with your public-facing networking equipment.

Now, your Incident Response team aren't off the hook when it comes to a DDoS incident. They still play an important part in supporting the lead team; however, it is purely a support role they fulfil. The Incident Response team still need to provide advice on what type of attack is occurring and which defensive techniques will or won't be successful, along with gathering evidence in the event you decide to run a full-blown investigation. But that's pretty much it; their responsibilities stop there, or at least they should. If you want to go down the path of attribution, which is extremely hard and time-consuming for a DDoS, that's for your Cyber Security Intel team to do.

Attribution for a DDoS Attack

Let us assume for a minute you do want to play the attribution game because you've had a big outage that has upset the upper echelons of the business. Your Incident Response team are trained in investigating IT-based attacks, so surely they should be spending time on this, right? Well, sort of, but hopefully not. As I previously mentioned, determining who was actually behind a DDoS is, in most cases, extremely difficult. Sure, your Incident Response team can take sample packet capture evidence and tell you where the traffic came from, and maybe even the type of botnet that generated it; however, this is very different from determining who actually instrumented the attack. Finding out who the actor(s) behind a DDoS are takes a lot of intense investigation work, and usually an existing network of fake personas already in the places where actors may actually be discussing their attacks. Again, this is something your Cyber Security Intel team should be doing, not your Incident Response team, and if you don't have a dedicated Intel team with this level of technical setup already in place, maybe you should be questioning whether you should even look for attribution.

DDoS is the new BAU

DDoS is not an incident your Incident Response team should be running, and likely not an incident your Security teams should be running either. They certainly provide support and expert advice, but they shouldn't be running an incident of this type. DDoS is now a way of life for living on the internet, and a DDoS should be considered Business As Usual (BAU) operations. Put your Incident Response team to work where their efforts yield outcomes that are not already covered by other parts of the business.