Distributed Denial of Service (DDoS)
Best Practice Countermeasures
9 July 2015
T. Christian Kentopp MCSE, GSLC, CHFI, CEH Computer Science University of the Virgin Islands 340-692-4286 Office [email protected] Carpe Diem
Table of Contents
The Current Challenge
Domain 1: University Personnel Training & Awareness
Domain 2: Objective Expertise - Contractors
Domain 3: Network Security Enhancement
Domain 4: Automated Systems Management
Domain 5: Role-Based Access Control (RBAC)
Domain 6: Alignment with International Standards
Domain 7: Emerging Threats & Contingencies
References
The Current Challenge
The rapid and unrelenting pace of change across the cyber threat landscape is among the
greatest challenges technology professionals face today. Before a scope of work to remedy a
given vulnerability can be completed, new exploits surface. Experts contend targeted attacks
will continue to demand serious attention through 2015 (Olson, 2014). Social engineering
continues to be a factor in targeted attacks. Although true Defense-in-Depth methods address
a comprehensive range of infrastructure, people, and process, a best practice approach to
university policy and procedure revision must begin with the human element. Efficient,
effective measures ultimately depend upon those who perform them, and all the more as
frequent revisions become necessary. Conversely, countermeasure enhancements and updates
can be undermined without a deliberate commitment to training, policies, and awareness
(International Council of Electronic Commerce Consultants, 2009). A solid foundation for best
practices begins with policies to foster investment in university personnel, and continuous
improvement of university infrastructure and operations. In contrast with traditional, legacy
policy statements, a policy framework centered upon technology domains provides for granular
revision that is well-suited for dynamic environments. For each domain presented, essential
background is provided as a justification for the related policy statements that follow.
Domain 1: University Personnel Training & Awareness
Clear, objective expectations and a knowledge of the standards for routine operations form the
backdrop for practiced, measured responses to incidents. The human domain provides a
foundation for effective IT policy framework through a focus on the continuous training and
professional development of local IT staff who preserve the university interest. Certification
validates that an individual is adequately prepared for the responsibilities of record in a given
job description. For all technology system users, clear expectations for data and systems access
include responsibilities, contingencies, and penalties, communicated as part of the hiring process
and in periodic refresher training. As threats evolve, standards and practice must change promptly
to sustain the security and reliability of campus systems. Industry experts recommend frequent
sessions with employees to cultivate awareness of changes in the cyber threat landscape.
Organization leadership and IT staff warrant special effort in this regard: IT staff tend to place
fewer restrictions on management, and a compromise of either group can involve much greater loss
(Kaspersky, 2015). Recent university losses associated with the registration DDoS attack could have
been minimized, perhaps prevented outright, by the decisive action of skillful personnel. The
following policy codifies the standards for training and certification of university IT staff,
including a comprehensive awareness program for all campus personnel.
Training & Awareness of University Personnel
Prior to deployment of new systems and technology, or major upgrades to existing systems and
technology, the university shall provide training and certification opportunities for a primary
and alternate member of IT staff. A quarterly awareness program for all university personnel
shall articulate essentials of change in the cyber threat landscape, gauge progress with metrics,
and apply refinements for continual improvement. In addition, university administration and IT
staff shall publish and disseminate monthly updates.
The following standards are mandatory:
- no access shall be granted to mission-critical and core university systems without
appropriate certification; and
- formal job descriptions, assigned responsibilities, and role-based access control shall
reference specifics of the certification.
Within thirty (30) days, the following milestones shall be completed:
- newly qualified staff shall conduct essential orientation for remaining IT staff; and
- select changes in assigned responsibilities for IT staff shall trigger a review to determine
whether additional training and certification are warranted.
Domain 2: Objective Expertise - Contractors
The timing, ferocity, and duration of the registration DDoS attack raise the specter of an
internal or external adversarial interest. Best practice incident handling provides for subject
matter experts (as needed) to complement local IT capabilities, and to scale up for prompt
countermeasures (Greene, 2015). As a disinterested third party, a Certified Ethical Hacker (CEH),
or equivalent, can provide essential objectivity. The contract requirement for mandatory
discretion (non-disclosure) will preserve the integrity and dignity of university interests in the
aftermath of such an event. As contractors augment and stand in for local IT staff in an
operational context, assessment of university infrastructure can require extensive access.
Therefore, similar requirements for certification must be honored. The following policy codifies
the standards for engagement of credentialed contractors.
Contractor Engagement
The university shall hire credentialed contractors whenever gaps in local staff qualifications or
operational conditions occur. Prior to access and assessment of university systems and
technology, the contractor shall provide valid certification and reference documentation to the
university. The following standards are mandatory.
- No access shall be granted to mission-critical and core university systems without
appropriate validation of certification(s) and work references.
- The assigned scope of work (SOW), and role-based access control shall reference credential
specifics, communication protocols, and validation of access removal upon completion.
- The contractor shall honor existing university policy regarding ethical practices, in particular
standards that preclude conflict of interest.
- The SOW shall also serve to validate the efficiency of existing policies and procedures.
- Changes in the SOW shall trigger a certification review to determine if alternate contractor
assignments are warranted.
Domain 3: Network Security Enhancement
One of the root causes for the registration DDoS attack was the successful use of a password
sniffer. Authentication across the campus network was not protected with common
safeguards. Basic methods to encrypt the exchange of credentials could have prevented
unauthorized use of a privileged account. Outward-facing network appliances failed to detect the
command-and-control traffic (remote control chatter) that would have signaled a growing problem
inside the campus. The following
policy specifies measures to enhance network security.
Network Security Enhancement
The university shall continually assess, refine, and/or upgrade network security practices and
infrastructure to promptly counter vulnerabilities and exploits. Such enhancements shall
include, but are not limited to:
- the reconfiguration of network appliances to monitor and assess internal and outbound
traffic flows to detect threats inside the campus;
- the use of automated notification and “always on” dashboard features to alert when
threshold conditions present; and
- the deprecation of outdated network transport and online logon methods, replacing
legacy practices with current, secure methods (e.g., replace NTLM with Kerberos,
unencrypted HTTP with HTTPS (TLS), telnet and FTP with SSH and SFTP, and unencrypted IP
traffic with IPsec).
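The three measures above can be checked directly against flow records exported from the border appliance. The following is an added example and is not part of the original policy document: it reads constructed NetFlow-style records (timestamp, source, destination, destination port, bytes) and flags the conditions the policy names, namely logons over clear-text protocols inside the campus (the password sniffer's opportunity), a campus host contacting one external endpoint at a near-constant interval (the check-in pattern a remotely controlled lab client produces), and a host exceeding an outbound connection threshold (a dashboard alert condition). The campus address range, the clear-text port list, the thresholds, and every sample flow are assumptions chosen for illustration.

```python
"""Flow-record checks for the network measures in the policy above (added example).

Each record is (timestamp_seconds, src_ip, dst_ip, dst_port, bytes), the shape of
a minimal NetFlow/IPFIX export. All values below are constructed, not captured.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the campus uses 10.0.0.0/8; anything else is off-campus.
CAMPUS = ipaddress.ip_network("10.0.0.0/8")

# Services whose logon exchange crosses the wire without encryption, so a sniffer
# on the segment recovers the credentials (assumed port list).
PLAINTEXT_LOGON_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def is_campus(ip):
    return ipaddress.ip_address(ip) in CAMPUS


def find_plaintext_logons(flows):
    """Campus-to-campus flows on a clear-text logon port: credentials exposed."""
    hits = set()
    for _, src, dst, port, _ in flows:
        if port in PLAINTEXT_LOGON_PORTS and is_campus(src) and is_campus(dst):
            hits.add((src, dst, PLAINTEXT_LOGON_PORTS[port]))
    return sorted(hits)


def find_beacons(flows, min_flows=5, min_interval=60.0, max_cv=0.1):
    """Campus hosts contacting one external endpoint at a near-constant interval.

    A bot checks in with its controller on a timer; human-driven traffic does not.
    Flag a (src, dst, port) with at least min_flows contacts whose inter-arrival
    times average at least min_interval seconds and vary by no more than max_cv
    (standard deviation divided by mean). Floods are excluded by min_interval.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if is_campus(src) and not is_campus(dst):
            by_pair[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, port, round(avg, 1)))
    return sorted(beacons)


def find_flooders(flows, window=60.0, threshold=20):
    """Campus hosts opening at least `threshold` outbound flows in any `window` seconds.

    This is the threshold condition for a dashboard alert: a lab client that has
    joined a DDoS opens far more outbound connections than a user would.
    Returns {src_ip: peak_count_in_one_window}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if is_campus(src) and not is_campus(dst):
            by_src[src].append(ts)
    flooders = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flooders[src] = max(flooders.get(src, 0), count)
    return flooders


# Constructed sample: a clear-text telnet and HTTP logon, ordinary browsing from
# one client, a lab client beaconing every ~5 minutes, then that client flooding.
SAMPLE_FLOWS = [
    (50.0, "10.20.5.7", "10.1.0.10", 23, 420),
    (60.0, "10.20.5.8", "10.1.0.10", 80, 1200),
    (70.0, "10.20.5.9", "10.1.0.10", 443, 3100),
    (10.0, "10.20.5.9", "93.184.216.34", 443, 5400),
    (47.0, "10.20.5.9", "93.184.216.34", 443, 2200),
    (200.0, "10.20.5.9", "93.184.216.34", 443, 9800),
    (210.0, "10.20.5.9", "93.184.216.34", 443, 1500),
]
SAMPLE_FLOWS += [(t, "10.20.5.7", "198.51.100.23", 443, 310)
                 for t in (1000.0, 1298.0, 1600.0, 1899.0, 2200.0, 2500.0)]
SAMPLE_FLOWS += [(3000.0 + i * 0.01, "10.20.5.7", "203.0.113.9", 80, 60)
                 for i in range(30)]

if __name__ == "__main__":
    print("clear-text logons:", find_plaintext_logons(SAMPLE_FLOWS))
    print("beacons:", find_beacons(SAMPLE_FLOWS))
    print("flooders:", find_flooders(SAMPLE_FLOWS))
```

On real data the thresholds are starting points to be tuned against a baseline of normal campus traffic, and the beacon check should be run over hours or days rather than minutes: a slow check-in interval is precisely what a per-minute rate alert misses, which is why a plain outbound flow-count threshold alone would not have revealed the compromised lab clients before the attack began.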
Domain 4: Automated Systems Management
Malicious software installed on a modern, highly managed and hardened enterprise client
would trigger an alert and an automated quarantine response. Automated patches, fixes and
updates often provide a client with “immunity” as exploit conditions used by malware are
eliminated up front. Active Directory group policies can enforce more than 5,000 system
settings, including: user restrictions to preclude unauthorized software installation, application
whitelisting, update sources and schedules, USB access restrictions, and event logging (Minasi,
2010). Clients infected with persistent malware can be promptly wiped and reimaged to
prevent a local foothold from spreading. Had university computer lab clients been managed by
such automated methods, botnet masters would have been far less able to gain remote access to
them and automate their control for a DDoS attack. The following policy outlines select practices
for a best-practice approach to automated systems management.
Automated Systems Management
The university shall implement, maintain, assess, and refine automated client management to
enhance event detection and notification, system health checks and logging, client creation,
control, and update administration. Such methods shall include, but are not limited to:
- centralized endpoint protection including signature updates pushed to clients;
- Windows Deployment Services, Microsoft System Center Configuration Manager;
- Active Directory group policy, AppLocker, and Windows Server Update Services.
Domain 5: Role-Based Access Control
Unrestrained user privileges and existing access controls were a factor in the installation of
malicious software that set the stage for the DDoS attack. By implementing role-based access
controls (RBAC) as a basis to manage user access and privileges, malware installation can be
prevented. Simply put, RBAC is a method to provision the minimum access required to perform
the defined responsibilities of a position. As a best practice, this highly structured approach
actually reduces the overhead of system administration for environments that need better
definition and granularity in the control of user access (Northcutt, n.d.). RBAC requires that
access be revised as a user's job responsibilities change, and audit measures confirm that the
access actually provisioned matches the role. By enforcing appropriate user privileges and access,
the installation of unauthorized software can be prevented. The following policy articulates
university mandates to use best practices for access control.
Role-Based Access Control
The university shall coordinate closely with Human Resources and all levels of supervision to
define, implement, manage, and revise role-based access control (RBAC) in providing access to
all university technology systems. Upon change of defined responsibilities, role-based access
will be assessed and provisioned per the revised responsibilities of record. At the time of
separation from the university, role-based access will be removed without delay. RBAC
responsibilities shall be part of the formal job descriptions and scope of performance evaluation
for supervisors and IT staff who provision access. A formal, annual audit of all provisioned
access will be conducted to ensure alignment.
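The annual audit mandated above amounts to a reconciliation between responsibilities of record and the access actually provisioned. The following is an added example and is not part of the original document: it compares a hypothetical role catalogue and a constructed HR record against a constructed snapshot of provisioned entitlements, and reports the four conditions the policy addresses, namely access beyond the role (the unrestrained privileges that allowed the malware install), access the role requires but the user lacks, access still active after separation, and accounts with no HR record at all. It also shows how a change of responsibilities is handled by re-deriving access from the new role rather than adding to the old one. Role names, entitlement strings, the audit date, and the sample users are assumptions.

```python
"""Role-based access reconciliation (added example; all data is constructed)."""
from datetime import date

# Hypothetical role catalogue: the minimum entitlements each position needs.
ROLE_ENTITLEMENTS = {
    "registrar-clerk": {"sis:read", "sis:enroll"},
    "lab-student": {"lab:login"},
    "sysadmin": {"sis:read", "sis:enroll", "sis:admin", "ad:domain-admin", "lab:login"},
}

# Constructed HR responsibilities of record: current role and separation date, if any.
HR_RECORDS = {
    "alice": {"role": "registrar-clerk", "separated": None},
    "bob": {"role": "lab-student", "separated": None},
    "carol": {"role": "registrar-clerk", "separated": date(2015, 5, 31)},
    "dave": {"role": "sysadmin", "separated": None},
}

# Constructed snapshot of what the directory actually grants today.
PROVISIONED = {
    "alice": {"sis:read"},                      # never received enrollment rights
    "bob": {"lab:login", "ad:local-admin"},     # local admin on a lab client: can install anything
    "carol": {"sis:read", "sis:enroll"},        # separated in May, account still active
    "dave": {"sis:read", "sis:enroll", "sis:admin", "ad:domain-admin", "lab:login"},
    "mallory": {"ad:domain-admin"},             # no HR record at all
}

AUDIT_DATE = date(2015, 7, 9)  # assumed date of the audit run


def audit_access(hr, roles, provisioned, today):
    """Compare provisioned entitlements with the role each person holds.

    Returns sorted (user, finding, entitlements) tuples, where finding is one of
    'orphan', 'separated-but-active', 'excess' or 'missing'.
    """
    findings = []
    for user in sorted(set(hr) | set(provisioned)):
        have = set(provisioned.get(user, ()))
        record = hr.get(user)
        if record is None:
            findings.append((user, "orphan", tuple(sorted(have))))
            continue
        if record["separated"] is not None and record["separated"] <= today:
            if have:
                findings.append((user, "separated-but-active", tuple(sorted(have))))
            continue
        want = roles[record["role"]]
        if have - want:
            findings.append((user, "excess", tuple(sorted(have - want))))
        if want - have:
            findings.append((user, "missing", tuple(sorted(want - have))))
    return sorted(findings)


def apply_role_change(user, new_role, hr, provisioned, roles):
    """Re-derive a mover's access from the new role and report the delta.

    Returns (revoked, granted). Provisioning is replaced, not accumulated, so the
    mover keeps nothing the old position needed and the new one does not.
    """
    old = set(provisioned.get(user, ()))
    new = set(roles[new_role])
    hr[user] = {"role": new_role, "separated": None}
    provisioned[user] = new
    return tuple(sorted(old - new)), tuple(sorted(new - old))


if __name__ == "__main__":
    for finding in audit_access(HR_RECORDS, ROLE_ENTITLEMENTS, PROVISIONED, AUDIT_DATE):
        print(*finding)
```

In practice the two inputs come from the HR system of record and a directory export (for Active Directory, group membership and local administrator assignments), and the audit is worth running far more often than annually, since the "orphan" and "separated-but-active" findings are exactly the accounts an attacker prefers: nobody is watching them.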
Domain 6: Alignment with International Standards
With a large campus population and global online access, there is more potential and growth
for multi-national constituencies and research each year. This also means the university is
exposed to foreign sovereign jurisdiction, regulatory, and risk management scenarios. DDoS
attacks are often coordinated by overseas actors (botmasters). Effective action against such
actors requires conformity of detail and process to internationally recognized standards and
conventions. ISO 27002 standards, ratified in 2013, are congruent with US federal standards.
The National Institute of Standards and Technology (NIST), the principal steward of US federal
information assurance standards, has confirmed this by mapping its controls to ISO 27002 in recent
publications (NIST, 2013). By
adopting ISO 27002, the university ensures policies and practices are universally applicable (ISO,
2013). It is likely measures implemented by the adoption of ISO 27002 could have prevented
conditions that allowed for the registration DDoS attack (e.g., effective incident management, §
16.1). The following provides a basis to extend university interests internationally.
Alignment with International Standards
The university shall review and adopt ISO 27002 information assurance standards as the basis
for university policies and practices wherever they meet or exceed US federal standards.
Examples of ISO 27002 standards that are ready for review and adoption include, but are not
limited to: role-based access controls (§ 9.2 and 9.4), malware (§ 12.2), vulnerability
management (§ 12.6), network security (§ 13.1), incident management (§ 16.1), and
redundancy (§ 17.2). In cases where federal, state, or local statutes exceed the ISO requirement,
the university will adopt the more stringent standard to ensure compliance. Regardless,
university policies and practices may exceed measures specified by all regulatory levels when
operational conditions warrant. For example, two-factor authentication may not be indicated
for a given context in general, though an assessment of local risk and potential losses may
warrant its implementation for select users.
Domain 7: Emerging Threats & Contingencies
The threat landscape can change overnight, raising serious questions about current efforts and
expenses to safeguard university mission critical systems. Left to local stakeholders with vested
interests and bias, the testing and trial of disaster recovery (DR) and business continuity
planning (BCP) can suffer a classic form of institutional quicksand, brought on by ambiguous
scenarios and hypothetical losses. By contrast, the pre-emptive, objective assessment of
countermeasure efforts, the early identification of potential gaps, and the validation of BCP
trials are best accomplished by credentialed, disinterested, third-party experts. Positive results
further protect the university by documenting that best practices translate into best effort.
Negative results provide early, discreet insight into gaps and vulnerabilities, often before
attackers discover them (Northcutt, et al., 2006). Contract services provided at
pre-determined and random intervals by a Licensed Penetration Tester (LPT), or a suitable
alternative to assess vulnerabilities, will preserve the continued vigilance required for effective
university contingencies. Had such efforts been part of university policies and procedures the
previous season, registration DDoS attack vulnerabilities could have been identified and
nullified. The following policy establishes a deliberate commitment to identify vulnerabilities,
to assess cost-effective remedies, to validate chosen contingencies, and to apply appropriate
refinements to university DR and BCP efforts.
Emerging Threats & Contingencies
The university shall provide adequate budget, access, and resources to consistently engage
credentialed, disinterested, third-party contract expertise to confidentially vet university DR and
BCP programs. The independent contractors shall conduct penetration testing, vulnerability
assessments, and assess suitable revisions and adjuncts to countermeasures. Such
countermeasures shall include, but not be limited to:
- local and cloud-based failover systems;
- customized security systems such as web application firewalls (WAFs); and
- specialized DDoS attack mitigation firms.
Contract services shall be provided on a pre-determined and random basis appropriate for the
context of operations and systems assessed. University leadership and IT staff shall duly
consider the findings of contract assessments in reaching informed decisions.
Quality defense-in-depth begins with the human element at the university. Best practices begin
with policies and standards that establish aggressive yet attainable objectives. By developing
local capabilities, increasing access to qualified expertise, applying low-cost enhancements to
network security, automating client management, implementing granular role-based access
controls, aligning university policies and practices with global best practice standards, and by
committing to a posture ready to face emerging threats with adaptive contingencies, the
university can emerge stronger, resilient, and ready for world-wide online opportunities.
References
Greene, T. (2015, June). 7 things to do when your business is hacked. Retrieved from http://www.csoonline.com/article/2938659/data-breach/7-things-to-do-when-your-business-is-hacked.html
ISO/IEC. (2013). ISO/IEC 27002:2013 Information technology – Security techniques – Code of
practice for information security controls. Geneva, Switzerland: ISO/IEC.
International Council of Electronic Commerce Consultants. (2009). Ethical hacking and
countermeasures: Threats and defense mechanisms. (1st ed.): Student Resource Center. Course
Technology, Cengage Learning.
Kaspersky Lab. (2015). Top ten tips for educating employees about cybersecurity. Retrieved from http://go.kaspersky.com/rs/kaspersky1/images/Top_10_Tips_For_Educating_Employees_About_Cybersecurity_eBook.pdf?mkt_tok=3RkMMJWWfF9wsRonuKXNcO%2FhmjTEU5z16OglWa%2BzlMI%2F0ER3fOvrPUfGjI4ITMZjI%2BSLDwEYGJlv6SgFQrDHMalq1LgPXxE%3D
Minasi, M. (2010). Mastering Microsoft Windows server 2008 R2. Indianapolis, Indiana: Wiley
Publishing.
NIST. (2013, April). NIST special publication 800-53 revision 4: Security and privacy controls for
federal information systems and organizations. Retrieved July 9, 2015, from
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Northcutt, S. (n.d.). Role based access control to achieve defense in depth. Retrieved July 9,
2015, from http://www.sans.edu/research/security-laboratory/article/311
Northcutt, S., Shenk, J., Shackleford, D., Rosenberg, T., Siles, R., & Mancini, S. (2006, June).
Penetration testing: Assessing your overall security before attackers do. Retrieved July 9, 2015,
from https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635
Olson, R. (2014, December). A forecast of the cyberthreat landscape in 2015. Retrieved June 18,
2015, from http://www.scmagazine.com/a-forecast-of-the-cyberthreat-landscape-in-2015/article/388921/