Reevaluating DDoS protection for a changing threat landscape
The past few years have seen seismic changes across industries as the pandemic greatly accelerated digitisation initiatives and shifted the balance of how we live and work. Tasked with navigating a borderless world of work, businesses have upped their dependence on the cloud to help meet new demands for flexibility and accessibility. Along with this shift comes added risk, and with more critical resources out of their immediate control, enterprises are increasingly vulnerable to Distributed Denial of Service (DDoS) attacks.
DDoS attacks are gaining in frequency, intensity, duration, and complexity, with attackers employing more vectors, utilising a wider range of methods – like ransom DDoS, SSL-based, carpet bombing and application layer attacks – and using DDoS attacks in combination with other, more focused activities.
At the same time, cybercriminal gangs have embraced enterprise-inspired business models – delivering ‘as-a-service’ offerings that give even novice attackers the ability to launch a botnet with just one click, malware licensing agreements, and even standing up help desk capabilities – to create steady revenue streams and broaden accessibility to new aspiring threat actor customers.
This poses serious risks to organisations, from lost access to customers, partners, and employees, to exposure to exorbitant ransom demands. And nowhere is the DDoS risk more pronounced than Asia Pacific. In 2021, APAC saw a more significant increase in DDoS attacks than any other region in the world. To mitigate this risk and ensure data security, it is more critical than ever for organisations to reevaluate their approach to DDoS protection – assessing both their own priorities and the capabilities of external mitigation partners – to ensure they are working to support a sound strategy.
Assessing your mitigation strategy
Enterprises should begin by taking a fresh look at their risks, what needs to be secured, and any budget constraints. Given the increasing size and intensity of modern DDoS attacks, no organisation with extensive digital assets or a large web presence can rely exclusively on an on-premises solution. A comprehensive strategy must include a relationship with a cloud-based service provider that can mitigate attacks. There are three primary mitigation strategy options:
- Always-on protection. For organisations that require secure access to and constant availability of extensive network assets, always-on protection offers the most comprehensive and reliable DDoS protection. If an attack occurs, the provider automatically manages the response and mitigation. All network traffic is routed through the service provider’s platform, so any breach will be identified quickly without the need for extra equipment or demands on a business’s IT staff.
- On-demand protection. Where the company partners with a cloud-based provider that is on call to mitigate attacks. The organisation’s IT team works with the provider to develop a procedure for rerouting traffic to the mitigation platform, either manually or based on preset traffic thresholds. While this is the easiest, fastest and least expensive solution to implement, some risk is involved in rerouting traffic in the event of a DDoS attack and it requires the active involvement of the IT team. An on-demand approach should suffice for organisations that have less extensive online assets, or for those for whom constant network access and availability is less critical.
- Hybrid protection. Large companies with extensive on-premises or on-prem mitigation equipment can select a hybrid on-prem/on-demand protection strategy. In the event of a smaller attack, the on-prem mitigation equipment can be initiated, while larger attacks will bring in an on-demand cloud provider. On-prem solutions require extensive capital expenditures and IT resources to monitor and respond to attacks, so this solution generally makes sense only for large enterprises with legacy installations of on-prem mitigation equipment.
Once you’ve settled on which mitigation strategy works best for your organisation, you’ll be ready to evaluate potential partners.
Assessing a potential mitigation partner’s capabilities
Mitigating attacks at scale requires a sophisticated DDoS strategy, so finding the right external mitigation partner is critical. As is done in securing any outside contractor, check the company’s reputation, customer support and experience in the industry, then go deeper to discover their methods, tools and technologies. When assessing potential cloud-based solution providers, keep the following questions in mind:
- What is their mitigation capacity and scale? Make sure a provider’s mitigation platform has sufficient capacity to handle multiple large, intense DDoS attacks simultaneously. It will need to be substantially overbuilt. But it’s not just the overall scrubbing capacity that’s important – you’ll also want to know the platform’s ingestion capacity (the volume of traffic it can take in).
- How are mitigation sites distributed globally and where are they located? Consider how the locations of a provider’s mitigation sites relate to the locations of your assets. Closer geographic proximity means reduced latency and quicker mitigation.
- What tools are they using – and how? The provider should use best-of-breed mitigation appliances that incorporate automated countermeasures as part of their design — for example, the ability to detect signals that indicate a specific attack, or adjustable alerts triggered by anomalies observed in network traffic or the wider network environment. The platform’s automation capabilities are also critical, as these functions can significantly increase the efficiency and effectiveness of mitigation efforts.
- How flexible and adaptable are they to your needs? Be sure a provider is willing and able to adapt its tools and services to your specifications. Think beyond configuring the DDoS protection to cover all your network assets and appropriately tuning the thresholds in automated traffic monitoring applications – can they also augment automated mitigation with intervention by experienced security professionals when necessary?
- How much mitigation experience do they have, and how committed are they to customers? A provider with a long track record of mitigating DDoS attacks is more likely to have the skills and expertise to handle large, multiphase attacks or innovative attacks using new vectors. Be sure they regularly invest in equipment upgrades and incorporate advances in automation into their orchestration platform.
- What kind of service do customers get? You should expect professional expertise and availability beyond just the initial configuration phase. Even with an always-on solution, complex attacks often require expert intervention, so make sure a provider has DDoS specialists on duty 24/7 to coordinate the response if an attack defeats automation.
There are other considerations for this process. You’ll want to find out how data, including remote data access, is safeguarded and how it is restored if it is lost; how authorised users and sensitive information is managed; and what measures are taken to prevent security breaches for clients as well as for the vendor’s own company. Do they frequently perform vulnerability scans and updates? Do they have security certificates and implement best practices? Can they share a recent external security audit? These questions can offer great insight into their processes and help ensure you find a mitigation partner that best aligns with your needs and values.
Organisations must periodically reevaluate core components of their cybersecurity strategy, like DDoS protection, to keep pace with a changing threat landscape. Without taking the necessary steps to properly evaluate their DDoS protection needs and select the right mitigation partner, businesses put themselves at greater risk of attacks that could cripple core business operations, put customers at risk and do incalculable damage to their brand's reputation.