Addressing DDoS in Risk AssessmentsThe Importance of Analyzing Cyberthreat Intelligence
In defending against distributed-denial-of-service attacks, enterprises must comprehend the motives of the cyber-assailant, Booz Allen Hamilton's Sedar Labarre says."[Organizations] need to do a better job of identifying not just the threat vector, but the characterization of the threat vector," Labarre says in an interview with Information Security Media Group [transcript below].
What it comes down to, Labarre says, is assessing the organization's unique qualities: "What's valuable to you, and, in light of that, where do you see the most likely threat vectors coming in?"
From there, he says, organizations should review their IT security capabilities and identify tools and controls they need to assess the specific risks and vulnerabilities they face.
"I don't think the answer is to say, 'Listen, everybody needs to go out there and chase DDoS right now,'" Labarre says. "They need to figure out what's right for their particular organization, company or mission."
In an interview, Labarre:
- Outlines steps organizations should take to assess their vulnerability to DDoS attacks;
- Explains how nation-states pose different threats than do criminal gangs and hacktivists to enterprises; and
- Discusses the importance of gathering intelligence in defending against DDoS attacks.
Labarre has been with the consulting firm Booz Allen since 1998. As a principal and director, a post he has held since October 2011, Labarre is a commercial practice leader for the company's cross-market strategic cybersecurity assessments and program development offering.
Assessing DDoS Risks
ERIC CHABROW: First off, let's get right to the point. Is there a thorough risk assessment process organizations go through that outlines all the threats and vulnerabilities related to DDoS attacks?
SEDAR LABARRE: There are two parts to your question. First, we're seeing many organizations do a much better job of identifying the threat vectors, which is a great and needed first step. Where we're seeing these organizations challenged is that they're not doing a great job in prioritizing them. The process of identification is often very subjective. It's based on feel, based on what they're seeing and other organizations in their sector are seeing. They're using that as their primary prioritization mechanism.
What we're seeing from leading-class organizations, though, is they're starting to do a much better job at taking a scientific approach to the prioritization, calculating the likelihood of these attacks. The ranking is based on adversary preferences and decision tradeoffs for conducting those attacks. We see these leading organizations using an analytical hierarchy process to prioritize the threat vectors. This is nothing new. It's not something that's been invented in the security field. It's just a structured and proven technique for an organization to analyze complex decisions. What it does is it doesn't force-fit you into one single, absolute best answer. Rather, it allows you a range that incorporates human factors in there.
What are the steps that organizations are taking in this process? The first step is they're doing a better job of identifying and gathering the data around the cyberthreat and actor profiles, essentially defining the anatomy of the attacks, pulling from malware reports and threat assessments. Next [is] in-depth [identification] of the active profiles, pulling from trends stated intent that you can get from open sources or their certain intelligence capabilities, and looking at the actual capability maturity itself.
Step two, then, is the characterization of these threats. This is where it starts getting interesting, where they're starting to look at the actual payoff that they see the threat actors hoping to get, looking at the confidence related to these threat vectors, risk of detection and retribution, scope of retribution and the tools and the techniques. From this data, you can start to imply this analytical hierarchy process that these leading organizations are doing. They do this by applying the weights or values to each of these particular characteristics, both from a payoff of the attack as well as the confidence of the attack to be successful. They look at the cost, both from the perspective of the sophistication of the tools needed for the attack, sophistication of the adversary tactics, techniques - basically the weight that's needed to actually get the attack to come off - and then calculate a value related to the risk. Back to the detection probability, [they] look at how likely attribution is in the attack and then the scope of what the retribution can be, and then they calculate.
Once you get these values, you run the model and you produce prioritized threat vector profiles paired with a series of attack sequences. Going from DDoS then, you can ... start to identify not only where we see a high likelihood of where we're going to be attacked but also how we're going to be attacked.
Focusing Risk Assessments
CHABROW: Continue and tell us what these organizations should do when they're assessing these vulnerabilities.
LABARRE: [For] organizations to go through that process that I just talked about, they need to do a better job of identifying not just the threat vector but the characterization of a threat vector. We can't just all go out there and prepare for high bandwidth volumetric DDoS saturation. It's just unrealistic at the smaller, mid-tier organizations to effectively prepare for that if, in fact, the threat's not there. It comes down to not just looking at the press, not just looking at kind of what the zeitgeist today is around threat vectors, but actually looking at your particular business, looking at what's valuable to you, and, in light of that, where you see the most likely threat vectors coming in. Then, from that, take the necessary next step of not just identifying what they are but actually look across your capability suite and identify the tools and controls that you need to actually be able to mitigate those threat vectors.
I don't think the answer is to say, "Listen, everybody needs to go out there and chase DDoS right now." They need to figure out what's right for their particular organization, company or mission.
CHABROW: So DDoS is just one threat among many that they're considering, obviously?
LABARRE: It's one threat among many, and it's kind of been the threat de jour. But that's what makes this space interesting as a practitioner and challenging as a business leader. ... While it's necessary to do your due diligence, things can change tomorrow. It gets to some of the other questions that you and I talked about. In the past, taking an approach where I prepare for everything, taking an approach where I focused on the perimeter defense, taking an approach where I'm focusing on 15,000 vulnerabilities, and I've got to figure out a way to kind of mitigate all of them - you can't do that anymore. You have to create anticipatory intelligence capability. You have to recognize that the perimeter is no longer the defense posture that you need to invest in. You have to get away from just fixing their vulnerabilities and start to really understand what your attack surface is. Where are the bad guys most likely going to go after you? As such, mitigate and prepare in those areas.
Difference in Attacker
CHABROW: Does it make a difference who the bad guy is - a hacktivist, criminal or nation-state?
LABARRE: Absolutely. We're seeing a proliferation of tools, but at some level, the ability for almost anyone to go out there and get a pretty highly valuable attack vector is becoming more commonplace. Despite that, you do very much see a difference in the maturity of nation-state attackers who have considerably more resources. They have the ability, from a longer-term perspective, to wage a campaign on you versus what I think we see more in some of the other organizations. They're trying for the easy win. They're figuring out the vectors that you can go in pretty quickly, make an attack and make a splash. If it works, it's great; if it doesn't, I'll move on somewhere else to try to make my point. I do think you're seeing a profound difference in who the actual actor is.
Using DDoS to Hide Other Attacks
CHABROW: As you look at DDoS attacks, are they camouflage for other kinds of attacks that might be going on at the same time? Or are they basically there just to provide the kind of disruption that we read about?
LABARRE: Honestly, I can't answer that in full disclosure to compromise anything that we're seeing with any individual organization, but I do think that's a good question to ask as a CISO of any organization when you see something coming in. Unfortunately, it does take a fair amount of resources now to combat some of these DDoS attacks. ... I would absolutely wonder if that's not a play that's basically getting me to look in one area and allowing some other things to come through.
That being said, what we're looking at is more mature. We're looking at a lot of the financial services institutions out there. They have disciplined and comprehensive programs that I wouldn't be as worried about. ... Now, when I get to smaller organizations, or I get to sectors like healthcare that haven't traditionally had the investment, any noise in the system's going to be a distraction. It could open up another door.
CHABROW: If you do the proper risk assessment, that could prevent you from being distracted by some of this noise out there, right?
LABARRE: That's a great question. Actually, you can take the lessons learned from what financial services has been doing the last couple of years and essentially not waste your time. I go back to getting away from the mentality of a perimeter defense, getting away from a myopic focus on just looking at vulnerabilities. Be smart about what you're doing. Focus on the intelligence out there that tells you where you could be attacked. Look at the attack itself and figure out how to protect that. You can do it a lot less expensively than financial services has done traditionally in the past.