All online businesses should develop a mitigation playbook to minimise the disruption and confusion that typically occurs at the outset of a DDoS attack. In simple terms, a playbook is a rehearsed and tested plan that outlines in detail who in an organisation needs to be involved in the event of a DDoS attack, their roles and responsibilities, as well as a detailed communications strategy.
DDoS attacks are deliberate, targeted events that happen every day, and they demand a preparedness plan much like the one homeowners make for hurricane season. When the hurricane inevitably hits, prepared homeowners do not panic, because they know what to expect and which steps to take to protect their investment.
Building a proven playbook
I recommend that companies work with their DDoS mitigation service provider to create a simulated DDoS attack, or dry run, that makes no actual changes to the network. This lets management see the best way to handle both internal and external communications when confronted with a DDoS attack. The incident response team works through the scenario end to end without any live traffic being generated or any production change being made, much like a military training drill in which no live ammunition is used.
Depending on the size and complexity of the organisation, this type of dress rehearsal can be completed in a little more than an hour, or somewhat longer if the company's incident response plan has additional requirements. Executive management will come away knowing how long it actually takes to put the mitigation plan into action. Following the exercise, the gaps and delays it exposed can be corrected so that the action plan becomes rapid, repeatable and predictable.
Optimising communications during attack events
To streamline communications and ensure a fast, controlled response to DDoS attacks, I recommend that organisations focus on three critical areas of communications:
- Managing communications
DDoS attacks have an impact not just on IT, but on all users of the company’s services, including non-technical departments. It should be clear who is to be called and what to do when issues arise during a DDoS attack. I advise incident response teams to have a single point of contact for relaying information and sending short Twitter-like updates internally across the organisation. These notes should be confidential and help people understand what is going on during the attack so that they don’t panic and create an additional internal crisis.
- Identifying key contact persons
The main goal of the playbook is to eliminate organisation-wide panic that can delay the mitigation response when a DDoS attack occurs, so it is vitally important that the right people be notified of the attack immediately. By completing a simulation exercise, everyone in the triage team will understand what their role is in the DDoS mitigation process, what changes they need to make to the network, and how they can continue to maintain business as usual even when some resources are unavailable.
- Organising information for easy, fast accessibility
Something as simple as keeping the names and phone numbers of all key contacts in a single place, available offline and not only on systems that may themselves be unreachable during the attack, can save valuable time. This facet of the DDoS mitigation process is all about containment and order: turning a DDoS attack from a major disaster into a routine incident that is handled according to the well-rehearsed playbook.
As part of the playbook, I recommend outlining procedures and policies for setting up teleconference bridges. Typically, these would include:
- A Mitigation Bridge – primarily for engineers to coordinate and monitor mitigation efforts
- A Troubleshooting Bridge – primarily for engineers and application owners to investigate any problems arising during on-ramping (the redirection of traffic through the mitigation provider's scrubbing infrastructure)
- A Security Emergency Response Team (SERT) Bridge – primarily for security and forensics participants
When everyone in an organisation, not just IT staff, understands what it is really like to be under a DDoS attack before one actually occurs, they will be able to face the real event with more confidence, control and calm. As a result, the DDoS mitigation process will go more smoothly and the return to business as usual will be faster. That is why I advise all of my customers to prepare for the real thing with a simulated DDoS incident and to incorporate DDoS into their incident response plan.