A DDoS Security Control Framework Version 1.0 Student name : Lars Drost Student # : 1673726 Thesis number : 2040 Date : 31 March 2015 Version : 1.0 Final



Vrije Universiteit Amsterdam (VU), Faculty of Economics and Business Administration

POSTGRADUATE THESIS

A DDoS Security Control Framework, October 2014 – March 2015

AUTHOR
Lars Drost, MSc. (1673726)
Lange Vijfmatlaan 64, 2035 LG Haarlem, [email protected]

THESIS SUPERVISOR
Paul Harmzen RE RA
Partner, Control Solutions International
De Boelelaan 1105, 1081 HV Amsterdam, [email protected]

SECOND SUPERVISOR
ir. Shyam Soerjoesing RE CISA, Senior Manager IT Risk & Assurance
Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands, [email protected]

© Copyright 2015. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in any information storage and retrieval system, without permission in writing from the author.


PREFACE

This research marks the end of the Postgraduate IT Audit degree of the Vrije Universiteit Amsterdam (VU). The research process went through ups and downs. In the beginning of the research it was difficult to find literature that was suitable for the topic chosen. There is no framework of any form that specifically deals with DDoS. Much of the academic literature deals with types of attacks or measures that can be taken, but these elements needed to be put together to establish a DDoS-specific framework. When I found the NIST framework, which is used as a basis for the DDoS Security Control Framework established in this research, the research started to take off.

DDoS is a topic which has become more noticeable for everyone and has become an actual threat for organizations. By means of this research I wanted to offer organizations a framework which could give them guidance on how to deal with DDoS attacks and improve their DDoS strategies.

During this research I received support from several persons whom I would like to thank. The first person I would like to thank for his support is my Thesis Supervisor at the VU, Paul Harmzen. Paul has been very patient with me and has kindly provided his view and constructive input on certain elements included in the report and on the report as a whole.

I also want to extend my gratitude to Shyam Soerjoesing. Shyam is Senior Manager IT Risk & Assurance at EY and has been one of my biggest supporters during this research. He has invested much of his time in brainstorming with me and discussing the framework itself and the separate elements included in or underlying the framework. Without him this research would not have been the experience it has been.

Furthermore, I wish to express my sincere thanks and appreciation to all the interviewees from Ziggo, KNAB and EY for taking the time to take part in the interviews despite their busy schedules and for providing me with valuable insights to enhance the framework to what it has become.

Finally, I would like to thank my family, who have been motivating me from the very beginning to finalize my thesis. Special thanks go to my girlfriend, Sabien, who has provided me the time and support needed to be able to complete this thesis.

L. (Lars) Drost, MSc.


TABLE OF CONTENTS

1 INTRODUCTION
1.1 Research Context
1.2 Problem Definition
1.3 Research Questions
1.4 Academic Relevance
1.5 Stakeholders
1.6 Research Scope

2 RESEARCH METHODOLOGY
2.1 Research Design
2.2 Research Process
2.3 Structure Of This Thesis

3 THEORETICAL BACKGROUND
3.1 What is a DDoS attack?
3.2 The OSI model
3.3 The layering technique of the OSI model
3.4 Different types of DDoS attacks
3.4.1 Attacks on the application layer
3.4.2 Attacks on the presentation layer
3.4.3 Attacks on the session layer
3.4.4 Attacks on the network and transport layer
3.4.5 Attacks on the data link layer
3.4.6 Attacks on the physical layer

4 THE RISKS OF DDOS
4.1 Types of DDoS attacks
4.1.1 Volumetric attacks
4.1.2 Network layer attacks
4.1.3 Application layer attacks
4.1.4 Attacks on layer 3, 4 and 7
4.2 Different types of risks
4.2.1 Operational Risk
4.2.2 Reputational Risk
4.2.3 Data integrity Risk
4.2.4 Fraud Risk
4.3 Conclusion

5 ESTABLISHING THE FRAMEWORK
5.1 Framework for Improving Critical Infrastructure Cybersecurity
5.2 A dynamic framework
5.3 A dynamic DDoS Security Control Framework
5.3.1 The 'Identify' level
5.3.2 The 'Protect' level
5.3.3 The 'Detect' level
5.3.4 The 'Respond' level
5.3.5 The 'Recover' level
5.3.6 The 'Assess' level
5.3.7 The 'Adjust' level
5.4 How does the DDoS Security Control Framework cover the identified risks
5.5 How to apply the DDoS Security Control Framework

6 VERIFICATION AND VALIDATION OF THE DDOS SECURITY CONTROL FRAMEWORK
6.1 Verification and validation definition
6.2 Approach
6.3 Results
6.4 Conclusion

7 CONTRIBUTION AND CONCLUSION
7.1 Contribution
7.2 Conclusion Per Sub-Question
7.2.1 What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?
7.2.2 What are the security risks and impact imposed by Distributed Denial-of-Service attacks?
7.2.3 Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?
7.3 Conclusion On The Main Research Question
7.4 Further Research

8 APPENDIX
8.1 Bibliography
8.2 Subject Matter Experts
8.3 List of figures
8.4 List of Tables
8.5 DDoS Quick Guide


1 INTRODUCTION

This chapter provides a short introduction to this thesis. It describes the problem which is central to this thesis and introduces the research questions that need to be answered. This chapter also highlights the overall context of this research and its academic relevance, and defines the scope of and the stakeholders to this research.

1.1 Research Context

This thesis is a mandatory part of the Postgraduate degree of Register IT Auditor at the Vrije Universiteit Amsterdam, hereafter called VU. This thesis was written under the supervision of mr. P. Harmzen (FEWEB). Ernst & Young LLP, hereafter called EY, requires that its IT auditors obtain this degree in order to become a registered IT auditor. Due to this requirement, this degree forms a mandatory component of the personal development plan within the organization. The clients of EY are also confronted with a growing number of DDoS attacks. Therefore, the results of this research are relevant for the clients and for the work of an IT auditor, who has to ensure that the IT security of organizations is set up, monitored and assessed correctly.

1.2 Problem Definition

During the years 1997 till 2000 the internet hype skyrocketed and organizations were eager to make use of all the opportunities the internet has to offer them. The internet and its integration in the commercial and business world dramatically changed the way organizations do business nowadays. There are organizations that solely conduct their business on the internet, the so-called e-businesses, such as online auctions, social media organizations and online brokers. Besides the pure e-business organizations there are also organizations that use the internet as one of their primary sales and/or service channels, for example banks that offer their clients the possibility of online banking, organizations that offer online gaming and organizations that offer booking services. Because organizations have massively embraced the internet, they have also become dependent on the internet and their IT systems (Smits, 2011).

Threats to the network and information security of organizations have existed since the dawn of the information age, but the complexity and the scale of attacks on network and information security have grown and have become more intense. In recent years, organizations have been confronted with enormous challenges with regard to protecting and defending their vulnerable networks. Now that cyber-crime has become more lucrative, and far less risky, than illegal drug trafficking, it is hardly surprising that the level of criminal talent devoted to the Internet has risen tremendously (Symantec, 2009). Consequently, threat levels and attack impact have skyrocketed. For example, in just a few years, Distributed Denial-of-Service (DDoS) attacks have jumped in size from dozens to hundreds of gigabits per second (Prolexic, 2013) (Prolexic, 2014) (Arbor Networks, 2014).


Recent studies show why DDoS attacks have skyrocketed over the last few years. Nowadays everybody can buy a DDoS attack as a service online for a price as low as 10 US$ for one hour, 150 US$ for an attack lasting a week and 1,200 US$ for an attack lasting a month (Goncharov, 2012) (Arbor Networks, 2013). Besides the opportunity to buy a DDoS attack, there is also the possibility to buy your own DDoS botnet for prices up to 700 US$ (Goncharov, 2012). These developments make it relatively easy for anyone to launch a DDoS attack. Based on this information the question is not if a company will be attacked by DDoS, but when.

Verisign (Verisign, 2012) conducted an online survey amongst 225 IT executives and decision makers in the US from large and medium-sized organizations. More than half of the respondents (53 percent) experienced web infrastructure downtime in the past year, with DDoS attacks accounting for one third (33 percent) of all downtime incidents (please refer to figure 1). A surprising 15 percent of the 76 percent of respondents with an e-commerce platform reported having no DDoS solution in place, while 33 percent reported they had experienced three DDoS attacks in the past 12 months that lasted 7 hours on average. Of those who experienced DDoS attacks, three-quarters reported impact on their customers as the most common consequence, followed by impact on brand and revenue loss (please refer to figure 2).

Figure 1: Reasons for web infrastructure downtime over the last 12 months (2012)

Figure 2: Most common consequences of DDoS attacks

Due to these developments the risk of becoming the target of a DDoS attack has become huge and should not be underestimated. It is of significant importance that organizations implement security controls and (counter)measures to deflect and minimize the impact of a DDoS attack, as it can severely compromise the availability of their business and will lead to customer impact, employee productivity impact and revenue loss (Verisign, 2012). This thesis aims to provide insight into the different DDoS attack techniques and the risks associated with these attacks, and to design a comprehensive security control framework that can be used by organizations to implement controls and measures to deflect and minimize the impact of a DDoS attack, and that enables IT auditors to audit DDoS security control frameworks.

Figure 1 data (reasons for web infrastructure downtime, share of respondents): network outage 65%, power failure 51%, DNS failure 41%, hacker attack 37%, (D)DoS attack 33%.

Figure 2 data (most common consequences of DDoS attacks, share of respondents): impact on customers 75%, impact on brand 68%, revenue loss 65%.


1.3 Research Questions

This study will answer the following main research question:

With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service Attacks?

The main research question is subdivided into several sub-questions:
1) What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?
2) What are the security risks and impact imposed by Distributed Denial-of-Service attacks?
3) Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?

1.4 Academic Relevance

Besides its economic and practical relevance, this research also has academic relevance. This research aims to improve an existing (cyber-security) framework by integrating relevant, existing theories. The DDoS Security Control Framework, which is the end product of this thesis, provides a framework for organizations and also provides more insight into DDoS attacks and protection measures, and because of this, room for discussion and reflection on these attacks and the protection measures identified in academic literature.

1.5 Stakeholders

Based on the previous sections, the following stakeholders to this research can be identified: main stakeholders and other stakeholders.

Main stakeholders: stakeholders that have a direct benefit from this research.
· Postgraduate IT Audit Department of the VU; their interest lies in the contribution this research makes to the academic relevance of this research field.
· EY IT Risk and Assurance (ITRA) practice; within the ITRA practice there is a group which focuses on IT Security solutions. As there is no standard security control framework for DDoS at this time, their interest lies in the DDoS Security Control Framework. The framework offers them insights that will lead to new advisory and audit opportunities within the field of IT Security.

Other stakeholders: stakeholders that have a general interest or a need for further research.
· NOREA, the professional association for IT auditors; DDoS attacks have already been pinpointed as one of the risks that need attention within the field of IT Audit.
· (External) IT Auditors; the framework will provide them with guidance to provide advisory and audit services related to the DDoS domain.
· Organizations which offer web services; the DDoS Security Control Framework will provide them with guidance and insights on which control measures to implement and how to maintain their framework to be able to deflect and/or minimize the impact of a DDoS attack.


1.6 Research Scope

The aim of this research is to develop a 'building block' for the IT control framework which specifically focuses on DDoS. It is therefore assumed that an IT control framework is already in place which contains the fundamental organizational, procedural and technical controls based on a well-known and accepted framework, for example COBIT. Because of this aim this thesis will only focus on DDoS measures and not on any other (cyber-)security related issues.


2 RESEARCH METHODOLOGY

In this chapter the focus will be on the research design, the preparations taken, the data collected and the analysis and sharing of this research.

2.1 Research Design

The research design is the conceptual structure of this research and forms a blueprint on how to achieve the overall objective and answer the relevant research questions. Proper documentation of this process allows other researchers to adapt and replicate this research by providing sufficient information. To make sure that this is a proper research that meets the relevant academic standards, the case study approach of Robert K. Yin is chosen as research design. This approach contains a collection of scientific methods which enables a researcher to achieve the research objective (Yin, 2013). The case study approach is comprised of the following processes:

Figure 3: A visual representation of the case study approach

2.2 Research Process

Now that the research design has been chosen, the specific activities relevant for this research need to be set out. These activities form a path which needs to be followed during the research period and set out the goals and objectives that need to be achieved along the way and in the end. Figure 4 provides a conceptual schema of this research process.


Figure 4: A schematic overview of the research process. The original is a diagram; its contents are listed here.

Phases: Plan, Design & Prepare; Collect; Analysis; Share.

Steps, with document location and goal:
· CH01: define problem, research question, objectives & goals.
· CH02: define research design; prepare planning for execution.
· CH03: literature study on Distributed Denial-of-Service attacks. Goal: SQ1, "What is a Distributed Denial-of-Service attack and why does this trend require proper considerations?"
· CH04: risk assessment of Distributed Denial-of-Service attacks. Goal: SQ2, "What are the security risks and impact imposed by Distributed Denial-of-Service attacks?"
· CH05: security control framework for Distributed Denial-of-Service attacks. Goal: SQ3, "Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service Attacks?"
· CH06: verification and validation of the DDoS Security Control Framework (case study).
· CH07: conclusion. Goal: the main research question, "With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service Attacks?"

2.3 Structure Of This Thesis

This thesis consists of five further chapters that cover the previously described research process.
· Chapter 3 provides a theoretical background to the research. This chapter introduces the theories used in this thesis to establish and modify the DDoS Security Control Framework.
· Chapter 4 provides an overview of the most important risks associated with DDoS.
· Chapter 5 describes the steps taken to develop and establish the DDoS Security Control Framework, and the framework itself.
· Chapter 6 describes the verification and validation of the DDoS Security Control Framework. The framework is verified and validated by interviews conducted with subject matter experts in the field of DDoS and cyber security.
· Chapter 7 describes the economic and academic contribution made by this research and the answers to the research questions described in chapter 1 of this thesis.


3 THEORETICAL BACKGROUND

This chapter describes the theoretical background to the main research question. It provides a brief overview of what a DDoS attack is and of the different types of DDoS attacks that can be performed. To provide an understanding of the types of attacks, the OSI layer is added to the context, which gives insight into the location of the attack. Finally a brief overview of the attack types per layer is given.

The Open Systems Interconnection Reference Model, or OSI model in short, will form the basis of this chapter. The reason for choosing the OSI model as the basis for this chapter is that the OSI model is a commonly accepted standard and the best-known and most referred-to network model (Fitzgerald & Dennis, 2009), which makes this thesis more accessible to read since most people will be familiar with this model. The OSI model will be discussed in more detail in this chapter, but first the basic question 'what is a DDoS attack?' will be discussed.

3.1 What is a DDoS attack?

A DDoS attack, also known by its full name 'distributed denial-of-service' attack, is a "large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers on the Internet" (EC-Council, 2010). The services that are being attacked are the services of the victim, also known as the 'primary victim'. The compromised systems that are used for the launch of the attack are often seen as 'secondary victims', since the attack (mis)uses the compromised systems to wage a larger and more disruptive attack while at the same time shielding the attacker, which makes it more difficult for the primary victim or the authorities to track the attacker down.

An attack generally consists of four steps. The first step is that the DDoS attacker writes malware (a 'virus' in the cited description) that will send packets, for example ping (ICMP echo) packets, to a target network or website. The second step is to infect as many systems as possible and turn them into so-called 'zombies'. The third step is to launch the attack by waking up the zombie systems, and the last step is that the zombie systems attack the target website or network until they are disinfected (EC-Council, 2010) (McDowell, 2013).
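The defining property in the definition above is that the traffic arrives from many compromised hosts at once, which is also what distinguishes a DDoS from a single-source flood in the data. The following detector is an added example, not code from the thesis or from any of the cited sources: it reads NetFlow-style records (the format, the thresholds, the 10-second window and the sample records are all assumptions constructed for this illustration), groups them per destination and time window, and raises an alert only when one destination sees both many distinct sources and a high packet count in the same window. A single noisy source is deliberately left unflagged to show the 'distributed' criterion at work.

```python
"""Added example (not part of the thesis): flagging a distributed flood in flow records.

Section 3.1 describes a DDoS attack as many compromised hosts ('zombies')
directed at one primary victim. The detector below groups NetFlow-style
records into fixed time windows per destination and raises an alert when
one destination sees both an unusual number of distinct sources and an
unusual packet volume in the same window. A single chatty source is not
flagged, which is the 'distributed' criterion at work. The record format,
the thresholds and the addresses are assumptions made for this illustration;
the sample records are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: "epoch_seconds src_ip dst_ip dst_port proto packets".
# Lines 1-4: normal traffic. Lines 5-16: twelve zombies hit one target in
# the same 10-second window. Line 17: one noisy source sends many packets.
SAMPLE_FLOWS = """\
1700000000 203.0.113.10 198.51.100.5 443 TCP 12
1700000002 203.0.113.11 198.51.100.5 443 TCP 8
1700000005 203.0.113.12 198.51.100.5 443 TCP 15
1700000011 203.0.113.10 198.51.100.5 443 TCP 10
1700000020 192.0.2.1 198.51.100.7 80 TCP 40
1700000020 192.0.2.2 198.51.100.7 80 TCP 40
1700000021 192.0.2.3 198.51.100.7 80 TCP 40
1700000021 192.0.2.4 198.51.100.7 80 TCP 40
1700000022 192.0.2.5 198.51.100.7 80 TCP 40
1700000023 192.0.2.6 198.51.100.7 80 TCP 40
1700000024 192.0.2.7 198.51.100.7 80 TCP 40
1700000025 192.0.2.8 198.51.100.7 80 TCP 40
1700000026 192.0.2.9 198.51.100.7 80 TCP 40
1700000027 192.0.2.10 198.51.100.7 80 TCP 40
1700000028 192.0.2.11 198.51.100.7 80 TCP 40
1700000029 192.0.2.12 198.51.100.7 80 TCP 40
1700000031 203.0.113.99 198.51.100.5 443 TCP 5000
"""


@dataclass(frozen=True)
class FloodAlert:
    window_start: int
    dst_ip: str
    dst_port: int
    distinct_sources: int
    packets: int


def parse_flows(text):
    """Parse the whitespace-separated records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, pkts = line.split()
        flows.append((int(ts), src, dst, int(port), proto, int(pkts)))
    return flows


def detect_floods(flows, window=10, min_sources=10, min_packets=50):
    """Return one FloodAlert per (window, destination, port) that exceeds both thresholds."""
    buckets = defaultdict(lambda: [set(), 0])  # key -> [distinct sources, packet count]
    for ts, src, dst, port, _proto, pkts in flows:
        key = (ts - ts % window, dst, port)
        buckets[key][0].add(src)
        buckets[key][1] += pkts
    alerts = []
    for (start, dst, port), (sources, packets) in sorted(buckets.items()):
        if len(sources) >= min_sources and packets >= min_packets:
            alerts.append(FloodAlert(start, dst, port, len(sources), packets))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Running the block on the constructed sample yields exactly one alert, for 198.51.100.7:80 in the window starting at 1700000020 with 12 distinct sources and 480 packets; the 5,000-packet burst from 203.0.113.99 is not reported because it comes from one source. In practice the thresholds would be derived from a baseline of the organization's own traffic rather than fixed constants, and the source count must be read with the caveat that spoofed source addresses inflate it.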


Figure 5: A visual representation of a DDoS attack (Science & Lifestyle, 2012)

Now that the basic principles of a DDoS attack have been discussed, the focus will be on the OSI model and the different categories and types of DDoS attacks.

3.2 The OSI model

In 1947 the International Organization for Standardization, better known as 'ISO', was established. The goal of ISO is to reach worldwide agreement on international standards. Due to the need for worldwide standards for heterogeneous information networks, ISO in 1977 established a new subcommittee for open systems interconnection (SC16). The objective of SC16 was to come up with the standards that were required for open systems interconnection. Discussions in this committee led to a layered architecture that could meet the requirements for open systems interconnection at the time, but could also be expanded in the future when needed. In 1983 this layered architecture was introduced by ISO as the OSI model. The OSI model covers all elements of network communication and can be used for understanding and designing a network that is flexible, interoperable and robust (Tanenbaum, 2002).


The OSI model consists of seven layers:

Figure 6: The seven layers of the OSI model, from top to bottom: 7. Application Layer, 6. Presentation Layer, 5. Session Layer, 4. Transport Layer, 3. Network Layer, 2. Data Link Layer, 1. Physical Layer

The layers of the OSI model are discussed separately below in more detail (Tanenbaum, 2002) (Blank, 2004) (Fitzgerald & Dennis, 2009):

Physical layer. This layer determines how the bits of data that are sent and received are moved along the network. This layer takes bits of data off the wire and puts them on the wire. Examples of the physical layer are Ethernet and FDDI (both of these standards also specify a MAC sublayer, so they span layers 1 and 2).

Data Link layer. In this layer the data is prepared for delivery to the network. The data link layer consists of two sub-layers: (I) the logical link control or LLC sublayer and (II) the media access control or MAC sublayer. The LLC sublayer is the interface between the network layer protocols and the media access method, such as token passing or Ethernet. The MAC sublayer is in charge of the connection to the physical media, such as the coaxial cabling. Examples of the data link layer are PPP and IEEE 802.5/802.2.

Network layer. Routing is performed by the network layer. In this layer it is determined to which computer the message should be sent next to make it follow the best route possible through the network. Examples of the network layer are IP and IPX.

Transport layer. The end-to-end issues are dealt with by the transport layer. Logical connections for the transport of data between the place of origin and the final destination are established, maintained and terminated by this layer. It controls the flow of data to ensure that no system is overflowing with the data it receives. The transport layer together with the network layer forms one group of layers known as the 'internetwork group' or 'internetwork layer'. Examples of the transport layer are TCP and SPX.

Session layer. Managing and structuring all sessions is the responsibility of the session layer. Sessions can be the performance of a security check but also the transfer of files from one application to another. Examples of the session layer are SQL and RPC.

Presentation layer. The formatting of the data for presentation to the user is done by the presentation layer. It gives more structure to the data that is being exchanged by formatting and editing the input and output of users. The main task of this layer is to make sure that the data exchanged is in a form that is understood by the receiving system. Examples of the presentation layer are JPEG and GIF.

Application layer. This layer provides network access to the end-user. It manages the communication between applications. Everything in the application layer is application-specific and it provides services for network software such as e-mail and websites. This is the layer of the model in which applications request and receive data. Examples of the application layer are HTTP and FTP.

3.3 The layering technique of the OSI model

The layering technique used in the OSI model enables people to view open systems as systems logically composed of a succession of layers. Each layer is considered to be logically composed of a succession of subsystems. In the OSI system any layer is referred to as the (N) layer, while the layer above the (N) layer is referred to as the (N+1) layer and the layer below the (N) layer is referred to as the (N-1) layer. At each (N) layer, two layers (layer N peers) exchange protocol data units through a layer N protocol (Saxena, 2014).

Figure 7: The layering technique of the OSI model (the (N+1), (N) and (N-1) layers)


The basic principle of OSI layering is that each layer adds value to the services provided by the layers below that particular layer. Based on this principle the highest layer constitutes the set of services which are needed for the distribution of applications (Saxena, 2014).

3.4 Different types of DDoS attacks

The basic idea behind a DDoS attack is to identify a weakness and create a mass-exploit in an effort to compromise the system. Per layer of the OSI model different types of DDoS attacks can be identified. The National Cybersecurity and Communications Integration Center of the U.S. Department of Homeland Security published a DDoS Quick Guide (we refer to 8.5) (National Cybersecurity and Communications Integration Center, 2014). The DDoS Quick Guide provides an overview of the types of DDoS attacks per OSI layer. These techniques per layer and also some additional examples will be discussed below in more detail.

3.4.1 Attacks on the application layer

Attacks on the application layer concentrate around protocols such as HTTP. Two commonly known attacks are the HTTP Post attack and HTTP Get Flooding.

HTTP Post attack
If an attacker launches a (slow) HTTP Post attack, the attacker sends POST headers with a legitimate “content-length” field that informs the web server of the amount of data that is arriving. Once the POST headers are sent, the message body is sent at a slow speed, which results in a gridlock of the connection and exhaustion of the server resources.

HTTP Get Flooding
An HTTP Get Flooding request attack is launched by sending a large number of HTTP Get requests to the target web server to exhaust the resources of the target web server (Yang, 2014). Due to the fact that these requests have legitimate content and are sent via normal TCP connections, the server treats these requests as normal requests until its resources are exhausted (Kim, 2013).
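Both application-layer attacks described above leave a measurable trace on the server side: a GET flood is a normal-looking request stream with an abnormal rate per client, and a slow POST is a connection whose body arrives far more slowly than its content-length header promised. The following Python script is an added example written for this page, not code from the thesis or from any of its sources; the access-log format, the connection snapshot, the thresholds and every IP address in it are constructed assumptions.

```python
"""Application-layer DDoS detection on constructed log data.

Added example, not part of the thesis: it shows how the two attacks described
in section 3.4.1 (HTTP GET flooding and the slow HTTP POST attack) can be
recognised from the server side. The log format, the connection snapshot,
all thresholds and all IP addresses are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def build_sample_access_log():
    """Constructed log: one normal client and one client sending a GET flood."""
    lines = []
    for sec in (1, 4, 9):  # legitimate client: three requests in ten seconds
        lines.append(
            f'10.0.0.5 - - [31/Mar/2015:10:00:{sec:02d} +0000] '
            f'"GET /index.html HTTP/1.1" 200 512'
        )
    for i in range(120):  # flooding client: 120 GET requests in the same ten seconds
        lines.append(
            f'203.0.113.7 - - [31/Mar/2015:10:00:{i % 10:02d} +0000] '
            f'"GET / HTTP/1.1" 200 512'
        )
    return lines


def detect_get_flood(lines, window_s=10, max_requests=60):
    """Return the client IPs that sent more than max_requests GET requests
    inside any single window of window_s seconds (the GET flood signature:
    well-formed requests over normal TCP connections, but far too many)."""
    counts = defaultdict(int)  # (client ip, window index) -> GET requests
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], int(ts.timestamp()) // window_s)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > max_requests})


# Constructed snapshot of the POST requests currently open on the server:
# (connection id, client ip, declared Content-Length, body bytes received so far,
#  seconds since the headers arrived).
OPEN_POSTS = [
    ("c1", "10.0.0.9", 2048, 2048, 1.2),              # upload already complete
    ("c2", "10.0.0.12", 5_000_000, 1_200_000, 30.0),  # big but healthy upload, 40 kB/s
    ("c3", "198.51.100.4", 1_000_000, 300, 60.0),     # 5 bytes/s for a minute: slow POST
    ("c4", "198.51.100.4", 1_000_000, 240, 48.0),     # second slow connection, same client
    ("c5", "10.0.0.20", 4096, 100, 2.0),              # just started, still in grace period
]


def detect_slow_post(conns, grace_s=10.0, min_rate_bps=1000.0):
    """Return (connection id, client ip, bytes/s) for every open POST whose
    body is arriving far more slowly than its Content-Length header promised.
    Connections younger than grace_s are ignored so that a briefly slow link
    is not flagged on a single sample."""
    suspicious = []
    for cid, ip, declared, received, open_s in conns:
        if received >= declared or open_s <= grace_s:
            continue
        rate = received / open_s
        if rate < min_rate_bps:
            suspicious.append((cid, ip, round(rate, 1)))
    return suspicious


if __name__ == "__main__":
    print("GET flood sources:", detect_get_flood(build_sample_access_log()))
    print("slow POST connections:", detect_slow_post(OPEN_POSTS))
```

The window counter needs no per-request state beyond the counts, so it can run over a live log tail; the slow-POST check instead needs the server or reverse proxy to expose per-connection progress, and the grace period and minimum rate must be tuned to the slowest legitimate clients the service expects.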

3.4.2 Attacks on the presentation layer

Attacks on the presentation layer are malformed Secure Socket Layer (SSL) attacks. SSL provides security in web services and nowadays most online transactions are protected by SSL. During a transaction there is a session of the network layer for the SSL handshake after the TCP handshake is finished. During the SSL handshake messages are exchanged between both communicating entities to validate their authenticity. Several attacks make use of this SSL handshake to exhaust server resources. One example is the ‘Pushdo’ botnet attack. This type of attack sends garbage data to the target SSL server, which generates extra workload for the server now that it has to process the garbage data as a legitimate handshake. As a result the server may restart the SSL connections or even stop accepting them at all (Kumar, 2004).


3.4.3 Attacks on the session layer

Attacks on the session layer exploit the logon and logoff protocols. An example of a DDoS attack on the session layer is a Telnet attack. A Telnet application enables a system to remotely communicate with a counterpart. Telnet attacks can be sub-divided into three categories: (i) Telnet communication sniffing, (ii) Telnet brute force attack and (iii) Telnet DoS (Denial of Service). Since the last category concerns DoS attacks, this category will not be discussed.

Telnet communication sniffing
Due to the fact that the Telnet protocol lacks encryption it is very easy for an attacker to sniff the communication between the network device and the remote device, since it is in plain text. An attacker can see how the device is configured and see which password was used to gain access to the device. Due to this problem SSH is now used as a default in many cases, since SSH does encrypt the communication. Because of this change this attack became less effective.

Telnet brute force attack
When an attacker wants to gain remote access to a network switch the attacker can use a Telnet brute force attack. To retrieve the password used, the attacker will design a program which will try to establish a Telnet communication session by using for example a dictionary or by creating sequential character combinations in attempts to guess the password and gain access (Popeskic, 2011).

3.4.4 Attacks on the network and transport layer

Attacks on the network and transport layer, also known as network infrastructure attacks, are always attacks that contain an extremely high number of packets or data with the goal to consume bandwidth, slow down the web server and prevent users from getting access. SYN flood attacks, teardrop attacks and Internet Control Message Protocol (ICMP) flooding are layer 3 and 4 attacks. When an attacker starts a SYN flood attack he sends an unlimited number of SYN (synchronized) packets to the host system, but never responds, which results in phantom connection requests which overwhelm the target, making it unable to respond to real SYN requests.

A teardrop attack is an attack in which the attacker sends fragments, or teardrops, of packets to the target. These ‘teardrops’ have bad values in them. Due to these bad values the target system crashes when it tries to reassemble the fragments.

ICMP flooding is an umbrella term for a variety of attacks that use ICMP. Examples of ICMP flooding attacks are the Smurf attack, the Ping of death and the Ping flood:

Smurf attack
A Smurf attack is an attack in which the attacker uses a software program to send ICMP packets to a large number of network hosts on the Internet. By default most network devices will respond to this by sending a reply. Due to the large number of responses the system crashes or gets paralyzed (Cao, 2014).

Ping of death
In case of a ‘Ping of death’ the attacker sends an extremely large echo packet to its target, of a size of which he knows the target cannot accept it. As a result, the target crashes.

Ping flood
The Ping flood is related to the ‘Ping of death’. In case of a Ping flood an extremely high number of ICMP packets are sent to the target by the attacker with the goal to overwhelm the target. Nowadays the Ping flood is no longer useful as a DoS attack, but as a DDoS attack it is still proven to be a very effective attack due to the large number of coordinated source systems attacking one single target (Easttom, 2014).
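The defining trace of the SYN flood described above is the phantom connection request: a SYN that is never followed by the client's ACK, so the half-open entry sits in the listen backlog until it times out. The Python script below is an added example written for this page, not code from the thesis or its sources; it replays a constructed packet trace and counts stale half-open handshakes per source, which is the quantity a detector or a SYN-proxy appliance would watch. The trace layout, the timeout, the threshold, the backlog size and all IP addresses are assumptions made for the example.

```python
"""SYN flood detection by tracking half-open TCP handshakes.

Added example, not part of the thesis: it demonstrates the observation from
section 3.4.4 that a SYN flood leaves connection requests that are never
completed. The packet trace, its field layout, the timeout, the threshold,
the backlog size and all IP addresses are constructed assumptions.
"""
from collections import defaultdict


def build_sample_trace():
    """Constructed packet trace as seen by the target web server:
    (timestamp in seconds, source ip, source port, tcp flag 'S' or 'A')."""
    pkts = []
    for i, port in enumerate((40001, 40002, 40003)):  # normal client: SYN then ACK
        pkts.append((1.0 + i, "10.0.0.5", port, "S"))
        pkts.append((1.05 + i, "10.0.0.5", port, "A"))
    for n in range(50):  # two flooding sources: SYNs that are never acknowledged
        pkts.append((2.0 + n * 0.01, "198.51.100.9", 1024 + n, "S"))
        pkts.append((2.0 + n * 0.01, "198.51.100.10", 1024 + n, "S"))
    return pkts


def half_open_by_source(packets, now, syn_timeout=3.0):
    """Replay the trace and return {source ip: half-open connections}, i.e.
    SYNs from that source whose handshake was not completed by an ACK on the
    same (ip, port) and that are at least syn_timeout seconds old at `now`."""
    pending = {}  # (src ip, src port) -> time the SYN arrived
    for ts, src, sport, flag in sorted(packets, key=lambda p: p[0]):
        key = (src, sport)
        if flag == "S":
            pending[key] = ts
        elif flag == "A" and key in pending:
            del pending[key]  # three-way handshake completed
    half_open = defaultdict(int)
    for (src, _), ts in pending.items():
        if now - ts >= syn_timeout:
            half_open[src] += 1
    return dict(half_open)


def detect_syn_flood(packets, now, max_half_open=20, syn_timeout=3.0):
    """Sources holding more than max_half_open stale half-open connections."""
    counts = half_open_by_source(packets, now, syn_timeout)
    return sorted(src for src, n in counts.items() if n > max_half_open)


def backlog_pressure(packets, now, backlog=128, syn_timeout=3.0):
    """Fraction of a listen backlog of `backlog` entries occupied by stale
    half-open connections: the resource the flood is trying to exhaust."""
    total = sum(half_open_by_source(packets, now, syn_timeout).values())
    return min(1.0, total / backlog)


if __name__ == "__main__":
    trace = build_sample_trace()
    print(half_open_by_source(trace, now=10.0))
    print("SYN flood sources:", detect_syn_flood(trace, now=10.0))
    print("backlog pressure:", backlog_pressure(trace, now=10.0))
```

Per-source counting only works when the flood reuses a small set of source addresses; with fully spoofed sources each address shows a single half-open entry, and then the total backlog pressure, not the per-source count, is the signal that the stack is being starved.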

3.4.5 Attacks on the data link layer

MAC flooding is an attack targeting the data link layer. MAC flooding is an attack launched to compromise the security of network switches. The MAC flooding is caused by sending a huge amount of ARP replies, each of them containing a different source MAC address, to the switch. As a result the CAM table of the switch is overloaded. When the switch is flooded, it switches into the so-called ‘hub mode’. When the switch is in the hub mode it will forward the traffic to every computer connected to the network. After a successful MAC flooding attack, an attacker can use a so-called sniffer to retrieve sensitive data that is transmitted between network hosts. This would not be possible with a switch that is functioning normally (Baloch, 2014).

3.4.6 Attacks on the physical layer

Attacks on the physical layer are attacks that result in physical destruction, obstruction, manipulation or malfunction of physical assets. An example of an attack on the physical layer is to launch a relatively simple DDoS attack targeting wireless networks by jamming or interfering with communication within these wireless networks (Gu, 2012).


4 THE RISKS OF DDOS

In order to set up an effective framework and, with that, effective measures to fight off a DDoS attack, it is essential to understand the various DDoS methods. Currently, a wide range of DDoS attacks can be identified that are used by attackers. These DDoS attacks, of which several were discussed in chapter three, can be divided broadly into three types.

Figure 8: Types of DDoS attacks (volumetric attacks, network layer attacks, application layer attacks)

4.1 Types of DDoS attacks

4.1.1 Volumetric attacks

In case of volumetric attacks the attacker sends a large amount of data to the targeted host in order to saturate the bandwidth. These attacks usually come in the form of UDP floods or ICMP floods (as discussed in chapter three). Volumetric attacks are the least sophisticated attacks as they simply overwhelm the host with data and do not rely on, for example, weaknesses in applications. Despite this, volumetric attacks are often very effective. Even if the traffic is easily filtered, it remains difficult and also expensive for organizations to effectively manage large amounts of data.

4.1.2 Network layer attacks

Network and transport layer attacks, also known as layer 3 attacks, make use of packets which are specifically made and designed to cause processes to be resource intensive, to make target devices respond slowly and/or to disrupt TCP state information. Examples of the layer 3 attacks are SYN floods and Teardrop attacks (as discussed in chapter 3). These attacks use much less bandwidth than the volumetric attacks and make use of the flaws in the protocols applicable to layer 3.

4.1.3 Application layer attacks

Application layer attacks or layer 7 attacks make use of weaknesses in an application, for example by exploiting layer 7 commands which cause the application to slow down its processing or even crash, and as a result the service of the application is disrupted. Most application layer attacks target HTTP. The layer 7 attacks are much more difficult to filter than layer 3/4 attacks and because of this require more measures, such as changes to web applications.



4.1.4 Attacks on layer 3, 4 and 7

As described above, almost all DDoS attacks initiated nowadays target either the network (network layer attacks), the network and transport layer (volumetric attacks) or the application layer (application layer attacks). The number of layer 7 attacks is increasing. This can be explained by the fact that layer 3/4 attacks are more easily detected and filtered, which makes the chance of success of layer 7 attacks much higher than that of layer 3/4 attacks. Layer 7 attacks are more sophisticated and can be very effective from a protocol perspective and at low traffic rates. These attacks are often ‘seen’ as legitimate. Based on the above described attack vectors, the layers which are at risk the most are the network, transport and application layer. As a result the protective measures discussed in chapter five and in the DDoS Security Control Framework will focus on these three layers (Kostadinov, 2013).

4.2 Different types of risks

As a working assumption the following risk formula is used:

Risks = Threats x Vulnerabilities x Impact.

Based on the attack descriptions a definition of the vulnerabilities is described. While threat levels and impact can differ per organization, the resulting risks can be categorized in the following (most important) types of risks: (i) operational risk; (ii) reputational risk; (iii) data integrity risk and (iv) fraud risk. The types of risks will be discussed below in more detail.

4.2.1 Operational Risk

In almost all cases the goal of a DDoS attack is to make services unavailable. Depending on the type of services provided, DDoS attacks can have a (significant) impact on customers and employee productivity. For example, a DDoS attack can make it impossible for customers to reach their online banking application or for employees to use their business applications. Due to the DDoS attack, an organization is unable to provide its services, which can result in significant revenue losses when the services cannot be provided for a longer period of time or if the organization provides an essential service and, in case of a service level agreement, violates the service level agreement when the organization affected by the DDoS attack is the service provider under the agreement. (Verisign, 2012) (Federal Financial Institutions Examination Council, 2012)

4.2.2 Reputational Risk

Another important risk associated with DDoS attacks is the reputational risk. If organizations cannot provide their services, customers are impacted by that and their experience with the service will be affected negatively. When the organization is the target of multiple DDoS attacks, as we have seen with the large Dutch banks, customers will start ranking the services as unreliable and even rank the service below expectation. These negative experiences will negatively impact the brand and image of the organization and the reputation the organization has with its customers and within the market. (Verisign, 2012) (Federal Financial Institutions Examination Council, 2012)

4.2.3 Data integrity Risk

As systems are highly connected and dependent on internal and external data, connection disruptions or delays in data processing will impact data integrity. If one application in the business (data) processing network is attacked, the other applications are no longer capable of transferring data to the targeted application and the targeted application is no longer capable of transferring any data to any of the other applications within the business network. As a result the data is no longer accurate.

4.2.4 Fraud Risk

Besides the above mentioned risks there is an actual risk that is often overlooked, but could impact a company severely. This risk occurs when a hacker uses a DDoS attack as a diversion to draw the attention away from their actual goal. The DDoS attack could be coupled with a fraud attempt. In such cases organizations may also experience fraud losses, which might in turn result in liquidity and capital risks. For example, DDoS attacks have served as a diversionary tactic by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearing house transfers. (Federal Financial Institutions Examination Council, 2012)

4.3 Conclusion

To enable organizations to effectively use the DDoS Security Control Framework as set out in the next chapter of this thesis, it is essential that an organization is familiar with the different threats, vulnerabilities and the impact, which together translate into a specific risk associated with the organization and the services it provides. Familiarity with the DDoS methods enables the organization to recognize the DDoS attacks and familiarity with the DDoS risks makes the organization aware of its weaknesses and the consequences associated with the risks. Together they enable an organization to mitigate the risks associated with DDoS attacks.


5 ESTABLISHING THE FRAMEWORK

The previous chapter discusses different DDoS attacks per OSI layer. These attacks pose a threat to the IT systems of governments, companies, institutions and other entities, since DDoS attacks not only result in IT disruptions, but also in, for example, reputational damage. In order to become aware of the possible risks and to put effective measures in place, it is essential for entities to have a DDoS Security Control Framework in place.

5.1 Framework for Improving Critical Infrastructure Cybersecurity

The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce, introduced the Framework for Improving Critical Infrastructure Cybersecurity on 12 February 2014. The NIST framework, which was created through collaboration between industry and the U.S. government, consists of standards, guidelines and practices to promote the protection of critical infrastructure. The NIST framework is designed to help owners and operators of critical infrastructures to manage cybersecurity-related risk (National Institute of Standards and Technology, 2014). The NIST framework consists of five main functions:

Figure 9: Framework for Improving Critical Infrastructure Cybersecurity by NIST

• Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The NIST framework focuses on cybersecurity-related risks, which makes it too broad to be used as a DDoS specific framework, since DDoS is only a small piece of the cybersecurity-related risks faced by entities. The NIST framework provides organizations with structure and multiple approaches to cybersecurity which are known today, by assembling standards, guidelines and practices that are working effectively in the industry today. The fact that the NIST framework only focuses on the multiple approaches which are known today makes it static by nature. It does not take into account any future changes; it only provides information about the current situation an entity is in with regard to cybersecurity-related risks.

5.2 A dynamic framework

To improve the NIST framework and the processes it contains, the Deming Cycle, also known as the PDCA Cycle, is a tool that can be used. The Deming Cycle is a continuous improvement model to improve the quality of processes, which consists of four repetitive steps (Deming, 2000):

• Plan: Design and revise business process components to improve results.
• Do: Implement the plan and measure its performance.
• Check: Study the results.
• Act: Decide on the changes that need to be made to improve the process.

Figure 10: The Deming Cycle (Plan, Do, Check, Act)

If you review the NIST framework from a Deming Cycle perspective, the ‘Identify’ function together with a part of the ‘Protect’ function can be seen as the ‘Plan’ step. In case of DDoS you would identify, for example, which applications are in place and you would develop a plan to protect these applications against DDoS attacks. The ‘revise’ element from the ‘Plan’ step is not part of the Framework, due to its static nature. So, a ‘revise’ element should be incorporated into the Framework in order to make it more dynamic and compatible with the ‘Plan’ step of the Deming Cycle. The implementation as set out in the ‘Do’ step of the Deming Cycle is (partially) covered by the ‘Protect’, ‘Detect’ and ‘Respond’ functions of the NIST framework. The ‘Check’ step of the Deming Cycle is only partially covered by the ‘Recover’ function of the NIST framework. Due to the static nature of the NIST framework, the ‘Recover’ function only focuses on restoring the situation to the old situation before the DDoS attack occurred. The element of studying the results of the detection, responses and recovery and making a decision on which changes to make is not included in the ‘Recover’ function of the NIST framework.



In order to make the NIST framework more dynamic and better fitted to the Deming Cycle, two new functions are introduced: ‘Assess’ and ‘Adjust’. The new ‘Assess’ function of the NIST framework should focus on determining whether the detection of and the responses to the DDoS attacks are effective and whether the recovery of the system is good enough after the attack. The results collected during the ‘Assess’ function need to be used as part of the ‘Adjust’ function. Based on the results the organization needs to determine which changes need to be made to any of the other functions in order to improve its protection against, detection of, response to and recovery from a DDoS attack. Taking into account the changes to the NIST framework as described above, the dynamic framework will look as follows:

Figure 11: The seven function levels of the DDoS Security Control Framework

• Identify: Develop the organisational understanding to manage DDoS risk to systems, assets, data, and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect: Develop and implement the appropriate activities to identify the occurrence of a DDoS event.
• Respond: Develop and implement the appropriate activities to take action regarding a detected DDoS event.
• Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a DDoS event.
• Assess: Determine whether the previous DDoS functions functioned effectively and are able to cope with newly identified DDoS developments.
• Adjust: Determine which changes need to be made, based on the assessment results.

By adding the principles of the Deming cycle to the existing model, the framework is more dynamic, but further steps need to be taken to make the framework more specific for DDoS.


5.3 A dynamic DDoS Security Control Framework

In paragraph 4.1 of this thesis the most important OSI layers, namely the network, transport and application layer, and the risks associated with the DDoS attacks on these layers were identified. The three OSI layers and the risks identified form the basis for determining which measures against DDoS attacks should be included in the framework. The framework consists of three levels:

1. The function level: this level consists of all the function phases of the dynamic framework as described in paragraph 5.2;
2. The control type level: this level consists of the types of controls described below; and
3. The measures per type of control.

Although DDoS attacks can be linked to the different OSI layers, a framework that strongly focuses on these OSI layers would only cover technical infra components, which is too limited to establish a truly effective DDoS security control framework. Not only technical infra components, but also procedural components are important in the battle against DDoS attacks, as mitigating DDoS risks requires a combination of procedural and technical measures.

In order to keep the framework accessible and understandable for both technical and non-technical persons, the measures are not specified per OSI layer or risk, but per type of control. The framework contains the following types of controls:

· Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
· Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls.

There are a number of measures that organizations can take in order to prevent DDoS attacks, to detect attacks when they are happening and to respond to these attacks. The measures discussed in this research are adopted from existing research and publications: (Govcert.nl, 2006) (IntruGuard, 2008) (Govcert.nl, 2010) (Nationaal Cyber Security Centrum, 2012) (Nationaal Cyber Security Centrum, 2012) (National Cybersecurity and Communications Integration Center, 2014) (National Institute of Standards and Technology, 2014) (Verisign, 2014) and, if necessary, adjusted or expanded to make them suitable for this research and the specific topic this research covers.


5.3.1 The ‘Identify’ level

Figure 12: The identify level (Identify: Develop the organisational understanding to manage DDoS risk to systems, assets, data and capabilities.)

Relevance
In order to create an environment in which DDoS attacks are effectively detected and responded to, it is essential that an organization is familiar with its network infrastructure, data flows and the capacity within the network. To get familiar, an organization needs to develop an overview of its network and its key appliances. Only if an organization has such an overview can it effectively protect itself against DDoS attacks.

Goal
The goal of the measures at the ‘Identify’ level is to create a network scheme which contains all key appliances, data flows and bandwidth between these appliances, and that enables an organization to identify weaknesses within its network. Furthermore, it helps an organization to create awareness that availability and even integrity cannot be taken for granted and require serious attention.

Measures
To enable an organization to pinpoint DDoS related weaknesses within its network, certain steps need to be taken. These steps consist of measures that systematically map out the network components and identify critical areas that need to be protected. Possible measures are identified in more detail below.

Control type | #    | Measure
Procedural   | I1.1 | Physical devices and systems within the organization are inventoried.
Procedural   | I1.2 | Software platforms and applications within the organization are inventoried.
Procedural   | I1.3 | Organizational communication and data flows are mapped.
Procedural   | I1.4 | External information systems are catalogued.
Procedural   | I1.5 | Resources (e.g. hardware, devices, data and software) are prioritized based on their classification, criticality and business value.
Procedural   | I1.6 | Roles and responsibilities for the entire workforce and third-party stakeholders (e.g. suppliers, customers, partners) are established.
Procedural   | I1.7 | Future data center plans/roadmap: what elements are you planning on changing? How will these affect the complexity of your data center and do they present any new risks? Adding new hardware or services comes with many known and unknown challenges.
Procedural   | I1.8 | Identify storage requirements to be able to maintain log data when under a DDoS attack.
Procedural   | I1.9 | Based on the gathered data a risk assessment is performed to identify the DDoS related risks within the IT environment with the use of the overall network schema. As part of this assessment organizations need to address their risk appetite, define weaknesses within their network and determine the assets that require protection.

Table 1: Overview of possible measures at the identify level

5.3.2 The ‘Protect’ level

Figure 13: The protect level (Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.)

RelevanceThefirststepforanorganizationtoprotectthemselvesofbeingtargetedbyaDDoSattackistomakeitasunattractiveaspossibleforhackerstochoosethemastheirtarget.Numerousattacksareperformedbyhackersor scriptkiddieswhousestandard toolkits toperformtheir attack.Themajority of attacksusewell-knownvulnerabilities,whichorganizationscaneasilyprotectitselfagainst.Itisbestcomparedtoaburglarwhoseizesanopportunitybasedonthelikelihoodthatonetargetiseasiertobreakintothantheother.Sodowhatliesinyourspanofcontroltomakehackersgoforyourneighbors’propertyinfavorofyours.GoalThe ‘protect’ level focusses on which pre-emptive measures can be implemented tosafeguardanorganizationsnetwork.Thegoalofthesemeasuresistominimizethenumberofopportunities forhackerstoattacktheorganizationononehand.Ontheother, ithelpsorganizationtopreparethemselvesonhowtodealwithDDoSattackswhentheyareunderattackbyhavingaresponseplanthattellsthemhowtoreactandtherelevanttechniquesinplacethatprovidesthemwiththeabilitytocopewithDDoSattacks.MeasuresToenableanorganizationtohardenitsnetworkagainstDDoSattacks,protectivemeasuresneedtobeimplemented.Possibleprotectivemeasuresareidentifiedinmoredetailbelow.ControlType

# Measure

Proc

edur

al P1.1 Create baseline configuration of information technology/industrialcontrolsystemsandmaintainthesebaselines.

P1.2 Validate that information technology/industrial control systems aresetupaccordingtotheirrespectivebaseline.

P1.3 DDoSresponseplans(IncidentResponseandBusinessContinuity)arein

•Develop and implement the appropriate safeguards toensure delivery of critical infrastructure services.Protect

Page 28: A DDoS Security Control Framework - VUrORE · A DDoS Security Control Framework Version 1.0 Student name : ... , I wish to express my sincere thanks and appreciation to all the ...

ADDoSSecurityControlFramework

28

placeandmanaged.TheseplansneedtobedefinedscenariobasedTheseresponseplansneed tobe scenariobasedand specifywhichmeasuresneedtobetakentodealwiththespecifiedDDoSscenario.Furthermore,itneedstoclearlyspecifywhoperformswhat,howandwhenandwhohasmandatetotakecertaindecisions.

P1.4 DDoSrecoveryplans (IncidentRecoveryandDisasterRecovery)are inplaceandmanaged.

P1.5 The response and recovery plans are periodically tested (e.g. BulkVolumetricTesting).

P1.6 AgreementsrelatedtoDDoSareinplacewithnetworkproviderstoassistinblockingaDDoSattack.

P1.7 DDoS communication plans are in place and managed. Thesecommunicationsplans need to coverpublic relations, authorities, legalandclearlyspecifywhoperformswhat,howandwhen.

P1.8 Define (technical) measures according to the outcome of the riskassessmentperformedaspartofmeasureI1.9withinthe‘Identify’level.

Tech

nica

l

P1.9 A SYN proxy is implemented to ensure that under SYN flood, allconnectionrequestsarescreenedandonlythosethatarelegitimateareforwarded.

P1.10 AnomalyRecognition;byperforminganomalychecksonheaders, stateandrate,anappliancecanfilteroutmostattackpacketswhichotherwisewouldpasssimplefirewallrules.

P1.11 DarkAddressPrevention,IPaddressesthatarenotyetassignedbyIANAareblocked.

P1.12 White-list and black-list are maintained. Within network, there willalways be some IP addresses that you want to deny or allow. White-listing and Black-listing capability are useful during DDoS attack toensurethatsuchrulesarehonoreddespiterateviolationsorinspiteofrate-violations.

P1.13 Connection limiting; by giving preference to existing connections andlimiting the new connection requests. By limiting the number of newconnectionrequests,youcantemporarilygivetheserverrespite.

P1.14 Active verification; SYN Proxy combined with caching identifiedlegitimateIPaddressesintoamemorytableforalimitedperiodoftimeandthenlettingthemgowithouttheSYNproxy.Mustbecombinedwithrate limiting incasezombiesareable tocomplete3-way-handshakes toavoidmisuse.

P1.15 Implement anti-spoofing measures (e.g. unicast Reverse-PathForwarding(uRPF),Bogonlist,AccessControlList(ACL))toprotectoratleastreduce the likelihoodofsource IP spoofing takingplace (EG,NTP,SNMP,DNSetcetera).

P1.16 Firewalls are configured to apply filtering that monitors the traffic for certain protocols such as FTP and HTTP and examines whether the traffic meets the purpose of the RFCs.

P1.17 Firewall settings are configured which 'tell' the firewall what is normal behavior of a particular traffic flow, such as a maximum number of connections from one specific IP address.

P1.18 Systems are hardened to improve their performance during a DDoS attack; to this end an organization can configure the TCP/IP stack. To provide that performance the following configurations can be made:

· expansion of the TCP window size;
· expansion of the buffers for half-open sockets and for open sockets that wait for an 'accept' by the application; and
· reduction of the time-out value of the TIME_WAIT status.

P1.19 Implement adequate storage facilities to retain log files when under attack, so that forensics can still be performed afterwards.

P1.20 Firewalls are configured such that they monitor the maximum number of connections made from one IP address.

Table 2: Overview of possible measures at the protect level
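The interplay between a SYN proxy (P1.9), connection limiting (P1.13) and active verification (P1.14) is easier to see in working code than in three table rows. The following is an added example written for this edition, not code from the thesis or from any appliance vendor: a minimal SYN proxy that answers SYNs with a stateless SYN cookie, only forwards a connection to the real server once the client echoes the cookie in its ACK, caches verified sources for a limited time so they bypass the proxy, and caps the number of unverified handshakes per source and per second. The cookie construction, the secret, the time windows and the IP addresses are assumptions chosen for the example; real SYN-cookie encodings (Linux, BSD) differ.

```python
"""SYN proxy with SYN cookies, active verification and new-connection limiting.

Added example (not from the thesis). Illustrates measures P1.9, P1.13, P1.14.
"""
import hashlib
import hmac
import time

SECRET = b"rotate-me-regularly"   # assumption: per-proxy secret, rotated
VERIFIED_TTL = 60.0               # seconds a source stays in the verified table (P1.14)
NEW_CONN_LIMIT = 3                # unverified handshakes per source per window (P1.13)
WINDOW = 1.0                      # seconds
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip: str, src_port: int, dst_port: int, slot: int) -> int:
    """Stateless 32-bit initial sequence number derived from the 3-tuple, a
    coarse time slot and the secret: nothing is stored per half-open SYN,
    so a flood cannot exhaust a backlog table on the proxy."""
    msg = f"{src_ip}:{src_port}>{dst_port}@{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class SynProxy:
    def __init__(self, now=time.monotonic):
        self.now = now
        self.verified = {}    # src_ip -> expiry timestamp (active verification cache)
        self.attempts = {}    # src_ip -> (window_start, count) (connection limiting)
        self.forwarded = []   # handshakes handed to the real server

    def _slot(self) -> int:
        return int(self.now()) // 64   # cookies stay valid for roughly 64-128 s

    def on_syn(self, src_ip, src_port, dst_port):
        """Returns ("forward", None) for cached-legitimate sources, ("synack", isn)
        when the proxy answers the handshake itself, or ("drop", None)."""
        t = self.now()
        if self.verified.get(src_ip, 0) > t:
            self.forwarded.append((src_ip, src_port, dst_port))
            return "forward", None
        start, count = self.attempts.get(src_ip, (t, 0))
        if t - start >= WINDOW:
            start, count = t, 0
        if count >= NEW_CONN_LIMIT:
            self.attempts[src_ip] = (start, count)
            return "drop", None
        self.attempts[src_ip] = (start, count + 1)
        return "synack", syn_cookie(src_ip, src_port, dst_port, self._slot())

    def on_ack(self, src_ip, src_port, dst_port, ack_num) -> bool:
        """Third handshake step: the client must echo cookie+1. Only then is the
        connection forwarded and the source cached as verified."""
        slot = self._slot()
        for s in (slot, slot - 1):   # tolerate a slot boundary crossing
            if (syn_cookie(src_ip, src_port, dst_port, s) + 1) & MASK32 == ack_num:
                self.verified[src_ip] = self.now() + VERIFIED_TTL
                self.forwarded.append((src_ip, src_port, dst_port))
                return True
        return False


def simulate():
    """Constructed scenario: one legitimate client and one spoofing flood source."""
    clock = [1000.0]
    proxy = SynProxy(now=lambda: clock[0])
    # legitimate client completes the handshake through the proxy
    kind, isn = proxy.on_syn("198.51.100.7", 40000, 443)
    ok = proxy.on_ack("198.51.100.7", 40000, 443, (isn + 1) & MASK32)
    # the same client again: served from the verified cache, no cookie round-trip
    kind2, _ = proxy.on_syn("198.51.100.7", 40001, 443)
    # spoofed SYN flood: never ACKs, so nothing is forwarded and it is rate-limited
    flood = [proxy.on_syn("203.0.113.9", 50000 + i, 443)[0] for i in range(10)]
    # an ACK carrying a guessed number does not pass verification
    forged = proxy.on_ack("203.0.113.9", 50000, 443, 12345)
    return {"first": kind, "handshake_ok": ok, "cached": kind2, "flood": flood,
            "forged_ack": forged, "forwarded": len(proxy.forwarded)}


if __name__ == "__main__":
    print(simulate())
```

The scenario shows why the thesis insists that active verification be combined with rate limiting: once a source is in the verified table it bypasses the cookie check for VERIFIED_TTL seconds, so a bot that can complete handshakes would otherwise get a free pass; the per-source cap on new handshakes is what bounds that.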

5.3.3 The 'Detect' level

Figure 14: The detect level

Relevance
Although organizations can take numerous measures to protect themselves against DDoS attacks, it is impossible to completely prevent them from happening. For these instances it is important that an organization is able to detect a DDoS attack. In this case detection does not mean "our website is down, we are under attack!", but being able to pinpoint abnormal behavior when it occurs. If abnormal behavior is identified, it can be dealt with accordingly to prevent an attack from reaching its goal of disrupting a service.

Goal
This level focuses on implementing measures that enable an organization to identify an attack as soon as possible, which enables it to respond adequately and minimize the impact of the DDoS attack.

Measures
To enable an organization to detect DDoS attacks, detection measures need to be implemented. Possible detection measures are identified in more detail below.

Detect: Develop and implement the appropriate activities to identify the occurrence of a DDoS attack.


Control Type | # | Measure

Procedural:

D1.1 Detected events are analyzed to understand attack targets and methods.

D1.2 Detection processes are tested.

D1.3 Detection processes are continuously improved.

D1.4 Define the basic or standard behavior of the systems and network environment. This baseline is built from a number of data, such as: (i) the average number of visitors or users; (ii) the average packet size of the data; (iii) the average memory space used; (iv) the average processor use; (v) the average bandwidth use of the internet connection; and (vi) the average read/write actions on the hard drive. Together this information describes the overall average behavior and can be used as a basis for the detection of odd behavior such as DDoS attacks.

Technical:

D1.5 An Intrusion Detection System (IDS) is in place which monitors whether the content of a network packet meets certain requirements or standards and flags patterns that are plausible DDoS attacks.

D1.6 An Intrusion Prevention System (IPS) is set up to block data traffic, either by itself or by having it apply certain rules in a firewall or router.

D1.7 Flow-based accounting: NetFlow is a feature of routers that is added to the process which determines the route of an IP packet. For each IP packet entering the router a hash value is calculated over its key header fields and compared with the flow cache. If the same hash value is found in the flow cache, the packet is added to the statistics of that particular flow.

NetFlow can be a very effective weapon against DDoS attacks. If an organization transports the collected NetFlow data to central storage, various applications can interpret this data. There are even special applications which can monitor DDoS attacks on the basis of the NetFlow data.

D1.8 Granular rate limiting is a technique that identifies rate violations on the basis of past behavior.

D1.9 Apply dynamic filtering, which is performed by identifying undisciplined behavior and punishing that behavior for a short time by creating a short-span filtering rule and removing that rule after the time span has elapsed.

D1.10 Source rate limiting: by identifying outlier IP addresses that break norms, you can deny them access to excessive bandwidth.

D1.11 Within the 'protect' level numerous measures have been implemented that, besides protection, are able to provide organizations with information to detect DDoS attacks. Organizations need to implement monitoring measures to deal with this information accordingly.

Table 3: Overview of possible measures at the detect level
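Measures D1.4, D1.7, D1.9 and D1.10 describe one pipeline: a baseline of normal behavior, flow records that feed it, outlier sources that break it, and short-lived filter rules that expire on their own. The following added example (written for this edition, not code from the thesis or from any NetFlow collector) runs that pipeline over constructed flow records. The record layout is a simplified stand-in for what a NetFlow v5 collector would export, the quiet-period and attack-interval figures are made up, and the thresholds (four spreads above the mean, with a floor so a perfectly regular baseline does not turn every small deviation into an alarm) are illustrative assumptions.

```python
"""Baseline-driven DDoS detection on flow records with self-expiring filters.

Added example (not from the thesis). Illustrates measures D1.4, D1.7, D1.9, D1.10.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # start of the 60 s interval the record belongs to
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


# Constructed sample: five quiet intervals from three office sources, then one
# interval in which 203.0.113.50 floods the web server. Not real NetFlow data.
QUIET = [
    Flow(t, src, "192.0.2.10", 443, pk, pk * 600)
    for t in range(0, 300, 60)
    for src, pk in (("198.51.100.1", 12), ("198.51.100.2", 9), ("198.51.100.3", 15))
]
ATTACK = [
    Flow(300, "198.51.100.1", "192.0.2.10", 443, 11, 6600),
    Flow(300, "198.51.100.2", "192.0.2.10", 443, 10, 6000),
    Flow(300, "203.0.113.50", "192.0.2.10", 443, 4800, 192000),
]


def per_source(flows):
    """Packets per (interval, source): the unit granular rate limiting reasons about."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.ts, f.src)] += f.packets
    return counts


def build_baseline(quiet_flows):
    """D1.4: the 'normal' profile, here mean and spread of packets per
    source-interval and of total packets per interval."""
    per_src = list(per_source(quiet_flows).values())
    per_interval = defaultdict(int)
    for f in quiet_flows:
        per_interval[f.ts] += f.packets
    totals = list(per_interval.values())
    return {"src_mean": mean(per_src), "src_sd": pstdev(per_src),
            "total_mean": mean(totals), "total_sd": pstdev(totals)}


def detect(window, base, k=4.0):
    """Return (interval_is_hot, offending_sources) for one interval of flows.
    The interval is hot when total traffic breaks the baseline; offenders are
    the outlier sources (D1.10). Spreads get a floor of 10 % / 25 % of the mean."""
    total = sum(f.packets for f in window)
    total_floor = max(base["total_sd"], 0.1 * base["total_mean"])
    hot = total > base["total_mean"] + k * total_floor
    src_floor = max(base["src_sd"], 0.25 * base["src_mean"])
    threshold = base["src_mean"] + k * src_floor
    per_src = defaultdict(int)
    for f in window:
        per_src[f.src] += f.packets
    return hot, sorted(s for s, p in per_src.items() if p > threshold)


class DynamicFilter:
    """D1.9: short-span block rules that expire by themselves, so a misfire on
    a legitimate source never turns into a permanent outage for that source."""

    def __init__(self, span=300):
        self.span = span
        self.rules = {}          # src -> expiry timestamp

    def punish(self, src, now):
        self.rules[src] = now + self.span

    def active(self, now):
        self.rules = {s: e for s, e in self.rules.items() if e > now}
        return sorted(self.rules)

    def allows(self, src, now):
        return src not in self.active(now)


def run():
    base = build_baseline(QUIET)
    hot, offenders = detect(ATTACK, base)
    filt = DynamicFilter(span=300)
    for src in offenders:
        filt.punish(src, now=300)
    return {"interval_hot": hot, "offenders": offenders,
            "blocked_at_360": filt.active(360), "blocked_at_601": filt.active(601)}


if __name__ == "__main__":
    print(run())
```

In production the same structure holds, with the baseline recomputed periodically from quiet traffic rather than fixed once, and with per-destination-port baselines so that a burst on one service does not mask or trigger alarms on another.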


5.3.4 The 'Respond' level

Figure 15: The respond level

Relevance
Even if an organization has all prevention and detection measures in place, it can still happen that its systems are hit by a DDoS attack. So it is important for an organization to have procedures and protocols in place on 'how to respond in case of a DDoS attack'.

Goal
As already mentioned in the introduction of this paragraph, it is essential for an organization to have procedures or protocols in place on 'how to react to DDoS attacks'. The procedures need to specify who is in the lead, which persons have which authority, how to communicate and about what. In case the systems are managed by a hosting provider, procedures need to be implemented which include both the actions that need to be taken by the hosting provider and those of the organization itself.

Measures
To enable an organization to respond in a structured manner when under attack, response measures need to be implemented. Possible measures are identified in more detail below.

Control Type | # | Measure

Procedural:

R1.1 The DDoS response plan is executed during or after an event.

R1.2 The DDoS communication plan is executed during and after an event to address public relations with the press, customers, the organization, authorities and legal obligations, based on the DDoS communication plan.

R1.3 DDoS response strategies are updated.

R1.4 DDoS response plans incorporate lessons learned.

R1.5 Notifications from detection systems are investigated.

R1.6 The impact of the incident is understood.

R1.7 Forensics are performed.

R1.8 Incidents are categorized consistent with the DDoS response plans.

R1.9 Incidents are contained.

R1.10 Incidents are mitigated.

R1.11 Newly identified vulnerabilities are mitigated or documented as accepted risks.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.


Technical:

R1.12 Quality of Service (QoS): with QoS the data can be blocked, the bandwidth can be limited, or the organization can decide to do nothing. Depending on the type of IP addresses used for the attack, a decision needs to be made.

R1.13 Null-routing is in place and the IP addresses of a potential DDoS attack can be routed to the null interface.

R1.14 An ACL can enable an organization to block (or permit) certain source or destination IP addresses and/or protocols in response to a DDoS attack.

R1.15 Aggressive aging involves removing idle connections from the connection tables early and may also involve sending a TCP RST packet to the server/firewall.

R1.16 White-lists and black-lists are maintained. Within a network there will always be some IP addresses that you want to deny or allow. White-listing and black-listing capability is useful during a DDoS attack to ensure that such rules are honored in spite of rate violations.

R1.17 Organizations can apply a so-called 'DDoS wash street'. Internet traffic is redirected when a potential attack warrants traffic redirection; this technique is also called 'off-ramping'. The data is then received by a (third) party where it is 'washed': it goes through special purpose-built appliances that filter illegitimate traffic out with the use of specific algorithms. Once the traffic is 'washed' it is rerouted back to the client, so-called 'on-ramping'.

R1.18 Specific DDoS appliances are available which can be placed within the network and are able to deal with (more sophisticated) DDoS attacks.

R1.19 Organizations are able to deflect sophisticated DDoS attacks by using providers that operate multiple data centers at different Internet Exchanges: the organization points the DNS entry of its websites to these companies, who in return handle all the requests, inspecting each packet. Based on signatures, illegitimate traffic can then be detected and discarded. Next, legitimate traffic is sent on to end users' browsers based on their geographical location.

Table 4: Overview of possible measures at the respond level
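Measures R1.13, R1.14 and R1.16 are usually applied together during an incident, and the ordering matters: a whitelisted partner or monitoring address must never end up in a null-route or a deny entry just because it tripped a rate limit. The following added example (written for this edition, not code from the thesis) takes the sources flagged by detection, drops the whitelisted ones, collapses the remainder into the smallest covering set of prefixes, and renders both null-routes and an ACL in IOS-style syntax. The whitelist, the offender addresses and the ACL name are constructed assumptions, the route and ACL syntax is assumed Cisco IOS and must be adapted to the platform in use, and the ACL part handles IPv4 only.

```python
"""Null-routes and ACL entries from flagged sources, honoring the whitelist.

Added example (not from the thesis). Illustrates measures R1.13, R1.14, R1.16.
"""
import ipaddress

# Assumption: partner range, own DNS resolver and monitoring host that must
# stay reachable even when they exceed a rate limit (R1.16).
WHITELIST = ["198.51.100.0/24", "192.0.2.53/32"]

# Constructed: sources as a detection stage might flag them; one of them is
# inside the whitelist, four are contiguous and one is IPv6.
OFFENDERS = ["203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11",
             "198.51.100.7", "203.0.113.200", "2001:db8::1"]


def plan_block(offenders, whitelist=WHITELIST):
    """Return (blocked_prefixes, skipped). Whitelisted offenders are skipped,
    the rest is collapsed per address family into covering prefixes."""
    allow = [ipaddress.ip_network(w) for w in whitelist]
    keep, skipped = [], []
    for o in offenders:
        net = ipaddress.ip_network(o, strict=False)
        if any(net.subnet_of(a) for a in allow if a.version == net.version):
            skipped.append(str(net))
        else:
            keep.append(net)
    blocked = []
    for version in (4, 6):
        same = [n for n in keep if n.version == version]
        blocked += [str(n) for n in ipaddress.collapse_addresses(same)]
    return blocked, skipped


def null_routes(prefixes):
    """R1.13: static routes to Null0 (IOS-style syntax assumed)."""
    lines = []
    for p in prefixes:
        n = ipaddress.ip_network(p)
        if n.version == 4:
            lines.append(f"ip route {n.network_address} {n.netmask} Null0")
        else:
            lines.append(f"ipv6 route {n} Null0")
    return lines


def acl_lines(prefixes, whitelist=WHITELIST, name="DDOS-RESPONSE"):
    """R1.14: one extended ACL (IPv4, IOS-style syntax assumed). Whitelist
    permits are emitted first so they win over the deny entries regardless of
    the order in which blocks are added later."""
    def wildcard(n):
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.hostmask}"

    v4 = lambda items: [ipaddress.ip_network(x) for x in items
                        if ipaddress.ip_network(x).version == 4]
    lines = [f"ip access-list extended {name}"]
    lines += [f" permit ip {wildcard(n)} any" for n in v4(whitelist)]
    lines += [f" deny ip {wildcard(n)} any" for n in v4(prefixes)]
    lines.append(" permit ip any any")
    return lines


def respond(offenders=OFFENDERS, whitelist=WHITELIST):
    blocked, skipped = plan_block(offenders, whitelist)
    return {"blocked": blocked, "skipped": skipped,
            "null_routes": null_routes(blocked), "acl": acl_lines(blocked, whitelist)}


if __name__ == "__main__":
    for key, value in respond().items():
        print(key, value)
```

Collapsing to prefixes keeps the route table and the ACL short under a large attack, but it also widens the blast radius: a /30 derived from four flagged hosts blocks anything else in that /30, which is why the whitelist check runs before collapsing and why such entries should be short-lived, as in the dynamic filtering of measure D1.9.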


5.3.5 The 'Recover' level

Figure 16: The recover level

Relevance
As described in the risk section, the risks related to DDoS attacks are fierce and can have a severe impact. Therefore it is of high importance for an organization to be able to restore capabilities or services that were impaired by a DDoS attack in a structured manner, to keep the recovery time as short as possible. It is key for organizations to get back to a 'business as usual' state to limit losses due to, for example, no sales or employees not being able to fulfil their job because of a service outage.

Goal
The goal of the recover level is to ensure that an organization is prepared to re-establish operations at an acceptable level, to limit the downtime of a disruption and to resume operations in a phased approach.

Measures
To enable an organization to recover after a DDoS attack, recovery measures need to be implemented. Possible recovery measures are identified in more detail below.

Control Type | # | Measure

Procedural:

R2.1 The DDoS recovery plan is executed during or after an event.

R2.2 DDoS recovery strategies are updated.

R2.3 DDoS recovery plans incorporate lessons learned.

R2.4 Public relations with the press, customers, the organization, authorities and legal obligations are managed based on the DDoS communication plan.

R2.5 Reputation after an event is repaired.

R2.6 Recovery activities are communicated to internal stakeholders and executive and management teams.

Table 5: Overview of possible measures at the recover level

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a DDoS event.


5.3.6 The 'Assess' level

Figure 17: The assess level

Relevance
Implementing a framework to mitigate the risks associated with DDoS should be seen as the first step. Simply implementing a framework is just not going to cut it in the long run. The world of DDoS is in continuous development and new attack techniques are introduced constantly. Therefore it is of great importance that the framework is able to cope with these changes, by being able to assess the impact of changes in the field of DDoS in relation to the implemented framework. Only when an organization is able to assess the impact of these changes is it able to cope with them and adjust the framework accordingly.

Goal
The goal of the assess level is to evaluate the previous steps taken in order to identify the focus areas where measures will need to be implemented. It does so by gathering information resulting from the previous function levels. Management should not only evaluate but also analyze the results to determine whether the implemented measures sufficiently mitigate the risks, or at least reduce the risk to an acceptable level. Any findings resulting from the evaluation and the analysis are then addressed with corrective measures.

Measures
To enable an organization to assess the effectiveness of implemented measures, a process needs to be in place to gather information at each level. The gathered data is then evaluated and actions are taken.

Control Type | # | Measure

Procedural:

A1.1 Execute monitoring procedures.

A1.2 Review and measure the effectiveness of current DDoS controls.

A1.3 Conduct internal DDoS audits.

A1.4 A security team monitors DDoS trends and validates whether the current control framework is able to cope with these trends or developments.

A1.5 Undertake management review.

A1.6 Record actions and events that impact DDoS controls.

Table 6: Overview of possible measures at the assess level

Assess: Determine whether the previous functions performed/functioned effectively.


5.3.7 The 'Adjust' level

Figure 18: The adjust level

Relevance
Based on the assessments performed at the previous level, findings will be identified and the organization needs to take action by analyzing and remediating the findings. By analyzing the findings and the actions needed, an organization will need to update the control framework in order to prevent recurrence of attacks at the identified weaknesses. At the adjust level the continuous improvement cycle is initiated and the lessons learned can be used as a reference for future analysis.

Goal
The goal of the adjust level is to provide an organization with a tool to effectively define a corrective action plan that not only enables improvement of the measures currently implemented but also creates a basis for continuous improvement.

Measures
To enable an organization to adjust the implemented measures, a process needs to be in place which supports a continuous improvement cycle. The following measures can enable an organization to achieve this.

Control Type | # | Measure

Procedural:

A2.1 The DDoS Security Control Framework is updated.

A2.2 Preventive processes are continuously improved.

A2.3 Detection processes are continuously improved.

A2.4 Response processes are continuously improved.

A2.5 Communicate actions and improvements.

Table 7: Overview of possible measures at the adjust level

Adjust: Determine which changes need to be made, based on the assessment made.


5.4 How does the DDoS Security Control Framework cover the identified risks

There is no universal approach that can cover all DDoS security risks. As described in chapter 4, if organizations want to implement an effective DDoS security control framework, it is essential that they are familiar with the specific risks that apply to the service they provide; this enables them to identify the weaknesses within their IT environment. Familiarization with the associated risks is established by applying the 'identify' function level.

In order to set up an effective framework and, as part of this framework, effective measures to fight off a DDoS attack, it is also essential to understand the various DDoS methods. Currently a wide range of DDoS attacks is used by attackers. These DDoS attacks can be divided into three types, which take place on layers 3, 4 and 7 of the OSI model. To effectively battle DDoS attacks, it is key for organizations to implement technical measures that not only prevent or minimize risks on one of these layers, but prevent or minimize risks on layers 3, 4 and 7. This is why the DDoS Security Control Framework covers these three layers, as shown in the mapping below.

OSI layer | Protect | Detect | Respond
Layer 3 | P1.10, P1.11, P1.12, P1.13, P1.14, P1.15, P1.16, P1.17, P1.18, P1.19, P1.20 | D1.5, D1.6, D1.7, D1.8, D1.10, D1.11 | R1.12, R1.13, R1.14, R1.16, R1.17, R1.18
Layer 4 | P1.9, P1.10, P1.11, P1.12, P1.13, P1.15, P1.18, P1.19 | D1.5, D1.6, D1.7, D1.8, D1.9, D1.10, D1.11 | R1.13, R1.15, R1.16, R1.17, R1.18
Layer 7 | P1.11, P1.12, P1.13, P1.14, P1.19 | D1.5, D1.6, D1.11 | R1.16, R1.18, R1.19

Table 8: Mapping of measures per relevant OSI layer

Besides the technical measures, organizations also need to implement procedural measures at the protect, detect and respond levels. The aim of these procedural measures is to trigger actions and to create awareness. The combination of both types of measures is key for creating an effectively functioning DDoS mitigation environment.

Taking away every vulnerability is a utopia. This makes it important for organizations to have the ability to recover, and by introducing a continuous improvement cycle as part of the framework, organizations can start by implementing controls which mitigate the most important risks identified, while strengthening the control set with each cycle to reduce the level of vulnerabilities in the network and, as a result, minimize the risks related to an attack.


5.5 How to apply the DDoS Security Control Framework

This research has now resulted in a dynamic DDoS Security Control Framework. But before organizations start to implement or use this framework in any way, they need to come up with a plan. Simply implementing this framework will not provide them with the DDoS security control environment they would like. Every organization is different in many ways, and this needs to be taken into account when using the framework. Organizations need to adopt a so-called risk-based approach when using this framework. This means that they have to ask themselves questions such as: "how much risk are we willing to take?", "what are the risks associated with the services we provide?" and "what are the weaknesses of our network?". Based on the answers to these questions, organizations can use (parts of) the framework to set up or improve their DDoS security control environment accordingly.

The framework contains multi-disciplinary elements. Some elements are technical, others are more risk focused. Therefore it is recommended that the framework is applied by a multi-disciplinary team which preferably consists of IT security experts, IT risk specialists and management, to cover the whole spectrum and have sufficient knowledge within the team to apply the framework correctly.


6 VERIFICATION AND VALIDATION OF THE DDOS SECURITY CONTROL FRAMEWORK

In chapter 5 a DDoS Security Control Framework was established which can help organizations mitigate DDoS attacks, and the risks associated with these attacks, effectively. In this chapter the framework will be verified and validated. Please note that the validation, as set out below, is limited and purely based on the experience of subject matter experts.

6.1 Verification and validation definition

The terms verification and validation originate from software project management, software testing and software engineering. Verification and validation entail the process of checking that a software system meets its requirements and fulfils its intended purpose. In other words, verification and validation are methods to control the quality of the system. Verification and validation are easily mixed up or mistaken for one and the same, but they are certainly not. Below the definitions of verification and validation as described by Boehm are cited (Boehm, 1989):

· Verification: Are we building the product right?
· Validation: Are we building the right product?

The goal of this thesis is to establish a DDoS Security Control Framework and not a software system. Still, with some minor alterations, validation and verification are useful to provide the necessary quality control and help gain an understanding of whether this framework provides added value within the field of DDoS and cyber security.

6.2 Approach

For the verification and validation of the DDoS Security Control Framework a number of subject matter experts within the field of DDoS and cyber security were consulted. A detailed list of the consulted subject matter experts can be found in paragraph 8.2.

Figure 19: Schematic overview of the verification and validation process (Experts take notice of DDoS Security Control Framework > Verification > Validation > Analyse data > Adjust framework)

The consulted subject matter experts were requested to review the established DDoS Security Control Framework as presented in chapter 5. Furthermore, the subject matter experts were clearly instructed that the framework should be interpreted as a 'building block' and that, to function properly, an 'effective' IT control framework needs to be in place. This framework needs to contain the fundamental organizational, procedural and technical controls based on a well-known and accepted framework such as COBIT.

Verification
The verification stage focuses on verifying whether the control framework was designed properly.

· Are there any controls that are missing from the DDoS Security Control Framework?
· Are there any specific elements missing that you might expect in a DDoS Security Control Framework?

Validation
By validating the framework, we gain confirmation that the framework, as established, will fulfil its intended use. The following questions were asked to validate whether the DDoS Security Control Framework will fulfil its intended goal:

· Do you think implementing this DDoS Security Control Framework helps mitigate the risk of DDoS as originally presented?

· Do the levels 'assess' and 'adjust' make the DDoS Security Control Framework able to cope with changes in the field of DDoS?

· Do you think implementing this DDoS Security Control Framework will enable organizations to mitigate the risks of DDoS?

· Could the DDoS Security Control Framework add value to your current practice?

After the verification and validation stage all input was collected and analyzed. The results are discussed in more detail below.

6.3 Results

Based on the fruitful interviews held with the subject matter experts, the following key feedback was provided:

· The interviewee pointed out that the assess and adjust function levels are now placed at the bottom of the framework. This placement of these two function levels may suggest that these levels are separate items. However, when analyzing the effectiveness of the existing plan, all previous function levels are assessed: is the system sufficiently protected? Has the response been successful? And so on. After the assessment the function levels may be adjusted to make the plan even more effective.

o I can understand the point made by the interviewee. To improve the visual representation of the function levels in the framework I decided to remove the assess and adjust function levels from the bottom of the framework and place them alongside the five previous function levels to reflect their overall coverage.

· The interviewee pointed out that the framework mentions that forensics need to be performed on the available data. The interviewee indicated that it is difficult to run forensics, because due to DDoS attacks data might be incomplete or unavailable. The framework did not take this problem into account.

o To perform forensics, data is needed. To trigger organizations to really think about safekeeping and maintaining data, even during or after a DDoS attack, I have included measures I1.8 and P1.19 in the framework, pointing out that organizations need to make sure that forensics can be performed.

· The interviewee asked whether measures P1.3 up to and including P1.6 fall within the scope of the protect function level, or whether these measures could fall within the scope of the respond and/or the recover function level.

o The measures included under P1.3 up to and including P1.6 form the foundation of these plans and are therefore protective in nature. Within the respond and recover function levels these plans are applied, but it is of great importance that these plans are established within the measures included under P1.3 up to and including P1.6.

· The interviewee pointed out that the measures previously numbered D1.7, D1.10 and D1.13 were not included under the correct function level; the measures were of a protective nature.

o Although these measures enable organizations to create the necessary information to detect DDoS attacks, I agreed with the interviewee and decided to remove the measures from the detect function level and include them under the protect function level. D1.11 was created to cover that these measures can also be used to detect DDoS attacks.

· The interviewee indicated that several layers can be identified within the respond function level, as organizations are able to take care of the response themselves, outsource it to, for example, an ISP or other third parties, or apply a combination of both.

o This is a valid point made by the interviewee. I have widened the framework and included measures for these additional layers.

Besides the framework-specific suggestions, the subject matter experts also provided some suggestions for further research, such as the establishment of a quick scan.

6.4 Conclusion

To verify and validate the framework, interview sessions were organized with subject matter experts. Based on the results of these interviews it can be concluded that the established framework contains the relevant elements and measures and forms a valuable basis for organizations to establish or improve their security to mitigate identified risks related to DDoS, but that some improvements could be made to make the framework even more effective. These improvements mostly concerned moving measures around the framework and adding some additional information or measures. Besides the validation and verification of the framework, the interviews also provided some suggestions for further research.


7 CONTRIBUTION AND CONCLUSION

In this chapter the contribution of this thesis to the research domain and the conclusion of the research will be discussed. First the contribution of the research will be discussed, followed by the conclusion per sub-question and the overall conclusion on the main research question. Finally, possible further research will be discussed.

7.1 Contribution

The contribution of this thesis can be divided into two categories: (i) academic contribution and (ii) economic contribution. With regard to the academic contribution or relevance it needs to be noted that this thesis used the existing framework of the National Institute of Standards and Technology (NIST) as the basis for the DDoS Security Control Framework it set out to establish, and incorporated academic information regarding DDoS attacks and the risks related to these attacks in this framework, to make the NIST framework dynamic and suitable for use by organizations to establish or enhance their DDoS strategy. The framework incorporates readily available academic information to improve the usefulness of the existing (NIST) framework. The enhanced model contributes to the body of knowledge and also provides a new starting point for further research and discussion on the framework and the topic of DDoS attacks. While the NIST model primarily focuses on building a set of security controls, the new model incorporates improvement cycles to continuously improve the applied controls in line with the organization's risk profile.

Besides the academic contribution of the thesis, it also makes a more practical and economic contribution. By providing more insight into the risks related to DDoS attacks and introducing the measures that can be taken by organizations, it can make organizations more familiar with the topic and make them more aware of the risks and the steps they can take to continuously improve their DDoS prevention, detection and protection strategies. If organizations become more aware of the possibilities to mitigate the risks associated with DDoS attacks, such as reputational damage and revenue losses, the economic value, while not entirely quantifiable, is believed to exceed the set-up costs.

7.2 Conclusion per sub-question

At the beginning of this research a main research question was formulated in accordance with the goal of this research, as introduced in chapter 1 of this thesis. The main research question is: "With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service attacks?" In order to answer this main research question, three sub-questions were introduced:

1. What is a Distributed Denial-of-Service attack and why does this trend require proper consideration?

2. What are the security risks and impact imposed by Distributed Denial-of-Service attacks?


3. Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service attacks?

Below the conclusion per sub-question will be discussed.

7.2.1 What is a Distributed Denial-of-Service attack and why does this trend require proper consideration?

A Distributed Denial-of-Service attack is a "large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers on the Internet".

In the past organizations were once in a while confronted with a DDoS attack, and in many cases the impact of the attack was only limited. Due to the developments in the field of IT, the complexity and the scale of the DDoS attacks on network and information security have grown extensively and the attacks have become more intense. Furthermore, cyber-crime has become more lucrative and less risky in the last years, and the thresholds for initiating a DDoS attack have been lowered significantly. Nowadays DDoS attacks can be bought online for very low prices. Due to all these developments the impact of DDoS attacks and the likelihood of being the target of an attack have skyrocketed. It is no longer a question of IF a company will be attacked, but WHEN a company will be attacked. Because of this, it is important that organizations give proper consideration to this trend.

7.2.2 What are the security risks and impact imposed by Distributed Denial-of-Service attacks?

Many risks are associated with DDoS attacks. The types of risks that can be identified, which are most likely to occur or have the highest impact, are:

i. operational risk: depending on the type of services provided, DDoS attacks can have a (significant) impact on customers and employee productivity. Due to the DDoS attack an organization is unable to provide its services, which can result in significant revenue losses. In case of a service level agreement, a DDoS attack can result in a violation of the agreement when the organization affected by the DDoS attack is the service provider under the agreement;

ii. reputational risk: if organizations cannot provide their services, customers will have a negative experience with the organization. If this happens multiple times, the services can be ranked unreliable, and this will negatively impact the brand, the image and the reputation of the organization;

iii. data integrity risk: DDoS attacks can disrupt connections. Since systems are highly connected and dependent on internal and external data, a DDoS attack can impact the data integrity of the system; and

iv. fraud risk: this risk occurs when an attacker uses a DDoS attack as a diversion to draw attention away from their actual goal. The DDoS attack could be coupled with a fraud attempt; in such cases organizations may also experience fraud losses, which might in turn result in liquidity and capital risks.

The impact imposed by DDoS attacks depends on several factors, such as the services provided by the target organization and the number of customers and employees, and can only be determined per organization.

7.2.3 Which controls can be implemented to minimize the impact of risks related to Distributed Denial-of-Service attacks?

The measures that can be implemented differ per organization. The DDoS Security Control Framework enables an organization to determine which measures it should implement to minimize the impact of risks related to DDoS attacks. While a risk-based approach does not aim at taking away every vulnerability, by introducing a continuous improvement cycle into an existing model an organization can start by implementing controls which mitigate the most important risks identified, while strengthening the control set with each cycle to reduce the level of vulnerabilities in the network and, as a result, minimize the risks related to an attack.

7.3 Conclusion on the main research question

As already introduced above, the main research question is: "With what control framework can security be improved to mitigate identified risks related to Distributed Denial-of-Service attacks?" The sub-questions discussed above have identified the nature of a DDoS attack and have shown that, due to the quickly growing impact and likelihood of DDoS attacks, it is very important for organizations to give proper consideration to this trend. Furthermore, the impact and risks associated with DDoS attacks and the measures that can be implemented to minimize these risks have been identified. The information gathered on the basis of the sub-questions was incorporated and taken into account when structuring the DDoS Security Control Framework, in order to make the framework as dynamic and as useful as possible. The result is the DDoS Security Control Framework as set out in chapter 5 of this thesis. This control framework can enable organizations to manage the risks related to DDoS attacks and, as a result, improve their security.

7.4 Further Research

The framework has not been designed for a specific sector or market, but can be used across markets. Now that the framework is established, it will need to be validated by organizations which are active in different sectors and markets. Further research needs to be conducted to determine whether the framework is indeed suitable for all sectors and markets or whether it is only suitable for a certain number of sectors/markets due to, for example, the risk profiles associated with those sectors/markets. The current framework has been validated and verified based on interviews; as such, the resulting model serves as a working hypothesis which could prove its worth and could be improved by applied validation and verification.

Besides the validation and verification, the framework will also need to be adjusted. Steps 6 and 7 are designed to make the framework adjust to new developments on the topic of DDoS attacks. It is important that research regarding the types of DDoS attacks and the risks associated with these types of attacks is also continued in the future. This research will form the basis for the adjustments to the framework and will harden the framework.


8 APPENDIX

8.1 Bibliography

Arbor Networks. (2013). Understanding DDoS. Retrieved December 8, 2014, from Digital Attack Map: http://www.digitalattackmap.com/understanding-ddos/

Arbor Networks. (2014). Largest DDoS Attack Reported. Burlington: Arbor Networks.

Baloch, R. (2014). Ethical Hacking and Penetration Testing Guide. Boca Raton: CRC Press.

Blank, A. (2004). TCP/IP Foundations. Alameda: SYBEX Inc.

Boehm, B. (1989). Software Risk Management. IEEE Computer Society Press.

Cao, W. a. (2014). Introduction of the Smurf Attack Principle. Proceedings of International Conference on Soft Computing Techniques and Engineering Application (p. 316). New Delhi: Springer India.

Deming, W. E. (2000). Out of the Crisis. Cambridge: MIT Press Ltd.

Easttom, C. (2014). System Forensics, Investigation and Response. Burlington: Jones & Bartlett Learning.

EC-Council. (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park: Cengage Learning.

Federal Financial Institutions Examination Council. (2012). Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources. Arlington: Federal Financial Institutions Examination Council (FFIEC).

Fitzgerald, J., & Dennis, A. (2009). Business Data Communications and Networking. Hoboken: John Wiley & Sons.

Goncharov, M. (2012). Russian Underground 101. Cupertino: Trend Micro Inc.

Govcert.nl. (2006). Aanbevelingen ter bescherming tegen Denial-of-Service aanvallen [Recommendations for protection against Denial-of-Service attacks]. Den Haag: Govcert.nl.

Govcert.nl. (2010). Whitepaper Raamwerk Beveiliging Webapplicaties [Whitepaper Web Application Security Framework]. Den Haag: Govcert.nl.

Gu, Q. a. (2012). Denial of Service Attacks. In Q. a. Gu, Handbook of Computer Networks: Distributed Networks, Network Planning, Control, Management, and New Trends and Applications (pp. 454-468). Hoboken: John Wiley & Sons, Inc.

IntruGuard. (2008, November 10). 10 DDoS Mitigation Techniques. Retrieved February 2, 2015, from www.slideshare.net: http://www.slideshare.net/intruguard/10-ddos-mitigation-techniques-presentation

Kim, S. K. (2013). DDoS Analysis Using Correlation Coefficient Based on Kolmogorov Complexity. Grid and Pervasive Computing (p. 445). Heidelberg: Springer.

Kostadinov, D. (2013, October 24). Layer Seven DDoS Attacks. Retrieved January 10, 2015, from InfoSec Institute: http://resources.infosecinstitute.com/layer-seven-ddos-attacks/

Kumar, G. (2004, October). Understanding Denial of Service (DoS) Attacks Using OSI Reference Model. International Journal of Education and Science Research, 1(5), 10-17.

McDowell, M. (2013, February 6). Understanding Denial-of-Service Attacks. Retrieved December 7, 2014, from United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov/ncas/tips/ST04-015


Nationaal Cyber Security Centrum. (2012). ICT-Beveiligingsrichtlijnen voor webapplicaties - Deel 1 [ICT Security Guidelines for Web Applications - Part 1]. Den Haag: Nationaal Cyber Security Centrum.

Nationaal Cyber Security Centrum. (2012). ICT-Beveiligingsrichtlijnen voor webapplicaties - Deel 2 [ICT Security Guidelines for Web Applications - Part 2]. Den Haag: Nationaal Cyber Security Centrum.

National Cybersecurity and Communications Integration Center. (2014). DDoS Quick Guide. Arlington: National Cybersecurity and Communications Integration Center.

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Gaithersburg: National Institute of Standards and Technology.

Popeskic, V. (2011, December 17). Telnet attacks: ways to compromise remote connections. Retrieved January 2, 2015, from How does internet work: http://howdoesinternetwork.com/2011/telnet-attacks

Prolexic. (2013). Quarterly Global DDoS Attack Report Q3 2013. Hollywood: Prolexic.

Prolexic. (2014). Quarterly Global DDoS Attack Report Q1 2014. Hollywood: Prolexic.

Saxena, P. (2014). OSI Reference Model: A Seven Layered Architecture of OSI Model. International Journal of Research (IJR), 1(10), 1145-1156.

Science & Lifestyle. (2012, July 4). How a DDoS attack works. Retrieved December 20, 2014, from Science and Lifestyle: http://scilifestyle.com/how-a-ddos-attack-works.html

Smits, M. S. (2011). Hoe het internet de Nederlandse economie verandert [How the internet is changing the Dutch economy]. Amsterdam: The Boston Consulting Group.

Symantec. (2009, September 10). Newsroom - press releases. Retrieved September 4, 2014, from Symantec: http://www.symantec.com/about/news/release/article.jsp?prid=20090910_01

Tanenbaum, A. S. (2002). Computer Networks. Upper Saddle River: Prentice Hall PTR.

Verisign. (2012). Distributed Denial of Service (DDoS): finally getting the attention it deserves. Reston: Verisign Public.

Verisign. (2014). DDoS Protection Services Overview. Reston: Verisign Public.

Yang, X. e. (2014). ARMed-http: An Unsupervised Machine Learning Method for Detecting HTTP-flooding Attack. International Conference on Computer Science and Network Security (p. 398). Lancaster: DEStech Publications Inc.

Yin, R. K. (2013). Case Study Research: Design & Methods. Thousand Oaks: SAGE Publications Inc.


8.2 Subject Matter Experts

Name                    Current Role
Vincent Joosen          Senior Security Specialist at Ziggo
Jacques van der Heide   Senior Security Specialist at Ziggo
Janine Feddes           Manager Security Operations Center at Ziggo
Michael Willems         Director Network Operations Center at Ziggo
Ingrid Terlien          Security Manager at KNAB
Tony de Bos             Senior Manager IT Risk & Assurance at EY
Jatin Sehgal            Global Practice Leader at EY CertifyPoint;
                        Senior Manager Information Security at EY

8.3 List of Figures

Figure 1: Reasons for web infrastructure downtime over the last 12 months (2012) ... 7
Figure 2: Most common consequences of DDoS attacks ... 7
Figure 3: A visual representation of the case study approach ... 10
Figure 4: A schematic overview of the research process ... 11
Figure 5: A visual representation of a DDoS attack (Science & Lifestyle, 2012) ... 13
Figure 6: The seven layers of the OSI model ... 14
Figure 7: The layering technique of the OSI model ... 15
Figure 8: Types of DDoS attacks ... 19
Figure 9: Framework for Improving Critical Infrastructure Cybersecurity by NIST ... 22
Figure 10: The Deming Cycle ... 23
Figure 11: The seven function levels of the DDoS Security Control Framework ... 24
Figure 12: The identify level ... 26
Figure 13: The protect level ... 27
Figure 14: The detect level ... 29
Figure 15: The respond level ... 31
Figure 16: The recover level ... 33
Figure 17: The assess level ... 34
Figure 18: The adjust level ... 35
Figure 19: Schematic overview of the verification and validation process ... 38

8.4 List of Tables

Table 1: Overview of possible measures at the identify level ... 27
Table 2: Overview of possible measures at the protect level ... 29
Table 3: Overview of possible measures at the detect level ... 30
Table 4: Overview of possible measures at the respond level ... 32
Table 5: Overview of possible measures at the recover level ... 33
Table 6: Overview of possible measures at the assess level ... 34
Table 7: Overview of possible measures at the adjust level ... 35
Table 8: Mapping of measures per relevant OSI layer ... 36

8.5 DDoS Quick Guide