After the infamous Estonian cyberattack early this year, CyTRAP Labs proposes the 7 lessons learnt from the attacks, and points out how Estonia responded accordingly to these issues. Among the lessons and issues pointed out were:
- Critical incidence response matters, which suggests the need to have a systematic and clearly understood procedure in place that allows a quick identification of what a critical incident response is and what kind of responses must be invoked rapidly (i.e. automatisms) to have a chance to defend against an emerging threat. Estonian responders first focused on the targets rather than sources. Filtering technology was used to throttle back on traffic aimed at target systems, which, at its peak, reached between 100 to 1,000 times the normal amount of traffic.
- The need for the team to make critical decisions fast. In Estonia, it was decided to protect certain systems. Once those were identified, all connections to those systems from outside the country were blocked. In addition, efforts were undertaken to lure away attackers from critical systems those that were less critical ones.
- Critical infrastructure can mean something different. For Estonia, where much business is being done on the net, critical infrastructure meant financial and communication services by private business were under attack and these are critical to the country’s well-functioning economy. Soon after 27 April 2007, people were unable to buy such essentials as gas and groceries using their payment cards.This is in contrast to what we usually accept as being critical infrastructure, namely electricity and transportation networks.
- No new attack techniques emerged. The level of traffic was not surprising and the mitigation tactics used were tried and true. But what will happen if the attackers are using fast-flux networks or DNS amplification attacks?
- Coordination is vital. All the above can be further complicated if the defense has to be coordinated in real time with several hundred or thousands of ISPs. As Estonia’s experience illustrates, coordination and cooperation with a centralized incident response is critical to achieve success. This was the case with CERT-EE working closely with private ISPs and banks, etc. Unfortunately, in many countries such centralized approach will be difficult to achieve unless the right things are put in place now.
- Trusted social networks as the key to coordinate a successful response. Even CERT-EE needed help and support from others, and social networks came in handy. How else can one convince an ISP in another country to take off a server that is part of a fast-flux network? Developing trust takes time and effort while both parties have to give. A certain degree of sharing or disclosure may result in further growth of trust needed to defend better next time.
- Post mortem analysis - learning to improve. Without analyzing past events learning cannot occur. The challenge with the Estonian example is that other countries must learn from the Estonian experience. This type of international collaboration must be improved beyond government CERTs.
Hence, without getting the major ISPs and financial institutions involved in other countries, post mortem analysis might not help us much in preparing for the next attack of this kind or worse.
This list was made in reference to the presentation of Hillar Aarelaid, eSStonia - the case of the Estonian DDoS attacks, given at the GovCERT.NL IT Security Symposium, Response & Responsibility, in Noordwijk, Netherlands.
Read the full article here.