<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>seki &#187; FIRST</title>
	<atom:link href="http://www.spinlock.com/tag/first/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.spinlock.com</link>
	<description>Spinlock Technologies LLC</description>
	<lastBuildDate>Tue, 16 Feb 2010 13:29:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Responding to network attacks</title>
		<link>http://www.spinlock.com/2010/01/net-attack-response/</link>
		<comments>http://www.spinlock.com/2010/01/net-attack-response/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 18:49:40 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[information security management]]></category>
		<category><![CDATA[CSIRT]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[FIRST]]></category>
		<category><![CDATA[mitigation]]></category>

		<guid isPermaLink="false">http://www.spinlock.com/?p=121</guid>
		<description><![CDATA[Though they&#8217;re not going away anytime soon &#8212; and every security geek in the IT department knows it &#8212; distributed denial-of-service (DDoS) attacks still cause great panic in most organizations hit by them. This being the case, it bears underscoring the importance of planning ahead so that you don&#8217;t get caught flatfooted when the next [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.spinlock.com/wp-content/uploads/2010/01/20100130-ddos.gif"><img class="alignright size-medium wp-image-122" title="DDoS meets pop culture" src="http://www.spinlock.com/wp-content/uploads/2010/01/20100130-ddos-300x256.gif" alt="" width="300" height="256" /></a>Though they&#8217;re not going away anytime soon &#8212; and every security geek in the IT department knows it &#8212; distributed denial-of-service (DDoS) attacks still cause great panic in most organizations hit by them. This being the case, it bears underscoring the importance of planning ahead so that you don&#8217;t get caught flatfooted when the next attack comes, whether it&#8217;s a DDoS or something even bigger.<span id="more-121"></span></p>
<h2>1. Activate your response plan</h2>
<p>Rather than responding to the waves of panic that are likely circulating around the sales and executive teams, the most productive thing to do is to rely on your advance planning to start the response process rolling.  Remembering that the key to solving problems is usually communications, you should focus on providing company executives with regular updates. Then you can focus on the technology issues without undue badgering.</p>
<p>This is, I think, the right time to remind you that one of the best antidotes to security crises is to have a computer security incident response team (CSIRT) capability.  This resource, whether in-house or contracted out, can save countless amounts of downtime. You can learn more about incident response from places like the <a title="FIRST.org (opens in a new window)" href="http://www.first.org/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.first.org/?referer=');">Forum of Incident Response and Security Teams (FIRST)</a>.</p>
<h2>2. Set up a war room</h2>
<p>When Skype suffered a major outage &#8212; which, though not a DDoS, had some of the massive but temporary service disruption characteristics of a DDoS &#8212; we set up two war rooms: one near the company executives and one in the heart of the engineering center. This kind of arrangement not only allows &#8220;the right people&#8221; to come together face-to-face, it also allows focal points to form for network operations, media/PR, and the executive team.  This location is focused on communication, so be sure to have redundant means at your disposal in case your chosen system (phone line, Jabber, Skype, etc.) is itself impacted by the attack.</p>
<h2>3. Think tactically</h2>
<p>Your first general priority is limiting downtime, so you have to quickly assemble the data available to you to identify the cause of the problem and its target. Work with your ISP or network peers to maximize your options within the terms of your service contract, and preferably without incurring additional costs.</p>
<p>While you can have traffic shunted or blackholed, do keep in mind that measures such as having new network addresses assigned to critical resources may cause lasting secondary effects, such as the invalidation of IP-bound digital certificates. For lengthy attacks, it may be worth the effort to have a plan for a temporary customer notice website, which can keep customers informed of the company&#8217;s efforts to restore service.</p>
<p>For small businesses, these kinds of services can often be arranged ad hoc, but it&#8217;s best to have a planned service with a specified DDoS service level agreement. In addition, cutover of these services may require coordination with your domain registrar or your ISP.</p>
<h2>4. Think strategically</h2>
<p>Your next general priority is preventing further downtime. This requires more thought and more research; you need to identify the rationale for the attack. In other words, why did someone target <em>your</em> infrastructure to attack today? Is there a pot of gold at the end of the attack?  Is the attack you&#8217;re experiencing merely cover for another, separate attack whose aim is to steal valuable customer data?</p>
<p>There are many possibilities here, but the point to make is that the CISO of the organization needs to be well aware not only of the technology in play, but also of the risk matrix relating to data available on the network and even things like public perception of the company. Many otherwise mundane companies have been hit by hackers or so-called hacktivists merely due to the public position of a single member of the company&#8217;s board of directors.</p>
<h2>5. Document, review and train</h2>
<p>If there&#8217;s one silver lining to an attack, it&#8217;s that the event can serve as a crucible for learning for the entire staff, including people far outside the technical teams. Take notes as the event unfolds, including the time that decisions (even mundane ones) were made. Also take time to understand the cost impact of the attack and its remediation. During a post-mortem, these notes will serve better than any cockamamie exercise could to develop better processes and procedures for the next time.  The bad news is that there probably will be a next time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spinlock.com/2010/01/net-attack-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Communication, culture and information security</title>
		<link>http://www.spinlock.com/2009/06/culture-infosec-ties/</link>
		<comments>http://www.spinlock.com/2009/06/culture-infosec-ties/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 14:12:17 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[trends]]></category>
		<category><![CDATA[FIRST]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://www.spinlock.com/?p=93</guid>
		<description><![CDATA[Since my earliest days working in Silicon Valley, I have been involved in computer security incident response management. And so it was with great pleasure that I accepted a keynote speaking opportunity at the upcoming annual meeting of the Forum of Incident Response and Security Teams (FIRST) during 28 June-3 July 2009 in nearby Kyoto, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://conference.first.org/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/conference.first.org/?referer=');"><img class="alignright size-full wp-image-94" title="2009 FIRST Conference (Kyoto, Japan)" src="http://www.spinlock.com/wp-content/uploads/2009/06/20090306-firstconfspeaker.png" alt="2009 FIRST Conference (Kyoto, Japan)" width="190" height="95" /></a>Since my earliest days working in Silicon Valley, I have been involved in computer security incident response management. And so it was with great pleasure that I accepted a keynote speaking opportunity at the upcoming annual meeting of the <a title="FIRST - the Forum of Incident Response and Security Teams" href="http://www.first.org/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.first.org/?referer=');">Forum of Incident Response and Security Teams</a> (FIRST) during 28 June-3 July 2009 in nearby Kyoto, Japan. The conference team asked if I could convey some of my observations about Japan, because I’ve been living here for just over a year now, and talk about how they relate to information security.  The talk, entitled <em>Information security: one character at a time</em> uses aspects of the Japanese language as a way to discuss the role of communication in incident handling and, more generally, in information security management.</p>
<p><span id="more-93"></span>I remember going to my very first FIRST annual conference in Monterrey, Mexico, back in 1998. At that time, I was an official representative for Sun Microsystems to the organization and was amazed by the level of international participation. Since then, interest in computer security incident handling has grown exponentially, and therefore the breadth of the audience has become far more diverse, both in geography and in mission, than it was even ten years ago. I think that this change speaks volumes about the information security business, and I think it’s a trend to which we should pay close attention.</p>
<p>My goal for this keynote is to set out what I think incident handling will mean in the context of cultural changes in the information security handling profession. After all, even the smallest of organizations is investing — willingly or not — in response measures to security threats. In the face of the present economic downturn, it will be very interesting to see how many companies will remain interested in computer security.  But because even the most Luddite of company executives sees the risk that comes along with ignoring the perils of information security, I doubt the lights in the IT security department will be going out anytime soon.</p>
<p>If you’re in the information security industry, I highly recommend the <a title="FIRST Annual Conference" href="http://conference.first.org/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/conference.first.org/?referer=');">FIRST annual conference</a>.  If you can make it, by all means please attend!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spinlock.com/2009/06/culture-infosec-ties/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
