<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>seki &#187; mitigation</title>
	<atom:link href="http://www.spinlock.com/tag/mitigation/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.spinlock.com</link>
	<description>Spinlock Technologies LLC</description>
	<lastBuildDate>Tue, 16 Feb 2010 13:29:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Responding to network attacks</title>
		<link>http://www.spinlock.com/2010/01/net-attack-response/</link>
		<comments>http://www.spinlock.com/2010/01/net-attack-response/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 18:49:40 +0000</pubDate>
		<dc:creator>kurt</dc:creator>
				<category><![CDATA[information security management]]></category>
		<category><![CDATA[CSIRT]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[FIRST]]></category>
		<category><![CDATA[mitigation]]></category>

		<guid isPermaLink="false">http://www.spinlock.com/?p=121</guid>
		<description><![CDATA[Though they&#8217;re not going away anytime soon &#8212; and every security geek in the IT department knows it &#8212; distributed denial-of-service (DDoS) attacks still cause great panic in most organizations hit by them. This being the case, it bears underscoring the importance of planning ahead so that you don&#8217;t get caught flatfooted when the next [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.spinlock.com/wp-content/uploads/2010/01/20100130-ddos.gif"><img class="alignright size-medium wp-image-122" title="DDoS meets pop culture" src="http://www.spinlock.com/wp-content/uploads/2010/01/20100130-ddos-300x256.gif" alt="" width="300" height="256" /></a>Though they&#8217;re not going away anytime soon &#8212; and every security geek in the IT department knows it &#8212; distributed denial-of-service (DDoS) attacks still cause great panic in most organizations hit by them. This being the case, it bears underscoring the importance of planning ahead so that you don&#8217;t get caught flatfooted when the next attack comes, whether it&#8217;s a DDoS or something even bigger.<span id="more-121"></span></p>
<h2>1. Activate your response plan</h2>
<p>Rather than responding to the waves of panic that are likely circulating around the sales and executive teams, the most productive thing to do is to rely on your advance planning to start the response process rolling.  Remembering that the key to solving problems is usually communications, you should focus on providing company executives with regular updates. Then you can focus on the technology issues without undue badgering.</p>
<p>This is, I think, the right time to remind you that one of the best antidotes to security crises is to have a computer security incident response team (CSIRT) capability. This resource, whether in-house or contracted out, can save countless amounts of downtime. You can learn more about incident response from places like the <a title="FIRST.org (opens in a new window)" href="http://www.first.org/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.first.org/?referer=');">Forum of Incident Response and Security Teams (FIRST)</a>.</p>
<h2>2. Set up a war room</h2>
<p>When Skype suffered a major outage &#8212; which, though not a DDoS, had some of the massive but temporary service disruption characteristics of a DDoS &#8212; we set up two war rooms: one near the company executives and one in the heart of the engineering center. This kind of arrangement not only allows &#8220;the right people&#8221; to come together face-to-face, it also allows focal points to form for network operations, media/PR, and the executive team. This location is focused on communication, so be sure to have redundant means at your disposal in case your chosen system (phone line, Jabber, Skype, etc.) is itself impacted by the attack.</p>
<h2>3. Think tactically</h2>
<p>Your first general priority is limiting downtime, so you have to quickly assemble the data available to you to identify the cause of the problem and its target. Work with your ISP or network peers to maximize your options within the terms of your service contract, and preferably without incurring additional costs.</p>
<p>While you can have traffic shunted or blackholed, do keep in mind that measures such as having new network addresses assigned to critical resources are likely to cause lasting secondary effects, such as the invalidation of IP-bound digital certificates. For lengthy attacks, it may be worth the effort to have a plan for a temporary customer notice website, which can keep customers informed of the company&#8217;s efforts to restore service.</p>
<p>For small businesses, these kinds of services can often be arranged ad hoc, but it&#8217;s best to have a planned service with a specified DDoS service level agreement. In addition, cutover of these services may require coordination with your domain registrar or your ISP.</p>
<h2>4. Think strategically</h2>
<p>Your next general priority is preventing further downtime. This requires more thought and more research; you need to identify the rationale for the attack. In other words, why did someone target <em>your</em> infrastructure to attack today? Is there a pot of gold at the end of the attack?  Is the attack you&#8217;re experiencing merely cover for another, separate attack whose aim is to steal valuable customer data?</p>
<p>There are many possibilities here, but the point to make is that the CISO of the organization needs to be well aware not only of the technology in play, but also of the risk matrix relating to data available on the network and even things like public perception of the company. Many otherwise mundane companies have been hit by hackers or so-called hacktivists merely due to the public position of a single member of the company&#8217;s board of directors.</p>
<h2>5. Document, review and train</h2>
<p>If there&#8217;s one silver lining to an attack, it&#8217;s that the event can serve as a crucible for learning for the entire staff, including people far outside the technical teams. Take notes as the event unfolds, including the time that decisions (even mundane ones) were made. Also take time to understand the cost impact of the attack and its remediation. During a post-mortem, these notes will serve better than any cockamamie exercise could to develop better processes and procedures for the next time.  The bad news is that there probably will be a next time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spinlock.com/2010/01/net-attack-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Underground digital economy spotlighted</title>
		<link>http://www.spinlock.com/2008/11/underground-digital-economy/</link>
		<comments>http://www.spinlock.com/2008/11/underground-digital-economy/#comments</comments>
		<pubDate>Mon, 24 Nov 2008 11:58:16 +0000</pubDate>
		<dc:creator>news</dc:creator>
				<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mitigation]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">http://www.spinlock.com/?p=26</guid>
		<description><![CDATA[In October 2008, the Symantec Corporation published its Report on the Underground Economy, which is the culmination of a year-long effort to observe and record the behaviors of bad actors in the cybercrime arena. By watching the activities of malicious botnets over a long period of time, Symantec&#8217;s researchers were able to identify likely interaction [...]]]></description>
			<content:encoded><![CDATA[<p>In October 2008, the Symantec Corporation published its <em><a title="Report on the Underground Economy (PDF)" href="http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf" target="_blank" onclick="pageTracker._trackPageview('/outgoing/eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf?referer=');">Report on the Underground Economy</a>,</em> which is the culmination of a year-long effort to observe and record the behaviors of bad actors in the cybercrime arena. <a href="http://www.spinlock.com/wp-content/uploads/2008/11/200811-sym-underground.png"><img class="alignright size-full wp-image-27" style="margin: 2px;" title="200811-sym-underground" src="http://www.spinlock.com/wp-content/uploads/2008/11/200811-sym-underground.png" alt="" width="154" height="91" /></a>By watching the activities of malicious botnets over a long period of time, Symantec&#8217;s researchers were able to identify likely interaction strategies for trading stolen digital cargo and services.</p>
<p>What&#8217;s most interesting about this report is not the specifics of any particular set of cybercriminals, but the number of channels used to convey the goods, as well as the pedestrian style of commerce, including several online How-To guides, used to entice would-be sellers to peddle their stolen goods.</p>
<p>Although this report is heavily biased toward reporting numbers and statistics, by enumerating price lists for stolen data and the number of command-and-control networks used on a daily basis by cybercriminals, it lets CISOs put a much firmer opportunity cost estimate on the failure to apply proper controls to sensitive customer data. In addition, in an appendix to the report, Symantec offers readers its recommendations for mitigation strategies to shore up data security risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spinlock.com/2008/11/underground-digital-economy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
