September 07, 2020 | SSS Security Consulting
The recent distributed denial-of-service (DDoS) attacks have had a major impact on several major organisations in New Zealand and many more globally.
In the New Zealand Stock Exchange attack, it was noted that the attack was preceded by a ransomware note, followed by further demands when the NZX did not comply. CERT NZ has some really useful information if you should fall victim to a ransomware attack.
Here are some recommended mitigations:
- Understand your critical services on the internet – websites and services delivered over the web.
- Analyse the business impact of these systems being unavailable due to a DDoS attack or similar.
- Implement additional DDoS mitigation controls where it makes sense to (CloudFlare / Imperva / Akamai).
- Consider having a failover site in a Public Cloud that you can cutover to and have the process defined.
- Subscribe to a Managed DDoS Protection service, designed to detect and block malicious traffic from entering your network. Some services are able to block these attacks from a "global gateway", blocking offshore attacks on entry to New Zealand.
- Consider actively monitoring external email addressed to executives and their PA/EA for ransom demands, as well as the email addresses associated with your publicly available domain registrant information and those listed on your website. In some cases, but not all, a ransom demand is sent prior to an attack. If one is received, report it to CERT NZ and the Police.
- The safest firewall configuration is based on the principle of 'block everything by default and allow only by exception'. We also recommend putting all web servers behind a reverse proxy or Web Application Firewall (WAF) where possible. If that is not possible, lock any open ports down to known source addresses. Systems that are exposed to the internet should always be patched against known vulnerabilities.
- Ensure all redundant or unused services and protocols are disabled.
- As part of your proactive incident response planning you have probably developed a good relationship with your ISP (Hint: If you haven't already, you really, really should). This relationship will prove invaluable during an attack, as they will be able to quickly block malicious traffic.
- Make sure you regularly patch your systems including critical servers and all network devices.
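The email-monitoring recommendation above can be turned into a simple mail-triage check. The following is an added example written for this page, not code from the original post or from SSS Security Consulting. The watch-list (executives, their PA/EA, the registrant contact and the addresses published on the website), the weighted indicator phrases, the alert threshold and the sample messages are all constructed assumptions to be tuned against an organisation's real mail flow.

```python
"""Triage inbound mail to watched mailboxes for ransom / extortion indicators.

Added example, not code from the original post. The watch-list, indicator
phrases, threshold and sample messages are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed watch-list: executives, their PA/EA, the domain-registrant
# contact and the addresses published on the public website.
WATCHED_MAILBOXES = {
    "ceo@example.co.nz",
    "ea-ceo@example.co.nz",
    "cfo@example.co.nz",
    "hostmaster@example.co.nz",  # domain registrant contact (assumed)
    "info@example.co.nz",        # address listed on the website (assumed)
}

# Weighted indicator phrases typical of ransom-DDoS demands; the weights and
# the threshold are assumptions, not a published signature set.
INDICATORS = {
    r"\bddos\b": 3,
    r"\b(bitcoin|btc|monero|xmr)\b": 3,
    r"\bpay(ment)?\b": 1,
    r"\b(deadline|within \d+ (hours|days))\b": 2,
    r"\b(attack|take (down|offline))\b": 2,
    r"\bdemonstration\b": 1,
}
ALERT_THRESHOLD = 5


def recipients(msg):
    """Lower-cased recipient addresses from the To/Cc/Delivered-To headers."""
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def body_text(msg):
    """Concatenate decoded text/plain parts (works for single-part and multipart mail)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def extortion_score(text):
    """Return (score, matched_patterns) for the given text."""
    lowered = text.lower()
    score, hits = 0, []
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, lowered):
            score += weight
            hits.append(pattern)
    return score, hits


def triage(raw_message):
    """Return an alert dict when a message reaches a watched mailbox and scores at
    or above ALERT_THRESHOLD; otherwise None."""
    msg = message_from_string(raw_message)
    watched_hits = recipients(msg) & WATCHED_MAILBOXES
    if not watched_hits:
        return None
    score, hits = extortion_score(msg.get("Subject", "") + "\n" + body_text(msg))
    if score < ALERT_THRESHOLD:
        return None
    return {
        "from": msg.get("From", ""),
        "watched_recipients": sorted(watched_hits),
        "score": score,
        "indicators": hits,
    }


# Constructed sample messages (not real mail).
RANSOM_DEMAND = """\
From: noreply@attacker.invalid
To: Chief Executive <ceo@example.co.nz>
Cc: ea-ceo@example.co.nz
Subject: DDoS attack on your network

Your site will be taken offline unless payment of 10 BTC is made within 48 hours.
A small demonstration attack starts today.
"""

ROUTINE_MAIL = """\
From: accounts@partner.invalid
To: info@example.co.nz
Subject: Invoice payment schedule

Hi, please confirm payment of the attached invoice by the end of the month.
"""

# Same demand, but addressed to mailboxes that are not on the watch-list.
NOT_WATCHED = RANSOM_DEMAND.replace("ceo@example.co.nz", "staff@example.co.nz")

if __name__ == "__main__":
    for label, sample in (("ransom demand", RANSOM_DEMAND), ("routine", ROUTINE_MAIL),
                          ("not watched", NOT_WATCHED)):
        print(label, "->", triage(sample))
```

The check is deliberately two-stage: the watch-list keeps the scoring focused on the mailboxes the bullet names, and the weighted score keeps a routine mention of "payment" from paging the incident team. An alert from `triage` is the trigger for the reporting step the bullet describes, not a verdict on its own.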
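The firewall recommendation above (block by default, allow only by exception, web servers reachable only through the reverse proxy or WAF, open ports locked down to their source) can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the original post or from SSS Security Consulting, and it works on a simplified rule representation rather than any real firewall's syntax; the WAF source range and the management network are constructed assumptions.

```python
"""Audit a simplified inbound firewall ruleset against 'block everything by
default, allow only by exception'.

Added example, not code from the original post. The rule representation, the
WAF/reverse-proxy source range and the management network are assumptions.
"""
import ipaddress

# Constructed: egress ranges of the reverse proxy / WAF that fronts the web
# servers. Origin servers should accept web traffic from these ranges only.
WAF_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
WEB_PORTS = {80, 443}


def audit(default_policy, rules):
    """Return a list of human-readable findings for an inbound chain.

    default_policy: 'drop' or 'accept' (what happens to unmatched traffic).
    rules: dicts with keys action ('accept'/'drop'), proto, port (int), src (CIDR).
    """
    findings = []
    if default_policy.lower() != "drop":
        findings.append(
            "default policy is '%s'; the inbound chain should drop anything not "
            "explicitly allowed" % default_policy)
    for rule in rules:
        if rule["action"].lower() != "accept":
            continue  # only allow rules widen exposure
        src = ipaddress.ip_network(rule["src"], strict=False)
        where = "%s/%d from %s" % (rule["proto"], rule["port"], src)
        if rule["port"] in WEB_PORTS:
            # Web ports: the only acceptable source is the reverse proxy / WAF range.
            if not any(src.version == w.version and src.subnet_of(w) for w in WAF_SOURCES):
                findings.append(where + " bypasses the reverse proxy/WAF; restrict to its source range")
        elif src.prefixlen == 0:
            # Any other port open to the whole internet is not 'allow by exception'.
            findings.append(where + " is open to any source; lock it down to a named source range")
    return findings


# Constructed 'before' ruleset: permissive default and any-source allows.
WEAK_POLICY, WEAK_RULES = "accept", [
    {"action": "accept", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"action": "accept", "proto": "tcp", "port": 22, "src": "0.0.0.0/0"},
    {"action": "accept", "proto": "tcp", "port": 3389, "src": "10.0.0.0/8"},
]

# Constructed 'after' ruleset: drop by default, web only via the WAF range,
# administration only from the (assumed) management network.
HARDENED_POLICY, HARDENED_RULES = "drop", [
    {"action": "accept", "proto": "tcp", "port": 443, "src": "203.0.113.0/24"},
    {"action": "accept", "proto": "tcp", "port": 22, "src": "198.51.100.0/28"},
]

if __name__ == "__main__":
    for label, policy, rules in (("weak", WEAK_POLICY, WEAK_RULES),
                                 ("hardened", HARDENED_POLICY, HARDENED_RULES)):
        print(label, audit(policy, rules) or ["no findings"])
```

Run against the weak ruleset the audit reports the permissive default and both any-source allows; the source-restricted 3389 rule is left alone because it already names its source. Feeding it a real ruleset means writing an exporter from the firewall's own format into the small dict shape used here.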
How can we help you?
We can help you understand your internet-facing assets, the associated risks, and your vulnerabilities so that you can be in a better position to plan for events such as these.
We can also work with you to empower your staff so they don't accidentally fall victim to sophisticated cyber attacks, and so they have a better awareness of what to do if they receive ransomware demands.
- The National Cyber Security Centre released an advisory around the ongoing campaign of DoS attacks affecting New Zealand entities.
- CloudFlare has a useful page on DDoS attacks: what they are, and descriptions of common attack types such as SYN floods and HTTP floods. Allow for tuning and tweaking of your DoS protection system in a way that will not interrupt your BAU practices.
- CERT NZ has some information on DoS attacks here: https://www.cert.govt.nz/individuals/explore/denial-of-service/?topic=denial-of-service (CERT NZ is a valuable resource for relevant cyber security alerts).