Playbook Objectives
- To prepare the company’s IT and cybersecurity teams to detect, respond to, and mitigate a sophisticated DDoS attack.
- To assess the current resilience of the company’s network infrastructure against high-volume traffic intended to overwhelm systems.
- To validate the efficacy of the company’s Incident Response Plan (IRP) tailored for DDoS attacks and improve upon it.
- To ensure appropriate action is taken to minimize downtime and maintain business continuity during an attack.
- To train personnel in the use of deployed DDoS protection tools or services.
- To establish a communication protocol for stakeholders during a cybersecurity crisis.
Difficulty Level
- Advanced. Participants should have a solid understanding of network security, incident response, and experience with real-time monitoring and mitigation tools.
Scenario
- COMPANY: CyberGuard Inc., a prominent financial services provider specializing in secure online transactions.
- NETWORK: CyberGuard Inc. operates a distributed network with multiple data centers and uses cloud-based services to manage clients’ transactions.
- PEOPLE: The exercise involves the entire IT department, including the CISO (Chief Information Security Officer), Johnathan Pierce; IT Managers Simon Gregson and Alisha Kaur; and the Network Administrators, along with a Cybersecurity Incident Response Team (CSIRT) led by Ava Chen.
- SYSTEMS: Primary systems include the company’s transaction server clusters, client database servers, DNS servers, and the corporate website front-end.
Category
- Distributed Denial of Service (DDoS) Mitigation and Incident Response.
Exercise Attack Steps
- Preparation Phase:
  - Compile a briefing for all participants describing the objectives and expected outcomes of the Cyber Range exercise.
  - Establish monitoring capabilities, ensuring all traffic can be adequately analyzed and parsed for anomalies.
  - Review and distribute current DDoS response plans to all team members.
- Attack Simulation Phase:
  - Begin with a low-level traffic flood directed at the company’s external-facing IP addresses, specifically targeting the website to mimic a botnet’s initial phase of probing and weakness identification.
  - Escalate to a multi-vector attack, simultaneously engaging different resources, including transaction servers and DNS, using a combination of volumetric, protocol, and application-layer attacks.
  - Simulate the behavior of an actual attacker by adapting and shifting strategies throughout the exercise, trying to evade detection and mitigation, including switching between direct IP and DNS name attacks.
- Detection and Response Phase:
  - Trigger alerts for anomalous traffic spikes and system performance disruptions.
  - Enact the IRP with specific focus on identifying and categorizing DDoS traffic.
  - Deploy rate limiting, IP blacklisting, and Web Application Firewall (WAF) rules as part of the initial mitigation strategy.
  - Engage external DDoS mitigation service providers as per the IRP and corporate protocols.
  - Coordinate with the network team to reroute traffic through DDoS scrubbing centers if applicable.
- Communication and Coordination Phase:
  - Execute the communication protocol, ensuring that Johnathan Pierce (CISO) and all stakeholders are kept informed about the incident and the response status.
  - Document all team actions and decisions during the exercise to facilitate post-event evaluation.
- Recovery and Post-mortem Phase:
  - Once the attack simulation concludes, restore normal operations and verify the integrity of all systems.
  - Conduct a thorough debriefing to discuss the effectiveness of the IRP and the team’s performance.
  - Produce a comprehensive report detailing the observed outcomes, tool effectiveness, team coordination, and any identified weaknesses in the infrastructure or response plan.
  - Recommend strategic improvements to the network’s DDoS resilience and update the IRP accordingly.
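As an added example (not part of the playbook or any CyberGuard Inc. tooling), the "anomalous traffic spike" trigger from the Detection and Response Phase, run over constructed access-log lines: it buckets requests per second, alerts when a bucket exceeds an assumed baseline by a factor, and lists the top source IPs and the 5xx ratio so responders can judge whether rate limiting or source blocking is warranted. The log format, baseline and factor are assumptions.

```python
"""Added example: per-second spike detection over constructed access-log lines.
Alerts when a one-second bucket exceeds baseline_rps * factor and reports the
top sources and server-error ratio for that bucket. Format and thresholds are
assumptions, not the playbook's own values."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <source IP> <path> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 /login 200
2024-05-01T10:00:00 203.0.113.5 / 200
2024-05-01T10:00:01 198.51.100.9 /account 200
2024-05-01T10:00:02 203.0.113.5 /login 200
2024-05-01T10:00:03 192.0.2.10 / 200
2024-05-01T10:00:03 192.0.2.11 / 200
2024-05-01T10:00:03 192.0.2.12 / 200
2024-05-01T10:00:03 192.0.2.13 / 200
2024-05-01T10:00:03 192.0.2.10 / 503
2024-05-01T10:00:03 192.0.2.11 / 503
2024-05-01T10:00:04 203.0.113.5 /account 200
"""

def parse_line(line):
    ts, src, path, status = line.split()
    return datetime.fromisoformat(ts), src, path, int(status)

def detect_spikes(log_text, baseline_rps=2.0, factor=2.0, top_n=3):
    """Return (second, request_count, top_sources, error_ratio) for every
    one-second bucket whose request count exceeds baseline_rps * factor."""
    per_second = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, _path, status = parse_line(line)
            per_second[ts.replace(microsecond=0)].append((src, status))
    threshold = baseline_rps * factor
    alerts = []
    for second in sorted(per_second):
        reqs = per_second[second]
        if len(reqs) > threshold:
            # Top sources tell responders whether the flood is concentrated
            # (rate-limit or block a few IPs) or distributed (escalate).
            sources = Counter(src for src, _ in reqs).most_common(top_n)
            errors = sum(1 for _, st in reqs if st >= 500) / len(reqs)
            alerts.append((second.isoformat(), len(reqs), sources, round(errors, 2)))
    return alerts

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_LOG):
        print(alert)
```

In a real exercise the baseline would come from the monitoring established in the Preparation Phase rather than a constant.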