HHS releases DDoS attack response plan
Halting the botnet invaders
HC3 said security hygiene is the single best way to find potential vulnerabilities and to identify attack vectors before an attack happens. Specifically, the authors recommend regular security audits, real-time monitoring of traffic into and out of the network, and the creation of a security response plan that assigns tasks to trained staff.
The key to minimizing damage from a DDoS attack is early detection. But, since a botnet invasion can start slowly and ramp up very quickly, traffic volume isn’t always the best metric for rapid detection.
“Rate-based detection is usually discussed first when it comes to DDoS attacks, but most effective DDoS attacks are not blocked using rate-based detection,” HC3 warned.
Instead, HC3 recommends healthcare institutions have a system in place to filter traffic, one that can automatically drop unwanted access to the network before it has time to build into a larger threat. When filtering, unwanted traffic should be diverted to a part of the network that isn’t connected to services, namely a “sinkhole” or “scrubbing center,” the agency said.
This diversion gives healthcare organizations a chance to track the DDoS attack and find out where it came from. This information should be used to bolster security and eliminate avenues for future intrusions.
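As an added illustration, not taken from the HC3 document or this article, the following Python script compares a rate-based detector with a per-request filter on constructed request records: a botnet that adds one source per second stays under a volume threshold for several seconds, while a filter that diverts sources sharing one request fingerprint to a sinkhole catches it earlier and records where it came from. The “many distinct IPs sharing the same path and user-agent” heuristic and all addresses are assumptions for the example, not a rule the guidance prescribes.

```python
from collections import Counter, defaultdict

# Constructed sample traffic (not real logs): tuples of (second, src_ip, path, user_agent).
def make_requests():
    reqs = []
    for t in range(10):
        # Five legitimate users per second, each with its own path/agent combination.
        for i in range(5):
            path = ["/", "/portal", "/login"][i % 3]
            agent = ["Mozilla", "Safari"][i % 2]
            reqs.append((t, f"10.0.{i}.{t}", path, agent))
        # Botnet ramps slowly: t+1 distinct sources at second t, all sharing one fingerprint.
        for b in range(t + 1):
            reqs.append((t, f"203.0.113.{b}", "/portal", "BotKit/1.0"))
    return reqs

def rate_detector(reqs, threshold=12):
    """Rate-based detection: first second whose total request count exceeds threshold."""
    per_second = Counter(t for t, _ip, _path, _agent in reqs)
    for t in sorted(per_second):
        if per_second[t] > threshold:
            return t
    return None

def fingerprint_filter(reqs, min_sources=3):
    """Assumed filtering heuristic: when at least min_sources distinct IPs share the same
    (path, agent) fingerprint within one second, divert them all to the sinkhole.
    Returns (second of first diversion, set of sinkholed IPs)."""
    by_second = defaultdict(lambda: defaultdict(set))
    for t, ip, path, agent in reqs:
        by_second[t][(path, agent)].add(ip)
    first, sinkhole = None, set()
    for t in sorted(by_second):
        for ips in by_second[t].values():
            if len(ips) >= min_sources:
                if first is None:
                    first = t
                sinkhole |= ips  # diverted sources: kept for tracing, never served
    return first, sinkhole

if __name__ == "__main__":
    reqs = make_requests()
    print("rate-based detection fires at second:", rate_detector(reqs))
    t, sinkhole = fingerprint_filter(reqs)
    print("filter diverts to sinkhole at second:", t, "sources:", sorted(sinkhole))
```

On this sample the rate detector does not fire until second 7, while the fingerprint filter diverts the botnet sources at second 2 and never touches the legitimate 10.0.0.0/8 users.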
Regardless of attack origins, HC3 recommends organizations not respond with a counterattack.
“While it may be tempting to try and kill off the botnet, it can create logistical problems and may result in legal ramifications. Generally, it is not recommended,” HC3 noted.
Lastly, they recommend equipping every crucial system with a backup, specifically an alternate delivery network that allows relevant content, such as a patient portal, to stay active even if the attack is disrupting other primary services.
The full HC3 document, including a list of resources to help develop an effective strategy against DDoS cyberattacks, can be found here.