A Distributed Denial of Service (DDoS) attack shuts down your business for hours or days at a time, disrupting supply chains, turning away clients or patients and causing significant dollar losses. The frequency and magnitude of attacks warrant a management team analysis similar to the one done for data breach, to ensure that your company remains open for business.
DDoS attacks are not new, but they are escalating and growing in complexity. The objective is to deny service to the victim through attacks on its infrastructure. Whether your data is in your data center, the cloud or a hybrid, you are susceptible. A denial of service can result from a ransomware event where all data is encrypted, or it could be a bandwidth saturation attack combined with attacks on application servers. Regardless, the victim has limited or no ability to function and serve its clients. We tend to pay attention to DDoS during the mega events, but like data breach, these attacks occur every day and hit businesses of all sizes, across verticals.
Denial of Service is expensive. With the NotPetya virus, we saw the business of TNT Express in The Netherlands disrupted, and its parent corporation FedEx stated that it would cost $300 million. A.P. Moller-Maersk A/S shipping also lost an estimated $200 million. Merck & Co. had an insurable claim of over $300 million after drug production was halted. The WannaCry attack is estimated to have caused over $4 billion in damages with little or no insurance cover because most of the damage was in Europe. The WikiLeaks Vault 7 code release could unleash tools that impact US based companies. Graeme Newman of CFC Underwriting estimates potential insurable events of $2.5 billion if a new NotPetya occurs.
Costs related to bandwidth attacks are startling. It can be hard to quantify all of the related losses within days of an event, but estimates from Arbor Networks for enterprise clients look at dollar loss per minute. Losses range from $500 per minute to over $20,000 per minute. The Ponemon DDoS Report estimates company losses at $1.5 million per event, with surveyed companies experiencing four events over 12 months. An Imperva survey reports that 49% of DDoS attacks last between 6 and 24 hours at an estimated cost of $40,000 per hour or $500,000 per event, with some costing $100,000 per hour. In addition to lost revenue or damage to systems, the business disruption is immense and could have long term business impacts as clients go elsewhere to buy.
How common are these attacks? Across all reports from 2017, the numbers are high. "45% reported they were hit with 70% hit 2 or more times." (Imperva) "53% reported seeing 51 or more attacks per month." (Arbor) "16,600 attacks in Q1 2017." (Nexusguard) Similar to data breach, many attacks are not seen or understood until it's too late. All providers report seeing multi-vector attacks which combine a volume attack (UDP flood) with a state exhaustion attack (SYN flood) on a firewall or load balancer and an application attack (HTTP) on a server. Attackers will shift between strategies to confuse the victim and open the door to other threats, such as data theft.
These multi-vector attacks are the norm and they make it tougher for victims to defend on their own. The Arbor Networks Worldwide Infrastructure Report for 2017 states that 42% of the enterprise, government and education organizations surveyed experienced a DDoS attack last year. 75% of DDoS attacks were directly against the customer (not the ISP). The top target verticals include: Gaming, Government, Financial, eCommerce and Education. Most of the attacks are under 2 Gbps, but one confirmed attack in the UK was 579 Gbps. The average duration was only 55 minutes, but attacks are often repeated over many hours. The size, frequency and scale are getting worse, and the protocols and infrastructure which are used to attack victims have inherent weaknesses (DNS, BGP, NTP, etc.).
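The paragraphs above describe the three vectors that get combined in a multi-vector attack (a UDP volume flood, a SYN state-exhaustion flood and an HTTP application flood) and note that attackers shift between them. The following Python script is an added example, not code from the article or from any vendor named in it: it runs a first-pass triage over constructed one-minute traffic summaries, such as a flow collector might produce, and labels each minute with the vector(s) it suggests. The `MinuteSummary` fields, the `BASELINE` figures and the multipliers (10x, 0.8, 5x) are illustrative assumptions; a real deployment would learn the baseline from its own traffic history.

```python
"""Added example: multi-vector DDoS triage over constructed traffic summaries.

Not part of the original article. Field names, baseline values and thresholds
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MinuteSummary:
    """One minute of inbound traffic, as a flow collector might summarise it."""
    minute: str
    udp_mbps: float        # inbound UDP volume in Mbps
    syn_count: int         # TCP SYN packets seen at the edge
    established: int       # handshakes that completed (SYN answered by the client's ACK)
    http_requests: int     # requests that reached the application tier
    unique_clients: int    # distinct source IPs behind those requests


# Assumed "normal minute" baseline; in practice this is learned from history.
BASELINE: Dict[str, float] = {
    "udp_mbps": 50.0,
    "syn_count": 2_000,
    "http_requests": 30_000,
    "unique_clients": 5_000,
}


def classify(s: MinuteSummary, baseline: Dict[str, float] = BASELINE) -> List[str]:
    """Return the attack vectors suggested by one minute of traffic.

    The multipliers below are illustrative assumptions, not vendor numbers.
    """
    vectors: List[str] = []
    # Volume vector: raw UDP bandwidth far above baseline saturates the pipe.
    if s.udp_mbps > 10 * baseline["udp_mbps"]:
        vectors.append("volume:udp_flood")
    # State-exhaustion vector: a SYN surge where almost no handshake completes,
    # which fills firewall/load-balancer connection tables with half-open entries.
    if s.syn_count > 10 * baseline["syn_count"]:
        half_open_ratio = (s.syn_count - s.established) / s.syn_count
        if half_open_ratio > 0.8:
            vectors.append("state_exhaustion:syn_flood")
    # Application vector: request volume far above baseline and concentrated on
    # few sources (each client hammering the server), unlike a legitimate flash crowd.
    if s.http_requests > 5 * baseline["http_requests"]:
        per_client = s.http_requests / max(s.unique_clients, 1)
        baseline_per_client = baseline["http_requests"] / baseline["unique_clients"]
        if per_client > 5 * baseline_per_client:
            vectors.append("application:http_flood")
    return vectors


def campaign_summary(summaries: List[MinuteSummary]) -> Dict[str, object]:
    """Roll per-minute findings up into a campaign view.

    'multi_vector' is set when more than one distinct vector appears across the
    window, which is the pattern the article describes as the norm.
    """
    findings = {s.minute: classify(s) for s in summaries}
    seen = sorted({v for vs in findings.values() for v in vs})
    return {
        "findings": findings,
        "vectors_seen": seen,
        "multi_vector": len(seen) >= 2,
        "attack_minutes": [m for m, vs in findings.items() if vs],
    }


# Constructed sample: a quiet minute, a UDP flood, then the attacker shifts to a
# combined SYN flood plus HTTP flood, then traffic returns to normal.
SAMPLE: List[MinuteSummary] = [
    MinuteSummary("10:00", 40.0, 1_800, 1_750, 28_000, 4_800),
    MinuteSummary("10:01", 900.0, 2_100, 2_050, 29_000, 4_900),
    MinuteSummary("10:02", 60.0, 50_000, 500, 200_000, 300),
    MinuteSummary("10:03", 45.0, 1_900, 1_850, 27_000, 4_700),
]

if __name__ == "__main__":
    report = campaign_summary(SAMPLE)
    for minute, vectors in report["findings"].items():
        print(minute, vectors or "normal")
    print("multi-vector campaign:", report["multi_vector"])
```

On the constructed sample the 10:01 minute is labelled as a UDP volume flood, 10:02 carries both the SYN state-exhaustion and HTTP application labels, and the campaign view flags the window as multi-vector. The half-open ratio check matters: a legitimate traffic spike also raises the SYN count, but its handshakes complete, so it is not mislabelled as state exhaustion.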
Denial of service is not new and has gone through many iterations over the past decade. Back in 2012, banks in the northeastern US, including the NYSE, were hit by Muslim hacktivists, causing outages that could have triggered severe systemic problems. In 2015, we saw a state sponsored attack from China against GitHub, which was hosting anti-censorship tools. The "Great Cannon" intercepted traffic destined for China, redirected it at GitHub, flooded its bandwidth and shut down the service. Last year the Mirai botnet took advantage of some 100,000 poorly configured IoT devices to unleash a 1.2 Tbps DDoS on DNS service provider Dyncorp and affected many downstream clients such as Netflix and Twitter. Botnets used with ransomware, Ransomware as a Service and DDoS as a Service that leverage IoT devices have increased the threat surface exponentially. Now, for $15 to $50 per hour, criminals can launch an attack to shut down a company's internet access.
The battle against DDoS has been ongoing at the ISPs, but increasingly this is an enterprise threat that risk managers must learn about. With significant amounts of data hosted in the cloud, attacks may hit the ISP provider or the enterprise directly. Akamai uses its content delivery network (CDN) to absorb threats at the edge. Firewalls and load balancers attempt to stop DDoS but, according to Cisco, "aren't in the best position, can't see anomalies and lack anti spoofing capabilities." Purpose-built services like Arbor Networks operate in the cloud and use a layered approach where application and state exhaustion attacks are handled at the customer data center. When it looks like a large volume attack is coming, traffic automatically re-routes to a cloud scrubber, which sends clean traffic back to the enterprise. Handling these attacks requires a combination of software and incident responders, and time is of the essence. As with malware attacks, global threat intel that is operationalized for DDoS is needed to spot entire attack campaigns. It is worth asking your ISP who is protecting their bandwidth; don't just check the box on this capability.
But as complicated as the DDoS threat is, the cyber insurance coverage adds a layer of complexity. Risk transfer is needed for DDoS, and it may come under cyber insurance or may be an endorsement to a property policy. Business Interruption (BI) coverage is needed when an attack is launched directly against your network, and Contingent or Dependent BI is needed if the attack is upstream at your vendor or provider. The coverage is triggered upon notice by the insured that their network is unavailable, and waiting periods for valid claims can be as many as 12 hours. Another consideration is your retention or deductible that will apply against any loss. Cyber insurance can be difficult to underwrite because the losses or their magnitude are not foreseen. One Merck employee summed up the impact from NotPetya: “[I]t just shut down the whole network site, without computers these days you can’t do anything… There’s not much you can do without access.”
Scott Godes, an insurance recovery partner with Barnes & Thornburg LLP, pays close attention to the wording of all policies and shared some comments. "The question of business interruption coverage can vary by insurance policy and insurance carrier. Some policies, for example, look to whether the insured’s business was interrupted or suspended. Other policies, for example, look to whether there was an interruption or suspension of the relevant computer system. Although many policies use 12 hours for a waiting period, other policies may have shorter windows, such as 8 or 10 hours. Certain policies include CBI coverage explicitly, whereas other policies may provide the same coverage through varying terms and conditions."
Kurt Suhs, SVP at Ironshore, stated, “Today, most markets offer full limits for business and dependent business interruption for claims arising from a network security incident while coverage for system failure is generally sub-limited. We are also seeing traditional property markets offering coverage for business and dependent business interruption from a cyber event. A turning point for some markets on the ability to profitably write this coverage was the Petya malware that significantly impacted the operations of several Fortune 500 companies.”
David Lewison of AmWINS Brokerage commented on BI coverage. "Some of the business interruption costs are what we call betterment (“improved computer hardware”) and internal expenses (“overtime wages for staff”). Betterment has always been excluded. CFC is now offering some coverage, up to $50,000, on their new form. Most policies get you back to where you were, not buying new, upgraded equipment. The policies are a mixed bag right now. I would expect nearly all cyber policies with BI included to cover events impacting their own networks and devices. That contingent or dependent coverage is a little more fuzzy. Some markets cover that cloud outage or other critical vendor going down. Some cover when an IT person kicks a plug out of the wall. It’s hard to keep it all straight. Recently, a client received a handful of cyber insurance quotes and each one has a different amount of time limit on the business interruption (period of restoration). One covers lost profits for 30 days and some go up to 6 months."
On calculating losses, Jesus added: "Wording in a typical policy will be for 'actual loss sustained' and you can expect to have the insurers hire a forensic accounting firm on their behalf to quantify the loss. The insured/victim should have their own forensic accounting firm prepare the claim on their behalf. There is no 'single form' of quantifying claims as every client and situation is unique, which is why it is invaluable to prepare a 'Proof of Loss' template to attach to the policy as a pre-agreed endorsement."
The takeaway is that you need to spend time with your broker and counsel so that they can understand your business, your network architecture and how to calculate your business losses from downtime, and then select and negotiate with one of the carriers to find the best coverage. BI that results from a DDoS attack will need to address the nuances of multiple, short duration attacks that result in claims calculated over days. DDoS doesn't have the mitigation options available that a potential data breach does. Unlike data theft, where multi-factor authentication (Okta, InAuth) can prevent the credential theft that leads to database access, proper encryption can mitigate the risk if data is stolen, or working backups can cover data extortion events, DDoS protection involves infrastructure outside of your control and is a team sport!
Recently, there have been DDoS attacks on ICO offerings, as a smokescreen for an APT, and via a wireless Android botnet. The growing IoT device footprint includes little or no security, and the protocols that are utilized as part of a DDoS attack will not be easily fixed. Don't think of DDoS as a technical problem that you can issue a patch for... dig in on this business risk now.