Data Protection Report - Norton Rose Fulbright

Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against KrebsonSecurity and France-based hosting provider, OVH, in late September—each of which set records as the largest of these attacks in history. Most recently, nearly 900,000 Deutsche Telekom routers in Germany were attacked, causing significant internet and television outages across the country. While DDoS attacks have been around for some time, what stands out in these cases is the attackers’ exploitation of security weaknesses in tens of thousands of Internet-of-Things (“IoT”) devices to launch the attacks. Unfortunately, these types of widespread outages may be more common in the future if these weaknesses are not addressed.

At their most basic level, DDoS attacks work by sending a high volume of data from different locations to a particular server or set of servers. Because the servers can only handle a certain amount of data at a time, these attacks overwhelm the servers causing them to slow significantly or fail altogether. This prevents authorized users from being able to use or access the services being provided by the attacked servers.

The DDoS attackers that hit Dyn disrupted a wide number of websites by targeting two Domain Name System (“DNS”) servers maintained by the company. DNS is an essential component of all websites, responsible for translating human-friendly website names into numeric, machine-readable Internet Protocol (“IP”) addresses needed to find and connect with the right servers so that they can deliver requested content. Anytime an individual user sends an email or browse a website, the computer sends a DNS look-up request to help route the traffic to the correct location. For scale, Google’s Public DNS handles 70 DNS billion requests a day. As such, a DDoS attack against key DNS servers that prevent those requests from going through can cripple vast parts of the Internet almost instantly. Unfortunately, these type of widespread outages may be more common in the future because of security weakness of IoT devices.

There are service providers like Akamai or Cloudflare that provide DDoS mitigation defenses designed to combat these attacks by absorbing or deflecting DDoS traffic. In their simplest form, DDoS mitigation tools serve as remote network traffic filters that attempt to redirect and disregard the high volume of malicious traffic while filtering the good traffic through to the server. Because the success of these basic measures necessarily depends upon the ability to identify and distinguish the good traffic from the bad, which is not always an easy task, these services have evolved to offer a more layered approach for defenses, including redistributing traffic to the service provider to absorb the increased traffic, scattering traffic to multiple locations and performing various additional background checks to validate traffic.

However, the success of these defenses ultimately depend on the volume of the attack. If the attackers are able to utilize enough bandwidth, they can defeat even those DDoS defense mechanisms designed to prevent these attacks from succeeding. For example, the recent attacks outlined have more than doubled or tripled the amount of traffic that DDoS mitigation companies have previously seen. As Brian Krebs reported in the aftermath of the attack on his site, “Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 [Gigabits of traffic per second (“Gbps”)],” but the attack on KrebsonSecurity exceeded 600 Gbps and the attack on OVH exceeded 1 Terabit per second or 1,000 Gbps.

As evidenced by the activity in these recent attacks, the increasing prevalence of IoT devices present a heightened risk of DDoS attacks. The attackers are able to exploit the relative security weaknesses in IoT devices, like internet-connected cameras and DVRs, using malware to create networks of these computers, known as botnets, that report to a central control server that can be used as a staging ground for launching powerful DDoS attacks. Due to the number of IoT devices that can be compromised at once, the amount of traffic that an attacker could generate by using a botnet “army” is far more substantial than the DDoS attacks of the past. The source code for one variant of this malware, “Marai,” was recently released publicly, which, experts predict, will lead to more of these attacks occurring. This malware is able to gain control over numerous IoT devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Although one of the manufacturers of devices that were found to be used in these attacks recently announced a recall, many other devices remain vulnerable.

Exacerbating the issue is the increased use of IoT devices in the United States and worldwide. One information technology research and advisory company forecasted that 6.4 billion connected things will be in use worldwide in 2016 and that the count of IoT devices in use will reach 20.8 billion by 2020. In 2016, an estimated 5.5 million new IoT devices will get connected every day.

While the release of Marai’s source code and worldwide increase in IoT devices may contribute to the recent rise in frequency and scope of DDoS attacks, the motives behind the attacks may also play a role. Many attacks in the past have been motivated by politics, business competition or revenge. However, more recent large-scale attacks appear to stem from more nefarious purposes–financial extortion and theft of information. These types of motivations might not be readily apparent during the initial response to a DDoS attack when visibility into network traffic and server activity may be compromised.

DDoS extortion is often carried out through several different methods. In some cases, companies receive ransom notes prior to a purported attack, demanding payment in exchange for a guarantee that the extortionist will not launch a DDoS attack in the near future. In other circumstances, the ransom note arrives after the initial flood of internet traffic from a DDoS attack has already begun–with a warning that the attack will be amplified if payment is not made within a specified amount of time. These notes may have similar bitcoin demands and time constraints as ransom notes that a company might receive after experiencing a ransomware attack.

Additionally, many DDoS attacks occur in conjunction with some other type of theft or data security incident, indicating that some hackers are using the attacks as “smokescreens” to divert attention away from their true purposes. In 2013, banks and other financial institutions suffered millions of dollars in losses after DDoS attacks to customer websites created enough “smoke” to allow hackers to complete fraudulent wire transfers and open unauthorized payment cards without alerting employees. DDoS attacks have also coincided with the theft of personal data, such as customer user names and passwords, which could trigger further legal obligations to provide notice to customers and regulators.

In addition to parallel attacks and extortion attempts, a potentially more costly issue is the business interruption costs that these attacks can impose on organizations. For organizations with an e-commerce presence, the impact is clear—each minute of downtime results in fewer sales. However, these attacks can also create downtime and internal expenses for other organizations, including the time associated with internal efforts to restore activity as well as non-financial consequences, like the loss of customer trust or loss of intellectual property. Furthermore, these attacks can create potential liability to customers if an organization is not provide services. For service providers, DDoS attacks may result in potential losses based on contractual uptime and reliability guarantees contained in Service-Level Agreements or other similar contract provisions. A recent survey found that the average cost of a DDoS attack on a business was approximately $40,000 per hour.

Our Take

With the increase of these attacks in the last few months, along with the projections that they will become much more common in the coming months and years, organizations should take steps to prepare for, respond to, and mitigate some of the potential fall-out associated with a DDoS attack. Outlined below are some of the steps that organizations can consider to mitigate their exposures before, during and after a DDoS attack.

Before an Attack

  • Incident Response Planning. As with any potential security incident, business harms and legal consequences of a DDoS attack can be alleviated before the attack occurs. Companies should include in their Incident Response Plan (IRP) emergency situations like DDoS or Ransomware attacks that have the propensity to affect critical business operations. Companies like Twitter and Netflix, who rely on DNS service providers like Dyn to support their websites, may wish to set up relationships with additional DNS providers that can be used in the event of website failure following a DDoS attack.
  • Negotiating/Reviewing Contractual Liability. Companies should consider whether and to what extent a loss of service would impact its contractual obligations. As outlined above for service providers, unavailability of resources may impact uptime and reliability guarantees contained in Service-Level Agreements or other similar contract provisions. Contracting parties should be certain to raise and adequately address these issues during the contract negotiation process to ensure that the risks associated with these incidents are properly allocated between or among the parties involved. Specifically, the repercussions of a DDoS attack may need to be addressed in various terms, including: (i) revising force majeure provisions or other exceptions to contractual service guarantees to exclude downtime attributable to these type of incidents from uptime or reliability calculations; (ii) creating disclaimer or limitation of liability language in agreements that expressly limits or eliminates potential liability associated with the inability to perform transactions during a system or website outage; (iii) carefully drafting security incident notification clauses to avoid contractual liability where notice might be required under a contract, but would not be required under any other law or regulation; and (iv) allocating risk and liability for potential outages in terms governing limitations on liability and indemnity.
  • DDoS Mitigation. We recommend that organizations consider retaining third parties to provide the types of DDoS mitigation services described above. For companies that are already using these services, we recommend reviewing the level of services provided to ensure that they have an adequate amount of protection in light of the volume of the recent IoT-based attacks. Historical levels of protection may be insufficient in light of the increasing numbers of IoT devices that are becoming more easily exploitable.
  • Documenting Security and Preventative Measures. Organizations should be certain to document the various security measures taken, including those designed to prevent and mitigate the effects of DDoS attacks. As outlined further below, these incidents have the potential to generate litigation against the victim organizations. Because of this, companies should evaluate their litigation and regulatory action risk from various sources and which actions are likely to be seen as reasonable under the circumstances when viewed in hindsight by a court, jury, or regulator. Organizations must remain cognizant of the fact that documenting their security decisions and practices can significantly bolster defenses against claims of negligence or breach of contract by litigants or non-compliance by regulators. Companies should seek a “reasonable” level of security and mitigation with respect to DDoS attacks to help defend against litigation.

During an Attack

  • Establishing and Preserving Attorney-Client Privilege. A key step in the investigation of and response to any cyber incident is working with internal or outside legal counsel to ensure that the investigative findings and documents are protected under the attorney-client privilege and/or work-product doctrine. As we have previously outlined, important steps in preserving privilege include: (i) retaining or involving legal counsel early in the process, (ii) focusing the investigation on providing legal advice to the organization, including providing legal advice in anticipation of litigation and regulatory inquiries, and (iii) retaining forensic or security experts through legal counsel.
  • Balancing Remediation and Investigation Objectives. The primary objective for most businesses following a DDoS attack is to ensure that websites are back online and critical business functions are protected. However, steps to remediate the attack are often taken at the expense of preserving evidence that may be extremely useful in the subsequent investigation of the incident. Organizations should confer with forensic experts as soon as possible following the start of an attack to ensure that the actions taken in response will not compromise important evidence.
  • Involving Law Enforcement. The decision about whether to involve law enforcement sometimes involves competing considerations as well. On one hand, the increase in the prevalence of these attacks has led to significant more attention from various law enforcement agencies, which has resulted in significantly more success in identifying and prosecuting attackers. Federal law enforcement frequently has significant intelligence on various groups responsible for these attacks which can provide important information in responding to, containing, and remediating these attacks. On the other hand, law enforcement agencies may be hesitant to share much information, leaving some organizations feeling like information sharing is more of a one-way street than a mutual exchange. Additionally, alerting law enforcement can result in having the agency become significantly more involved in, or even controlling, the investigation of the incident. This can have implications on privilege issues and, more generally, may not be ideal in all circumstances. Organizations should consult with legal counsel to evaluate the potential advantages and disadvantages of notifying law enforcement based on their specific circumstances.
  • DDoS Mitigation. Companies should be aware that many DDoS mitigation vendors, including Cloudflare and Akamai offer emergency DDoS hotlines or protection services that can be deployed for new customers, even where a company has not proactively secured such services. Engaging a DDoS mitigation service provider after an attack has started can help to reduce the length and severity of an attack, allowing a company to get its affected servers and websites back up and running more quickly.

After an Attack

  • External Communications. When and how an organization communicates about a DDoS attack may have significant impacts on its exposure and liability following an incident. These communications may include: (i) general communications about the incident with media, investors, customers, or regulators; or (ii) formal notifications ranging from those necessitated by legal or regulatory requirements to formal contractual notices necessary to exercise force majeure or emergency circumstances.
  • Further Investigation. Once business critical functions and website functionality have been restored, further investigation to investigate the circumstances surrounding the attack and to help determine what types of legal consequences may have been triggered by the attack will likely be necessary. From a technical perspective, the attacked company should utilize any built-in incident detection measures to identify indicators of compromise and confirm that the malicious activities were limited to the DDoS attack. Forensic analysis may also be employed to determine whether any unauthorized access or acquisition to customer information or confidential business information occurred under the guise of a potential DDoS “smokescreen.”
  • Preparing for Potential Litigation or Claims. DDoS attacks may lead to litigation or regulatory scrutiny in a variety of contexts. For example, civil liability could potentially arise where financial services customers are prevented from accessing financial accounts or buying and selling stock during an attack, leading to potential lawsuits alleging consequential damages and lost profits against the website operator or service provider. DDoS attacks could also give rise to claims against service providers for failing to provide contractually-guaranteed service levels. The theft of customer information, trade secrets, intellectual property, or other confidential or protected information could also give rise to multiple sources of liability—both contractual and under state and federal laws. Following a failure of any type of service provided through or bolstered by the Internet could result in a variety of lawsuits based on a company’s own failure to adequately protect against a DDoS attack or appropriately limit liability in its agreements with customers. Clearly documenting the start and duration of any outages as well as identifying actions the organization has taken in response will better position it for defending against these claims.

Relatedly, organizations have an obligation to preserve potentially relevant information and documents once they reasonably anticipate litigation. Organizations should consult with legal counsel to determine when it is appropriate to put litigation holds in place to ensure that they avoid potential spoliation issues and sanctions. Note that the timing of the litigation hold may need to take into account assertion of privilege protections under the work-product doctrine. To the extent that a company argues that materials prepared by and with legal counsel are being prepared “in anticipation of litigation” and are therefore protected, it should consider whether this assertion triggers an obligation to preserve evidence at the same juncture.