Norton Rose Fulbright - Data Protection Report blog

Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter.

Now, a new Internet of Things (IoT) botnet, called IoT Reaper, or IoTroop, has been discovered by researchers and could present a threat that could dwarf the 2016 attacks and create a major disruption to internet activity around the world.

As we have explained previously, at their most basic level, DDoS attacks work by sending a high volume of data from different locations to a particular server or set of servers. Because the servers can only handle a certain amount of data at a time, these attacks overwhelm the servers causing them to slow significantly or fail altogether. This prevents authorized users from being able to use or access the services being provided via the attacked servers. As we warned a year ago, we expect that these type of widespread outages may be more common in the future because of security weakness related to the Internet of Things, coupled with increased adoption of IoT devices in the United States and worldwide.

Last year, at least some of the sizeable attacks were attributed to a malware variant named Mirai, which commandeered various internet-enabled digital video recorders (DVRs), cameras, and other IoT devices and was then utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services. Mirai operated primarily as a “DDoS-for-hire” service in which attackers launch DDoS attacks against a target in exchange for payment, generally made in Bitcoin.

While these Mirai-based attacks were successful in creating extensive outages, the method for gaining control over the IoT devices was relatively straightforward—it relied on using weak or default passwords on these devices. Conversely, as researchers from Netlab 360 and Check Point recently reported, a new IoT botnet, named IoT Reaper or IoTroop, builds on portions of Mirai’s code. Instead of exploiting passwords of the devices it infects, the new botnet uses known security flaws in the code of those insecure devices to take control of them and then searches for other vulnerable devices to spread itself further. Vulnerable devices include various routers made by leading manufacturers, such as D-Link, Netgear, and Linksys, in addition to the types IoT devices used by Mirai.

Although there has been some confusion about the current size of the Reaper botnet, with current estimates ranging from 10,000 to 30,000 infected systems, Netlab 360 advised in an updated post that one of the Reaper control servers appears to have a queue of 2 million IoT devices that have been identified as vulnerable to a Reaper attack, but had not yet been compromised. If this number is correct, this would be a substantial increase of the infected devices used in the Mirai attacks.

To date, the motivation behind Reaper is unknown, however researchers have found that it uses a Lua-based software platform that allows new code modules to be downloaded to infected machines. That means that, depending on the types of devices under its control, it could have the capability to shift its tactics at any time if the attackers simply distribute a new module to the command server.

While some commentators have suggested that Reaper has some design flaws, including the fact that its control servers rely on static domain names and IP addresses and it communicates over unencrypted HTTP channels, which make it a less potent threat than Mirai, they acknowledge that Reaper could, one day, pose a serious threat because of its exploit mechanism, which targets specific firmware vulnerabilities, particularly because recently discovered exploits appearing in the malware suggests attackers are actively and diligently expanding the base of vulnerable devices Reaper may be able to infect. Indeed as Pascal Geenens, a researcher at security firm Radware, explained: “if [Reaper’s] developers were to substantially overhaul their malware to add new exploits and better protect its control infrastructure, Reaper has the potential to grow into an unprecedented size. What’s more, the developers’ use of the Lua programming language makes it easy to use Reaper for a variety of attacks beyond DDoSes.”

Our Take

With the increasing threat of these attacks, coupled with the number of different ways that they can be leveraged, organizations should take steps to prepare for, respond to, and mitigate some of the potential fall-out associated with a DDoS attack. Outlined below are some of the steps that organizations can consider to mitigate their exposures before, during, and after a DDoS attack.

Before an Attack

  • Incident Response Planning. As with any potential security incident, effective planning can help reduce or eliminate some of the potential business harms and legal consequences of a DDoS attack before an attack occurs. Companies should include in their Incident Response Plan (IRP) emergency situations like DDoS or Ransomware attacks that have the propensity to affect critical business operations. E-commerce companies and others that rely heavily on website traffic may wish to identify “mission critical” resources and identify alternative solutions that can be used in the event of website failure following a DDoS attack.
  • Negotiating/Reviewing Contractual Liability. Losses of service could affect an organization’s contractual obligations; for example, unavailability of resources may impact uptime and reliability guarantees contained in Service-Level Agreements or other similar contract provisions. Contracting parties should be certain to consider and address these issues during the contract negotiation process to ensure that the risks associated with these incidents are properly allocated between or among the parties involved. Organizations may wish to address the potential repercussions from a DDoS in various contractual provisions, including: (i) revising force majeure provisions or other exceptions to contractual service guarantees to exclude downtime attributable to these type of incidents from uptime or reliability calculations; (ii) creating disclaimer or limitation of liability language in agreements that expressly limits or eliminates potential liability associated with the inability to perform transactions during a system or website outage; (iii) carefully drafting security incident notification clauses to avoid contractual liability where notice might be required under a contract, but would not be required under any other law or regulation; and (iv) allocating risk and liability for potential outages in terms governing limitations on liability and indemnity.
  • DDoS Mitigation. Organizations should consider retaining third parties like Akamai or Cloudflare to provide DDoS mitigation services designed to combat these attacks by absorbing or deflecting DDoS traffic. For companies that are already using these services, we recommend reviewing the level of services provided to ensure that they have an adequate amount of protection in light of the increasing data volume seen in some of the more recent IoT-based attacks. Historical levels of protection may be insufficient in light of the increasing numbers of IoT devices that are becoming more easily exploitable.
  • Documenting Security and Preventative Measures. In anticipation of potential litigation and regulatory enforcement, we recommend that organizations document the various security measures that are being implemented, including those designed to prevent and mitigate the effects of DDoS attacks. Documenting security practices and decisions as they are being implemented and made can help bolster arguments that a companies’ actions were reasonable under the circumstances. Although, in the context of litigation or a regulatory investigation, these actions will be viewed in hindsight by a court, jury, or regulator, contemporaneous information about these can significantly bolster defenses against claims of negligence or breach of contract by litigants or non-compliance by regulators. Companies should seek to implement a “reasonable” level of security and mitigation with respect to DDoS attacks to help defend against litigation.

During an Attack

  • Establishing and Preserving Attorney-Client Privilege. A key consideration in the investigation of and response to any cyber incident is establishing and preserving attorney-client privilege or work-product doctrine protections. As we have previously outlined, important steps in preserving privilege include: (i) retaining or involving legal counsel early in the process, (ii) focusing the investigation on providing legal advice to the organization, including providing legal advice in anticipation of litigation and regulatory inquiries, and (iii) retaining forensic or security experts through legal counsel.
  • Balancing Remediation and Investigation Objectives. Unfortunately, remediating an attack and restoring operations may adversely impact evidence needed to investigate an incident. We recommend that organizations confer with forensic experts and legal counsel as soon as possible following the start of an attack to ensure that the actions taken in response will not compromise important evidence.
  • Involving Law Enforcement. Organizations often reflexively want to contact law enforcement in response to a data incident and while this may be beneficial in many circumstances, there are some legal considerations that organizations should weigh before doing so. The frequency and severity of these attacks has led to more attention from various law enforcement agencies and significantly more success in identifying and prosecuting attackers. Federal law enforcement agencies often have intelligence on various groups responsible for these attacks and, as a result, may be able to provide important information in responding to, containing, and remediating these attacks. However, law enforcement agencies may not always be able to share much information, particularly where the information relates to an ongoing investigation. Additionally, alerting law enforcement can result in having the agency become significantly more involved in, or even controlling, the investigation of the incident. Law enforcement involvement could impact privilege issues and, more generally, may not be ideal in all circumstances. We suggest that organizations consult with legal counsel to evaluate the potential advantages and disadvantages of notifying law enforcement based on their specific circumstances.
  • DDoS Mitigation. Companies should be aware that many DDoS mitigation vendors offer emergency DDoS hotlines or protection services that can be deployed for new customers, even where a company has not proactively secured such services. Engaging a DDoS mitigation service provider after an attack has started can help to reduce the length and severity of an attack, allowing a company to get its affected servers and websites back up and running more quickly.

After an Attack

  • External Communications. When and how an organization communicates about a DDoS attack may impact its exposure and liability following an incident. These communications may include: (i) general communications about the incident with media, investors, customers, or regulators; and (ii) formal notifications ranging from those necessitated by legal or regulatory requirements to formal contractual notices necessary to exercise force majeure or emergency circumstances.
  • Further Investigation. Following an organization’s remediation and restoration efforts, it is often necessary to conduct a further investigation into the circumstances surrounding the attack and to determine whether and to what extent any legal obligations have been triggered. Depending on the organization’s capabilities and resources, it may be possible to leverage any incident detection measures the organization has to identify indicators of compromise and confirm that the malicious activities were limited to the DDoS attack. In some circumstances, retaining independent forensic investigators may be necessary to conduct a thorough investigation into whether any unauthorized access or acquisition to customer information or confidential business information occurred prior to or during the attack.
  • Preparing for Potential Litigation or Claims. As mentioned previously, DDoS attacks could result in litigation or regulatory scrutiny for a variety of reasons. Examples of potential actions stemming from such an attack include:
    • An action brought by financial services customers alleging consequential damages and lost profits based on an inability to access financial accounts or buy and sell stock during an attack;
    • Claims against service providers for failing to provide contractually-guaranteed service levels;
    • Claims based on allegations of the theft of customer information, trade secrets, intellectual property, or other confidential or protected information
    • Claims alleging negligence or fraud based on a company’s failure to adequately protect against a DDoS attack or appropriately limit liability in its agreements with customers.

Anticipating and preparing for this type of potential exposure can better position the organization for defending against these claims. Relatedly, organizations are required to preserve potentially relevant information and documents once they reasonably anticipate litigation. To that end, organizations should consult with legal counsel to determine when it is appropriate to put litigation holds in place to ensure that they avoid potential spoliation issues and sanctions. Organizations in this position must also consider whether and how an assertion of privilege protections under the work-product doctrine may affect its preservation obligations. If a company asserts that materials have been prepared by and with legal counsel “in anticipation of litigation” and are therefore protected, it should consider whether this assertion also triggers an obligation to preserve evidence at that time.