Internet gambling and online crime go hand in hand: Internet gambling attracts a large number of online criminals who are hungry for easy money. Since March 2018 I have been the IT security manager at The Marble Online Casino. In that time we have faced many different online threats to the casino, but none like the latest one. Last Monday we received a cyber extortion email from an online criminal group threatening to take the casino offline with a Distributed Denial of Service (DDoS) attack unless the casino paid a ransom of 5 BTC. When this happened, we alerted the casino's IT security team so that they were prepared for a possible imminent DDoS attack, and then took no further action. At the time, the casino did not have an existing system for preventing this type of attack. Four days later, on the Friday evening, the DDoS attack was launched against the casino's online resources and for 30 minutes the casino website was forced offline. As a result, casino users could not play for 30 minutes, as the casino was unavailable to them.

Analysis and Investigation

The following Monday we met as a cybersecurity team and performed an analysis of the attack. After extensive investigation, we linked the attack to the same criminal group that had sent the extortion email. Threat actors spend large amounts of time compromising an environment for malicious purposes. We found that the traffic was coming from both Australian and overseas IP addresses. The analysis also showed that it was a volume-based attack that included UDP flooding, ICMP flooding and other spoofed-packet flooding.
The UDP flood sent User Datagram Protocol (UDP) packets to random ports on the casino website, forcing the host to check repeatedly for an application listening on each port. Since no application was found, this endless loop of requests took over the resources of the casino website, consequently making it inaccessible to users. The ICMP flood overwhelmed the casino's online resources with ping packets without waiting for a response, consuming the online casino's bandwidth and resulting in slowdowns. Volume-based attacks like this saturate the bandwidth of the targeted resource, in this case the casino's resources. We have since received yet another email threatening a much longer attack unless a ransom of 10 BTC is paid to the criminal group.

Brief Risk Assessment

High-risk profile: having a large online presence and being a well-known and established brand, The Marble Casino was most likely high on the criminals' target list. In this case, the criminals were clearly motivated by financial gain, as they demanded a large ransom.

High-risk industry: in online gambling, even minimal downtime interrupts the service and the user experience. Marble Casino must be online and running 24/7, which creates a single point of failure that criminal groups can attack. Casino users depend on consistent and reliable access to the casino's web pages.

Potential business impact includes:

Ruined Reputation

A DDoS attack could reduce customer trust in the casino's services and online security, resulting in overall reputational damage. A study organized by Corero established that deteriorating customer trust is the most damaging consequence of DDoS attacks for online businesses today, ranking it at 42%.

Service Disruption

Volume-based attacks disrupt an online service, leaving users unable to access it. DDoS attacks could take over the casino's online resources, leaving none for its intended users.
Cybercriminals can use such attacks to disrupt an online business such as The Marble Casino by flooding its domain with illegitimate traffic.

Financial Losses

A DDoS attack can make online businesses sweat. A casino could lose a significant amount of revenue when its online services are interrupted, even for a short period of time. Furthermore, a deterioration in customer trust in the casino due to the attack could push customers to play at the casino's competitors. In this way the casino's market share is reduced and its profits consequently decrease.

Steps for the Threatened DDoS Attack

Containment

Make changes to the casino network to contain the attack. Possible network modifications include:
- Distribute the attack traffic
- Move to alternate sites or networks using DNS (Domain Name System)
- Reroute traffic targeting casino services
- Use caching/proxying
- Terminate unwanted processes and connections to the casino's servers and routers
- Allow other communication channels (e.g. VPN)
- Control packet delivery based on session and user details

Eradication

To eliminate future DDoS attacks on the casino:
- Implement bandwidth blocking and prioritization, such as denying connections to the site based on geographic information, IP and traffic signatures
- Implement traffic scrubbing on the casino's online resources with high-performance hardware capable of running scrubbing algorithms
- Place limits on the amount of traffic, the priority of individual packet types, and the minimum and maximum burst size, redirecting traffic that exceeds them (spoofed traffic in this case) from the intended destination to a server of choice so as to reduce unwanted requests to the casino's web services

Recovery

Check normal status:
- Ensure that affected online services can be operational again and that infrastructure performance has returned to baseline
- Verify that traffic is normal, without sudden increases. Allow some time to pass after the last attack before traffic flow is considered normal again
- Ensure there is no collateral damage, manage any damage and plan for the future

Rollback:
- Start all suspended services and applications
- Initiate any mitigation measures and announce the end of the incident to relevant stakeholders
- Restore the original network, with all relevant changes in place

Lessons Learned

The main lesson we can take from this unfortunate incident is the vital importance of having DDoS protection hardware installed at the Internet edge, something IBM and ABS thought they didn't need. This type of protection is the only way to protect an organization's entire security infrastructure in the event of an attack. If our customers had suffered an attack like this, they probably wouldn't have even noticed the attack taking place, and it certainly wouldn't have compromised them from a security perspective. Since DDoS attacks target a full spectrum of security risks, it's important to defend your entire security infrastructure and data from potential threats.

Be ready to respond. A proactive and robust cybersecurity strategy, clearly communicated throughout your organization, is your company's best defense against cyber attacks. Designing and implementing an incident response plan is a critical component of an effective cybersecurity program. One of the reasons Dyn was able to mitigate the attack quickly is that it had a response plan ready. The hackers involved in this incident designed and implemented a unique attack approach, and Dyn was still able to stabilize the breach before it destroyed the company. Your company's cybersecurity strategy must incorporate the ever-changing nature of cyber threats. Focusing too much on specific incidents could hinder your company's ability to respond. CFOs must ensure their companies are prepared to respond to new attack methods by running "what-if" scenarios and testing response capabilities.
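The two flood shapes found in the analysis (UDP sprayed over random ports, ICMP ping flood) and the Recovery check that traffic has settled back to baseline, as an added Python example that is not part of the original report. The per-second flow records, the thresholds (10x baseline, 200 distinct ports, 2x recovery tolerance) and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed per-second flow records (second, protocol, dst_port, packets): invented values,
# not casino telemetry. Seconds 0-2 are quiet, 3-5 carry a UDP flood sprayed over random
# ports plus an ICMP echo flood, 6 is the tail of the attack, 7-9 are quiet again.
FLOWS = (
    [(s, "tcp", 443, 900) for s in range(10)]
    + [(s, "udp", 53, 40) for s in range(10)]
    + [(s, "icmp", None, 5) for s in range(10)]
    + [(s, "udp", 1024 + (i * 7919) % 60000, 30) for s in (3, 4, 5) for i in range(400)]
    + [(s, "icmp", None, 25000) for s in (3, 4, 5)]
    + [(6, "udp", 2000 + i, 20) for i in range(20)]
)

def per_second(flows):
    """Aggregate to {second: {protocol: (packets, distinct destination ports)}}."""
    pkts = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(lambda: defaultdict(set))
    for sec, proto, dport, n in flows:
        pkts[sec][proto] += n
        if dport is not None:
            ports[sec][proto].add(dport)
    return {s: {p: (n, len(ports[s][p])) for p, n in ps.items()} for s, ps in pkts.items()}

def baseline(stats, quiet):
    """Mean packets/s per protocol over a known-quiet window (the pre-attack baseline)."""
    protos = {p for s in quiet for p in stats.get(s, {})}
    return {p: sum(stats.get(s, {}).get(p, (0, 0))[0] for s in quiet) / len(quiet) for p in protos}

def detect_floods(stats, base, factor=10, min_ports=200):
    """Flag seconds where a protocol exceeds factor x baseline: ICMP on rate alone (ping
    flood); UDP only when sprayed over >= min_ports ports, the random-port pattern that
    makes the host look up a listener for every packet. Returns (second, proto, reason)."""
    alerts = []
    for sec in sorted(stats):
        for proto, (n, nports) in stats[sec].items():
            flood_shape = proto == "icmp" or (proto == "udp" and nports >= min_ports)
            if flood_shape and n > factor * base.get(proto, 0):
                alerts.append((sec, proto, f"{n} pps over {nports} dst ports"))
    return alerts

def back_to_baseline(stats, base, seconds, tolerance=2.0):
    """Recovery check: each protocol stays within tolerance x baseline over `seconds`
    and the total never jumps by more than tolerance x from one second to the next."""
    calm = all(n <= tolerance * base.get(p, 0)
               for s in seconds for p, (n, _) in stats.get(s, {}).items())
    totals = [sum(n for n, _ in stats.get(s, {}).values()) for s in seconds]
    return calm and all(b <= tolerance * a for a, b in zip(totals, totals[1:]))
```

Running the recovery check over seconds 6-9 still fails because of the attack's tail, while 7-9 passes, which is the "allow some time to pass" point from the Recovery step.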
Your company may not always be fully prepared for designed attacks, but by testing your controls you can reduce recovery times and costs. On the other hand, it's important not to overcomplicate your response plan. Including recovery steps for all possible scenarios will result in a complex document that will not allow employees to act quickly. Your plan should instead focus on specific recovery scenarios for critical business data, functions and supply chain. Focus on creating an incident response program that works in multiple scenarios, taking into account people, places, procedures and communications.

Invest in people, not just technology. Dyn clearly had a team of experienced professionals at its disposal to resolve an attack that could have destroyed its business. Every business, large or small, can take a similar approach to combat cybercriminals. CFOs are spending millions of dollars on software and technology to protect their companies from cybercrime and should invest more money in training their staff. According to Verizon's 2016 Data Breach Investigations Report, human error is the leading cause of cybercrime. Training employees on the dangers of cyber attacks shouldn't be limited to simply sending around a list of dos and don'ts. Be more creative. Consider using gamification in training exercises to present real-life scenarios to employees. One way to achieve this is to pretend that hackers are trying to obtain proprietary information from your employees. If your office doesn't respond appropriately, the experience could prove to be a great lesson for everyone. For example, if you don't want your employees to click on suspicious links in emails, train them to forward suspicious links to the security team. Then send test emails to see what they do. When a user responds correctly, they are rewarded by being entered into a drawing for a $100 gift card; the winner is drawn quarterly.
Plan Engagement

How to implement the playbook so that stakeholders are aware of and engaged in the recommended steps:

Be clear about the purpose of stakeholder engagement. The purpose will underpin the entire approach, influencing who will be involved, how they will be involved and what to commit to.

Involve the right people. To identify the right stakeholders, it should be clear why you need to involve them and what the purpose of the engagement will be. Who needs.