You are the CISO of a multinational trading company. Your company implements a large scale web site selling products to global consumers. A network intrusion detection system (IDS) is implemented to detect abnormal traffic and potential attacks. Your incident response (IR) team receives a report from users that the web site is not available and shows HTTP error 404. An IR team member suspects that it’s a distributed denial of service (DDOS) attack, but the IDS didn’t trigger any alert. What action should the IR team take FIRST?
A. Document the incident in the incident management system.
B. Inform and ask the contracted internet service provider to mitigate the DDOS traffic.
C. Analyze the incident report from the end user and notify the senior management.
D. Ask for more details from the end user to realize the real situation.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Ask for more details from the end user to realize the real situation.
I would ask for more information about web server’s status to confirm if it’s a DoS attack or not. Generally, IDS technologies cannot always detect DoS attacks.
I would ask for more information about web server’s status and incoming WAN traffic (Internet) statistics to confirm if it’s a DoS attack or not. Generally, IDS technologies don’t always detect DoS attacks.
Sorry to find your comments so late.
A DoS attack is an umbrella term and hinders availability.
Implementation issues are complicated and vary case by case.
I don’t dive into the implementation details, but generally, you have to define the problem, analyze it, and work out the solution.
The following posts may be helpful:
1. https://en.wikipedia.org/wiki/Denial-of-service_attack
2. https://www.sans.org/reading-room/whitepapers/firewalls/paper/818
3. https://www.scirp.org/Journal/PaperInformation.aspx?PaperID=86682
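To make the "define the problem, analyze it" step concrete, here is an added example (not part of the original post or the comments) of a triage function that combines the end-user report, an outside HTTP probe and inbound WAN statistics, as the comment above suggests, into a first assessment. The data types, thresholds and verdict strings are all assumptions constructed for the example; the one fact it leans on is that an HTTP 404 is a complete response produced by the application, which is evidence the server is reachable and serving.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed types for the triage step; nothing here comes from the original post.
@dataclass
class Probe:
    """HTTP probe of the site from outside the corporate network."""
    status: Optional[int]        # HTTP status code, or None when nothing answered
    latency_ms: Optional[float]  # round-trip time, set whenever status is set

@dataclass
class WanStats:
    """Current inbound WAN sample against a rolling baseline (constructed numbers)."""
    inbound_mbps: float
    baseline_mbps: float
    inbound_pps: float
    baseline_pps: float

NO_DOS_INDICATORS = "no DoS indicators: treat as an application or deployment issue, keep gathering details"
VOLUMETRIC_OUTAGE = "unreachable with inbound traffic far above baseline: likely volumetric DDoS, engage the ISP"
SURGE_BUT_SERVING = "inbound surge but the site still answers: watch closely and check the application layer"
QUIET_OUTAGE = "unreachable without a traffic surge: check DNS, hosting and the application before assuming DoS"

def triage(user_status: Optional[int], probe: Probe, wan: WanStats, surge_ratio: float = 3.0):
    """Return (verdict, findings) from the user report, an outside probe and WAN statistics.
    The IDS is deliberately not an input: a flood that saturates the uplink may never reach a
    sensor behind it, so a silent IDS proves nothing either way."""
    findings = []
    if probe.status is None:
        findings.append("no HTTP response from outside: availability impact confirmed")
    else:
        findings.append(f"server answered HTTP {probe.status} in {probe.latency_ms:.0f} ms: listener is up")
        if probe.status == 404:
            # A 404 is a complete, well-formed response: the application had capacity to produce it.
            findings.append("404 comes from the application, so missing content or a bad deploy is likelier than DoS")
    if user_status is not None and user_status != probe.status:
        findings.append(f"user saw HTTP {user_status} but the probe saw {probe.status}: ask for URL, time and client details")
    surge = (wan.inbound_mbps >= surge_ratio * wan.baseline_mbps
             or wan.inbound_pps >= surge_ratio * wan.baseline_pps)
    findings.append(f"inbound WAN {'exceeds' if surge else 'within'} {surge_ratio:g}x baseline "
                    f"({wan.inbound_mbps:.0f}/{wan.baseline_mbps:.0f} Mbps, {wan.inbound_pps:.0f}/{wan.baseline_pps:.0f} pps)")
    if probe.status is None and surge:
        verdict = VOLUMETRIC_OUTAGE
    elif surge:
        verdict = SURGE_BUT_SERVING
    elif probe.status is None:
        verdict = QUIET_OUTAGE
    else:
        verdict = NO_DOS_INDICATORS
    return verdict, findings
```

For the scenario in the question (users report 404, an outside probe also gets a 404, inbound traffic near baseline) the function returns NO_DOS_INDICATORS together with a finding that asks for more detail from the user, which is what answer D calls for.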
D