HHS outlines DDoS attack prevention, response tactics for healthcare
Threat actors use DDoS attacks to flood a target network with traffic, making it difficult for defenders to detect and contain the threat.
The HHS Health Sector Cybersecurity Coordination Center (HC3) released an analyst note regarding distributed denial-of-service (DDoS) attacks, reminding the healthcare sector of best practices for defending against these threats.
DDoS attacks involve an attacker using a botnet to send a high volume of traffic or requests to a network or system, often rendering network resources unusable amid the attack. While denial-of-service (DoS) attacks originate from a single system, DDoS attacks originate from multiple sources, making them difficult to detect and eradicate.
“DDoS attacks have continually grown in size and sophistication, but 2023 accelerated this trend at an unforeseen pace,” HC3 explained.
“Last year alone, cybercriminal groups, geopolitically motivated hacktivists, and malicious actors utilized the relatively inexpensive cost of launching DDoS attacks, the scale of massive botnets built from everyday digital and Internet of Things (IoT) devices, and protocol-level zero-day vulnerabilities to launch record-breaking attacks on businesses, government institutions, and, most disturbingly, on critical but vulnerable public infrastructure, including hospitals.”
HC3 emphasized that DDoS attacks against healthcare organizations can result in detrimental impacts on a provider’s ability to provide care, as well as financial downturns and operational challenges.
Threat actors who use DDoS attacks do not need an advanced skill set to launch this attack type; even as the attack method grows more complex, it is becoming easier and cheaper to carry out, HC3 explained.
Although any type of threat actor could launch a DDoS attack, researchers have observed notable shifts in DDoS trends recently as hacktivist groups and politically motivated threat actors increasingly leverage these attacks.
DDoS attackers may have financial, ideological, state-sponsored, or extortion motives for launching DDoS attacks. As variable as the threat actor profile can be, there are also varying methods of launching a DDoS attack. Some DDoS attacks last only seconds or minutes, while others may last hours or days.
HC3 also noted that these attacks can be classified by which layer of the Open Systems Interconnection (OSI) model they target. DDoS attacks are most common at the network, transport, presentation, and application layers.
HC3’s analyst note provided detailed explanations of each type of DDoS attack and the tools that threat actors use to further their attacks.
When it comes to preventing DDoS attacks, best practices include performing regular security audits, maintaining an incident response plan, monitoring traffic, using a security information and event management (SIEM) solution, and leveraging a DDoS mitigation service.
When prevention fails, organizations should be prepared to respond effectively to a DDoS attack. HC3 stressed that early detection is critical, and organizations should look for common warning signs to identify the attack.
Additionally, organizations should implement a transparent filtering process that drops unwanted traffic, as well as diversion and redirection techniques that divert traffic away from critical resources.
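As an added illustration of the early-detection step described above (example code written for this article, not part of HC3's analyst note), the sketch below counts requests per source over a sliding window of web-server log lines, raises an alert when volume exceeds a baseline, and reports whether the surge is concentrated in one source or spread across many, which is the single-source versus distributed distinction the note draws. The log format, thresholds, and IP addresses are constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
import re

# Assumed log format: "<ip> [<ISO-8601 timestamp>] <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] \S+ \S+ \d{3}$")

def parse_line(line):
    """Return (ip, timestamp) or None for a line that does not match."""
    m = LOG_RE.match(line)
    return (m.group("ip"), datetime.fromisoformat(m.group("ts"))) if m else None

def detect_floods(lines, window=timedelta(seconds=10), baseline_rps=5.0):
    """Emit one alert per surge: (time, requests_in_window, distinct_sources, kind),
    where kind is 'single-source' if one IP sent half or more of the window's requests."""
    events, alerts, above = deque(), [], False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts = parsed
        events.append((ts, ip))
        while ts - events[0][0] > window:  # slide the window forward
            events.popleft()
        total = len(events)
        exceeded = total / window.total_seconds() > baseline_rps
        if exceeded and not above:  # alert on the rising edge only
            per_source = Counter(src for _, src in events)
            top_count = per_source.most_common(1)[0][1]
            kind = "single-source" if top_count / total >= 0.5 else "distributed"
            alerts.append((ts, total, len(per_source), kind))
        above = exceeded
    return alerts

def build_sample(attacker_ips, burst=80):
    """Constructed log: light normal traffic for 10 s, then a 2 s burst."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    normal = ["198.51.100.10", "198.51.100.11"]
    lines = [f"{normal[i % 2]} [{(t0 + timedelta(seconds=2 * i)).isoformat()}] GET /portal 200"
             for i in range(5)]
    for i in range(burst):
        ts = (t0 + timedelta(seconds=10, milliseconds=25 * i)).isoformat()
        lines.append(f"{attacker_ips[i % len(attacker_ips)]} [{ts}] GET /portal 503")
    return lines

if __name__ == "__main__":
    botnet = [f"203.0.113.{i}" for i in range(1, 9)]  # constructed, documentation range
    for name, ips in (("botnet", botnet), ("single host", botnet[:1])):
        print(name, detect_floods(build_sample(ips)))
```

The per-source counts gathered at alert time are the input a filtering step would use to decide which traffic to drop or divert.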
“Understanding where the DDoS attack originated is important,” HC3 added. “This knowledge can help you develop protocols to proactively protect against future attacks. While it may be tempting to try and kill off the botnet, it can create logistical problems and may result in legal ramifications. Generally, it is not recommended.”
While DDoS attacks have been a known threat in the cyber landscape for a while, the increase in hacktivist group activity and the general willingness to target critical infrastructure make this attack method more relevant to healthcare today.