News & Commentary

09:56 PM
Rodney Joffe, Neustar
Rodney Joffe, Neustar
Commentary
50%
50%

What Smaller Financial Institutions Can Learn From DDoS Attacks on Big Banks

The experiences of big U.S. banks that were targeted with large denial of service attacks this past year could provide valuable lessons for smaller firms as they seek to minimize risks.

Since last fall, several waves of distributed denial of service (DDoS) attacks have targeted major players in the U.S. banking industry. Eventually, the top-50 institutions found themselves in the crosshairs. Websites crashed, customers couldn't connect to make transactions and banks scrambled to get back online -- and stay there as long as they could. In the months to come, security experts would praise the banks' collective response, from heightened DDoS protection to candid customer communications. While the danger is hardly over, these larger institutions have learned some painful lessons that smaller firms might heed as they seek to minimize risks. This two-part series will discuss just how smaller financial institutions can stay ahead of DDoS attackers

[Five IT Security Predictions for 2013]

DDoS Attackers Are Fast Learners

The attacks on banks are the work of the Cyber Fighters of Izz ad-din Al Qassam, a group claiming to protest an anti-Moslem video, though many observers believe a nation-state, possibly Iran, is responsible. To date, the attackers haven't stolen customer data or siphoned off funds, being content to disrupt operations and get the industry's attention.

In doing this, they've launched some of the largest DDoS attacks ever, up to 150Gbps. Even more sobering, as banks have fortified defenses and sharpened DDoS responses, the attackers too have made adjustments to stay a step ahead. For example, after banks got better at defending their websites and DNS, attackers began to focus their attention on ISPs. Some attacks zeroed in on email servers and VPNs. Another adjustment: Initially, al Qassam made voluminous requests for super-sized files like annual reports, brochures and loan applications. At 4-5 Mbps, these assets devoured outbound bandwidth. When some banks removed the files or switched to a CDN, the attackers started probing other cracks in the wall.

The bad guys have also seen how application-layer attacks drain human as well as computing resources, creating all-hands-on-deck emergencies, some lasting days or weeks. Code-red situations aren't ideal for deploying anything, including DDoS protection hardware and mitigation procedures. The larger banks already had certain defenses in place. Smaller banks and credit unions with little or no protection would be even more hard pressed to keep pace under duress.

Al Qassam Has Provided a Template Your Adversaries Might Use

The very first DDoS attacks occurred in 2001, aimed at e-commerce sites like eBay and Yahoo. The tactics were later refined by the Russian Mafia, other criminal gangs and socio-political protesters, all of whom turned DDoS attacks into a kind of art form. Now Al Qassam has raised the bar again.

DDoS attackers form a nefarious community of learners, taking notes and sharing tips via, what else, the Internet. While a nation-state, for example, may not target local credit unions or regional banks, good old-fashioned cyber thieves do it every day. The scenario that worries security pros: DDoS as a distraction for payroll theft and more, used in tandem with malware like SpyEye, Zeus and Citadel. Again, the al Qassam attackers haven't tried to steal, but their goal is political influence, not financial gain. Criminals hitting businesses that use small to mid-sized banks, however, now have a way to distract their victims for hours on end. Imagine a DDoS attack on a bank in Somewhere, Kansas, timed for 4:45 on a Friday afternoon -- just as payroll funds are whizzing through cyber-space. Sophisticated crooks are hard enough to catch when you're focused. When you can't confirm wire transfers because your bank's gone dark, your chances of being defrauded increase dramatically.

With bigger and more successful attacks than anyone else to date, al Qassam has drawn the blueprints for the ultimate cover-and-delay.

This is the first article of a two-part series on what smaller institutions can learn from DDoS attacks on big banks. Part 2 will cover how smaller banks can properly plan and develop responses through smart technology investments.

Rodney Joffe is Senior Vice President and Senior Technologist of Neustar, Inc. He oversees and guides the technical direction of the company's Neusentry security offering as well as heading the company's cyber-security initiatives.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DDoS Protection
50%
50%
DDoS Protection,
User Rank: Apprentice
7/9/2013 | 2:31:10 PM
re: What Smaller Financial Institutions Can Learn From DDoS Attacks on Big Banks
With the 300 gbps DDoS attack that happened a couple of months ago, banks should be prepared to face another attack like this. If it happens again, damage should be considerably less.

DDoS methods have involved since 2001, but mitigation methods as well.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.