A spate of recent DDoS attacks forced banks to change their threat response – and that's a good thing, reports Teri Robinson.
When the first wave of distributed denial-of-service (DDoS) attacks hit several, large financial institutions in the fall of 2012, a scramble ensued to get websites back up and quell the fears of understandably rattled customers. By the time the third and final wave rolled through in early 2013, banks had learned how to shut down attacks quickly and had taken significant steps to restore the public's faith.
While the concentration of incursions left in their wake a heightened awareness, the series also ushered in major changes to the way banks handle such incidents, marked by an unprecedented level of communication among banks, their executives, government agencies and customers.
Although bigger banks have learned to mitigate the impact of DDoS attacks, and indeed the large-scale campaigns have tapered off, experts say the financial industry, particularly smaller banks, are still at risk. There's little doubt that DDoS attacks on the rise – a Digital Attack Map, developed by Google and threat-monitoring company Arbor Networks, shows that the U.S. is one of two countries to get hit every day for a five-month period in 2013 – and these strikes and the threat of further attack, pose a significant threat.
“Knocking over” banks is nothing new. Frank and Jesse James, Butch and Sundance, Bonnie and Clyde, Willie Sutton all have relentlessly – and often successfully – tried to breach whatever passed as the top-of-the-line bank security of the day. But those outlaws were lured by money buried deep in the bank vault. The large-scale DDoS campaigns of 2012 and 2013, by and large, were driven by ideology, with no other goal but to shake things up and grab headlines. And, that they did, with the first attacks – breathtaking in their scope and impact – coming on the eve of the 2012 presidential election to maximize their PR value.
The nature of the attacks originally led security experts to believe that the campaigns were the work of forces within the Iranian government – a charge that officials there have denied. “The big difference in 2013 is nation-states started using [DDoS attacks] as tools for retribution for the U.S.,” says Avivah Litan, a distinguished analyst at Gartner.
Though these assaults didn't result in theft of money, there were copy cats and other criminals who took advantage of the attacks to breach accounts and steal funds, she adds. The super-sized campaigns, which commandeered servers to compromise bank websites instead of individual laptops and PCs as previous attacks had done, pointed to the burgeoning skills of actors inside Iran with planning and instigating internet campaigns.
For example, the hacktivist group Iz ad-Din al-Qassam Cyber Fighters claimed credit for the attacks, dubbed Operation Ababil (after a story in the Quran about Mohammad dispatching swallows to defeat elephants and defend Mecca). The campaign was reportedly waged to issue a biting indictment of “unfavorable” U.S. policies and in protest of a YouTube video that Muslims found offensive.
The first campaign was launched against 10 of the biggest names in banking – HSBC Holdings, Citibank, Capital One, JPMorgan Chase, U.S. Bancorp, SunTrust Banks, Bank of America, PNC, Wells Fargo and Regions Bank. Initially, the financial institutions were caught offguard and slow to react as large volumes of unwanted traffic flooded their networks, blocking customers from their accounts and otherwise disrupting business.
But, if there were any doubts that banks were under siege, Iz ad-Din al-Qassam dispelled them by issuing a series of warnings on Pastebin leading up to a second DDoS campaign. However, this time, as banking giants JPMorgan Chase, Wells Fargo, U.S. Bancorp, PNC, SunTrust Banks and Citibank saw unwelcomed traffic pour into their networks, they were prepared for the onslaught. Though they couldn't prevent the attacks, even with pointed warnings, they quickly shut them down with minimal disruption.
“Banks became more proficient in stopping DDoS or mitigating the effect,” says Al Pascual, an analyst at Javelin Strategy & Research.
A new strategy
That the financial institutions were able to minimize the impact of the third wave speaks to the aggressive – and in some cases, unprecedented – tactics taken in the wake of the first attacks and which quickly evolved traditional bank strategy for dealing with cyber incidents.
Not surprisingly, as a first line of defense, banks took advantage of the tremendous amount of bandwidth at their disposal and simply over-provisioned. Just as adding eight additional lanes to a busy six-lane interstate highway would relieve traffic congestion, the extra bandwidth let normal banking activity proceed – even as large volumes of junk traffic passed through their networks.
“They have a decent amount of bandwidth,” says Pascual. “And over provisioning is tried and true.” Rerouting traffic to alternative sites also helped balance the load and smooth traffic flow.
The financial institutions also turned to anomaly detection, identifying attributes that characterized an impending attack, and conducted regular scans of their systems to uncover zero-day exploits. Larger banks, too, could afford the luxury of expensive appliances that analyze traffic and separate the good from the bad, with bad traffic routed off of the website.
But the real progress against the hacktivists came after financial institutions broke with established protocol and opened the communication lines in all directions.
In the past, financial institutions had remained almost pathologically tight-lipped when targeted by cyber criminals. To preserve their reputations and, in part, to prevent customer panic, they had quietly mitigated network problems. But, caught in waves of such sweeping and public attacks that slipped by their defenses, these organizations had virtually no choice but to exchange information with other financial institutions, flagging servers and IP addresses that might indicate the beginnings of additional attacks.
“At first, they weren't talking and they got hit hard,” says Pascual. “When they talked they could stop the attacks. They were all in the same boat – [being attacked] by the same people.”
The dialog among banks quickly moved up the food chain to the executive suite, where CEOs and other top management uncharacteristically shared information with their counterparts at other financial institutions and became an integral part of taking the bite out of future DDoS strikes. “It became a CEO-level issue in large financial institutions,” says John Carlson, executive vice president of BITS, the technology division of the Financial Services Roundtable. Javelin's Pascual agrees, noting that banks had always communicated about fraud, but at lower levels of the organization, like the IT and security departments.
Indeed, says Ashley Stephenson, CEO at Corero Network Security, CEOs often, like everyone else, “found out about attacks on the news.”
In the aftermath of the 2012 attacks, CEOs sat up and took notice and met regularly with other industry groups, like the American Bankers Association (ABA) and Financial Services Information Sharing and Analysis Center (FS-ISAC). The Financial Services Roundtable, which represents 100 of the largest financial institutions, brought bank leaders together to discuss the attacks and hash out solutions.
Executive involvement helped drive awareness down throughout the organizations and sparked a concerted campaign to educate employees. By schooling workers, banks increased the likelihood that they would not only recognize potential threats but would understand the protocols they should follow – from reporting suspicious activity to activating security measures – before a threat spun into an outright attack.
This well-informed constituency and united front were instrumental in the banks eventually and effectively managing the DDoS threat.
Likewise, banks openly and freely exchanged information and worked closely with regulators, ISPs and government agencies – such as the Treasury Department, DHS, the FBI and the Secret Service – to identify solutions and to hash out guidelines for mitigating the impact of attacks and thwarting future campaigns. The attacks were “a catalyst for the industry and government to step up and focus on cyber security,” says BITS's Carlson. Both industry and government took steps to raise awareness among financial institutions to the ongoing threat of DDoS. The Financial Services Information Sharing and Analysis Center (FS-ISAC) bumped the U.S. banking industry's cyber threat level from “elevated” to “high.” And the Office of the Comptroller of the Currency issued an alert to banks, providing some details on the attacks as well as guidelines for mitigating risk.
The close collaboration between banks and government even drew kudos from the likes of U.S. Secretary of Homeland Security Janet Napolitano. But probably the most marked change came in the way that banks dealt with their customers. The high-profile attacks set off a mini-panic among account-holders who were convinced that their accounts and private information were in jeopardy. Banks subsequently spent considerable time reaching across the lobby to explain to customers the difference between a DDoS and a breach.
“You have to communicate with customers what a [DDoS] is and what it is not, and it is not a data breach,” says Carlson. “It's like flooding a highway with traffic to bring things to a halt,” not blowing a bridge that the cars are trying to get across.
Financial institutions have a vested in interest in keeping accounts visible to account-holders. Customers play a critical role in bank security – no one more diligently monitors bank accounts than the account-holders themselves. “Half of fraud is detected by customers,” says Pascual. When spam and other unwanted traffic obscures normal banking activities, customers simply aren't able to engage in that critical monitoring. Instead of scaring off customers, the admission that banks had been under attack – and the subsequent campaign to educate account-holders – paid off and their fears never bubbled over into full-scale panic.
It helped, too, that the attacks dwindled and large banks seemingly moved out of the crosshairs of the ideologues who launched the DDoS strikes. If the point was to dazzle and draw attention to their cause, then Pascual and Carlson don't anticipate an escalation in DDoS because the industry is now more adept at spurning attacks and they're not as likely to draw headlines.
While the heat may be off banking giants for the time being, security gurus don't expect DDoS threats to disappear, but rather to shift in nature. Arbor Networks reported that while the duration of attacks was down in the first half of 2013 – with 86 percent lasting less than an hour – both the size and the frequency of attacks increased. DDoS strikes over 10 Mbps now account for 41.6 percent of the activity, and the number of attacks over 20 Mbps doubled in the first six months of 2013, compared to all of 2012. The financial industry will always be a lucrative target, but experts expect cyber criminals to shift their focus to smaller banks and credit unions, which don't have the budgets and resources to fend them off quite so deftly. “Smaller banks are in more trouble,” says Gartner's Litan. “They rely more on services.”
The goal of DDoS strikes also are likely to shift. While the campaigns of 2012 and 2013 were driven by ideology, many experts predict cyber criminals will revert back to a more traditional goal: stealing money.
As a 2012 Christmas Eve attack against San Francisco's Bank of the West demonstrated, DDoS attacks are effective smokescreens for tapping and draining accounts. In that case, cyber criminals walked away with more than $900,000. And unlike bank robbers of old, they didn't have to risk life and limb or shoot their way out of a bank lobby.