Nine Best Defenses Against Cyberhacktivist Attacks

The recent round of massive distributed denial of service attacks that have hit Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bancorp, Capital One, SunTrust, Regions Financial and more recently HSBC and Ally Financial are unusually hard, but not impossible, to thwart.

One challenge is that the attacks are not coming from known malicious sources. Therefore the traditional line of defense — keeping a blacklist of cybercriminals, chains and groups that can be prevented from accessing a web server — doesn't work.

Attackers can also spoof IP addresses, so the identity of the incoming user is easily muddled. "These reports are coming out of Iran, but there are plenty of countries, people and competitors that want to diminish the effectiveness of websites for banks and companies everywhere," says Marty Meyer, CEO of Corero Network Security in Hudson, Mass. "To me, this is a cyberwar and people have to be prepared to protect themselves against it."

In a distributed denial of service attack, a web server is flooded with so many requests from multiple sources that it struggles to keep up and therefore its performance is slowed and sometimes stopped altogether. This does not necessarily lead to theft or even access to any sensitive information, but it is extremely inconvenient for banks and their online banking customers. "All the banks now are scrambling to figure out what to do," observes Meyer. "I think these hacktivists want to create some sort of doubt in the American consumer in the financial institutions, and create instability that way."

But this is a cyber war that can be won, he and others say. "It requires a layered approach, but it's totally preventable," Meyer says. "A lot of the articles out there have people throwing up their hands saying 'What can we do?' which is really scary if you're a consumer and your money's in the bank. There are really good technologies out there." Here are some examples of solutions to help banks before, during and after a DDOS attack.

1. Receive early warnings. "Cyberhacktivists that do denial of service attacks often will advertise what they're going to do," notes Jon Ramsey, chief technology officer at Dell SecureWorks. For example, in the recent round of DDOS attacks against large U.S. banks, the Cyber Fighters of Izz ad-din Al Qassam have periodically announced their intentions beforehand on Pastebin. "If you know where to look, you can get some indication and warning," he says. "In some cases you can even get the attack pool they're going to use so that you can be prepared, muster the troops and get everybody ready. Depending on the kind of DDOS attack, you need to have a game plan around how do I best mitigate it? Do I use content distribution networks? Do I use an anti-DDOS cleaning service? Do I degrade the capability of my website so it doesn't do much damage if it's a DOS attack? There's a lot of things you can do to prepare."

FS-ISAC is acting as a clearinghouse for security threat information for financial institutions. Banks send the organization information about security incidents and the group anonymizes that information and sends it back out in the form of reports and alerts to all its members.

Many companies offer security intelligence services that similarly alert banks to potential security threats. Dell SecureWorks has a counter-threat unit made up of white-hat hackers that delivers a quarterly trend analysis report and an hourly XML feed that can be ingested by a company's security controls. Verizon Business and Wolters Kluwer are among other companies that offer security and threat investigation services to banks.

2. Analyze network activity to detect malicious behavior on the fly. Corero's network device sits in front of a firewall, monitors the behavior of every incoming IP address, and compares it against thresholds set by the client company to distinguish good from bad and of course, block the bad. For instance, an incoming IP address might make a request for pages that don't exist on the server. The software would block that IP address from making further requests until it began behaving normally again.
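The behavioral rule described above, a source that keeps requesting pages that don't exist gets blocked until it behaves normally again, as an added example written for this article; it is not Corero's product or code, and the log format, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

class NotFoundBlocker:
    """Block a source that asks for too many non-existent pages inside a
    sliding window; lift the block once its recent 404s have aged out."""

    def __init__(self, max_404=5, window=60):
        self.max_404 = max_404            # 404s tolerated per source per window
        self.window = window              # window length in seconds
        self.recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
        self.blocked = set()

    def _prune(self, ip, now):
        q = self.recent[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        """Decision for a request arriving at `now`, before it reaches the server."""
        if ip not in self.blocked:
            return False
        self._prune(ip, now)
        if self.recent[ip]:
            return True               # 404s still inside the window: keep blocking
        self.blocked.discard(ip)      # quiet for a full window: treat as normal again
        return False

    def observe(self, ip, now, status):
        """Record one request the server actually answered."""
        if status != 404:
            return
        self._prune(ip, now)
        self.recent[ip].append(now)
        if len(self.recent[ip]) > self.max_404:
            self.blocked.add(ip)

def replay(lines, blocker):
    """Run constructed log lines 'ip epoch status path' through the blocker;
    return (ip, epoch, path, decision) per request, in time order."""
    out = []
    for line in lines:
        ip, ts, status, path = line.split()
        ts, status = int(ts), int(status)
        if blocker.is_blocked(ip, ts):
            out.append((ip, ts, path, "dropped"))
            continue
        blocker.observe(ip, ts, status)   # only served requests update the counters
        out.append((ip, ts, path, "served"))
    return sorted(out, key=lambda r: r[1])

# Constructed sample: 203.0.113.7 probes pages that do not exist; 198.51.100.4 is a customer.
SAMPLE_LOG = (["203.0.113.7 %d 404 /missing-%d.html" % (100 + i, i) for i in range(7)]
              + ["203.0.113.7 120 404 /admin", "203.0.113.7 166 200 /"]
              + ["198.51.100.4 101 200 /login", "198.51.100.4 103 404 /favicon.ico",
                 "198.51.100.4 107 200 /accounts"])

def run_sample():
    return replay(SAMPLE_LOG, NotFoundBlocker())
```

With the defaults, the probing source is served its first six bad requests, dropped from the seventh onward, and allowed again once a full window has passed with no further 404s, while the customer's single stray 404 never trips the threshold.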

"Firewalls aren't really designed to do that, they don't really protect the servers from a variety of DDOS attacks that are out there, known as application layer attacks, which are very sophisticated attacks that look like normal customer traffic," Meyer says.

Prolexic, a DDOS mitigation company, has its staff monitor network traffic flow through internet-edge routers to detect bandwidth-related anomalies in their clients' networks. It notifies companies of malicious denial of service/DDoS traffic and provides a protection action plan.

3. Work with your telco provider. "It's very important in the DDOS arena to establish good relationships with your internet service providers and work with them so that when an incident occurs, you know who to call and what they need to know to take action," Ramsey says. A denial of service attack affects the internet service provider as well; if not addressed it could affect the provider's other customers. The provider might be able to help distribute the traffic load or move service to a different IP address. The ISP can also implement controls such as scrubbing, rate limiting, and source blocking.


4. Consider using a content distribution network. This is a cloud-hosted service that distributes web content, reducing the likelihood that any one server will be bogged down by a DDOS attack. "If you can move the bull's eye to someone else, that's a mitigation strategy," Ramsey says. "For most DDOS attacks, the attackers themselves are using cloud. They're creating clouds by using these large bot nets and sending commands to sets of compromised servers and using them to launch the attack."

5. Stage fake attacks. Former hacker Alex Horan, who is now product manager at Core Security, will examine a company's network or environment through the eyes of a hacker and discover points where defenses are weak. "Our goal is to think like the attacker, and follow the steps that person would take, which is quite different from how defenders think," he says. "Defenders think more about blanket defense, whereas attackers are looking for that one way in. The defenders have to be right 100% of the time, the hacker can be right once and get in."

6. Build DDOS defense into your risk management strategy. "If you're a bank interested in doing business on the web, which is most banks these days, it's important to plan for situations like this and expect them to happen and form your contingency plans accordingly," says Joram Borenstein, senior director of product marketing at Nice Actimize. A contingency plan could outline how the bank would communicate via its call centers and social media when a DDOS attack occurs.

7. Look for fraud and other attacks during the DDOS. It's a mistake to let the DDOS attack consume all IT and security resources. "The primary thing is not to let yourself believe this is only a DDOS attack," Horan says. "Even though it could very well be a DDOS attack, security people are paid to be paranoid and you have to be extra vigilant. Look for alerts inside the DDOS attack or look at some of your lesser, tertiary level sites and see if someone's trying to do something malicious to those."


8. Work with law enforcement to help track down and turn off the attack. The FBI investigates such cases and could use detailed information to help defend against future attacks. In an advisory sent out October 19, BITS, the Financial Services Roundtable's security arm, advised banks to inform their primary regulator of attacks and to seek assistance from the US Treasury Department and other agencies if attacked or threatened with attack. The BITS advisory also provides a long list of messages to provide to consumers in the event of an attack, for instance, "The slowdowns do NOT involve a data breach or hacking."

9. Conduct a post-mortem. After an incident, it's useful to review what happened and learn from it, Ramsey says. "When we do incident response, we record the actions we took and decisions we made so we can review them to determine how we can get better," he says.

U.S. banks have been struggling to ward off a flurry of distributed denial of service attacks over the last few weeks. Here are ways in which the cyberwar can be won.

Comments (1)
The Department of Defense recently did a vendor bake-off to determine the best solution for network monitoring and network security including 42 key capabilities (including ability to thwart DDOS attacks) and Promia, a Navy vendor out of San Francisco, was determined to be the clear winner because they were the only vendor capable of doing everything on their list of requirements. I think the larger banks ought to take a look, the sooner the better....
Posted by Stephen Lange Ranzini | Tuesday, October 23 2012 at 1:06AM ET