How and Why the Cyber War on Banks Has Escalated

"Banks are worried about getting Stuxnetted," says Rick Holland, senior analyst at Forrester Research. "But most of the attackers, including Iran, probably don't yet have the resources to develop that grade of weapon."

Holland is referring to malware on the order of the now famous Stuxnet [the computer worm the United States and Israel created to attack Iran's nuclear facilities]. It is widely assumed that nation states like China, Russia, and the U.S. have these kinds of cyber weapons.

"Imagine," says a senior cyber risk executive at a major bank, "malware that knows when it is being hunted and takes evasive action — changes file size, file name, and other signature elements. It can move through a network and attach itself to firmware level so that the operating system cannot detect it. When it activates it does major damage to IT infrastructure, and it can delete itself before it is detected."

Such worries were visibly manifest in mid-July, when security blogs briefly buzzed about what some feared might be a new, offensive cyber weapon aimed at banks. Tensions eased after a closer look revealed the KINS malware was a tweaked version of the old ZeuS banking Trojan.

Which isn't to say such well-known malware can't do major damage. Late last year the Saudi company ARAMCO was hit with a piece of commodity malware that wiped the disks of more than thirty thousand machines.

While banks are waiting for the next big thing in cybersecurity attacks, they should expect more of what they've been getting lately, including volumetric distributed denial of service attacks from the same bad actors.

"We have seen an increase in the Al Qassam Cyber Fighters' botnet activity," says Carlos Morales, vice president of global sales engineering and operations at security vendor Arbor Networks, speaking of the hacktivist group that has claimed responsibility for many of the DDoS attacks on banks of the past year. "Their brobot command and control has started building out the botnet and verifying the members. It's like a country preparing for war, the army doing drills, after it has been stagnant for a while."

The group's brobot is estimated at about 4,500 machines. This is not huge when compared with other botnets, but the machines are web servers, many in North America and Europe. So what the brobot lacks in size it makes up for in power and location. You can't fight it by blocking traffic from Latvia or Brazil.

And while these DDoS attacks have become familiar, banks should expect their attackers have learned some lessons.

"A more sophisticated DDoS attack will use a bank's own defense systems," warns Michael Smith, director of the customer security incident response team at Akamai. "Fraud detection, for example, checks for location when you enter your password. This is good, but it burns CPU cycles and could make you more vulnerable to a DDoS attack."

The KINS scare was partly an attempt to drum up business in the increasingly competitive malware black market.

The commercialization of cyber crime is a trend that is likely to continue.

"You can buy DDoS as a service on the open market," says Al Pascual, senior analyst at Javelin Strategy and Research. "You can buy cyber crime kits too with components such as card swipe modules that can pick up bank card numbers from outgoing web traffic, filters to protect the attacker from tracking, log parser plug-ins that can filter large data streams for the information you want to intercept, and automatic iFramers that help attackers embed fake pop-ups in web portals."

Outsourced DDoS-as-a-service often comes with a help desk. Brian Krebs, an independent security blogger, says the bad guys need customer support. "If you are running a botnet," he explains, "a lot of things can go wrong, so you need to be constantly upgrading your malware to protect it against all the antiviruses out there, bulletproofing your hosting, driving traffic to your site, infecting new machines to keep your botnet size stable. If you don't know how to do it yourself, you gotta outsource it."

It is well known that quality DDoS and cyber crime kits are sometimes used in tandem. The DDoS works as a distraction while the criminals use other tools to grab money or account information. Joe Nocera, principal at PricewaterhouseCoopers, says banks have gotten better at defending against these tactics, but they can also expect more sophisticated attacks. "To use the castle wall metaphor," he says, "the banks have gone from ten foot walls to twelve, but some of the bad guys now have fourteen foot ladders."

Bill Stewart, senior vice president at Booz Allen Hamilton, says one of the themes at this year's Black Hat cyber security conference was that the attackers are getting better at using familiar weapons. It means, he explains, "Old tactics like spear phishing, SQL injections, and cross site scripting still work. Just when you thought it was safe to go in the water ..."

KNOW YOUR ENEMY

Who is waging cyber war on U.S. banks and why?

Attackers fall roughly into three big buckets. "You have nation states, hackster groups such as Anonymous, and there is always organized crime," says William Nelson, president and CEO of the Financial Services - Information Sharing and Analysis Center (FS-ISAC).

Of course things are never so simple. For example, is the group that made new threats in July, Al Qassam Cyber Fighters, merely a hackster group like Anonymous with a more Islamic agenda? Avivah Litan, vice president at Gartner Research, is not afraid to say publicly what many have said in private: that Iran is behind the group. "Everyone knows it's Iran," says Litan. "The FBI, the CIA, and those who were hit. They all know the attacks stopped for a while after the (Iranian) elections. Expectations were they would resume after the elections, and that's exactly what happened." Litan is referring to the Cyber Fighters' Pastebin posts the week of July 21, announcing phase four of their cyber attacks on banks.

She also thinks it would make no difference whether or not the video that the group says it wants removed from YouTube comes down or stays up. "Iran is in a political war with the United States, so these attacks are not really about that YouTube trailer."

Which raises the question, if Litan is right, what do nation-state sponsored groups like Al Qassam Cyber Fighters want? A top cyber risk executive at a major bank says the answer is what keeps bank CISOs up at night. "These groups are not out to steal money, sensitive account information, or intellectual property. They just want to break stuff on a massive scale. That, and the fact that they have resources, makes them the most dangerous of all the attackers."

"Iran doesn't have that much to lose," says Pascual, who won't confirm that Iran is the real force behind the Cyber Fighters but will say the country's economy "has been so crippled by economic sanctions, all bets are off as to the amount of destruction they would be willing to wreak on the American banking system."

This is, in part, a reference to a consensus in the cyber security community within financial services that nation states like China would not engage in massive disruptive and destructive attacks. "We can assume that most rational governments, including ours, have these capabilities," says Nocera, "and so we can rely on a MAD (Mutual Assured Destruction) doctrine to keep these more aggressive attacks in check."

On this analysis, the nation state perpetrators divide into two subcategories — the rational and the irrational. The thinking is, a rational state like China can launch highly destructive and disruptive attacks, but probably won't. Rather, China will want to stay in stealth mode and probe consumer companies for intellectual property, investment banks for new trading algorithms, and government systems for military intelligence. APT (Advanced Persistent Threat) is the military-derived acronym for this type of computer break-in, and the APT from less rational state sponsored actors could be far worse.

Most agree that banks can expect more DDoS attacks from Al Qassam Cyber Fighters and others in the MENA (Middle East, North Africa) region. "Now we are getting noise from the Syrian Electronic Army," says Pascual.

Smith at Akamai Technologies is also watching these groups. "The Tunisian Cyber Army is generating a lot of activity, but so far these are just cyber skirmishes," says Smith.

Holland says there is speculation that Iran may be outsourcing development of its cyber attack arsenal. If so, this could point to an alliance between nation states and organized crime or hackster groups.

Outsourced or not, the result so far has been volumetric DDoS, and a major pain. A bank CISO's real nightmare scenario would be sophisticated malware, on the order of a Stuxnet, launched by an actor with resources and the sole intent of causing major disruption and destruction of critical infrastructure.

In a thinly veiled reference to Iran, Nocera says, "There is evidence that some of the less rational states are behind recent DDoS attacks. So they have reached one level of maturity, and it is reasonable to assume they will increase these abilities over time."

Anxieties like these give rise to nostalgia. "Many of us would call them the good old days, when the attackers were just kids in the basement," says Paul Smocer, president of BITS, the technology division of the Financial Services Roundtable. "But," he adds, "today's hacksters are also a significant threat."

Significant, but somewhat lacking in discipline and resources: "The FBI likes to paint hacksters with the same brush they use for the Al Qassams, but I don't buy it," says Pascual. "Take Anonymous, for example: what they have are some young, smart people, but they lack the same level of resources, and you can't get eighteen-year-olds to agree on anything."

A top cyber risk executive at a major bank agrees. "These folks are looking to destabilize and discredit the banking industry, so far without much impact."

More significant is organized crime. "These groups are definitely in a different category," says Nelson, "and we are seeing more of a commoditization and specialization here. The cyber criminals can go to one web site and buy malware to launch an attack. You go to another one to buy your spam to get people to click on a link, another place to buy your money mule network which you use for your ACH or Western Union cash grab. It's like a big shopping mall online."

There is widespread agreement that the large-scale fraud from organized crime usually originates in Eastern Europe, but Nelson says it is a mistake to think it is all coming from a few syndicates or the Russian Mafia. "You have sellers," he explains, "who are often bright individuals, good at writing code. Maybe they have worked for the government and are now ready to go into the private world to make some money."

At least these threats are more familiar. "Russian wire fraud, ACH theft: these are problems," says a cyber risk executive at a major bank, "but not our biggest concern."

Commenting on that biggest concern, PwC's Nocera says, "Financial institutions need to ask, 'At what point does an attack escalate from business to national security?' This is an ongoing debate: how the public/private partnership should work here."

Less rational, more dangerous attackers may be asking the same question, speculates John LaCour, founder and president of cyber security firm PhishLabs. "Maybe one reason we haven't yet seen the worst is because a truly devastating cyber attack on U.S. banks might be viewed as an act of war."

SHARING DATA, SEEKING CLUES

One of the best defenses against DDoS attacks is sharing information. Banks, not exactly known for sharing with competitors, are starting to recognize this. The top fifty U.S. banks now belong to the Financial Services - Information Sharing and Analysis Center; total membership is now at 4,400.

Though it's sometimes dubbed a quasi-government organization, "We are not government at all," Nelson is quick to say. "We did respond to the federal government's call to share information in 1998, and again after 9/11."

The organization shares information such as malware signatures, any new threat indicators, and how to defend against them. "It has been compared to the insect world: the individuals quickly come together to defend the hive as soon as an attack is detected," Nelson says.

Not all hive members are equal. Membership is tiered from free "notification-only" participation to a $50,000 per year platinum level, at which members have full access to the organization's entire database.

"FS-ISAC is a poster child for how competitors can share information properly," says Smith at Akamai. "Sharing Al Qassam's brobot code signatures to identify attack activity is just one example."

Two other groups, the Financial Services Sector Coordinating Council (FSSCC) and BITS, add power to the knowledge defense arsenal. The FSSCC works closely with the federal government to implement executive orders and new legislation pertaining to financial and cyber security. "We are the policy arm," says Doug Johnson, vice chair of the FSSCC. "For example, we are currently working with DHS to build an incentive structure to encourage financial institutions to adhere to a cyber security framework when it is published in October."

BITS is the technology policy division of the Financial Services Roundtable. "Think of BITS as a think tank around new and emerging security issues," says Smocer. "FS-ISAC is mostly about information sharing, and FSSCC is about coordinating defensive tactics."

Currently Smocer says the threat vectors are more or less the same; it's the bad guys who have changed. "Bank CIOs and CISOs are concerned about this new tranche of nation state attackers."

On defense, Smocer says, "A tactic that is starting to pay off is more cooperation from ISPs. We are learning better ways to re-route and block bad traffic. This requires interception and sharing with ISPs and telecoms, but all this is currently underway."

Smocer says banking industry specific domain names could buttress barricades at the cyber war front. "We are watching for changes from ICANN (Internet Corporation for Assigned Names and Numbers)," he says.

There are also products and services to help banks detect a DDoS attack before it brings a system to its knees. CDN (Content Delivery Network) vendors like Akamai and CloudFlare claim to lessen your DDoS vulnerability by "tiering out your web." Another option is additional hardware and software in front of your server from vendors like Arbor Networks. You can also partner with your ISP, many of which use some of these same security services.

Forrester's Holland says banks also need to look inside the network. "Volumetric DDoS is at layer three or four, it just floods the server. Now we are seeing application layer/layer seven attacks as well."

Application software may also have structural weaknesses that open the door to older, tried and true methods such as SQL injections, functional injections, cross-site scripting, and buffer overflow attacks. Vendors such as CAST Software probe for these kinds of vulnerabilities. "We work with a lot of banks," says Bill Curtis, senior vice president and scientist at Cast. "These (structural attacks) are often what attackers try to mask with a diversionary DDoS attack."

SQL injection, while still a problem, is fairly easy to fix once detected, according to Jeremiah Grossman, CTO of WhiteHat Security. "Cross-site scripting exploits your browser to grab sensitive information and is trickier," he says. "The most effective fix is to employ textually aware output encoding to ensure the data the system takes in is rendered non-executable." WhiteHat tests for these vulnerabilities from the outside, a "hack yourself first" approach.
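As an added example (not code from the article or from WhiteHat), this shows what the output-encoding fix Grossman describes looks like in practice: the same untrusted value is encoded differently for the HTML body, an attribute, a JavaScript string literal and a URL parameter, so that it is rendered as data in each context rather than as code. Function names and the sample input are my own.

```javascript
// Context-aware output encoding: one encoder per render context.
// Added example, not the article's or any vendor's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context: neutralise tag and entity delimiters.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// HTML attribute context: encode everything except alphanumerics as &#xHH;,
// so the value cannot close the quote or the tag.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escapes, so neither a
// quote nor a "</script>" sequence inside the value can leave the literal.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// URL parameter context: percent-encoding is the right encoder here.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Render a small page fragment; each interpolation uses the encoder
// for the context it lands in. Using encodeForHtml everywhere would
// be the classic mistake: it does not protect the script or URL slots.
function renderGreeting(name, theme) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<div data-theme="${encodeForHtmlAttribute(theme)}"></div>`,
    `<script>var user = "${encodeForJsString(name)}";</script>`,
    `<a href="/profile?u=${encodeForUrlParam(name)}">profile</a>`,
  ].join('\n');
}

// Constructed sample input: a typical reflected-XSS probe string.
const SAMPLE_NAME = '<script>alert(1)</script>';
const SAMPLE_THEME = 'dark" onmouseover="alert(1)';

console.log(renderGreeting(SAMPLE_NAME, SAMPLE_THEME));
```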

Booz Allen Hamilton's Stewart advises banks to think beyond the firewall. "Firewalls, encryption, standard intrusion detection: you need all this, but you should also assume the bad guys are going to get in. Governments protect themselves this way. It is partly a philosophy."

Putting it into practice involves something that everyone is talking about: big data. "Now, we really do have the ability to capture and look at all the traffic data, not just a sample," says Stewart. "If you apply the right analytics you start to see patterns and trends outside the network, and recognize malware signature patterns."

The Federal Financial Institutions Examinations Council is pushing banks to do more of this kind of anomaly detection and behavioral analysis. "This will likely involve advanced analytics on big data," says PwC's Nocera, "but I don't think anyone has yet written the manual for bank cyber detectives."

Such a manual might have a chapter titled, "The Honeypot." This tactic sets up a decoy network designed to attract attackers. "Only the biggest banks can afford to do this," says Holland. "You lure the bad guys in, and then you just sit back to watch and learn how they operate."

Some suggest banks should take the next step and fight back. "It is a hot debate right now," Holland says, "as to how much offense enterprises should use. I certainly advise against launching counter attacks."

Nocera says this is a gray area. "It is not a common practice, but banks are talking about hacking back to shut down the enemy's command and control systems."

The Linux ADHD (Active Defense Harbinger Distribution) system offers a more affordable way to test some of these emerging tactics, Nocera says. "ADHD is more of a honey pot system, but it provides some basic hack back tools as well," he says.
