Shortly after Anonymous hackers attacked several Israeli government websites in early April, an Israeli hacker broke into Anonymous' Operation Israeli website. Within hours, he had replaced all the anti-Israel messages with a recording of Israel's national anthem.
"When I read that, I thought, 'All right!'" says Avivah Litan, vice president and distinguished analyst at Gartner.
Such chutzpah is a rare among cyberattack victims.
Banks that have been hit since September with several waves of distributed denial of service attacks, in which protestors flood a bank's web servers with requests to slow and disable the machines, have taken a defensive posture. This is appropriate, as the enemy is still not fully known. The Izz ad-Din al-Qassam Cyber Fighters Group has claimed responsibility for the attacks. This Muslim group says it's going after U.S. banks because it wants YouTube to remove a video called Innocence of Muslims from its site. It has announced each attack beforehand, more or less accurately. Yet many observers believe that the scale and sophistication of the attacks indicate a nation-state, possibly Iran, is behind them.
The threat is being taken seriously by more banks. In a poll American Banker conducted at the end of March, editors asked, "Do cyberattacks pose a grave threat to banks?" More than half (51) agreed that yes, the bad guys could cause the financial system to seize up. About 40% felt it depends — banks that make serious commitments can protect themselves. Only 9% said no, that the threat is overblown and more a costly nuisance than a serious danger.
ANATOMY OF A DDOS ATTACK
There are two types of distributed denial of service attacks, according to Lawrence Orans, research director at Gartner. The first, a volumetric attack, fills the target's bandwidth pipe with junk — or fake requests — in an attempt to knock out its servers. The cybercriminals create malware that harnesses a large number of computers into a botnet and directs traffic from the servers to a target location, such as an online banking login page. Another target might be an annual report on the bank's website available for download. "If you launch thousands of PCs within a few seconds to download that PDF, that's going to cause a DDoS attack," Orans says.
The second type of DDoS attack goes after applications. The attackers send an application server commands that max out the server's CPU or memory, either of which could cause the application to fail and to deny service to legitimate users. This is also called resource starvation.
"An example would be 'search *.*'; that would put a big hit on the CPU and on memory," says Orans.
At least a dozen banks have been subject to DDoS attacks in the past seven months, and most of them have been among the largest, such as Wells Fargo and JPMorgan Chase. More recent targets have included Regions Bank, TD Bank, BB&T and American Express.
So smaller banks can't sit back and relax. "Regional banks are next in line to be targeted and some are being targeted now," notes Alphonse Pascual, senior analyst of security, risk and fraud at Javelin Strategy & Research.
Since September, the DDoS attacks on banks have been getting deeper and more sophisticated. In the early days, the banks were receiving excessive traffic on their website home pages. Then the attackers got more specific, drilling down to find, say, a specific file that could be downloaded from Wells Fargo's customer service page, and issuing millions of requests to download that file. "It's not a rocket science attack but it's targeted toward different parts of banks' websites," says Litan. "Banks generally go through the same network providers, so [the attackers] want to overwhelm the carriers so they can't filter out the traffic."
The volumes of the attacks have grown larger over time. Where traditionally, DDoS attacks have been launched from botnets of PCs, recent attacks on banks have come from powerful servers. "Servers have quad-core processors, big pipes, and a lot of bandwidth, so a botnet of servers creates a more powerful attack than we've seen from typical botnets of PCs," says Orans.
Most banks are turning toward service providers for DDoS mitigation, in one of the categories described below.
"Mitigation services are helpful in that they have a lot of expertise," Orans says. "In a typical attack, the bad guys start out slowly and ramp things up slowly to determine the minimal amount of traffic volume it would take to DDoS the site." A good mitigation service will see and react to that suspicious behavior in the early stages, he says.
A few larger banks are buying and implementing in-house DDoS detection and mitigation technology explained later in the article.
DDoS mitigation from an ISP. Some internet service providers offer a service intended to detect and remove malicious traffic before it gets to clients' servers. Such "clean pipe" services are offered at a 10-15% premium above what the client pays for bandwidth. Verizon, for instance, will monitor a client's traffic to determine what is normal in terms of volume and protocol, and when spikes occur during a normal business day, "That information is then used to start looking for anomalies," says Bart Vansevenant, executive director of security solutions at Verizon. "As soon as we see anomalies, a trigger goes off and mitigation kicks in." Traffic is rerouted so that it bypasses the bank and goes to the provider's mitigation center where it is "cleaned" of suspicious traffic before being sent to the bank's servers.
Who offers it: AT&T, Savvis, Verizon
Pros: An ISP can choke off malicious traffic further upstream so it never reaches the bank. "The ISP can control the spigot," Pascual notes. "ISPs see everything at that macro level and they have a better idea of what the inflows are looking like and coming from."
Cons: DDoS mitigation is one of several things ISPs do, they're not specialists in this area.
DDoS mitigation from a specialty provider. Specialty DDoS mitigation providers run dedicated data centers with high-capacity networks (100 gigabytes or more) called "scrubbing centers." What a bank recognizes it's under attack, it reroutes all traffic heading toward its website to a scrubbing center. The specialty provider "scrubs out" the bad stuff and sends the good traffic back to the bank.
Who offers it: Prolexic, Verisign. Corero Network Security
Pros: "The specialty providers have the best expertise to mitigate an attack, this is all they do," says Orans.
Cons: These services need to be thoroughly tested in advance as well as quarterly, to be sure they will work when needed.
Content distribution networks. A CDN provider hosts all of a company's web traffic on its network of servers. With DDoS mitigation built into the service, it's the CDN's job to detect and block malicious traffic to the bank's website. The bank doesn't need to do anything.
Who offers it: Akamai, CloudFlare
Pros: "The more distributed your network is, the better off you are," says Litan. One bank targeted in the first wave of DDoS attacks in the fall withstood the attack better than most because it distributed its content over geographically diverse web and app servers," she says.
Cons: A content distribution network can only mitigate the attacks against a website, not those that target app servers or other types of servers. And potentially, attackers could figure out where all the CDN servers are and attack them. "These guys are dedicated and capable," Pascual says. "Throw them off for a day, but you're not going to throw them off for a year."
Do-it-yourself IT techniques. There are a few standard IT techniques that can help ameliorate the effect of a DDoS attack.
One is overprovisioning — purchasing excess network bandwidth to handle the extra traffic of a DDoS attack. "It's an expensive option and it's not unlimited either," Pascual says. "That cost makes it prohibitive for many banks."
Another is blackholing — rerouting traffic that's been identified as malicious to another location. "It's easy if you know where the malicious traffic is coming from," says Pascual. "That's where [cyberthreat information sharing] groups like FS-ISAC have been instrumental." Banks are able to share intelligence on the locations and sources of these attacks, and that will help them implement tools such as blackholing."
The downside is, attackers tend to be very good at spoofing accounts and websites. They're often using IP addresses that do not appear on any black list.
Another problem is that it's hard to get specific. A bank might determine that malicious traffic is coming from Europe, but a global bank with customers in that region, it can't very well shut off all traffic coming from that direction. "They have to identify the exact systems that are responsible for these attacks and shut down access one at a time," Pascual says.
There's also specialized DDoS equipment banks can buy.
In-house DDoS mitigation equipment. Specialized on-premises appliances monitor network traffic for signs of DDoS attacks and try to block them. About 5% of large financial services firms purchase such equipment, Orans estimates.
Who offers it: Arbor Networks, Radware
Pros: The bank is in control of DDoS efforts and the solution is always on. The bank could potentially respond more quickly. According to Rakesh Shah, senior director of product marketing and strategy for Arbor Networks, his company's technology is deployed at 90% of service providers, therefore it has visibility into traffic patterns around the world. "We're able to create specific fingerprints of attacks and feed them to our device to block that traffic," he says.
Cons: "If there's a volumetric attack filling up your pipe, you're not choking it off further upstream, your pipe is saturated with junk," Orans says. Such devices also require someone in the organization to have the expertise to work with them,Orans says.
Intrusion detection/prevention systems. The most obvious security technology for detecting DDoS attacks, which many banks already use, is the more generic intrusion detection system, software that monitors network traffic for potentially malicious behavior and alerts administrators to it. Its sister technology, the intrusion prevention system, blocks traffic from the "bad actor" IP addresses.
Who offers it: Cisco, McAfee, HP (Tipping Point), IBM, Intel (McAfee), Juniper.
Pros: It's effective for certain types of identified threats, such as a cybercriminal using a stolen IP address.
Cons: Most IDSs and IPSs aren't designed to deal with DDoS attacks. "They're meant to keep people from getting into your system, they're not necessarily for dealing with excessive traffic," Pascual says.
WHY HAS NONE OF THIS WORKED SO FAR?
One question we've been asking since these attacks began is, why aren't the technologies and services banks have in place effectively protecting them against the attacks. Experts give several reasons.
"The DDoS mitigation techniques are working," asserts Orans. However, when an attack is new and different, it takes longer to respond to and mitigate its effects. "That's why you sometimes see more pronounced outages."
"The true zero-day attack there's no perfect defense for," agrees Rich Bolstridge, chief strategist for financial services, Akamai Technologies. "When an attack does come in on one of our customer sites, we can apply a rule to our other customers. Some days, every 15 minutes an attack moves from one to another. Thursdays are usually the worst. Attackers sometimes vary their techniques within a day."
The high volumes are a big factor. "Most of banks' networks are capable of handling 10 gigs per second, but the level getting through to them in these attacks is 40-50 gigs," notes James Barnett, a retired Rear Admiral in the Navy who recently joined Washington, D.C. law firm Venable as a partner; he is the former Chief of the Public Safety and Homeland Security Bureau for the Federal Communications Commission.
A comparable example would be getting four to five million emails per second in your email inbox, he says. "That would be pretty hard to handle," he notes.
Litan argues that vendors are not yet able to distinguish good and bad traffic because they're being reactive instead of proactive. "They have to study the new attacks and then put in a new control to stop them," she says. What's needed is behavioral modeling of normal activity that will help show up anomalies that could indicate an attack. "The current technology is all old-fashioned, backward-looking and rules-based, which is true for security software generally."
There are several pre-made DDoS toolkits available as commercial products, which makes creating the attacks easier, points out John Linkous, security research fellow at eIQnetworks.
Part of the challenge comes from the need to keep website availability up and provide security at the same time. "You still want usability by customers, you still need to be able to conduct complex and secure transactions," Barnett points out. "So you have to have utility and functionality as well as that type of protection."
Signs are that banks are getting better and that online banking outages are getting shorter.
"For financial services at this time, the best answer out there is a layered answer, which is not something I would have said a year ago," says Vansevenant.
As with so many other areas of life, there's no single answer. "It's really about working together," Pasqual notes. "No one technology is perfect and the cost factor is significant if you're trying to take this on by yourself. It's like turning around the Titanic, it's not going to turn on a dime," Pascual says. "It's going to take time and resources. The more cooperation we have among institutions themselves, the better off everyone is going to be."
Future attacks may harness the 100 million mobile devices in the U.S., which tend to be left unprotected. "On their desktop PCs now everyone has anti malware software, but people are not familiar with securing mobile devices," Pascual says. "We see an exponential growth in mobile malware, and we're already starting to see programs that could be used for mobile devices." Some malware programs have "ddos" in their very name.
"It's just a matter of time. Consumers open themselves up with poor security habits, they download stuff off Google Play," Pascual says. "There's a lot out there that opens this up to being a potential issue. It's a horrible scenario. Imagine what happens if a million mobile devices all over the U.S. target one location?"