On a scale of one to ten, Greg Garcia puts a threat made by the hacktivist collective known as "Anonymous" to hit banks with distributed denial of service attacks on September 11 at around a five.
Anonymous has made vague threats against the U.S., Israel and U.S. banks in operations it calls OpUSA and OpIsraelReborn.
In a warning about the threat, the FBI said, "Op USA is described as a cyberattack on U.S.-based web sites and servers, with a focus on the financial industry. Organizers previously claimed Op USA was in response to alleged war crimes the U.S. has committed against Iraq, Afghanistan, and Pakistan."
Garcia, who is advisor to the Financial Services Information Sharing and Analysis Center and former Assistant Secretary for Cyber Security at the Department of Homeland Security, points out that Anonymous made a similar series of threats on May 7 and no attack on banks materialized. The September 11, 2013, iteration of Op USA targets the same list of financial industry targets.
Financial institutions have been on high alert for several months during various DDoS campaigns over the past year, Garcia points out. "We're not seeing evidence yet or serious chatter that lead us to believe they'll pull it off" Wednesday, he says. "Nevertheless, we don't take anything for granted. The FS-ISAC and its members are working together to build DDoS mitigation tools that members can use, and are in constant contact with the Department of Homeland Security and law enforcement to share intelligence as it happens. For now, we're not seeing it."
Alphonse Pascual, senior analyst for security, risk and fraud at Javelin Strategy & Research, agrees and goes a step further: "It looks like larger banks have the problem pretty well in check," he says. "If you're doing this on September 11, you're doing this for attention. It's a matter of symbolism. You wouldn't necessarily strike out against smaller institutions."
Attacks against the largest banks will fail, he says, because they have shored up their DDoS defenses and banks as a whole have gotten much better at sharing threat information. "As long as the banks keep doing what they've been doing for the past couple of months, it shouldn't be a major issue," he says. Government sites might suffer site defacement as they did on May 7, but banks should be fine, he says.
Through the FS-ISAC and other outlets, bank security and network staff have been sharing information about where DDoS attacks are coming from so they can then redirect the traffic. "U.S. banks, especially larger banks, get traffic from across the country and around the world, so it's hard to parse out legitimate traffic from malicious traffic," Pascual notes. "When one bank has been attacked, they can then identify the source and let other banks know so they can react and protect themselves. They're also acting more quickly, they're more aware of attacks, they can monitor network traffic and quickly adjust, whereas before they didn't have the ability to mitigate the attacks."
No one is counting Anonymous out, however. "It's hard to say if this will happen, but typically the FBI is right and they wouldn't put out this warning needlessly," says Avivah Litan, vice president at Gartner. "It's a very diffuse group and there are plenty of crazy anarchist hacker types that are happy to pitch in to make Anonymous successful."