In the wake of eight sophisticated distributed denial of service attacks aimed at leading U.S. banks in recent weeks, financial institutions are bracing for more.
The hacktivist group Izz ad-Din al-Qassam, which took credit for the online outages, said it planned to spend the weekend of Oct. 13-14 planning its next wave of attacks. And if the trend continues, those attacks could come as soon as Oct. 16, because the previous waves both started on Tuesdays.
So, what lessons have the industry learned from these incidents? First and foremost, it's clear banking institutions have to take these threats seriously, says Bill Wansley, a fraud expert at financial-services consultancy Booz Allen Hamilton.
The advance warnings the hacktivists provided indicate they "have a certain level of confidence that they can make these claims and successfully pull the attacks off," he says.
Through posts on Pastebin, the hacktivists gave banks at least 24 hours advance warning.
That also means that when a site goes down, the targeted institution can't really deny it was hit, Wansley adds.
And even if they have yet to be attacked, all banking institutions should reach out to customers now to explain how these highly publicized DDoS attacks work and to spell out the steps they are taking to protect accounts, says Gregory Nowak of the Information Security Forum.
"Failure to communicate makes the banks look bad," he says.
Communication is Key
In the wake of the eight attacks, which were far more sophisticated than most previous DDoS attacks, it's time for banks and credit unions to review their defensive strategies, enhance their anomaly detection and get response plans in place, experts say. Banks also need to be aware that the attacks could be precursors to fraud on other channels, they note.
Financial institutions also can learn lessons from how the affected banks handled communication. All the banks acknowledged their online-banking sites suffered intermittent outages. But only two, Capital One and PNC, went so far as to say the outages were linked to DDoS attacks.
In the days following the attack, CapOne posted a note on its site on Oct. 9 saying the online-banking site was suffering from intermittent outages related to high volumes of traffic. "Other banks have experienced similar issues in recent weeks due to targeted efforts designed to flood online systems, also known as a Distributed Denial of Service attack," CapOne said. "We want to thank you for your patience and assure you that your customer and account information was not exposed. We are working with federal law enforcement and other authorities to investigate these attacks and further enhance defenses against these types of events."
PNC, which has been the most forthcoming about the reasons for its online outages, posted a notice on its website detailing the takedown.
"Beginning at 6:45 a.m. on Sept. 27, 2012, PNC's Internet connection experienced sustained attacks that flooded our Web sites with an extremely high volume of electronic traffic from thousands of locations around the world," the notice states. "This flood of traffic, commonly known as a distributed denial of service (DDoS) attack, was intended to crowd out legitimate customers at PNC's Web sites, preventing them from accessing online banking and other Internet-based services. ... The attack had been pre-announced by an extremist group calling itself Izz ad-din Al qassam, and PNC was in contact with regulators, federal law enforcement officials and Internet security experts from the beginning."
The notice goes on to say the attack continued for 31 hours and did not end until the afternoon of Sept. 28.
PNC's approach to communications provides an example that others should follow, Nowak says.
"Banks can use the website to include links to talk about security and explain the attacks," he says.
Attacks Are Sophisticated
The first wave of DDoS attacks started Sept. 18. The targets included Bank of America, Chase Bank, Wells Fargo, PNC Bank and U.S. Bancorp.
Banks should take note that these DDoS attacks have been much more sophisticated than most previously seen.
The bank attacks did not use a typical botnet, Wansley says. "The attackers are using content management servers to wage these attacks, so they are more sophisticated and there is definitely more volume."
Mike Smith, a senior security evangelist at Akamai Technologies, an Internet platform provider, notes that in the bank attacks, the traffic coming in was the equivalent of about 65 gigabytes per second. "Even at the height of the Anonymous attacks, we saw traffic coming in from 7,000 or 8,000 people [at approximately 1 gigabyte per second] involved in attacks at any given time," he says.
One executive at a financial institution with $3.75 billion in assets, who asked to remain anonymous, says the attacks have been successful because few institutions have invested in DDoS defenses.
"Many institutions do not invest in a true defensive, in-depth strategy and infrastructure to mitigate DDoS," the executive says.
Prelude to Fraud?
Experts also warn the attacks could be precursors to fraud in other channels.
"There are anecdotes about money loss during these attacks, e.g. through calls to the call center to get wire transfers done while the website was down," says Avivah Litan, a fraud analyst at financial consultancy Gartner.
Jason Malo, a financial security and fraud research director at CEB TowerGroup, also warns banks and credit unions against DDoS distractions.
"Take a look at Sony," Malo says. "They got hit with a DDoS attack, and then right after that they got compromised. No one knows if it's tied, but they were so distracted by the DDoS attack, they lost track of what was going on."
Izz ad-Din al-Qassam claims it's waging a cyberwar against top-tier banking institutions because of outrage over a YouTube movie trailer believed by the group to be anti-Islam. Experts question whether that outrage is just a front for something more nefarious.
But Nowak says the motivation behind the attacks in this case is not important. "It's not generally useful to try to figure out the motivation, unless it helps you come up with defensive measures," he says. "Worrying about motives distracts from countermeasures."
Defense Can be Improved
Malo says institutions need to work closely with vendors and continue sharing information.
"One of the biggest mistakes we make when it comes to DDoS is assuming that all attacks are just about brute force pounding on the servers," he says. "In more sophisticated attacks, there are usually smaller DDoS attacks launched at the same time."
Some of those smaller attacks could be directed at the domain name server (DNS), which Malo says he believes to be the case now. And fighting a DNS reflector attack is much different from fighting an attack based solely on traffic volume, he says.
During a DNS attack, the DNS server is overwhelmed with queries for the names in certain URLs. DNS servers normally translate the text-based domain names in URLs into IP addresses, but when too many requests arrive at once, the server cannot answer them all.
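The query flood described above shows up in the DNS server's own query log before customers notice anything, so one of the cheapest detection controls is a per-second volume and source-spread check over that log. The following is an added example written for this article, not code from any of the institutions or vendors quoted; it assumes BIND-style querylog lines (the sample lines are constructed, using documentation address ranges), and the two thresholds are placeholders that a real deployment would derive from its own traffic baseline.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# BIND-style querylog line, e.g.
# "27-Sep-2012 06:45:00.101 client 203.0.113.5#53412: query: www.bank.test IN A + (198.51.100.10)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) for a query line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def bucket_by_second(lines):
    """Group queries into per-second buckets: total count, distinct source addresses, query types."""
    buckets = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log lines are skipped rather than crashing the monitor
        ts, ip, _qname, qtype = parsed
        b = buckets.setdefault(ts, {"total": 0, "clients": set(), "qtypes": Counter()})
        b["total"] += 1
        b["clients"].add(ip)
        b["qtypes"][qtype] += 1
    return buckets


def detect_flood(lines, max_qps, max_distinct_clients):
    """Flag every second whose query volume or source spread exceeds the configured baseline.

    Two signals are checked because a flood "from thousands of locations" can stay under a
    per-client rate limit while still exhausting the server: raw queries per second, and the
    number of distinct source addresses seen in that second.
    """
    alerts = []
    for ts in sorted(bucket_by_second(lines)):
        b = bucket_by_second(lines)[ts] if False else None  # placeholder replaced below
    buckets = bucket_by_second(lines)
    for ts in sorted(buckets):
        b = buckets[ts]
        reasons = []
        if b["total"] > max_qps:
            reasons.append(f"{b['total']} queries/s exceeds baseline {max_qps}")
        if len(b["clients"]) > max_distinct_clients:
            reasons.append(f"{len(b['clients'])} distinct sources exceeds baseline {max_distinct_clients}")
        if reasons:
            alerts.append({
                "second": ts.strftime("%H:%M:%S"),
                "total": b["total"],
                "clients": len(b["clients"]),
                "top_qtype": b["qtypes"].most_common(1)[0][0],
                "reasons": reasons,
            })
    return alerts


def make_sample_log():
    """Constructed sample: one quiet second, then one second flooded from many addresses."""
    lines = []
    quiet = datetime(2012, 9, 27, 6, 44, 59)
    # Quiet second: five ordinary lookups from three customer addresses (constructed).
    for i in range(5):
        ip = f"203.0.113.{(i % 3) + 1}"
        lines.append(f"{quiet:%d-%b-%Y %H:%M:%S}.{i:03d} client {ip}#{40000 + i}: "
                     f"query: www.bank.test IN A + (198.51.100.10)")
    # Flood second: 60 queries for varying names from 50 distinct addresses (constructed).
    flood = quiet + timedelta(seconds=1)
    for i in range(60):
        ip = f"192.0.2.{(i % 50) + 1}"
        lines.append(f"{flood:%d-%b-%Y %H:%M:%S}.{i:03d} client {ip}#{50000 + i}: "
                     f"query: host{i}.bank.test IN A + (198.51.100.10)")
    # A non-query line, to show the parser ignores it.
    lines.append("27-Sep-2012 06:45:01.500 unrelated log line that the parser should ignore")
    return lines


if __name__ == "__main__":
    for alert in detect_flood(make_sample_log(), max_qps=20, max_distinct_clients=10):
        print(alert["second"], alert["total"], "queries from", alert["clients"], "sources:", "; ".join(alert["reasons"]))
```

The thresholds are the whole game: set `max_qps` and `max_distinct_clients` from several weeks of the institution's own logs (peak legitimate second plus headroom), and feed alerts to the same response plan that covers the web tier, since a DNS outage and a web outage look identical to the customer.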
"Many of the larger institutions manage their own DNS servers," Malo says. "But to cover the full breadth, you do need scale."
To get that scale, Malo recommends a hybrid model - one that relies on servers on-site as well as servers in the cloud. "Relying solely on intrusion prevention is a big no-no," he adds. "That only protects from one thing. This is why banks need a hybrid approach."