Distributed-denial-of-service attacks and threats posed by hacktivists - they continue to pose big risks to banking institutions and other critical-infrastructure industries. And both were key threats noted by experts at our Fraud and Data Breach Prevention and Response Summit in Dallas.
Other hot topics, not surprisingly, revolved around emerging global payments risks posed by the U.S.'s migration to EMV, and how cross-industry cyberthreat intelligence and information sharing are helping organizations predict threats.
"90 percent of all cyberattacks involve DDoS."
But the discussion surrounding DDoS and hacktivism caught my attention, namely because we don't hear cybersecurity experts talking enough these days about why DDoS and hacktivism are especially worrisome now, and what organizations can do to keep themselves from being targets.
During his keynote address, retired U.S. Air Force General Dr. Dale Meyerrose noted that 90 percent of all cyberattacks involve DDoS - i.e., DDoS is used as a mode of distraction to veil some other attack taking place in the background (such as account takeover), or DDoS, in and of itself, is the attack.
What's more, Meyerrose points out that the DDoS attacks on banks waged between September 2012 and spring 2013 by the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters comstituted the longest-running cyberattack campaign ever recorded against the U.S. financial sector.
al-Qassam's attacks were waged as part of a campaign known as Operation Ababil, and the sole purpose of this hacktivist group was to disrupt online financial services, not perpetrate fraud or extort banks for money.
But the reputational damage caused by those attacks proved costly. Operation Ababil spurred the public's fear of how these attacks could impact the country's financial stability. The attacks eventually proved to be the catalyst for more collaboration and information sharing between U.S. banking institutions and the government.
Operation Ababil put the Financial Services Information Sharing and Analysis Center at the heart of information and threat intelligence sharing, and catapulted the organization's status among global banking institutions to a new level of acceptance and respect. Good things came out of Operation Ababil, and because of heightened threat intelligence and cyberattack sharing among institutions and the government, al-Qassam's later attacks were unsuccessful at taking any institution's online presence down for long.
DDoS for Extortion: A Growing Threat
Today, however, DDoS attacks are bigger. And even though we don't hear much about DDoS, today's attacks are actually far more damaging than they were three years.
In August, Joseph Loveless of DDoS mitigation and telecommunications firm Neustar told me that many banks lack adequate defenses to fight today's DDoS attacks. And while a majority of institutions are doing better jobs than they were three years ago at detecting DDoS attacks sooner, the potential for damage is much greater now than it was during Operation Ababil (see DDoS Attacks Against Banks Increasing).
In fact, Loveless says banks and credit unions have the potential to lose $100,000 per hour because of downtime and possible fraud during a DDoS attack.
In September, Roland Dobbins of online security and DDoS mitigation firm Arbor Networks told me that DDoS had emerged as a primary tool for extorting banks (see DDoS for Extortion: How to Fight Back).
The emergence in July 2014 of the DDoS extortion group known as DD4BC, DDoS for Bitcoin, has shifted the focus for DDoS.
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, noted during an interview with me in late August that some top-tier banks hit by DD4BC were paying ransoms of up to $5 for every $100 worth of damage or loss due to downtime. That's huge.
It seems these types of DDoS extortion attacks are a growing concern for regulators. On Nov. 3, the Federal Financial Institutions Examination Council issued an alert about the severity and frequency of DDoS and other cyberattacks waged against banks and credit unions for extortion (see FFIEC Issues Extortion Attack Alert).
And recent news that a more streamlined version of the ransomware known as CryptoWall is now on the market reminds us that cyber extortion is ramping up.
In a story posted Nov. 6, my colleague Mat Schwartz, executive editor of DataBreachToday, notes that the three most common types of online extortion attacks today are ransomware, DDoS and the theft of intellectual property.
During our Summit in Dallas, these concerns came through loud and clear. Assistant U.S. Attorney Camelia Lopez, who works for the Eastern District of Texas, noted that DDoS and hacktivist attacks are among the leading cybercrimes her office has investigated in the last year.
Jarret Kolthoff, a former U.S. Army Counterintelligence special agent, echoed Lopez' take on the emerging risk posed by DDoS and hacktivism.
Kolthoff says hacktivists are increasingly waging DDoS attacks to mask more nefarious deeds, such as the theft of intellectual property and business secrets. And the purpose of stealing this information is to blackmail companies in the future.
So, our last Summit of 2015 likely set the stage for what we can expect to see more of in 2016 - DDoS and extortion.
I'm looking forward to our 2016 summits, where EMV, real-time payments and authentication enhancements for biometrics, in addition to DDoS and extortion, will be key topics we and our experts discuss. And that's the best part - the in-person discussion.
I've enjoyed my interactions this year with speakers, sponsors and attendees, and I look forward to continuing the dialogue in person, around the world, in 2016.