DDoS: Are Attacks Really Over?
Expert Says Attacks Likely After More than Publicity
Bill Stewart, a senior vice president and online security expert at the consulting firm Booz Allen Hamilton, says this new wave is yet another sign that institutions can never let their defenses weaken.
"What I think most folks are doing is working pretty diligently to not let their guards down," says Stewart during an interview with Information Security Media Group [transcript below].
"One of the benefits of the recent attacks is that they've raised visibility about the need to continue to be diligent and enhance our cybersecurity infrastructure," he says.
The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which has taken credit for what's now become three waves of attacks aimed at U.S. banking institutions since mid-September, claimed Jan. 29 it would suspend its campaign -- a gesture, the group claimed, to show its appreciation for YouTube's removal of a popular link to a movie trailer deemed offensive to Muslims. Since the attacks began during the early fall of 2012, the group has pointed to the video's presence on YouTube as the catalyst for its attacks.
But now the attacks have resurfaced, as industry experts such as Stewart predicted. "We've really seen another issue that has heightened awareness around the challenge of cybersecurity and the challenge of protecting our credible infrastructures," he says.
"Use this as an opportunity to [review] those strategies and plans that you have in place, and then also to build a cast for continuing to invest and continuing to provide the level of diligence needed," Stewart adds.
During this interview, Stewart discusses:
- Why the banking industry is concerned about fraud and advanced persistent threats linked to DDoS attacks;
- The challenges of identifying DDoS targets;
- How organizations should address DDoS prevention.
Stewart has more than 25 years of professional experience in designing, developing and deploying cybersecurity solutions. At Booz Allen Hamilton, he leads the firm's Cyber Technologies Center of Excellence, which helps clients secure critical business systems and accomplish mission-critical goals. Before joining Booz Allen, Stewart worked for a major electronics firm, where he developed communications security and key management devices.
Halting DDoS Attacks
TRACY KITTEN: Why did the hacktivists stall their attacks?
BILL STEWART: What we believe is that these attacks are a demonstration of capability. A DDoS attack, while a troublesome thing that does cause an institution being attacked to divert resources, and it can be an annoyance; in and of itself, a DDoS attack is not typically the primary issue at hand. Often what's going on is some other potential exploitation, some other diversionary tactic that's going to be used to open up a vulnerability or take advantage of the fact that we've got resources expended to defend against the DDoS attack and allow an adversary to come at an institution through another vulnerability.
I think the entities were issuing attacks to make a point that they can do this and they can do it in a way that's more substantial than what we've seen in the past. Now they're looking at other means to send the message, and also as a way to provide other things in other exploitations and to focus in other areas of the network and other areas of an institution's capabilities.
The reality is, as I said before, with a DDoS attack, you're using a lot of resources and it's troublesome and you do cause some harm; but when you step back and look at what's really going on, it's more of a distraction and a nuisance. There are other opportunities to potentially do more damage and create more harm to some of these institutions. Depending on who the adversary is and what they're trying to achieve. If they're trying to achieve notoriety and get some press for their cause, they've done that and they've achieved that. If they're trying to do this as a way to get to something else to cover up some other attack or to prove a capability that can be somehow used in the future as part of a negotiation or threat, I think it achieves those things as well.
Banks Still Being Targeted
KITTEN: Is there evidence to suggest that these attacks never actually stopped?
STEWART:We've seen somewhat of a drop-off in the recent past, but we've seen other attacks emerge in other places. It's hard to say what's really going to happen next with an adversary like this. But these DDoS attacks, the overall technology that it takes and the know-how that it takes, are not, in the grand scheme of things, all that sophisticated. What's a little different here is just the sheer volume of information and sheer volume of data that's on these networks.
Impact to Other Industries
KITTEN: Is there any evidence that suggests other industries or other brands have been targeted by the same group?
STEWART: We do know that other industries have experienced some similar attacks. Again, it's always difficult to have inclusive evidence in cyber around who's doing what and exactly how the attacks are being generated, so it's very easy to create the same type of attack in different places and have it look the same. But there are a lot of similarities to the recent events that have occurred, and it does seem like, perhaps, there's been a shift in focus.
Attack on Amazon
KITTEN: Do you think that Amazon's DDoS strike, which took the e-commerce leader offline for approximately 45 minutes, could be related to the same group?
STEWART: Again, it's hard to know with certainty, but it's certainly worth investigation. ... Amazon is a significant Internet presence, and so to have them offline for any period of time does take a fairly substantial capability; and that's one of the traits and characteristics of what we have seen with these attacks on the financial-services industry. I'm not in a position to say absolutely, and I'm not sure that anyone is, but there are some similarities between what's occurred.
Targeting Smaller Institutions
KITTEN: Another suspicious piece of this puzzle is that days before the hacktivists announced they planed to halt their attacks took aim at smaller banks and credit unions. Why would the hacktivists shift gears?
STEWART: That's a very good question. There could be lots of reasons for that. One would be their objective is to gain recognition and notoriety for what they're doing, to gain more public acknowledgement of their claims. Them shifting focus to other entities is a way to do that. You get another community; you keep the story out in the press. Another piece of speculation could be that the attacks are a diversion for something else and that there's more going on. And in that case, shifting the focus would then allow things to happen in other places or in relation to these attacks that would be different than what they were trying to achieve before. Again, that's speculation, just a potential that could be happening based on thinking about what an adversary could be doing.
KITTEN: Has there been any evidence to suggest that fraud is being attempted while these attacks occur?
STEWART: There's always the potential for that, and that's one of the things that could be going on here. It's hard to know without hard evidence inside the institution, and so I don't have any firsthand knowledge; but I think it's a real possibility and could be part of why these things could be more of a diversionary tactic.
KITTEN: What about evidence to suggest that these hacktivists are not working alone?
STEWART: There's always potential for a nation-state engagement in cyber issues, and that's a question you have to ask yourself anytime you see an attack on a greater scale and/or of greater sophistication. It's hard to know that. It's hard to know with certainty; but there are certainly some indicators that would at least allow for speculation around that as a potential.
Reacting to Pause
KITTEN: How did financial institutions react to the claims about pausing the attacks?
STEWART: What I think most folks are doing is they're working pretty diligently to not let their guards down. Through these attacks, one of the benefits, if you will, of the recent attacks is they raised visibility of some needs to continue to be diligent and enhance our cybersecurity infrastructure and capabilities. Most of the institutions that we have relationships with are using this as an opportunity to continue to push forward with their capabilities, to continue to improve and put the capabilities and processes in place to mitigate things like this attack and other issues that we're all aware of in cyberspace around our credible infrastructures.
Advice to Organizations
KITTEN: What advice can you offer to institutions out there about how they should prepare?
STEWART: It's hard to have specifics around this kind of thing because there are just so many things that an adversary could do next. But, for certain, there's a real opportunity here to do the kinds of things I've mentioned. As a community, what's happened here is we've really seen yet again another issue that has heightened awareness around the challenge of cybersecurity and the challenge of protecting our credible infrastructures. The top-level advice is to use this as an opportunity to relook at those strategies and plans that you have in place, and then also to build a case for continuing to invest and continuing to provide the level of diligence needed to protect our credible infrastructures and protect our businesses in ways that allow us to continue to operate in what, at times, is a very difficult environment.