Next DDoS Targets: Community Banks
Neustar's Rodney Joffe on Why Smaller Institutions Must Bolster Defenses
DDoS attacks on U.S. banks will continue, and community institutions may well be the next major targets. Rodney Joffe of Neustar offers tips on how smaller institutions can assess and mitigate DDoS risks.
Since the hacktivist attacks on banks began in Sept. 2012, the attackers have perfected their techniques of disruption and distraction, Joffe says. These techniques aren't lost on cyber criminals, who he says will now turn the same tactics on smaller banks and credit unions, which lack the defenses and resources of the larger institutions.
"Within the last month or two, we've begun to see activities that show us that the criminals are starting to use the same kinds of capabilities for what they're doing," Joffe says. "By definition, those criminals are going to cause more of a problem for the smaller banks because that's ultimately the source of funds they go after when they attack local companies."
In an interview about DDoS threats and defenses, Joffe discusses:
- Why community banks must consider themselves the next targets;
- How organizations can make themselves less attractive to attackers;
- How to minimize the impact of a DDoS attack.
As SVP & Senior Technologist at Neustar, Joffe is responsible for defining and guiding the technical direction of the company's Neusentry security offering, as well as heading the company's cybersecurity initiatives. Joffe joined Neustar in 2006 after its acquisition of UltraDNS Corporation, a directory services company he founded in 1999. Prior to founding UltraDNS, Joffe was the founder and CTO of Genuity, one of the largest Internet Service and Hosting Providers in the world.
Types of DDoS Attacks
TOM FIELD: To start out with, tell us a little bit about the two distinct types of DDoS attacks that we've seen against financial institutions in recent months?
RODNEY JOFFE: We talk about two different types of DDoS attacks. What it really means is that there are two different objectives within the DDoS attacks. The first one is designed to disrupt. These are the DDoS attacks we've seen over the last eight or nine months, specifically from a group called Izz ad-Din al-Qassam Cyber Fighters. They have been targeting financial institutions, and it appears to be designed to disrupt their ability to do business, but not to the extent that it actually puts them out of business. It has been quite interesting in the way that it has evolved over time, because in each case they had done just enough to disrupt, but not enough to actually disable the banks.
The other type of DDoS that we see, or the other objective, is one that's designed to interrupt the ability for banks to do business, and even within that there are a couple of different things. There have been [DDoS attacks] that were designed to actually stop banks from being able to do business, and they were probably hacktivist-based or, perhaps, someone that had a beef with a bank.
The second kind within that category is the one that was designed to stop victims of financial crime, corporate victims, from being able to identify the fact that they're actually having funds taken out of their accounts. In those cases, there was a prior attack with malware, which compromised systems within those companies, typically a controller in the company or whoever has access, to being able to make transfers or set up transactions in that company's banking account. What happens is that their system gets compromised when the treasurer, the controller or whoever it is in the company goes ahead and makes transfers, typically, by the way, in payroll accounts, and sets up payroll for let's say a Thursday evening. The criminals behind it will actually go in during the same session, connect to the bank via the compromised system, make transfers to their own mules or their own accounts or abroad.
Then, what they do is they launch a DDoS attack that makes sure that if the controller or if the victim attempts to log into their bank account to check on the status of either balances or to make sure that the payroll is going through, they have difficulty connecting to the bank. This is an attack that actually goes against the bank's website that's designed to cause a problem for the bank's customer, not the bank. There's obviously collateral damage that occurs because no one can get through to the bank, and the victim in this case is not the bank. It's actually the customer.
These are the two main of the three sub-groups of DDoS attacks that have really been an issue mostly for large banks when it comes to al-Qassam, but the financial attacks designed to attack bank customers are more likely to occur with the smaller companies that are more likely to do business with a bank, local banks or credit unions.
Community Banks: Next Targets
FIELD: That's a point I wanted to pick up on, because to this point we have seen the attacks against larger institutions. My question is: Why must the community banks and credit unions now accept that they could be the next big financial targets?
JOFFE: One thing that we've seen with consistency over the years is that criminals are more than happy to teach each other or learn from each other. What has happened with the attacks against the larger banks is a new mechanism, a new way of actually launching DDoS attacks, has been perfected over the last eight or nine months by the al-Qassam Cyber Fighters. It hasn't been lost on the criminals. The criminals have been watching exactly how the al-Qassam Cyber Fighters have been able to modify their attacks to adjust them to overcome the defenses that are being developed almost on the fly by the banks and by the service providers that protect those banks. The criminals have watched it and then, [over] the last month or two, we began to see activities that show us that the criminals are now using the same kinds of capabilities for what they're doing. By definition, those criminals are going to cause more of a problem for the smaller banks because that's ultimately the source of the funds that they go after when they attack local companies.
Level of Preparation
FIELD: How would you rate these smaller institutions' current level of preparation for DDoS?
JOFFE: If you were to ask me the question six months ago, I would have said that they're quite poor. The smaller banks really don't have the resources. They don't have the experience, and they don't have the exposure. But over the last six months, I think that many of them have gotten religion. They have really understood the real threat. Most of them have been concerned that they would become targets, interestingly enough, of the al-Qassam Cyber Fighters. In the conversations that I've had with smaller banks and credit unions that come to me for advice, it shows that they really have been looking at attacks against the larger banks, although the first three or four months they just assumed that it wouldn't be them.
Then, as there has been more awareness in the banking community, they've started to be much more concerned about al-Qassam Cyber Fighters. That obviously is going to stand in good stead when they have to deal with the attackers, the small financial frauds, the wire transfers and so on out of smaller companies.
However, while they've become much more aware, they really haven't prepared fully for the extent of those attacks. Remember that the al-Qassam Cyber Fighters had originally designed their attacks to disrupt in a limited way, but not to actually disable. The criminals have a different objective. Their objective is to make sure that no one can get through, and so their attack's going to be much more of a problem, and I think that the smaller banks are not going to have prepared sufficiently for a full-blown attack. They're going to prepare like most banks are for these limited attacks from al-Qassam Cyber Fighters. We have seen some banks come to us, and we have them now on some of our systems to solve those problems, but it's a very, very small percentage. There are still thousands of local banks and credit unions that I think are unprepared and unprotected, certainly with some of the monitoring that we do. As a global infrastructure company, we tend to see activities, we monitor, and we haven't seen major changes in the way that the smaller banks are really setting up their infrastructure.
Becoming a Less-Attractive DDoS Target
FIELD: It's clear that any institution can be a target, but how can one make itself a less-attractive DDoS target?
JOFFE: The first thing that's going to happen, when we talk about banks and credit unions, the major target vector that they're going to have to face is going to be these fraudulent bank transfers as a result of the malware, more specifically Zeus, SpyEye and something known as Citadel. What they first will be doing is trying to educate customers, educate staff and set up internal systems that monitor for indicators that this kind of malware campaign is going on.
But beyond that, there are things that they can do that will make it more difficult and less desirable. The first is to begin to put systems in place that at least defend the internal systems from the attacks, things like intrusion detection systems, intrusion prevention systems and firewalls. There are some technologies available in the routers to allow them to use what are called ACLs, or access control lists, and that will provide a first line of defense. But that's why if you can keep them up only for a few seconds, it's going to allow them to get maybe a bit of a breathing space before the campaign is launched.
Once they have that in place, what they want to be doing is making it visible to anyone on the outside that they've employed third-party organizations that specialize in defending. I guess the best way to describe this in terms of everyday activities is the typical burglar. When he walks down a suburban street, he's not going to choose the house that has the high walls, burglar alarms and the dogs. He's going to choose the house that has no gate, appears to have windows that have no alarms and bars on them, maybe even that are left half-opened. For the opportunistic kind of criminal, that makes a difference.
The equivalent of that in the cyberworld is when criminals actually have a look at targets. What they'll look at is how the bank's infrastructure is set up. They'll look to see whether there's a third-party DNS provider, for example, one that's able to withstand large attacks. They'll perhaps do some testing, believe it or not, and see if the connectivity for a bank's website switches over to a CDM or perhaps to a DDoS mitigation company like ours. They know what to look for, they understand historically, and if they see those things in place they're much more likely to look for another target, a much softer target, and only come back to this target if there aren't any other good ones left. Those are some of the things that the bank can do to actually make themselves look less attractive.
Minimizing Attack Impact
FIELD: In the event that a smaller institution is struck, what can it do to minimize the impact upon the institution and the customers?
JOFFE: Great question, and there are some things that can be done. Obviously, the most logical thing to do is to prepare in advance. One of the toughest things is to try and solve the problem when you're in the middle of the problem. If you have the ability and you have the time to prepare, the best thing you can do is put things in place so that when you do get attacked - and mark my words, as you said, no one is exempt from being attacked; at some point everyone is going to be attacked by someone - what you really want to be doing is thinking about how you prepare in advance.
Among the things that you would do is make sure that you have a third-party provider online so that when the attack occurs, you can relatively quickly switch your resources to third-party providers. This is one way of obviously making sure that you have the resources to be able to survive certain levels of attack. The second thing you want to do is to have a communication process in place. Make sure that you have ways of letting your customers know that they need to go to Plan B for banking. One of the worst things in the world is for an organization to be attacked and for customers to not be able to get any kind of information that tells them, number one, what's going on; number two, gives them a sense of comfort that it's actually being dealt with; and number three, gives them some mechanisms or some paths to use in order to continue their business.
From a banking point of view, it would be letting customers know in advance, if for any reason they're unable to reach the website, to call in a local phone number or an 800 number and do your banking by phone. If you're able to get through on the phones, make sure that the banks have a plan in place that allows them to bring part-time tellers in or emergency crews in, because what's going to happen is people will come down to the bank in order to do their banking. The things you hope they don't do are come down to the bank and take all their cash out. That's something that we obviously see as a worst-case scenario. But if you actually have the resource and you have the support, people are going to continue to bank with the bank. They're not going to pull their funds out if they feel that in an emergency they have a way of getting access to it. That's one more thing that I would do.
Assessing Level of Preparation
FIELD: What can institutions be doing right now to assess their own level of preparation for DDoS?
JOFFE: There are a number of reports that are available. As a company, we have some data that will give people methods of being able to look at their ability to withstand attacks based on bandwidth. If a bank has connectivity, there are a number of ways of looking at the amount of bandwidth, understanding the kinds of DDoS and then assessing whether the bandwidth that they have in place or the mechanisms they have in place are useful.
The second thing is to actually practice, which is, at a given time or maybe temporarily replicating their infrastructure, to go ahead and have those dry runs or those drills. Understand what the limitations of existing systems are and where the weak points are, and then begin to actually shore up those weak points, whether it's the DNS infrastructure. The web infrastructure is something I would expect most banks would afford.
But amongst the things they will discover - one of those things you only discover after your first attack - is that most banks have all of their resources on the same connection. The website, DNS servers, payment gateways, as well as the staff access and the VPN connections, are probably on the same circuit that's connected to the local ISP. In many of these DDoS attacks, those pipes or that bandwidth is fully saturated. If it's saturated in a case of an emergency, the banks are going to find it very difficult to have third-party systems actually engage. There will be no way for employees who might be at home, for example, to be able to VPN in remotely, because that VPN connectivity is shared with the website which is attacked.
In these exercises or in the preparation, the banks should be looking at how the various services connect to them. If they connect on the circuit, they should begin to look at splitting some of them off so that, in an emergency, when the most logical thing, which is the website, is being attacked, the other services are still available to either mitigate the attack or to conduct business.
Mistakes to Avoid
FIELD: What lessons can we draw from other institutions that have been through DDoS? In other words, what mistakes must the community institutions now avoid?
JOFFE: The largest one is to avoid the belief that what you have in place already is sufficient. When we look at the attacks from the al-Qassam Cyber Fighters, the largest banks in the world were attacked, and those banks for many years have put lots of resources and lots of money into actually protecting themselves from large-scale attacks of all kinds. What they discovered was that no matter how much you put into it upfront, the chances are if there's a concerted attack, your resources aren't going to be sufficient. What you have to have is the ability to call on outside resources that are specialized and have the ability to help you. That's the first and I think the biggest thing.
The next thing that organizations need to think about - something that we learned certainly over the last seven or eight months, we've been aware of it, worked on it over the years and really proved the mechanism over the last six or eight months - is the concept of sharing information, even with your competitors. One of the things that companies believe intrinsically is that the last thing in the world you want to do is share information about an attack or failures with competitors, because your competitors are going to jump on it and they're going to use it against you. As it turns out, with the nature of these attacks and the fact that the attacks target everyone, the best thing you can do is actually share information with your competitors because you may not be the first one to actually spot the problem. They may spot the problem. If they prepare to share information with you that helps you protect yourself, you probably are going to be expected to share information with them, and it's going to become a process that exists across your industry.
At the end of the day, all of you will come out in exactly the same position. In other words, you all have helped each other, number one, and, number two, you would have avoided your industry from getting a black eye. People lose faith not just in companies but they also lose faith in processes of industries. In the banking industry, it's a real issue and I don't know how many banks realize that. Certainly, the large banks now realize it, but I don't know if the small banks do. If people start to lose faith in the banking industry, the economy as a whole is going to suffer significantly. What you really want to be doing is making sure that both you and your competitors are sharing information about the profiles and the kinds of attacks, because if you weren't the company attacked today you will probably be the company attacked tomorrow using the same technique.