DDoS: The Need for Updated DefensesLessons Learned from a Year of Attacks Against Banks
Despite the recent lull in al-Qassam Cyber Fighters' distributed-denial-of-service attacks against U.S. banks, Doug Johnson of the American Bankers Association and Bill Nelson of the Financial Services Information Sharing and Analysis Center warn banks to avoid complacency, noting that DDoS attacks, whether waged by al-Qassam or some other group, pose an ongoing threat.
Johnson says banking institutions should keep their attention focused on adequate attack preparation, information sharing and risk mitigation.
"I don't think you ever assume that attacks are not going to continue," he says during an interview with Information Security Media Group [transcript below]. "It's [about] being dynamic and having perpetual evaluation of how those threats are coming into our institutions."
Moving forward, institutions should remain on the alert and ensure that they have proper information sharing mechanisms and defenses in place, Johnson and Nelson say.
"We need to be continually engaged with the parties that are providing those services to us to ensure that they have the right risk management process, which means perpetually understanding how the environment is changing and putting in new threat mitigation measures as a result," Johnson says.
DDoS preparedness requires planning and collaboration, Nelson says. "All of these strategies are outlined in the FS-ISAC DDOS Threat Viewpoint that was actually updated three times in the last year, as these tactics changed," he says. "It's made available to all FI [financial institution] members of the FS-ISAC. We've also, through our association members like the ABA and other associations, made it available to members of other organizations. And we're working with the regulators to make sure it gets out to other sectors.
During this interview, Nelson and Johnson discuss:
- What the industry and government have learned about al-Qassam;
- Why leaders of community banks are taking greater interest in DDoS attack mitigation; and
- What emerging cyberattack threats are on the horizon.
Nelson is the president of the Financial Services Information Sharing and Analysis Center, also known as FS-ISAC. Before joining the FS-ISAC, a non-profit association dedicated to protecting financial services firms from physical and cyber-attacks, Nelson was elected vice chairman of the ISAC Council, a group dedicated to sharing critical infrastructure information. From 1988 to 2006, he served as executive vice president of NACHA - The Electronic Payments Association.
Johnson leads the ABA's enterprise risk; physical and cyber security; business continuity; resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues. And he serves on the BITS/Financial Services Roundtable Security Steering Committee.
Industry Reaction to DDoS Attacks
TRACY KITTEN: What can you tell us about the industry's reaction to the first waves of attacks, which hit in September 2012?
BILL NELSON: We realized early on that these DDOS attacks were different; they weren't like others we had seen. They were directed against multiple financial institutions. They were not one-off type events. They were actually sustained over days; and then, as it turned out, weeks. It was not like a DDoS we had ever seen before. We realized quickly that we needed to stand up an incident response team to this new DDoS threat. I think the reaction was actually very effective. This DDoS response team really demonstrated how effective information sharing can be. I heard one bank give a presentation on the benefit they saw, because you literally had dozens of other allies helping you, as you were being attacked, with advice, best practices and how to react to certain new types of tactics that they were using.
DOUG JOHNSON: One of the things that I've really been impressed with is that level of collaboration Bill spoke of; because it's not just about this particular set of cyber-attacks. It's about the broad number of DDoS attacks which the industry has been suffering from a variety of parties. A lot of times it's less about attribution than it is about what the nature of the attack is. When we saw, for instance, community banks being attacked, or when the ISAC saw the community banks being attacked, we were able to provide those resources to anybody that was suffering that kind of an event. I think that's very impressive to the community banks that were able to benefit from that. Also, their third-party service providers are a part of that as well. Absent that infrastructure, I think it really does make it difficult for banks to be able to get the lessons learned from the attacks that have occurred against financial institutions.
al-Qassam Cyber Fighters
KITTEN: What have learned about al-Qassam over the last year?
NELSON: Members of Congress actually have publicly raised the question of whether this is really a hacktivist group or whether it's somehow connected to the Iranian government. Obviously, if it's the latter, that's more of a question for our government and something that we in the financial sector really can't address. But we did learn that they had sophisticated capabilities, much more sophisticated than what we've seen from other hacktivist groups, like Anonymous, or from criminal DDoS activities that try to hide account takeover.
JOHNSON: To think about that from the community-bank perspective, it's really always less about that attribution. It's really about seeing the level of sophistication of the attacks increases, and Bill described. But everybody in the environment had access to that information, and that's why we're so interested in ensuring that the FS-ISAC has the capability to do that across the entire infrastructure. We don't assume that institutions have that information, and we think, in some cases, redundancy is good. But I think that just the very fact that the FS-ISAC has over 4,200 individual institution members now allows us to really have broad coverage as those attacks get more sophisticated.
Enhancing Mitigation Strategies
KITTEN: How would you say that financial institutions have progressively enhanced their mitigation strategies as well as their capabilities?
NELSON: DDoS preparedness really requires a plan and that includes ... hardware, making sure you have sufficient bandwidth, ISP collaboration established up-front, botnet DDoS mitigation service, remote redundancy and a whole bunch of other tactics. All of these strategies are outlined in the FS-ISAC DDOS Threat Viewpoint that was actually updated three times in the last year, as these tactics changed," he says. "It's made available to all FI [financial institution] members of the FS-ISAC. We've also, through our association members like the ABA and other associations, made it available to members of other organizations. And we're working with the regulators to make sure it gets out to other sectors.
JOHNSON: I think that the dynamic nature of the viewpoint has been extremely important as far as change, and it's also provided us with a tool that assists the third-party Internet-banking service providers, the other Web-hosting services and other entities that really have a very important role as we think about DDoS. One of the things that we focus on is the fact that a denial-of-service attack against, for instance, a web-hosting environment for a large number of institutions can impact not just that institution, but also the other institutions that are part of that web-hosting environment. What we want to do is ensure that those environments have those same tools so that not only can they protect themselves, but the customers of those providers know what questions to ask in terms of how they're protecting the environment. I think having those things like what you pointed are very important to accomplish that.
KITTEN: What more would you say needs to be done to ensure that all banking institutions, even those that aren't members of the FS-ISAC or the ABA, are properly enhancing their defenses?
JOHNSON: It takes the ability to make sure that the institution has the ability to ask the right questions of the folks that are providing them those services. As those questions change and as the threat changes, they [should] continually stay at that, because it's a dynamic process; it's not a one-off. It's recognition, because the threat environment over the course of the last year has been substantially different than it was previous to that. We need to be continually engaged with the parties that are providing those services to us to ensure that they have the right risk management process, which means perpetually understanding how the environment is changing and putting in new threat mitigation measures as a result. What we assume is that redundancy is good there so, to the extent that we have the authority to do so, we ensure that the kind of resources that the FS-ISAC has are available on the members-only side of our website as well. We encourage every other accredited association to do that and actively engage their membership and those that provide services to that membership.
NELSON: We heard from one institution that was attacked that they had those documents. They were able to actually prepare a business resilience plan for this new type of DDoS. When it actually occurred, they were ready. In fact, they said they couldn't have done it without that information, so it does work.
Lessons Learned from Past Strategies
KITTEN: From your perspective, what would you say over the last year the industry has learned as far as the mitigation strategies that work the best?
NELSON: [It's] looking at your hardware; your bandwidth; making sure you have the ISP collaboration set up, the remote redundancy; having DDoS mitigation providers that you can turn to. It's setting it up in advance, not just waiting to see your name on a Pastebin announcement and all of a sudden you're being attacked. If you're prepared, you'll be ready. Most of the stuff that we do produce though we make available to the members, but we don't produce on a public site.
JOHNSON: Going on what Bill was saying, what we have is recognition that it takes a variety of levels of defense in order to counteract these threats, and those levels of defense change as the threat changes. That really gets back to what I think is really important. I'll use an anecdote that's not associated with the Cyber Fighters, but with the more recent OpUSA exercise over the Labor Day weekend (see OpUSA: A Lackluster DDoS Operation).
As you know, there were a variety of large financial institutions that were targeted, but there were also some community banks that were targeted as well. What was really powerful was the fact that I could take the information about where the attacks were coming from, entry points the attack was going to, what tool kits were being utilized, and I could essentially provide that to the community bank that was being attacked directly after those other larger banks were being attacked. They were not currently members of the ISAC and so they were just exceedingly impressed with their ability to get that information at the time that they were notified the attack was going to occur. And rather than telling them that the attack was going to occur, we were also able to get them in contact with the folks that would directly engage them with institutions associated with that attack so they had the real-time availability of large bank practitioners to be able to predict their environment. I think that's very powerful.
Analyzing Phase 4
KITTEN: Going back to al-Qassam specifically, would you say that this phase is over?
NELSON: It's really up to them whether it's over or not, but I think it's too early to tell.
JOHNSON: I don't think you ever assume that attacks are not going to continue to occur, and it goes back to some of the points that Bill has made about being dynamic and having perpetual evaluation of how those threats are coming into our institutions. That's what the ISAC is all about frankly, to provide that 24/7 watch for that environment and to allow and give the institutions the capacity to report that centrally so you can report it out to the industry generally. I don't think you ever say that a particular attack vector is over.
KITTEN: Have their attacks exceeded their proverbial shelf-life?
NELSON: That's a question you have to ask al-Qassam Cyber Fighters. We hope they have run their course, but that's entirely up to the persons that have launched these attacks. I agree with Doug; we have to continue to prepare for more if that happens.
KITTEN: Do you think al-Qassam will partner with other hacktivist groups such as the Syrian Electronic Army?
NELSON: The Syrian Electronic Army supports the cyber-regime of Syria, and al-Qassam, because of their Iranian connection, whether that's formal or informal - I don't know if they're political hacktivists or whatever - theirs seems to be government brand that really seems to support the insurgence in Syria. I don't see them banding together.
JOHNSON: I think that from what I'm hearing from our bank leadership and particularly our community bank CEOs that are increasingly becoming engaged in this issue, they really would be less interested in whether or not there's a combination of forces than what that ended up looking like. It's less about attributions than it is about what these attacks look like so we can put proper mitigation in place. That's typically what I think we focus on as opposed to the attribution, and I think that's consistent frankly with the kind of information that we need from government, because when we're talking about the kinds of things we need from government, we don't necessarily need attribution. We need to know what it looks like. That's our purpose.
KITTEN: What about some of the risks that these DDoS attacks could pose where cybercrime comes into play or fraud linked to these attacks?
NELSON: That's hypothetical. I think nothing is a certainty. There's always a possibility that it can occur, but we have not seen that to date.
JOHNSON: I agree with Bill, but at the same time, we do have to be watchful of the extent to which that does combine, because in the community bank environment we have had cyber-attacks that combined DDoS with some kind of account takeover or other type of economic crime activity. One of the things that could happen at the customer level is, because they know that DDoS attacks have occurred, when they see one of those screens that come up in concert with an electronic crime that says the system is down when it's really not because essentially a session has been hijacked, they just assume that this is a DDoS attack against their institution. And they don't do what we always tell the customer to do, and that's contact the institution to ensure that the institution is in fact going through a denial-of-service attack, that the system is in fact down and that they're ensuring that they know what the actual activity at the institution is.
FS-ISAC's Ongoing Role
KITTEN: We've talked about information sharing, but can you explain the ongoing role that the FS-ISAC will be playing?
NELSON: The one thing is we'll continue to keep that DDoS threat mitigation tool kit updated. As I said earlier, it's been updated three times in the past year. As we see new techniques used, we'll get them out to the membership right away and update that. This is really valuable to prepare to mitigate the risk, not just from these DDoS attacks from al-Qassam but also other types of DDoS attacks: criminal ones and things we see from Anonymous. That's probably our lead role when it comes to DDoS mitigation.
JOHNSON: I'm very proud to be a member of the FS-ISAC board, and one of the primary reasons why we at ABA do that is to ensure that we can continue to drive a financial institution toward FS-ISAC membership. As I said before, I think it's just real impressive that the FS-ISAC has grown from essentially a "Big Boys' Club" of 60-or-so institutions to over 4,200 the members of this particular juncture. That just demonstrates the maturity of the ISAC. We have more work to do in terms of gaining additional membership, both domestically as well as internationally.