4 things banks need to know about DDoS attacks

Artwork by Janis Dei Abad

By Avi Rembaum and Daniel Wiley, Check Point Software Technologies

To cope with an increased number of large distributed denial of service attacks, banks must not only have plans in place – they should consider a broad set of defensive tools that combine on-premise technologies and cloud-based scrubbing services.

Financial institutions have been battling waves of large distributed denial of service (DDoS) attacks since early last year. Many of these attacks have been the work of a group called the Qassam Cyber Fighters (QCF), who until recently posted weekly updates on Pastebin reminding readers of the reasons for their efforts and summarizing Operation Ababil, their DDoS campaign.

Other hacktivist groups have launched their own DDoS attacks and targeted financial services institutions with focused attacks on web forms and content. There have also been reports of nation-state-organized cyber assaults on banks and government agencies, along with complex, multi-vector efforts that have combined DDoS attacks with online account tampering and even fraud.

The past year-and-a-half shows hacking activity that consistently increases in intensity and evolves regularly. The recent incidents against banks of all sizes have shown that there are many kinds of DDoS attacks: traditional SYN and DNS floods, DNS amplification, and application-layer and content-targeted methods. Denial of Service (DoS) activity aimed at SSL-encrypted web page resources and content is an additional challenge, since the defender has to decrypt the traffic before it can inspect it. In some instances, the adversaries have moved to a blended form of attack that pairs harder-to-stop application-layer methods with “cheap,” high-volume attacks that can be filtered and blocked through simpler means.

To cope with this level of malicious activity, CIOs, CISOs, and their teams need to have a plan in place and consider a broad set of defensive tools that combine on-premise technologies and cloud-based scrubbing services. They must also begin to explore and ultimately implement intelligence gathering and distribution methodologies that help lead to a comprehensive DoS mitigation strategy.

1. Have a scrubbing service or similar cleaning provider to handle large volumetric attacks.

The volumes associated with DDoS activity have reached a level where 80 Gbps of DDoS traffic is a normal event, and there are reports of attacks in the range of 300 Gbps. Few, if any, organizations can maintain enough Internet bandwidth to absorb attacks of this size, so the first thing an organization facing one needs to consider is routing its Internet traffic through a dedicated cloud-based scrubbing provider that removes malicious packets from the stream. These providers are the first line of defense for large volumetric attacks: they have the tools and bandwidth to clean network traffic so that DDoS packets are stopped in the cloud and regular business-as-usual (BAU) traffic is allowed through.

2. Have a dedicated DDoS mitigation appliance to identify, isolate, and remediate attacks.

The complexity of DDoS attacks and the tendency to combine volumetric and application methods require a combination of mitigation methods. The most effective way to cope with the application-layer and “low and slow” elements of these multi-vector attacks is to use dedicated on-premise appliances. Firewalls and intrusion-prevention systems remain critical to the mitigation effort, and DDoS security devices add a further layer of defense through specialized technologies that identify and block advanced DDoS activity in real time. Administrators can also configure their on-premise devices to communicate with the cloud scrubbing provider so that traffic is automatically diverted to the scrubbing center when an attack is detected and routed back once it subsides.
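The diversion decision described in items 1 and 2 is worth seeing as logic rather than as a sentence. The following is an added example, not code from the article or from Check Point: it models when an on-premise appliance should signal the scrubbing provider to take over ("route away") and when to take traffic back. The 1 Gbit/s link, the thresholds, and the per-second samples are assumptions chosen for illustration; the actual signalling (a BGP announcement or a provider API call) is left to two callbacks.

```python
"""Deciding when to divert traffic to a cloud scrubbing provider.

Added example, not code from the article or from Check Point. Link capacity,
thresholds and the interval samples are assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Optional

MBIT = 1_000_000


@dataclass
class IntervalSample:
    """Inbound traffic observed during one measurement interval."""
    bits: int
    packets: int
    syn_packets: int        # TCP segments with only SYN set
    seconds: float = 1.0

    @property
    def bps(self) -> float:
        return self.bits / self.seconds

    @property
    def syn_share(self) -> float:
        return self.syn_packets / self.packets if self.packets else 0.0


class DiversionController:
    """Divert after `sustain` hostile intervals in a row; restore only after
    `sustain` quiet intervals in a row. The gap between the divert and restore
    thresholds (hysteresis) stops the route from flapping on every burst.

    Caveat: once traffic is diverted the on-premise link only sees cleaned
    traffic, so the samples fed in while diverted must be the provider's
    pre-scrub measurements (assumed to be available here)."""

    def __init__(self, link_bps: float, on_divert: Callable[[], None],
                 on_restore: Callable[[], None], divert_fraction: float = 0.7,
                 restore_fraction: float = 0.3, sustain: int = 3,
                 syn_share_limit: float = 0.5) -> None:
        self.divert_bps = link_bps * divert_fraction
        self.restore_bps = link_bps * restore_fraction
        self.syn_share_limit = syn_share_limit
        self.sustain = sustain
        self.on_divert, self.on_restore = on_divert, on_restore
        self.recent: deque = deque(maxlen=sustain)
        self.diverted = False

    def is_hostile(self, s: IntervalSample) -> bool:
        # Volumetric: the link is near saturation, whatever the packets contain.
        # SYN flood: bandwidth may be modest, but a SYN-dominated mix means the
        # state tables behind the link are what is under attack.
        return s.bps >= self.divert_bps or s.syn_share >= self.syn_share_limit

    def is_quiet(self, s: IntervalSample) -> bool:
        return s.bps <= self.restore_bps and s.syn_share < self.syn_share_limit

    def observe(self, s: IntervalSample) -> Optional[str]:
        """Feed one interval; return "divert", "restore" or None."""
        self.recent.append(s)
        if len(self.recent) < self.sustain:
            return None
        if not self.diverted and all(map(self.is_hostile, self.recent)):
            self.diverted = True
            self.recent.clear()
            self.on_divert()
            return "divert"
        if self.diverted and all(map(self.is_quiet, self.recent)):
            self.diverted = False
            self.recent.clear()
            self.on_restore()
            return "restore"
        return None


def example_scenario() -> List[IntervalSample]:
    """Constructed 1-second samples on an assumed 1 Gbit/s link."""
    normal = IntervalSample(bits=200 * MBIT, packets=200_000, syn_packets=5_000)
    flood = IntervalSample(bits=850 * MBIT, packets=1_200_000, syn_packets=100_000)
    quiet = IntervalSample(bits=150 * MBIT, packets=150_000, syn_packets=4_000)
    # two normal intervals, three flood intervals (divert on the third), two
    # intervals the provider still reports as hostile, three quiet intervals
    # (restore on the third)
    return [normal] * 2 + [flood] * 3 + [flood] * 2 + [quiet] * 3


def run_scenario(samples: List[IntervalSample],
                 link_bps: float = 1000 * MBIT) -> List[Optional[str]]:
    """Return the controller's action for each sample, in order."""
    signalled: List[str] = []
    ctl = DiversionController(link_bps, lambda: signalled.append("announce"),
                              lambda: signalled.append("withdraw"))
    return [ctl.observe(s) for s in samples]


if __name__ == "__main__":
    for i, action in enumerate(run_scenario(example_scenario())):
        if action:
            print(f"interval {i}: {action}")
```

Two design points matter more than the specific numbers. A single burst never triggers diversion, because the route change itself is disruptive and the provider needs time to converge; and the restore threshold sits well below the divert threshold so that an attacker who modulates volume around one line cannot make the route flap. The SYN-share test is there because a SYN flood can exhaust a firewall's connection table long before it fills the link.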

3. Organizations need to tune the firewall to handle large connection rates.

The firewall will also be an important piece of networking equipment during DDoS attacks. Administrators should adjust their firewall settings so that the device recognizes and handles volumetric and application-layer attacks, for example by raising connection-table limits, shortening the timeout for half-open connections, and enabling SYN-flood protections such as SYN cookies. Depending on the capabilities of the firewall, further protections can be activated to block DDoS packets and preserve firewall performance while under attack.

4. Develop a methodology, or a strategy, to protect applications from DDoS attacks.

Security technologies provide robust protection against DDoS activity, but administrators should also think about tuning their web servers and modifying their load balancing and content delivery strategies to ensure the best possible uptime. Also relevant are safeguards against repeated log-in attempts from the same source. Another interesting approach is to block machine-led, automated activity by inserting web pages with offer details, such as opportunities for interest rate reduction or information on new products, so that users must click an “accept” or “no thanks” button in order to continue deeper into the website content. Content analysis is also important. This can be as simple as ensuring there are no large PDF files hosted on high-value servers, because a handful of requests for one large file can consume as much bandwidth as thousands of ordinary page views.
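The three measures in item 4 translate into small pieces of decision logic at the web tier. The following is an added example, not code from the article or from Check Point: a per-source throttle on login attempts, a click-through offer page that issues a token automated clients will not obtain, and a scan of access logs for heavy objects served from high-value hosts. The paths, thresholds, cookie name and log lines are constructed for illustration.

```python
"""Application-layer DDoS guards for an online banking site.

Added example, not code from the article or from Check Point. Paths,
thresholds, the cookie name and the log lines are constructed.
"""
import re
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

LOGIN_PATH = "/login"                       # hypothetical paths
OFFER_PATHS = {"/offer/accept", "/offer/decline"}
OPEN_PATHS = {"/", "/offer", LOGIN_PATH}    # reachable without the challenge
CHALLENGE_COOKIE = "offer_ack"


@dataclass
class Request:
    src: str
    path: str
    method: str = "GET"
    cookies: Dict[str, str] = field(default_factory=dict)


class LoginThrottle:
    """Sliding-window cap on login POSTs per source address."""

    def __init__(self, limit: int = 5, window_s: float = 60.0) -> None:
        self.limit, self.window_s = limit, window_s
        self.attempts: Dict[str, deque] = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        q = self.attempts[src]
        while q and now - q[0] > self.window_s:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ChallengeGate:
    """Deep content needs a token that is only issued when the offer page is answered."""

    def __init__(self) -> None:
        self.issued: Set[str] = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(16)
        self.issued.add(token)
        return token

    def valid(self, token: str) -> bool:
        return token in self.issued


class Gatekeeper:
    """Front-door decision for each request: serve, challenge or throttle."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.throttle = LoginThrottle()
        self.gate = ChallengeGate()

    def handle(self, req: Request) -> str:
        if req.path == LOGIN_PATH and req.method == "POST":
            return "serve" if self.throttle.allow(req.src, self.clock()) else "throttle"
        if req.path in OFFER_PATHS and req.method == "POST":
            # either button counts: the point is that a human clicked something
            return "ack:" + self.gate.issue()         # caller sets CHALLENGE_COOKIE
        if req.path in OPEN_PATHS or req.path.startswith("/static/"):
            return "serve"
        if self.gate.valid(req.cookies.get(CHALLENGE_COOKIE, "")):
            return "serve"
        return "challenge"                            # caller redirects to /offer


# Apache "%v %h %l %u %t \"%r\" %>s %b" (vhost combined) lines
LOG_RE = re.compile(r'^(?P<host>\S+) (?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')

SAMPLE_LOG = """\
online.bank.example 203.0.113.7 - - [10/Mar/2013:10:00:01 +0800] "GET /login HTTP/1.1" 200 5120
online.bank.example 203.0.113.7 - - [10/Mar/2013:10:00:02 +0800] "GET /docs/annual-report.pdf HTTP/1.1" 200 48234112
www.bank.example 198.51.100.4 - - [10/Mar/2013:10:00:03 +0800] "GET /brochure.pdf HTTP/1.1" 200 12000000
online.bank.example 203.0.113.9 - - [10/Mar/2013:10:00:04 +0800] "GET /static/logo.png HTTP/1.1" 304 -
""".splitlines()   # constructed sample, not real traffic


def heavy_objects(lines: Iterable[str], high_value_hosts: Set[str],
                  max_bytes: int = 1_000_000) -> List[Tuple[str, str, int]]:
    """Objects above max_bytes served from high-value hosts: a few requests for
    one of these cost as much bandwidth as thousands of ordinary page views."""
    biggest: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["bytes"] == "-":
            continue
        size = int(m["bytes"])
        key = (m["host"], m["path"])
        if m["host"] in high_value_hosts and size > max_bytes:
            biggest[key] = max(size, biggest.get(key, 0))
    return sorted((h, p, b) for (h, p), b in biggest.items())
```

The login throttle keys on source address, which a distributed botnet spreads across thousands of sources; it is there to stop a single machine from hammering the authentication backend, not to stop a flood on its own. The challenge gate is cheap to check and expensive for a script to satisfy, which is the asymmetry the “accept”/“no thanks” page is meant to create. The log scan is the kind of content analysis the text recommends: run it against the high-value hosts and move whatever it finds onto a content delivery network or a less critical server.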

The above methods are crucial to any DDoS mitigation strategy.

Organizations must also reach out to their service providers and ISPs and work with them to identify novel mitigation techniques. ISPs have to be part of any mitigation strategy: DDoS attacks use the same Internet as bank customers, and the ISPs carry both forms of traffic.

Of increasing importance is the need to investigate and implement intelligence gathering and distribution strategies. Such efforts should investigate data within company networks and expand to include other companies that operate in the financial services industry.

Getting more information about who the actor is, the motivations behind the attack and the methods used helps administrators anticipate those attacks and proactively architect around them. Attack profile information can range from the protocols used in the attack (SYN, DNS, HTTP) and the sources of attack packets to the command and control networks and the times of day at which attacks began and ended. While valuable in mitigating attacks, there is no easy way to communicate this data, and regulatory hurdles make it even more difficult to share attack information.

Right now, information-sharing consists of friends talking to friends. Information sharing needs to evolve into an automated system where organizations can log in to a solution and see correlated and raw log data that provide clues into attacks that have ended and that are in progress. Such systems could also be used to share attack intelligence and distribute protections. An industry information-sharing capability would help elevate financial services companies’ abilities to cope with DDoS activity and bring the industry as a whole to a new level of preparedness.

Avi Rembaum is director of 3D consulting and Daniel Wiley is a senior security consultant at Check Point Software Technologies
