It’s an arms race and – right now – banks are losing. A recent casualty was HSBC, which on January 29th saw its online banking system brought down for several hours by a distributed denial-of-service (DDoS) attack. DDoS attacks are getting larger, and better organised. According to a recent report by Massachusetts-based security consultant Arbor Network, attack strengths are now reaching 500 gigabits per second (Gbps), with attacks regularly measuring over 100 gigabits per second. According to Arbor Networks the average size of DDoS attacks have been increasing, with average attack size increasing by 29.4% between Q1 and Q2 of 2015. DDoS attacks work by linking innocent business and household computers into their botnets to ramp up their resources. They then use the botnet to overwhelm a website’s capacity to respond to page requests. Attackers are able to leverage vulnerabilities in intermediate servers to increase their firepower, in particular using reflection attacks that fool challenges to incomings messages by masking the origin of the traffic. They are also amplifying their botnet attacks by exploiting mismatches between the smaller query sizes of their requests to view a certain page and the size of the answer to that request on the host’s server. “The growing Internet of Things will see more and more devices connected to one another and that means that botnets – the main way that DDoS attacks are delivered – will be even easier to assemble,” says Alex Middleton, a consultant at Dionach, an Oxford-based penetration testing company. Banks, like every other major business, are dependent on their internet service providers to defend them. But the defences are being swamped because the ISP cannot distinguish between legitimate and malicious traffic. “Attacks that run into the hundreds of Gbps pose a threat even to the largest banks,” said Rich Bolstridge, chief strategist for financial services at Akamai Technologies, one the the largest US cloud computing service providers. “Techniques such as reflection and amplification have been around for many many years. It’s the scale to which these techniques can be leveraged that is problem. If they want to attack you, instead of having to assemble a botnet they can rent one cheaply. It’s DDoS as a service.” Banks are now quite clearly the number one target for attacks, and – like HSBC – they will be often be targeted on busy days such as when the processing payrolls for customers at the end of the month. “It used to be the online gambling sites,” said Ken Munro, Senior Partner at UK-based Pen Test Partners. “They would be hit on high traffic days, in the run up to a big sports match. It usually started with a short DDoS, followed by a ransom demand. If they didn’t pay, they were DDoS’d off the internet, losing business. Even if they did pay, they often got hit harder and a larger sum was demanded. The victims quickly turned to service providers to soak up the attack and carried on with business as usual. The service was still disrupted temporarily, but the attack could be contained.”
US attacks
For banks the stakes are higher, and even a temporary interruption of service can result in a damaging loss of trust from customers. However, the experience of banks in the US does hold out some hope that attacks on banks in Europe, even if they don’t go away, will peak. Especially if banks work together. The most notorious and successful of the attackers in the US was the group calling itself the al-Qassam Cyber Fighters. Starting in 2012, al-Qassam targeted financial firms with DDoS attacks in revenge for what it described as an anti-Muslim movie posted on You Tube. As many as 20 banks were attacked in a single week and eight banks all had their online services taken down on the same day. “Those US banks were faced with a major adversary leveraging new capabilities, and that caught them unguarded,” said Akamai’s Rich Bostridge. “It broke their security models. They had to invest and increase their defences. But most importantly they started to take the attitude that ‘An attack against one of us was an attack against all of us.’” Lesson number one is: share the knowledge. Banks in the US were in the fortunate position that the Washington administration had already, back in 1998, created the Financial Services Information Sharing and Analysis Center (FS-ISAC) to help firms prepare for Y2K and other technology challenges. After the 9/11 terrorist attacks and the creation of the Department of Homeland Security, the FS-ISAC – together with ISACs created for other industries – grew in importance and resources. And in the wake of the al-Qassam DDoS attacks, which lasted into 2013, the FS-SAC became forum for virtually all banks in the US to swap information on cyber-crimes and threat intelligence. More recently, the FS-ISAC has also organised meetings for banks outside the US; in January, for example, organising a seminar in Paris on information sharing which was (ironically, perhaps) hosted by HSBC.
Soaking it up
Another lesson for European banks is that is that they have to match the technology the criminals are using. In particular, soaking is designed to absorb rogue traffic while allowing legitimate customers through. Akamai, for example, employs deep packet level inspection – a way of monitoring data by searching for any anomalies – of network traffic to identify potential DDoS attack paths. Detected attack traffic is then dropped, while clean traffic is forwarded to the requested pages. But soaking techniques can mean slower response times for users. So banks have to choose between only turning on soaking when a DDoS attack occurs – and sacrificing a higher level of protection – or leaving soaking on all the time – entailing increased costs and lower levels of operating efficiency. Anti-spoofing networks are another way to defend against DDoS reflection attacks. Corey Nachreiner, CTO at WatchGuard Technologies, a US threat management hardware provider, explains that this technology can be used to prevent spoofed traffic – traffic that has disguised its origin – from leaving the network, preventing attackers from leveraging a reflection attack. The bad news is that all the security experts spoken to by QA Financial agree that attacks will get larger and harder to defend against. “Even the most advanced solution on the market today would be unable to fend off a sufficiently large sized botnet, which has been purposefully engineered to avoid the latest detection mechanisms,” said Dionach’s Alex Middleton. Over the long term, simply building up building technical defences will not be enough. Banks will have to learn to live with the constant threat of cyber attacks and the advice of Ken Munro is be ready to ride out the storm. “DDoS shouldn’t be a big issue for any organisation, so long as they have prepared for it,” he said. “If it does happen, have your incident response playbook ready to grab from the shelf. Everyone knows what to do, from the IT helpdesk, to the CIO, to the CEO, to your crisis PR manager.”
