Addressing the DDoS Threat: Essential Steps Institutions Should Take
When it comes to fighting distributed denial-of-service attacks, banking institutions must understand the threats against them, says Bill Wansley of Booz Allen Hamilton. Not all DDoS attacks are created equal, and varying attack vectors require different modes of detection and prevention.
Wansley, a financial fraud and security consultant at Booz Allen Hamilton, says DDoS attacks happen frequently and they will continue. So institutions must ensure all appropriate detection and prevention measures are in place, he says.
"Banks should be very cautious about whether or not all the kinds of security protocols they have are, in fact, in place, and all the patches have been updated on their systems, and they don't have any random servers out there unprotected," Wansley says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
DDoS attacks waged by the hacktivist group Izz ad-Din al-Qassam over the last month have targeted eight leading U.S. banking institutions, the most recent of which targeted Regions Bank.
Other targeted banks include Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bank, Capital One and SunTrust.
Hacktivists claim they attacked those banks to make a social statement about outrage over a YouTube movie trailer deemed to be anti-Islamic.
But the why is not quite so important as the how, Wansley says. That's because different types of DDoS attacks require different modes of detection and prevention. In the end, the more institutions collaborate and share information with one another about the attacks each faces, the better off the financial industry will be, he says.
"Again, it goes back to: What's the objective of the attack?" Wansley says. "Are they trying to embarrass the institution? Are they trying to embarrass the country?"
And most DDoS attacks can be effectively managed, he adds, as long as the proper controls are in place and working. But attacks of a certain magnitude can impact operations and cause loss of revenue.
"Those are the ones we're concerned about, and those are a little more sophisticated and take a little more resources to be able to pull off," he says.
Financial institutions need to ensure they're collaborating with peer banks to discuss the different types of attacks and identify IP addresses being used so they can be blocked, Wansley says.
During this interview, Wansley discusses:
- Steps institutions should take to ensure the security protocols they have in place are actually effective at detecting and preventing a threat;
- Why information sharing has made a positive difference;
- How other industries should prepare themselves for cyberattacks.
Wansley leads multidisciplinary consulting teams at Booz Allen Hamilton, where he provides a range of operational-level management and technology consulting services, including advanced analytics of financial data, operational and technology risk management, compliance and regulatory risk assessments, and payment process redesign. He has 30 years of professional experience as an operational U.S. Army officer, a national security policy planner, and a management consultant for the U.S. intelligence community. Wansley's operational military experience includes serving as a field commander, division-level war planner, and national security strategist. For the past 13 years, he has supported U.S. Intelligence Community clients in solving national security risk-related challenges through strategic planning and advanced analytics.
Bank Attacks Increasing
TRACY KITTEN: In August, you and I spoke about cyberattacks oftentimes backed by nation states and other political adversaries aimed at U.S. banking institutions. Given the recent warnings issued by the FBI and the FS-ISAC, would you say these attacks are increasing or have they just reached a tipping point?
BILL WANSLEY: This really is a good point to continue the conversation we started back in August, because what we're seeing now is that the systems from the FBI, including the relationship with the FS-ISAC, are starting to work, and there was some early warning provided on the Internet of potential attacks. I'm not sure that this is an indication of anything really changing, though. This particular series of attacks is unique and seems to have a different character than previous attacks. But what we should take away from this is that we're now starting to get ahead of them and give notice and warning so banks can prepare.
KITTEN: Can you talk a little bit about the difference in character? How are these attacks different from what we've seen in the past?
WANSLEY: It's subtle in some ways. Typically, when you see a lot of noise on the Internet announcing that they're going to attack and then an attack happens, then there's usually some bragging about what was accomplished. That's the typical pattern of some of the hacktivist groups. In this case, there's a group that has an Arabic name that has never been associated with cyberactivity at all. It's more been associated with Hamas. And for them to, all of a sudden, become a hacktivist group is just really interesting. We've never seen that before. That doesn't mean they're not doing it, but it could also mean they're being used as a cover for some other country or organization to do something.
The second thing is the type of attack that you see publicly being put in place on the Internet, as hacktivist groups do, doesn't match with the impact of these attacks. In other words, it looks like there's a secondary parallel attack chain happening underneath the cover of this kind of noisy group up front. This one is kind of interesting, and you'll probably hear a lot of different reports about it. We're just watching to see how it develops.
Cyberthreat Level Raised
KITTEN: The cyberthreat level for U.S. banking institutions, which is monitored by the FS-ISAC, was for the first time recently elevated to "high." What does this mean, and what steps should financial institutions take now to ensure that they're adequately mitigating risk?
WANSLEY: First of all, the fact that they elevated it to "high" shows that there were specific threats to U.S. banks, and that's pretty obvious to confirm on the Internet. You can go out there and find that threat. The second thing is the banks should be very cautious about whether or not all the kinds of security protocols that [they think they] have in place are, in fact, in place, and all the patches have been updated on their systems, and that they don't have any random servers out there unprotected. There are ways to mitigate these different types of attacks, depending on how they are launched. We've seen three different types of attacks in the past couple of days. Each one of the banks, I'm sure, was collaborating with other peer banks to find out what those different types of attacks were, what IP addresses were used, so they could block them and really tighten up their own infrastructure to prepare for an attack.
KITTEN: Going to the FBI and its warning, it lists a number of areas of concern, including denial-of-service attacks, that could be used to distract institutions while account takeover attempts and other financial fraud schemes are being waged in the background, which you've noted as well. Do you think that financial fraud is really the greatest concern?
WANSLEY: It's very difficult to ascertain exactly what they're after until it happens, frankly, because we don't know their intent all the time. In this case, it seems to be more politically motivated than anything. But you can imagine, as we talked about before, how that political cover could allow them to cause even greater embarrassment, if they were to penetrate a payments system and, perhaps, do some fraud while they're doing that. Again, it goes back to: What's the objective of the attack? Are they trying to embarrass the institution? Are they trying to embarrass the country? Or is it for retribution: Are they just trying to get payback for the sanctions against a particular country, for example?
KITTEN: Recent site outages experienced by several banks have gotten a lot of attention and they were suspected of being backed by the Iranian government. Do you believe there's merit to some of those rumors?
WANSLEY: There are indications that it's an Iranian group. The time stamp, when they did brag about the impact on taking down Wells Fargo, was seven-and-a-half hours in advance, and the only country in that time zone is Iran. There are a lot of indicators it's from that region of the world, but these hacktivist groups, frankly, can operate from a number of different locations and give the impression of being from one time zone when they're really not. So it's not conclusive, but there certainly have been some indicators, such as the use of Arabic names, Iranian names and the time zone, that would indicate something from that part of the world.
KITTEN: Based on what you said, it does sound like these types of attacks are increasing, but some industry sources have suggested that these denial-of-service attacks ... have been striking for a long time. There have been rumors that Citi, for instance, was hit back maybe in late 2011 or early 2012.
WANSLEY: Denial-of-service attacks are not that uncommon across any major institution. Some are just annoying and some are really distracting. If you're taking down, for example, a Wells Fargo site, the customers can't do business and that does impact both customer relationships and the revenue from that business. So the first answer is, yes, they happen all the time. But most of them can be managed very effectively by the institution, unless it's of such a magnitude that it actually impacts operations, which has been the case here. These attacks are increasing and it's something that all the financial institutions now are taking very seriously, and they're putting in measures to be able to mitigate those attacks.
Analyzing Attack Timing
KITTEN: Could the timing of some of these most recent attacks aimed at these leading U.S. institutions be linked to the U.S. presidential election?
WANSLEY: Certainly, there are a lot of things in terms of timeline. Clearly, there is a General Assembly happening this week [the week of Sept. 24] and the president of Iran speaking at the U.N. [United Nations]. Our political environment is ramping up with the election, but it doesn't seem to be directly targeted at that, and then there's the response to the video [a YouTube movie trailer that Izz ad-Din al-Qassam claims casts Islam in a negative light]. So there are a number of potential timing relationships that are probably just as logical as a presidential election period.
KITTEN: What about smaller banking institutions? Are they being targeted as well and we're just not hearing about it?
WANSLEY: DDoS attacks are pretty common, but I haven't heard about any specific attacks like the one by this Iranian group, or claiming to be an Iranian group, anyway, hitting smaller institutions. We've also heard they've hit Google and Akamai recently - very similar attacks during the same time period. So it doesn't appear to be just U.S. banks, but it does appear to be major brand names.
Weighing Impact of DDoS
KITTEN: Are denial-of-service attacks the most concerning, or are other cyberthreats posing greater worries?
WANSLEY: Some denial-of-service attacks are just annoying and they're just a statement. Others, as I said, could almost do damage to the infrastructure, and/or could cause impact on operations and loss of revenue. Those are the ones we're concerned about, and those are a little more sophisticated and take more resources to pull off, especially to get around the defensive systems that the banks have put in place.
KITTEN: I wanted to ask about things that I've heard from other security experts. Some of them have suggested that these attacks pose significant threats to critical infrastructure because the hackers waging the attacks may inadvertently take down systems outside the line of fire. Do you think that those are legitimate worries when we look at some of these nation-state attacks?
WANSLEY: If you're really waging a nation-state level attack, you could do some real damage to smaller institutions that aren't as prepared as the bigger banks. This could be a turning point in some sort of escalation at the national level. I wouldn't jump to that conclusion quite yet. We'll see how the rest of the week comes out and what happens with other attacks; but it's a very, very interesting development, and we'll follow this closely for the next week or so.
KITTEN: You've touched on the fact that it could be organizations or institutions outside the U.S. that are being targeted as well. Do you think the same types of attacks are being waged against institutions in other parts of the world, or is the U.S. really the primary target?
WANSLEY: These specific attacks are waged against U.S. targets, the ones we are observing right now. But, routinely, there are attacks around the world against many different companies and government offices. We're focused on what's here in the U.S. because that's kind of our turf. But I wouldn't even conclude that these things aren't happening in other places, because they are.
Other Industries Should Be Concerned
KITTEN: How concerned should other industries and organizations be? We're talking about financial services and the cyberthreats the sector faces, but other industries would be other legitimate targets as well, would they not?
WANSLEY: Yes, specifically, those industries that we characterize in the United States as the "critical infrastructure industries," those critical sectors that have information-sharing bodies established by the FBI, for example. Healthcare would be another one. And there's one for critical manufacturing. The new legislation identifies a number of different sectors; but healthcare, utilities, any part of the critical infrastructure, are areas we should be concerned about.
KITTEN: In closing, I wanted you to talk a little bit about what we can expect in the future. What steps need to be taken and how can institutions ensure that they're protecting sensitive financial data and consumer privacy?
WANSLEY: I have attended several symposiums recently and the discussion I'm hearing from all the professionals in this business is that the cat is out of the bag. Cyberthreats are becoming more recognized as risk areas for companies. The director of the FBI has said cybercrime has now become his No. 1 concern. There's no question that we're getting visibility on the problem more now than we've had in the past. And there's good reason for that.
I think you're going to see more emphasis on Capitol Hill with cyberlegislation, so that the law enforcement bodies have a little more authority to do things to be able to stop and prosecute these cybercriminals. I think it's going to be really important for all the critical infrastructure owners and operators to start using what I recently termed a "common lexicon," a way of describing information security so it's not just the geek guys talking about it. Everyone needs to understand it, and we need to start putting some common standards of security practice in place, across the board, so that everyone's protected a little better.