Distributed Denial-of-Service (DDoS) attacks1 are not a new method employed by cyber criminals to inflict damage on victim entities’ networks. In fact, DDoS attacks were one of the first types of online crimes to appear in the dawn of the Internet age.2 In the past several years, however, cyber threat actors have rekindled this attack to produce two new variants, both of which specifically target the financial services sector.
The first variant employs the DDoS attack merely as a diversion technique. In this method, which became noticeable in late 2011 and continues to present day, criminals conduct a DDoS attack on a victim website in order to divert attention and distract bank personnel from the underlying purpose of the attack—to steal online banking credentials and conduct unauthorized wire transfers. To execute this attack, criminals have used a commercially available crimeware kit—known as Dirtjumper—that can be bought and sold on criminal forums for only $200.3
While the purpose of the first type of DDoS is to increase the chance of successful financial fraud, the purpose of the second variant, which is the focus of this article, appears to be in line with the more traditional purpose of a DDoS—to disrupt services by rendering the website inaccessible to legitimate users. The new variant, however, is unprecedented in terms of its size, its industry focus, the attack vector it employs, its longevity and its potential source.4 At the same time, the response to these attacks has been extraordinary in terms of industry collaboration and information-sharing to mitigate the impact of the attacks.5 Given the combination of first-time factors contributing to this variant’s successes and because this new breed of cybercrime may be merely a sign of what awaits financial institutions in 2013, all financial institutions—small, mid-tiered and large alike—are advised to take this opportunity to review, reexamine and enhance their security incident response capabilities.
The New DDoS Variant
Beginning in mid-September 2012 and continuing over a six-week period, a dozen financial institutions were successfully targeted by a group initiating a series of sophisticated DDoS attacks against these banks’ websites.6 Most of the attacks were preannounced by the group claiming responsibility for the attacks—Izz ad-Din Al-Qassam Cyber Fighters (QCF).7 QCF claimed its motive was to stop widespread and organized offenses to Islamic spiritual and holy issues and, in particular, remove an offensive video from the Internet.8 Some sources, however, attribute the group’s activities to the government of Iran responding to prior alleged U.S. cyber attacks on its systems and networks.9
Approximately one-and-a-half months later, the QCF allegedly initiated a second campaign of attacks. This wave, which started as early as December 11, 2012, targeted many of the same banks and a few additional institutions with similar DDoS attacks.10 Indeed, the group claimed, based on a numerical sequence of “likes and dislikes” to Internet content it deems objectionable, that the attacks would continue for at least 14 months.11 However, seven weeks later on January, 29, 2013, the group claimed victory when the objectionable content was apparently removed from one of the sources on the Internet.12
This DDoS variant is significantly and substantially different from previous types of DDoS attacks in several ways. First, the volume of network traffic used to commit the attacks was substantial. In the first campaign of attacks, it was reported that some banks were hit with a flood of traffic peaking at 65 gigabits-per-second (gbps).13 Given that this volume is magnitudes above previous DDoS attacks, and that a mid-size business may only have the capacity to process 1 gbps of network traffic, this enormous influx of traffic is significant and problematic.14 The high-volume network traffic of this size can overwhelm most of a victim’s network infrastructure, and slow its response time to web inquires, if not grind it to a halt altogether.
Second, the attacks were aimed at institutions in the financial services sector. Both the first and second campaigns targeted large financial institutions, while more recent attacks have targeted a broader range of institutions, including smaller banks and credit unions. 15 Although there is no evidence that these attacks have compromised customer accounts, QFC claims its attacks cost U.S. banks $30,000 for every minute their websites were down.16
Third, the attacks used a network of compromised web servers—nicknamed “brobot”—in contrast to the more traditional DDoS, which uses a network of compromised individual “zombie” computers—known as a “botnet.”17 By using web servers, which have significantly larger bandwidth than individual computers, fewer compromised computers are needed and the capability for massive traffic exists to flood the victims’ systems making it unresponsive to legitimate requests.18
Finally, industry experts have identified a layer of variability and persistence of tactics, particularly in that the toolkit allows attackers to react to defenses and modify attack strategy quickly.19 New attack vectors have also increased the effectiveness of strikes, partly because they utilize bilateral strikes against both Internet service providers and victim banks at the application level.20 Certainly, if the suspected source of the attack is true, the ability of the bad actors to draw upon unlimited resources in changing their tactics “on the fly” is not without reason.
Industry experts attribute an important contribution to minimizing the impact of the attacks to sharing critical threat data in near- to real-time both within the financial services sector and between government and the private sector.21 The Financial Services Information Sharing and Analysis Center (FS-ISAC), the designated operational arm of the Financial Services Sector Coordinating Council, was particularly effective in this regard by providing a mechanism to collect threat intelligence and alert participating members with reports containing anonymized information.22 The FS-ISAC issued a fraud alert the day following the first attack and, a few days later, raised awareness in the U.S. banking industry by changing its cyber threat level from “elevated” to “high.”23 In addition, technology and DDoS mitigation service providers have also provided a significant role in releasing new tools and mechanisms to plug the holes exploited by attackers.24
Some institutions also reached out directly to the government for assistance in the response. Utilizing an established process known as “Request for Technical Assistance” (RTAs), banks reach out to their regulators who, in turn, reach out to the U.S. Treasury Department to draw upon the appropriate resources in the federal government, including the Department of Homeland Security (DHS) and the National Security Agency (NSA), to provide the requested assistance.25 It appears that at least some banks have requested support from the NSA.26 The DHS has also spoken publicly about its ability to help financial institutions to defend against DDoS attacks.27
On December 21, 2012, the Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, released an alert to CEOs of all national banks, federal branches and agencies, and associated interested parties, calling for a heightened sense of awareness and offering risk mitigation information in response to this series of sophisticated DDoS attacks.28
In the alert, the OCC reiterated its expectations that financial institutions have risk management programs in place to identify evolving threats to online accounts and adjust technology safeguards appropriately.29 Further, banks are expected to ensure that an effective incident response approach with sufficient staffing is in place and proactive due diligence reviews are conducted to identify and mitigate risks imposed by potential DDoS attacks.30 The regulators also encourage participation in information-sharing organizations such as the FS-ISAC.31
In the wake of this unprecedented variant of a traditional cybercrime attack, financial institutions of all sizes should take the opportunity to review, reexamine, improve and expand their incident response capabilities. Of course, every situation varies and there is no “one-size-fits-all” response to any incident. However, building upon lessons learned from responding to these particular attacks, institutions may want to consider:
- developing a structure and mechanism to intake early warning signals and integrate them into an immediate response;
- participating in information-sharing within the sector and with external parties (vendors, regulators and law enforcement);
- testing response plans to ensure that outside parties, such as DDoS mitigation service providers, are able to deliver services as planned and anticipated;
- building a threat/defense matrix into incident response plans for certain threats, such as DDoS attacks; and employing a layered defense with multiple tactical defense options.
In addition, financial institutions may want to consider expanding their arsenal of possible responses with creative solutions, such as:
- cross-industry collaboration (e.g., developing joint strategies with ISPs and information technology and telecommunication providers);
- employing active defense technologies;
- exploring informal and formal (i.e., legal) mechanisms to pursue intermediaries caught in the cross-fire; and
- exploring informal and formal mechanisms to dismantle the bad actor infrastructure.