DDoS: The New Defense Strategy Video


We continue to see large-scale DDoS attacks against U.S. banks. In fact, there are signs that the attackers' botnet is getting stronger and that they are targeting organizations both outside the U.S. and outside banking. How can organizations defend against this growing menace? Your customers can get the answers in a timely webcast, “DDoS: The New Defense Strategy,” sponsored by Bank Info Security and featuring Rodney Joffe, Neustar DDoS expert, along with financial services security expert Michael Wyffels and Bank Info Security Managing Editor Tracy Kitten.

You Will Learn:

  • What we know about the attacks and attackers
  • Where organizations are most vulnerable
  • What all organizations can do to assess and mitigate their DDoS risks

Video Transcript

Tom Field:

Hi, this is Tom Field, vice president of editorial with Information Security Media Group. Welcome to our session today entitled, “DDoS: The New Defense Strategy.” The featured speakers are Michael Wyffels, senior vice president and chief technology officer of QCR Holdings, Inc.; Tracy Kitten, executive editor of BankInfoSecurity; and Rodney Joffe, senior vice president and senior technologist with Neustar.

Before I turn this over to our panel, let’s talk a little bit about the background of today’s session. We’ve just completed the third wave of distributed-denial-of-service attacks against U.S. banks. While there’s no evidence these attacks will end any time soon, there are signs that the attackers’ botnet is getting stronger, in talking to organizations both outside the U.S. and outside banking. How then can organizations everywhere prepare to defend against this growing menace? That’s what our panel is here to talk about today. They’re going to give a unique insight into what we know about the attacks and the attackers, where organizations are most vulnerable, and what all organizations can do to assess and mitigate their DDoS risks.

Let me tell you a bit about Information Security Media Group. We currently publish several global websites. We have BankInfoSecurity and CUInfoSecurity for financial services; GovInfoSecurity for the public sector; and HealthcareInfoSecurity for the medical community. We also have InfoRiskToday about information risk management; DataBreachToday about breach prevention and response; and CareersInfoSecurity. Each of these sites is dedicated to providing education and news regarding information security, but specially tailored to their unique sectors. With over 350,000 members registered to our sites, we’ve created a true information source that tackles the key issues of interest to our unique audiences.

Just a few housekeeping notes: If you have any questions for our panel during the course of this session, please submit them via the chat window you see on your screen. If anybody should experience any technical issues while viewing today’s webinar, please dial the number on your screen. If you dial extension 110 or 115, we do have technical support staff standing by to help. Also, I need to emphasize the content being presented in today’s session is copyrighted material. It’s meant for today’s webinar and individual study purposes only. If you or your organization would like to use the information presented in today’s session or are looking for customized training education, please contact us.

Let me take a moment now to introduce our sponsor, Neustar, Inc. Neustar is a trusted neutral provider of real-time information and analysis to the Internet, telecommunications, entertainment, advertising and marketing industries throughout the world. Since 1996, Neustar has helped more than 1,500 customers worldwide to promote and protect their businesses. Neustar’s protection services deliver performance, reliability, and security for our online infrastructure. Whether it’s monitoring cyberthreats or mere uptime, preventing fraud, or defending against a DDoS attack, Neustar steps in to protect the customer’s online business, reputation and revenues.

Now let’s meet our first speaker, Tracy Kitten, executive editor of BankInfoSecurity. Tracy is a veteran journalist with more than 14 years of experience. Before coming to BankInfoSecurity, she covered the ATM and financial self-service industries as the senior editor of ATM Marketplace. During her tenure there, she reported extensively about ATM security and regulatory issues facing the global ATM market. Since coming to BankInfoSecurity in 2010, she’s been instrumental in our coverage of account takeover, the FFIEC authentication guidance, and most recently DDoS attacks against financial institutions. It’s my pleasure to turn this over now to Tracy Kitten.

Tracy Kitten:

Thanks, Tom. Here’s a quick overview of what I plan to discuss regarding DDoS during today’s presentation. I’ve been covering DDoS since September, and I’ve learned quite a bit about these attacks, not just from the banks themselves, but from industry regulators as well as vendors. The attacks are highly concerning, and there’s no doubt about the fact that there could be more to these attacks than meets the eye. And the longer these attacks continue, the more questions they raise. The good news, however, is that the attacks are being reported, and industry regulators and law enforcement are increasingly disseminating information about these attacks. In fact, the FBI in April issued some specifics about the attacks, which I will review during the presentation today.

Hacktivists have been targeting U.S. banks, but there’s concern their attacks could branch out to other sectors, and the botnet that’s used by hacktivists continues to grow. And banks, while reporting attack activity via some venues, have increasingly been less willing to share specific information about these attacks. Fraud linked to these attacks also is a concern, and federal regulators have noted this. There’s concern about these attacks being waged against other sectors, even by other groups. Even if the hacktivists themselves aren’t waging these attacks, there’s a worry that perhaps criminal groups could use the same botnet or could piggyback on these attacks. Before we close today, I’m going to review what we might expect in the future.

Let’s start out by taking a look at what’s actually been reported about the state of DDoS. Sept. 18 was the beginning of these distributed-denial-of-service attacks, which we have now seen hitting the U.S. financial services industry for the last eight months. This is when Bank of America took a hit, and this marked the kickoff of Operation Ababil, a series of DDoS attacks waged by the hacktivist group al-Qassam Cyber Fighters against the U.S. financial services industry. At first, we only saw the top-tier banks being targeted, but then the attacks waged by Cyber Fighters, better known as QCF, began to trickle down to smaller institutions.

al-Qassam claims it’s waging the attacks against U.S. banks in protest of a YouTube movie trailer deemed offensive to Muslims, but there have been doubts about whether that is actually the group’s true motive. Is the ultimate goal to spread malware, or are these attacks really more about just frustrating the industry by being a nuisance? These are the lingering questions that we have yet to answer.

Now, around the September timeframe when Bank of America took hits, banking groups such as the Financial Services Information Sharing and Analysis Center, as well as the FBI, began raising flags about emerging cybersecurity risks. On Sept. 17, FS-ISAC, the FBI and IC3 issued a fraud alert about cyber-schemes that aimed to drain banking accounts. Then, on Sept. 19, FS-ISAC elevated the cyberthreat risk for U.S. banking institutions to “high.”

On April 10, the FBI issued a notice, noting that 46 U.S. banking institutions had been targeted by more than 200 separate DDoS attacks of various degrees of impact since September. The FBI also noted that these attacks were using high-bandwidth web servers with vulnerable content management systems. These warnings were a precursor to what we later have learned to be fact; that DDoS attacks, if not properly mitigated, can result in online outages that deny customers access to online banking. These outages are frustrating for consumers and raise concerns in consumers’ minds about privacy and account protection, which has been evidenced by numerous posts on social networking sites consumers have created in the wake of these early DDoS strikes.

DDoS attacks run the risk of damaging banking institutions’ reputations and, as I’ll talk about more in depth later, these attacks can and have been used as a means of distraction to perpetrate fraud.

These attacks so far have been waged in three phases, which have run from mid-September until early May. Banking regulators have issued warnings about the potential threats of these DDoS attacks. In December, the OCC noted that banks should incorporate information sharing with other banks and service providers into their risk mitigation strategy in order to stay ahead of shifting attack tactics and targets.

In February, the NCUA noted that credit unions and other institutions should conduct ongoing risk assessments to identify risks associated with DDoS attacks, as well as to ensure that disaster recovery and incident response programs included DDoS attack scenarios that could be tested before, during and after an attack. The NCUA also recommended that institutions conduct ongoing due diligence on third-party service providers, especially Internet and web hosting providers, to ensure that appropriate traffic-management policies and controls are in place.

Finally, in May, the FDIC took it a step further by issuing an update about DDoS attacks to consumers, noting that consumers should communicate directly with their banking institution to learn more about the mitigation steps those institutions are taking to ensure bank account data remains protected.

Brobot, the botnet that’s used by hacktivists, continues to grow. The attacks are getting more targeted and sophisticated, and there’s really no reason for us to think that the attacks will stop. New tools and techniques have emerged with each of these phases that we’ve seen in the DDoS campaigns, and the application-layer attacks have proved to be the most damaging. Banks have responded well to these attacks, but it’s required a 24/7 effort on their part.

Now, when these attacks first started, many of the targeted institutions were actually very forthcoming with information. Some, such as PNC, even posted blogs on their websites explaining to customers exactly why they were experiencing online outages, and communication with the media was more open as well. Over time, however, communication with the media and the public at large has begun to slow, and banks, under the advisement of federal investigators, as well as groups like the FS-ISAC, have increasingly been less willing to share information. Many have continued to warn customers about possible outages through social networking sites, such as Facebook and Twitter, but few have gone into great depth about the outages and the possible outages being linked to DDoS.

What institutions have done - at least those that are publicly traded - is include more details in their quarterly and annual SEC filings about what they’re doing to defend themselves against cyber-attacks. DDoS has been specifically noted by many of these institutions, including Citi.

In its annual 10-K report, which it filed with the SEC on March 1, Citi points out that in 2012 it and other financial institutions were hit by DDoS attacks that were intended to disrupt consumer online banking services. The bank also noted that additional challenges had been posed by external extremist parties, including foreign state actors in some circumstances, as a means to promote political ends.

Chase, Bank of America, Goldman Sachs, US Bank, HSBC, and CapOne also specifically mentioned DDoS in their 10-Ks. Each of these institutions acknowledges suffering from increased cyberactivity and notes that DDoS is an emerging and ongoing threat. I suspect that we will see more details through these filings as we go forward. And as consumers become more understanding about DDoS and are asking more questions, I think that banking institutions will be more willing to share details about these types of attacks in their SEC filings.

Now, it’s also worth noting that there has been some evidence that these attacks have been linked to some sort of financial loss, even fraud. In its SEC filing for year-end 2012, Citi notes that some of these DDoS incidents resulted in certain limited losses, as well as increased expenditures for monitoring against the threat of similar future cyber-incidents.

Citi goes on to say that data loss and the potential for malicious attacks waged in conjunction with DDoS cannot be ignored. Then, in December, local news reports in San Francisco noted that $900,000 had been drained from online accounts at Bank of the West after a DDoS attack hit the bank as a means of distraction. Bank of the West has not publicly stated much about this DDoS attack, but it has acknowledged that the attack occurred and has said that, since this time, it’s implemented enhanced DDoS mitigation strategy.

So what’s next? From a banking perspective, we should be concerned about the potential for malicious attacks, attacks that are either waged by QCF or attacks that are waged by some other group, perhaps a criminal group that’s piggybacking on the efforts of QCF. Let’s not forget to look at Bank of the West as an example incident. These attacks will continue, and the application-layer attacks will be the focus simply because they’ve proven to be successful. We also will see malicious attacks associated with some of these. Even if the attacks, as I’ve noted earlier, aren’t waged by QCF, they could be waged by some other group, and there’s nothing to say that this botnet robot that QCF has been using won’t be leased out and won’t be sold to some other group to use in attacks that are for a criminal purpose.

Smaller banking institutions and other sectors such as healthcare, energy and manufacturing are the next targets, and we’ve already seen evidence of this. In fact, Verizon notes that 2012 saw a dramatic increase in the number, size and complexity of DDoS attacks, and these attacks were aimed primarily at the banking industry in the United States. But banks and companies across Europe and the Middle East also were targets. Prolexic in the spring also noted that the utility sector was one that had been hit already, and this had been a target not only in the U.S. but also in Europe.

From a preparedness standpoint, more sectors and smaller banking institutions are beginning to appreciate the fact that DDoS is a real threat, but they do need to step up their efforts, and they can learn quite a bit from the example that larger banking institutions in the U.S. have set. Larger institutions in the U.S. have definitely stepped up their mitigation efforts when it comes to DDoS, and they’re defending themselves relatively well. Information sharing also has been phenomenal among these groups and has really set a new bar, not only for the financial services industry in the U.S. but for the world.

Tom, I’ll hand it back over to you.

Field:

Thank you for getting us started with that overview, Tracy. Now let’s hear the financial institutions’ perspective from Michael Wyffels, senior vice president and chief technology officer with QCR Holdings, Inc. At this multi-bank holding company based in Moline, Ill., Michael focuses on compliance, fraud prevention and technology. He’s worked in information technology for more than two decades, and his career has focused on the financial services markets, credit card processing and operations. Before joining QCR, he directed MIS and distributed systems for Alliance Data Systems in Dallas. Before that, he worked in several enterprise and line-of-business roles within IT for First Data Corp.

With that, let me turn this over now to Michael Wyffels.

Michael Wyffels:

Thanks, Tom. For today’s agenda, we’re going to cover the Internet and its impact on our lives. We’ll briefly talk about the threats that are appearing all around us. Then I’ll lead into DDoS - the emergence, warnings and the impacts that we’ve seen. We’ll talk about the implications to our customers, and we’ll talk about the implications to our financial institutions. Then we’ll talk a little bit about the steps we have taken and how you can start planning yourself.

The Internet has been a wonderful and challenging addition to our professional and our personal lives. As with many technologies, it further enables businesses to compete, gain quick access to resources, reduce delivery costs and extend their reach globally to customers they may not have been able to reach before. It also provides a channel to reach out to friends, our families to share memories and provide near real-time updates on our lives. It also gives us a channel to transact business with organizations we have relationships with.

But at the same time, it has its challenges. We have seen where powerful cyber-attack tools have become widely available on the Internet. We’ve seen where customers’ bank accounts have been hacked. We’ve seen countless other organizations threatened by these kinds of attacks, and we’ve seen top U.S. banks, large financial institutions, and now others struck by DDoS attacks.

It seems the threats are all around us. We have quickly become part of an ecosystem where bad things have happened to good people and good businesses. Threats from phishing attacks, social engineering attempts, and malware like Zeus and Citadel, SpyEye, and techniques from High Roller, have all successfully intruded into our lives, creating personal and business hardships. Our privacy continues to become more elusive and threatened. There are near countless points of access on the Internet in our connection to the world. This makes it difficult to identify those who are responsible and prosecute them.

The invasion and theft of our personal information, the credentials we use, the intellectual property we’ve developed and the funds we have worked hard to save is driving responses for increased security, which further complicates the use of our online services for our customers. All of these things create the emergence of the challenges for trust, reliability and the availability of services from which we have become more and more dependent on. Now we have DDoS, the distributed-denial-of-service attack.

What is a DDoS attack? DDoS occurs when an attacker targets a site and initiates a massive amount of traffic towards that site. The goal is to overwhelm the site, prevent it from responding to legitimate requests for service, thus making the site unavailable to those who depend on it, in some cases for long periods of time. We’ve seen organizations like Anonymous successfully use these techniques to take sites down. We’ve seen warnings from government agencies letting us know about concerns regarding upcoming events. These types of attacks and continued escalations of activities will cause disruptions to services, and they can be leveraged as a mechanism to draw our attention away from the real crime being committed, such as account takeovers.

Implications can be costly and frustrating. Customers we have relationships with are impacted by these threats. They depend on us so they can manage and service day-to-day tasks, tasks and services which are expected to be strong and dependable, trustworthy, and easy to access. These services have been threatened, things like e-mail, where vulnerabilities in phishing are taking place; online banking, where we’ve seen account takeovers; bill payments, where we’ve seen payment fraud; investments, account risk and account takeovers. The increasing layers that we add to address these threats also make it harder for our customers to transact business. These threats are harmful to our economy, our clients and our trusted business relationships with those clients. They trust us to complete their transactions safe and securely from origination to destination.

Implications to financial institutions also can be costly and very frustrating. We’ve seen where financial institutions have been vigorously attacked, along with other businesses. It’s clear no business segment is immune to these threats, as history has proven. Attacks impact our reputation, our brand and the trust we work so hard to earn from our customers. These attacks draw down on our revenue, and they draw down on our productivity by stealing the resources on other things than revenue and our customers’ needs. It’s not a matter of if, but when we will each face these threats.

When we do, we must have been prepared already and have taken steps to respond. Some of those steps can be having an incident response plan ready. Develop media messaging [that’s] ready and rehearsed in advance. Practice good security hygiene on your systems. Be vigilant and keep your antivirus and patching current. If you haven’t considered intrusion detection or intrusion prevention systems, consider those and put those in your environment. Use strong access control practices. Talk with your service providers about what they can do to help you mitigate DDoS attacks. Don’t minimize education. Train and educate your staff and your customers the best you can to help them also prepare for these events.

The economic impacts can also be significant to us. Lost revenue hurts us; lost revenue hurts our customers; and certainly lost revenue can hurt our shareholders. Reputational damage is also expensive. It’s hard to earn a good reputation and then have to rebuild it from an event such as this if it’s not managed correctly. Productivity loss is a natural outcome of these kinds of events. Clearly, the productivity is drawn down upon in an organization during the incident and during the recovery phase. We all have responsibilities when customer information is impacted. We have to maintain a high level of integrity and make sure that we’re meeting our obligations for our customers. Professional assistance for recovery can be very expensive, but in many cases needed because the expertise is not usually in-house. Regulatory compliance will continue to be made visible to us. We will continue to get advice, guidance and recommendations to help us become better at being able to support ourselves and our customers in the face of these incidents.

Finally, it’s hard to lose a customer, and it’s hard to get a customer back. You have to earn their respect and you have to earn their trust. None of us wants to lose customers due to incidents like these.

Some of the steps we have taken, or what our playbook looks like, include the following:

  • We have an incident response plan. This is a document that our organization is well aware of, and we ask questions of our employees on an annualized basis through training. We have a media and crisis communication plan. Individuals know what their roles and their responsibilities are in the event of a crisis and who owns what messaging, how that messaging is going to be delivered and the channels it can be delivered across.
  • We have strong access controls, and sometimes this blade cuts both ways. Strong access controls or more layers in security can make it more difficult for individuals to do their jobs, but sometimes that tradeoff ends up being a value when you need it the most.
  • We have intrusion detection services. We have a third party that provides this as a service for us. We depend on them to identify anomalies in the network and to notify us when they see those things. In some cases, we give them unilateral control to take actions and notify us after the fact.
  • Be vigilant with your patch management and your antivirus regimens. You can’t be too vigilant here. You don’t want to become part of a botnet.
  • Strong web-filtering mechanisms and filtering techniques are in place for us today as well. This is also a service that we subscribe to. We try to let the professionals that are good at these things - that have core competencies in these areas - do those things for us. Have a clear understanding of how our suppliers deal with DDoS, what our role is and what it means to our services. It’s important for us to know what our ISPs do; it’s important to us to know what other telecom carriers do; it’s important for us to understand what a hosting provider does and how they go about doing it in the event we become part of a DDoS event. We also offer educational seminars to our customers on malware and account takeover.

Remember - significant attacks are almost unpreventable and result in hours of lost services. Effective solutions may require third-party assistance. Remember that preparation and planning are strong foundations for defense. Take considerable time to think through what it is that you’re trying to do, how you want to go about doing it and what the goals are you’re trying to accomplish to ensure that preparation and planning deliver the results that you’re looking for. Install the latest updates to computing platforms. Make sure you’re doing your best to keep platforms current to avoid vulnerabilities that are present.

Take time to invest in services which can mitigate risk and impact. Talk to your hosting providers and see what they can help you with. Find out how you can get involved with them and participate in the event that you are part of an incident. Talk to your ISPs and see what options they have. One is called black hole filtering. It’s basically a technique where you set up a false location and the traffic gets routed to that false location; and because that location doesn’t exist, the packets are dropped. Your ISP understands these kinds of things that are available. Talk with them and see how you might be able to benefit from some of those kinds of techniques.

Talk to your telecom carriers. See what their role is and what they can provide for services as well. Investigate the benefits of an application-level service, and investigate intrusion detection and intrusion prevention systems. We’re seeing more and more application-specific attacks from DDoS trying to interfere with network and services to gain access to networks.

Consult with professionals. After all, we’re bankers. It’s probably important that we go to the people that have the highest level of competency for the things that we’re trying to accomplish - the folks that deal with these kind of things day after day. Those professionals can help us deal with and develop a strong plan of preparation.

Test your plan. Once you have built that plan, test it. Find out if you achieved your goals. Identify the gaps, put preparation activities against the gaps and test it again. Test it until you’re getting the outcome that you’re looking for.

Thanks for your time.

Field:

Thank you, Michael, for giving us the bank’s eye view on DDoS. We’re going to take a step back now and look at some of the trends and lessons learned from recent attacks. Providing that perspective is Rodney Joffe, senior vice president and senior technologist with Neustar.

Rodney’s responsibilities include defining and guiding the technical direction of the company’s Neusentry security offering, as well as heading the company’s cybersecurity initiatives. Joffe joined Neustar in 2006 after the acquisition of UltraDNS Corp., a directory services company he founded in 1999. Prior to that, Rodney was the founder and CTO of Genuity, one of the largest Internet service and hosting providers in the world.

Let me turn this over now to Rodney Joffe.

Rodney Joffe:

Thanks, Tom. What I’m going to do is start off with the bad news. The bad news is that the al-Qassam DDoS that we’ve been watching for … nine months now is only one of many DDoS [types] that actually threaten. It’s a very specific one, but it’s by no means the worst that we’re going to see, and it’s going to be something that’s going to affect us in indirect ways, not directly with DDoS, but the way it affects others.

The very first DDoS [attacks] that affected us - and it’s something that I remember from 2001 - were the DDoS [attacks] that we saw against the major e-commerce companies that were just getting going in the early 2000s. There was a specific DDoS that started off around February of 2001, and it targeted eBay, Yahoo and some of the other sites. I think even Amazon was affected in the early days. It was a wake-up call for everyone.

It was one particular juvenile, in fact, who launched the attack, and it was a real wake-up call for everyone, not just the people defending, but it was also a wake-up call for the criminals because not very long after that we actually began to see the Russian mafia - the criminals out of Russia who had been involved in spamming by that time - switching over to DDoS extortion. They started targeting the gaming companies or others … in the UK, threatening those kinds of organizations with DDoS [attacks] if they didn’t pay up. They generally did that right before major sporting events, which is logical.

The DDoS [attacks] were copied then by hacktivists. There were smaller community groups, also the individuals, who were DDoSing each other in a very small way in the late 1990s. [They] began to realize that this mechanism was very useful, and it didn’t take long for those two groups to really inform and educate the criminals that were interested in financial clients, not just extortion, but actually stealing money.

This took off in a relatively large way, and still today we’re seeing the very latest mechanisms used, unfortunately, by the folks at al-Qassam, by the same criminals who started out in the mid 2000s, specific with malware, but some of the audience will recall or be aware of things like Zeus, SpyEye and, now the latest, which is Citadel.

The DDoS [attacks] though have changed with al-Qassam. What they have managed to identify is the weak spots in the protocols of the Internet. The al-Qassam DDoS [attacks] have really been very, very effective because ultimately there’s no perfect way to actually withstand them. I think that the only mechanism that we’ll be able to use is to actually go after the people behind them.

But in actuality, the way that the DDoS [attacks] are occurring makes it very, very difficult to defend. The bad news is that this is now being picked up by the regular criminals and the hacktivists. They’re realizing now what the weak spots were in what they did, and they’re now making changes. It’s actually quite significant.

The key thing to know is that you’re probably going to all end up being targets of DDoS [attacks] using these mechanisms over the next year or two because [of] the ability to actually launch these [attacks] and have them be very effective with very little.

Let’s look at the current profile of the al-Qassam DDoS [attacks]. The botnet itself is known as Brobot, and this comes from the phrase, “It’s okay, no problem, bro,” which was used to describe the original attacks. It basically compromises commercial content servers. The one piece of careful thought that went into this attack was, instead of compromising the traditional home computers - things that were connected to cable modems and DSL lines, where the ISPs have pretty good control, have pretty good AUPs and service agreements that allow them to filter very, very quickly when there’s something dramatic that’s actually occurring from a home machine - the folks behind the Brobot botnet actually set out to compromise commercial servers that had lots of bandwidth and were very, very reliable.

The major things that they went after were weaknesses in two content server applications. These were very effective because, while they compromised the systems, what they ended up with were systems that were connected to very fat pipes. We saw systems that were connected to hundreds of megabytes or gigabytes. In some cases, when the content servers were actually being housed in some of the big shared-services companies, the rent-by-the-month or rent-by-the-year servers in the hosting facilities, those are connected to multiple 10-gigabyte connections. The additional thing is that many of the servers had multiple customers on them, so it made it very difficult for those hosting companies to actually be able to filter in any effective way very quickly. They had to work very hard to identify the specific customers, contact the customers and get them to shut the systems down. This added a time element, and that time element is what allowed Brobot to be that effective for that extended period of time, multiple hours during the day.

The second thing that occurred was that a lot of these servers were located internationally. They were located outside the U.S., and in many cases they were in countries where there was a language problem, [with] security folks trying to reach out to help the victims of the compromises that were a part of the DDoS attack, to educate them about the fact that their systems were being used and how they were being compromised. Secondly, there were privacy issues in many of those countries, especially in the European Union. In the third case, you were dealing with servers that might have been involved in companies where it was very difficult to find out how to reach anyone within those companies to actually even find the right people to talk to.

Those attacks were launched in that particular way. They were launched against a mix of systems. It started out with web servers and DNS servers, and as the systems became more resilient and as the banks were able to defend more and more, the attackers targeted the payment gateways and also began to target some of the telecom providers and Internet providers, some of their key articulation points. It’s been very, very effective from that point of view.

However, it did go quiet on May 2. There was a threat of attacks by a hacktivist movement called OpUSA that threatened to target the U.S. economy, and they made some claims about being associated with and getting help from the al-Qassam Cyber Fighters. The al-Qassam Cyber Fighters, I believe, had a very specific message, which was to cause disruption amongst the banks and get the attention of the U.S. government and the U.S. in general. They distanced themselves from the OpUSA hacktivists and announced that they would not be participating during that week. The interesting thing that’s occurred is that there have been no attacks since then. While we might have expected the attacks to start again with the weekly claims by al-Qassam, what was in their post was that they would not be attacking for that week.

They actually have not re-attacked again. There’s been no activity that we’ve noticed from any of the control systems in their botnet. The jury is out currently as to whether we’re seeing a temporary lull - which is quite possible - or in fact a permanent stop to the attacks for some outside reason.

The current targets of al-Qassam are worth looking at, and this is obviously through the second of May, and, if the attacks were to pick up again, it would be a continuing attack. But what we’re looking at are the 50 largest U.S. financial institutions. In the slide there, I have a link to where we believe the targets are actually listed and are actually being used by al-Qassam. It’s been pretty consistent with almost no exceptions. Their targets have been within this list. The motive, as I said before, was really disruption and not destruction. I don’t think that they want to actually get a national backlash from end users. What they’ve done is they’ve created enough of a disruption so that expenses have been caused for the banks that have been attacked. There’s certainly a lot of unease within the financial community and within the U.S. government; but from an end user point of view, most people see this as just a typical Internet thing where, for a period of time, they’re unable to get to their bank, they’ll make phone calls, and, an hour or two later, they’re able to get to the banks.

What we’re starting to look at are organizations, not banks, actually commercial organizations, as well as small to medium-sized regional banks and credit unions. These are organizations that have payroll accounts and have separate treasury accounts. The malware that’s targeting them - that has been active for probably six or seven years now - is Zeus, SpyEye and Citadel. [It’s] very difficult to eradicate, very difficult to identify, very sophisticated and well written.

In these particular cases, the DDoS [attacks] are actually used to cover the actual financial crime. The way that it works is that a company will be compromised. The treasurer in that company - or the person who actually communicates directly with the bank to do bank transfers - their systems will be compromised. They’ll go ahead and, once they compromise the systems, make fraudulent transfers out of the victim company’s account with a small regional bank. They’ll compromise the bank account and they’ll then launch a DDoS against the bank itself.

At some point, while the bank transfers are actually taking place and are being moved from the bank out to the mules that exist around the world, in order to make sure that the treasurer of the company or the financial person of the company is unable to check the accounts and maybe spot some of the transfers, they launch a DDoS against the bank account so that the treasurer is faced with the same message that everyone else in that bank’s customer base is faced with, which is you can’t get through to the bank account. You’ll put it down once again to being an issue with the Internet and you’ll try again later. In this way, the criminals are able to delay the discovery of the fraud by a couple of hours, which is enough time for those transfers to actually make their way outside the U.S.

From a mitigation strategy point of view - the way that I’ll finish this section here - is to try and make sure that you’re not a typical target. One of the things you want to be doing is distributing your infrastructure. You want to separate your DNS servers and your DNS systems from your retail web. Have them be on different circuits or different segments of your connectivity. Your payment gateways and your staff access for VPNs - those definitely need to be on separate segments. What’s likely to happen is that the DDoS attacks will be against the normal web interface. However, in the middle of that, as a bank you need to survive. What you really want to be able to do is make sure that the rest of the infrastructure is able to operate, so that your staff and any third-party assistance that you request in order to help you - maybe even for your major customers to have an alternative web interface for them - you want to make sure they’re on separate web interfaces. Because, once the attack - which is normally launched against the bandwidth - is under way, you’re not going to be able to get traffic in or out in order to help you.

Make sure that you have a switch in place. If you’re using third-party organizations for either content distribution, DDoS mitigation or for your DNS, which are things that you absolutely should be doing if you’re a small to regional bank, you want to make sure that you have the ability that when there’s an attack that’s under way you’re able to switch the resources very rapidly and seamlessly to those third-party resources.

What you want to be able to do is prepare for non-Internet banking. You want to make sure that when you have an Internet failure because of a DDoS, you have a method that allows your customers to call in. Have enough inbound phone numbers; have enough inbound operators; and also make sure that you have the ability to bring additional tellers in, because, if you’re a local regional bank, the chances are customers will get in their vehicles, drive down to the bank and come and try and do banking over the counter. Make sure you can support them. …

Prepare the messages in advance. Make sure that your messaging process to your customers - as well as your shareholders and the public - is done well in advance, that it’s very concise, explains what’s happening and tries to make sure that people don’t get any sense of panic. Make sure that you have the channel set up so that you can get those messages to your customers.

Finally, practice all of the mechanisms that you have and all the procedures you have in place. It’s not enough just to have a dry drill once a year. The more often you’re able to practice with your employees - both your IT staff and your retail staff - the more likely you are to have very little significant effect when you actually are forced by a DDoS or some form of an attack to actually use the alternative methods.

Field:

What do you believe we have learned from this third phase of DDoS that we’ve just seen?

Joffe:

What we’ve really learned from this latest phase that concluded … is that they have gotten better and better at what they’re doing. They’ve clearly been watching our response, really understanding the mechanisms that are used to help the banks survive and mitigate the attacks. They’ve made minor changes, but the changes have been very effective. They’ve started to understand the ways that the different banks actually are protecting themselves, and each bank is slightly different in the way they’ve done this. They’ve done a very good job of recognizing it. Depending on who the bank is, they’ve modified the attack.

The other thing that we’ve seen them do - which is quite interesting - is they’re now modulating the size of the attacks. There are smaller banks that have been attacked. I think the smallest one I saw was around three gigabytes. But in that particular case, three gigabytes was enough to actually disrupt the bank. They’ve become quite good at measuring the effect in real-time and using just enough resources.

Kitten:

I completely agree with what Rodney is saying. I think what we’ve learned in the third phase is that the attacks have gotten more targeted, more sophisticated, and the botnets behind these attacks continue to grow. My opinion here may differ a bit from Rodney’s, but with the botnets continuing to grow, there’s no reason to think that these attacks are going to slow down or stop. I think that there’s quite a lot of momentum behind what the hacktivists have been able to do, and I think that they have learned a lot. I completely agree that they’ve gotten more effective.

Wyffels:

I would agree. Clearly, these attacks are continuing. I don’t see them slowing down. They’re getting better at what they do, and they’re evolving as they go. They’re becoming difficult to defend against. They’re difficult to defend against in the first place. Then we’re seeing more agencies become more actively engaged. We’re seeing more things playing out from regulators and government agencies about these attacks, anything from warnings to comments. I think I saw one not too long ago where they were talking to the consumers themselves. I think that it’s becoming more recognized as a real threat, and there’s difficulty in managing that.

Field:

Rodney, I’ll come back to you. Two questions I’m going to combine: How have the techniques changed in the DDoS attacks, and how have the targets changed? You touched upon this a bit, so I’d like to hear a little bit more about it.

Joffe:

From a technique point-of-view, what we’ve seen them do is actually evolve in terms of understanding the way the banks are defending. When it first started, there were attacks that were a combination of DDoS attacks against DNS infrastructure and against the actual websites themselves. Then, in the second phase, as the banks got better defending, we saw them begin to attack in some cases even the ISPs, the control points within the ISPs, and they also started to realize that the inbound attacks were being mitigated relatively well. In the second phase they switched, and what they started to do was make requests for very large files that sit within the banks, and that what you had was an outbound saturation of bandwidth. The banks might have had the ability to filter through companies attacking inwards; outbound there was very little filtering. The attackers would request files that perhaps were application forms, or were brochures or annual reports, things that were four or five megabytes in size. They would request those, and so the bandwidth would be saturated outwards, which was much more difficult to deal with because it made mitigation more on the bank side - number one. Number two, it was almost like playing whack-a-mole over the course of a few minutes, that as a bank was able to either remove that file or move the file to a content provider, the attackers would immediately change the file they were trying to get to. That was the first set of things that they’ve actually done. I’m not sure if any of the others have seen any differences with that in terms of techniques, but from our point of view that’s been the real evolution.

Kitten:

Rodney would be the expert here. In fact, Rodney and I have talked about these techniques quite a bit. The short answer to your question is yes, the techniques have changed. To Rodney’s point, there have been new tools and techniques that have emerged with each phase. We’ve progressively seen these attacks get more sophisticated over time. What I’ve been hearing from institutions is the fact that these application-layer attacks have proved to be the most damaging. Banks have responded, and they’ve responded well. But it’s required a 24/7 effort to keep their websites up and running.

Field:

We’re fortunate to have someone here from the financial institutions. Michael, in light of the attacks that we’ve seen over the past several months, and in light of what we’re talking about in terms of techniques and targets changing, what sort of an internal risk assessment does a banking institution have to do to ensure that you’re prepared for something like this?

Wyffels:

It’s a great question. I do think that there are two different angles that an institution will look at when it comes to a risk assessment for DDoS. Clearly, if you’re hosted versus an in-house bank, hosted being something where your applications are being provided by an outsourced provider versus in-house where you’re hosting your own, your approach may vary a little bit. Clearly on the hosted side you should be working closely with your service provider to determine what precautions and what services they have available to them to help you protect yourself from events as they unfold on the Internet. You’ll find out that most of those large organizations have done pretty well, and they have techniques in place. They don’t openly talk about those techniques for obvious reasons, but clearly they’re concerned about the impacts that would have on an institution. If you have to be hosted on a platform, whether it’s a large institution or a targeted institution, it’s there, and say there are other banks that are running on that platform - they could do collateral damage on that platform that’s providing those web-hosting services. I would say clearly your internal risk assessment should include a look at what it means from a host provider versus in-house.

In-house is a little more difficult. Banks typically don’t spend lots and lots of money, if you will, towards a lot of the security aspects that are available for DDoS attacks. They’re expensive technologies; they’re hard to put in; and you’ve got to maintain those things. But there are good companies that are out there today that have good products that will help banks who need to put those products in place to protect their in-house applications that are being presented back out on the Internet for their customers to use.

There’s another aspect, which is a communications plan. You shouldn’t wait for an attack to figure out what it is you want to communicate to your customers and what you’re going to communicate to the media. Clearly you should put some thought into that, and your incident response plan should be updated to reflect those kinds of things.

Joffe:

It’s quite interesting to think this through. In the very beginning we saw the larger banks being attacked, and they were the ones that made the press. But they worked their way through over the course of time. What we saw in the beginning - as a company that provides some of the capabilities that have been mentioned in terms of defending – was the smaller banks did very little. They asked questions. What has happened over the second and third set of attacks is that we’re now seeing a lot more of the smaller banks actually coming to us. There’s a list, as they’re reading through the news, [which] would look like the top 50 financial institutions in the U.S. To a large extent, those are all the banks that you saw being attacked. But we’ve now started to see a lot of the smaller banks go through and look at the risk issues, and have made a decision that even though they may not necessarily be targeted by this particular group, the risks are there from other sources, from attacks from other sources, be it a hacktivist or regular criminals. I think the banks have made a decision. They’ve gotten comfortable with the costs to the risk, and they’ve actually now gotten comfortable with outsourcing to companies like us, and that’s certainly something that we didn’t see in the very beginning from the smaller banks, but we’re seeing quite regularly now.

Field:

Rodney, to what extent have the DDoS attacks that we’ve seen been conducted to disrupt versus to distract?

Joffe:

The attacks that we saw from the al-Qassam Cyber Fighters, as far as we can tell doing all the research and all the monitoring we can, were designed specifically to disrupt and specifically to get attention. In each particular case, they could have actually taken banks down completely, but it seems like they were really trying to get someone’s attention. There was no criminal element involved. Obviously, this is criminal, but there was simply no intention to actually cover or get involved in any financial shenanigans.

However, there are two things that I think are true. First of all, the criminals that have traditionally been involved in financial attacks, that already have malware as part of their botnets that launch a DDoS attack to disrupt a victim’s ability to check bank balances, I think those same groups in some way are almost guaranteed to have used the cover of the Brobot attacks to actually engage in crimes. That’s the first thing.

The second thing is that I believe this has served as a really good teaching experience for the criminals that normally do get involved in ACH fraud, wire transfers and things like Zeus, SpyEye and Citadel, and I believe that they’ve now been able to improve their ability to create disruption and distraction through the DDoS attacks using the techniques that came from the al-Qassam Cyber Fighters.

Field:

Rodney, my follow-up question for you, and I’d love to hear from Michael and Tracy as well: Is there evidence of fraud that’s been perpetrated in the shadow of DDoS over the past several months?

Joffe:

There’s no direct evidence related to the al-Qassam Cyber Fighters, number one. The numbers we’ve seen - but what I don’t have visibility into is the banks, and for obvious reasons the banks do a relatively good job of keeping as much as they can out of the press. But what we have seen is a fair bit of additional activity in the traditional Zeus and Citadel, and much more sophisticated. I’m not going to say that it’s directly related to it, but I wouldn’t be surprised if that’s what turns out to have happened.

Wyffels:

I would echo what he said. I have not seen anything in the banking industry or from colleagues that I have in the banking industry where they’ve experienced a DDoS attack to be used as a distraction from fraud taking place elsewhere, such as account takeover. But it makes sense that you would think and you would look at this kind of attack as a way to distract you because there’s a number of resources that would become focused on the institution and the impact of the institution’s services. They would focus in that area of the institution where things are stored and potentially could miss something that’s happening elsewhere, and I think that’s one of the reasons why you’re seeing banks start to spend a lot more time on cross-channel fraud detection solutions than probably what we’ve seen in the past.

Joffe:

I think Michael is absolutely correct. The thing that I did notice and I meant to say earlier was that there was a lot of awareness within the security groups that I work with within the banks that are not involved in the DDoS themselves, but involved in normal risk management and identification of fraud, who were sidetracked by the attacks. It took so many resources. Those attacks were actually so effective that resources were taken from the traditional security groups. I think that it really was an attention-getter and it was an attention-diverter, and I think the banks are now beginning to realize that this needs more resources than many of them are supplied, that you’ve got to keep your eyes on the ball while the attacks are happening in the background.

Field:

Tracy, you’ve got the advantage of talking to financial institutions, regulators, analysts; you’ve got lots of different perspectives. What’s your take on the notion of whether there’s been fraud perpetrated in the shadow of DDoS?

Kitten:

The example that comes to mind is the attack against the Bank of the West, which is difficult in an account takeover attempt, although that particular DDoS attack was not linked to the Cyber Fighters. I do think there are different groups out there waging these attacks. To Rodney’s point, a lot of these criminal groups are learning from the attacks that hacktivists wage.

We also have to keep in mind that when we think about DDoS, there’s more than one way, more than one channel to DDoS, if you will. If we’re talking specifically about online banking, it can be DDoS, but we also have seen examples of call centers being [attacked], and a lot of these things are happening simultaneously. I think banking institutions - to Michael’s point - do need to focus on cross-channel fraud detection and more communication among and between their different banking channels. Going back to what Rodney said, I think it’s interesting that we have seen, because of these DDoS attacks, different departments communicating. Moving forward, that’s really the best way to handle it because I do think that there has been evidence of fraud and I think we can expect more of that.

Field:

Tracy, this is a story you’ve covered since the very beginning, last September. From your perspective, how has the public discussion of DDoS evolved in the time that you’ve been covering this story?

Kitten:

When the attacks first started, many of the targeted banks were very forthcoming with information. PNC comes to mind. This institution is even posting blogs on its website from the CEO explaining to customers exactly why they were experiencing intermittent online outages, what a distributed-denial-of-service attack was, how it worked, and they were also communicating with the media. There were several of these institutions that were being hit early on in the process, as we were all kind of trying to wrap our brains around exactly what was happening and figuring out why these attacks were being waged, when they were being waged and how they were being waged. I was in constant communication with some of the PR directors at many of these institutions, and they were very forthcoming with information. They would tell me, “Yes, we have seen DDoS activity this week. It occurred between the hours of 2 p.m. and 5 p.m. Eastern on Wednesday.”

But as time went on, that communication with the media really didn’t begin to flow, and many of the financial institutions that I’ve spoken with have told me off the record that this was because they were advised by federal investigators, as well as groups like the FFIEC, to not share too much information, which is understandable. I think the fear was A) you would create some kind of panic among the customers who really didn’t understand what a DDoS attack was, and B) I think the other concern was that you’d be sharing too much information with the hacktivists. If they knew that one particular attack against Bank of America, for instance, was successful, then they would continue to launch that same type of attack over and over again. Over time, we saw the communication kind of fall off the map, quite frankly.

As we’ve moved toward the end of the third phase, I think we started to see things go back a little bit. Banking institutions were becoming a little bit more forthcoming about sharing information and communicating with their customers on social networking sites, such as Facebook and Twitter. I think that the press coverage out there has educated consumers to a point where they’re asking more questions, and I think banking institutions are responding to that. We’ve also seen that publicly-traded entities are including more information in their SEC filings, the quarterly reports and annual reports that they file with the Securities and Exchange Commission. I think there’s a level of awareness there, and I think there’s a willingness to share. We’re all just trying to learn exactly how much is too much and how little is not enough.

Field:

Tracy, you raised a good point there. Michael, I want to turn this question to you, and the conversation is about what you hear from your customers. What questions have you received from customers regarding DDoS, and how do you respond to those questions?

Wyffels:

You could build a list, and every question you’d probably come up with on the list would probably be on there. It really depends a lot on the sophistication of the customer and then how aware they are from the media that events are taking place. Clearly, the large institutions or the large companies that have been hit have made prime-time news, and there’s been little articles done about those. People either hear or read about those, and they want to ask banks what this is and what’s going on that’s causing this. Then, they want to know what can be done about it. They’ll go on to ask if there are precautions that they can take or that [the organization] has taken, and they may even ask - and a couple have at some point - what they are. You have to be a little careful how much you disclose because you don’t want to give these hacktivists or these actors enough information that would cause them to want to evolve or alter their technique or approach such that the things you put in place become ineffective. It’s a constantly changing game that’s taking place out there.

I think customers are becoming more aware every time you’re more educated just because of the coverage that these things are getting. But clearly those folks are trying to learn more, and I think they’re trying to become a greater partner with the financial institution in being an advocate to help mitigate risk associated with these things. The question list is long and wide, and, depending on how sophisticated the customers are, you can get any number of the questions. But I think this is why it’s important for you to be prepared with the communication and the message that you want to give a customer or the media in the event that you’re asked during the event you just incurred an incident.

Field:

Rodney, I’d love to get your perspective here from the inside and from the outside. You’ve been a big part of financial institutions and how they’ve responded. How have you seen the public discussion of DDoS evolve, and has it been to the hacktivists’ advantage or to the financial institution’s advantage the way that discussion has developed?

Joffe:

My experience has actually been slightly counter to Michael’s and Tracy’s. The best example I can give - and this is probably a difference between consumers versus business - is two weeks ago I gave a presentation and talked to a group of 125 people who are more technical than not. I started to talk about the bank attacks and I talked about the DDoS that has been going on since September, and I got predominantly blank looks. I said, “You people are obviously aware of the attacks by al-Qassam Cyber Fighters,” and literally out of 120 people, maybe four or five were nodding. I was quite surprised. I asked the question, “How many people have had problems in reaching their bank’s website over the last six months,” and probably half of them put their hands up. I said, “What did you think it was?” In most cases, they said a glitch in the system. None of them had actually put this together, and they really weren’t aware of the attacks.

I think that the objective of the attackers was really to get someone’s attention and create disruption on the banks. The second that it actually mattered most from an influence point of view, which would have been the business customers, is why I think that that’s one Michael is getting more feedback on from customers. But the funny thing is that the end consumers just seem to accept the fact that there was a problem with the system. I didn’t hear anyone say that they changed banks because of what had happened, which was not what I was expecting and was quite surprising.

Field:

Interesting. Michael, to bring it back to your institutions, what steps have you taken to bolster your institution’s defenses since these DDoS attacks began in earnest last fall?

Wyffels:

We’ve put in place education programs for starters. We have annual workouts that we go through with the employees to make them more aware of these events and to be able to recognize them. We have typically an annual event that we hold for our customers, and we allow those commercial businesses to enroll and come in and sit down with us for a couple hours. We walk through materials that help get them more educated on what these kinds of things are. We also put in place some online programs where customers can, at their own time or their own schedule, sign up and go through material to help them get educated as well. Especially for your small to medium-sized business owners, that helps them get their employees more knowledgeable about these kinds of things [regarding] what to look for and what to watch for.

On the service-provider side, a lot of what we do is outsourced today. We depend a lot on our relationships with our outside service providers, both telecom and core processing, and we have talked with those organizations to determine what it is that they have in place, what they can do and what we can do to help ourselves in the event something like this happened. There’s clearly a communication process that has to be put in place so that you can communicate and get in touch with people quickly when these things are happening. You do that. We have intrusion-detection systems that we’ve got in place and we use those and depend on those quite a bit, and other daily protocols that we’ve got in place to try to help us.

I mentioned earlier about cross-channel fraud detection; we’ve got some tools there to help us as well. We could probably go on and on and on here. I don’t know if the list will ever end. As time evolves, new products and solutions will come out. They’ll become part of the risk assessment and we’ll be determining whether or not cost benefit shows that it makes sense for us or others to put those kinds of things into place. I just think it’s an evolving process for an institution, and you have to leverage those people around you, as well as yourself, to try to be as prepared as you can and to try to have as many tools that make sense for you to protect your institution and your customers.

Field:

Rodney, is Michael’s experience typical or atypical of what you see with your own customers?

Joffe:

There’s certainly a lot more awareness. I think that awareness amongst banks has obviously skyrocketed over the last two or three years because of the large influence of banks that are being affected by Zeus, which is more and more, by the way, targeting smaller banks that don’t have as sophisticated a process for wiring, which is when most of this occurs. There’s a lot more sophistication that’s going on.

I’m really impressed by the things that I’m hearing Michael say in terms of the bankers’ handiness because it means that the message is obviously getting through and banks are becoming more and more aware of the real issues. The other thing that we sort of sometimes forget is that the law enforcement community is also starting to take this much more seriously, and there was obviously training and a vocational windfall three or four years ago, but there weren’t that many agents that actually understood it. Now we actually see some national task forces that are working together to deal with the issues and to also start to accept the fact that these attacks are no different to the kinds of attacks where someone walks in and brandishes a weapon, other than the fact in those particular cases lives are put at risk. I’m not minimizing that; that’s a really important thing. But the difference is if there’s an armed robbery, you might see a few thousand dollars stolen. With some of these larger attacks where there’s actually a financial issue, you’re seeing sometimes in the multiple millions of dollars, and it really does have an effect over time. You also have the disruption. There’s brand damage that we’re seeing with banks that also has to be dealt with.

Field:

Tracy, I’m going to bring you back into the discussion here. You’ve got a unique perspective because you talk to law enforcement, regulatory agencies and financial executives. From where you sit, how has the financial industry responded well to the DDoS attacks? And the flip side, how have they responded not so well?

Kitten:

I’ll just echo some of what has already been discussed. The larger institutions have definitely stepped up their DDoS mitigation efforts, and they’re defending themselves very well. Information sharing among these institutions has been phenomenal and it’s really set a new bar for the financial industry. I suspect that other industries will learn from the example that many of these leading institutions have set. They’re sharing information on a regular basis and it is information sharing that we’ve really never seen before.

On the flip side, I’ll go back to the point that Rodney made earlier. I’m kind of glad to hear that smaller institutions are actually stepping up their efforts because what I’ve gotten over the course of the last several months is that many of the community banks, in particular smaller institutions, are not really well-prepared for these types of attacks. I think a lot of that goes back to the fact that they’ve gotten mixed messages from law enforcement and mixed messages from the industry. They weren’t really sure if these types of attacks would be affecting them. To Michael’s point, investing in some of the mitigation solutions is very expensive. It’s expensive from a technology standpoint; it’s also expensive from a staffing standpoint because smaller institutions just don’t have the staff on hand. Working with the core processor, working with vendors that you already have, makes a big difference and it’s good to know that some of these smaller institutions are taking these attacks seriously because they need to.

Joffe:

[I have] just one point in support of what Tracy is saying. The small institutions are finally coming to talk to us and are working with us to make use of the experience that we’ve gained from the attacks against the larger banks. One of the good things that’s occurred in the provider industry where we’re actually mitigating some of these attacks [is] it’s been a very good learning experience for us as well. We’ve gotten a whole lot better at what we’re able to do, as have some of the other companies in the business. That’s one good thing that the smaller banks now get the benefits of experience that was effectively paid for by the larger banks. As some of them realize that, they’re stepping up.

Field:

One of the points you’ve made in previous conversations is that every organization should consider itself a potential DDoS target. That being the case, what are some of the ways that organizations can diminish the impact of DDoS?

Joffe:

I think that there are multiple levels that you can do. First of all, if you can at all do it, avoid being a target. But that becomes more and more difficult, especially when you’re dealing with hacktivists. The kinds of things you can put in place are the things Michael had mentioned. You have the traditional things you use like IDS - intrusion detection systems - and intrusion prevention systems and so on. Put in systems that are capable of recognizing when there’s some form of attack that’s occurring internally. Have your staff be aware of the fact that there’s unusual activity in some particular way.

The next thing is to make sure you prepare for the attack. You make an assumption that at some point someone is going to get upset at you and is going to choose you as a target or they’re going to choose to victimize you because they want to victimize your customers, not so much you, but they may have targeted a customer of yours. What you want to start doing is, as those things occur, and assuming that DDoS is going to be a part of the attack, making it difficult for the victim to actually connect with a bank … have some kind of communication process in place already with your customers that tells them, when this kind of thing happens, here’s a plan B and here’s a plan C for actually being able to do business with the banks. Michael is doing all the right things. The education part with customers is to educate them not only to not be victims but how to recognize when some of the clients are victimized and be able to recognize it. …

Field:

Rodney, a quick follow-up: How can organizations make themselves less-attractive targets for DDoS?

Joffe:

The best example I can give is if a burglar walks down the street. You look at all the houses, and one of the houses has a high fence, guard dogs, big alarm, signs and cameras. Burglars in general will go to another house. They’re looking for the easy targets. One of the things you want to make sure of as a company is that you have processes in place that make it difficult for you to be compromised. If we talk now about the normal financial attacks, make sure that you don’t look like you’re a great target. Make sure that you have those things like IDS and so on.

From the DDoS point-of-view, what you probably want to be doing is making sure that your resources are with third-party providers that have a reputation. When someone who’s looking to launch an attack looks at a list of targets - and they identify the fact that of the ten targets three of them are using outsourced providers of DNS, they’re using outsourced providers for content hosting and for perhaps even DDoS mitigation - if they’re looking to make an impact, there’s a point at which they may say, “I’m not going to go after those three; I’m going to go after the other seven.” One of the best ways you can make yourself not be a target for DDoS is by using large outsourced companies that have a reputation and have the ability to be able to defend to some extent against these large attacks.

Field:

Michael, a question for you for the financial-institution perspective. In your opinion, how have the DDoS attacks changed the way that banks secure themselves? Also, to get to the points that Tracy and Rodney were making and you yourself, how has it changed the way financial institutions communicate with customers about threats?

Wyffels:

All the financial institutions want to be very open and straight with their customers when events are taking place. But at the same time, they have an obligation to protect your customers from being subject to a threat later in the game. That being said, you don’t want to communicate so much that you educate the hacktivists about techniques or things that you’re doing and then they evolve their threats to accommodate those techniques and you become ineffective again. The banks are getting smarter about how to articulate what’s happening and when it’s happening and what the customers can expect from their service provider in the event that these things take place. I think that’s probably one thing.

Historically, our incident response plan covered a lot of the traditional things that you would see out there today; for example, disaster recovery is a pretty common thing to have an incident response plan around. Based on where you’re at, the threats that chose to do that usually come into play. If you’re in an earthquake zone, there’s going to be a scenario for that. If you’re in a heavy weather zone where you have high winds or weather-related events, you’re going to have scenarios where you practice that. Now banks are looking at the Internet and they’re looking at a whole different kind of environment that has a whole different set of threats assessed to it. Your incident scenarios now are going to start including things like malware, DDoS and so on. Banks are reacting with their incident response plans to become more sophisticated and be stronger planners around how they would react to those kinds of things.

Field:

Tracy, I’ve got a question here for you, and I’m sure it’s one that you want to respond to as well. Given everything that we have discussed or we’ve seen over the past several months, what remains your biggest unanswered question about the DDoS attacks on financial institutions?

Kitten:

I think the biggest question is, “Why?” What’s actually been the purpose of these attacks? Has it been to get attention? If that’s the case, then have they gotten the attention that they want? Are these attacks going to stop? I don’t think they will. I think we’ll continue to see the attacks. Are the attacks being waged to perpetrate some type of fraud? Can we expect malware to in some ways be associated with these attacks in the future? The botnet continues to grow. We know that the botnet at full force has not been used in these attacks. Why not? What exactly are the hacktivists after? I think these are questions that have yet to be answered. I think we’re still trying to figure out exactly what the purpose is.

Field:

Rodney, what do you expect to see in a next phase of DDoS attacks? Go with the presumption that the third phase is over; we’re waiting to see what could happen next. What are your expectations?

Joffe:

I guess the major thing from my side is that we’ve seen change in the way that the attackers are actually working. They continue to be more sophisticated, but they stopped three weeks ago and we’ve seen no real activity. I may be proven wrong in the next day or two, but I have a sense that, given there was no shutdown, this went quiet around OpUSA and never came back, and knowing how much of an effect this had on the banks - there have been a couple of articles with some presentations about the federal government and the banking industry when they talked about the fact that this was a more debilitating set of attacks than most of the banks admitted - I wouldn’t be surprised if behind the scenes there’s been some pressure that’s brought to bear [and] this actually has stopped the attacks. I don’t know that we’re going to see more of the attacks from the al-Qassam Cyber Fighters.

If those continue, I think that it’s going to be just as effective going forward as it has been so far. I don’t think that there’s any real way that these can be mitigated, absent actually getting hold of the people behind them and taking action with the actual perpetrators. I think that defending this is going to be very, very difficult because it makes you solve the fundamental mechanisms that make the Internet work.

On the other hand, as I said earlier, I think that we’re going to see more and more attacks from the traditional sources of DDoS as sort of a side activity of the normal banking and financial criminals. They’re going to be using these kinds of DDoS [attacks] and it’s going to be getting a lot more difficult for us to actually keep things relatively calm, certainly in the next few months. We’ve already seen discussions in the underground where the criminals are discussing openly the mechanisms that work. In the same way as the banks are discussing the mechanisms that work in defending, we’re watching the bad guys discussing the things that are actually working for them. That actually gives me a bit of a shock.

Field:

Michael, what do you expect to see in the next phase, if there is a next phase of attacks?

Wyffels:

I would continue to see more sophistication coming from these attacks, that they even get more specific than what we’ve seen in the past. I think activity now causes us to be more suspicious. It kind of makes us wonder, “What did they learn from the last attack and what are they adapting to? What are they planning to do with what they learn and when is that going to happen?” I think that they’ve proven to be and will likely continue to be effective in their efforts. Regardless of their motivation - geopolitical, religious or just trying to use it as a deceptive practice to move funds from one account to another or move them out of the country - I think all those same motivations are going to continue to play themselves out, whether it’s the same group of actors, a new group of actors or just an individual actor that wants to get in the game.

Field:

Tracy, your thoughts?

Kitten:

I think there are probably a few different scenarios that could play out here. I do think that we will see the attacks pick up. There’s evidence that the botnet continues to grow. Why that botnet continues to grow I don’t know. Whether or not the group that owns this botnet plans to rent it out to criminal groups to wage attacks could be a reason. Perhaps we won’t see any other phases from QCF, or QCF will come back and start attacking again. I think it does raise questions when we see them take a break. We have seen this before, and we’ve seen each phase as we move along get progressively longer. The first two phases ran six to seven weeks. This most recent phase, the third phase, ran nine weeks. If we do see another phase begin in the next couple of weeks, it will probably be the longest that we’ve seen so far. But again, I think it goes back to what I was saying earlier; we’re not really sure what the purpose here is. We know that they’re continuing to strengthen their abilities. What will be done with that I think remains to be seen.

Field:

Final question. Tracy, I’ll send this to you first. We’ve said from the start that financial institutions might be the best prepared to handle something like DDoS, just because of the investments they’ve made in security. Assuming that DDoS can become a weapon to be used against any industry, any organization, what advice do we offer to non-financial institutions? What should they be doing now to prepare in case they, their organizations and their industries become the next targets?

Kitten:

I think it goes back to what Michael and Rodney have both said: risk assessments. I think other industries could learn quite a bit from the financial industry from a risk-assessment perspective. They really need to understand what their risks are, where their data is and what might be exposed if they were to be attacked or distracted in some way. The sad reality is that most industries really aren’t that well prepared. We have seen DDoS attacks waged against different industries, and they’ve been debilitating. I really think that it all starts with a firm risk assessment and then just getting a handle on exactly where you have data, what vulnerable points you have and preparing for that now.

Wyffels:

Clearly, I believe that we should all be practicing good security hygiene, just the basic fundamentals of what you would do to protect your internal networks, desktops, servers and devices that provide computing power to the users. Having good fundamentals there helps prevent those components from becoming part of the botnet that Tracy had talked about, or at least mitigates the risk to keep that from happening. Having good intrusion detection and prevention systems in place can also be very effective. Again, you don’t have to buy them; you can subscribe to those so you can see the complexity for anybody to use those, just applying strong access practices. Every time you add a layer of security or you make things a little bit harder for the person on the keyboard, it makes it that much more difficult for them to get their job done.

But still, nothing replaces good, strong access-control practices. Think about that. If you haven’t talked to your service providers, I think you should. You should get out there and find out what they know, what they have, what they do and how you can participate. Learn from what they’re doing. See if you can apply any of that to your own organization.

Lastly - and I say this a lot - train and educate your staff. Train and educate your customers the best that you can. Help them become more aware of what’s going on and how they can play a role in mitigating the risk for that. That by itself is another layer of security that you can apply. I don’t think this just has been limited to the financial industry. I really don’t believe that there’s any vertical that’s immune to these kinds of attacks, and we’ll probably see more and more of that as time goes on.

Field:

Rodney, I’ll give you the last words on it. What’s your advice to non-financial institutions?

Joffe:

Michael and Tracy have said everything - all the right stuff, all the good things. We already are beginning to see [attacks] on some of the sectors, in the energy sector and utilities, so there’s a real concern there. But I have a slightly different take. Knowing that you’re doing all these things, one of the most important things people can do is accept the fact that there are going to be attacks. Accept the fact they’re going to be compromised. Spend the time now preparing with recovery. How do you deal with the attack? And not just the attack, but how do you deal with it once it’s happening, [such as] customer communications, getting yourself back to a trusted place, getting yourself back to a situation where you can actually begin to do business again and trust what’s actually going on; knowing that the numbers are taken care of and that the systems have been cleaned off appropriately?

From the DDoS point-of-view, when you have a DDoS and the DDoS stops, don’t make the assumption that it’s done. Make the assumption that says the DDoS may be used as a cover for something else. Have a process in place that says when there’s a DDoS, we begin with the other things that would affect us as a business that may have been compromised during the distraction phase of the DDoS. In a nutshell, hope for the best by using best practices, prepare for the worst and assume you’re going to have to recover from something.