DDoS Defense for Financial Services Companies

Transcription

1 Arbor White Paper DDoS Defense for Financial Services Companies The Next Step in Disaster Preparedness

2 About Arbor Networks Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world s Internet service providers and many of the largest enterprise networks in use today. Arbor s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS Active Threat Level Analysis System. Representing a unique collaborative effort with 270+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions. 1

3 DDoS: The New, Emerging and Very Real Security Threat Distributed denial of service (DDoS) attacks are increasingly becoming one of the most grievous security threats that any company with a significant online presence faces. In fact, four of the top five security threats today are DDoS related, with an average of 2,000-3,000 DDoS attacks per day on enterprises, financial institutions and governments. 1 And the reality is that the severity, frequency and complexity of these attacks are on the rise, with no end in sight. Operation Ababil, for instance, started in September of 2012 as a politically motivated DDoS campaign targeted at banking institutions. Led by a group called Cyber Fighters of Izz ad-din al-qassam, this campaign has had multiple waves of attacks, with each growing in sophistication, strength and breadth. In fact, in May of 2013, the FBI announced that these hackers were modifying their attack methodology to better evade mitigation efforts of financial institutions. 2 Taking Aim: No Financial Services Company is Immune Motivated by ideological hacktivism and Internet vandalism, hackers recognize financial institutions as attractive targets that have built strong revenue streams and enhanced customer loyalty through online and mobile services. By attacking banks and other financial services companies, hacktivists believe they can disrupt the global economy of the U.S. and other leading countries and this strategy seems to be working. According to Keynote Systems, major U.S. bank Web sites were offline a total of 249 hours during a six-week period in early 2013, an increase of more than 70 percent over the previous year. 3 And the FBI reports that since September of 2012, 46 U.S. financial institutions have been targeted in over 200 separate DDoS attacks. 4 Initially, most of the DDoS attacks targeted very large financial institutions that are part of the Fortune 100. The Financial Services Information Sharing and Analysis Center notes that the second phase of Operation Ababil hit mid-tier banks and some credit unions. In announcing recent planned attacks, the Qassam Cyber Fighters added smaller financial services companies and secondary and tertiary processors such as payment processors, local or regional banks, and clearing houses to its list of targets. Service providers with customers in the financial industry are also increasingly becoming targets. And for them, the risk is even larger, as a multi-customer attack can be exponentially devastating. It s Time for a New Approach to Disaster Preparedness Today every financial services company with online services whether large or small, local or international is at risk for the ever-present DDoS threat to its network, infrastructure and customer data. Financial institutions should include a DDoS defense plan in their disaster preparedness strategy, as the ramifications are potentially just as costly if not more so than a natural disaster, accidental fire or unplanned downtime. This Arbor Networks white paper examines the growing multi-vector DDoS attacks that are becoming more prevalent. It also discusses how financial institutions can integrate DDoS defense best practices and services in their disaster preparedness programs to better protect themselves and their customers from these devastating attacks. 1

4 The Deep and Costly Impact of a DDoS Attack Ironically, the costs to execute a DDoS attack are relatively minimal, since the tools are simple to develop and often shared widely online for free to anyone who wants to maliciously participate. However, the consequences of an attack can cost millions, not only from mitigation, but also from other longer-term ramifications. The Aftermath of DDoS: From the Network to the Customer The extent of damage done by the latest waves of DDoS attacks on financial institutions is still unclear. However, several years ago McAfee surveyed enterprises representing a variety of business sectors. The survey reported that, on average, these companies estimated that 24 hours of downtime from a cyber attack would cost their organizations $6.3 million each time. 5 In reality, the full costs of an attack could be much higher. A well-documented case is the Sony Corporation PlayStation hack, where data on approximately 77 million user accounts was stolen. Sony estimates that it spent $170 million to recover, with expenditures including customer identity theft insurance, network security improvements, customer support, public relations, legal costs and an investigation into the hacking. 6 Financial services companies may face these same expenses, along with one additional, more far-reaching ramification customer loyalty. The Quick Erosion of Trust While it can be costly to mitigate a DDoS attack, the possible harm inflicted on a financial institution s relationship with its customers may be costlier. The very nature of such a relationship is dependent on trust. Unlike a customer s relationship with his or her favorite online retailer, people don t shop around to get access to their financial assets. They believe that their financial assets whether it s a checking account for immediate purchases or a retirement fund for the future are completely safe, always readily accessible and secure with their chosen financial institution. Therefore, when customers can t access their accounts online for any extended amount of time, frustration can quickly turn into panic. Confidence erodes rapidly, and customers may opt to go to a competing organization that is deemed more trustworthy. This kind of widespread disruption is the ultimate goal of hacktivists. And with their latest level of sophistication and broad reach, these groups are ensuring that no financial institution with an online presence should think it s exempt from an attack. Potential DDoS Attack Costs The actual costs of an attack depend on its duration and severity. But if a financial services company is a target, it can expect a direct or indirect impact in one or several of the following areas: Network Recovery. During and after an attack, an organization will need extra personnel, both internal and external, for mitigating the attack and restoring Web site service. There may also be additional service provider costs for recovery assistance and extra bandwidth. Infrastructure Repair. Once an attack is over, there may be a need to restructure the security of the infrastructure to eliminate any system vulnerabilities from future attacks. Company-Wide Productivity. During downtime, internal and customer-facing help desks and service departments will be inundated with emergency requests and panicking customers. In addition, employees may have difficulty doing their job without Internet access. Customer Loyalty. Customers will be inconvenienced, possibly causing some to defect and move to competitors, as trust is eroded. Credits and refunds may be mandated, particularly if customer data is compromised. Brand Image. Depending on the attack s severity, there may be a need for short-term public relations efforts to rebuild trust with current and future customers. Profitability. The loss of immediate e-commerce dollars from missed sales may be one of the first impacts. There are also longer-term revenue implications, especially if an attack impedes anticipated business growth and necessitates higher customer acquisition costs. To automatically calculate the potential DDoS costs to your organization, visit 2

5 Today s Attacks: Complex, Severe and Multi-Vectored Initially, the first DDoS attacks on financial institutions were much simpler in nature. But today, hacker groups are more innovative and aggressive, unleashing attacks that are bigger, faster and more complex. Hackers like those behind Operation Ababil used tools such as Brobot and large numbers of readily found neglected or zombie Web servers to perpetrate their attacks. With thousands of high-bandwidth servers at their disposal, these hackers are increasing their ability to attack more and more institutions within a short time. To ensure their attacks are more effective, hackers are using real-time monitoring tools that help them identify defense mechanisms that block their efforts. They then adopt a different approach on the fly to counteract the defense and evade further mitigation. Hackers are also enlisting the help of other groups that are more than willing to share intelligence or join forces with them simply because they want to, but also for financial incentives. The Multi-Layered, Multi-Phase Strategy The latest attack strategy for hacktivists is to simultaneously unleash a wide array of attacks on multiple protocols and applications against a targeted financial institution. This type of approach causes the greatest amount of destruction possible before detection. These powerful attacks can be devastating, as the attacks are a challenge to identify and difficult to defend against. While the vectors are continuously evolving, the most damaging attack types employed today include the following: Volumetric The most common and well known, this type of attack focuses on flooding networks with enough Internet traffic volume to consume all of a target s bandwidth. To congest the networks, trillions of packets are sent, which quickly block legitimate customers from accessing a target s site. The average size of attacks in 2012 was 1.67 Gbps, and the largest was just over 100 Gbps. 7 In 2013, however, one attack has already reached an astounding 300 Gbps. TCP State Exhaustion Another level of attack goes after the connection state tables of infrastructure resources and components such as routers, switches, load balancers, firewalls and application servers, bombarding them until they can no longer function properly. For instance, a high-capacity firewall may be compromised after it attempts to analyze thousands or even millions of false packet requests, thus denying access to all the resources behind it. Application Layer This type of attack is a bit more sophisticated and can cause the most damage. That s because it goes after specific applications or services and attacks resources at a slower, stealthier pace than other DDoS occurrences. Over time, applications such as Web or servers can t keep up with the thousands or millions of requests that infiltrate the system, bringing everything they support to a standstill. 3

6 ISP 1 Data Center ISP 2 ISP EXHAUSTION OF STATE EXHAUSTION OF SERVICE SATURATION Firewall IPS Load Balancer ISP n Target Applications and Services Todays complex, multi-layered DDoS attacks are even more challenging to identify and block due to attacker innovations, tools and strategy Attack Traffic Legitimate Traffic Finding the Greatest Vulnerabilities Hacker organizations understand the high cost of mitigation. They also know that an attack requires the convergence of extensive resources. Part of their strategy is to monitor the level and type of mitigation efforts that organizations execute during an attack. For instance, after a volumetric attack, hackers can tell if a financial institution is protected only at the service-provider level. They can then go back to the same financial services company and go after it at the application layer, knowing that there is no protection on premise. Because all mitigation resources are focused on the volumetric attack, the application-layer attack, which is always more difficult to identify, will go undetected for longer and cause more damage before mitigation can occur. Be Aware of Smoke Screens As mentioned, an attack that involves one or more of the above vectors requires the full attention of an organization and its service provider. What appears to be one type of attack may simply be the means to achieve a deeper, more pervasive destructive goal. For instance, the known attack may be a smoke screen for hackers as they attempt to get into a company s proprietary data, such as customer information and intellectual property. In fact, Gartner Research warns that fraud linked to DDoS attacks is likely on its way, with hackers eventually targeting individuals through massive account takeovers. As one Gartner analyst notes, initially the hackers attacked the perimeters, then they moved to back-end services in order to get into accounts. 8 4

7 DDoS Protection: A Broad and Multi-Faceted Approach Because DDoS attacks have become more complex and sophisticated, so must any defensive strategy that attempts to fully protect a financial institution. Traditional security measures such as firewalls, intrusion prevention systems (IPS) and other disaster preparedness tactics are certainly key components in a DDoS protection strategy. However, those measures alone are not strong enough, as they do not have functionality that can specifically defend against the rapidly evolving DDoS attack tools used today. The Best Defense: Purpose-Built Because hackers are gaining momentum and expanding their tactics on a daily basis, financial services companies need an additional layer of protection that helps them stay one step ahead. The optimal solution is a purpose-built, intelligent DDoS mitigation system. Financial institutions need a multi-faceted solution that can detect and block attacks with multiple dimensions of countermeasures before the attacks escalate into costly service interruptions or worse, an eroding customer base. Armed with a defense based on the latest emerging threats, organizations are protected both on premise and at the service-provider level against current and future attack strategies. Defend Upstream If it is a victim of a volumetric attack, a financial institution will never have enough on-premise bandwidth available to offset the attack. The best defense against this DDoS attack is a solution that provides protection functionality at the cloud or service-provider level. The provider can then identify the volumetric attack and divert the attack traffic to a scrubbing center for mitigation. Defend On Premise The application-layer and state-exhaustion attacks aimed at the perimeter of networks and data centers are often called low and slow attacks. Because this type of attack traffic looks legitimate, it s much harder to detect. As a result, hackers are often able to successfully get through the traditional defenses of service providers. These attacks, therefore, are best defended with an on-premise solution that is as close to the application or network infrastructure as possible. This provides quicker visibility into any suspicious activity and helps stop the attacks before extensive damage occurs. 5

8 Plan Ahead and Be Prepared Like any part of a disaster preparedness strategy, contingency planning is a key part of a DDoS mitigation plan. Once a multi-faceted intelligent mitigation system is in place, it s important to rehearse an action plan that is coordinated both internally as well as with service providers. A well-thought-out strategy, executed by a thoroughly trained team, provides the best chances for a financial institution to ward off an attack while protecting its network, infrastructure and customers. ISP Cleaning Center ISP Firewall IDS/IPS Firewall Large DDoS Attacks Data Center Load Balancer IDS/IPS Target Applications and Services Attack Traffic Legitimate Traffic Application Layer Attacks Multiple layers of defense are required for comprehensive DDoS protection Conclusion The Ababil financial attacks have awakened the industry to the threat of targeted multi-layer DDoS attacks that are not stopped by upstream service providers. While the hacktivists have started and stopped their attacks periodically in the past year, the expectation is that they will continue to use refined and widespread weapons to attack organizations at multiple levels of their networks and infrastructures. And the floodgates have opened in terms of the new weapons that are now part of the hacker s tools, making a layered approach to DDoS defense even more imperative. While traditional security measures can help, they are ill-equipped to defend against the invasive DDoS techniques that hacktivists employ. Camping out in war rooms waiting for an attack won t help either. The recommended defense against multi-level, multi-phased attacks is an intelligent DDoS mitigation solution that is built specifically to address the most destructive kinds of attacks, no matter what vector is used. Besides providing a base level of protection, a comprehensive DDoS mitigation solution provides insights into emerging threats. Financial institutions can use this insight to develop defenses both on premise and at the service-provider level. With visibility into all traffic and potential subterfuge, these kinds of solutions deliver multiple dimensions of countermeasures that organizations can leverage to stop dynamic and diverse threats before an attack is fully launched. To learn more about the kinds of solutions that can help protect you and your customers from DDoS attacks, contact Arbor Networks today. 6

9 References 1 Arbor Networks Research 2 news.softpedia.com/news/fbi-warns-that-al-qassam-cyber-fighters-are-modifying-their-botnet shtml FBI Liaison Alert System, #M BT 5 In the Crossfire: Critical Infrastructure in the Age of Cyber War, McAfee, Eighth Annual Arbor Networks Worldwide Infrastructure Security Report 8 DDoS: What to Expect from Next Attacks, Bank Info Security, April

10 8

11 9

12 Corporate Headquarters 76 Blanchard Road Burlington, MA USA Toll Free USA T Europe T Asia Pacific T Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks: Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners. DS/DDoSDEFENSE/en/0713-letter