Security execs have never been comfortable talking about these attacks because they don’t want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.
But many companies are finding themselves under attack for the first time, and their security chiefs need answers if they’re going to fight back. So despite knowing CSOs are reluctant to talk, we tried to get answers anyway. We offered several CSOs anonymity to tell their stories, a tactic that always worked before.
Not this time.
[The DDoS survival guide: 2013 edition]
DDoS attacks have become more ferocious than ever the past few years, fueled by hacktivists who understand that every minute of downtime for a financial services site equals millions of dollars in lost business. Attacks hitting the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo have been so relentless and sophisticated that most security execs are too freaked out to discuss details.
“These DDoS attacks are a very sensitive issue now and not something we can talk about publicly,” says the CISO at a midsize bank that operates out of the Pacific Northwest.
“Our communications department has asked that we don’t discuss this with the media right now, out of concern that we may draw attention to ourselves and become a target,” says a security officer at another financial services firm in the southeastern U.S.
Tight lips sink company defenses
While theres plenty of truth behind the old World War II propaganda posters that say, “Loose lips sink ships,” the saying “Knowledge is power” also holds true, especially when it comes to defending modern business-technology systems. There’s no doubt that tight lips can be a problem if you’re the newly-minted CISO of a bank and find yourself under attack. You need good information on the most recent attacks and defense trends.
Some contend that the adversarial relationship between regulators, the public and financial institutions regarding cybersecurity incidents is at least partially to blame for organizations playing their cards so close to the vest.
“The best way to drive this kind of cooperation and information sharing is to make sure that there are no repercussions to the institutions for sharing both successes and failures. If an institution shares attack information that was successful and then the regulators come down on them for that, they’re not going to want to cooperate in the future,” says Chip Tsantes, principal of information security advisory services at Ernst and Young.
When it comes to these recent waves of DDoS attacks, being able to detect the techniques employed in the attack and speedily respond to threats means the difference between keeping services running and having them shut down.
“These recent DDoS attacks are evolving so very rapidly, every time a new attack arrives theyre switching to a different strategy,” says Lynn Price, IBM security strategist for the financial sector. In essence, the attackers’ strategy is to increase their capacity, use advanced infrastructure and application targeting tools, and automate attacks.
“They’re getting much more sophisticated in their capability and what aspects of the IT stack they’re hitting,” she says.
[Lulzsec members sent to prison for infamous DDoS attacks]
In this environment, silence among the good guys is an extreme liability. So despite CSOs’ extreme reluctance to talk about this issue, we managed to get some information through background discussions and interviews with security specialists who help companies combat DDoS attacks. Using that insight, we’ve assembled some action items for companies that aren’t used to facing down DDoS attacks.
Be ready for real-time defense adjustments
“Not only were these attacks multi-vector, but the tactics changed in real time,” says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods.
“They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics,” he says. “Enterprises have to be ready to be as quick and flexible as their adversaries.”
Don’t rely only on perimeter defenses
Everyone we interviewed named cases in which traditional on-premise security devices –firewalls, intrusion-prevention systems, load balancers –were unable to block the attacks.
“We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before it gets to those devices. They’re vulnerable. They’re just as vulnerable as the servers you are trying to protect,” says Sockrider. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter.
It’s especially important to mitigate attacks further upstream when you’re facing high-volume attacks.
“If your Internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You’ve already been slaughtered upstream,” says Sockrider.
Fight application-layer attacks in-line
Attacks on specific applications are generally stealthy, much lower volume and more targeted.
“They’re designed to fly under the radar. So you need the protection on-premise or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks,” says Sockrider.
The banking industry is collaborating a little when it comes to these attacks. Everything they reveal is carefully protected and shared strictly amongst themselves, but in a limited way, banks are doing a better job at collaborating than most industries.
“They’re working among each other and with their telecommunication providers. And they’re working directly with their service providers. They have to. They can’t just work and succeed in isolation,” says Price.
They’re also turning to the Financial Services Information Sharing and Analysis Center for support and to share information about threats.
“In some of these information-sharing meetings, the [big] banks are very open when it comes to talking about the types of attacks underway and the solutions they put into place that proved effective. In that way, the large banks have at least been talking with each other,” says Rich Bolstridge, chief strategist of financial services at Akamai Technologies.
The financial sector’s strategy is one that could and should be adopted elsewhere, regardless of industry.
Have your playbook ready
Organizations must try to anticipate the applications and network services adversaries will target and draft an emergency response plan to mitigate those attacks.
“Enterprises are paying more attention to these attacks and planning how they’ll respond. And they’re getting better at assembling their own internal attack information as well as the information their vendors are providing them to help fight these attacks,” says Tsantes.
IBM’s Price agrees.
“Organizations are getting better at response. They’re integrating their internal applications and networking teams, and they know when the attack response needs to be escalated so that they aren’t caught off guard. So as attackers are becoming much more sophisticated, so are the financial institutions,” she says.
Now that many larger financial institutions have hardened their DDoS defenses, observers are concerned that attackers will broaden their nets to include smaller banks, credit unions and even other industries.
“The one good thing about these rounds of attacks is that they’ve caught the attention of management at regional banks, and they’re asking about what needs to be done so that the organization is best prepared,” says the IT security officer at a regional bank in the mid-Atlantic.
“Many smaller banks are gearing up as a result of watching the larger institutions being attacked. They see that they too can be victims, and they’re choosing to be proactive,” says Bolstridge.
For most, explains Price, that means increased reliance on service providers and managed security services providers.
“They’re having their systems assessed for resiliency, and they’re making sure that their service providers are prepared for potential attacks and that they also have adequate protection in place,” she says.
Watch out for secondary attacks
As costly as these attacks can be, they may sometimes be little more than a distraction to provide cover for an even more nefarious attack.
“DDoS can be a diversion tactic for more serious attacks coming in from another direction. Banks need to be aware that they have to not only be monitoring for and defending the DDoS attack, but they also have to have an eye on the notion that the DDoS may only be one aspect of a multifaceted attack, perhaps to steal account or other sensitive information,” Price says.
Be worried, even if you’re not a bank
Although recent attacks have been concentrated on financial institutions, experts are concerned about industry crossover.
“We don’t want to see this level of attacks cross over into healthcare and other industry segments. They’re not as well equipped because they don’t necessarily consider themselves a target,” says Bolstridge. “It’d be some good news if others looked at this as a wake-up call and took a good assessment of their risk.”
Sharing information is an essential part of that.
“The attackers certainly share their information with each other. And really, only the first attacker has to be smart. Beyond that its just implementing software for everyone,” he says.
The good guys should take a page from that playbook.
George V. Hulme is a freelance writer based in Minnesota. Follow him on Twitter: @georgevhulme.