
Arbor White Paper

The Next Step in Disaster Preparedness

DDoS Defense for Financial Services Companies


About Arbor Networks

Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 270+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.


DDoS: The New, Emerging—and Very Real—Security Threat

Distributed denial of service (DDoS) attacks are increasingly becoming one of the most grievous security threats that any company with a significant online presence faces. In fact, four of the top five security threats today are DDoS related, with an average of 2,000-3,000 DDoS attacks per day on enterprises, financial institutions and governments.1 And the reality is that the severity, frequency and complexity of these attacks are on the rise, with no end in sight.

Operation Ababil, for instance, started in September of 2012 as a politically motivated DDoS campaign targeted at banking institutions. Led by a group called Cyber Fighters of Izz ad-Din al-Qassam, this campaign has had multiple waves of attacks, with each growing in sophistication, strength and breadth. In fact, in May of 2013, the FBI announced that these hackers were modifying their attack methodology to better evade mitigation efforts of financial institutions.2

Taking Aim: No Financial Services Company is Immune

Motivated by ideological hacktivism and Internet vandalism, hackers recognize financial institutions as attractive targets that have built strong revenue streams and enhanced customer loyalty through online and mobile services. By attacking banks and other financial services companies, hacktivists believe they can disrupt the global economy of the U.S. and other leading countries—and this strategy seems to be working.

According to Keynote Systems, major U.S. bank Web sites were offline a total of 249 hours during a six-week period in early 2013, an increase of more than 70 percent over the previous year.3 And the FBI reports that since September of 2012, 46 U.S. financial institutions have been targeted in over 200 separate DDoS attacks.4

Initially, most of the DDoS attacks targeted very large financial institutions that are part of the Fortune 100. The Financial Services Information Sharing and Analysis Center notes that the second phase of Operation Ababil hit mid-tier banks and some credit unions. In announcing recent planned attacks, the Qassam Cyber Fighters added smaller financial services companies and secondary and tertiary processors such as payment processors, local or regional banks, and clearing houses to its list of targets.

Service providers with customers in the financial industry are also increasingly becoming targets. And for them, the risk is even larger, as a multi-customer attack can be exponentially devastating.

It’s Time for a New Approach to Disaster Preparedness

Today every financial services company with online services—whether large or small, local or international—is at risk for the ever-present DDoS threat to its network, infrastructure and customer data. Financial institutions should include a DDoS defense plan in their disaster preparedness strategy, as the ramifications are potentially just as costly—if not more so—than a natural disaster, accidental fire or unplanned downtime.

This Arbor Networks white paper examines the growing multi-vector DDoS attacks that are becoming more prevalent. It also discusses how financial institutions can integrate DDoS defense best practices and services in their disaster preparedness programs to better protect themselves and their customers from these devastating attacks.


The Aftermath of DDoS: From the Network to the Customer

The extent of damage done by the latest waves of DDoS attacks on financial institutions is still unclear. However, several years ago McAfee surveyed enterprises representing a variety of business sectors. The survey reported that, on average, these companies estimated that 24 hours of downtime from a cyber attack would cost their organizations $6.3 million each time.5

In reality, the full costs of an attack could be much higher. A well-documented case is the Sony Corporation PlayStation hack, where data on approximately 77 million user accounts was stolen. Sony estimates that it spent $170 million to recover, with expenditures including customer identity theft insurance, network security improvements, customer support, public relations, legal costs and an investigation into the hacking.6 Financial services companies may face these same expenses, along with one additional, more far-reaching ramification—customer loyalty.

The Quick Erosion of Trust

While it can be costly to mitigate a DDoS attack, the possible harm inflicted on a financial institution’s relationship with its customers may be costlier. The very nature of such a relationship is dependent on trust.

Unlike a customer’s relationship with his or her favorite online retailer, people don’t shop around to get access to their financial assets. They believe that their financial assets—whether it’s a checking account for immediate purchases or a retirement fund for the future—are completely safe, always readily accessible and secure with their chosen financial institution. Therefore, when customers can’t access their accounts online for any extended amount of time, frustration can quickly turn into panic. Confidence erodes rapidly, and customers may opt to go to a competing organization that is deemed more trustworthy.

This kind of widespread disruption is the ultimate goal of hacktivists. And with their latest level of sophistication and broad reach, these groups are ensuring that no financial institution with an online presence should think it’s exempt from an attack.

The Deep and Costly Impact of a DDoS Attack

Ironically, the costs to execute a DDoS attack are relatively minimal, since the tools are simple to develop and often shared widely online for free to anyone who wants to maliciously participate. However, the consequences of an attack can cost millions, not only from mitigation, but also from other longer-term ramifications.

Potential DDoS Attack Costs

The actual costs of an attack depend on its duration and severity. But if a financial services company is a target, it can expect a direct or indirect impact in one or several of the following areas:

• Network Recovery. During and after an attack, an organization will need extra personnel, both internal and external, for mitigating the attack and restoring Web site service. There may also be additional service provider costs for recovery assistance and extra bandwidth.

• Infrastructure Repair. Once an attack is over, there may be a need to restructure the security of the infrastructure to eliminate any system vulnerabilities from future attacks.

• Company-Wide Productivity. During downtime, internal and customer-facing help desks and service departments will be inundated with emergency requests and panicking customers. In addition, employees may have difficulty doing their job without Internet access.

• Customer Loyalty. Customers will be inconvenienced, possibly causing some to defect and move to competitors, as trust is eroded. Credits and refunds may be mandated, particularly if customer data is compromised.

• Brand Image. Depending on the attack’s severity, there may be a need for short-term public relations efforts to rebuild trust with current and future customers.

• Profitability. The loss of immediate e-commerce dollars from missed sales may be one of the first impacts. There are also longer-term revenue implications, especially if an attack impedes anticipated business growth and necessitates higher customer acquisition costs.

To automatically calculate the potential DDoS costs to your organization, visit www.arbornetworks.com/roicalculator.


Today’s Attacks: Complex, Severe and Multi-Vectored

The first DDoS attacks on financial institutions were much simpler in nature. But today, hacker groups are more innovative and aggressive, unleashing attacks that are bigger, faster and more complex. Hackers like those behind Operation Ababil used tools such as “Brobot” and large numbers of readily found neglected or “zombie” Web servers to perpetrate their attacks. With thousands of high-bandwidth servers at their disposal, these hackers are increasing their ability to attack more and more institutions within a short time.

To ensure their attacks are more effective, hackers are using real-time monitoring tools that help them identify defense mechanisms that block their efforts. They then adopt a different approach on the fly to counteract the defense and evade further mitigation. Hackers are also enlisting the help of other groups that are more than willing to share intelligence or join forces with them—simply because they want to, but also for financial incentives.

The Multi-Layered, Multi-Phase Strategy

The latest attack strategy for hacktivists is to simultaneously unleash a wide array of attacks on multiple protocols and applications against a targeted financial institution. This type of approach causes the greatest amount of destruction possible before detection. These powerful attacks can be devastating, as the attacks are a challenge to identify and difficult to defend against. While the vectors are continuously evolving, the most damaging attack types employed today include the following:

Volumetric

The most common and well known, this type of attack focuses on flooding networks with enough Internet traffic—“volume”—to consume all of a target’s bandwidth. To congest the networks, trillions of packets are sent, which quickly block legitimate customers from accessing a target’s site. The average size of attacks in 2012 was 1.67 Gbps, and the largest was just over 100 Gbps.7 In 2013, however, one attack has already reached an astounding 300 Gbps.

TCP State Exhaustion

Another level of attack goes after the connection state tables of infrastructure resources and components such as routers, switches, load balancers, firewalls and application servers, bombarding them until they can no longer function properly. For instance, a high-capacity firewall may be overwhelmed after it attempts to track thousands or even millions of false connection requests, thus denying access to all the resources behind it.

Application Layer

This type of attack is a bit more sophisticated and can cause the most damage. That’s because it goes after specific applications or services and attacks resources at a slower, stealthier pace than other DDoS occurrences. Over time, applications such as Web or email servers can’t keep up with the thousands or millions of requests that infiltrate the system, bringing everything they support to a standstill.


Finding the Greatest Vulnerabilities

Hacker organizations understand the high cost of mitigation. They also know that an attack requires the convergence of extensive resources. Part of their strategy is to monitor the level and type of mitigation efforts that organizations execute during an attack.

For instance, after a volumetric attack, hackers can tell if a financial institution is protected only at the service-provider level. They can then go back to the same financial services company and go after it at the application layer, knowing that there is no protection on premise. Because all mitigation resources are focused on the volumetric attack, the application-layer attack, which is always more difficult to identify, will go undetected for longer and cause more damage before mitigation can occur.

Be Aware of Smoke Screens

As mentioned, an attack that involves one or more of the above vectors requires the full attention of an organization and its service provider. What appears to be one type of attack may simply be the means to achieve a deeper, more pervasive destructive goal. For instance, the known attack may be a smoke screen for hackers as they attempt to get into a company’s proprietary data, such as customer information and intellectual property.

In fact, Gartner Research warns that fraud linked to DDoS attacks is likely on its way, with hackers eventually targeting individuals through massive account takeovers. As one Gartner analyst notes, initially the hackers attacked the perimeters, then they moved to back-end services in order to get into accounts.8

[Figure: attack traffic and legitimate traffic entering from ISP 1, ISP 2 through ISP n, passing the data center firewall, IPS and load balancer to reach the target applications and services; the stages are labelled Saturation, Exhaustion of State and Exhaustion of Service. Caption: Today’s complex, multi-layered DDoS attacks are even more challenging to identify and block due to attacker innovations, tools and strategy.]


DDoS Protection: A Broad and Multi-Faceted Approach

Because DDoS attacks have become

more complex and sophisticated, so must

any defensive strategy that attempts to

fully protect a financial institution. Traditional

security measures such as firewalls, intrusion

prevention systems (IPS) and other disaster

preparedness tactics are certainly key

components in a DDoS protection strategy.

However, those measures alone are not

strong enough, as they do not have

functionality that can specifically defend

against the rapidly evolving DDoS attack

tools used today.

The Best Defense: Purpose-Built

Because hackers are gaining momentum and expanding their tactics on a daily basis, financial services companies need an additional layer of protection that helps them stay one step ahead.

The optimal solution is a purpose-built, intelligent DDoS mitigation system. Financial institutions need a multi-faceted solution that can detect and block attacks with multiple dimensions of countermeasures before the attacks escalate into costly service interruptions—or worse, an eroding customer base. Armed with a defense based on the latest emerging threats, organizations are protected both on premise and at the service-provider level against current and future attack strategies.

Defend Upstream

If it is a victim of a volumetric attack, a financial institution will never have enough on-premise bandwidth available to offset the attack. The best defense against this DDoS attack is a solution that provides protection functionality at the cloud or service-provider level. The provider can then identify the volumetric attack and divert the attack traffic to a scrubbing center for mitigation.

Defend On Premise

The application-layer and state-exhaustion attacks aimed at the perimeter of networks and data centers are often called “low and slow” attacks. Because this type of attack traffic looks legitimate, it’s much harder to detect. As a result, hackers are often able to successfully get through the traditional defenses of service providers.

These attacks, therefore, are best defended with an on-premise solution that is as close to the application or network infrastructure as possible. This provides quicker visibility into any suspicious activity and helps stop the attacks before extensive damage occurs.
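As an added illustration (not Arbor's code and not a feature of any product this paper describes), the following Python routine applies the three attack signatures from "The Multi-Layered, Multi-Phase Strategy" to per-interval traffic counters for one protected target and tags each finding with the defense layer this section assigns to it: upstream scrubbing for volumetric floods, on-premise mitigation for state exhaustion and application-layer attacks. The counter names, the thresholds and the sample intervals are assumptions constructed for the example. The multi_vector sample shows why both layers are needed: a volumetric flood and a low-and-slow application-layer attack in the same interval produce two separate findings with different mitigation points, which is the smoke-screen scenario the paper warns about.

```python
"""Triage one interval of per-target traffic counters into the three DDoS
classes the paper names (volumetric, TCP state exhaustion, application
layer) and map each to the defense layer it recommends.

Added illustration, not Arbor code. Counter names, thresholds and the
sample records below are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IntervalStats:
    """Counters for one protected target over one observation interval.
    Assumed to come from a flow collector or load balancer export."""
    interval_s: int           # interval length in seconds (> 0)
    bits: int                 # bits received for the target
    syn_rcvd: int             # TCP SYN segments seen
    established: int          # connections that completed the 3-way handshake
    open_conns: int           # connections still open at end of interval
    incomplete_requests: int  # open connections holding a partial HTTP request
    link_bps: int             # provisioned ingress capacity in bits per second


@dataclass(frozen=True)
class Finding:
    attack_class: str   # "volumetric" | "tcp_state_exhaustion" | "application_layer"
    defend_at: str      # "upstream" | "on-premise", following the paper's split
    detail: str


# Illustrative thresholds (assumptions); tuned per site in practice.
LINK_UTIL_ALARM = 0.80     # ingress >= 80% of capacity: link saturation
MIN_SYN_RATE = 1_000       # SYN/s needed before the handshake ratio is judged
HANDSHAKE_ALARM = 0.50     # established/SYN below this: half-open flood
MIN_OPEN_CONNS = 500       # open conns needed before the slow-request ratio is judged
INCOMPLETE_ALARM = 0.50    # incomplete/open above this: low-and-slow


def classify(s: IntervalStats) -> list[Finding]:
    """Return every attack class whose signature the interval shows.
    A multi-vector interval (a volumetric smoke screen over a slow
    application-layer attack) yields more than one finding."""
    if s.interval_s <= 0 or s.link_bps <= 0:
        raise ValueError("interval_s and link_bps must be positive")
    findings: list[Finding] = []

    # Volumetric: bandwidth consumed relative to the provisioned link.
    bps = s.bits / s.interval_s
    util = bps / s.link_bps
    if util >= LINK_UTIL_ALARM:
        findings.append(Finding(
            "volumetric", "upstream",
            f"ingress {bps / 1e9:.2f} Gbps = {util:.0%} of link; divert to scrubbing"))

    # TCP state exhaustion: many SYNs but few completed handshakes.
    syn_rate = s.syn_rcvd / s.interval_s
    if syn_rate >= MIN_SYN_RATE:          # also guarantees syn_rcvd > 0
        handshake_ratio = s.established / s.syn_rcvd
        if handshake_ratio < HANDSHAKE_ALARM:
            findings.append(Finding(
                "tcp_state_exhaustion", "on-premise",
                f"{syn_rate:.0f} SYN/s, {handshake_ratio:.1%} complete; state tables at risk"))

    # Application layer: many held-open connections that never finish a request.
    if s.open_conns >= MIN_OPEN_CONNS:    # also guarantees open_conns > 0
        incomplete_ratio = s.incomplete_requests / s.open_conns
        if incomplete_ratio > INCOMPLETE_ALARM:
            findings.append(Finding(
                "application_layer", "on-premise",
                f"{s.open_conns} open conns, {incomplete_ratio:.0%} holding partial requests"))
    return findings


def triage(samples: dict[str, IntervalStats]) -> dict[str, list[tuple[str, str]]]:
    """Map each named interval to its (attack_class, defend_at) pairs."""
    return {name: [(f.attack_class, f.defend_at) for f in classify(s)]
            for name, s in samples.items()}


# Constructed sample intervals (60 s each on a 10 Gbps link); not real measurements.
LINK = 10_000_000_000
SAMPLES = {
    "baseline":     IntervalStats(60, 12_000_000_000, 6_000, 5_950, 300, 10, LINK),
    "volumetric":   IntervalStats(60, 570_000_000_000, 6_000, 5_900, 300, 10, LINK),
    "syn_flood":    IntervalStats(60, 30_000_000_000, 3_000_000, 6_000, 200, 5, LINK),
    "low_and_slow": IntervalStats(60, 9_000_000_000, 9_000, 8_900, 4_000, 3_600, LINK),
    "multi_vector": IntervalStats(60, 540_000_000_000, 6_000, 5_900, 4_000, 3_000, LINK),
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:13s} -> {hits or 'no attack signature'}")
```

The three checks are deliberately independent: a saturated link does not suppress the handshake or partial-request checks, so the on-premise signal survives while upstream scrubbing handles the flood. The ratio checks are gated on minimum rates so that a quiet interval with a handful of SYNs or a few open connections does not produce a finding on noise.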


Plan Ahead and Be Prepared

Like any part of a disaster preparedness strategy, contingency planning is a key part of a DDoS mitigation plan. Once a multi-faceted intelligent mitigation system is in place, it’s important to rehearse an action plan that is coordinated both internally as well as with service providers. A well-thought-out strategy, executed by a thoroughly trained team, provides the best chances for a financial institution to ward off an attack while protecting its network, infrastructure and customers.

And the floodgates have opened in terms of the new “weapons” that are now part of the hacker’s tools, making a layered approach to DDoS defense even more imperative. While traditional security measures can help, they are ill-equipped to defend against the invasive DDoS techniques that hacktivists employ. Camping out in war rooms waiting for an attack won’t help either.

The recommended defense against multi-level, multi-phased attacks is an intelligent DDoS mitigation solution that is built specifically to address the most destructive kinds of attacks, no matter what vector is used.

Besides providing a base level of protection, a comprehensive DDoS mitigation solution provides insights into emerging threats. Financial institutions can use this insight to develop defenses both on premise and at the service-provider level. With visibility into all traffic and potential subterfuge, these kinds of solutions deliver multiple dimensions of countermeasures that organizations can leverage to stop dynamic and diverse threats before an attack is fully launched.

To learn more about the kinds of solutions that can help protect you and your customers from DDoS attacks, contact Arbor Networks today.

Conclusion

The Ababil financial attacks have awakened the industry to the threat of targeted multi-layer DDoS attacks that are not stopped by upstream service providers. While the hacktivists have started and stopped their attacks periodically in the past year, the expectation is that they will continue to use refined and widespread weapons to attack organizations at multiple levels of their networks and infrastructures.

[Figure: attack traffic and legitimate traffic passing from the ISP through the ISP cleaning center (large DDoS attacks) and then the data center firewall, IDS/IPS and load balancer (application layer attacks) to the target applications and services. Caption: Multiple layers of defense are required for comprehensive DDoS protection.]


References

1 Arbor Networks Research

2 news.softpedia.com/news/FBI-Warns-That-al-Qassam-Cyber-Fighters-Are-Modifying-Their-Botnet-350008.shtml

3 www.cnbc.com/id/100613270

4 FBI Liaison Alert System, #M-000001-BT

5 In the Crossfire: Critical Infrastructure in the Age of Cyber War, McAfee, 2010.

6 www.huffingtonpost.com/2011/05/23/sony-playstation-network-hack-cost_n_865432.html

7 Eighth Annual Arbor Networks Worldwide Infrastructure Security Report

8 “DDoS: What to Expect from Next Attacks,” Bank Info Security, April 2013


©2013 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks: Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

DS/DDOSDEFENSE/EN/0713-LETTER

Corporate Headquarters

76 Blanchard Road Burlington, MA 01803 USA

Toll Free USA +1 866 212 7267 T +1 781 362 4300

Europe

T +44 207 127 8147

Asia Pacific

T +65 6299 0695

www.arbornetworks.com