DDoS Attacks: Lessons Learned

4 Thought Leaders Share Insights About Bank Attacks
DDoS Attacks: Lessons Learned

Distributed-denial-of-service attacks waged against leading U.S. banks between mid-September and mid-October led to improved information sharing about threats. And that exchange proved effective in minimizing disruptions (see Bank Attacks: 7 Steps to Respond).

See Also: 2016 State of Threat Intelligence Study

Inter-bank and industry communication helped financial institutions targeted later in the DDoS campaign suffer less severe outages than those targeted earlier, says Mike Smith, a DDoS specialist at Web security vendor Akamai Technologies (see 2 More Banks Are DDoS Victims).

It's an important lesson for those in other business sectors that could be targeted by DDoS attackers.

"Information sharing allowed us to say, 'Here is a packet capture of what we saw. ... You can monitor for these things so you know a pattern of what these things look like so you can block them," Smith says.

"When you're the first [institution] receiving the attack, you have to diagnose it," he adds. "Sometimes you don't even know if it's a denial-of-service attack at first. ... But I think from the response side, we did really, really well, once the patterns were identified."

Smith's comments, along with those of Matt Speare of M&T Bank Corp., Stephen Mulhearn of Fortinet and Rodney Jofee of Neustar, are featured in a panel discussion that caps off a new Information Security Media Group webinar, The New Wave of DDoS Attacks: How to Prepare and Respond slated to debut Dec. 12. There is no fee for registering to attend the session.

Attacks Highlight Dependencies

The series of attacks against banks highlighted the dependencies business enterprises have on Internet service providers and exposed gaps in communication strategies most corporations face in the wake of a DDoS hit, says Speare, senior vice president of information technology for M&T Bank Corp., an $81.1 billion institution based in Buffalo, N.Y.

"The detection part is relatively easy," Speare says. "What I'm really looking for are partners. I do not have all of the capabilities to reach out beyond my network to see what's going on."

Leveraging information provided by third parties gives organizations the ability to prepare, Speare says. "We appreciated getting that information," he adds. "When you knew the IPs [Internet protocols for the attackers], you had the opportunity to block them."

M&T was the victim of a DDoS attack in late 2011, but was not among the banks targeted in the recent attacks by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. The group has taken credit for hits against Bank of America, JPMorgan Chase, Citigroup, Wells Fargo, Capital One, PNC, U.S. Bank, SunTrust Banks, Regions Financial Corp., BB&T and HSBC. But information sharing within the industry in response to the attacks put other institutions on alert, giving them time to prepare (see Banks Take Action After Alert, Attacks). This preparation helped some institutions lessen the impact of the attacks, and it put others on notice of what to look for in suspicious activity.

Lessons Learned

Explaining to the public what was driving the attacks proved challenging, Smith says.

"One of the things I grappled with a lot in weeks two and three of this campaign was, 'How much information do we want to get out there?'" he says.

There's a fine balance between scaring consumers and informing them, without tipping off hackers to newly implemented security measures, Smith adds.

But some institutions' decisions to stay relatively silent in the wake of the attacks, in hindsight, may have been more damaging, he says.

"When you sustain a longer outage, four hours or above, you need to get out there and control the message and get messaging out to your customers," Smith says.

What proved most vexing was how to clearly communicate to consumers a message about a technical takedown that did not involve fraud, says Jofee, senior vice president and senior technologist of DDoS prevention vendor Neustar.

Preparing for DDoS

The more steps that organizations take to understand the attacks and the attackers, the better prepared they will be to respond and react.

"Each organization has a different posture and different need and use for its website," Jofee says. "No DDoS is ever the same."

The organizations that will fare the best are those who understand their infrastructure, their traffic and the impact an attack will have on their business.

"The worst time you want to be learning is in the middle of a fire fight," Jofee says.

Stephen Mulhearn, director of product management for DDoS-prevention vendor Fortinet, says education of employees and customers has to be a top priority. "I'm almost shocked at the level of naivety" about DDoS attack vectors and prevention, he says.

Among the topics panelists also discuss in this webinar:

  • Lessons learned from studying the attacks;
  • Technology options for mitigating the impact of a DDoS attack;
  • How to prepare your organization to detect and respond to a DDoS attack.

For more information, please visit the webinar landing page: The New Wave of DDoS Attacks: How to Prepare and Respond.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network