For many years banks have been a prime target for cyber-attacks. Lately, the publicly known attacks on the financial industry appear to have plateaued in frequency, duration and intensity. That is only the surface. New attacks on banks remain a significant threat, and in many cases the targeted institution may not even be aware that it is under fire. An attack that goes unnoticed has the potential to cause far greater damage than a "public" Distributed Denial of Service (DDoS) attack.
2012 and 2013 were turbulent years for the financial industry. Operation Ababil kept US banks very busy, and as a result many banks invested heavily in DDoS protection. The main purpose of those attacks was to bring down the infrastructure, or parts of it, and disrupt business operations. That experience still shapes thinking today: many companies believe that the main goal of a DDoS attack is to take away the availability of their infrastructure. The real threat landscape goes far beyond this. DDoS attacks are often used to divert attention from a separate intrusion that can go unnoticed for weeks, months or even years. A company or bank may think it has successfully mitigated a DDoS attack when in reality Advanced Persistent Threat (APT) malware has already been installed, giving the attackers full access to internal documents and financial data.
The (Mis)Direction of Advanced Persistent Threats and Stealth Attacks
One of the most spectacular cases of misdirection was the Carbanak campaign, in which an international criminal group began in late 2013 to covertly install APT malware in financial institutions. By the beginning of 2015 the group had stolen an estimated 1 billion USD from more than 100 banks in 20 countries around the globe. Each bank was compromised for an average of two to four months before the money was taken.
Every fan of action movies knows the trick: the aggressors create a huge mess at the front door while the stealthy intruders enter through the back door. In the cyber world the DDoS attack is that mess, and it pushes the existing protection infrastructure to the point of failure while the security team's attention is consumed by the outage. Once a single link in the protection chain (firewall, IPS/IDS) gives way, the attackers launch phase 2 and extend the attack to the application layer, using techniques such as SQL injection or Cross-Site Scripting (XSS) to gain the foothold needed to install the APT malware, which then begins its dangerous mission under the hood.
Stealth attacks on banks work differently: they use low-volume but constant DDoS attacks to wear down their victims. According to research by the Radware Emergency Response Team (ERT), more than 19% of DDoS attacks in 2014 were constant, four times the share seen the previous year.
One popular attack type is the brute force attack against log-in pages. It has two purposes: to keep the system busy with a constant stream of log-in requests, and to find a legitimate user account and password that grants access to the system. What does keeping a system "busy" mean in practice? Beyond the load on the application and its supporting infrastructure, the repeated failed attempts trip account-lockout policies and lock legitimate users out of their own accounts. That creates significant additional work for the help desk and for system administration.
Stealth attacks are mainly carried out over HTTP or HTTPS, i.e. at the application layer, which makes them very hard for conventional protection solutions to identify and block: every request is well-formed and the traffic behaves exactly as the relevant RFCs define. In addition, many current security tools work as isolated islands. That may be adequate against a single, dedicated attack, but against a coordinated campaign across multiple attack layers such isolated solutions will not succeed.
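To make the last two paragraphs concrete, here is an added example (not code from the original article or from Radware) of the account-centric correlation that catches a low-and-slow log-in brute force which a per-source rate limiter never sees. It runs over a constructed sample log; the line format "<ISO timestamp> <source IP> <username> <OK|FAIL>", the lockout and rate-limit thresholds, and the IP addresses and user names are all assumptions made for the example.

```python
"""
Added example, not from the original article: correlate authentication log
lines to detect a low-and-slow log-in brute force. Every request is
well-formed and each attacker IP stays far below a naive per-IP rate limit,
yet the targeted accounts hit the lockout threshold within seconds.
The log format, thresholds and sample data are all constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RATE_LIMIT_PER_MIN = 10            # assumed naive per-IP limit a WAF might enforce
LOCKOUT_THRESHOLD = 5              # assumed policy: 5 failures in LOCKOUT_WINDOW locks the account
LOCKOUT_WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5             # one source failing against this many accounts looks like spraying

TARGETS = ["carol", "dave", "erin", "frank", "grace"]
ATTACK_IPS = [f"198.51.100.{n}" for n in range(10, 15)]   # RFC 5737 documentation addresses
BASE = datetime(2015, 3, 1, 10, 0, 0)


def build_constructed_log():
    """Constructed sample log: two legitimate users, plus five attacker IPs that
    each try every target account once, sending one request every two minutes."""
    lines = [
        "2015-03-01T10:00:00Z 203.0.113.5 alice OK",
        "2015-03-01T10:00:30Z 203.0.113.5 alice FAIL",   # a single genuine typo
        "2015-03-01T10:05:00Z 203.0.113.7 bob OK",
    ]
    for i, user in enumerate(TARGETS):
        for k, ip in enumerate(ATTACK_IPS):
            ts = BASE + timedelta(minutes=2 * i, seconds=10 * k)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {ip} {user} FAIL")
    return "\n".join(lines)


CONSTRUCTED_LOG = build_constructed_log()


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of length `window`."""
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def analyse(log_text):
    events = parse(log_text)
    requests_by_ip = defaultdict(list)   # every request, for the per-IP rate check
    fails_by_user = defaultdict(list)    # failures per account, for lockout risk
    users_by_ip = defaultdict(set)       # accounts each source failed against
    ips_by_user = defaultdict(set)       # sources hitting each account
    for ts, ip, user, result in events:
        requests_by_ip[ip].append(ts)
        if result == "FAIL":
            fails_by_user[user].append(ts)
            users_by_ip[ip].add(user)
            ips_by_user[user].add(ip)

    # 1. What a per-IP rate limiter sees: peak requests per source in any one minute.
    peak = {ip: max_in_window(t, timedelta(minutes=1)) for ip, t in requests_by_ip.items()}
    rate_limited = sorted(ip for ip, n in peak.items() if n > RATE_LIMIT_PER_MIN)

    # 2. What the account-centric view sees: accounts about to be locked out.
    lockout_risk = {}
    for user, t in fails_by_user.items():
        n = max_in_window(t, LOCKOUT_WINDOW)
        if n >= LOCKOUT_THRESHOLD:
            lockout_risk[user] = n

    # 3. Sources spraying many accounts, and locked accounts hit from many sources:
    #    the correlation across sources and accounts that isolated tools miss.
    spraying = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= SPRAY_MIN_ACCOUNTS}
    sources_per_account = {u: len(ips) for u, ips in ips_by_user.items() if u in lockout_risk}

    return {
        "peak_per_minute_by_ip": peak,
        "rate_limited_ips": rate_limited,
        "lockout_risk": lockout_risk,
        "spraying_sources": spraying,
        "sources_per_locked_account": sources_per_account,
    }


if __name__ == "__main__":
    for key, value in analyse(CONSTRUCTED_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log no source ever exceeds two requests per minute, so the per-IP rate limit fires for nobody, while all five targeted accounts receive five failures within 40 seconds, enough to lock them out under the assumed policy. The useful signals are the ones that need data from several sources and several accounts at once, which is exactly what a set of isolated per-IP tools cannot produce.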
Five Security Protection Tips to Remember
Identify and become aware of campaigns.
Security vendors are not the only source of updates on attack trends, tools and attackers. Industry bodies, government agencies and vendor-independent groups can also provide valuable information and support.
Create a security control center.
Every sensitive infrastructure, especially in finance, requires a central control and management centre. To defend against campaigns on multiple layers, a key requirement is to have all IT and application management under one umbrella, so that events from the network, the applications and the user accounts can be correlated rather than handled in isolation.
Define an emergency team.
An emergency response team that is independent of the attack and of the current infrastructure is essential. It can detect many kinds of attacks and has the knowledge to mitigate them effectively. Attack detection and mitigation require 365-day availability, and it often makes sense to use a specialized external company for this.
Identify critical company data and related networks.
Network separation is an old concept, but it remains a central recommendation of security standards such as PCI DSS v2.0 and v3.0, which do not strictly mandate segmentation but strongly recommend it to reduce the scope of the cardholder data environment. It ensures that critical information is processed in networks and infrastructure with a higher security profile.
Avoid a domino effect.
How do my partners and contractors affect my own IT security? For example, what happens to my bank operations when my ISP is under attack? Will online banking still be available for my customers? What protection and security SLAs does my provider offer?
DDoS attacks are still a serious threat for companies and CISOs; however, APTs, stealth attacks and other attacks can be just as damaging, and a combination of both is a very serious risk for every bank and organization. Attacks that use only one or two vectors are now the exception; attacks on multiple layers are becoming the standard. The goal of many attackers is to remain undiscovered so that they can operate for as long as possible and gain extensive access to data and systems.