July 2, 2022, DCI Annual Conference. DDoS Attacks: The Impact to Community Financial Institutions. Jay McLaughlin, CISSP, Senior Vice President, Chief Security Officer.

Exploring DDoS Attacks: Impact to Community Financial Institutions

DESCRIPTION

DDoS attacks have catapulted to the forefront of banking security news after the industry experienced a series of multi-phased attacks beginning in September 2012. Attackers launch DDoS attacks prompted by one of two common motives. Protest attacks, like OpUSA, target large, high-profile banks and are often launched for social or political purposes. Attacks on community banks are usually used as a distraction in conjunction with account takeover attacks. This event is designed to strengthen the awareness and defenses of participants. Jay McLaughlin, this session's presenter, fights cybercrime aimed at financial institutions on a daily basis as Q2ebanking's Chief Security Officer. Jay will break down conceptual and technical aspects of DDoS attack types, clarify the differing attacker motives, and discuss how community banks can build a layered security model to mitigate DDoS attacks.

Page 1: Exploring DDoS Attacks: Impact to Community Financial Institutions

April 8, 2023

DCI Annual Conference

DDoS Attacks: The Impact to Community Financial Institutions

Jay McLaughlin, CISSP, Senior Vice President, Chief Security Officer

Page 2

Agenda

• Overview of Distributed Denial-of-Service Attacks

• Types of DoS attacks and why they are successful

• Understanding the motives behind recent attacks

• Detecting & Defending against an attack

• Preparation for response to an attack

• Steps to mitigate the attacks targeted to commit fraud

Page 3

Types of Denial-of-Service Attacks

• SYN Floods / IP Floods

– Connection attacks; half-open connections that never complete the handshake

• HTTP GET/POST

– Application-level flood attacks

• ICMP Attacks / ICMP Echo

– Ping of death; Smurf attacks

• UDP Floods

– DNS amplification attacks: send a 64-byte query and get a 3,363-byte return (50X amplification factor)

• Teardrop Attacks

– TCP packet fragmentation that attacks the reassembly process

Page 4

New Waves of State-Sponsored Attacks

• April 2007 began a three-week wave of massive cyber-attacks on the small Baltic country of Estonia

• First known incidence of such an assault on a state

• Targeted the government, banks, news agencies, and businesses

• Recent DDoS attacks have indicated sponsorship or involvement of foreign nation states

Page 5

“Hacktivism” on the Rise

• Definition: “Hacktivism” – non-violent use of computers and computer networks, by legal and/or illegal means, in pursuit of political ends

– Term first coined in 1998 by Cult of the Dead Cow

• Most forms of political activism require the strength of masses; hacktivism can often result from the power of one person, or a small group

• Attacks often include defacement, sit-ins, e-mail bombs, & doxing

• Most often carried out anonymously, and can take place across national borders

Page 6

Hacktivist Attacks Organized by “Anonymous”

• Group formed in 2008 originally after an internal Church of Scientology video was redacted from YouTube

• Gained public prominence in 2010 during its defense and support of WikiLeaks and its leader Julian Assange

• Anonymous mobilized, unleashing its Low Orbit Ion Cannon (LOIC) tool, with which anyone could participate in DDoS attacks

• Attacks waged against Mastercard, Visa, PayPal

• Has since attacked various targets and causes: cartels in Mexico, child pornography, protests against U.S. actions

• Government entities, CIA & FBI, Sony, Westboro Baptist Church

Page 7

Operation Payback: Against Anti-Piracy

Page 8

Tools: No Skills Required (Example: LOIC)

Page 9

Waves of DDoS Attacks Against US Banks

• Bank of America, Chase, Citigroup, HSBC, Wells Fargo, US Bank, Capital One, PNC Financial Services, Ally Bank, SunTrust Bank, Regions Bank, BB&T, Fifth-Third Bank, etc.

• U.S. intelligence officials said they believe the attacks against the banks have been carried out or condoned by the Iranian government

• “Suspicions point towards a special unit of Iran’s Revolutionary Guard” – Sen. Joe Lieberman (CSPAN interview, Sept. 2012)

• Experts cautioned it is difficult to accurately identify

Page 10

Responsibility for the latest attacks against banks?

• Izz ad-Din Al-Qassam

• Syrian preacher who fought against the French, British and Zionist elements in the eastern Mediterranean region in the 1920s and 1930s

• “Brigades” is the military wing of the Islamic resistance movement Hamas

• “Cyber Fighters” is the hacker collective

• Retaliation for the portrayal of Muslims in a series of movie trailers posted to YouTube for the film “Innocence of Muslims.”

Page 11

Warning of Attacks Against US Banks

http://www.youtube.com/watch?v=xYVfBNKbfRQ

Page 12

DDoS Attacks Hit US Banks: Operation Ababil

Page 13

Pay-to-Play “Booter” Services

Page 14

Why are DDoS Attacks Successful?

• Attackers are acquiring more bandwidth

Page 15

Page 16

Why are DDoS Attacks Successful?

• Attackers are acquiring more bandwidth

• Attackers no longer need to compromise and recruit thousands or tens of thousands of end-user PCs to carry out distributed denial-of-service attacks

• Instead, they target a handful of web servers that have more bandwidth and processing power

• Yapping Chihuahuas morphed into fire-breathing Godzillas

• The extra horsepower of servers can create peak floods exceeding 100 Gbps, a volume big enough to knock even large sites offline

Page 17

Compromised Endpoints: Botnet Armies

• Researchers from the security firm Incapsula noticed a website located in the UK that was exhibiting suspicious behavior

• They discovered a backdoor that had been planted on it, programmed to receive instructions from remote attackers

• The website was being directed to send a flood of HTTP and UDP packets to major banks including PNC, HSBC, and Fifth Third Bank

Source: Ars Technica; Jan. 2013

http://arstechnica.com/security/2013/01/secret-footsoldier-targeting-banks-reveals-meaner-leaner-face-of-ddos/

Page 18

Attacking The Stack

• DDoS security firm Prolexic reported finding several compromised servers outfitted with “itsoknoproblembro” (pronounced "it's OK, no problem, bro”)

– DDoS tools that allowed the attackers to unleash network packets based on the UDP, TCP, HTTP, and HTTPS protocols

– These flooded the banks' routers, servers, and server applications

– Attacked layers 3, 4, and 7 of the networking stack

Source: Threatpost, October 2012

http://threatpost.com/en_us/blogs/automated-toolkits-named-massive-ddos-attacks-against-us-banks-100212

Page 19

Preparing for DoS Attacks

Page 20

What Can Be Done in Advance?

• DoS attacks cannot be prevented!

– Adversaries will launch attacks, and no technology, provider, plan, etc. can stop those actions from occurring

• Element of your Risk Assessment

• Risk 101:

– Risks can NEVER be eliminated…but they CAN be mitigated

Page 21

Incident Response Planning

• Critical to establish your plans

• Don’t assume you won’t be a target

• Most banks cannot fight these attacks alone

• Relying solely on your own infrastructure will eventually let attacks achieve their objectives

• Ensure that providers and ISPs are prepared

• Blocking source addresses and blacklisting traffic from geographic regions must be done “upstream”

• Test plans to ensure preparedness (ex. tabletop testing)

Page 22

Understanding Your Network

• Baseline network activity

• Without established baselines, it is difficult to identify when an onslaught or attack is starting

• Real-time monitoring of inbound TCP/UDP traffic

• Understand “normal” connection counts for web applications (e.g. OLB)

• Track bandwidth utilization – what is typical? Good? Bad?

Page 23

Securing the Perimeter

• Load Balance Traffic

• Explicit access-control lists should permit only authorized traffic

– Immediately drop all malformed protocol requests

• Pre-built access lists to block non-domestic inbound traffic or shun bad sources

• Set rate limits and embryonic (half-open) connection thresholds

• DNS cat-and-mouse techniques

• Enhance monitoring of traffic (early detection, baselines)

• Work with your critical providers and ISPs in advance
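The two slides above (network baselines and embryonic connection thresholds) come together in the check below: count half-open (SYN-RECV) connections per local port from an `ss -tan`-style snapshot and alarm when the count exceeds a threshold derived from the site's own baseline. This is an added example, not code from the presentation; the snapshot and the baseline samples are constructed, and the function names are my own.

```python
import statistics
from collections import Counter

# Constructed snapshot in the style of `ss -tan` output (not a real capture).
SS_SNAPSHOT = """State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV   0      0      10.0.0.5:443       198.51.100.7:41233
SYN-RECV   0      0      10.0.0.5:443       198.51.100.9:51002
ESTAB      0      0      10.0.0.5:443       192.0.2.10:50311
SYN-RECV   0      0      10.0.0.5:443       198.51.100.12:60123
SYN-RECV   0      0      10.0.0.5:80        203.0.113.4:33001
ESTAB      0      0      10.0.0.5:22        192.0.2.11:40000
"""

# Constructed baseline: SYN-RECV counts on port 443 sampled during normal hours.
BASELINE_443 = [0, 1, 0, 1, 0, 2, 1, 0]


def half_open_by_port(snapshot: str) -> Counter:
    """Count embryonic (SYN-RECV) connections per local port; the header line is skipped."""
    counts = Counter()
    for line in snapshot.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]
        counts[local_port] += 1
    return counts


def threshold_from_baseline(samples, k: float = 3.0) -> float:
    """Embryonic-connection threshold = baseline mean + k population std devs.
    The floor of mean + 1 stops a perfectly flat baseline from alarming on one extra SYN."""
    mean = statistics.mean(samples)
    return max(mean + k * statistics.pstdev(samples), mean + 1)


def check_port(snapshot: str, port: str, baseline_samples, k: float = 3.0):
    """Return (current half-open count, threshold, alarm) for one local port."""
    current = half_open_by_port(snapshot)[port]
    thr = threshold_from_baseline(baseline_samples, k)
    return current, thr, current > thr


if __name__ == "__main__":
    for port in ("443", "80"):
        cur, thr, alarm = check_port(SS_SNAPSHOT, port, BASELINE_443)
        print(f"port {port}: {cur} half-open (threshold {thr:.2f}) alarm={alarm}")
```

In production the baseline would be refreshed from real periodic snapshots (per port and per time of day), and the alarm feeds the upstream blocking arrangements the slides say must already be in place with the ISP.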

Page 24

Combatting These Attacks

Page 25

Critical Distinction

• Politically-motivated attacks are a reality for prominent US institutions

– They are now at risk of being targeted for activities unrelated to their own business

• Different threat scenario for community banks

– Community banks will more likely be targeted in combination with an account takeover event

• DDoS attacks are significantly mitigated with the absence of account takeover fraud

• DDoS attacks represent ONLY the 2nd half of the equation

Page 26

Anatomy of an Attack

Page 27

Account Takeover Fraud

• Account takeover is one of the more prevalent forms of fraud. It is the result of an attacker taking over another person's account, first by gathering information about the intended victim

• Estimates from the FBI project that financial fraud resulting from account takeover attacks will exceed $1 billion this year 

• Motivated by financial gain, this has become an extremely lucrative, criminal business

Page 28

Building a Layered Security Model

• Defense-in-depth (“deep” or “elastic”)

– Derived from traditional military strategy

– Requires that a defender deploy resources at and well behind the front line

• Reliance on any single control or mitigating factor is not sufficient

• Prevents shortfalls in any single defense control

Page 29

Fighting Account Takeover Fraud

• Strong multi-factor authentication

– One-time passwords (OTPs), temporary access codes (TACs)

• Out-of-band transaction authorization

– Cannot only focus around authentication events

• Anomaly detection for suspicious transactions based on characteristics/patterns

• Dual approval controls / segregation of duties

• Enhanced controls over account activities

– Transaction limits, payment recipients, thresholds

Page 30

Out-of-Band Transaction Authorization

• FFIEC’s June 2011 Guidance states:

– “Out-of-band authentication means that a transaction that is initiated via one delivery channel [e.g., online] must be re-authenticated or verified via an independent delivery channel [e.g., telephone] in order for the transaction to be completed”

– Out-of-band authentication directed through the same device that initiates the transaction may not be effective, since that device may have been compromised

• Out-of-band authorization can be extremely effective in protecting customers against financial malware attacks and Trojans
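The flow described on this slide, as an added example that is not part of the presentation: the payment submitted through the online channel is recorded server-side, a single-use code together with the amount and payee is delivered to the customer's registered phone (simulated here by an outbox list), and the customer approves only if those details match what they intended. The server-side state, phone number, payee strings and function names are all constructed for the demonstration.

```python
import hmac
import secrets

# Constructed server-side state for the demonstration; not any vendor's API.
PENDING = {}      # txn_id -> {"amount": int (cents), "payee": str, "code": str}
OOB_OUTBOX = []   # (phone, message) delivered over the independent channel (simulated SMS)


def initiate_transfer(amount_cents: int, payee_account: str, customer_phone: str) -> str:
    """Channel 1 (online banking) submits the payment. The server stores the exact
    details and sends a single-use code, together with those details, to the
    customer's registered phone, never back to the session that submitted it."""
    txn_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(1_000_000):06d}"
    PENDING[txn_id] = {"amount": amount_cents, "payee": payee_account, "code": code}
    OOB_OUTBOX.append((customer_phone,
                       f"Approve ${amount_cents / 100:.2f} to {payee_account}? Code {code}"))
    return txn_id


def customer_decides(message: str, intended_amount_cents: int, intended_payee: str):
    """The customer's part: release the code only if the amount and payee shown on the
    phone match what they actually meant to send; otherwise decline (return None)."""
    expected = f"${intended_amount_cents / 100:.2f} to {intended_payee}"
    return message.split("Code ")[1] if expected in message else None


def complete_transfer(txn_id: str, code) -> bool:
    """Channel 2 verification: the code is accepted once, for the stored transaction only.
    The pending entry is consumed whether or not verification succeeds."""
    txn = PENDING.pop(txn_id, None)
    if txn is None or code is None:
        return False
    return hmac.compare_digest(txn["code"], code)


def run_scenario(intended_payee: str, submitted_payee: str, amount_cents: int = 250_000) -> bool:
    """Returns True if the payment completes. submitted_payee is what the browser sent
    (possibly rewritten by malware on that device); intended_payee is what the customer wanted."""
    txn_id = initiate_transfer(amount_cents, submitted_payee, "+1-555-0100")
    _, message = OOB_OUTBOX[-1]
    code = customer_decides(message, amount_cents, intended_payee)
    return complete_transfer(txn_id, code)
```

The second scenario in the test is the financial-malware case the slide refers to: the browser session was altered to pay a different account, but the independent channel shows the customer the altered payee, so the code is never released and the transfer does not complete.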

Page 31

Leverage Alerts

• Users must play a part and participate in fighting fraud

• Real-time alerts delivered to a victim are timely and give them the opportunity to notify the financial institution of the activity

• Transactional alerting (e.g., transaction creation, authorization)

– Changes to profile settings

• Security event alerts (e.g., changes to alert delivery targets, failed logon attempts)

Page 32

Communicating with Customers

• FFIEC has been critical of the lack of communication provided by banks and institutions that have been attacked

• This represents a fine line, as any public communication may disclose response plans, details, or other information to attackers

• Establish general communication templates that will be used in the event of an attack

• Know how and at what point to communicate

Page 33

Summary & Wrap Up

• Hacktivist attacks have illustrated the severity of DoS

• Better understanding of denial-of-service attacks

• DoS attacks are being used in multifaceted fraud

• Critical distinction between publicized attacks

• Establish and test your plans

• Reduce account takeover fraud with layered controls

Page 34

“The future ain’t what it used to be.”

– Lawrence “Yogi” Berra, New York Yankees, 1946–1964

Be Prepared

Page 35

Declare var $response

if [?] >= ‘1’

then $response = ‘answer’

else $response = ‘thankyou’

end if;

Questions

Page 36

linkedin.com/in/mclaughlinjay

Email: [email protected]

Thank you