Regional Banks Face a Global Problem: Escalating DDoS Attacks
Security teams at regional banks face real challenges: they confront the same global cyber threats as national or multi-national organizations, without the same resources. Distributed Denial of Service (DDoS) attacks targeting network and application availability — frequently including ransom demands — are a perfect case in point.
The Verizon 2017 DBIR found denial of service attacks were the most common type of incident effecting financial services. The report also found that financial services were the victims of almost a quarter of all data breaches (24%). The unfortunate fact is DDoS attacks are getting more sophisticated and more frequent.
- According to Arbor Networks’ 12th annual Worldwide Infrastructure Security Report (WISR) 67% experienced multi-vector attacks and 25% experienced application layer attacks.
- Arbor Networks’ Active Threat Level Analysis System (ATLAS), which collects data from more than 300 service provider networks, recorded 6.3 million attacks in 2016, or one every 6.3 seconds.
Just as regional banks are in the thick of transforming their operations to be more digital, introducing customer-facing web-based and mobile products as well as incorporating new back-end, third party services such as e-payments, DDoS threats to the availability of their networks, applications and services have never been greater.
Regulators are well aware of DDoS too. The Federal Financial Institutions Examination Council (FFIEC) began alerting financial services organizations specifically on the risks of DDoS to public-facing applications as early as 2014.
“Financial institutions of all sizes that experience DDoS attacks may face a variety of risks, including operational risks and reputation risks. If the attack is coupled with attempted fraud, a financial institution may also experience fraud losses as well as liquidity and capital risks,” stated the FFIEC.
And last year, following the Mirai botnet attacks leveraging connected yet insecure devices like cameras, printers and baby monitors, NIST issued Special Publication 800-160 to provide guidance on better securing IoT systems against misuse.
The Canadian Office of the Superintendent of Financial Institutions (OSFI), specifically calls out the best practice of layered DDoS protection in section 4.12 of their Cyber Security Self-Assessment Guidance.
Though not solely pertaining to financial institutions Article 32 of the EU’s pending General Data Protection Regulation (GDPR) specifically calls for “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”, and more “the ability to restore the availability and access to personal data in a timely manner.”
The most efficient solution: an integrated, hybrid defense leveraging the strengths of both on premise and on-demand, cloud-based DDoS protection.
An on premise intelligent DDoS mitigation system (IDMS) is the most efficient, first line of DDoS defense. Stateful devices such as firewalls, load balancers, WAFs and IPS are not designed for DDoS. They too are susceptible to sophisticated tactics such as TCP state exhaustion attacks. On premise IDMS can provide:
- Rapid detection and in many cases automatic mitigation of DDoS attacks. IDMS can remove attack traffic at the lowest level, before it impacts other network components;
- Defense against “low and slow” application layer attacks. Application layer attacks are extremely difficult for cloud-based protection solutions to detect and mitigate;
- Critical traffic visibility to quickly determine whether poor application performance is a result of a DDoS attack or some other problem. Traffic visibility is also essential to understanding if you are facing an attack campaign, if DDoS is being used to distract you from the exfiltration of data;
- Monitoring of out-bound traffic to discover attacker command and control and exfiltration. The better IDMS provide outbound blocking to prevent data exfiltration.
Since most attacks can be managed on premise, the one-time cost of IDMS extends value over many DDoS events, and into the future. Depending upon the degree of IDMS intelligence and automation, the TCO can be less than a service that is completely cloud-based.
But a cloud-based component does play a critical role. Even though eighty per cent of DDoS attacks are less than 1 Gbps, a 2016 FS-ISAC Survey found most financial organizations have less than 1Gbps of Internet bandwidth. For attacks that do begin to saturate your connectivity, rapid, on-demand cloud mitigation is the best option.
Threat intelligence and tight integration with the IDMS are key to strong hybrid solutions. Informed with the right, up-to-date threat intelligence, the on-premise IDMS can automatically signal the cloud component to temporarily divert traffic to be scrubbed. Detection, signaling and the diverting of traffic must be fast, as automatic as possible, removing the ability for attack traffic to overwhelm on premise defenses. A well-integrated cloud component should be seen as insurance, not the first line of defense.
Integrated, hybrid DDoS protection is the best and most cost-effective solution for protecting the availability of your bank’s new applications and services — no matter the size of your security team. By automatically managing many DDoS attacks, on premise IDMS can save your team valuable time and IT resources. The IDMS traffic visibility and ability to block data exfiltration cannot be provided through the cloud.
Tightly integrated and automatically triggered by the IDMS, on-demand cloud capacity can serve as insurance. You also pay only for what you need. And the best practices, hybrid DDoS protection solution will go a long way toward meeting the banking industry’s regulatory requirements.
Wondering how prepared you are in the fight against DDoS? Take this quick assessment. Then take a look at how integrated, hybrid DDoS protection can keep you more efficiently in control of your service availability and performance.
For more information about DDoS risk implication to financial services institutions visit our dedicated source page.