Exploring DDoS Attacks: Impact to Community Financial Institutions
DDoS attacks have catapulted to the forefront of banking security news after the industry experienced a series of multi-phased attacks beginning back in September of 2012. Hackers launch DDoS attacks prompted by one of two common motives. Protest attacks, like OpUSA, target large, high-profile banks and are often launched for social or political purposes. Attacks on community banks are usually used as a distraction in conjunction with account takeover attacks. This event is designed to strengthen the awareness and defenses of participants. Jay McLaughlin, this session's presenter, fights cybercrime aimed at financial institutions on a daily basis as Q2ebanking's Chief Security Officer. Jay will break down conceptual and technical aspects of DDoS attack types, clarify the differing attacker motives, and discuss how community banks can build a layered security model to prevent DDoS attacks.

Published in: Technology, News & Politics
  • 1. SYN -> SYN/ACK -> ACK. 2. Goal of an attack: make services unavailable; disruption! 3. Work by pounding on infrastructure.
  • Riff over the Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn
  • Doxing – exposing or “outing” an individual or organization
  • WikiLeaks came under fire from the U.S. government after the site obtained video footage from a U.S. helicopter strike in Iraq that killed two Reuters employees, as well as two children. Next, Assange began to coordinate--together with major newspapers in multiple countries--the release of hundreds of thousands of secret U.S. government cables beginning in December 2010. PayPal and credit-card processors MasterCard and Visa blocked payments to WikiLeaks, which relied on donations to lease server space and pay staff.
  • Low Orbit Ion Cannon is an open source network stress testing and denial-of-service attack application which floods a server with TCP packets or UDP packets
  • “ In [a] new phase [of coming attacks], the wideness and the number of attacks will increase explicitly; and [target banks] will not be able to imagine and forecast the widespread and greatness of these attacks.” The threat was delivered after weeks of silence following a slew of distributed denial-of-service (DDoS) attacks which spanned for more than a month against some of the nation’s largest financial institutions.
  • 1) The controversial hacker known as The Jester (th3j35t3r) claims that Anonymous hackers provided Izz ad-Din al-Qassam Cyber Fighters – the group who has been launching attacks against US banks – the necessary means to disrupt the financial institutions’ websites. 2) A DDoS attack lasting 5 hours would cost $15 (12 EUR), and one lasting for 1337 hours was priced at $300 (240 EUR).
  • Attackers don’t directly launch attacks on enterprise networks - instead they plant malicious code in several computer that act as zombies and they take control over the computers through botnets to launch DoS attacks simultaneously from many sources.
  • The administration password was simply "admin". A demonstration of how security on the internet is always determined by the weakest link: simply neglecting to manage an administrative password on a small site in the UK can very quickly be exploited by botnet shepherds operating obscurely out of Turkey.
  • Other security firms have noted finding more automated toolkits installed on compromised servers
  • Last point: who will have your back when these attacks occur?
  • With a layered security model, the weakness in one control is compensated by the strength of another control. If the attacker breaches the perimeter, he is met with resistance as he attempts to advance further.
  • Relative to electronic banking, this approach relies on different controls at different points in the transaction.
  • Jay intro, then Caity. Users must play a role in this: real-time alerts can let the user learn of fraud before the FI knows about it. Out-of-band delivery is more effective; highly recommend speaking to customers about setting these alerts up to be delivered to voice or SMS, since email is susceptible to being intercepted.
  • use this information to promote additional safeguards that your customers can use as protection against ATO fraud

    1. DDoS Attacks: The Impact to Community Financial Institutions
       DCI Annual Conference, September 9, 2013
       Jay McLaughlin, CISSP, Senior Vice President, Chief Security Officer
    2. Agenda
       • Overview of Distributed Denial-of-Service Attacks
       • Types of DoS attacks and why they are successful
       • Understanding the motives behind recent attacks
       • Detecting & Defending against an attack
       • Preparation for response to an attack
       • Steps to mitigate the attacks targeted to commit fraud
    3. Types of Denial-of-Service Attacks
       • SYN Floods/IP Floods
         – connection attacks; half-open connections do not complete the handshake
       • HTTP GET/POST
         – application-level flood attacks
       • ICMP Attacks / ICMP Echo
         – ping of death; Smurf attacks
       • UDP Floods
         – DNS amplification attacks: send a 64-byte query and get a 3,363-byte response (50X amplification factor)
       • Teardrop Attacks
         – TCP packet fragmentation that attacks the reassembly process
    4. New Waves of State-Sponsored Attacks
       • April 2007 began a three-week wave of massive cyber-attacks on the small Baltic country of Estonia
       • First known incidence of such an assault on a state
       • Targeted the government, banks, news agencies, and businesses
       • Recent DDoS attacks have indicated sponsorship or involvement of foreign nation states
    5. “Hacktivism” on the Rise
       • Definition: “Hacktivism”
         – Non-violent use of legal and/or illegal computers and computer networks as a means in pursuit of political ends
         – Term first coined in 1998 by Cult of the Dead Cow
       • Most forms of political activism require the strength of masses; hacktivism can often result from the power of one, or a small group
       • Attacks often include defacement, sit-ins, e-mail bombs, & doxing
       • Most often carried out anonymously, and can take place across trans-national borders
    6. Hacktivist Attacks Organized by “Anonymous”
       • Group formed in 2008 originally after an internal Church of Scientology video was redacted from YouTube
       • Gained public prominence in 2010 during its defense and support of WikiLeaks and its leader Julian Assange
       • Anonymous mobilized, unleashing its Low Orbit Ion Cannon (LOIC) tool, with which anyone could participate in DDoS attacks
       • Attacks waged against Mastercard, Visa, PayPal
       • Since attacked various causes, from cartels in Mexico, child pornography, protests against U.S. actions
       • Government entities, CIA & FBI, Sony, Westboro Baptist Church
    7. Operation Payback: Against Anti-Piracy
    8. Tools: No Skills Required (Example: LOIC)
    9. Waves of DDoS Attacks Against US Banks
       • Bank of America, Chase, Citigroup, HSBC, Wells Fargo, US Bank, Capital One, PNC Financial Services, Ally Bank, SunTrust Bank, Regions Bank, BB&T, Fifth-Third Bank, etc.
       • U.S. intelligence officials said they believe the attacks against the banks have been carried out or condoned by the Iranian govt
       • “Suspicions point towards a special unit of Iran’s Revolutionary Guard” – Sen. Joe Lieberman (CSPAN interview, Sept. 2012)
       • Experts cautioned it is difficult to accurately identify
    10. Responsibility for the latest attacks against banks?
       • Izz ad-Din Al-Qassam
         – Syrian prophet who fought against the French, British and Zionist elements in eastern Mediterranean regions in the ’20s and ’30s
         – “Brigades” is the military wing of the Islamic resistance movement Hamas
         – “Cyber Fighters” is the hacker collective
       • Retaliation for the portrayal of Muslims in a series of movie trailers posted to YouTube for the film “Innocence of Muslims.”
    11. Warning of Attacks Against US Banks
       http://www.youtube.com/watch?v=xYVfBNKbfRQ
    12. DDoS Attacks Hit US Banks: Operation Ababil
    13. Pay-to-Play “Booter” Services
    14. Why are DDoS Attacks Successful?
       • Attackers are acquiring more bandwidth
    15. (image only; no slide text)
    16. Why are DDoS Attacks Successful?
       • Attackers are acquiring more bandwidth
       • No longer compromise and recruit thousands or tens of thousands of end-user PCs to carry out the distributed denial-of-service attacks
       • Instead, targeting a handful of web servers that have more bandwidth and processing power
       • Yapping Chihuahuas morphed into fire-breathing Godzillas
       • The extra horsepower of servers can create peak floods exceeding 100Gbps, a volume big enough to knock even large sites offline
    17. Compromised Endpoints: Botnet Armies
       • Researchers from the security firm Incapsula noticed a website located in the UK that was exhibiting suspicious behavior
       • Discovered a backdoor that had been planted on it that was programmed to receive instructions from remote attackers
       • Website traffic was being directed to send a flood of HTTP and UDP packets to major banks including PNC, HSBC, and Fifth Third Bank
       Source: Ars Technica, Jan. 2013, http://arstechnica.com/security/2013/01/secret-footsoldier-targeting-banks-reveals-meaner-leaner-face-of-ddos/
    18. Attacking The Stack
       • DDoS security firm Prolexic reported they have found several compromised servers were outfitted with “itsoknoproblembro”
         – (pronounced "it's OK, no problem, bro”)
       • DDoS tools that allowed the attackers to unleash network packets based on the UDP, TCP, HTTP, and HTTPS protocols
       • These flooded the banks' routers, servers, and server applications
       • Attacked layers 3, 4, and 7 of the networking stack
       Source: Threatpost, October 2012, http://threatpost.com/en_us/blogs/automated-toolkits-named-massive-ddos-attacks-against-us-banks-100212
    19. Preparing for DoS Attacks
    20. What Can Be Done in Advance?
       • DoS attacks cannot be prevented!
       • Adversaries will launch attacks and no technology, provider, plans, etc. can stop those actions from occurring
       • Element of your Risk Assessment
       • Risk 101:
         – Risks can NEVER be eliminated…but they CAN be mitigated
    21. Incident Response Planning
       • Critical to establish your plans
       • Don’t assume you won’t be a target
       • Most banks cannot fight these attacks alone
       • Relying on your own infrastructure alone will eventually let attacks achieve their objectives
       • Ensure that providers and ISPs are prepared
       • Blocking source addresses and blacklisting traffic from geographic regions must be done “upstream”
       • Test plans to ensure preparedness (ex. tabletop testing)
    22. Understanding Your Network
       • Baseline network activity
       • Without established baselines, it is difficult to identify when an onslaught or attack is starting
       • Real-time monitoring of inbound TCP/UDP traffic
       • Understand “normal” connection counts for web applications (e.g. OLB)
       • Track bandwidth utilization – what is typical? Good? Bad?
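The baselining that slide 22 calls for, shown as an added example that is not part of the presentation: it computes a "normal" profile of new-connection and half-open (SYN_RECV) counts towards the online-banking front end from a quiet window, then flags minutes whose half-open count exceeds the baseline by a chosen number of standard deviations. The per-minute samples and the field layout are constructed for the example; a real deployment would feed it counts from a flow collector or the load balancer.

```python
"""Baseline-and-threshold detector for inbound connection activity.

Added example (not from the slides): the 'baseline network activity'
idea in code. Input is a constructed series of per-minute samples
(minute, new_connections, half_open) for the OLB front end.
"""
from statistics import mean, pstdev

# Constructed sample: 20 quiet minutes of business as usual, then five
# minutes in which a SYN flood starts (half-open count climbs while
# completed connections stall because the backlog is filling up).
SAMPLES = [(m, 180 + (m * 7) % 40, 12 + (m * 3) % 9) for m in range(20)] + [
    (20, 210, 45), (21, 240, 310), (22, 190, 1200), (23, 95, 2600), (24, 40, 4100),
]


def build_baseline(samples, window=20):
    """Mean and population stddev of each metric over the training window."""
    train = samples[:window]
    conns = [s[1] for s in train]
    half = [s[2] for s in train]
    return {
        "conn_mean": mean(conns), "conn_std": pstdev(conns),
        "half_mean": mean(half), "half_std": pstdev(half),
    }


def detect(samples, baseline, k=3.0, min_half_open=100):
    """Return the minutes whose half-open count exceeds mean + k*std.

    An absolute floor (min_half_open) stops a very quiet baseline from
    tripping on ordinary noise; tune both to the application's normal.
    """
    thr = max(baseline["half_mean"] + k * baseline["half_std"], min_half_open)
    alerts = []
    for minute, conns, half in samples:
        if half > thr:
            # Half-open connections per completed connection: a rising
            # ratio is the signature of a SYN flood rather than a traffic surge.
            ratio = half / max(conns, 1)
            alerts.append({"minute": minute, "half_open": half,
                           "half_open_per_conn": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLES)
    print("baseline:", base)
    for a in detect(SAMPLES, base):
        print("ALERT", a)
```

The training window is deliberately separate from the minutes being judged: if the baseline is recomputed over data that already contains the flood, the threshold drifts upward and the attack disappears into "normal", which is the failure the slide warns about.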
    23. Securing the Perimeter
       • Load Balance Traffic
       • Explicit access-control lists should permit only authorized traffic
       • Immediately drop all malformed protocol requests
       • Pre-built access-lists to block non-domestic inbound traffic or shun bad sources
       • Set rate limits and embryonic connection thresholds
       • DNS cat-and-mouse techniques
       • Enhance monitoring of traffic (early detection, baselines)
       • Work with your critical providers and ISPs in advance
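Slide 23's perimeter controls as decision logic, an added example that is not from the presentation or any firewall vendor: an explicit allow-list of destination ports, a drop of malformed TCP flag combinations, a per-source SYN rate limit over a sliding window, and an embryonic (half-open) connection threshold per source. The packet dictionary fields, the limits and all sample traffic are constructed; in production the same policy is expressed in the firewall, load balancer or at the upstream provider.

```python
"""Perimeter policy simulation: explicit allow-list, malformed-flag drop,
per-source SYN rate limit and embryonic (half-open) connection threshold.

Added example, not the presentation's or any vendor's code. Packet fields
(src, dport, flags, t) and every sample packet are constructed."""
from collections import defaultdict, deque

ALLOWED_PORTS = {443}   # explicit ACL: only the HTTPS online-banking front end


def malformed(flags):
    """TCP flag combinations legitimate clients never send."""
    f = set(flags)
    return not f or ({"SYN", "FIN"} <= f) or ({"SYN", "RST"} <= f)


class PerimeterFilter:
    def __init__(self, syn_rate_limit=10, rate_window=60.0, embryonic_limit=5):
        self.syn_rate_limit = syn_rate_limit    # SYNs admitted per source per window
        self.rate_window = rate_window          # seconds
        self.embryonic_limit = embryonic_limit  # half-open connections per source
        self.syn_times = defaultdict(deque)     # src -> timestamps of admitted SYNs
        self.half_open = defaultdict(int)       # src -> SYNs still awaiting the final ACK

    def handle(self, pkt):
        """Return 'accept' or a 'drop:<reason>' verdict for one packet."""
        src, dport, flags, t = pkt["src"], pkt["dport"], pkt["flags"], pkt["t"]
        if dport not in ALLOWED_PORTS:
            return "drop:acl"
        if malformed(flags):
            return "drop:malformed"
        if "SYN" in flags:
            q = self.syn_times[src]
            while q and t - q[0] > self.rate_window:   # expire timestamps outside the window
                q.popleft()
            if len(q) >= self.syn_rate_limit:
                return "drop:rate"
            if self.half_open[src] >= self.embryonic_limit:
                return "drop:embryonic"
            q.append(t)
            self.half_open[src] += 1
            return "accept"
        if "ACK" in flags and self.half_open[src] > 0:
            self.half_open[src] -= 1    # handshake completed: no longer half-open
        return "accept"


def sample_traffic():
    """Constructed packets: a normal client, an ACL miss, a malformed segment,
    a source that opens connections and never completes them, and a chatty
    but well-behaved source that exceeds the per-window SYN rate."""
    def pk(src, dport, flags, t):
        return {"src": src, "dport": dport, "flags": flags, "t": t}
    normal = [pk("10.0.0.5", 443, ("SYN",), 0.0), pk("10.0.0.5", 443, ("ACK",), 0.1)]
    acl = [pk("10.0.0.5", 22, ("SYN",), 1.0)]
    bad = [pk("10.0.0.6", 443, ("SYN", "FIN"), 2.0)]
    flood = [pk("198.51.100.7", 443, ("SYN",), 10.0 + i) for i in range(8)]
    chatty = []
    for i in range(12):
        chatty += [pk("203.0.113.9", 443, ("SYN",), 20.0 + i),
                   pk("203.0.113.9", 443, ("ACK",), 20.5 + i)]
    return normal + acl + bad + flood + chatty


def run(packets, **limits):
    """Apply one filter instance to a packet sequence; returns the verdicts."""
    f = PerimeterFilter(**limits)
    return [f.handle(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(sample_traffic(), run(sample_traffic())):
        print(p["src"], p["dport"], "/".join(p["flags"]), "->", verdict)
```

The two counters deliberately measure different things: the embryonic threshold catches a source that opens connections and never finishes the handshake (five accepted, the rest dropped), while the rate limit catches a source whose handshakes all complete but arrive faster than the policy allows. Both are per-source, which is exactly why the slide pairs them with upstream filtering: a distributed flood spreads its SYNs across enough sources that neither counter trips for any one of them.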
    24. Combatting These Attacks
    25. Critical Distinction
       • Politically-motivated attacks are a reality for prominent US institutions
         – they are now at risk of being targeted for activities unrelated to their own business
       • Different threat scenario for community banks
       • Community banks will more likely be targeted in combination with an account takeover event
       • DDoS attacks are significantly mitigated with the absence of account takeover fraud
       • DDoS attacks represent ONLY the 2nd half of the equation
    26. Anatomy of an Attack
    27. Account Takeover Fraud
       • Account takeover is one of the more prevalent forms of fraud. It is the result of an attacker taking over another person's account, first by gathering information about the intended victim
       • Estimates from the FBI project that financial fraud resulting from account takeover attacks will exceed $1 billion this year
       • Motivated by financial gain, this has become an extremely lucrative, criminal business
    28. Building a Layered Security Model
       • Defense-in-depth (“deep” or “elastic”)
       • Derived from traditional military strategy
         – requires that a defender deploy resources at and well behind the front line
       • Reliance on any single control or mitigating factor is not sufficient
       • Prevents shortfalls in any single defense control
    29. Fighting Account Takeover Fraud
       • Strong multi-factor authentication
         – one-time passwords (OTPs), temporary access codes (TACs)
       • Out-of-band transaction authorization
       • Cannot only focus around authentication events
       • Anomaly detection for suspicious transactions based on characteristics/patterns
       • Dual Approval controls / Segregation of duties
       • Enhanced controls over account activities
         – Transaction limits, payment recipients, thresholds
    30. Out-of-Band Transaction Authorization
       • FFIEC’s June 2011 Guidance states:
         – “Out-of-band authentication means that a transaction that is initiated via one delivery channel [e.g. online] must be re-authenticated or verified via an independent delivery channel [e.g. telephone] in order for the transaction to be completed”
         – out-of-band authentication directed through the same device that initiates the transaction may not be effective since that device may have been compromised
       • Out-of-band authorization can be extremely effective in protecting customers against financial malware attacks and Trojans
    31. Leverage Alerts
       • Users must play a part and participate in fighting fraud
       • Real-time alerts delivered to a victim are timely and provide the opportunity to alert the financial institution of activity
       • Transactional Alerting
         – Ex: creation, authorization
         – Changes to profile settings
       • Security Event Alerts
         – Ex: changes to delivery targets, failed logon attempts
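The out-of-band authorization of slide 30 together with the transactional and security-event alerts of slide 31, as an added example that is not from the presentation or any banking product: a one-time code is bound to the transaction details (account, amount, recipient), delivered on a channel other than the one that initiated the transaction, and accepted only for the details actually being submitted, so a transaction altered by malware on the initiating device fails verification. The channel names, the in-memory pending store, the alert log, the attempt limit and the sample transaction are all constructed for the example.

```python
"""Out-of-band (OOB) transaction authorization with alerting.

Added example, not from the slides or any vendor product. A 6-digit code
is derived from a server secret, a per-transaction nonce and the
transaction details, delivered out of band, and checked against the
details submitted at completion time. Channel names, stores and the
sample transaction are constructed."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed for the example)
PENDING = {}                           # tx_id -> pending authorization record
ALERTS = []                            # (channel, message) the customer would receive
MAX_ATTEMPTS = 3                       # failed codes tolerated before the request is voided


def canonical(tx):
    """Stable string of the fields the code is bound to."""
    return "|".join(f"{k}={tx[k]}" for k in ("account", "amount", "recipient"))


def _code(nonce, details):
    """6-digit code from HMAC(server key, nonce | details)."""
    mac = hmac.new(SERVER_KEY, f"{nonce}|{details}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_code(tx_id, tx, initiated_via, deliver_via, ttl=300, now=None):
    """Register a pending transaction and 'deliver' its code out of band.

    Delivery on the initiating channel is refused: the FFIEC point on the
    slide is that the initiating device may itself be compromised."""
    if deliver_via == initiated_via:
        raise ValueError("delivery channel must differ from initiating channel")
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    details = canonical(tx)
    PENDING[tx_id] = {"nonce": nonce, "details": details, "exp": now + ttl, "attempts": 0}
    code = _code(nonce, details)
    # Transactional alert: the customer sees exactly what they are approving,
    # so an amount or recipient altered on the initiating device is visible here.
    ALERTS.append((deliver_via,
                   f"Approve {tx['amount']} to {tx['recipient']} from {tx['account']}? Code {code}"))
    return code


def authorize(tx_id, tx, code, now=None):
    """Complete tx only if the code is valid for the details submitted now."""
    rec = PENDING.get(tx_id)
    now = time.time() if now is None else now
    if rec is None or now > rec["exp"]:
        PENDING.pop(tx_id, None)
        return False, "expired-or-unknown"
    expected = _code(rec["nonce"], canonical(tx))
    if not hmac.compare_digest(expected, code):
        # Wrong code, or details changed after the code was issued (both look the same).
        rec["attempts"] += 1
        ALERTS.append(("security", f"Authorization failed for {tx_id}: code or details do not match"))
        if rec["attempts"] >= MAX_ATTEMPTS:
            del PENDING[tx_id]
        return False, "code-mismatch"
    del PENDING[tx_id]   # single use: presenting the same code again is rejected
    return True, "authorized"


if __name__ == "__main__":
    tx = {"amount": "2500.00", "recipient": "ACME Supply", "account": "****1234"}
    c = issue_code("demo", tx, initiated_via="online", deliver_via="sms")
    print("delivered:", ALERTS[-1])
    print("tampered:", authorize("demo", dict(tx, amount="9500.00"), c))
    print("genuine:", authorize("demo", tx, c))
```

Binding the code to the details is what makes the control resist a banking Trojan rather than just a stolen password: the malware can relay a code the customer typed, but the code only validates the transaction the customer actually saw on the second channel. The security alert on a failed attempt is the slide 31 event that lets the customer call the institution before the fraud completes.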
    32. Communicating with Customers
       • FFIEC has been critical of the lack of communication provided by banks and institutions that have been attacked
       • This represents a fine line, as any public communication may disclose response plans, details, or other information to attackers
       • Establish general communication templates that will be used in the event of an attack
       • Know how and at what point to communicate
    33. Summary & Wrap Up
       • Hacktivist attacks have illustrated the severity of DoS
       • Better understanding of denial-of-service attacks
       • DoS attacks are being used in multifaceted fraud
       • Critical distinction between publicized attacks
       • Establish and test your plans
       • Reduce account takeover fraud with layered controls
    34. “The future ain’t what it used to be.”
       -Lawrence “Yogi” Berra, New York Yankees, 1946-1964
       Be Prepared
    35. Questions
       Declare var $response
       if [?] >= ‘1’
       then
         $response = ‘answer’
       else
         $response = ‘thankyou’
       end if;
    36. Thank you
       linkedin.com/in/mclaughlinjay
       Email: jmclaughlin@q2ebanking.com