DDoS attacks have catapulted to the forefront of banking security news after the industry experienced a series of multi-phased attacks beginning back in September of 2012. Hackers launch DDoS attacks prompted by one of two common motives. Protest attacks, like OpUSA, target large, high-profile banks and are often launched for social or political purposes. Attacks on community banks are usually used to as a distraction in conjunction with account takeover attacks. This event is designed to strengthen the awareness and defenses of participants. Jay McLaughlin, this session's presenter, fights cybercrime aimed at financial institutions on a daily basis as Q2ebanking's Chief Security Officer. Jay will break down conceptual and technical aspects of DDoS attack types, clarify the differing attacker motives, and discuss how community banks can build a layered security model to prevent DDoS attacks.

1. September 9, 2013
DCI Annual Conference
DDoS Attacks:
The Impact to Community
Financial Institutions
Jay McLaughlin, CISSP
Senior Vice President, Chief Security Officer

2. September 9, 2013
Agenda
• Overview of Distributed Denial-of-Service Attacks
• Types of DoS attacks and why they are successful
• Understanding the motives behind recent attacks
• Detecting & Defending against an attack
• Preparation for response to an attack
• Steps to mitigate the attacks targeted to commit fraud

3. September 9, 2013
Types of Denial-of-Service Attacks
• SYN Floods/IP Floods
• connection attacks; half open connections do not complete the handshake
• HTTP GET/POST
• Application level flood attacks
• ICMP Attacks / ICMP Echo
• ping of death; Smurf attacks
• UDP Floods
• DNS amplification attacks
- send 64-byte query and return 3,363-byte return (50X amplification factor)
• Teardrop Attacks
• TCP packet fragmentation that attacks reassembly process

4. September 9, 2013
New Waves of State-Sponsored Attacks
• April 2007 began a three-week wave of massive cyber-
attacks on the small Baltic country of Estonia
• First known incidence of such an assault on a state
• Targeted the government, banks, news agencies, and
businesses
• Recent DDoS attacks have indicated sponsorship or
involvement of foreign nation states

5. September 9, 2013
“Hacktivism” on the Rise
•Definition: “Hacktivisim”
– Non-violent use of legal and/or illegal computers and computer
networks as a means in pursuit of political ends
– Term first coined in 1998 by Cult of the Dead Cow
•Most forms of political activism require the strength of masses;
hacktivism can often the result from the power of one, or small group
•Attacks often include defacement, sit-ins, e-mail bombs, & doxing
•Most often carried out anonymously, and can take place over trans-
national borders

6. September 9, 2013
H-Activists Attacks Organized by “Anonymous”
• Group formed in 2008 originally after an internal Church of
Scientology video was redacted from YouTube
• Gained public prominence in 2010 during its defense and
support of WikiLeaks and its leader Julian Assange
• Anonymous mobilized, unleashing its Low Orbit Ion Cannon
(LOIC) tool, with which anyone could participate in DDoS attacks
• Attacks waged against Mastercard, Visa, PayPal
• Since attacked various causes, from cartels in Mexico, child
pornography, protests against U.S. actions
• Government entities, CIA & FBI, Sony, Westboro Baptist Church

7. September 9, 2013
Operation Payback: Against Anti-Piracy

8. September 9, 2013
Tools: No Skills Required (Example: LOIC)

9. September 9, 2013
Waves of DDoS Attacks Against US Banks
• Bank of America, Chase, Citigroup, HSBC, Wells Fargo, US Bank,
Capital One, PNC Financial Services, Ally Bank, SunTrust Bank,
Regions Bank, BB&T, Fifth-Third Bank, etc.
• U.S. intelligence officials said they believe the attacks against the
banks have been carried out or condoned by the Iranian govt
• “Suspicions point towards a special unit of Iran’s Revolutionary Guard”
– Sen. Joe Lieberman (CSPAN interview, Sept. 2012)
• Experts cautioned it is difficult to accurately identify

10. September 9, 2013
Responsibility for the latest attacks against banks?
• Izz ad-Din Al-Qassam
• Syrian prophet who fought against the French, British and
Zionist elements in eastern Mediterranean regions in the
20’s and 30’s
• “Brigades” is military wing of the Islamic resistance movement
Hamas
• “Cyber Fighters” is the hacker collective
• Retaliation for the portrayal of Muslims in a series of movie
trailers posted to YouTube for the film “Innocence of Muslims.”

11. September 9, 2013
Warning of Attacks Against US Banks
http://www.youtube.com/watch?v=xYVfBNKbfRQ

12. September 9, 2013
DDoS Attacks Hit US Banks: Operation Ababil

13. September 9, 2013
Pay-to-Play “Booter” Services

14. September 9, 2013
Why are DDoS Attacks Successful?
• Attackers are acquiring more bandwidth

15. September 9, 2013

16. September 9, 2013
Why are DDoS Attacks Successful?
• Attackers are acquiring more bandwidth
• No longer compromise and recruit thousands or tens of thousands of end-user
PCs to carry out the distributed denial-of-service attacks
• Instead, targeting a handful of web servers that have more bandwidth and processing
power
• Yapping Chihuahuas morphed into fire-breathing Godzillas
• The extra horse power of servers can create peak floods exceeding 100Gbps, a
volume big enough to knock even large sites offline

17. September 9, 2013
Compromised Endpoints: Botnet Armies
• Researchers from the security firm Incapsula
researchers noticed a website located in the UK
that was exhibiting suspicious behavior
• Discovered a backdoor that had been planted
on it that was programmed to receive
instructions from remote attackers
• Website traffic was being directed to send a
flood of HTTP and UDP packets to major banks
including PNC HSBC, and Fifth Third Bank Source: Ars Technica; Jan. 2013
http://arstechnica.com/security/2013/01/secret-footsoldier-targeting-banks-
reveals-meaner-leaner-face-of-ddos/

18. September 9, 2013
Attacking The Stack
• DDoS security firm Prolexic reported they have found several
compromised servers were outfitted with “itsoknoproblembro”
• (pronounced "it's OK, no problem, bro”)
• DDoS tools that allowed the attackers to unleash network packets
based on the UDP, TCP, HTTP, and HTTPS protocols.
• These flooded the banks' routers, servers, and server applications
• Attacked layers 3, 4, and 7 of the networking stack
Source: Threatpost October 2012
http://threatpost.com/en_us/blogs/automated-toolkits-named-massive-ddos-attacks-against-us-banks-100212

19. September 9, 2013
Preparing for DoS Attacks

20. September 9, 2013
What Can Be Done in Advance?
• DoS attacks cannot be prevented!
• Adversaries will launch attacks and no technology, provider, plans,
etc. can stop those actions from occuring
• Element of your Risk Assessment
• Risk 101:
• Risks can NEVER be eliminated…but they CAN be mitigated

21. September 9, 2013
Incident Response Planning
• Critical to establish your plans
• Don’t assume you won’t be a target
• Most banks cannot fight these attacks alone
• Relying on infrastructure will eventually help attacks achieve objectives
• Ensure that providers and ISPs are prepared
• Blocking source addresses and blacklisting traffic
from geographic regions must be done “upstream”
• Test plans to ensure preparedness (ex. tabletop testing)

22. September 9, 2013
Understanding Your Network
• Baseline network activity
• Without established baselines, it is difficult to be identify
when an onslaught or attack is starting
• Real-time monitoring of inbound TCP/UDP traffic
• Understand “normal” connection counts for web applications (e.g. OLB)
• Track bandwidth utilization – what is typical? Good? Bad?

23. September 9, 2013
Securing the Perimeter
• Load Balance Traffic
• Explicit access-control lists should permit only authorized traffic
• Immediately drop all malformed protocol requests
• Pre-built access-lists to block non-domestic inbound traffic or shun bad sources
• Set rate limits and embryonic connection thresholds
• DNS cat-mouse techniques
• Enhance monitoring of traffic (early detection, baselines)
• Work with your critical providers and ISPs in advance

24. September 9, 2013
Combatting These Attacks

25. September 9, 2013
Critical Distinction
• Politically-motivated attacks are a reality for prominent US institutions
• they are now at risk of being targeted for activities unrelated to their own business
• Different threat scenario for community banks
• Community banks will more likely be targeted in combination with an account
takeover event
• DDoS attacks are significantly mitigated with the absence of account
takeover fraud
• DDoS attacks represent ONLY the 2nd half of the equation

26. September 9, 2013
Anatomy of an Attack

27. September 9, 2013
Account Takeover Fraud
• Account takeover is one of the more prevalent forms of fraud. It is the
result of an attacker taking over another person's account, first by
gathering information about the intended victim
• Estimates from the FBI project that financial fraud resulting from account
takeover attacks will exceed $1 billion this year
• Motivated by financial gain, this has become an extremely lucrative,
criminal business

28. September 9, 2013
•Defense-in-depth (“deep” or “elastic”)
•Derived from traditional military strategy
• requires that a defender deploy resources
at and well behind the front line
•Reliance on any single control or mitigating factor is not
sufficient
•Prevents shortfalls in any single defense control
Building a Layered Security Model

29. September 9, 2013
• Strong multi-factor authentication
• one-time passwords (OTPs), temporary access codes (TACs)
• Out-of-band transaction authorization
• Cannot only focus around authentication events
• Anomaly detection for suspicious transactions based on characteristics/patterns
• Dual Approval controls / Segregation of duties
• Enhanced controls over account activities
• Transactions limits, payment recipients, thresholds
Fighting Account Takeover Fraud

30. September 9, 2013
Out-of-Band Transaction Authorization
• FFIEC’s June 2011 Guidance states:
• “Out-of-band authentication means that a transaction that is
initiated via one delivery channel [e.g.. online] must be re-
authenticated or verified via an independent delivery channel [e.g..
telephone] in order for the transaction to be completed”
 out-of-band authentication directed to through the same device
that initiates the transaction may not be effective since that
device may have been compromised
• Out-of-band authorization is can be extremely effective in
protecting customers against financial malware attacks and Trojans

31. September 9, 2013
Leverage Alerts
• Users must play a part and participate in fighting fraud
• Real-time alerts delivered to a victim are timely and provide the opportunity to
alert the financial institution of activity
• Transactional Alerting
 Ex: creation, authorization
• Changes to profile settings
• Security Event Alerts
 Ex: changes to delivery targets, failed logon attempts

32. September 9, 2013
Communicating with Customers
• FFIEC has been critical of the lack of communication provided by
banks and institutions that have been attacked
• This represents a fine line, as any public communication may
disclose response plans, details, or other information to attackers
• Establish general communication templates that will be used in the
event of an attack
• Know how and at what point to communicate

33. September 9, 2013
Summary & Wrap Up
• Hacktivists attacks have illustrated severity of DoS
• Better understanding of denial-of-service attacks
• DoS attacks are being used in multifaceted fraud
• Critical distinction between publicized attacks
• Establish and test your plans
• Reduce account takeover fraud with layered controls

34. September 9, 2013
“The future ain’t
what it used to be.”
-Lawrence “Yogi” Berra
New York Yankees, 1946-1964
Be Prepared

35. September 9, 2013
Declare var $response
if [?] >= ‘1’
then
$response = ‘answer’
else
$response = ‘thankyou’
end if;
Questions

36. September 9, 2013
linkedin.com/in/mclaughlinjay
Email: jmclaughlin@q2ebanking.com
Thank you