By Richard Hummel, ASERT Threat Intelligence Lead for NETSCOUT
Over the past two years, the way financial institutions operate has changed significantly. Companies in the financial sector have had to adapt their operating models and implement remote working policies following the Covid-19 pandemic. With employees working from home and accessing data from offsite locations, large volumes of private and sensitive material have been exposed outside the traditional perimeter, where cybercriminals operate. Unsurprisingly, threat actors took advantage of the opportunity this presented to them.
In its recently released Threat Intelligence report, NETSCOUT found that threat actors launched approximately 5.4 million distributed denial-of-service (DDoS) attacks in the first half of 2021, an increase of 11% from the same period in 2020, with the peak between January and March 2021.
This should be of significant concern to security managers at these organizations, as the report also found that in the first half of 2021, more than 50% of the targets of DDoS extortion attacks were in the financial industry. Additionally, NETSCOUT found that over 7,000 DDoS attacks were launched against commercial banks and payment card processors in the first six months of 2021.
Although at first glance this attack activity may seem relatively minor compared to the total number of attacks, many of these attacks succeeded in causing major disruption. This, in turn, had a detrimental impact on downstream consumers attempting to use their credit cards as well as on the targeted organizations themselves. An attack on a commercial bank or payment card processor can have major consequences: card processors have the capacity to process over 5,000 transactions per second, so even minutes of downtime can mean millions of pounds in lost revenue. It can also have a hugely negative effect on the organization’s brand and customer retention.
Types of DDoS attacks launched by malicious actors
As mentioned earlier, financial institutions receive a large number of DDoS extortion attacks. These types of attacks differ from other DDoS attacks because the threat actors launch a demonstration DDoS attack against elements of the company’s online infrastructure, either before or after sending an email to the business requesting payment in cryptocurrency, usually Bitcoin.
One of the main reasons threat actors target financial institutions with DDoS extortion attacks is that these organizations are known to have access to large volumes of data and money. For example, the Lazarus Bear Armada (LBA) DDoS extortion campaign targeted financial institutions such as commercial banks and market institutions, including the New Zealand Stock Exchange. On top of that, professional ransomware gangs have added triple extortion attacks to their arsenal. By combining file encryption, data theft, and DDoS attacks, cybercriminals pursue a ransomware triple threat in an effort to increase their payout potential.
Threat actors are also using increasingly complex techniques when launching DDoS attacks against financial institutions. Evidence of this is that cybercriminals adapt the attack types they use in an attempt to overwhelm the multiple layers of on-premises and cloud-based DDoS protection that financial organizations have deployed, so as to penetrate their online infrastructure. One example is the increased use of TCP ACK flood attacks against commercial banks and payment card processing solutions; these attacks are designed to overload and clog the connections between servers. As a result, institutional and end customers using these services have been affected by downtime and outages.
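To make the ACK-flood behaviour described above concrete from a defender's side, here is an added example that is not part of the original article or of NETSCOUT's tooling: a small Python detector that tracks three-way handshakes in a simplified packet log and flags any destination that receives more ACK-only packets for never-established connections than a threshold allows within a one-second window. The log format, the addresses and the threshold are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

# Constructed sample traffic (assumption, not from the article): one client
# completes a handshake with a bank web server and then sends normal ACKs.
# Record format: "ts src_ip:port dst_ip:port flags" (S, SA or A).
LEGIT_LOG = """
0.000 203.0.113.10:51000 198.51.100.5:443 S
0.010 198.51.100.5:443 203.0.113.10:51000 SA
0.020 203.0.113.10:51000 198.51.100.5:443 A
0.500 203.0.113.10:51000 198.51.100.5:443 A
0.900 203.0.113.10:51000 198.51.100.5:443 A
"""

def build_flood(start_ts, count, target="198.51.100.5:443"):
    """Construct ACK-only packets (one per ms) from sources with no handshake."""
    return [f"{start_ts + i / 1000:.3f} 192.0.2.{i % 254 + 1}:{40000 + i} "
            f"{target} A" for i in range(count)]

def parse(lines):
    """Turn log lines into sorted (ts, src, dst, flags) tuples."""
    records = []
    for line in lines:
        if line.strip():
            ts, src, dst, flags = line.split()
            records.append((float(ts), src, dst, flags))
    return sorted(records)

def detect_ack_flood(records, window=1.0, threshold=100):
    """Track handshakes and count ACK-only packets that belong to no
    observed connection. Return {(dst, window_index): count} for every
    window in which such orphan ACKs exceed the threshold."""
    state = {}                 # (client, server) -> "syn" | "synack" | "est"
    orphan = defaultdict(int)
    for ts, src, dst, flags in records:
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"
        elif flags == "A":
            if state.get((src, dst)) == "synack":
                state[(src, dst)] = "est"      # handshake completed
            elif state.get((src, dst)) != "est":
                orphan[(dst, int(ts // window))] += 1
    return {key: n for key, n in orphan.items() if n > threshold}

def run_demo():
    """Legitimate traffic in window 0, a 500-packet flood in window 1."""
    records = parse(LEGIT_LOG.splitlines() + build_flood(1.0, 500))
    return detect_ack_flood(records)
```

The detector only tracks the client-to-server direction and has no connection expiry, so a production version would also accept server-side ACKs on established connections and age out old state.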
What can financial institutions do to protect themselves?
As with many aspects of human activity, the 80/20 rule – also known as the Pareto principle after its famous exponent, economist Vilfredo Pareto – can be applied not only to economics but also to Internet security and DDoS protection. For approximately 80% of DDoS attacks, companies that have implemented the appropriate industry best current practices (BCPs) will be able to maintain availability. For the remaining 20% of attacks, financial institutions need to tune their DDoS defenses to many factors, including the attack vectors chosen and the attack's behaviour. The effort and time required to prepare properly means that defenders must respond in a manner appropriate to the situation, so that attacks are thwarted and the resilience of their online properties is maximized. Companies in the financial sector can therefore take several steps to ensure that they have maximized their ability to defend against DDoS attacks.
First, for financial institutions to adequately defend their public-facing online infrastructure against this continuing threat, it is essential that they invest in a robust and effective DDoS protection system. With comprehensive DDoS attack mitigation in place, the threat posed by cybercriminals will be neutralized: the system prevents DDoS attacks from causing significant damage thanks to the preventive measures put in place. Organizations with an adequate DDoS defense system that do fall victim to a DDoS attack will have peace of mind and complete confidence in the system they are using.
Second, financial firms should test their DDoS attack mitigation system on a semi-regular basis. Periodic testing ensures that all changes and adjustments to an organization’s online systems are incorporated into the comprehensive protection plan, protecting the entire online infrastructure against DDoS attacks. Finally, financial institutions should also seriously consider employing an on-demand DDoS attack specialist. By using the expertise of a specialist, companies will be able to negotiate unfamiliar circumstances and terrain, which should benefit the whole company, as well as individual teams. As long as financial organizations adhere to BCP procedures and implement the aforementioned recommendations, they will be in a strong position to successfully defend their online properties if they are the target of a DDoS attack.
The continued evolution of DDoS attacks, which are becoming increasingly complex and difficult to defend against, requires financial institutions to implement security capable of preventing these complex attacks from causing serious damage. By doing so, financial industry organizations will be well positioned to defend against cybercriminals should they find themselves the target of a DDoS attack.