WHITEPAPER

Protecting Financial Institutions from DDoS Attacks


imperva.com2 Protecting Financial Institutions from DDoS Attacks - Whitepaper

Contents

01 DDoS attacks are increasing in strength and complexity (page 3)

02 Implications for the financial industry (page 4)

03 FFIEC, GDPR and regional regulations (page 5)

04 Best practices for mitigating DDoS attacks (page 6)

  Over-provision bandwidth to absorb DDoS bandwidth peaks (page 6)

  Monitor application and network traffic (page 6)

  Detect and stop malicious users (page 6)

  Detect and stop malicious requests (page 7)

05 DDoS protection for websites (page 8)

  How it works (page 8)

06 Conclusion (page 9)


DDoS attacks are increasing in strength and complexity

DDoS attacks are growing in volume, size and intensity: the number of DDoS attacks in Q1 2019 was up by 200 percent compared to the same period the previous year.[2] In a recent survey of IT professionals, most indicated that they believe DDoS is the top threat to their network;[3] however, as organizations implement more effective DDoS security safeguards, cybercriminals are also increasing their ability to outsmart the latest mitigation techniques.

Network-level DDoS attacks, designed to bring down a website or online application by overwhelming network and server resources, continue to grow at a rapid pace, fueled in part by the growing availability of cloud infrastructure. These attacks are usually measured by the amount of bandwidth involved, such as the 1.35 Terabits per second (maximum) attack directed at GitHub in February 2018, the largest DDoS attack ever at the time. When it comes to mitigating them, however, it is not the bandwidth that matters but the number of packets per second, since every packet must be inspected and dropped regardless of its size. Imperva’s DDoS Protection Service has since mitigated an even larger DDoS attack against one of our clients in January 2019, which crossed the 500 million packets per second (Mpps) mark: more than four times the volume of packets sent at GitHub in 2018. In April 2019, we recorded an even larger attack by packet volume against one of our clients, which peaked at 580 million packets per second. Using our new common mitigation state (CMS) feature, our DDoS Protection service was able to escalate and mitigate this attack even faster.

DDoS attacks are not only growing in size; they are also increasing in sophistication and complexity. While large-scale attacks still take place, it is the smaller, more targeted attacks that can slip through the net and bring down an enterprise’s network. Applying multilevel tactics, attackers often use a large-scale attack as a diversion to overwhelm security staff while smaller, more targeted attacks go unnoticed, allowing a prolonged attack to disable specific infrastructure below the radar. According to the University of Cambridge’s Cyber Risk Outlook Report 2019[1], the majority (94%) of DDoS attacks recorded are still low intensity (less than 5 Gbps), often resulting in slowed service delivery rather than complete shutdown. These attacks can be mistaken for legitimate user traffic, making it possible for them to evade an organization’s common security measures, including barebones anti-DDoS solutions.

[1] Cyber Risk Outlook Report 2019
[2] Q1, 2019 Cyber Threats & Trends Report - Neustar
[3] NISC Survey Results

“Enterprises face a bill of between $50,000 (£35,000) to $2.5M (£1.8M) for each [DDoS] attack”.

STEVE PATTON 2018

1 DDoS attack: $50,000 - $2,500,000


Implications for the financial industry

Banks have long been a target for criminals, but nowadays the business profile of banking has changed entirely, with most banking and financial transactions executed online. As the financial sector grows and develops in keeping with digitalization and new technologies, so too does crime. According to a report by Generali, the average cost of a DDoS attack on a financial services organization can reach $1.8 million; the report attributes the rise in the number of DDoS attacks to the “abundance of non-password protected Internet of Things devices (which) has given hackers the tools they need to flood a website with pointless repetitive traffic, blocking access to the site for legitimate customers.”

DDoS attacks continue to plague financial institutions, slowing website response times, intermittently preventing customers from accessing institutions’ public websites, and adversely affecting back-office operations. In other cases, DDoS attacks serve as a diversionary tactic for criminals attempting to commit fraud: using stolen customer or bank employee credentials, they initiate fraudulent wire or automated clearinghouse transfers while the attack occupies the defenders.

Botnets-for-hire, composed of thousands of compromised devices, are readily available on the Internet and provide the foundation for launching devastating attacks against a financial institution’s web or application server.

DDoS attacks can cripple an online banking website, for example, resulting in lost revenues, reputation damage and reduced customer confidence. If the attack is coupled with attempted fraud, a financial institution may also experience liquidity and capital risks.

In January 2018 three top banks in the Netherlands, ABN Amro, ING and Rabobank, were targeted by a series of DDoS attacks in the same week, blocking access to websites and internet banking services for customers. ABN Amro suffered a further DDoS attack in May of the same year.

In 2017, seven of the UK’s high street banks came under attack, causing hundreds of thousands of pounds of damage. The National Crime Agency was involved in an investigation which resulted in website webstresser.org being taken down and a number of people arrested.


FFIEC, GDPR and regional regulations

In response to the DDoS threat, the Federal Financial Institutions Examination Council (FFIEC) issued a statement in April 2014 requiring banks and financial institutions regulated by the federal government to monitor their networks for DDoS attacks and have a plan in place to mitigate against such attacks.

The FFIEC outlined six steps that banks and other financial institutions should follow to address DDoS readiness. These steps include setting up a program to assess risk to IT systems, monitoring internet traffic to the institution’s website to detect attacks, and being prepared to activate incident response plans with their ISP. The FFIEC statement encourages financial institutions to hire pre-contracted third-party vendors to assist in managing the internet-based traffic flow associated with DDoS attacks.

EUROPE - The General Data Protection Regulation (GDPR) includes recital 49, which requires a “network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data”, and singles out stopping denial of service attacks. Failure to adhere to the regulation can carry a fine of 20 million euro or 4 percent of global annual turnover.

CHINA - China’s Cybersecurity Law, effective since June 2017, places new requirements on network and system security and will directly affect the financial services sector, which is considered critical information infrastructure (CII). Article 21 of the law requires that operators implement network security protection and adopt technological measures to prevent unspecified forms of cyberattacks. This may include protection against DDoS attacks.

SINGAPORE - The Singapore Cyber Security Act came into force in August 2019 and requires owners of CII to establish mechanisms and processes for the purposes of detecting cybersecurity threats and incidents. The Act penalises any person who fails to comply with fines of up to SG$20,000, imprisonment of up to 12 months or both.[1]

NEW YORK - As home to the leading financial center, New York has seen its state Department of Financial Services impose a regulation requiring New York banks and insurers to report, within 72 hours, any security event that has a “reasonable likelihood” of causing material harm to normal operations. The new regulation would capture significant cybersecurity events, such as DDoS attacks, that currently are not cataloged or reported. Learn more about NYDFS on the Imperva blog.

[1] The Impact of Singapore’s Cybersecurity Act


Best practices for mitigating DDoS attacks

There are a number of measures that financial institutions can undertake to mitigate the risks of a DDoS attack. These include:

Over-provision bandwidth to absorb DDoS bandwidth peaks

This is one of the most common measures to alleviate DDoS attacks, but it is also probably the most expensive, especially since DDoS attacks can be ten times or even one hundred times greater than standard Internet traffic levels. An alternative to over-provisioning Internet bandwidth is to use a security service to scale on-demand to absorb and filter DDoS traffic. DDoS protection services are designed to stop massive DDoS attacks without burdening businesses’ Internet connections.

Monitor application and network traffic

The best way to detect when you are under an attack is by monitoring application and network traffic. Then, you can determine if poor application performance is due to service provider outages or a DDoS attack. Monitoring traffic also allows organizations to differentiate legitimate traffic from attacks. Ideally, security administrators should review traffic levels, application performance, anomalous behavior, protocol violations, and Web server error codes. Since DDoS attacks are almost always executed by botnets, application tools should be able to differentiate between legitimate users and bot traffic. Monitoring application and network traffic provides IT security administrators with instant visibility into DDoS attack status.

Detect and stop malicious users

There are two primary methods to identify DDoS attack traffic: identify malicious users and identify malicious requests. For application DDoS traffic, identifying malicious users is often the most effective way to mitigate attacks.

Use the following measures:

• Recognize known attack sources, such as malicious IP addresses that are actively attacking other sites, and identify anonymous proxies and TOR networks. Known attack sources account for a large percentage of all DDoS attacks. Because malicious sources constantly change, organizations should have an up-to-date list of active attack sources.

• Identify known bot agents; DDoS attacks are almost always performed by an automated client. Many of these clients or bot agents have unique characteristics that differentiate them from regular Web browser agents. Tools that recognize bot agents can immediately stop many types of DDoS sources.


• Perform validation tests to determine whether the Web visitor is a human or a bot. For example, if the visitor’s browser can accept cookies, perform JavaScript calculations or understand HTTP redirects, then it is most likely a real browser and not a bot script.

• Restrict access by geographic location. For some DDoS attacks, the majority of attack traffic may originate from one country or a specific region of the world. Blocking requests from undesirable countries can be a simple way to stop the vast majority of DDoS attack traffic.
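The user-level checks listed above (known attack sources, anonymous proxies and TOR exits, bot agent recognition, geographic restriction) can be combined into a single first-match classifier that runs over web access logs. The following is an added example written for this paper, not Imperva’s code or the product’s logic; the threat-intelligence feeds, the IP-to-country table, the blocked-country policy and the log lines are all constructed stand-ins using RFC 5737 documentation addresses, and the bot signatures are a deliberately short illustrative list.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for feeds a real deployment would maintain: known attack
# sources, anonymous proxy / Tor exit ranges, and an IP-to-country table.
KNOWN_ATTACK_SOURCES = [ipaddress.ip_network("203.0.113.0/25")]
ANON_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/25")]
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "AA",      # constructed country codes
    ipaddress.ip_network("198.51.100.0/24"): "BB",
    ipaddress.ip_network("203.0.113.0/24"): "CC",
}
BLOCKED_COUNTRIES = {"CC"}   # hypothetical geo restriction policy

# Tokens typical of scripted clients; a real signature list would be far longer.
BOT_AGENT_PATTERNS = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww|scrapy", re.I)

# Combined-format access log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def lookup_country(ip):
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None


def looks_like_bot_agent(user_agent):
    """Heuristics for an automated client based on its User-Agent string."""
    ua = user_agent.strip()
    if not ua:
        return True                       # every real browser sends a User-Agent
    if BOT_AGENT_PATTERNS.search(ua):
        return True                       # known tool or library signature
    return not ua.startswith("Mozilla/")  # browsers carry the Mozilla compatibility token


def classify_client(ip_str, user_agent):
    """Apply the user-level checks in order of confidence; the first match wins."""
    ip = ipaddress.ip_address(ip_str)
    if _in_any(ip, KNOWN_ATTACK_SOURCES):
        return Verdict("block", "known attack source")
    if _in_any(ip, ANON_PROXY_RANGES):
        return Verdict("block", "anonymous proxy / Tor exit")
    country = lookup_country(ip)
    if country in BLOCKED_COUNTRIES:
        return Verdict("block", f"geo restriction ({country})")
    if looks_like_bot_agent(user_agent):
        return Verdict("block", "bot user agent")
    return Verdict("allow", "no user-level indicator")


def triage_log(log_text):
    """Run classify_client over access-log lines; returns [(ip, action, reason), ...]."""
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        ip, ua = m.groups()
        verdict = classify_client(ip, ua)
        results.append((ip, verdict.action, verdict.reason))
    return results


# Constructed sample log: two ordinary browsers, a known attack source, a proxy exit,
# a scripted client, a client with an empty User-Agent, and a geo-restricted browser.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0"
203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [01/Jan/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.200 - - [01/Jan/2020:10:00:03 +0000] "GET /api HTTP/1.1" 200 40 "-" "python-requests/2.22.0"
192.0.2.11 - - [01/Jan/2020:10:00:04 +0000] "GET /api HTTP/1.1" 200 40 "-" ""
192.0.2.12 - - [01/Jan/2020:10:00:05 +0000] "GET /api HTTP/1.1" 200 40 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"
203.0.113.200 - - [01/Jan/2020:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
"""

if __name__ == "__main__":
    for ip, action, reason in triage_log(SAMPLE_LOG):
        print(f"{ip:16} {action:5} {reason}")
```

The order of the checks matters: source reputation and proxy membership are cheap and high-confidence, so they run before the weaker User-Agent heuristic, and a source that is both a known attacker and in a restricted country is reported under the stronger reason. In production the feeds would be refreshed continuously, as the text notes, and a browser-agent mismatch alone would normally trigger a validation challenge rather than an outright block.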

Detect and stop malicious requests

Because application DDoS attacks mimic regular web application traffic, they can be difficult to detect through typical network DDoS techniques. However, using a combination of application-level controls and anomaly detection, organizations can identify and stop malicious traffic.

Measures include:

• Detect an excessive number of requests from a single source or user session. Automated attack sources almost always request web pages more rapidly than legitimate users.

• Prevent known network and application level DDoS attacks. Many types of DDoS attacks rely on simple network techniques like fragmented packets, spoofing, or not completing TCP handshakes. More advanced attacks, typically application-level attacks, attempt to overwhelm server resources. These attacks can be detected through unusual user activity and known application attack signatures.

• Distinguish the attributes, and the aftermath, of a malicious request. Some DDoS attacks can be detected through known attack patterns or signatures. In addition, the HTTP requests for many DDoS attacks do not conform to HTTP protocol standards. The Slowloris attack, for example, includes redundant HTTP headers. In addition, DDoS clients may request web pages that do not exist. Attacks may also generate web server errors or slow web server response time.
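The request-level measures above, together with the error-code and traffic-level monitoring recommended earlier, translate into three detectors that can run side by side over a request stream: a sliding-window rate limit per source, a check that each request head conforms to HTTP/1.x (no repeated singleton headers, a Host header present, headers actually terminated rather than held open), and a per-source ratio of 404/5xx responses. This is an added example written for this paper, not Imperva’s code; the thresholds, the sample requests and the addresses are constructed, and the partial request with repeated headers is a stand-in for the Slowloris behaviour the text describes.

```python
import re
from collections import defaultdict, deque

# Constructed thresholds; real values come from a baseline of normal traffic.
RATE_WINDOW_SECONDS = 10      # sliding window length
RATE_LIMIT = 20               # requests per source allowed inside the window
ERROR_RATIO_LIMIT = 0.5       # share of 404/5xx responses that marks a source as suspicious
MIN_REQUESTS_FOR_RATIO = 10   # do not judge a source on a handful of requests
SINGLETON_HEADERS = {"host", "content-length", "authorization"}   # must not repeat
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def check_protocol_violations(raw_request):
    """Return the ways a raw HTTP/1.x request head fails to conform to the protocol."""
    reasons = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.rstrip("\r\n").split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        reasons.append("malformed request line")
    seen = defaultdict(int)
    for line in lines[1:]:
        if ":" not in line:
            reasons.append("header without colon")
            continue
        seen[line.split(":", 1)[0].strip().lower()] += 1
    for name in sorted(SINGLETON_HEADERS):
        if seen[name] > 1:
            reasons.append(f"redundant {name} header")
    if lines[0].endswith("HTTP/1.1") and seen["host"] == 0:
        reasons.append("missing Host header")
    if "\r\n\r\n" not in raw_request:
        reasons.append("headers never terminated")   # partial request held open, Slowloris-style
    return reasons


class SourceRateTracker:
    """Sliding-window request counter per source; record() returns True once the limit is exceeded."""

    def __init__(self, window=RATE_WINDOW_SECONDS, limit=RATE_LIMIT):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)

    def record(self, source, ts):
        q = self.hits[source]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                   # drop timestamps that fell out of the window
        return len(q) > self.limit


class ErrorRatioTracker:
    """Per-source share of 404 and 5xx responses; flags sources that mostly hit missing pages or errors."""

    def __init__(self):
        self.total = defaultdict(int)
        self.errors = defaultdict(int)

    def record(self, source, status):
        self.total[source] += 1
        if status == 404 or status >= 500:
            self.errors[source] += 1
        t = self.total[source]
        return t >= MIN_REQUESTS_FOR_RATIO and self.errors[source] / t > ERROR_RATIO_LIMIT


def analyze(events):
    """events: iterable of (timestamp, source_ip, raw_request, status). Returns {source: set(reasons)}."""
    rate, err = SourceRateTracker(), ErrorRatioTracker()
    findings = defaultdict(set)
    for ts, ip, raw, status in events:
        for reason in check_protocol_violations(raw):
            findings[ip].add(reason)
        if rate.record(ip, ts):
            findings[ip].add("request rate exceeded")
        if err.record(ip, status):
            findings[ip].add("excessive error responses")
    return dict(findings)


def build_sample_events():
    """Constructed traffic: one ordinary user, one scripted scanner, one partial request."""
    events = []
    good = "GET /accounts HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    for i in range(5):
        events.append((i * 2.0, "192.0.2.10", good, 200))
    probe = "GET /wp-login.php HTTP/1.1\r\nHost: bank.example\r\n\r\n"
    for i in range(30):                   # 30 requests for a missing page in under 6 seconds
        events.append((i * 0.2, "203.0.113.9", probe, 404))
    slow = "GET / HTTP/1.1\r\nHost: bank.example\r\nX-a: b\r\nX-a: b\r\nHost: bank.example\r\n"
    events.append((3.0, "198.51.100.77", slow, 408))   # never sends the blank line
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for source, reasons in analyze(build_sample_events()).items():
        print(source, sorted(reasons))
```

Each detector on its own has an innocent explanation (a busy NAT gateway, a broken client, a dead link), which is why the text pairs them with anomaly baselines; the value here is that the same source tripping several of them at once is a far stronger signal than any single threshold.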


DDoS protection for websites

Due to the complex and evolving nature of DDoS attacks, many organizations are turning to services to implement the DDoS mitigation measures described above. DDoS Protection for Websites complements Imperva’s cloud web application firewall (WAF), which blocks hacking attempts and attacks by malicious bots; the DDoS service stops all types of DDoS threats, including network, protocol and application level attacks, with minimal business disruption. Leveraging a high-capacity global CDN, DDoS Protection for Websites is an always-on DDoS mitigation service that scales on demand to stop multi-gigabit attacks without requiring businesses to purchase expensive Internet connections or deploy additional networking equipment.

DDoS Protection for Websites combines multiple defenses to mitigate DDoS attacks. Network defenses detect attacks like SYN floods and DNS amplifications. DDoS Protection for Websites detects sophisticated application-level attacks that bypass traditional DDoS security services by implementing advanced and progressive challenge mechanisms. These defenses differentiate between bots and legitimate application users by validating whether the client browser can execute JavaScript, store cookies and perform other basic browser functions.
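The challenge mechanism described here, and the validation test listed under “Detect and stop malicious users” (can the client store a cookie, run JavaScript and follow a reload?), can be shown end to end with a small server-side handler. The following is an added example written for this paper and is not Imperva’s implementation: the cookie name, the time window, the HMAC construction binding the token to the client address, and the two simulated clients are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed parameters: the secret is generated per process, and a passed challenge
# stays valid for one time window so visitors are not re-challenged on every request.
SERVER_SECRET = secrets.token_bytes(32)
WINDOW_SECONDS = 300
COOKIE_NAME = "ddos_chal"


def _window(now):
    return int(now // WINDOW_SECONDS)


def _token(client_ip, window):
    """Cookie value bound to the client address and time window via HMAC-SHA256."""
    msg = f"{client_ip}|{window}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def challenge_page(client_ip, now):
    """Tiny HTML page: only a client that runs the script and stores the cookie gets through."""
    token = _token(client_ip, _window(now))
    return (f'<script>document.cookie="{COOKIE_NAME}={token}; path=/; SameSite=Lax";'
            'location.reload();</script>')


def verify_cookie(client_ip, cookie_header, now):
    """True if the Cookie header carries a token valid for this client in the current or previous window."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    presented = cookies.get(COOKIE_NAME, "").encode()
    w = _window(now)
    return any(hmac.compare_digest(presented, _token(client_ip, cand).encode())
               for cand in (w, w - 1))


def handle_request(client_ip, cookie_header, now):
    """Serve content to validated clients; everyone else receives the challenge page."""
    if verify_cookie(client_ip, cookie_header, now):
        return 200, "<protected content>"
    return 503, challenge_page(client_ip, now)


def browser_flow(client_ip, now):
    """Simulated real browser: executes the challenge script, stores the cookie, reloads."""
    statuses = []
    status, body = handle_request(client_ip, "", now)
    statuses.append(status)
    m = re.search(rf"{COOKIE_NAME}=([0-9a-f]+)", body)
    cookie_header = f"{COOKIE_NAME}={m.group(1)}" if m else ""
    status, _ = handle_request(client_ip, cookie_header, now + 1)
    statuses.append(status)
    return statuses


def no_js_bot_flow(client_ip, now):
    """Simulated scripted client that ignores the page body and never sets a cookie."""
    return [handle_request(client_ip, "", now + i)[0] for i in range(2)]


if __name__ == "__main__":
    now = time.time()
    print("browser:", browser_flow("192.0.2.10", now))    # [503, 200]
    print("bot:    ", no_js_bot_flow("203.0.113.9", now))  # [503, 503]
```

Two design points carry over to any real deployment of this idea: the token is keyed to the client address and a time window, so a cookie harvested from one host cannot be replayed from another or kept indefinitely, and the previous window is still accepted so a visitor crossing a window boundary is not challenged again. The challenge is transparent to a real browser (one automatic reload) while a client that does not execute JavaScript or keep cookies never reaches the protected content.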

How it works

• CDN distributes traffic between DDoS Protection for Websites scrubbing centers

• Dedicated hardware and software block network DDoS threats

• Security engine protects from web application and server vulnerabilities

• Visitors are assigned a risk score and their actions are put into context

• A set of challenges allows for granular and transparent mitigation

• Advanced analysis of (DDoS) network layer traffic via simple dashboard display

DDOS PROTECTION FOR WEBSITES OFFERS

• Always-on deployment with automatic attack detection and mitigation

• Advanced analytics of legitimate and malicious (DDoS) network layer traffic via the Imperva dashboard

• Zero business disruption based on transparent mitigation with less than 0.01% false positives

• End-to-end protection against the largest and smartest DDoS attacks

• Powerful backbone of globally distributed scrubbing centers

• Specialized support for massive SYN flood, DNS targeted and DNS amplification attacks

• BGP routing support that enables DDoS protection for all protocols (Email, VoIP, FTP, etc.)

• Dedicated 24x7 NOC support & security team


Copyright © 2020 Imperva. All rights reserved

Protecting Financial Institutions from DDoS Attacks - Whitepaper | imperva.com | +1.866.926.4678

Imperva is an analyst-recognized, cybersecurity leader championing the fight to secure data and applications wherever they reside.

Conclusion

As DDoS attacks continue to increase in size, complexity and frequency, it is imperative that financial institutions understand the need for dedicated and advanced DDoS protection services to minimize the financial, operational, and reputation risks associated with DDoS attacks.

In response to these trends, and in particular the wave of DDoS attacks targeted against the financial sector over the past few years, the FFIEC has issued a recent statement[1] emphasizing the benefits of a standardized approach to assessing and improving cybersecurity preparedness. The approach entails choosing from a variety of standardized tools, aligned with industry standards and best practices, to assess cybersecurity preparedness; the objective is that the Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.

The best practices outlined in this paper will help financial institutions build a sound DDoS mitigation strategy, enabling them to comply with key steps outlined by the FFIEC. These measures include over-provisioning bandwidth to absorb peaking attack traffic, monitoring of application and network traffic, detection and filtering of malicious users, and identification and blocking of malicious requests.

Imperva offers a cloud-based DDoS Protection service that addresses all of these key requirements, enabling financial institutions to keep their websites and online applications up and running with high availability, performance, and user experience.

MORE RESOURCES

• The changing face of DDoS attacks: degraded performance instead of total takedown

• Neustar Security: Q3, 2019 cyber threats & trends report

• DDoS attack statistics and facts for 2018-2019

• DDoS attacks growing ever-more sophisticated and efficient

• The impact of cybersecurity incidents on financial institutions

• Financial sector under siege

• Cyber risk outlook 2019

• Top Dutch banks, government services hit by cyberattacks

• Cybersecurity assessment tool

• What is the real cost of a DDoS attack?

