The recent DDoS attacks on a number of global banking and financial institutions have highlighted the need for urgent action to strengthen cybersecurity infrastructure. The attacks are a reminder that a connected world is not without its risks. In the past, individuals and small businesses have been vulnerable to cyberattacks. The Cyber Security Strategy 2018-2027 will help protect Canada from cyberthreats by developing a modernized federal cybersecurity strategy that is resilience-based and promotes collaboration among stakeholders. It also sets out new priorities for the Government of Canada to enhance cybersecurity capacity, awareness and skills across the country.
Terrorist organizations are launching DDoS attacks against global banks to interfere with the global economy. These organizations have been attempting to destabilize the world economy by targeting financial institutions that have a significant influence on macroeconomic variables, such as currency exchange rates.
Leading banks are often present in other countries, which means local branches and the services that support them: remote access for employees and partners, credit and debit card validation, and web or mobile banking. In the second half of November, we observed an increase in malicious activity targeting those services at several global financial institutions in multiple countries. The attacks initially targeted specific services with volumetric floods. They then switched to subnet floods, randomizing the destination IP addresses in order to avoid detection. The threat actors were persistent and soon started using more sophisticated and challenging methods. Attack durations varied, from multivector attacks that lasted for an hour to shorter waves that only attempted to impact productivity and user experience.
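The subnet-flood tactic described above (spreading packets across random destination addresses so no single host crosses a per-IP threshold) is caught by aggregating flow rates on the target prefix instead. The following is an added illustration, not the advisory's own tooling; the flow records, prefix lengths and thresholds are constructed for the example.

```python
"""Detecting a destination-randomised subnet flood by aggregating packet
rates per /24 prefix rather than per destination host.
Added example; the flow records and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow sample: (destination IP, packets per second).
FLOWS = []
# An attacker sprays 2,000 pps at 200 different hosts inside 203.0.113.0/24;
# no single host is hit hard enough to look unusual on its own.
for i in range(200):
    host = (i * 37) % 254 + 1          # deterministic spread over the /24
    FLOWS.append((f"203.0.113.{host}", 2_000))
# A legitimately busy server and two quiet hosts in other prefixes.
FLOWS += [("198.51.100.10", 50_000), ("198.51.100.10", 30_000)]
FLOWS += [("192.0.2.5", 100), ("192.0.2.6", 80)]

def per_host_rates(flows):
    """Sum pps per destination address (the naive per-IP view)."""
    rates = defaultdict(int)
    for dst, pps in flows:
        rates[dst] += pps
    return rates

def per_prefix_rates(flows, prefix_len=24):
    """Sum pps per destination prefix, so randomised hosts still add up."""
    rates = defaultdict(int)
    for dst, pps in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        rates[str(net)] += pps
    return rates

def detect(flows, host_threshold=100_000, prefix_threshold=100_000, prefix_len=24):
    """Return (hosts, prefixes) whose aggregate pps exceeds the threshold.
    The per-host list stays empty for the sprayed subnet; the per-prefix
    list exposes it."""
    hosts = sorted(d for d, r in per_host_rates(flows).items() if r > host_threshold)
    prefixes = sorted(p for p, r in per_prefix_rates(flows, prefix_len).items()
                      if r > prefix_threshold)
    return hosts, prefixes

if __name__ == "__main__":
    print(detect(FLOWS))   # ([], ['203.0.113.0/24'])
```

In production the prefix threshold should be a baseline learned per customer prefix, since a /24 full of busy legitimate servers also sums to a high rate.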
According to our research, there were no ransom letters delivered to the targeted companies. We are still unsure of the attacker’s objective but it could be one of the following:
- gaining a competitive advantage
- angry customers
- e-fame and trolling
These attacks are being carried out by some unknown entity. Hacking groups usually claim responsibility and they would want the general public to know as this is their main way of communicating/getting their point across. Angry customers are also unlikely, given that multiple banks and various branches have been attacked.
Kids looking for a short-lived, trolling fame are typically not as persistent and meticulous when researching and discovering their targets for trolling.
Consider the Objective, Not the Technique
Whenever a record-setting attack makes headlines, people tend to focus on the wrong thing and forget about the original or primary reason for it. Volumetric DDoS attacks reaching beyond 2Tbps get a lot of attention, but they were successfully mitigated, and defending against them mostly depends on one's ability to absorb vast amounts of traffic.
Recently, we’ve seen a number of successful short-term attacks that gained notoriety by impacting services for longer periods of time. Victims were led to believe the attacks had stopped, only to be caught off guard again a few hours or days later. These impactful attacks weren’t on the terabit-per-second level, and didn’t require millions of requests per second to degrade or disrupt the services of their victims.
The main objective of a DDoS attack is to disrupt service and impact productivity, reputation or revenue streams. Behind the objective there will be different motivations which vary depending on the threat actor. An angry customer will seek revenge. A competitor may see harming your business as the best way to gain a competitive advantage and take market share. Organized cybercrime or professional cybercriminals are in it for the money, while people looking for e-fame or trolling for fun would likely be hurting you in other ways.
DDoS Attack Attribution is Hard
Attributing the origins of a DDoS attack is not always easy, and many DDoS attacks rely on spoofing and reflection to remain anonymous. Comparing attacks and attributing them to a particular threat actor or group is becoming increasingly difficult because there are a lot of similar amplification and reflection resources readily available which can be abused. It’s hard to figure out who is causing a DDoS attack unless they publicly brag about it on social media or their logs are openly exposed.
Previously we assumed that attacks on global financial institutions were all carried out by the same group, but now we feel there may be more than one. We cannot rule out the possibility that this group is working in tandem with other groups. Recently we have seen a number of attacks outside the previous pattern.
Here’s how to choose the right defensive strategy
I typically don’t worry too much about the most visible parts of attack traffic graphs. Large and consistent floods are easy to detect, which allows us to mitigate them quickly. More worrying are the potentially malicious traffic patterns at the bottom of the barrel. A lot of people ask me whether application-layer attacks deserve less attention since they require less bandwidth. That’s not true! They’re just as easy to launch as volumetric attacks, they work over any IPv4 connection, and they can be really potent when used against large, poorly defended machines. Publicly available tools like Burp Suite, cURL, and OWASP ZAP can perform HTTP GET requests that are indistinguishable from other legitimate traffic. That’s why it’s important to have protections adapted to the exposed assets and services being protected.
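A bandwidth-based alarm misses the low-rate application-layer floods described above; counting requests per client over its active window catches them. This is an added illustration, not the advisory's own detection logic; the access-log lines (Combined Log Format) and the thresholds are constructed for the example.

```python
"""Spotting a low-bandwidth HTTP GET flood in access logs by per-client
request rate rather than by bytes on the wire.
Added example; log lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def make_sample_log():
    """Constructed sample: 300 small GETs from one client within 10 s,
    plus three ordinary page loads from other clients."""
    lines = []
    for i in range(300):
        sec = 10 + i // 30     # 30 requests per second for 10 seconds
        lines.append(f'203.0.113.77 - - [20/Nov/2018:10:00:{sec:02d} +0000] '
                     f'"GET /api/balance HTTP/1.1" 200 180')
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        lines.append(f'{ip} - - [20/Nov/2018:10:00:{12 + i:02d} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 52000')
    return lines

def per_client_stats(lines):
    """Return {client: (requests_per_second, bits_per_second)} measured over
    each client's own active window (first to last request, inclusive seconds)."""
    first, last, reqs, byts = {}, {}, defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not CLF
        ip, ts, _method, _path, _status, size = m.groups()
        t = datetime.strptime(ts, TS_FMT)
        first[ip] = min(first.get(ip, t), t)
        last[ip] = max(last.get(ip, t), t)
        reqs[ip] += 1
        byts[ip] += 0 if size == "-" else int(size)
    stats = {}
    for ip in reqs:
        window = (last[ip] - first[ip]).total_seconds() + 1
        stats[ip] = (reqs[ip] / window, byts[ip] * 8 / window)
    return stats

def flag(stats, max_rps=10.0, max_bps=1_000_000):
    """Clients over a bandwidth threshold versus clients over a request-rate threshold."""
    by_bandwidth = sorted(ip for ip, (_, bps) in stats.items() if bps > max_bps)
    by_rate = sorted(ip for ip, (rps, _) in stats.items() if rps > max_rps)
    return by_bandwidth, by_rate
```

The flooding client pushes only about 43 kbit/s, far below any bandwidth alarm, yet its 30 requests per second against one API path stands out immediately.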
A good DDoS solution for networks is one that can handle all types of attacks, not just volumetric. Make sure to find a provider with enough capacity to handle any attack, from the largest to the smallest. Protocols that use stateless packet-layer security are effective in protecting against network starvation attacks.