The recent wave of distributed denial of service attacks against U.S. financial institutions prove organizations aren't doing enough to prepare for online attacks, says Jason Malo of CEB TowerGroup.
Malo, a financial-services research director at the Boston-based consultancy and web security expert formerly with VeriSign, has been studying DDoS attacks for some time. He says the recent wave of large-scale attacks affecting leading institutions have exposed website weaknesses few organizations have adequately addressed.
Malo says DDoS-attack preparation and prevention comes down to risk assessment and scale.
"As the breadth of the attacks starts to ramp up, you've got to be able to not only understand the traffic coming in and out of your network, but also what that traffic looks like," Malo says in an interview with BankInfoSecurity's Tracy Kitten [transcript below]. "That's one thing that has really marked the evolution."
Companies, Malo says, can then scale their abilities to handle traffic based on normal patterns. "With [DDoS attacks], it's a significant amount extra traffic, and the numbers don't tend to work out if you're looking at scaling to that significant level."
There are solutions out there to deal with these types of attacks, he adds. "Banks don't have to put in huge investments of capital to be able to put mitigation in place."
Further, a cloud approach could assist with deflecting a large, volume-based attack, Malo says. "If someone is hitting you with a significant amount of data, there's benefit in meeting volume-per-volume," he says. "If there's a way to augment that through a public cloud infrastructure, where you don't need to crack open packets and get into any kind of deep inspection, there's absolutely benefit there."
During this interview, Malo discusses:
- Cloud-based services and other outsourced solutions that address DDoS;
- How banks and credit unions should use big data to improve analytics and anomalous activity detection; and
- Why banking institutions need to implement more than intrusion detection and prevention systems to thwart DDoS-related outages.
Malo, who works in CEB TowerGroup's retail banking and cards practice, has more than 16 years of online service development, management and marketing experience. Malo is focused on market evaluation and product strategy for mobile banking, emerging threats, regulation and customer attitudes surrounding security and fraud across banking and card channels. Before joining CEB TowerGroup, Malo spent five years with VeriSign, where he managed development roadmaps and go-to-market strategies for cloud-based products that address threats to personal information, network infrastructure and commerce. Earlier, at Bank of America, Malo led projects that addressed enterprise and consumer authentication, consumer privacy and security, online banking, information security, and platform consolidation.
TRACY KITTEN: Can you give us some background about what a DDoS attack actually is?
JASON MALO: It's an attack that's meant to deny resources to someone, and, most traditionally, this has been looked at in a consumer environment, where a website is hit with a denial-of-service attack which renders it unavailable to its normal clientele.
A DDoS attack - while categorized as a massive overwhelming of critical resources - is not just blunt instruments. They're not just flooding Internet pipes and pounding on Web servers until they fall down. There's actually a wide range of different attack types at every place in the delivery of those services. You can have attacks that are going after and trying to flood your Internet pipes. You can have attacks that go after the amount of processing power that any one of your Web-application servers may have. Or you can have things that look to exhaust the number of sessions that your application can have in place. It can put a taxing amount of traffic on the amount of images and content it's able to deliver back out, for instance.
Essentially, any point where you need to have those resources inputting that information stream between your consumer base and yourself is subject to exhaustion. And denial-of-service attacks aren't just going after one thing. They're looking to exhaust those resources in sometimes very tactical ways.
KITTEN: Can you tell us a bit about your experience in the DDoS realm and how you've seen DDoS attacks evolve in recent years?
MALO: In 2009 I actually went to market with a service at Verisign, and it was a cloud-based service meant to address what we were seeing on the Internet - the volume-metric attacks that were coming in that were looking at different pieces that people hadn't really thought about. Certainly, bringing to bear massive amounts of attacks that flood Internet pipes was really important, but also Verisign is very in touch with the DNS [domain naming systems] infrastructure and had a deep understanding of DNS as a critical point in delivering a customer's desktop to the resources they need. When we went to market, it was a very cloud-based solution that was meant to handle these volume-metric attacks, if you will - attacks that overwhelm resources so much so that it's not really financially feasible for institutions to provision to such a massive scale.
Typically, institutions will look at how much traffic they normally see. It doesn't make sense to do a thousand acts of what their normal traffic pattern looks like. So there's an outsourcing aspect to cloud-based DDoS protection, and that's really where we started. The attacks have evolved into a few different flavors, and you hear things like Slowloris as being the attack that's meant to mimic normal traffic and do so at such a small level that it seems to integrate itself into the expected traffic before it starts to really exhaust those resources. There's much more of a nefarious, low-level attack there.
As the breadth of the attacks starts to ramp up, you get the large network-level attacks, and you get those smaller application attacks. And it really becomes something where if you want to be able to protect against all of them, you've got to be able to not only understand the traffic coming in and out of your network, but also know what that traffic looks like. That's one thing that has really marked the evolution.
The other thing that has really changed the evolutionary flow of DDoS lately has been the motivations. Anonymous certainly has gotten a lot of traction in the last couple of years around their hacktivist view to this, and how they can show displeasure with sites by taking them down. But there's also another piece of this, where it integrates with an expanded toolkit that attackers have. If they want to weaken your defenses in one area, they can essentially make a really loud noise over there, get you to shift all your resources, and then hit you in another place.
Sony was a really good example of this. From a financial-services perspective, that evolution really has driven a lot of the conversation. In the beginning of my tenure with Verisign, I had a lot of conversations, and the main question that they asked was not if this is a problem, or, "Does your solution fix this?" but, "Why would anybody attack me?" I think that conversation has really changed over the last few years.
Recent Attack Wave
KITTEN: What's different about this recent wave of attacks?
MALO: From a standpoint of scale-complexity, these attacks aren't really new or unprecedented. To my understanding, these attacks have been in the range of 90 gigabytes per second. There have been larger attacks that have been measured on the Internet, and the DNS reflector attacks are not a new phenomenon.
I think what's interesting and different about these attacks is that there could be a state-sponsored connection - the organizational aspect to it and what's perceived to be an attack on the U.S. critical infrastructure. Launching a 90 gigabyte DNS reflector attack is no small feat. It does cause quite a bit of turmoil; and I think we did see some levels of success in fighting this.
Maybe sometimes forgotten is that there have been slowdowns; there have been outages. Some financials have been affected more than others. But I think the ones that have dealt with these attacks most successfully have been the ones that knew in advance what they were going to do. We talk about the distraction aspect - how DDoS can create a massive amount of traffic and distract your resources. Financial institutions that focus on who's going to deal with the attacks and the resources ... are going to be to be the most successful.
DNS Server Attacks
KITTEN: Do you see these DNS server attacks as being more sophisticated?
MALO: There's a different level of sophistication with a DNS attack versus something that's more targeted to a specific web application. With DNS attacks, there are a couple of things I would mention. One is that most are reflective or amplification attacks. The concept here is that when you send a request to a DNS server, it's a relatively small packet, small-sized request. The response, however, can be up to 70 times larger than the original request.
This is all strictly hypothetical, but if a DNS request is 1 gigabyte, the response is going to be 70 gigabytes; so it's amplified the attack significantly. Someone can create a large amount of traffic with a small amount of outbound requests. That's one thing that really makes this a little bit scary.
The other consideration is that it's much harder to apply straight filtering. If you think about this in terms of filtering based on "I'm going to block that, because it's bad, and let this in because it's good," on DNS, it is a bit harder. Approaching DNS, the first thing you want to do is have volume. You have to be able to answer a ton of DNS requests, and if that's not enough and you can't bring that to bear through an outsourced solution, then having the ability to filter is certainly important.
Institutions Caught Off Guard?
KITTEN: Are these attack variations catching institutions off guard?
MALO: I think that institutions are aware of these types of attacks and, certainly the information that I have presented had actually predicted attacks of this particular nature, up to 120 gigs, as early as 2006. It's well-understood what they can do. I think the level of unpreparedness has been more around the original risk assessment and the cost of scaling to deal with something like this.
If you're looking at a way to mitigate DDoS strictly based on matching volume-for-volume, that is where it becomes hard to create business-case justification. I talked about how companies usually will scale their ability to handle traffic based on what their normal traffic patterns look like, and then they ensure they've got a little bit extra. With this, it's a significant amount extra, and the numbers don't tend to work out if you're looking at scaling to that level. It's a known threat, but until now, the risk wasn't really there. The motivations, quite frankly, on the attackers' side weren't there, either. But now the risk profile has really changed. The good news is that there are solutions out there to deal with these types of attacks, so banks don't have to put in huge capital investments to mitigate their risks.
KITTEN: What other types of DDoS attacks might we expect to see next?
MALO: One is a network-based attack. I'll use a metaphor here to explain. Count the number of cars that are entering the parking garage at work, and you've got a good sense for how much traffic you have. You can certainly do something at that level. Then you inspect the cars that go through the garage and determine if one is red, if it's a sedan, and those types of things. Doing things at a network level is about volumes and understanding some of the generalizations of the data; understanding where it came from, where it's going, what it looks like and how it behaves.
Then you have application attacks, and then it's more important to understand what's actually going on inside the attack. Going back to the car analogy, determining if the attacker is underneath the car, in the backseat or in the trunk is important. What is that delivery mechanism? When you start looking at a combined, defense-in-depth approach to these attacks, first you'll see a lot more volume-metrics. But I think some of the attacks we need to be mindful of, and certainly financials need to be mindful of, are the attacks that are trying to sneak in under the radar. They're much more difficult to detect and really require a much greater investment and understanding of what the traffic looks like even beyond your network. What are the attackers doing inside and outside your network? You don't only need to understand how many packets are coming in and what color they are, but also where they are coming from. You also need to know if you see something that's outside of the norm, not only from just a volume perspective, but from an amount of traffic on your website perspective, too. That whole understanding of what your traffic looks like is really going to be key.
Protection and Detection Technologies
KITTEN: What about protection and detection technologies that institutions should be investing in?
MALO: This certainly is a great example for a cloud approach and, more specifically, a hybrid approach, where if you're talking about those network-layer attacks, you have something that can provide the volume-metric approach. If someone is hitting you with a significant amount of data, there's benefit in meeting it volume-per-volume. If there's a way to augment that through a public cloud infrastructure, where you don't need to crack open packets and get into any kind of deep inspection, there's absolutely benefit there.
However, there's also the need to be able to open those things up and understand what the traffic looks like on a much deeper level, and so that really requires having the ability to decrypt those packets and actually see what's going on. The latter would certainly suggest the need for a specific, premise-based or private cloud implementation. ... The optimum approach to that ends up being a premise-based private cloud solution that can do initial layers of inspection, can understand what's happening and then, if the volume exceeds what you're capable of dealing with, you pass that volume into a public cloud, a scaled infrastructure. A combined approach to DDoS and a specific approach to DDoS, I would say, are the best.
KITTEN: One of the things that we've heard time and time again is that no financial data or account information was compromised during these attacks. But how can institutions really be so sure?
MALO: I believe the ones that have been attacked have been down this road before and have the ability to understand where the attack is occurring, what the target of the attack is and understand the potential for collateral damage. A lot of the denial-of-service attacks are focused on websites. They're focused on the public face of the company. It's not meant to get data; it's meant to make the site unavailable.
Financial institutions understand what the traffic patterns look like, not only around the denial-of-service attack but on their more critical data transfers, too. There's a separation of responsibility that I believe these institutions have really outlined. ... It's the separation of responsibilities and ensuring that people who are tasked with DDoS and those who are tasked with protecting information stay where they are. Banks should not realign resources away from one place to focus on another.
KITTEN: What role do you see behavioral analytics playing here?
MALO: I think it's a really interesting time to start talking about some of that because there's a lot of focus around big data. The ability to start to call that information on a large scale and coalesce it into what that traffic looks like, what it means and what may be anomalous, could be critical. Big data offers a huge opportunity to not only understand what's good and look for potential malicious behaviors within your network, but also allows an institution to optimize systems. There's a huge amount of opportunity there, above and beyond the intrusion-detection piece and the DDoS side of things.
KITTEN: How does vendor management fall into this DDoS prevention fold, especially where cloud comes into play?
MALO: I think the cloud is key and there have been some generalizations of cloud. Some people have tried to define what cloud is, and recently the FFIEC said that cloud was outsourcing. Some people have said that it was too narrow a view; but from the perspective of denial-of-service, it's actually pretty close. Most cloud providers are set up to be able to bring the needed resources to bear at a moment's notice.
The limits, I think, that you may have with a public cloud, is the ability to get into those packets and really look at what they have. When you're talking about financial-institution data, it's certainly a harder thing to go through. I think banks have some hesitation about a third-party vendor opening up those packets and doing inspections.
That said, there are a lot of providers now who are specializing in DDoS and who are being used by some of these cloud vendors; so the ability to combine a cloud-based infrastructure that uses best-in-class, as well as procuring best-in-class for themselves, create a solution that provides continuity both for internal and external systems. There are a lot of different ways to mix and match, and this is one of those places where a hybrid cloud certainly makes a lot of sense.