How A Multinational Bank Handled a Ransom Threat and SSL-Based Attack

228

In 2016, the financial services industry suffered 44 million cyber-attacks, more than any other industry. Everything from hacktivist motivated attacks to Internet of Things (IoT) assaults targeted leading banks, financial service institutions, and markets, resulting in hundreds of millions in lost revenue.

Perhaps more than any other industry, security professionals at financial service firms truly is on the frontlines of today’s cyber-attacks, combating everything from ransomware to SSL-based attacks. In this piece, a senior network architect at an EMEA-based international banking group shares his notable experiences protecting his organization’s network perimeter from cybersecurity threats.

The Task and Solution

In September 2016, we received an attack that was relatively small (only 2-3 Gbps) but lasted over four hours and gradually evolved in several stages. First, we noticed that some of the attacks were ping-back attacks. We experienced attacks of 16,000 SYN connections which were mitigated via our on-premises DDoS protection appliance. After the Half-SYN attack, there was an HTTP flood with about 2,000 sources in the attack, which was also successfully mitigated. However, we had difficulty mitigating the full HTTPS flood attack. It was the first time we experienced an encrypted attack, highlighting the need for dedicated protection against encrypted attacks that leverage SSL standards to evade security controls.

Normally the bank faces UDP fragmented attacks followed by a DNS reflective attack. In this case, we were hit with a typical SSL attack that we were not prepared to mitigate. Typically attacks only last three to four minutes and immediately follow each other, but this SSL attack lasted an hour and a half, putting our defenses under tremendous stress because of the computing resources the attack consumed. In fact, we generated so much response load that it pushed our outbound connection to its limit; it tripled our usual throughput.

Lessons Learned

  • Experience has taught us the benefits of behavioral analysis over rate-limiting analysis

In the past, the bank tested a DDoS mitigation solution that leveraged rate-limiting technology and discovered that using behavioral analysis provided a significant advantage since it doesn’t block legitimate traffic, thereby allowing us to maintain our service levels.

  • The importance of time to mitigation

By having the ability to develop attack signatures in real-time, we have been able to mitigate attacks in as little as 20 seconds. Our traffic pattern during the day is heavy and at night it’s quieter, so we had to do some fine tuning to reflect different behavioral traffic patterns at different times of the day.

  • The advantages of a single vendor hybrid DDoS protection solution.

Now the baseline on our perimeter and the baseline on the Radware scrubbing center are identical. As a result, we can mitigate attacks faster versus another solution that would have to reanalyze traffic in the cloud again, or require a lot of manual tuning to reach the same protection level.

  • Let the experts deal with attacks.

Knowing we are backed up by Radware’s Emergency Response Team, we can focus on our daily tasks knowing that we can rely on their expertise within seconds. It means the bank isn’t required to have that expertise in-house, which is important since the attack landscape is always evolving. Access to this level of expertise should be part of any response and business-continuity strategy.

Our networking team preferred no form of Border Gateway Protocol (BGP) on-ramping or off-ramping. Nor did they want a security application that would interfere with any routine decisions.

Tips for Financial Service Security Professionals

There is a belief that hard-to-detect attacks do not represent a critical threat, but for a bank, nothing could be further from the truth. We feel the most effective way to protect our organization’s infrastructure in the event of an attack is to have protection installed in-line. This eliminates the need to analyze events and reroute traffic and eliminates any infrastructure obstacles to successfully mitigating an attack. There’s increased visibility because the solution is always on. With automated attack mitigation—including behavioral analysis that delivers continuous visibility and forensics—we’ll never be left vulnerable to evolving DDoS attacks. Detect where you can; mitigate where you should.

For more information, please visit www.radware.com.

LEAVE A REPLY