Distributed denial-of-service (DDoS) attacks aim to bring portions of a network down by bombarding the network with requests, and large U.S. financial institutions have been prime targets. JP Morgan Chase, Capital One and Bank of America were recently hit, annihilating the availability of their web banking infrastructure’s front end. The recent attacks were reportedly linked to the Iranian Government and other State actors. These 10 tips can help increase and maintain your financial institution’s network and cyber-security posture while decreasing the risk and potential collateral damage of DDoS attacks.
1 Address the basic security objectives
Financial enterprises should first consider implementing controls as they relate to the three main tenets of information security, the CIA triad. These principles are confidentiality, integrity and availability, and they are the foundation of any information security policy infrastructure. Confidentiality refers to the safeguarding of sensitive or classified data; integrity refers to keeping the original data unadulterated and intact; and availability refers to the resources and data that need to be continuously available to authorized parties to maintain day-to-day business. While the CIA triad is important for every network, it is especially vital for the financial sector, where classified data can consist of personal information that must be protected due to regulatory compliance. Reviewing your information security policy is a must, as is fortifying any weak spots within the system. Hackers will find those weak spots, with a focus on destruction, alteration and disclosure of confidential or sensitive information that could dramatically impair customers' ability to transact business with an enterprise.
2 Start with an effective SIEM
Another early-stage security measure is a highly effective Security Information and Event Management (SIEM) solution. The exact product depends largely on the size and needs of your financial enterprise, but every SIEM is designed to increase the visibility of telemetry within the enterprise network and on its boundaries.
3 Build a layered defence
One layer of protection is never enough when it comes to DDoS mitigation within a financial institution, or any large enterprise. Your defence instead requires an in-depth approach consisting of myriad components in each layer. The perimeter/edge needs to be fortified with network firewalls, network intrusion prevention systems, and content checking capabilities for attachments. The network layer requires visibility from intrusion detection systems and certain proxies to protect sensitive applications and databases, in addition to encryption. The host needs to be hardened regardless of the operating system, with host intrusion prevention systems, antivirus, anti-spyware and the ability to protect sensitive information by encrypting drives.
Every defence strategy must also include telemetry and visibility at the edge for flow-based visibility, substantial bandwidth to burst to sustain the initial attack, and an intrusion prevention system with up-to-date signatures. Anomaly detection is another pertinent component, as are sinkhole and blackhole techniques that can divert and reroute traffic when necessary. RFC-compliant unicast reverse path forwarding (uRPF) further mitigates DDoS attacks by dropping packets whose source address is not routable back through the interface they arrived on. Monitoring logs and flows for additional telemetry at the edge provides visibility into traffic behaviour that is out of the ordinary. The same monitoring applies to your data flow and anomaly detection, allowing for proactive, rapid, effective action against potential threats.
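The following is an added example (not part of the original article) showing two of the edge controls named above on constructed flow records: a strict uRPF check against a hypothetical routing table, and a per-destination volumetric anomaly check against a learned baseline that decides between sinkholing traffic for analysis and blackholing it outright. Interface names, prefixes, flow records and baselines are all constructed.

```python
"""Edge flow telemetry for DDoS mitigation: strict uRPF plus volumetric anomaly
detection with a sinkhole/blackhole decision. All data below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed FIB: prefix -> egress interface. Longest prefix match decides.
ROUTES = {ip_network("203.0.113.0/24"): "eth0",    # upstream side
          ip_network("198.51.100.0/24"): "eth1"}   # protected web-banking front end

def urpf_strict_ok(src, ingress_if):
    """Strict uRPF: accept only if the best route back to src leaves via ingress_if."""
    src_ip = ip_address(src)
    matches = [(n.prefixlen, iface) for n, iface in ROUTES.items() if src_ip in n]
    return bool(matches) and max(matches)[1] == ingress_if   # no route back: spoofed

# Constructed flow records (dst, ingress_if, src, packets), as a collector would export.
SAMPLE_FLOWS = [
    ("198.51.100.10", "eth0", "203.0.113.5", 500),
    ("198.51.100.10", "eth0", "203.0.113.77", 900),
    ("198.51.100.10", "eth0", "198.51.100.9", 5000),   # internal prefix arriving from upstream
    ("198.51.100.10", "eth0", "192.0.2.1", 5000),      # no route back at all
    ("198.51.100.20", "eth0", "203.0.113.5", 100),
    ("198.51.100.30", "eth0", "203.0.113.9", 50000),
]
# Constructed per-destination history of packets per interval (the learned baseline).
BASELINES = {"198.51.100.10": [1000, 1100, 900, 1000, 1000],
             "198.51.100.20": [100, 120, 90],
             "198.51.100.30": [200, 200, 200]}

def packets_per_destination(flows):
    """Aggregate accepted flows per destination; uRPF failures are not counted."""
    totals = defaultdict(int)
    for dst, ingress_if, src, pkts in flows:
        if urpf_strict_ok(src, ingress_if):
            totals[dst] += pkts
    return dict(totals)

def detect_anomalies(current, baselines, link_capacity, sigmas=3.0):
    """Flag destinations above baseline mean + sigmas*stddev. Traffic the link can
    still absorb is sinkholed for analysis; traffic beyond capacity is blackholed."""
    actions = {}
    for dst, pkts in current.items():
        history = baselines.get(dst)
        if not history:
            continue                    # nothing learned yet, cannot judge
        if pkts > mean(history) + sigmas * pstdev(history):
            actions[dst] = "blackhole" if pkts > link_capacity else "sinkhole"
    return actions

if __name__ == "__main__":
    print(detect_anomalies(packets_per_destination(SAMPLE_FLOWS), BASELINES, 2000))
```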
A Security Information and Event Management solution carries out the collection, storage, alerting and reporting of log data, and processes logs in order to create alerts from connected events. The wide range of capabilities includes compliance-related functions, such as the retention of messages and the creation of reports specifically designed to address audit or compliance concerns. Audit and compliance are typically major concerns within the financial sector, and a stalwart SIEM can provide the additional visibility an enterprise needs to shorten the mean time to resolution of an incident. Additional functions include alerts in response to messages and events, the normalization of messages, and reporting abilities beyond the compliance-driven reports.
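As an added example (not the article's or any vendor's code) of the SIEM functions just described, the block below normalizes two constructed raw log formats, a firewall key=value line and an IDS free-text line, into one schema, then creates an alert from connected events: an IDS signature and a run of firewall drops for the same source and destination inside a time window. Host names, signature names and addresses are constructed.

```python
"""Minimal SIEM pipeline: normalize raw messages from two sensor types into a
common schema, then correlate connected events into an alert. Logs are constructed."""
import re
from datetime import datetime, timedelta

RAW_LOGS = [  # constructed: firewall (key=value) and IDS (free text) formats
    "2013-03-04T10:00:01Z fw01 DROP src=203.0.113.5 dst=198.51.100.10 dport=443",
    "2013-03-04T10:00:03Z fw01 DROP src=203.0.113.5 dst=198.51.100.10 dport=443",
    "2013-03-04T10:00:04Z ids01 ALERT sig=SYN_FLOOD 203.0.113.5 -> 198.51.100.10:443",
    "2013-03-04T10:00:09Z fw01 DROP src=203.0.113.5 dst=198.51.100.10 dport=443",
    "2013-03-04T10:02:30Z fw01 DROP src=198.51.100.77 dst=198.51.100.10 dport=22",
    "2013-03-04T10:30:00Z ids01 ALERT sig=SYN_FLOOD 198.51.100.77 -> 198.51.100.10:22",
    "garbage line the collector could not read",
]
FW_RE = re.compile(r"^(\S+) (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT sig=(\S+) (\S+) -> (\S+):(\d+)$")

def _ts(text):
    """Parse the ISO-8601 timestamp both sensors emit (trailing Z = UTC)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def normalize(line):
    """Map either raw format onto the common schema; None for unparseable lines."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst, port = m.groups()
        return {"ts": _ts(ts), "sensor": "firewall", "host": host, "event": action,
                "src": src, "dst": dst, "port": int(port)}
    m = IDS_RE.match(line)
    if m:
        ts, host, sig, src, dst, port = m.groups()
        return {"ts": _ts(ts), "sensor": "ids", "host": host, "event": sig,
                "src": src, "dst": dst, "port": int(port)}
    return None

def correlate(events, window=timedelta(seconds=60), min_drops=3):
    """Alert when an IDS signature and at least min_drops firewall DROPs share the
    same src/dst pair within +/- window: two sensors agreeing on one connected event."""
    alerts = []
    for ids_ev in (e for e in events if e["sensor"] == "ids"):
        drops = [e for e in events
                 if e["sensor"] == "firewall" and e["event"] == "DROP"
                 and e["src"] == ids_ev["src"] and e["dst"] == ids_ev["dst"]
                 and abs(e["ts"] - ids_ev["ts"]) <= window]
        if len(drops) >= min_drops:
            alerts.append({"src": ids_ev["src"], "dst": ids_ev["dst"],
                           "sig": ids_ev["event"], "drops": len(drops)})
    return alerts

def run(raw_lines):
    """Collection -> normalization -> correlation, dropping unparseable lines."""
    return correlate([e for e in map(normalize, raw_lines) if e is not None])
```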
4 Implement advanced evasion technique protection
Advanced evasion techniques, or AETs, were discovered by Stonesoft in 2010 and the cyber-security firm has been the undisputed leader in protection against them ever since. AETs let intruders bypass security detection and logging during network security reconnaissance. In addition to bypassing network security, they are usually stackable through simultaneous execution on multiple protocol layers, capable of changing dynamically even in the midst of an attack, and consist of numerous combinations of evasion techniques and modifications. Stonesoft has found that effective AET protection requires zero-day protection in all layers as well as deep packet inspection across multiple network layers and protocols. AET protection components should also offer easy upgradability, full integration capabilities, a full range of features, high manageability, and infrastructure patch capabilities. AETs are especially dangerous to the financial sector where, once again, extremely sensitive information is at stake due to a highly regulated environment.
5 Implement web and content controls
Web and content controls are integral for inspecting and blocking unauthorized access to sites and dangerous active content. Active content in the broadest sense consists of electronic documents designed to automatically invoke actions or trigger a response within a system without the assistance of an individual, in the manner of phone-home behaviour. Such content is a major hazard because of its automation and the fact that an individual may not directly or knowingly execute the actions. Electronic documents carry an added danger when they are actually programs, or contain programs, that can be self-triggered without user intervention and result in the same actions executing a program would entail. Because active content can be a death knell for the integrity of a financial network, protection against triggered behaviours is necessary, as is requiring user intervention to open executables, together with strong authentication, authorization and accounting.
6 Fortify and monitor endpoints
Endpoints need their own fortification and monitoring to ensure each device measures up to your financial institution's security standards prior to allowing network access. Three imperative measures are the implementation of virtual firewalls to protect virtual endpoints, the implementation of host intrusion prevention across endpoints, and the control of proxy behaviour in the enterprise at the endpoint. Because endpoints can consist of a wide range of devices, each requires monitoring, hardening and deployment in line with corporate security governance. Virtual firewalls should provide stateful packet inspection and/or application-level protection and visibility. In addition, granular access controls are necessary. Intrusion prevention must have visibility into, and protect against, malicious web, VoIP and video traffic. Additional functions should include content inspection and the ability to redirect network traffic to appropriate filters or anti-virus gateways.
Effective host intrusion prevention should provide protection from all types of attacks, even those launched inside encrypted connections. Deep inspection should come with the IPS, as should integration with firewalls. The endpoint should also serve as a place to control proxy-type behaviour in the financial enterprise and as a means to inspect connections and implement honeypots.
7 Build strong service provider relations with effective SLAs
Sourcing DDoS mitigation is a valid option, provided you build a strong service provider relationship with an effective Service Level Agreement. An SLA can cover various kinds and degrees of services benefiting the customer, and it should be geared toward your specific requirements. Creating an effective SLA may be a joint effort between parties, and it typically addresses factors that range from the definition of services to disaster recovery operations. The most effective SLAs will be regularly reviewed to measure performance and ensure both parties are meeting their respective responsibilities.
8 Provide user training
Threats continue to evolve as technology does, often dynamically, and end users need to be kept up to date on the ever-changing threats and vulnerabilities as they evolve in the financial enterprise. User awareness training should be standard protocol for all who have, or require, access to your network. Training services may be available through consulting partners and offered at specialized training centres or on-site at your business.
9 Establish an incident response plan
If a DDoS or other security incident does occur at your financial enterprise, you can reduce the amount of potential damage by responding to it in a systematic and predetermined manner; in practice, this often takes the form of organized chaos. Establishing an incident response plan is one of the most feasible ways to do just that, especially if you regularly test your plan in mock scenarios (red/blue team exercises) to ensure it is effective when put into action.
Communication is the key for any plan. Not only should team leaders be immediately alerted of an incident, but information channels need to be open to peer groups and, if necessary, law enforcement officials. A list of current contacts, including internal, legal, and media/public relations to protect brand and reputation is critical.
Incident plans typically contain an initial assessment to determine that an incident has occurred, action to contain the damage and reduce additional risk, and identification of the severity and type of incident with which you are dealing. Identifying the severity level and type allows you to assign a priority level to the incident and then act accordingly. The protection of any evidence is vital for a thorough investigation, whether by your firm or by the authorities.
The recovery phase is a critical step geared toward restoring your systems, while a post-incident assessment is necessary for establishing the cost and damage. A regular review of your incident plan after each mock scenario can help you keep your procedures effective and up to date.
10 Employ digital and network forensics
Digital and network forensics are particularly essential for dealing with DDoS in the financial sector. Both serve to provide added visibility, remediation and legal response capabilities. Digital forensics relates directly to legal response capabilities, as it deals with discovering and analysing electronic data for use in a potential court case. Network forensics seeks to pinpoint the source of a security incident or attack by capturing, recording and analysing network events. Lacking either process opens your financial enterprise to additional legal ramifications and a higher risk of repeated attacks.