October is National Cyber Security Awareness Month, and the last week is focused on cyber security for small and medium-sized businesses. Many SMBs face unique security challenges due to having smaller budgets and fewer staff than their larger counterparts, but having to meet the same regulatory and industry requirements. For example, financial services organizations — regardless of size — must comply with the FFIEC Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, which lists six steps that organizations need to take in order to reduce the risk of a DDoS attack.
A DDoS attack occurs when a threat actor or threat actor group tries to shut down an online service, such as a bank’s website, by inundating it with traffic. The traffic comes from a botnet, a large group of computers compromised by malware. In addition to preventing customers from reaching a bank’s website, these attacks can also serve as a distraction for a cyberheist carried out at the same time. While DDoS attacks are not always part of a larger crime scheme, they are widespread: from November 2012 through October 2013, more than 2,000 attacks were observed per day around the world. Although they are not always in the headlines, these attacks remain very common. The costs can be devastating, especially for a smaller credit union or bank, which is why many small banks and credit unions have begun to take proactive approaches to protecting against them.
The Joint Statement released by the FFIEC applies to all FDIC-supervised institutions, which includes small banks and credit unions with less than $1 billion in total assets. The six steps that the FFIEC outlines are:
1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
Threat actors often organize DDoS attacks using paste and post sites in conjunction with social media sites. Once a threat actor’s procedure for planning an attack, and the industries it targets, have been distilled from that data, the information can help your team prepare for possible attacks. For example, “Operation Ababil” started with a message on Pastebin.com and was then announced on Facebook. The original message posted on Pastebin.com was:
Monitoring social media, blogs, and forums for groups that are organizing attacks can give your organization the upper hand in stopping an attack, or at least preparing for one.
2. Monitor Internet traffic to the institution’s website to detect attacks;
While installed appliances can help detect abnormalities in traffic to your site, open source intelligence (OSINT) can help your team find indications and warnings of possible attacks before they materialize. Oftentimes the compromised computers that make up a botnet are infected with malware spread through social media sites, phishing scams, and websites. The Cyveillance Cyber Threat Center has an analyst toolbox with phishing, malware, and domain name databases that analysts can use to investigate any malware found on the network for connections to a DDoS attack. Additionally, the Cyber Threat Center can be used to monitor social media sites. While there are free tools your analysts can use to piece together the data they find, having all of these tools and monitoring in a single platform makes it easier for your teams to find the information they need, saving money and staff time.
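Step 2 asks institutions to monitor traffic to their website for abnormalities. As an added illustration (not code from the original post, and not part of any Cyveillance product), the script below shows the simplest form of that detection: it parses web server access log lines in Common Log Format, learns a per-window request-rate baseline from a quiet period, and flags later windows whose request count exceeds the baseline by a configurable factor. For each flagged window it also reports how many distinct source addresses contributed, since a burst spread across many sources is more consistent with a botnet than with a single misbehaving client. The log lines, IP ranges, window size and threshold factor are all constructed for the example.

```python
"""Rate-based DDoS burst detector over access log lines (added example).

Assumptions: logs are in Common Log Format, the first few windows represent
normal traffic, and a window exceeding `factor` times the baseline is
worth an alert. All sample data below is constructed, not real traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re
import statistics

# Common Log Format, e.g.
# 203.0.113.5 - - [10/Oct/2013:13:55:36 -0700] "GET / HTTP/1.1" 200 2326
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "request": request, "status": int(status)}


def bucket_by_window(records, window_seconds=10):
    """Group parsed records into fixed-size time windows keyed by epoch start."""
    buckets = defaultdict(list)
    for r in records:
        start = int(r["time"].timestamp()) // window_seconds * window_seconds
        buckets[start].append(r)
    return dict(sorted(buckets.items()))


def detect_bursts(lines, window_seconds=10, baseline_windows=3, factor=5.0):
    """Flag windows whose request count exceeds factor * baseline.

    The baseline is the mean request count of the first `baseline_windows`
    windows; with too few windows to learn a baseline, nothing is flagged.
    """
    records = [r for r in map(parse_line, lines) if r]
    buckets = bucket_by_window(records, window_seconds)
    starts = list(buckets)
    if len(starts) <= baseline_windows:
        return []
    baseline = statistics.mean(len(buckets[s]) for s in starts[:baseline_windows])
    alerts = []
    for s in starts[baseline_windows:]:
        recs = buckets[s]
        if len(recs) > factor * max(baseline, 1.0):
            ips = Counter(r["ip"] for r in recs)
            alerts.append({
                "window_start": s,
                "requests": len(recs),
                "baseline": baseline,
                "distinct_sources": len(ips),
                "top_sources": ips.most_common(3),
            })
    return alerts


def _make_sample_log():
    """Constructed sample: three quiet 10-second windows, then a burst."""
    fmt = ('{ip} - - [10/Oct/2013:13:55:{sec:02d} -0700] '
           '"GET /online-banking HTTP/1.1" 200 512')
    lines = []
    # Quiet period: two requests per window from ordinary customers.
    for sec in (0, 5, 10, 15, 20, 25):
        lines.append(fmt.format(ip="198.51.100.%d" % (sec + 1), sec=sec))
    # Burst: 40 requests in one window from 20 distinct addresses.
    for i in range(40):
        lines.append(fmt.format(ip="203.0.113.%d" % (i % 20 + 1), sec=30 + i % 10))
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print("burst at %(window_start)d: %(requests)d requests vs baseline "
              "%(baseline).1f from %(distinct_sources)d sources" % alert)
```

In practice the baseline should come from a longer history (and ideally vary by time of day), and the output would feed the incident response plan described under step 3 rather than a console; the point of the example is the shape of the check, not the specific numbers.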
3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
Having an incident response plan in place before an attack is critical. Many organizations develop plans without ever rehearsing them, though, so it’s important to work with your internal teams and MSSP or other incident response provider to schedule practice sessions and ensure that contact lists for who needs to be notified are updated regularly.
4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
Multiple security vendors now offer anti-DDoS solutions. When choosing a solution that fits your size and needs, consider the attack methods threat actors are most likely to use against organizations in your industry. Typical threat actor attack methods and targets can be investigated directly, or looked up in a database such as the Cyber Threat Center Threat Actor Database.
5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics;
Many industry newsletters contain general information about current threats and attacks, and the FS-ISAC organization offers many resources. For specific information on the who, what, where, and when of attacks, the Cyveillance Cyber Threat Center provides a global intelligence report with details on daily threats against specific industries. This analyst-curated report contains the information that can help your team maintain situational awareness.
6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
The Cyber Threat Center was designed specifically for security, risk, and compliance professionals, so it monitors paste and post sites, as well as document sharing sites, for indications and warnings like the one shown above. Your analysts can quickly find posts that may indicate a DDoS attack is being organized, share the information with the appropriate teams, and prepare for a possible attack. Knowing the specific attack being planned before it gets anywhere near your network can save your team from having to prepare for every possible situation and lets you counter a targeted attack more effectively.