By Richard Hummel, ASERT Threat Intelligence Lead for NETSCOUT

Over the last two years, the way in which financial institutions operate has changed significantly. Businesses in the finance industry have had to adapt their operation models and implement remote working policies as a result of the Covid-19 pandemic. By working from home, large volumes of employees’ private and sensitive material has been left exposed to cybercriminals operating outside of the traditional perimeters, owing to the data being accessed from off-site locations. Unsurprisingly, threat actors have taken advantage of the opportunity this has presented to them.

In its recently published Threat Intelligence Report, NETSCOUT discovered that threat actors had launched approximately 5.4 million Distributed Denial-of-Service (DDoS) attacks during the first half of 2021, an 11 percent increase from the same time period in 2020, with the peak occurring between January and March of 2021.

This should be significant cause for concern among those responsible for the security of these organisations, as the report also found that in the first half of 2021, more than 50 percent of those targeted by DDoS extortion attacks were in the financial industry. What’s more, NETSCOUT found that more than 7,000 DDoS attacks were launched against commercial banks and payment card processors during the first six months of 2021.

Although at first it may appear as if this attack activity is relatively minor compared to the overall numbers, many of these attacks succeeded in causing major disruption. This, in turn, had a damaging impact on downstream consumers attempting to use their credit cards as well as the targeted organisations. If a commercial bank or payment card processor is attacked, this can have major consequences, since credit card processors have the capacity to service over 5,000 transactions per second, so even in a scenario in which they suffer from a few minutes of downtime, there is the potential for millions of pounds of revenue to be lost. This can also have an extremely negative effect on the organisation’s brand and customer retention.

Types of DDoS attacks being launched by threat actors

As already discussed, financial institutions receive a large number of DDoS extortion attacks. These types of attacks differ from other DDoS attacks as the threat actors run a demonstration DDoS attack against elements of the business’s online infrastructure, either prior to or after sending an email to the company demanding for payment in cryptocurrency, usually Bitcoin.

One of the main reasons why threat actors target financial institutions using DDoS extortion attacks, is because these organisations are known to have access to large volumes of data and money. For example, the Lazarus Bear Armada (LBA) DDoS extortion campaign targeted financial institutions such as commercial banks and market institutions, including the New Zealand Stock Exchange. Further to this, professional ransomware gangs have added triple extortion attacks to their weaponry. Through a combination of file encryption, data theft and DDoS attacks, cybercriminals have hit a ransomware trifecta with the aim of increasing the payment potential.

In addition to this, threat actors are utilising increasingly complex techniques when it comes to launching DDoS attacks against financial institutions. Evidence of this can be seen with cybercriminals tailoring the types of attacks that they are using to try and overwhelm the several layers of on-premises and cloud-based DDoS protection, which have been installed in an attempt to penetrate financial organisations’ online infrastructure. An example of this can be seen with an increased usage of TCP ACK flood attacks, which are designed to overload and obstruct connections between servers against commercial banks and payment card processing solutions. As a result, both institutional and end customers utilising these services have been impacted by downtime and outages.

What can financial institutions do to protect themselves?

As is the case with numerous aspects of the human condition, the 80/20 rule – also known as the Pareto Principle after its famous expositor, the economist Vilfredo Pareto – can be applied not only to economics but also to internet security and DDoS protection. For around 80 percent of DDoS attacks, businesses that have put into effect the appropriate industry best current practices (BCPs) will be able to ensure availability in the event they’re hit by a DDoS attack. In terms of the remaining 20 percent of attacks, financial institutions need to optimise their DDoS defence systems based on numerous factors, including vector selection and attack behaviour. Nonetheless, the effort and time required to adequately prepare means that defenders need to react in a manner which is deemed situationally appropriate, so that the attacks are thwarted, and the resiliency of their online properties are maximised. As such, there are numerous actions businesses in the finance industry can take to ensure they’ve maximised their ability to defend themselves against DDoS attacks.

Firstly, for financial institutions to adequately defend their public-facing online infrastructure from this continued threat, it is essential for them to invest in a strong and effective DDoS protection system. Through the implementation of comprehensive DDoS mitigation, the threat posed by cybercriminals will be neutralised. This is because the system will prevent DDoS attacks from causing significant damage, due to the preventative measures which are in place. If organisations with an adequate DDoS defence system are on the receiving end of a DDoS attack, they will have peace of mind and full confidence in the system they’re using.

Secondly, finance businesses need to test their DDoS mitigation system on a semi-regular basis. Periodic testing ensures that any changes and tweaks to an organisation’s online systems are incorporated into the comprehensive protection plan, defending the whole of the online infrastructure from DDoS attacks. Finally, financial institutions should also strongly consider employing an on-demand DDoS attack specialist. By utilising the expertise of a specialist, businesses will be able to negotiate unfamiliar circumstances and terrain, which should benefit the entire company, as well as individual teams. So long as financial organisations adhere to BCP procedures and put into effect these aforementioned recommendations, they will be in a strong position to successfully defend their online properties should they be the target of a DDoS attack.

The continued evolution of DDoS attacks, which are constantly becoming more and more intricate and hard to defend, means financial institutions must implement security capable of preventing these complex attacks from causing serious damage. By doing this, organisations in the financial sector will be well placed to defend themselves from cybercriminals if they so happen to be on the receiving end of a DDoS attack.