What are DDoS attacks and what risks do they pose to the BFSI sector?
By Mohit Bijlani, Head of UK&I at Cloudflare
At a high level, a distributed Denial-of-Service (DDoS) attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination. DDoS attacks can be divided into three categories:
- Application layer attacks that target the layer where web pages are generated on the server and delivered in response to HTTP requests. These attacks are difficult to defend against since it can be hard to differentiate malicious traffic from legitimate traffic.
- Protocol attacks that cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers.
- Volumetric attacks that create congestion by consuming all available bandwidth between the target and the larger Internet.
In late June of this year, we saw some of the largest DDoS attacks the world has ever seen, including a 26 million request per second HTTPS DDoS attack in which a small botnet of 5,067 devices hijacked virtual machines and servers as opposed to taking over physical machines.
Attacks over HTTPS are more expensive for the attackers to launch due to their scale, requiring more computer resources to establish a secure connection. The cost to the victim to mitigate against such an attack is also much higher. June’s attack broke records by generating more than 212 million HTTPS requests within 30 seconds, from over 1,500 networks in 121 countries, which revealed the growing complexity of DDoS attacks as they rise in frequency and size. Despite the development of complex mitigation methods to protect businesses from these attacks, hackers are becoming increasingly accomplished at overcoming these.
In the report DDoS attack trends for 2022 Q2, Cloudflare identified key insights and trends from the global DDoS threat landscape. One troubling trend from the findings is that, globally, businesses within the BFSI industry were the third most likely to suffer from a DDoS attack. And in the UK specifically, the BFSI industry was the most targeted of all sectors, with the highest percentage of attacks originating from the US (20%) and the second highest percentage coming from Singapore (12%).
As the complexity, scale, and frequency of DDoS attacks advance, so does the intensity of the impact on businesses, resulting in significant revenue loss, sensitive data breaches, and irreversible reputation damage if businesses don’t protect themselves against these attacks. This should be a huge area of concern for the UK’s BFSI sector, as well as the wider industry globally. The UK banking sector market size (measured by revenue) is estimated to be at £96.1bn as of 2022; failing to adapt to the evolving cyber landscape by putting in place crucial cybersecurity measures can therefore lead to catastrophic financial losses for the sector as well as the broader economy.
With this in mind, let’s break down what this report data means for the BFSI sector, the emerging threats being identified, and how businesses can protect themselves from these powerful, ever-adapting and increasingly complex attacks.
Why is the BFSI Industry a top target?
In 2021, cybercriminals took advantage of the increase in online banking activity due to the Covid-19 pandemic, with an alarming 5.4 million Distributed Denial-of-Service (DDoS) attacks being recorded between January and June 2021. Even pre-Covid, the financial services sector has historically been especially targeted by bad actors due to the higher underlying financial value per transaction – not to mention the sensitive and lucrative data that can be compromised as a result of an attack. Enterprises within this industry make an ideal target due to the possible financial gain from an attack, both from the businesses themselves, as well as from the ecosystem surrounding them.
One huge and additional risk of a DDoS attack on the BFSI industry is the damage to a business’s reputation. This is due to the chaos these incidents can cause to services that such businesses deliver, including customers accessing their online banking, renewing insurance policies, or applying for other financial services. DDoS attacks target the application itself, focusing on specific vulnerabilities and subsequently disabling the application from being able to deliver content to legitimate users.
Along with restricting vital services, these attacks also pose the threat of leaking highly valuable and sensitive data – belonging both to the business and its customers. An estimated 42.2m people in the UK had their financial data compromised in 2021, a 1,777% increase from 2020. This mass increase in sensitive data breaches, in association with the risk of DDoS attacks, is evidence that greater security must be adopted to reduce the risk to such businesses.
Monitoring for emerging threats – What can the BFSI industry expect?
Cloudflare’s DDoS report shines a light on attack trends targeting the BFSI industry so they can better equip themselves with appropriate cybersecurity solutions to help defend against growing cyber risks. The report named the top emerging threats of the last quarter, with three names topping the list: CHARGEN character generator, Ubiquiti network and devices, and the Memcached database system.
Top of the list were amplification attacks abusing the Character Generator Protocol (CHARGEN). As the name would suggest, CHARGEN generates characters arbitrarily, only stopping sending them once the client closes the connection. Originally used for testing and debugging, the protocol is now rarely used due to the risk of it being easily abused to generate amplification/reflection attacks.
These attacks take place when hackers can spoof the source IP of their victim and trick supporting servers to direct a stream of arbitrary characters “back” to the victim’s servers. Given enough simultaneous CHARGEN streams, the victim’s server would be unable to cope with authentic traffic and it would result in a denial-of-service event.
In Q2, attacks over Ubiquiti also increased – by a shocking 327% quarter-on-quarter. Ubiquiti is a US-based company, providing Internet of Things (IoT) devices and networking for both consumers and businesses. Similar to the CHARGEN attack vector, attackers can spoof the source IP to be the victim’s IP address and spray IP addresses that have port 10001 open. Those would then respond to the victim and essentially flood the server if the volume is sufficient.
Lastly, Memcached DDoS attacks also increased last quarter, rising by 287% from the previous quarter. Memcached is a database caching system for speeding up websites and networks. Like CHARGEN and Ubiquiti, Memcached servers can be abused to launch amplification/reflection DDoS attacks. Here, an attacker would request content from the caching system and spoof the victim’s IP address as the source IP. The victim is then flooded with Memcached responses, which can be amplified by a factor of up to 51,200x, leaving the server unable to cope and causing a denial-of-service event. Due to the huge reliance on BFSI systems from users and the organisation networks themselves, these DDoS attacks can wreak havoc on their servers and the services they provide.
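How the three reflection vectors above look from the receiving side, as an added example that is not from the original article or from Cloudflare's report: the victim sees UDP traffic whose source port is the abused service, arriving from many distinct reflectors at once. The flow-record fields, thresholds and sample records are assumptions made for illustration; port 10001 is the one the article gives, while 19 and 11211 are the standard CHARGEN and Memcached ports.

```python
from collections import defaultdict

# UDP source ports of the three vectors named above. 10001 is the port the
# article gives; 19 (CHARGEN) and 11211 (Memcached) are those services' standard ports.
REFLECTOR_PORTS = {19: "CHARGEN", 10001: "Ubiquiti", 11211: "Memcached"}

def detect_reflection(flows, window_s=10, min_bytes=1_000_000, min_sources=3):
    """Return alerts for (window, victim, vector) buckets that look like a reflection flood.

    A reflected flood reaches the victim as UDP *from* the abused service's port,
    sent by many distinct reflectors. Thresholds are illustrative assumptions.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        vector = REFLECTOR_PORTS.get(f["src_port"])
        if f["proto"] != "udp" or vector is None:
            continue  # TCP, or UDP from a port that is not a known reflector service
        window_start = int(f["ts"] // window_s) * window_s
        bucket = buckets[(window_start, f["dst_ip"], vector)]
        bucket["bytes"] += f["bytes"]
        bucket["sources"].add(f["src_ip"])
    alerts = []
    for key in sorted(buckets):
        b = buckets[key]
        # Volume alone can be one noisy host; require several distinct reflectors too.
        if b["bytes"] >= min_bytes and len(b["sources"]) >= min_sources:
            alerts.append({"window_start": key[0], "victim": key[1], "vector": key[2],
                           "bytes": b["bytes"], "reflectors": len(b["sources"])})
    return alerts

def flow(ts, src_ip, src_port, dst_ip, nbytes, proto="udp"):
    """Build one flow record in the (assumed) schema used by detect_reflection."""
    return {"ts": ts, "proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "bytes": nbytes}

# Constructed flow records (documentation address ranges), not real traffic.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = (
    [flow(100 + i, f"198.51.100.{i + 1}", 11211, VICTIM, 400_000) for i in range(4)]
    + [flow(105, "192.0.2.7", 19, VICTIM, 2_000_000)]  # one loud CHARGEN host
    + [flow(106 + i, f"192.0.2.{20 + i}", 10001, VICTIM, 500) for i in range(3)]
    + [flow(107, "198.51.100.9", 11211, VICTIM, 5_000_000, proto="tcp")]
    + [flow(108, "192.0.2.50", 443, VICTIM, 3_000_000, proto="tcp")]
)

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```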
In addition to the rise in DDoS attacks, June saw ransom attacks peak to the highest of the year so far. In fact, one out of every five survey respondents who experienced a DDoS attack reported being subject to a Ransom DDoS attack or other threats. Additionally, the number of respondents reporting threats or ransom notes in Q2 increased by 11%.
In the last quarter, Cloudflare has been regularly mitigating Ransom DDoS attacks targeting both traditional financial institutions and fintech companies. A large proportion have been launched by entities claiming to be the Advanced Persistent Threat (APT) group also called “Fancy Lazarus”. By sharing such threat intelligence with BFSI businesses, Cloudflare is helping such organisations understand the continually evolving nature of attack vectors being employed by an ever expanding pool of bad actors, and in turn, helping them adopt appropriate cyber security solutions and governance practices to stay protected in the long-run.
Protecting BFSI businesses against cyberattacks
Organisations in the BFSI industry must prioritise shoring up their anti-DDoS and cyber defences – across networking, application layer, and corporate security realms. While this may sound simple in practice, there are numerous options out there, making it hard to decide what cybersecurity cover is most appropriate for each business. However, there are some key considerations to keep in mind whilst selecting the best solutions.
Firstly, BFSI businesses must look to protect the entirety of their infrastructure – from web assets, APIs, and online customer facing domains, to the underlying network used, as well as internal applications leveraged by employees, contractors, and trusted partners.
While Zero Trust has become a buzzword in the cybersecurity space, each-step verification services are the best way to protect a business’s entire ecosystem. Requiring constant validation at every stage of a digital interaction can formulate the bare minimum protocol that helps ensure access is granted to only those who need it, thus ensuring everyone is who they say they are.
Bot detection and management is another essential consideration when it comes to implementing new security solutions. Malicious botnet attacks are now becoming responsible for the largest DDoS attacks on record. Given that these attack vectors employ AI/ML techniques to attempt to self-learn and evolve, any viable application layer cybersecurity solution must also leverage AI/ML algorithms to always stay one step ahead of these evolving attack vectors – so as to be able to mitigate these attacks both now and in the future.
Additionally, the best protection for businesses is one that offers automated monitoring for threats. This enables greater protection from attacks and enables them to be mitigated before damage can be caused. Predicting the size, duration, and/or type of threats that a business may face is impossible. However, the best form of protection for any BFSI businesses is a cybersecurity platform that automatically monitors for and mitigates large DDoS attacks, offering reliable protection whatever the climate.
In summary, keeping in mind the many considerations above, it can be incredibly daunting for BFSI businesses to find cybersecurity solutions that cover them against threats across the entirety of their infrastructure stack. For that reason, shortlisting providers that offer a secure and global network with integrated cybersecurity services that span across networking, application, and corporate security realms is the right approach and can seriously help reduce cyber (and hence business) risk exposure, whilst helping accelerate digital transformation efforts as well as the innovation that must occur alongside, and reducing costs by standardising consistent security governance measures across the entire organisation within a single platform.