How common are crippling denial of service attacks aimed at Western banks? Here’s one sign: Wednesday is unofficially “DDoS day” at Citi, according to a Senior Vice President for Information Security at the financial services powerhouse.
Speaking on Wednesday at an event hosted by Purdue University, Mamani Older told an audience at CERIAS 2013 that massive distributed denial of service – or DDoS – attacks have become “business as usual” for Citi, and that those launching them have settled into a predictable schedule. Hump day, she said, is Citi’s turn to fend off a torrent of Internet traffic designed to interrupt the bank’s operations and sever its connections to its customers. “We should be getting hit right now,” she said.
Older was speaking on a panel on the topic of “security metrics” and “security analysis.” The panel was part of CERIAS 2013, the annual information security symposium hosted by Purdue, now in its 14th year. The event was viewed via a live stream.
Citi is among a cadre of top banks that have been the targets of sustained denial of service attacks, which began in late 2012. Other banks targeted include Capital One, HSBC, Wells Fargo and JP Morgan Chase. Just this week, American Express said that it, too, has been targeted by DDoS attacks, which harness infected or cloud-based systems around the globe to flood public-facing systems with junk traffic, slowing response times severely or knocking Web sites offline. Banks in Europe and Asia have also been hit.
A group that calls itself the Izz ad-Din al-Qassam Cyber Fighters took responsibility for the American Express attack, as it has for other attacks on banks and financial services organizations. The group has claimed, in public statements, that it would attack banks during the work week, on Tuesday, Wednesday and Thursday. The reasons given for the attacks have varied, but generally they have been couched as retaliation for insults to the Muslim religion, such as the incendiary YouTube film Innocence of Muslims. Third-party analysis of the attacks on American Express and other banks suggests that those behind the operation are well-funded and sophisticated, leveraging networks of compromised web servers to host attacks and using sophisticated tools to target weak points in public-facing banking and business applications.
Older told audience members that Citi is doing a “pretty good” job fending off the attacks, and that the company has some idea of who might be behind them. But she said she suspects that not all of the denial of service attacks can be traced back to tension between the West and the Middle East.
“We’ve seen other (DDoS) attacks disguised as this type of attack, but that didn’t come from these individuals. These were coming from other parts of the world,” she said. The DDoS attacks, she said, may well be “a distraction.” “We believe there’s more malicious activity going on behind the scenes. It could be internal – employees within the company – or external. We haven’t been able to find it yet,” she said.
Citi wouldn’t be the first company to discover that a massive DDoS attack was actually a cover for more traditional kinds of crime. In February, the website KrebsOnSecurity reported that Bank of the West was the victim of a large denial of service attack that acted as cover for unauthorized transfers from one of the bank’s commercial customers that totaled $900,000.
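The “DDoS as a distraction” pattern described above lends itself to a simple correlation check that a defender can run over alert and transaction logs: flag high-value transfers that land inside (or shortly after) a DDoS window, and separately flag DDoS windows that fall outside the announced Tuesday-to-Thursday schedule, since those may be a different actor hiding behind the same noise. This is an added illustration, not code from the article or from any bank; the windows, accounts, amounts and the $100,000 threshold are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from the article). Timestamps are ISO 8601.
DDOS_WINDOWS = [
    ("2013-03-27T09:00", "2013-03-27T14:00"),  # a Wednesday, on the announced schedule
    ("2013-03-30T02:00", "2013-03-30T04:00"),  # a Saturday, off the announced schedule
]
TRANSFERS = [  # (timestamp, account, amount in USD)
    ("2013-03-27T10:15", "acct-1001", 900000.00),  # during the Wednesday attack
    ("2013-03-27T16:40", "acct-1002", 1200.00),    # small, after the window closed
    ("2013-03-28T11:05", "acct-1003", 750000.00),  # large, but no DDoS in progress
]
ANNOUNCED_DAYS = {1, 2, 3}  # Tue, Wed, Thu (datetime.weekday(): Monday == 0)


def parse(ts):
    return datetime.fromisoformat(ts)


def off_schedule_windows(windows, announced=ANNOUNCED_DAYS):
    """Return DDoS windows whose start day is outside the publicly announced pattern.

    A flood on an unexpected day does not match the claimed group's stated
    schedule and deserves its own investigation rather than being filed as routine."""
    return [w for w in windows if parse(w[0]).weekday() not in announced]


def transfers_under_cover(transfers, windows, threshold=100000.0,
                          slack=timedelta(hours=1)):
    """Flag transfers at or above `threshold` that occur while a DDoS window is
    open, or within `slack` after it closes (the window when operations staff
    are still busiest). Returns (timestamp, account, amount, window_start)."""
    flagged = []
    for ts, acct, amount in transfers:
        if amount < threshold:
            continue
        t = parse(ts)
        for start, end in windows:
            if parse(start) <= t <= parse(end) + slack:
                flagged.append((ts, acct, amount, start))
                break
    return flagged


if __name__ == "__main__":
    print("Off-schedule DDoS windows:", off_schedule_windows(DDOS_WINDOWS))
    print("Transfers under DDoS cover:", transfers_under_cover(TRANSFERS, DDOS_WINDOWS))
```

In practice the DDoS windows would come from the SIM or the DDoS mitigation provider’s alerts and the transfers from the payments system; the threshold should be tuned per customer against their normal transfer profile.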
However, Citi has been hampered in its investigation by a lack of reliable data, constrained funding and a dearth of forensic and case management tools to analyze the data it does have, she said.
IT security isn’t Citi’s core business, and most money and resources are devoted to supporting the company’s traders and investors, Older said. The bank has plenty of security software and hardware, and relies heavily on its security information management (SIM) systems, but the focus is still on protecting Citi’s network from external threats or removing threats, not on analyzing activity within the network to spot malicious or suspicious goings-on. Activity due to malware or phishing attacks, and the lateral movement on the network characteristic of so-called “advanced persistent threats,” can be difficult to spot with current tools, she said.
Beyond that, Citi is often barred from accessing all the information it needs to conduct a proper investigation. As a global organization, Citi must adhere to the data privacy laws of each country in which it operates, Older said. Often, data must be anonymized before it leaves the country, removing much of its value. Out of 100 countries, Older estimated that only 50 have laws that allow Citi to look at the kinds of specific data, such as IP addresses, logins and other details, that are necessary to conduct a proper investigation. “We have cases where we know there’s malware there, and we know an investigation happened, but we can’t get the data back,” Older said. “I think it would benefit us greatly if we could get past that and find a way to be sensitive to privacy regulations in a way that also lets us get meaningful data.”
Eugene Spafford, Director of CERIAS (The Center for Education and Research in Information Assurance and Security), said that forensics has traditionally lagged far behind detection in computer security. “I have heard that many times…and spoken about it. This has always been true, going back 20-30 years. Forensics has had a long lag,” he wrote in an e-mail.
Threat analysis and forensics are gradually slipping under the umbrella of “defense,” just as threat detection did with the advent of intrusion detection system (IDS) software in the late 1990s, Spafford wrote. “Over the last couple of years, as threats have become more stealthy and automated, analysis has been included in defense.