Red Alert -- Cyber Attacks on Banks of 100+ Billion Bytes per Second Escalate -- Fears of 'Cyber-Pearl-Harbor' Mount
London, UK - 22nd October 2012, 8:15 GMT
Dear ATCA Open & Philanthropia Friends
[Please note that the views presented by individual contributors are not necessarily representative of the views of ATCA, which is neutral. ATCA conducts collective Socratic dialogue on global opportunities and threats.]
From Bank of America to HSBC and from JPMorgan Chase to Wells Fargo bank a growing wave of cyber attacks has disrupted and crippled the customer-facing online presence of some of the biggest and most powerful high-profile Western financial institutions over the past several weeks. Ally Financial, BB&T, Capital One Financial, PNC Bank, Regions Financial, SunTrust Bank and US Bank have also been targeted. Customers trying to use the online systems of those banks after the latest digital attacks were denied access or faced long delays. Some of the digital attacks appear to have originated in Iran and Russia. Security experts now believe that multiple well-organised digital attackers rather than a single attacker are behind the events that caused day-long slowdowns and, at times, complete online outages at various top banks.
Red Alert -- Scale and Speed of Global Digital Attacks Escalates – US Cyber Command
US Secretary of Defense Cautions Against Cyber-Pearl-Harbor
The US Secretary of Defense Leon Panetta has warned that the country could face a 'Cyber-Pearl-Harbor' in the near future and has drafted new rules which would enable the American military to move quickly to thwart any such attacks. Panetta is also concerned that the “scale and speed” of the bank attacks is unprecedented. The digital attacks have continued this week despite a warning from him that America has the ability to determine who is responsible. Specifically, Panetta said, “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests” to business executives in New York.
Panetta also said that Iran has “undertaken a concerted effort to use cyberspace to its advantage.” Panetta added that digital attacks emanating from foreign soils could paralyse the country's power grid financial networks and transportation system saying that a cyber attack had the potential to "paralyse and shock the nation and create a profound new sense of vulnerability." "If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president," Panetta said in the speech to top business executives in New York.
Panetta also added that the "Shamoon" virus which attacked Saudi Arabia's state oil company, Aramco, was probably the most destructive attack the business sector has seen to date. The virus also struck a joint venture between the US oil firm ExxonMobil and state-controlled Qatar Petroleum. Iran is suspected of taking revenge for US sanctions by targeting oil companies with cyber attacks, knocking out Saudi Arabia’s Aramco’s computers for two weeks. A disruption to Saudi Arabia's oil exports could cause oil prices to spike from their already elevated prices and tip the fragile global economic recovery into recession.
Need for Emergency Board Meeting
If there ever was a time for any major organisation's board of directors to listen carefully to their Chief Information Officer (CIO) and Chief Information Security Officer (CISO) that time has now arrived. Call an emergency board meeting and please pay close attention to the advice of your CIO and CISO in regard to online security matters. Your online reputation, trust in your brand, customer confidence and share price may soon depend on the swiftness of your attention to this urgent matter. Companies have to be very aware of what’s going on in regard to this latest round of cyber attacks on banks of 100+ billion bytes per second and they have to start thinking about a Plan B and Plan C beyond Plan A if financial chaos is manifest in the near future.
Why the Red Alert? Possible Flash Crash?
The mi2g Intelligence Unit (mIU) and the ATCA 5000 Research & Analysis Wing (A-RAW) have become concerned about the latest round of digital attacks because US and Western large capital financial institutions have some of the best network security defences of any industry. Sustained attacks could disrupt customer confidence in industries beyond banking and may have a much larger cascading fallout given that Systemically Important Financial Institutions -- SIFIs -- are also coming under sustained attack. The latest campaign of digital attacks appears to have been near-100 percent effective, at least in bringing the targeted financial institutions some level of visible duress. The attackers are adapting to the banks’ defences and becoming more sophisticated in their tactics with every passing week. Is it plausible that the next flash crash which manifests in the global financial markets may be traced back to these swiftly escalating cyber attacks?
Who Is Responsible? And Why?
A hacktivist group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" took credit for the cyber attacks against banking giants in a Pastebin post, which has since been removed. The group, perhaps Iranian, has claimed that it is protesting the presence of the anti-Islamic video 'Innocence of Muslims' on the Internet, which has helped spark outrage in the Middle East against the United States in particular and the West in general. There is scepticism that fringe Islamist groups are sufficiently organised to mount these colossal digital attacks on their own without nation-state assistance.
Some of the attacks are apparently linked to hacktivists associated with Anonymous. In a Pastebin post, UK-based Fawkes Security took responsibility for some of the attacks. "As some of you may be aware HSBC bank suffered several DDoS attacks on the named sites in the past hours us.hsbc.com hsbc.co.uk hsbc.com hsbc.ca they were all brought down by #FawkesSecurity," according to the post. "Before any claim [expletive] attempt to take ownership of this attack, the proof is all in our Twitter account, Targets, time and date :) @FawkesSecurity."
The source of some of the digital attacks, which are flooding the banking websites with so much traffic that they become unavailable, are still not fully known. United States authorities are used to cyber espionage from Russia and China, but have been surprised by the swift rise in Iran's digital warfare capability. Based on some limited data samples, some security experts suggest that the Iranian government may be behind the digital attacks against banks and oil companies as opposed to fringe Islamists or hacktivists. However, further definitive evidence is still needed. There’s no technical problem in forensically figuring out who did what. The problem remains that can one visit China, Russia or Iran and actually carry out the inspection of their equipment to know what’s really going on?
Why Is 100+ Billion Bytes per Second So Powerful?
There is no denying that the latest round of Distributed Denial of Service -- DDoS -- digital attacks are extremely powerful and unprecedented at 100+ billion bytes or 100+ Giga bytes per second. The leading DDoS prevention software more or less stops working when the digital attacks get larger than 60-70 Gigabytes per second and simply can't handle the bandwidth of these 100+ Gigabyte per second attacks. The major ISPs have only a few hundred Giga-bytes per second bandwidth for all their customers, and even if they add more on to that, the hacktivists could quickly and easily overwhelm any additionally allocated bandwidth.
This is an unprecedented escalation because the commercial servers that have been deployed in carrying out the digital attacks have not previously been utilised on such a large scale to deliver 100+ Gigabytes per second attacks. Along with using commercial servers, digital attackers are overloading bank websites with queries, such as requests to find branch locations, and sending encrypted data packets that bypass traditional defences and intrusion-detection systems.
DDoS attacks that are causing havoc are being launched from just 3,000+ compromised endpoints distributed around the world, all lobbing payloads of multiple megabytes per second that together add up to 100+ Gigabytes per second of a digital cacophony blasting into the banks through their digital plumbing. DDoS attacks have nearly doubled in frequency and tripled in size during the past year. The transition from digital attacks using botnets made up of low-bandwidth home computers to high-bandwidth corporate servers has definitely played a role in increasing the average attack bandwidth significantly. Ahead of the massive digital attacks reconnaissance, probing and scanning to evaluate the banking websites’ effectiveness is routinely taking place to see if they have certain attributes in place.
What Are the Attacks' Objectives?
The sole purpose of the attacks appears to be to disrupt banking customers' ability to access their funds. The goal of the digital attacks appears neither to have been to steal money, nor to steal personal identity, nor to take information or intellectual property from the financial institutions themselves, but actually to prevent banking customers from doing things that they like to do online from a convenience standpoint.
Who Is Winning?
Senior officials at some of the banks that have been targeted said that the large scale attacks stopped the day when the perpetrators issued a stop command to the network of computers they had commandeered. The assault stopped because the attackers quit or moved on to other banks, not because the banking groups defeated the attacks.
Firewalls Don't Work
Firewalls can no longer block these sophisticated digital attacks. In the case of some of the banks, excessive traffic was coming in at a rate of 100+ Gigabytes per second, totally overwhelming the infrastructure. DDoS and other advanced attacks can't be solved by opening up more bandwidth. The problem is that firewalls, Intrusion Prevention Systems (IPS) and other infrastructure aren't designed to deal with volumetric attacks and they simply freeze up.
What’s the Solution?
Networks need a new "first line of defence" at the perimeter. The solution may lie in a new type of hardware device designed to sit in front of the firewall. Its purpose may be to pre-evaluate all traffic and remove unwanted "digital noise" before it can get to the firewall, the IPS, and other points in the infrastructure. When the nefarious traffic is eliminated, these other devices can do the jobs they are intended to do. The new hardware device may need to systematically deploy several steps to move successively deeper into the protocol stack to inspect the packets more closely in order to counter more complex issues than any firewall alone may be able to mitigate:
Step 1: Utilise real-time reputation updates, current geo-location information and real-time threat detection to evaluate inbound traffic. For example, if packets are originating from a country where the network owner doesn't do business -- say China, Russia or Iran -- then the traffic ought to be blocked.
Step 2: Limit the frequency rates of self-similar traffic coming into the network from the same source. This would take care of repeated requests for specific pages originating from the same digital location.
Step 3: Analyse the behaviour of the digital traffic and toss out packets that violate protocol and application usage standards. Also, look for questionable outbound traffic not conforming to policies and/or standards.
Step 4: Look for known security issues in the digital traffic. This includes:
a. buffer overflows;
b. injections and brute-force password attacks;
c. random malware and exploits in the payloads; and
d. advanced evasion techniques such as fragmentation and segmentation that can be used to hide attacks.
By the time traffic has gone through all these extra layers of inspection, it may be sufficiently clean to continue to the second line of defence -- the firewall and the Intrusion Prevention System (IPS).
Of course, rapid identification and takedown of the offending endpoints conducting the DDoS attacks would be ideal. This ought to be possible as long as there is co-ordination and strong cooperation across countries and internet service providers. This is not a small feat. In the meantime, don’t hold your breath waiting for that to happen. Instead, evolve your "first line of defence", evolve multiple online banking relationships, alert your board of directors and get talking to your CIO and CISO straightaway!
We will shortly be conducting two face-to-face roundtables on this subject and if you would like to attend please let us know.
What are your thoughts, observations and views? We are hosting an Expert roundtable on this issue at ATCA 24/7 on Yammer.
Expert roundtables are the newly launched ATCA 24/7 Q&A private exclusive club service. They seek to become the killer application in strategic intelligence by delivering an unprecedented competitive advantage to our distinguished members. They can only be accessed online at https://www.yammer.com/atca
Q1: How to become a privileged member of ATCA 24/7 to participate in the expert roundtables?
A1: i. If you are a distinguished member of ATCA 5000, ATCA Open, The Philanthropia or HQR affiliated groups you may be allowed to become a privileged member of this new and exclusive private club.
ii. If you are pre-invited, visit the private intelligence network -- PIN -- by going to https://www.yammer.com/atca [Note: In https:// 's' is for security and encryption]
iii. If you don't have membership of the PIN yet, email the mi2g Intelligence Unit at intelligence.unit at mi2g dot com for an exclusive invitation.
Q2: How to participate in the expert roundtables and get domain-specific strategic intelligence questions answered?
A2: Access the ATCA 24/7 Private Intelligence Network -- PIN -- online and ask or answer a strategic intelligence question, no matter how complex. Receive expert answers within 24 hours or get pointers from:
i. ATCA 5000 experts who are online;
ii. ATCA Research and Analysis Wing; and
iii. mi2g Intelligence Unit.
Q3: Why is the ATCA 24/7 Q&A Exclusive Club special?
A3: ATCA 24/7 has now created an exclusive private intelligence watering hole and expert roundtable at the highest level where interesting and sophisticated questions are being asked from around the world, and intelligent answers are being provided, almost always by experts who have deep domain-specific knowledge. Come and check out the exclusive club, take it for a strategic test drive, which sign-of-intelligent life are you waiting for?
To learn more about "The Expert Roundtable: ATCA 24/7 Q&A Club" email: intelligence.unit at mi2g.com and if you are already a member visit https://www.yammer.com/atca
We welcome your thoughts, observations and views. To reflect further on this subject and others, please respond within Twitter, Facebook and LinkedIn's ATCA Open and related discussion platform of HQR. Should you wish to connect directly with real time Twitter feeds, please click as appropriate:
. ATCA Open
. mi2g Intelligence Unit
. Open HQR
. DK Matai