Case Study

What’s the best approach to take when you’re responsible for minimizing your company’s risk and safeguarding their assets during a distributed denial of service (DDoS) attack?

It’s the question that haunts every chief information security officer (CISO) across the globe, including one at the head of one of the largest banks in the United States. And for CISOs in the financial services industry, the consequence of a missed step could be disastrous.

Cybercriminals have used a number of reasons to deploy DDoS attacks against the financial services industry, including; interrupting access to online services, access to proprietary information, access to personally identifiable information, and the obvious motive of stealing large amounts of money.

Unfortunately for CISOs, the damages don’t end there. They also have to deal with the resource-intensive annoyance of being taken offline, as well as the cascading fallout of brand impairment and loss of customer trust that follows.

To make matters worse, some recent DDoS attacks against financial services companies are state-sponsored and are either plotted with the intention of disrupting the flow of money to competing economies, or used as a means of currency manipulation to affect stock markets and the value of a currency.

As attackers become increasingly determined and emboldened to lash out and launch DDoS strikes with impunity, the question for every CISO in the financial services industry continues to linger:

What do you do when you’re responsible for minimizing your company’s risk and safeguarding their assets during a DDoS attack?

For years, the answer seemed simple enough – throw a lot of hardware at the problem and lock up a single service vendor. This approach seemed to work until the bad guys caught on and adjusted. Now, the threat has changed, the technology used to launch attacks has changed, and worse, the size of attacks and what organizations can endure has changed. Unfortunately, the threats have overwhelmed defenses that were deemed sufficient not that long ago.

In today’s cybersecurity landscape, where DDoS attacks against financial institutions are a certainty and not a possibility, having a single defense solution is no longer sufficient. In fact, a single solution may become a single point of failure for the entire financial services industry. And if any industry knows it’s a high-profile target for DDoS attacks, and has a lot to lose – it’s the financial services industry.

The first high-profile case of DDoS attacks against the industry occurred in 2012 when a number of well-known banks were ruthlessly targeted and taken offline by a series of high-volumetric attacks that were unprecedented at the time. Despite reports that no data was lost or ATM’s taken offline, the attackers gained invaluable insight and knowledge into what it takes to overwhelm their defenses.

Since then, the onslaught against financial institutions has only increased over the years. And for financial institutions that didn’t heed the lessons from 2012 and build additional layers of security or redundancy into their systems, history soon would prove itself to be cyclical.

The debut of the Mirai botnet in the fall of 2016 forever changed the paradigm of DDoS attacks. The botnet, which was fueled by insecure Internet of Thing (IoT) devices, began to emerge as a new weapon for DDoS attacks.

With volumetric attacks surpassing 1 Tbps - the largest attack volumes ever seen in the industry - chaos reigned down on organizations across the globe. The most devastating incident occurred on October 21, when Mirai was aimed at a well-known DNS provider. The attack succeeded in not only taking the provider offline, but it also created a ripple effect of downtime for companies that solely relied on the DNS provider for access to critical Internet and infrastructure services.

The effect of the attack was so widespread that many began to wonder if the entire Internet had crashed.

To further complicate matters, the sheer size and impact from the Mirai Botnet created a moral and financial dilemma for DDoS mitigation providers. On one hand, they have an obligation to service the attacked company. But in doing so, they would exhaust their mitigation resources, which could affect other clients. And with a number of financial institutions solely depending on one DDoS vendor for protection - much like using only one DNS provider - the possibility of having that vendor become a single point of failure for the entire industry has become a reality.

In effect, the Mirai Botnet solidified the reasoning for employing a complementary or backup DDoS solution.

Seeking to apply lessons learned from previous mistakes, financial institutions are increasingly integrating best practices for building redundancy into their critical networks by either using dual primary DDoS solutions, or employing a secondary or failover DDoS mitigation solution in the event that attacks overwhelm their initial layer of protection.

How Neustar Helps

After the massive DNS outage caused by the Mirai Botnet, Neustar was approached by one of the 3 largest banks in the United States to ensure they had redundancy built into their DDoS defense system.

By turning to Neustar SiteProtect to act as a secondary DDoS solution, our customer was able to implement a robust, on-demand hybrid DDoS defense that’s capable of taking over from the customer’s primary DDoS mitigation provider in the event of mitigation problems or platform saturation. If the primary DDoS defense system stumbles, Neustar SiteProtect quickly takes over to detect and mitigate attacks while keeping critical systems online without any interruptions.

Our customer designed and provisioned the SiteProtect service to be dynamically customer-triggered, which allowed them to feel secure due to Neustar’s local mitigation capabilities. And for this customer, closer mitigation nodes means quicker traffic scrubbing, resulting in less website/application delays and disruptions.

It’s Time to Diversify Your DDoS Protection

In financial services, the best practice for customers is to diversify their investments to protect against market risks. Now more than ever, this practice should be applied to your DDoS defenses.

You need to reassess your current DDoS mitigation strategy and understand if your provider could become a single point of failure and represent a costly liability to your organization by becoming overwhelmed by a large attack.

Now is the time to diversify your DDoS mitigation solution because we’ve seen that relying on just one vendor could spell disaster if they are ever overwhelmed or taken down by a massive DDoS attack - or coordinated attacks against multiple financial institutions.

Now is the time to look for either a dual primary or complimentary provider that’s equipped with a redundant and robust DDoS mitigation platform that can supplement your initial solution in the event of an emergency.

Download PDF