Six Common Sense Steps from the FFIEC to Address DDoS Attacks

By Linda Musthaler | July 24, 2014

Posted in: Network Security Trends

Who can forget the series of distributed denial of service (DDoS) attacks on American banks back in 2012 and 2013? Some of the attacks were highly effective in knocking online banking services offline for days at a time. Over time, financial institutions (FIs) learned to bolster their defenses until the attacks grew less and less effective at disrupting the banks' services. However, it was later shown that at least some of the banking websites that experienced a DDoS attack also experienced other types of criminal attacks.

Back in April, the Federal Financial Institutions Examination Council (FFIEC) issued a statement to notify FIs of the risks associated with DDoS attacks on public-facing websites. The statement describes the steps that FIs are expected to take to address these attacks and highlights resources that institutions can use to help mitigate the risks posed by such attacks.

It turns out that this advice is good for just about any organization that operates a public-facing website. You don't need to be a financial institution to benefit from this advisory, which includes the following steps:

  1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts.
  2. Monitor Internet traffic to the institution’s website to detect attacks.
  3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts.
  4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack.
  5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics.
  6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

Step 5 advises sharing information with other organizations that might see similar attacks, and notifying law enforcement. I want to take a deeper look at this recommendation.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an industry forum for collaboration on critical security threats facing the financial services sector. As the name implies, this organization is for financial services institutions like banks, credit unions, brokerage houses and the like. If your company doesn't fall into that category, take a look at the other industry forums that are explicitly designed to share threat information—especially cyber threats. The National Council of ISACs lists a number of industry organizations covering a range of industries including the defense industrial base, national health, information technology, nuclear energy, and many others.

The ISACs are a safe and anonymous way to share explicit information about cyber attacks that are happening within a certain industry. Attackers often target numerous agencies or companies in the same industry using the same techniques over and over again. Sharing information about what one ISAC member is experiencing can help other members defend against a similar attack. Members of the FS-ISAC helped each other in this way during the 2012-2013 DDoS attacks, believing they were all in it together.

The FFIEC advice also recommends notifying law enforcement of a DDoS or other kind of cyber attack. You might think it's useless to get law enforcement involved, but this is the only way to bring any sort of criminal charges against an attacker, and prosecution can be a pretty good deterrent for keeping an attacker from coming at you or another victim again.

Regardless of your business or industry, it's good to follow the steps above to ensure that your organization is ready to take on a DDoS attack.
