Stock Exchanges in the Line of Fire
During last week’s RSA conference in San Francisco, I gave a lecture titled "Stock Exchanges in the Line of Fire – Morphology of Cyber Attacks." Based predominantly on my experience as part of Radware’s Emergency Response Team (ERT) that provides 24/7 DDoS attack mitigation support, I focused on three specific topics:
1. It is too easy to hit a stock exchange with a DDoS attack
To demonstrate this point, I shared two examples of cyber attacks that contained multiple attack vectors. The first was on a stock exchange that had to suspend trades due to the attack, while the second was against three stock exchanges in the Middle East.
Although stock exchanges are better protected now than they were in the past, paradoxically, they are still vulnerable to cyber attacks. Today, an attacker can utilize five different DDoS attack vectors. All they need is one to be successful. Here is an example of a "classic" blend of attack vectors:
2. Morphology of Cyber Attacks
It is very important to understand the characteristics of contemporary DDoS attack campaigns. These are prolonged attacks that average between three days and one week, and in some cases, can last up to several weeks. Today’s DDoS attacks deploy multiple attack vectors, with the anticipation that at least one of those vectors will successfully breach the target’s defenses. Adding to their complexity, attacks often change tactics during this time period to ensure that even if your organization has fully mitigated the current attack, you’ll still have others to contend with.
In order to be successful in the face of a prolonged attack campaign you’ll need to have the right tools in your toolbox. Unfortunately, DDoS attacks require a complex solution with multiple components that some organizations are still missing.
3. Transition from a two-phase security approach to a three-phase security approach
Some organizations are still operating under a two-phase, "pre" and "post" attack approach. Simply put, prior to an attack, they are well prepared, having acquired mitigation solutions under the assumption that the attack duration will be as short as they have typically been in the past. After the attack, these organizations then draw conclusions from the event in order to improve accordingly.
To mitigate today’s threats, organizations must be prepared for prolonged DDoS attack campaigns. With a prolonged attack campaign, however, you have to react DURING the attack. Unfortunately, many organizations simply do not have the capacity to do so.
As a result, it is critical for organizations to enlist the services of a dedicated "response team" that has experience mitigating prolonged DDoS attacks in order to match the capabilities of the attackers. If skilled hackers are attacking your organization around the clock for days or weeks, you’ll need similar capacity in order to counter the attack. Furthermore, if the attackers are conducting reconnaissance on your site, you’ll need your team to gather intelligence in order to learn more about the attackers and their motivation as well as deploy countermeasure techniques in order to cripple an attack.
Although the theme for my presentation at RSA this year focused on stock exchanges, it’s clear that the subject matter is applicable to other sectors as well. For instance, the lessons learned from cyber attacks on stock exchanges are critical for understanding the recent spate of DDoS attacks on US banks.
Once an organization understands the need to prepare themselves for prolonged attacks, and recognizes the value of a dedicated and experienced response team to back them up, we should expect to see an increase of elite "task forces" that will respond with tenacity and fervor similar to the attackers.
To learn more, check out my RSA presentation here or share your comments below – Have you experienced an increase in attack length or number of attack vectors used against your organization?