I recently talked to Davi Ottenheimer,* Senior Director of Trust at EMC, about the guidelines released by the Federal Financial Institutions Examination Council (FFIEC) in April of 2014 regarding preparations financial institutions must take to protect against DDoS attacks.
DDoS attacks are a cause of concern across all major industries, from charity organizations to high-value targets like banks and financial institutions. However, recently there has been an increasing focus on the financial industry due to the potential impact to the economy.
Financial institutions—with online banking, mobile-device access to account information, and even back-office systems tied to the network—are highly susceptible, which is why the FFIEC has the new guidelines.
The FFIEC’s “Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional…” specifies six steps that supervised financial institutions are expected to take. If you are responsible for networks at an FFIEC-supervised institution, you should review this Joint Statement carefully, and understand what your company is being asked to do at a policy level.
I talked to Davi Ottenheimer on what the new regulations mean, and he said, “Availability of systems is a foundation of trust in today’s always-on, always-connected world of commerce. The recent regulatory guidelines are a logical continuation of long-standing disaster-recovery and business-continuity concepts. Financial service providers now need to be ready not only to withstand denial-of-service attacks on their own, but also need to be using intelligence-driven security to catch wider threats and to participate with others in defense of the industry as a whole.”
Does This Mandate Apply to You?
The FFIEC Joint Statement clearly applies to all FDIC-supervised institutions, including those with less than $1 billion in total assets.
- While it sets forth no legal requirements with penalties for noncompliance, FIL-11-2014 clearly implies that the FFIEC is placing the burden of protecting against DDoS attacks squarely on financial institutions and their IT teams.
- The Joint Statement provides links to two resources to guide financial institution IT teams in meeting the expectations:
  - A detailed technical discussion of attack targets and types titled “DDoS Quick Guide” from the National Cybersecurity and Communications Integration Center
  - A more process- and best-practices-oriented “Computer Security Incident Handling Guide” from the National Institute of Standards and Technology
What Infoblox Can Do to Help You Comply
Interestingly, the DDoS Quick Guide talks about DDoS attacks impacting different OSI layers. We have seen attackers increasingly use DNS to launch DDoS attacks that are not only volumetric, consuming the victim’s WAN bandwidth, but also application-layer, exhausting the DNS servers themselves and causing significant damage. I asked Davi if there was anything specific to DNS that was called for.
“DNS is clearly within scope of recent regulatory guidelines,” he said, “even though they are not specifically named.” The following paragraphs explain how Infoblox capabilities match up with the specific requirements for addressing DDoS as well as how they address DNS vulnerabilities.
Monitoring Internet Traffic (Step 2)
Infoblox Advanced DNS Protection (ADP) provides monitoring purpose-built to counter the DDoS threats the FFIEC is asking institutions to guard against. The solution delivers a unique approach to protecting against DNS-based attacks by continuously monitoring, detecting, and dropping DDoS attack packets—including amplification, reflection, floods, exploits, tunneling, cache poisoning, and protocol anomalies.
Ensuring Staffing for the Duration of an Attack and Managing Traffic Flow (Step 4)
Infoblox Advanced DNS Protection meets the expectation set forth in Step 4 and goes one better. ADP automatically distinguishes between legitimate queries and malicious traffic during an attack. It also automatically—and intelligently—manages the traffic flow, serving legitimate requests while it drops malicious ones. So it makes the kind of on-call contract staff recommended in Step 4 unnecessary by supplying a more reliable automated alternative.
The illustration shows Infoblox Advanced DNS Protection under DDoS attack, and its response to good DNS queries. While the attacks were being launched (red line graph), Advanced DNS Protection also received 50,000 good DNS queries per second, all of which it responded to (blue line graph), even as the attacks peaked. The test was done using an independent third-party security and performance-testing platform.
Continuing to respond to legitimate queries, even as an attack peaks
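The behaviour described in Step 4, separating legitimate queries from attack traffic and continuing to answer the former, can be illustrated with a small per-source triage pass over DNS query logs. The following is an added example written for this post, not Infoblox code and not a description of how ADP makes its decisions. The log format, the field names, the source addresses and the thresholds (queries per second, share of ANY queries, average response size) are all assumptions chosen for illustration; the sample log is constructed inline so the script runs offline.

```python
"""Per-source DNS query triage: flag flood and amplification patterns while
letting ordinary client traffic through. Added example; thresholds and log
format are assumptions, not Infoblox ADP internals."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SourceStats:
    """Running totals for one client IP address."""
    queries: int = 0
    any_queries: int = 0      # queries with QTYPE=ANY, the classic amplification lever
    resp_bytes: int = 0       # total response bytes sent back to this source
    first_ts: float = float("inf")
    last_ts: float = 0.0


def parse_line(line):
    """Assumed log format: '<epoch> <client_ip> <qtype> <qname> <resp_bytes> <rcode>'."""
    ts, ip, qtype, qname, size, rcode = line.split()
    return float(ts), ip, qtype.upper(), qname, int(size), rcode


def aggregate(lines):
    """Fold log lines into per-source statistics."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, qtype, _qname, size, _rcode = parse_line(line)
        s = stats[ip]
        s.queries += 1
        s.any_queries += 1 if qtype == "ANY" else 0
        s.resp_bytes += size
        s.first_ts = min(s.first_ts, ts)
        s.last_ts = max(s.last_ts, ts)
    return stats


def classify(s, flood_qps=100.0, amp_qps=20.0, amp_any_ratio=0.8, amp_avg_bytes=1000):
    """Label one source. Thresholds are illustrative assumptions."""
    span = max(s.last_ts - s.first_ts, 1.0)   # floor at 1 s so a burst isn't divided by ~0
    qps = s.queries / span
    any_ratio = s.any_queries / s.queries
    avg_bytes = s.resp_bytes / s.queries
    # Many ANY queries that each draw a large answer: reflection/amplification pattern,
    # the 'source' is usually a spoofed victim address rather than a real client.
    if qps >= amp_qps and any_ratio >= amp_any_ratio and avg_bytes >= amp_avg_bytes:
        return "amplification_suspect"
    if qps >= flood_qps:
        return "flood_suspect"
    return "legitimate"


def triage(log_text):
    """Map each source IP to a verdict."""
    return {ip: classify(s) for ip, s in aggregate(log_text.splitlines()).items()}


def filter_queries(log_text):
    """Second pass: keep serving queries from legitimate sources, drop the rest."""
    verdicts = triage(log_text)
    served, dropped = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split()[1]
        (served if verdicts[ip] == "legitimate" else dropped).append(line)
    return served, dropped


def build_sample_log():
    """Constructed sample traffic (not real data): one ordinary client, one
    amplification pattern and one query flood, all against the same zone."""
    lines = []
    for i in range(5):                       # ordinary client: 5 queries over 4 s
        lines.append(f"{1000 + i:.2f} 10.0.0.5 A host{i}.example-bank.test 64 NOERROR")
    for i in range(200):                     # 200 ANY queries in ~1 s, ~3 KB answers each
        lines.append(f"{1000 + i / 200:.2f} 198.51.100.9 ANY example-bank.test 3100 NOERROR")
    for i in range(400):                     # 400 random-label queries in ~2 s
        lines.append(f"{1000 + i / 200:.2f} 203.0.113.77 A r{i}.example-bank.test 64 NXDOMAIN")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, verdict in sorted(triage(build_sample_log()).items()):
        print(f"{ip:15} {verdict}")
    served, dropped = filter_queries(build_sample_log())
    print(f"served {len(served)} queries, dropped {len(dropped)}")
```

Running the script labels the ordinary client as legitimate and the two attack sources as amplification and flood suspects; the filter pass then serves the five ordinary queries and drops the 600 attack queries. A production device makes this decision per packet and in real time rather than over a log, and uses many more signals, but the two questions asked here (how fast is this source querying, and is it drawing disproportionately large answers) are the core of telling legitimate load from a DNS-based DDoS.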
Sharing Information to Help Identify New Threats and Tactics (Step 5)
Advanced DNS Protection receives regular automatic updates based on detailed threat analysis and research, providing ongoing protection against new attack types as they surface. This information can be shared across and between institutions and agencies.
Adjust Risk Management Controls in the Wake of an Attack (Step 6)
In the wake of an attack, Infoblox security solutions can help IT take measures to fortify DNS services against future attacks, based on detailed reporting that provides a centralized view of all the attacks happening across the network and gives visibility into their type and scope. Reports include details such as the number of events by category, rule, and severity, member-trend analysis, and time-based analysis. In addition to providing the intelligence needed to take action while an attack is in progress, these reports can be analyzed when planning future defenses.
But wait—there’s more.
The FFIEC points out that during 2012 and 2013, attacks launched by a Hamas organization calling itself “Cyber Fighters of Izz Ad-Din Al Qassam” hit U.S. banks and in some cases shut down services altogether. The FFIEC expects attacks of this sort to continue, and warns that financial institutions are at risk of disruption of operations, loss of reputation, and even fraud committed under the cover of DDoS attacks launched as diversions.
Infoblox has this covered as well. Infoblox DNS Firewall protects enterprises against malware-based data exfiltration by blocking malware from reaching the Internet via DNS.
For more details, see our white paper titled “FIL-11-2014: What Does It Mean to You?”, which summarizes the FDIC letter and the FFIEC Joint Statement and then matches the capabilities of Infoblox solutions for protecting against DDoS attacks to specific expectations in these documents.
*Davi Ottenheimer has over 20 years of experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is author of the Wiley books “The Realities of Securing Big Data” and “Securing the Virtual Environment.” He formerly was responsible for security at BGI, the world’s largest investment fund manager. Before that he was a “dedicated paranoid” at Yahoo! and responsible for managing security for hundreds of millions of mobile, broadband, and digital home products. Davi received his postgraduate academic Master of Science degree in international history from the London School of Economics.