A financial services industry consortium recently warned that a type of cyberattack known as distributed denial of service (DDoS) has grown in prevalence over the past year, and the group recommended vigilance among banks and credit unions to ensure the typically annoying but nondestructive attacks do not become disruptive.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), which primarily focuses on reducing cybersecurity risks, said in
Hacktivist groups that have taken sides over Russia's war in Ukraine are "largely" to blame for the increase, according to the report. Most of the new attack volume affected Europe, where attacks on financial services increased 73%.
FS-ISAC and Akamai also noted that financially motivated actors have stepped up their sales of cyberattack tools on the dark web, which may also explain part of the spike. As threat actors commodify DDoS capabilities, they are also monetizing attacks by offering victims relief in exchange for a ransom payment.
It's a new scheme in a relatively long history of denial-of-service attacks. According to the Carnegie Endowment for International Peace, one of the first major cyberattacks to hit the U.S. financial sector took place in 2009, when a DDoS attack hit the websites of the New York Stock Exchange, Nasdaq, the White House and The Washington Post.
Two years later, attackers allegedly acting on behalf of the Iranian government and Islamic Revolutionary Guard Corps went after 46 financial organizations, including Bank of America, the New York Stock Exchange and Capital One.
Large banks and credit unions have since created multiple lines of defense against DDoS attacks, which have grown in sophistication to target more fundamental systems in the tech stack financial institutions use to serve their digital products, according to Teresa Walsh, FS-ISAC's global head of intelligence. The result is that most members of the group report little to no disruption when a DDoS attack happens.
"One company might say that they can shrug it off, and it's because they've invested quite a bit in their ability to shrug it off," Walsh said. "But not everybody is able to do that."
Smaller and mid-size financial institutions tend to lack the necessary protections, according to Steve Winterfeld, advisory chief information security officer for Akamai. DDoS attacks are all about scale — overwhelming a server or system with more requests than it typically gets or can handle. As such, large-scale attacks can become a daunting risk for smaller institutions.
"The large banks are much more mature and have their denial of service protections always on and have done an exercise," Winterfeld said. "It's the mid-range and smaller banks, generally speaking, that aren't as well protected and well exercised."
Small and medium-sized financial institutions need to implement general cybersecurity practices as a basis for protecting themselves against DDoS attacks, but they also have to rely on systems that specifically defend against huge spikes in network traffic — typically by purchasing such defenses.
Akamai offers so-called DDoS protection services, as do others. Cloudflare provides DDoS protection in its suite of free-tier services; Fastly, Imperva, Radware, Neustar and other companies also provide such services.
These services work by putting customers' web servers behind a content delivery network, which spreads out the traffic generated during DDoS attacks such that many content delivery servers take on the load of the traffic and let in only what the service determines to be legitimate traffic. The services have a number of methods for determining whether traffic is legitimate, including tests such as CAPTCHAs that are designed to catch malicious bots.
Without adequate protection, the primary risks that banks and credit unions face during a DDoS attack are operational disruption and reputational harm, according to the report from FS-ISAC and Akamai. According to Walsh, although DDoS attacks are an old and familiar problem for banks, they still have the potential to become a reputational hazard.
"Even if you're down for a few seconds, or a couple of minutes, it will be talked about in the media, it will be talked about on Twitter, it will be talked about everywhere," Walsh said. "If your website goes down, that's public, and people see that."