Best Practices to Prevent Revenge DDoS in Banking Using QRadar

As corporations and governments shift information gathering and hostilities into the online world, hacktivist organizations such as Anonymous use DDoS as a primary weapon of revenge. For example, this past September Newsweek found itself under a DDoS attack after it published an article about Donald Trump’s business dealings in Cuba. Preventing this kind of attack should be a top concern in any boardroom, especially in the banking industry, where a sudden PR fallout can have near-disastrous results.

Unfortunately, banks by and large do not take the threat of revenge attacks seriously, and that needs to change today. A bank needs a plan in place to keep revenge hacking from taking it offline, and that plan must involve a capable security intelligence tool such as QRadar.

The Evolution of DDoS Attacks

As espionage, corporate sabotage and activism have all shifted from the physical to the digital world, the game of thwarting attacks, in particular DDoS attacks, has also changed and matured. With revenge attacks now executed on a global scale, the onus is on identifying these attacks as quickly as possible, not just to protect data but to keep primary business systems up and running.

I am going to focus on DDoS attacks, as these are among the easiest attacks to pull off and the hardest to trace back to their origins. They do not generally yield information to be sold or ransomed; a revenge DDoS is simply a way to bring an organization down, and banks are increasingly in the crosshairs.

Where Do These Attacks Come From?

The first thing I emphasize with clients is the need to understand where the attacks they may face will most likely come from. The days of cyber-kids and lone-wolf hackers have come and gone; they have been replaced by international crime syndicates, hacktivist organizations and nation-states, all of whom use revenge attacks as a weapon. All of these groups actively recruit hackers, enticing them with cash and equipment that lets them step up their game even further. And while many attacks originate overseas, US-based hackers and hacktivists cannot be ignored either.

So, if a DDoS revenge attack can now be launched from anywhere in the world by anyone in the world, how does a bank figure out where an attack is going to come from? I walk clients through these key steps to establish the likely origin and, as a bonus, when an attack is most likely to occur:

  • Know thy customer. A banking institution may have great PR and a good reputation, but that may not apply to some of its customers. Monitor social media and customers’ press-release landing pages for potential PR events that could turn things sour fast. I recommend a combination of GitHub and Google Alerts to quickly identify events that may place a client’s bank at elevated risk of attack.
  • Using a tool like QRadar, monitor for a sudden drop in network performance, especially one that affects only a cloud-based service. Attackers will often initiate a larger-scale DDoS attack on a bank from a cloud-based service.
  • Monitor spam email volume: it often spikes in the moments leading up to a DDoS attack.
  • In particular, monitor the email accounts of management and above for mail routed from overseas or from encrypted email providers such as ProtonMail. Once an attack is under way, a demand sent to the bank may never arrive or be read, so it is common practice for attackers to send their demands before beginning the attack.
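The third and fourth signals above (a spam spike and executive mail from overseas or encrypted-mail senders) are easy to check against mail-gateway logs. The following is an added example, not code from the original article or from IBM QRadar: the gateway log format, the executive mailbox list, the home country and the watch list of encrypted-mail providers are assumptions, and the log lines are constructed.

```python
"""Triage of two pre-attack signals over constructed mail-gateway log lines.

Added example; not code from the original article or from IBM QRadar.
Assumed: the log format, EXECUTIVES, WATCHED_PROVIDERS and HOME_COUNTRY.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed gateway format:
#   <timestamp> verdict=<spam|clean> from=<addr> to=<addr> src_country=<CC>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) verdict=(?P<verdict>\w+) from=(?P<sender>\S+) "
    r"to=(?P<rcpt>\S+) src_country=(?P<cc>[A-Z]{2})$"
)

# Constructed sample: three quiet hours, then a burst of spam and a message
# to the CFO from an encrypted-mail provider.
SAMPLE_LOG = """\
2016-09-20T05:10:02 verdict=spam from=promo@example.net to=teller1@bank.example src_country=US
2016-09-20T05:40:31 verdict=clean from=partner@example.org to=ops@bank.example src_country=US
2016-09-20T06:05:44 verdict=spam from=win@example.net to=teller2@bank.example src_country=RU
2016-09-20T06:22:10 verdict=spam from=deal@example.net to=hr@bank.example src_country=BR
2016-09-20T07:15:09 verdict=spam from=offer@example.net to=teller1@bank.example src_country=US
2016-09-20T07:50:27 verdict=clean from=ceo.assistant@bank.example to=cfo@bank.example src_country=US
2016-09-20T08:01:05 verdict=spam from=a1@example.net to=teller1@bank.example src_country=CN
2016-09-20T08:02:17 verdict=spam from=a2@example.net to=teller2@bank.example src_country=CN
2016-09-20T08:03:29 verdict=spam from=a3@example.net to=hr@bank.example src_country=UA
2016-09-20T08:04:41 verdict=spam from=a4@example.net to=ops@bank.example src_country=UA
2016-09-20T08:05:53 verdict=spam from=a5@example.net to=hr@bank.example src_country=RU
2016-09-20T08:06:02 verdict=spam from=a6@example.net to=teller1@bank.example src_country=RU
2016-09-20T08:12:40 verdict=clean from=demands@protonmail.com to=cfo@bank.example src_country=CH
2016-09-20T08:30:11 verdict=clean from=vendor@example.org to=cfo@bank.example src_country=GB
"""

EXECUTIVES = {"ceo@bank.example", "cfo@bank.example"}  # assumed
WATCHED_PROVIDERS = {"protonmail.com"}                   # the article's example; extend as needed
HOME_COUNTRY = "US"                                      # assumed


@dataclass
class MailEvent:
    ts: str
    verdict: str
    sender: str
    rcpt: str
    cc: str

    @property
    def hour(self):
        return self.ts[:13]  # "YYYY-MM-DDTHH"

    @property
    def sender_domain(self):
        return self.sender.rsplit("@", 1)[-1].lower()


def parse_log(text):
    """Parse gateway lines; lines not matching the assumed format are skipped."""
    return [MailEvent(**m.groupdict())
            for m in (LOG_RE.match(l.strip()) for l in text.splitlines()) if m]


def spam_spike(events, current_hour, factor=3.0, min_count=5, min_baseline_hours=2):
    """Compare this hour's spam count with the average of the earlier hours.

    Hours that saw only clean mail count as zero-spam hours, so a quiet
    baseline is not inflated. Returns None when there is too little history.
    """
    hours = sorted({e.hour for e in events})
    spam = Counter(e.hour for e in events if e.verdict == "spam")
    baseline = [spam.get(h, 0) for h in hours if h < current_hour]
    if len(baseline) < min_baseline_hours:
        return None
    avg = sum(baseline) / len(baseline)
    current = spam.get(current_hour, 0)
    return {"spike": current >= min_count and current >= factor * avg,
            "current": current, "baseline_avg": avg}


def executive_mail_leads(events, executives, watched_providers, home_country):
    """Mail to executives from a watched provider or routed from abroad.

    These are leads for an analyst, not verdicts: a legitimate overseas
    vendor shows up here too, which is why the reasons are returned.
    """
    leads = []
    for e in events:
        if e.rcpt.lower() not in executives:
            continue
        reasons = []
        if e.sender_domain in watched_providers:
            reasons.append(f"watched provider {e.sender_domain}")
        if e.cc != home_country:
            reasons.append(f"routed from {e.cc}")
        if reasons:
            leads.append((e.ts, e.sender, e.rcpt, reasons))
    return leads


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(spam_spike(evs, "2016-09-20T08"))
    for lead in executive_mail_leads(evs, EXECUTIVES, WATCHED_PROVIDERS, HOME_COUNTRY):
        print(lead)
```

In the constructed sample the 08:00 hour carries six spam messages against a baseline of about 1.3 per hour, so the spike test fires, and two messages to the CFO are returned as leads: the ProtonMail sender (watched provider, routed from CH) and a vendor mail from GB. The second shows why this is a triage list rather than an alert on its own.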

For those in the banking sector, this short list gives a great head start in knowing when to be most vigilant, so that effective countermeasures can be put in place before the attack lands.

Detecting and Defeating An Attack

While the list above tells you when a DDoS is most likely to target your bank, having an advanced security detection tool in place is the most important step a bank must take. QRadar responds to DDoS attacks in real time by triggering network behavioral anomaly rules, which can in turn invoke automated responses, such as pushing a block of the attack source’s IP address to the firewall or upstream provider, in near-instantaneous fashion. Two points a practitioner should keep in mind: QRadar itself does not drop packets, so the block is only as fast as the integration (a custom action script or firewall connector) that carries it out, and against a genuinely distributed attack blocking individual source addresses is not enough, so the automated response must also be able to divert traffic to the bank’s upstream or scrubbing provider. The bank is then left with a functioning network and a resolved offense, along with already gathered and parsed event logs and remediation steps ready to view in the QRadar web console.

When I configure QRadar for a bank, I focus on three key aspects of its security intelligence functionality: its ability to

  1. Automatically detect advanced persistent threats (APTs), malware and DDoS attacks in real time by leveraging behavior-based anomaly detection to initiate automated responses that resolve security incidents without intervention by IT staff.
  2. Combine gathered forensic data, full packet capture data and real-time threat detection data for ongoing investigations and tracing of attack vectors.
  3. Centralize and normalize vulnerability data from multiple sources to determine which systems pose the highest risk to the bank, which can then feed an actionable patching process that closes security holes shortly after discovery.
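The anomaly trigger and the automated response described above can be reasoned about concretely. The following is an added example, not IBM’s code and not from the original article: the anomaly test approximates the shape of a QRadar anomaly rule (the average of a short window compared with the average of a longer baseline window, as a percentage change), and the decision function is the check a custom action script should make before pushing blocks to a firewall or upstream provider. The per-minute flow counts (the "drop in network performance" signal seen from QRadar’s side), the source addresses and the never-block ranges are constructed.

```python
"""Anomaly trigger and guarded auto-block decision for a QRadar-driven response.

Added example; not IBM's code and not from the original article. The anomaly
test approximates the shape of a QRadar anomaly rule; the sample data and the
never-block ranges are constructed assumptions.
"""
import ipaddress

# Constructed: flows per minute toward the online-banking service, 10 baseline
# minutes followed by 3 minutes of attack ramp-up.
SAMPLE_FLOWS_PER_MINUTE = [290, 310, 305, 295, 300, 310, 298, 302, 296, 304,
                           900, 1500, 2400]

# Constructed: flow counts per source address as listed on the offense.
SAMPLE_SOURCES = {
    "203.0.113.7": 1400,
    "198.51.100.23": 1100,
    "10.20.30.40": 900,    # internal address: never auto-block
    "192.0.2.250": 700,    # inside an assumed partner/scrubbing-provider range
    "203.0.113.9": 600,
}
# Assumed: internal ranges plus partner and scrubbing-provider ranges.
NEVER_BLOCK = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24"]


def anomaly_triggered(per_minute, short_window=3, long_window=10, min_percent=200.0):
    """Fire when the short-window average exceeds the preceding baseline
    average by at least min_percent. Returns (fired, deviation_percent)."""
    if len(per_minute) < short_window + long_window:
        return False, 0.0  # not enough history to judge
    recent = per_minute[-short_window:]
    baseline = per_minute[-(short_window + long_window):-short_window]
    recent_avg = sum(recent) / short_window
    base_avg = sum(baseline) / long_window
    if base_avg == 0:
        return recent_avg > 0, float("inf")
    deviation = (recent_avg - base_avg) / base_avg * 100.0
    return deviation >= min_percent, deviation


def plan_response(source_counts, never_block_nets, max_sources_for_ip_blocks=50):
    """Decide what the automated response should do with an offense's sources.

    Anything inside the never-block ranges is skipped: an auto-block that cuts
    off a branch office or the scrubbing provider is worse than the attack.
    When the attack is spread over more sources than a per-IP block list can
    usefully cover, divert to the upstream/scrubbing provider instead.
    """
    protected = [ipaddress.ip_network(n) for n in never_block_nets]
    blockable, skipped = {}, []
    for ip, count in source_counts.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in protected):
            skipped.append(ip)
            continue
        blockable[ip] = count
    if len(blockable) > max_sources_for_ip_blocks:
        return {"action": "divert_to_scrubbing", "block": [], "skipped": skipped}
    ordered = sorted(blockable, key=lambda ip: blockable[ip], reverse=True)
    return {"action": "block_sources", "block": ordered, "skipped": skipped}


if __name__ == "__main__":
    fired, dev = anomaly_triggered(SAMPLE_FLOWS_PER_MINUTE)
    print(f"anomaly fired={fired} deviation={dev:.0f}%")
    if fired:
        print(plan_response(SAMPLE_SOURCES, NEVER_BLOCK))
```

On the constructed data the last three minutes average 1600 flows against a baseline of 301, a deviation of over 400%, so the rule fires; the response plan blocks the three external sources in order of volume and skips the internal address and the one inside the protected range. With a few hundred sources the same function returns a divert decision instead of an unworkable block list. The documentation ranges used here (203.0.113.0/24 and friends) are deliberately not checked with `is_private`, which treats them as non-global.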

Simple, Yet Complex

While saying “watch for these and install QRadar” makes this all sound easy, it unfortunately is not. You need an experienced hand at the helm to minimize the impact of revenge hacking on your banking institution, and you can get one by enlisting the engineering prowess that Champion has on hand.


Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.


Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.


Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!

