Best Practices to Prevent Revenge DDoS in Banking Using QRadar

As corporations and governments shift various forms of information gathering and hostilities into the online world, hacktivist organizations such as Anonymous engage in DDoS and as a primary weapon of revenge. For example, this past September Newsweek found itself under a DDoS attack after it released an article about Donald Trump’s business dealings in Cuba. Preventing this kind of attack should be a top concern in any boardroom, especially within the banking industry, since sudden PR fallouts will incur near disastrous results.

Unfortunately, banks by and large do not take the threat of revenge attacks seriously, and that needs to change today. It is important for banks to have a plan in place to prevent revenge hacking from taking your bank offline, and that plan must involve capable security intelligence tool such as QRadar.

The Evolution of DDoS Attacks

As espionage, corporate sabotage and activism battlefields have all shifted from the physical to the digital world, the game of thwarting attack—in particular DDoS attacks—has also changed and matured. With revenge attacks now being executed on a global scale, the onus is on identifying these attacks as quickly as possible to protect not just the data, but also to keep primary business systems up and running.

I am going to key in on DDoS attacks, as these are the easiest attacks to pull off and the hardest to trace back to the origins. These attacks do not generally result in acquiring information to be sold or ransomed. No, DDoS attacks are purely revengeful ways to bring an organization down, and banks are increasingly in the crosshairs.

Where Do These Attacks Come From?

The first thing I emphasize with clients is the need to understand where the attacks they may face will most likely come from. The days of cyber-kids or lone wolf hackers have come and gone, and have been replaced by international crime syndicates, hacktivist organizations and nation-states, all whom conduct revenge attacks as a weapon. All of these organization types actively recruit hackers, enticing them with cash and equipment that allows them to step up their game even more. And, while a many attacks originate in countries overseas, US-based hackers and hacktivists cannot be ignored either.

So, if a DDoS revenge attack can now be sourced from anywhere in the world by anyone in the world, how does a bank figure out from where an attack is going to come? I like to walk clients through these key steps in establishing the origins, and as a bonus, when an attack is most likely to occur:

  • Know thine customer. A banking institution may have great PR and a good reputation, but that may not apply to some of your customers. Monitor social media and customer press release landing sites for potential PR events that may turn things sour fast. I like to recommend a combination of GitHub and Google Alerts to quickly identify potential events that may place a client’s bank in an elevated attack risk.
  • Using a tool like QRadar, monitor for a sudden drop in network performance, especially if only impacting a cloud based service. Often times, attackers will use a cloud-based service to initiate a larger scale DDoS attack on a bank.
  • Monitor spam email traffic as the volume of spam emails will spike in the moments leading up to a DDoS attack.
  • Particularly monitor the email accounts for management level and up for overseas email routing signatures. Attackers will fire off emails from overseas or encrypted email providers such as ProtonMail. Because you can’t digitally send a list of demands after a DDoS attack has been implemented, it is common practice for hackers to send their demands before beginning an attack.

For those in the banking sector, this short list will give you a great head start in knowing when to be most diligent in DDoS attack remediation efforts so that effective countermeasures can be put into place.

Detecting and Defeating An Attack

While the list of items to monitor in order to understand when a DDoS is most likely to target your bank, having an advanced security detection tool in place is the most ideal step those in banking must accomplish. QRadar is a one-stop tool that accomplishes active and real-time response to DDoS attacks by triggering network behavioral anomaly rules. In doing this, QRadar can invoke automated responses, such as blocking the IP address of the DDoS source, in near instantaneous fashion. The bank will then be left with a fully functioning network and a resolved generated alert, as well as already gathered and parsed event logs and mediation steps in a ready to be viewed state, available in the QRadar web based console.

When I configure QRadar for a bank, I like to focus in on three key aspects of QRadar’s security intelligence functionality, including its ability to:

  1. Automatically detect advanced APTs, malware and DDoS attacks in real-time by leveraging behavior-based anomaly detection data to initiate automated responses that resolves security incidents without intervention by IT staff.
  2. Combine gathered forensic data, full packet capture data and real-time threat detection data for ongoing investigations and attack vector tracing.
  3. Centralize and normalize vulnerability data from multiple system sources to determine which systems pose the highest risk to the bank. This can then be leveraged into an actionable patching process to close security holes within minutes of discovery.

Simple, Yet Complex

While saying “watch for these and install QRadar” makes this all sound easy, it unfortunately is not. You will need an experienced hand at the helm to minimize potential revenge hacking attacks on your banking institution. You will gain this by enlisting the engineering prowess that Champion has on hand.


The Key Methods to Establish PCI Compliant Risk Management for BYOD Initiatives


Managing and Regulating Third Party Data Loss Prevention Through Enterprise Rights Management