How To Defend DNS Tables From Data Loss After an IoT Bot Attack
Late last month Dyn, an internet infrastructure company, discovered that it was the target of multiple DDoS attacks launched from IoT devices infected with, and controlled by, the Mirai botnet. The attack against Dyn’s DNS infrastructure effectively shredded the DNS entries for thousands of websites, leading to a global disruption in web services. Some of the most prominent of the affected services were Twitter, Spotify, PayPal, Amazon and Netflix.
According to Network World, the still unidentified attackers took advantage of infected IoT devices that were instructed to send nonstop garbage data to overwhelm Dyn’s services. While the FBI and the Department of Homeland Security continue to investigate the event, its devastating effects are still being felt through residual issues today.
The Best Defense Is A Good Defense
The Mirai attack illustrates in definite terms why organizations in the financial sector must be using a powerful tool to detect and defend themselves against large-scale DDoS attacks. This defense must not only detect an impending attack and alert the financial institution to it, but also learn and adjust to changing business and network traffic patterns on the fly.
What’s more, this system should be able to automatically remediate threats and DDoS attempts in real time, gather information from multiple platform types, and generate robust, detailed reporting in a clear, easy-to-read format. The best defense for thwarting next-generation attack modalities is QRadar.
The Besieged Gates
The scenario I most often present to clients when discussing DDoS attacks is centered on UDP (User Datagram Protocol) flood attacks, which require no network session or connection state at all: the attacker simply sends datagrams and never has to complete a handshake. According to a VeriSign report, 49% of all DDoS attacks launched in Q3 2016 used UDP, making this form of attack internet enemy number one.
As a UDP flood DDoS attack unfolds, the points at which a financial institution sends and receives transactional data begin to drop off, then come to a screeching halt once the attack is under full steam. And what happens to financial organizations when they cannot send or receive transactions?
This becomes a catastrophic business event, and not just because of the initial hit to the bottom line. Integrity and customer trust may be shaken or completely lost, making the losses even more difficult to recover from. This is why those in the financial industry need to sit up and take particular notice of the increase in both the volume and the complexity of UDP flood DDoS attacks.
Ending The Siege
The time has come for the financial industry to declare itself “victims no more” and take the leap into the QRadar family. When I bring QRadar to the table with a financial client, I bring with me a security information and event management (SIEM) solution that covers all of the DDoS detection, remediation and prevention needs of that client. The ability of QRadar to monitor and gather logs from everything in a financial environment, including customer-facing devices such as ATMs and complex systems like Linux-based firewalls and switches, is a great addition to any financial organization’s overall security posture.
With the recent increase in DDoS attacks on the financial industry, I have started to lean more heavily on QRadar to identify and detect increased traffic from darknets that could indicate an organization is about to be targeted. Once we establish a QRadar environment and develop the set of customized traffic rules that apply to the specific client, QRadar is highly capable not only of detecting the DDoS attack itself, but also of identifying and generating alerts for what I like to call probing DDoS attacks, in which a potential attacker is looking for the best time and place to strike, or is simply running a diversion to hide the true nature of an attack. These attacks are then thwarted through automated remediation rules that run in real time while generating a play-by-play log that IT security staff can review at any time via QRadar’s easy-to-understand web-based dashboard.
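As an added illustration of the kind of customized traffic rule described above (example code written for this post, not QRadar’s own rule language or any product code), the detector below buckets UDP packets per destination into one-second windows, learns a per-destination baseline, and alerts only when a window exceeds both an absolute packet floor and a multiple of that baseline. The flow records and the 10.0.0.53 / 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```python
"""UDP flood detector over constructed flow records (added example, not QRadar code).

Each record is (epoch_second, src_ip, dst_ip, proto, dst_port, packets). UDP packets
are bucketed per destination into 1-second windows; an EWMA baseline per destination
is learned from normal windows and an alert fires when a window exceeds both an
absolute packet floor and a multiple of that baseline (the "learn and adjust" idea).
"""
from collections import defaultdict

# Constructed sample: 10 s of steady DNS-like UDP to 10.0.0.53 (100 pps),
# then 3 s of flood from 200 sources (80,000 pps). One TCP flow is ignored.
FLOWS = [(sec, f"192.0.2.{i}", "10.0.0.53", "udp", 53, 20)
         for sec in range(10) for i in range(5)]
FLOWS += [(sec, f"198.51.100.{i}", "10.0.0.53", "udp", 53, 400)
          for sec in range(10, 13) for i in range(200)]
FLOWS.append((11, "192.0.2.9", "10.0.0.53", "tcp", 443, 5000))


def bucket_udp(flows):
    """Return {dst: {second: (packets, distinct_sources)}} for UDP flows only."""
    pkts = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for sec, src, dst, proto, _port, packets in flows:
        if proto != "udp":
            continue
        pkts[dst][sec] += packets
        srcs[dst][sec].add(src)
    return {d: {s: (pkts[d][s], len(srcs[d][s])) for s in sorted(pkts[d])}
            for d in pkts}


def detect_udp_flood(flows, floor_pps=10000, ratio=20.0, alpha=0.3):
    """Return alerts as (dst, second, pps, distinct_sources, baseline_pps).

    A window alerts only if it exceeds floor_pps AND ratio * baseline, so a quiet
    host does not alert on small fluctuations. Alerting windows are excluded from
    the EWMA update so a sustained flood cannot train itself into the baseline.
    """
    alerts = []
    for dst, windows in bucket_udp(flows).items():
        baseline = None
        for sec, (pps, nsrc) in windows.items():
            if baseline is not None and pps > floor_pps and pps > ratio * baseline:
                alerts.append((dst, sec, pps, nsrc, round(baseline, 1)))
                continue
            baseline = pps if baseline is None else alpha * pps + (1 - alpha) * baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_flood(FLOWS):
        print("UDP flood suspected: dst=%s t=%d pps=%d sources=%d baseline=%.1f" % alert)
```

The distinct-source count is what separates a true flood from a single noisy client, which is the signal a "probing" rule would also key on.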
The White Hats Are Here
It is becoming increasingly important for all industries, especially businesses in finance, to have a DDoS defense and remediation strategy in place as part of their overall security policy. This ensures that financial data is protected and that the business remains up and running while others fall to the same attacks. When you engage Champion, you gain our expertise to protect your network and your clients’ valuable financial data through a strategic and well-executed implementation of a DDoS defense plan, all thanks to the power behind QRadar.