Theories mount on bank attacks, but experts stress defense
Defense and response key to BofA and JPMorgan attacks, say security experts, one noting: 'It's probably going to get worse before it gets better'
September 25, 2012 — CSO — The unexplained outages last week on the public websites of Bank of America and JPMorgan Chase have led to as many as five theories about the source.
However, security experts say the most important thing for financial institutions is not so much the source of attacks, but an effective defense against them, along with an incident response and recovery plan.
"We will always have to deal with hacking, breaches, new malware variants and new attack technique -- they are facts of life as we know it today," said Rob Kraus, director of research for managed security service provider Solutionary's Security Engineering Research Team (SERT).
The attacks were not catastrophic -- the problems at both Bank of America and JPMorgan Chase were relatively brief and intermittent. But Bill Pennington, chief strategy officer at WhiteHat Security, told InformationWeek that last week's attacks may be only the beginning. "It's probably going to get worse before it gets better," he said.
Still, much of the buzz was about trying to figure out where they came from. Sen. Joseph Lieberman (I-Conn), chairman of the Senate Homeland Security Committee, offered Theory One last week in an interview on C-SPAN's Newsmakers, saying he believes a unit of Iran's Revolutionary Guard Corps was behind the disruptions.
Lieberman gave no evidence to support the claim, and Iran denied it, claiming the U.S. was trying to "demonize" Iran, but there is certainly motive. As Bloomberg and other outlets reported, the U.S. has been leading the imposition of economic sanctions on Iran, trying to slow or stop its capability to build a nuclear weapon.
There is also the admission by U.S. officials several months ago that the U.S. was involved with Israel in efforts to sabotage Iran's nuclear program with a computer worm labeled Stuxnet. The malware temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.
The Washington Post, citing unnamed U.S. intelligence and industry officials, reported last month, "Iranian cyberforces attempted to disrupt the Web sites of oil companies in the Middle East by routing their efforts through major U.S. telecommunications companies, including AT&T and Level 3."
"The effort did not cause serious disruptions, but it was the largest attempted denial-of-service attack against AT&T 'by an order of magnitude,' said one of the industry officials," the Post reported.
The second theory comes from a message on Pastebin claiming to be from "cyber fighters of Izz ad-din Al qassam" -- the military wing of Hamas, the Islamic party that governs the Gaza Strip -- declaring that it would attack Bank of America and the New York Stock Exchange (NYSE) as a first step in a campaign against "American-Zionist Capitalists," and that the "attack will continue until the Erasing of that nasty movie" -- a reference to a trailer of the independent film "Innocence of Muslims," which Muslims say insults the prophet Mohammed.
The third theory is based on a fraud alert issued last week by the FBI, warning financial services firms that cybercriminals might try to disrupt their websites in an effort to distract them from noticing fraudulent wire transfers.
Two days after that alert, The Financial Services Information Sharing and Analysis Center (FS-ISAC), a group owned by dozens of large firms including Bank of America and JPMorgan Chase, raised the cyber threat level to "high" from "elevated" in an advisory to members.
The fourth theory says it was not an attack at all. WhiteHat's Bill Pennington, noting the recent outage at GoDaddy that was caused by an internal technical error, said it was possible that the multiple slowdowns and outages were simply a coincidence. That theory gains a bit of weight from the fact that there was no perceptible problem with the NYSE -- one of the declared targets of the Hamas group.
Jason Healey of the Atlantic Council, shares a fifth theory: That they might have been "simply a low-level attack in their own right, intended only to be disruptive to the websites themselves, and not to provide cover for other attacks," said Healey, a former security official at the White House and at Goldman Sachs.
"This is frankly common, with attacks by anti-capitalist groups, especially if there happens to be an IMF (International Monetary Fund), WEF (World Economic Forum), G7 or other conference," he said.
Solutionary's Kraus said his firm doesn't focus so much on where the attacks come from, but how to help clients prepare and respond to them. "They're not going away anytime soon," he said. "So preparation is key. It's like buying extended insurance coverage on a used car."
He also stresses a second important step: "Implementing mitigating controls and a formal incident response plan before an attack occurs," he said.
Kraus said when attacks do occur, a firm should leverage its relationship with its security vendor. "They've seen plenty of DDoS and phishing, and they can tell you what is probably going to happen again."
Finally, he said firms should conduct a "post-incident review," much like a military after-action report, to determine what worked and what didn't, and make improvements based on those findings.
From everything Kraus has seen, both banks handled the attacks well. "It was almost like they were brushing off an annoying fly," he said.
But he added that threats are always becoming more sophisticated. "Some malware is now as good as enterprise-class software," Kraus said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Other stories by Taylor Armerding