
Collateral Damage: The Hidden Cost of Cyber Risks

Unanticipated cyber threats can rapidly exhaust cyber security budgets and derail carefully planned strategies. Among these challenges, distributed denial of service (DDoS) attacks stand out as a prime example of how unexpected risks can disrupt even well-defended systems, sometimes ones that were never the target.
DDoS Attack at SJD-Bank (fictitious)
It was a routine evening at SJD-Bank’s security operations center (SOC), where the team was wrapping up case analyses before the shift handover. Suddenly, a major incident alert broke the calm. An emergency bridge call was initiated to investigate a sharp spike in inbound traffic that was saturating the bank’s perimeter firewalls. The incident was also causing unexpected disruptions to SJD-Online Banking, a platform fortified with robust security measures, including network DDoS protection and a web application firewall (WAF).
Initial Investigation
The SOC’s preliminary analysis pointed to a potential targeted DDoS attack. However, SJD-Online Banking did not appear to be the target: its logs and events gave no indication of a direct attack on the platform. This raised a critical question: why was the online banking platform being affected?
Tracing the Source
Deeper analysis with the network DDoS control revealed that the traffic was not a classic volumetric flood but a fraud campaign against a set of external-facing IP addresses serving the 3D Secure (3DS) application, the issuer-side fraud prevention system for online card transactions. The campaign, tied to credit card fraud (to be explored in a future article), generated a surge of requests large enough to overwhelm the shared perimeter infrastructure, including the firewalls. That overflow is what indirectly took down SJD-Online Banking.
The investigation also exposed the limitations of the layer 3 DDoS protection in use: it sees only network-layer (IP) attributes such as source addresses and packet or byte rates, so it could not distinguish fraudulent card-testing requests from legitimate 3DS authentications arriving at the same endpoints. Running these controls inline in preventive mode also gave the SOC little visibility into what was being dropped, underscoring the trade-off between proactive blocking and operational monitoring.
Mitigation Challenges
To counter the attack, the SOC engaged the network DDoS service provider to initiate traffic scrubbing: inbound traffic was rerouted through the provider’s scrubbing centers, where malicious flows were filtered before clean traffic was forwarded to SJD-Bank’s systems. While effective in mitigating the attack, the diversion added latency to every request, affecting overall performance during the mitigation window.
Despite robust WAF-based (application-layer) DDoS protection in front of SJD-Online Banking, the platform shared perimeter firewalls with the 3DS endpoints, so an attack on a neighbouring service exhausted the capacity it depended on. This collateral damage highlighted the risks of shared infrastructure and the need for protection that covers every service behind a shared chokepoint, not only the most visible one.
Remediation Steps
To prevent a recurrence, all 3DS URLs and IP addresses were onboarded to the WAF, giving them dedicated application-layer protection. This came at a significant cost, consuming a notable portion of the cyber security budget and requiring re-prioritization in the organization’s risk management plans.
This incident underscored the delicate balance between business operations and cyber security. Robust defenses must be weighed against operational efficiency and cost.
Key Takeaways
The event showed how an application-layer fraud campaign against one service can surface as a network-layer availability incident for another, and how controls that are strong in isolation can still leave gaps where infrastructure is shared. It also highlighted the importance of balancing proactive prevention with system performance to minimize disruptions and collateral damage.
By understanding incidents like this, organizations can better prepare for the unexpected, ensuring their cyber security strategies remain robust without compromising operational efficiency.
- Cyber security professionals must deeply understand the businesses they protect. It’s not enough to focus solely on technical aspects; a solid grasp of the critical infrastructure being defended is essential.
- Know your assets and the architecture that supports them.
- Never assume that an environment safe from attacks in the past will remain so in the future.
- When planning budgets, always account for unforeseen events by including a contingency buffer of roughly 20%.
- Crisis management is crucial. While prevention is a priority, don’t overlook response and recovery. Many organizations, even large ones, struggle to manage crises effectively despite having strong preventive and detective measures in place.
- Trained professionals are invaluable in navigating crises, including engaging with regulators. AI can assist, but it cannot replace the accountability and responsibility of human leadership.
- Simplify, streamline, and automate operations to focus quickly and effectively on investigations.
What is 3D Secure (3DS)?
3D Secure is a fraud prevention protocol designed to verify the identity of cardholders during online (card-not-present) transactions. The “3D” stands for the three domains involved. Key aspects of 3DS include:
- Parties Involved: The issuer domain (the cardholder’s bank, which runs the access control server that authenticates the cardholder), the acquirer domain (the merchant and its bank), and the interoperability domain (the card scheme’s directory server, which routes messages between the other two).
- Purpose: Prevent unauthorized transactions and reduce fraud.
- Access: 3DS endpoints are not addresses that end users browse to directly; they are reached through merchant checkout integrations and the scheme’s directory server. Attack traffic therefore arrives via merchant-side flows rather than from users typing in URLs.
- Exploitation by Bad Actors: Cyber criminals buy stolen card numbers (some active, some already cancelled) on underground markets and need to learn which still work. They do this by card testing: submitting low-value transactions, each small enough to escape the cardholder’s notice and value-based fraud rules. In this scenario, attackers tested many cards from many sources at once, and the aggregate request surge is what produced the DDoS effect. The technique is not sophisticated, but it showed how an application-layer fraud pattern can become a network-layer availability incident for the issuer.
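The card-testing pattern described above, and the visibility gap between the layer 3 control and the application layer described in the investigation, can be made concrete with a small detector. The following is an added example written for this article, not SJD-Bank’s tooling: it builds a constructed 3DS authentication log in an assumed format (timestamp, source IP, merchant, tokenised card reference, amount, result), shows what a network-layer control can see (requests per source IP) and what only an application-layer log reveals (distinct cards, amounts and decline ratio per source within a sliding window). The two busy sources in the sample are deliberately identical at layer 3; only the layer 7 rule separates the card-testing bot from a large merchant’s legitimate gateway. Thresholds, field names and IP addresses are illustrative assumptions.

```python
"""Card-testing detector over 3D Secure (3DS) authentication logs.

Added example, not SJD-Bank's code. The log format is an assumption:
    2024-05-01T20:15:03 203.0.113.7 merchant=M-ACME pan=tok-0001 amount=1.00 result=declined
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    src: str
    merchant: str
    pan: str       # tokenised card reference, never the raw card number
    amount: float
    result: str    # "ok" or "declined"


def parse_line(line: str) -> Event:
    ts, src, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), src, f["merchant"], f["pan"],
                 float(f["amount"]), f["result"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_sample_log() -> str:
    """Constructed data: two sources that look the same at layer 3 (30 requests each in 58 s).

    198.51.100.10 is a large merchant's gateway: 30 real purchases, 30 distinct cards,
    normal amounts, nearly all approved.
    203.0.113.7 is a card-testing bot: 30 probes, 30 stolen cards, 1.00 each,
    most declined because the cards are already dead.
    """
    t0 = datetime(2024, 5, 1, 20, 15, 0)
    lines = []
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.10 merchant=M-BIGSHOP pan=tok-legit-{i:03d} "
                     f"amount={35 + i}.50 result={'ok' if i % 10 else 'declined'}")
        lines.append(f"{ts} 203.0.113.7 merchant=M-ACME pan=tok-stolen-{i:03d} "
                     f"amount=1.00 result={'ok' if i % 5 == 0 else 'declined'}")
    return "\n".join(lines)


def layer3_view(events: list[Event]) -> dict[str, int]:
    """What a network-layer control sees: requests per source IP and nothing else."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.src] += 1
    return dict(counts)


def detect_card_testing(events: list[Event], window: timedelta = timedelta(seconds=60),
                        min_attempts: int = 20, min_distinct_cards: int = 15,
                        max_amount: float = 5.0, min_decline_ratio: float = 0.5) -> dict:
    """Flag a source when, within one sliding window, it presents many distinct cards,
    mostly at low value, with a high decline ratio. Reports the first window that trips."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    alerts = {}
    for src, evs in by_src.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide the window start forward
                lo += 1
            win = evs[lo:hi + 1]
            if len(win) < min_attempts:
                continue
            cards = {e.pan for e in win}
            low_value = sum(e.amount <= max_amount for e in win) / len(win)
            declined = sum(e.result != "ok" for e in win) / len(win)
            if (len(cards) >= min_distinct_cards and low_value >= 0.8
                    and declined >= min_decline_ratio):
                alerts[src] = {"attempts": len(win), "distinct_cards": len(cards),
                               "decline_ratio": round(declined, 2)}
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("layer 3 view:", layer3_view(evs))          # both sources: 30 requests
    print("layer 7 alerts:", detect_card_testing(evs))  # only the bot is flagged
```

The layer 3 view returns 30 requests for both addresses, which is exactly why a per-IP rate control could only choose between dropping both or neither; the layer 7 rule flags only 203.0.113.7. In production the alert would feed the WAF (a per-source block or challenge on the 3DS paths) rather than a print statement, and the thresholds would be tuned against the merchant traffic the issuer normally sees.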