In the US, an FBI agent told the Marketwatch.com website that more than 100 companies including banks and brokerages had received DDoS threats since April. Richard Jacobs, assistant special agent in charge of the cyber branch at the FBI's New York office, said the ransom requests were usually for tens of thousands of dollars.
While a £6,000 ransom may seem high, especially compared with the ransom demands made of consumers held hostage, which are typically in the £200 range, banks facing a DDoS attack could be looking at losses of £60,000 an hour, according to Neustar, an information services and analytics company based in the US. With numbers like that, £6,000 may seem like a small price to pay for continuity of service.
Mitigation against DDoS attacks can be achieved through various methods including the use of cloud-based services that filter out spurious internet packets, delivering only clean packets to the customer's servers.
Graham Mann, managing director of Encode UK Ltd, said that he believes RBS should have been able to cope with this attack. “There are numerous DDoS solutions for protecting against such attacks and so it's surprising that an organisation such as the RBS group should still be thus afflicted,” he said. “Equally, it also seems strange that as in December 2013, they suffered a DDoS attack following an apparently unconnected network problem a few weeks prior. If the two events are connected, perhaps that explains why this DDoS attack had the effect it did.”
Mann added, “There is no such thing as 100 percent security and so it's very difficult to eradicate all such attacks, however, given previous DDoS attacks on RBS, it does beg the question: how much effort and investment have they put into security since 2013?”
Brian Chappell, director of technical services EMEAI at BeyondTrust, said: “Think of how long DDoS has been a threat, there are reasons we don't have a simple solution. The supposition...that many organisations have paid the ransoms to avoid repeat attacks is a clear indication of the difficulty. It's cheaper and easier to pay the ransom.
“As network solutions are growing in capability it's easy to imagine that the defence here will move up to the internet service providers, allowing them to sink-hole the malicious traffic while still allowing legitimate traffic through before it gets anywhere near the target systems. Once the traffic's at your door, it's next to impossible to escape unaffected.”
Gary Newe, technical director at F5 Networks, said: “Generally there has been a surge in more blended attacks that merge traditional DDoS attacks with more specific application layer or application logic attacks to take a service down. Therefore, companies need to be aware of their exposure at an application (L7) level to new attacks and take necessary mitigation action. Best practice would dictate that when it comes to DDoS specifically, a hybrid approach is best. Using cloud mitigation services can pick up the majority of volumetric attacks, while using an application-aware proxy solution in the data centre will help protect against the surgical strikes that can cripple most organisations.”
Bryan Lillie, chief technical officer for cyber-security at QinetiQ, said: “These [attacks] are less frequent than financial crime, and as such they can be harder to predict and plan for. And whilst embarrassing, they tend to be more inconvenient to customers than actually harmful. Unless they become daily events, maintaining website capacity to cope with these isolated events may not be worth the bank's while.”
Mark James, security specialist at ESET, said many organisations don't pay attention to security until they are under attack. “In all honesty, in this day and age there's no excuse for not being prepared, it's only down to cost and knowledge,” he said. “You need to understand what's available for your protection and have the funds to pay for it. Can you put a price on customer retention or happiness… apparently, yes.”