RBS and NatWest bank attacks should have been mitigated

News by Tom Reeve

The attack which disabled the RBS and NatWest Bank online services on Friday morning appears to be part of a renewed trend of DDoS attacks against the banking industry.

According to law enforcement sources in America and Europe, distributed denial of service (DDoS) attacks against banks and other financial institutions are increasingly accompanied by ransom demands.

Given the critical importance of the banking sector to customers and the economy, some security experts have told SCMagazineUK.com that the banks should have been prepared to mitigate the attack.

According to a statement from NatWest bank, part of the Royal Bank of Scotland Group, “The issues that some customers experienced accessing online banking this morning were due to a surge in internet traffic deliberately directed at the website. At no time was there any risk to customers.”

However, customers took to Twitter to complain about the outage, with some expressing concerns that it might affect salary payments and other critical banking transactions as happened in another DDoS attack in 2013.

[Embedded tweet from NatWest Help (@NatWest_Help), July 31, 2015]

RBS has suffered from a series of IT issues and internet attacks which led CEO Ross McEwan to say to the FT.com in a 2013 interview that systems failure was unacceptable: “[Monday] was a busy shopping day and far too many of our customers were let down, unable to make purchases and withdraw cash.”

In 2014, RBS was hit by £56 million in fines for the failures in 2012 that disabled 6.5 million customer accounts. Critics said that the acquisition of so many disparate banks has led to a hodge-podge of IT systems, leaving the system vulnerable to outages and attacks.

In June 2015, RBS pledged to invest £150 million a year on cyber-security on top of hundreds of millions it had already spent for security and resiliency projects.

Security experts were not surprised by Friday's DDoS attack. It follows warnings from both the FBI in America and the Swiss Governmental Computer Emergency Response Team that DDoS extortion rackets against banks are on the rise.

The Swiss CERT said it had been made aware of a group called DD4BC which had started DDoS extortion schemes in 2014 which are increasingly focussing on European banks. “MELANI / GovCERT.ch is aware of several high profile targets in Switzerland that have recently received a blackmail from DD4BC and have consequently suffered from DDoS attacks, obviously conducted by DD4BC,” it said.

“The DDoS attacks usually start with NTP (port 123 UDP) and SSDP (port 1900 UDP) amplification attacks targeting the victim's public website, taking advantage of millions of insecure or misconfigured devices around the world. Later on, we have seen the attackers moving to TCP SYN flooding and layer 7 attacks to bypass mitigation measures taken by the ISP. Taking advantage of amplification attacks by abusing the NTP, SSDP or DNS protocol, the attackers are in theory able to launch DDoS attacks consuming a bandwidth of up to 500 Gbit/s,” he said.

In the US, an FBI agent told the Marketwatch.com website that more than 100 companies including banks and brokerages had received DDoS threats since April. Richard Jacobs, assistant special agent in charge of the cyber branch at the FBI's New York office, said the ransom requests were usually for tens of thousands of dollars.

While a £6,000 ransom amount may seem high, especially compared with the ransom demands made of individual consumers, which are usually in the £200 range, banks facing a DDoS attack could be looking at losses of £60,000 an hour, according to Neustar, an information services and analytics company based in the US. With numbers like that, £6,000 may seem like a small price to pay for continuity of service.

Mitigation against DDoS attacks can be achieved through various methods including the use of cloud-based services that filter out spurious internet packets, delivering only clean packets to the customer's servers.
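An added example, not part of this article or of any vendor's product, showing how the NTP/SSDP reflection traffic GovCERT.ch describes can be separated from legitimate flows and what a scrubbing filter of the kind mentioned above does in principle. The flow records are constructed, and the 400-byte packet-size and 1 MB aggregate thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Reflection services named in the GovCERT.ch statement: UDP source port -> service.
AMP_SOURCE_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "UDP" or "TCP"
    nbytes: int
    packets: int


def is_amplified_reply(flow: Flow, min_avg_bytes: int = 400) -> bool:
    """True for UDP traffic leaving an amplifier port with oversized packets.

    A normal NTP reply is 48 bytes, while abused NTP/SSDP replies run to hundreds
    of bytes, so average packet size separates reflection floods from ordinary
    time-sync or discovery traffic. The 400-byte cut-off is an assumed tuning value.
    """
    if flow.proto != "UDP" or flow.src_port not in AMP_SOURCE_PORTS:
        return False
    return flow.nbytes / flow.packets >= min_avg_bytes


def scrub(flows, alert_bytes: int = 1_000_000):
    """Split flows into clean traffic and amplification alerts per (target, service).

    Alerts map (target, service) to the number of distinct reflector IPs once the
    aggregated reflected bytes exceed alert_bytes; everything else is passed clean.
    """
    totals = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    clean = []
    for f in flows:
        if is_amplified_reply(f):
            key = (f.dst_ip, AMP_SOURCE_PORTS[f.src_port])
            totals[key]["bytes"] += f.nbytes
            totals[key]["reflectors"].add(f.src_ip)
        else:
            clean.append(f)
    alerts = {k: len(v["reflectors"]) for k, v in totals.items() if v["bytes"] >= alert_bytes}
    return clean, alerts


# Constructed sample flows using documentation address ranges, not real traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 123, "192.0.2.10", 40001, "UDP", 48, 1),    # genuine NTP reply
    Flow("203.0.113.5", 443, "192.0.2.10", 52000, "TCP", 9000, 12),  # customer HTTPS session
] + [Flow(f"198.51.100.{i}", 123, "192.0.2.10", 40000 + i, "UDP", 440_000, 1000)
     for i in range(10, 40)]                                          # 30 NTP reflectors
SAMPLE_FLOWS += [Flow(f"203.0.113.{i}", 1900, "192.0.2.10", 41000 + i, "UDP", 100_000, 200)
                 for i in range(1, 6)]                                # 5 SSDP reflectors, low volume
```

The SSDP flows are classified as reflected replies but stay below the aggregate alert threshold, which illustrates why per-target volume, not just port matching, decides when scrubbing kicks in.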

Graham Mann, managing director, Encode UK Ltd said that he believes RBS should have been able to cope with this attack. “There are numerous DDoS solutions for protecting against such attacks and so it's surprising that an organisation such as the RBS group should still be thus afflicted,” he said. “Equally, it also seems strange that as in December 2013, they suffered a DDoS attack following an apparently unconnected network problem a few weeks prior. If the two events are connected, perhaps that explains why this DDoS attack had the effect it did.”

Mann added, “There is no such thing as 100 percent security and so it's very difficult to eradicate all such attacks, however, given previous DDoS attacks on RBS, it does beg the question: how much effort and investment have they put into security since 2013?”

Brian Chappell, director of technical services EMEAI at BeyondTrust, said: “Think of how long DDoS has been a threat; there are reasons we don't have a simple solution. The supposition...that many organisations have paid the ransoms to avoid repeat attacks is a clear indication of the difficulty. It's cheaper and easier to pay the ransom.

“As network solutions are growing in capability it's easy to imagine that the defence here will move up to the internet service providers, allowing them to sink-hole the malicious traffic while still allowing legitimate traffic through before it gets anywhere near the target systems. Once the traffic's at your door, it's next to impossible to escape unaffected.”

Gary Newe, technical director at F5 Networks, said: “Generally there has been a surge in more blended attacks that merge traditional DDoS attacks with more specific application layer or application logic attacks to take a service down. Therefore, companies need to be aware of their exposure at an application (L7) level to new attacks and take necessary mitigation action. Best practice would dictate that when it comes to DDoS specifically, a hybrid approach is best. Using cloud mitigation services can pick up the majority of volumetric attacks, while using an application-aware proxy solution in the data centre will help protect against the surgical strikes that can cripple most organisations.”

Bryan Lillie, chief technical officer for cyber-security at QinetiQ said: “These [attacks] are less frequent than financial crime, and as such they can be harder to predict and plan for. And whilst embarrassing, they tend to be more inconvenient to customers than actually harmful. Unless they become daily events, maintaining website capacity to cope with these isolated events may not be worth the bank's while.”

Mark James, security specialist at ESET, said many organisations don't pay attention to security until they are under attack. “In all honesty, in this day and age there's no excuse for not being prepared; it's only down to cost and knowledge,” he said. “You need to understand what's available for your protection and have the funds to pay for it. Can you put a price on customer retention or happiness… apparently, yes.”
