Distributed Denial of Service Attacks on Financial Institutions: A Cisco Security Intelligence Operations Perspective
The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.
These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.
* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.
Our process began by leveraging the intelligence and resources derived from the Applied Security Intelligence and Strategic Security Research teams’ depth, analysis, and understanding of the attack vectors, and as much pertinent detail as possible to determine attack patterns and profiles so that we can provide the most effective mitigations and countermeasures. Subsequently, this information is communicated to the management team, which hosts a threat mitigation meeting that connects key members of each Cisco SIO team. This call serves as a method to establish, commit, and execute a plan that results in the streamlined orchestration of the various moving parts. For example, think about all the channels that need to be apprised, how the channels will be informed, who will deliver the updates, and when the updates will be delivered, just to name a few considerations. That said, the call to action includes the following teams:
- Applied Security Intelligence (ASI)
- Strategic Security Research (SSR)
- IntelliShield Analysts
- Content Delivery
- IPS (IPS Services and Signature team)
- Security Technology Assessment Team (STAT)
- Product Security Incident Response Team (PSIRT)
- Triage team (Consists of a group of managers representing each of the above teams and senior researchers)
* Note: The PSIRT and STAT teams were tasked largely with providing feedback and peer reviews for this event. In addition, the Content Delivery team ensures that collateral such as IntelliShield alerts, threat responses, and so on, have been reviewed, edited as needed, and subsequently published.
During this event, it was established that the following collateral (in order of priority) would be produced:
- HOT Page – This is an internal web page that typically operates as a first point of information for Cisco account teams and personnel throughout the organization. Please note that as advocates for our customers, the account teams have the responsibility to prepare and inform their customers about the upcoming events.
- Cisco IntelliShield Alert – The IntelliShield alerts (IS alerts) are also referred to as security activity bulletins. These alerts (produced by the team of IntelliShield Analysts) provide summaries and brief descriptions of the event, in addition to highlighting any Cisco products that may be affected/vulnerable (don’t worry there are none at the moment).
- Event Response Page (ERP) – For those familiar with Cisco IOS Bundle events and monthly Microsoft Security Bulletins you have likely seen these pages in the past. The ERP (produced in a cumulative effort by the Applied Security Intelligence, Strategic Security Research, and Content Delivery teams) acts as a common landing page for a particular event. The ERP contains links to the various collateral documents published in relation to the event.
- Applied Mitigation Bulletin (AMB) – The AMB (produced by the Applied Security Intelligence) provides details on identification and mitigation of the attacks/vulnerabilities (Hang tight, it’s on the way!).
- IPS Signature – Pending further testing.
The ball starts rolling with the HOT Page. For this event, a member of the SSR team created and maintained the HOT Page and provided the following summary of the event:
On the week of September 23, 2012, Cisco Security Intelligence Operations (SIO) became aware of denial of service (DoS) activities targeting U.S.-based banking institutions. As this is directly impacting a number of our customers (banking institutions) this page has been provided as a point of reference and communications surrounding awareness, mitigation factors, and subsequent details of these events.
In addition, the Hot Page contains initial threat details, workarounds, and potential mitigation factors (don’t worry, all of which have been further refined and offered to the public via the ERP and AMB :-))
* Note: The summary on the ERP is very similar, yet refined!
As the Hot Page is continually updated with new information, the ERP tends to progress alongside the AMB. As seen in the diagram above, a member of the Applied Security Intelligence team owns the AMB, while another member of the team works in tandem with the Content Delivery team on the ERP. While progressing through this process, the triage team keeps us honest with our deadlines and timetables to ensure the collateral documentation is released according to the schedules defined in the morning threat mitigation meeting.
Make no mistake, subsequent calls and chats are held amongst engineers, publishers, and managers as each entity works to ensure all bases are covered.
For the engineering teams (AI/SSR) this includes:
- Replaying exploits and attacks gathered
- Creating packet captures for further observation
- Continued packet and attack analysis
- Hot Page creation (Internal only)
- Testing proposed mitigations and countermeasures (to be unveiled in the AMB)
For the IntelliShield Analysts team this includes:
- Collecting security information and data
- Analyzing and validating the source of the information
- Sharing the security intelligence across the Cisco SIO organization
- Producing the IntelliShield (IS) alert(s) to report the security intelligence
- Continuing to track the event, and update the IS alert(s) and security teams with the latest intelligence
Additionally, our teams collaborate and provide peer reviews on the collateral documentation to be published. Moreover, it is important to check back on these documents as we continue to update them.
Take a look at the ERP, IS Alert, and pending AMB. Enjoy the reading; we hope we have provided you with a bit of insight as to how these events come together from a Cisco Security Intelligence Operations perspective!
Links to Resources/Collateral:
IntelliShield Alert – http://tools.cisco.com/security/center/viewAlert.x?alertId=27076
Event Response Page – http://www.cisco.com/web/about/security/intelligence/ERP-financial-DDoS.html