Further details have emerged on the Lloyds DDoS attack from two weeks ago. Lloyds revealed little at the time, despite a flood of Twitter complaints. But it has emerged that the National Cyber Security Centre is working with the bank on the attack. IT security experts from Lieberman Software, DomainTools, AlienVault and ESET commented below.

Jonathan Sander, VP of Product Strategy at Lieberman Software:

Jonathan Sander“The important thing to remember in a denial of service attack is that the bad guys are denied service as well – so during this attack they couldn’t break into the Lloyds accounts any more than customers could log in.

Clearly there is still active investigation happening right now. More details may emerge. One thing to look out for is the trick where bad guys will use a DDoS to mask another attack. The DDoS overwhelms while something quieter sneaks in the back. That doesn’t appear to have happened here, though; only time will tell.”

Kyle Wilhoit, Sr. Security Researcher at DomainTools:

kyle-wilhoit“It appears, based on the limited telemetry data we have about this attack, that Lloyd’s fell victim to an IoT botnet generated DDoS. Ever since the Mirai source code emerged, more nefarious criminals have been weaponzing the code to target additional IoT devices. Unfortunately, DDoS are one of the most common cyber attacks against financial institutions.

While no customer data appeared to have been compromised – it seems it was just a service outage – imagine if a lender couldn’t access bank services for two days because of a DDoS. That could cause some market turmoil.

There are a few ways banks could help protect themselves. First, using one of the many available DDoS mitigation technologies certainly helps. While these services aren’t failsafe, they can help cut out lower-volume DDoS attacks and help reduce a lot of traffic during big DDoS incidents. In addition, using reverse proxies to filter inbound traffic can help offset some of the risk associated with DDoS incidents. Ensuring that you have a properly outlined incident response is also key. Attackers use DDoS as a diversion tactic quite regularly. Attackers can and will move laterally throughout networks while a DDoS is happening, since engineers are focused on returning services to customers and not necessarily focusing on internal assets. Having a finely tuned incident response plan can help offset the risk of attackers moving laterally in a network during an incident.”

Javvad Malik, Security Advocate at AlienVault:

Javvad Malik“DDoS attacks are intended to be loud, disruptive and make a statement. With ever-expanding capabilities, including many new internet-connected devices, cyber criminals have the ability to launch bigger attacks.

These attacks could be motivated by political reasons, activism, even competition. In some cases, DDoS attacks can be used as a smokescreen to cover for another attack happening at the same time.

Cyber criminals know all too well the impact of their actions. When a business loses its online presence, it loses its primary interface with its customers. In such circumstances, most resources are devoted to bringing the service back online. However, they shouldn’t neglect other areas of their infrastructure, and have reliable threat detection and response controls to pick up on any malicious activity that may be occurring under the covers.”

Mark James, IT Security Specialist at ESET:

mark-james“Banks are under attack almost continuously. Most cyber-attacks these days are driven by monetary gain and usually include trying to trick someone into handing over money in small amounts. But if the cyber criminals can go for the source or the “jackpot” then for them that makes a lot more sense.

Distributed Denial of Service (DDoS) attacks can in some cases be a smoke screen for other attacks, while resources are put into stopping the loss of service then other attacks may be happening elsewhere.

For the bank to lose the ability to offer its facilities to its users then the attack must have been quite substantial. It would appear on this occasion that no cash was stolen, but as with any attack like this it’s imperative you keep an eye not only on your balance but also future transactions. Question everything however small, if you have a concern then contact your bank and ask them. Remember cash is not always the number one objective, data that could be used later or together with other information gained previously could be used for future attempts at stealing your money.”

Information Security Buzz