In an alert issued by the Office of the Comptroller of the Currency (OCC), Deputy Comptroller for Operational Risk Carolyn G. DuChene warned financial and other critical institutions about the wave of ongoing distributed denial of service (DDoS) attacks targeting their networks. DuChene is urging the banks in particular to share data about the attacks with one another and reiterated the OCC’s expectation that banks have risk management plans designed to mitigate such attacks in place ahead of time.
The alert comes as a response to DDoS attack campaigns carried out by what the OCC believes to be sophisticated and organized hacking groups targeting national banks and federal savings associations. The OCC claims that the groups launching such attacks are many and that the motives for the attacks, whether political or financial, vary from group to group.
The memo is formally addressed to the “Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties.”
In terms of mitigation techniques, DuChene encourages that banks have plans in place to effectively identify dynamic threats and make changes to online customer accounts and authentication mechanisms as needed. The advisory calls on banks to have a heightened sense of awareness regarding the attacks and recommends that potential targets ensure sufficient staffing while the attacks are ongoing, including contracting third-parties to help regulate online traffic flow to the banks. Banks should also coordinate their efforts with any internet service and Web-hosting providers that could provide assistance in the event of a sustained DDoS attack.
The OCC is perhaps most adamant in its insistence that banks share attack information with one another. The advisory points banks toward the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a facilitator of data sharing and the United States Computer Emergency Readiness Team (US-CERT) as a resource to find more information about attack methods and ways to minimize their impact.
Lastly, banks are expected to report accurate information to their customers about any outages and potential fraud that could occur as a result of the attacks. They are additionally expected to report any related incidents to the appropriate regulators and law enforcement agencies.
While the OCC alert doesn’t mention any specific groups, it is hard to separate this memo from the repeated warnings issued as well as attacks carried out by a hacktivist group calling itself Mrt. Izz ad-Din al-Qassam Cyber Fighters. The group began publishing warnings on the text-sharing site Pastebin in September, taking credit for and promising future attacks against U.S. banks. They reemerged in mid-December reiterating that attacks targeting U.S. Bancorp, JP Morgan Chase, Bank of America, PNC Financial Services Group and SunTrust Banks were imminent.
In a blog post on their site, Gartner analyst and financial fraud expert Avivah Litan lauded the OCC’s actions, saying that the regulator is doing an excellent job of telling banks what these attacks will look like and providing specifics on what they should look out for. Moreover, she believes it is helpful that the OCC is drawing a clear link between DDoS attacks, which often seem intangible, like little more than nuisance, and customer account takeovers where actual people lose actual money.
“It’s reassuring to see that the OCC takes these threats very seriously,” Litan wrote. “No doubt, they will step up their enforcement of FFIEC guidance on Internet banking security. That’s actually a good thing because regulators drive security action and spending, even though we would all like to think that this focus on security would exist independently in all cases and across the board – even without the regulators.”