The bank is one of the largest in its region, offering a comprehensive range of international, commercial, domestic, and personal banking services.
The bank operates traditional security and network operations centers (SOC/NOC) and a dedicated network team as part of its IT ecosystem. Other DDoS mitigation measures include a managed protection service offered by the bank’s ISP, which focuses on the provider’s infrastructure, and an on-premises WAF for filtering, monitoring and blocking suspect HTTP traffic.
Banks have strong reason to be concerned about DDoS attacks, given the critical nature of their online services and the potential impact on service availability. As global DDoS campaigns continue to increase in scale, sophistication, and frequency, the CISO initiated a comprehensive assessment of the bank’s DDoS mitigation posture to evaluate detection, response, and resilience capabilities, and to identify areas for improvement.
The bank’s security executive turned to Red Button due to our reputation as a thorough DDoS testing provider.
After reviewing the client’s DDoS protection architecture, we ran controlled DDoS attack simulations. This involved resistance and penetration testing that challenged both the network and relevant bank applications.
The three standard infrastructure attack simulations we carried out – SYN, ACK and UDP floods – were only partially resisted. To test the applications, we prepared three mock attacks of increasing severity. However, after the bank’s standard protection tools failed to mitigate or resist the first, we immediately ended the simulation.
The bank leadership was very surprised at the results. Our DDoS testing had revealed that the bank’s ISP protection just did not have the capacity to handle relatively basic attacks, even without any extreme frequency rates.
Next, we provided the bank with recommendations to improve DDoS protection using their current technology. These included: more effective security configurations for the on-premises WAF; options to discuss with the ISP; improvements to the DDoS mitigation layer; migration to a cloud WAF and scrubbing center; written protocols for DDoS real-time response; and a shortlist for DDoS mitigation technology vendors.
The bank was very proactive in its response. While it decided to continue with the technology it was using, it immediately implemented the recommended improvements to both its preventative measures and its procedural responses to DDoS attacks.
As a follow-up step, the bank hired Red Button for guidance in hardening their IT architecture and procedures. We conducted another detailed review and provided further systemic recommendations. This was followed by the bank again calling on Red Button to carry out tests, including a repeat of the simulated network attacks, that would measure the benefits of the various DDoS security optimizations they implemented.
The last set of tests we carried out for the bank after they implemented our recommendations provided a clear indication of improved protection against DDoS attack. In fact, the bank reached the maximum protection possible with the technology they were using in their IT ecosystem.
The bank’s resiliency score in the first Red Button DDoS test was 3.0, which jumped to 4.7 after implementing our recommended measures. We estimate that the bank can further increase its score to 6.5 when it integrates additional technologies and architectural optimizations we suggested.
