The cyberattack that almost broke the bank

How a CIO switched providers and saved the day

by Anthony Leggio, Vice President of Finance Solutions, AT&T Business

Not again.



For the second time in a week, an attack was underway at one of the largest regional banks in the U.S.

Ominous notifications rippled through the beleaguered ranks of staffers and managers. Digital defenses had been breached on multiple fronts. Credential-stuffing bot attacks were locking users out of their accounts, putting their sensitive information at risk. At the same time, Distributed Denial of Service (DDoS) attacks were overwhelming the bank’s web servers, shutting down mobile and online banking, their two primary channels of business. Call centers and social media were soon flooded by frustrated customers.

The severity of a DDoS attack is commonly measured in the number of minutes a website is knocked offline. The result of this attack, like the dozens of others endured over the preceding months, was measured in hours. Lost revenue was becoming a serious concern.

False sense of security

Existing cyber-defenses, purchased from a lower-tier provider, had proved spectacularly inadequate. Some executives favored doubling-down on what was already in-place, incrementally adjusting algorithms with a trial-and-error approach. Others thought “rip-and-replace” was the only solution for firewalls so frequently scorched.

The company’s reputation was on the line.

Integrated solution

Full engagement from the C-suite cleared the way for an immediate, multi-tiered solution. The CIO knew the process of assembling new defenses from a patchwork of different providers would further delay remediation. He also wanted to avoid internal finger-pointing if a single entity wasn’t solely accountable for the outcome.

He chose AT&T Business.

As one of the world’s largest Internet providers, AT&T has an expansive view of the global threat landscape. The under-siege CIO used this unique intelligence-at-scale to help identify, predict, and thwart incoming attacks, while simultaneously defending against new and emerging threats with a full stack of best-in-class applications and expertise.

A DDoS attack is often a diversionary tactic to enable other illicit activity like data theft or fraud. Attackers can be motivated by political agendas, financial gain, or bragging rights. Many DDoS attacks are volumetric, attempting to slow or stop a targeted network by overwhelming servers with packet requests. Others exploit Transmission Control Protocol (TCP) layer vulnerabilities. Some do both. An attack can be aimed at the origin servers in a data center, or the proxy servers spread across locations on the Content Delivery Network (CDN). Local servers, the ones designed to cache content to help accelerate user experience, can be the focus of application-level DDoS threats.

Because attackers tend to change tactics in response to defensive measures, the implementation team upgraded Web Application Firewall (WAF) defenses and deployed a full suite of proactive cybersecurity solutions on the AT&T Content Delivery Network (ACDN). Detailed traffic analysis identified anomalies within seconds. Malicious traffic bound for specific IP addresses was diverted to out-of-path scrubbing locations instead. While the offending data packets were cleaned, valid traffic was permitted to reach network destinations via VPN Business. The ability to drop attack packets at the network edge helped minimize negative impacts and allowed the bank to restore digital operations.

Enterprise threat protection

To help identify and block additional threats like ransomware, malware, phishing, and domain name system (DNS) data exfiltration, enterprise traffic protector (ETP) services were also deployed on the ACDN layer. This effectively enforced acceptable use policies across the enterprise. The bank benefited from the efficiency, security intelligence, and global recursive DNS that a cloud-based portal provided, requiring no new hardware or software for the CIO team to purchase or maintain.

ETP relies on data gathered every day from the AT&T global cloud security intelligence platform, which manages up to 30% of global web traffic and delivers up to 150 billion DNS queries daily . This intelligence is enhanced with external threat feeds, and the combined data is analyzed using advanced behavioral analysis. As new threats are identified, they are immediately added to the ETP service, helping to improve near-real-time protection against threats for enterprises and their employees.

While DNS is the foundation for most internet services, many malicious domains, including sources for malware, ransomware, and associated command and control (CnC) servers, use recursive DNS for attacks. The bank’s external recursive DNS traffic was directed to ETP so that requested domains were checked against global risk scoring intelligence. This helped proactively block users from accessing malicious domains and services. Because validation occurred before the IP connection was made, threats were stopped earlier in the security kill chain, further from the enterprise perimeter.

Bot management

To mitigate the deluge of automated bots, AT&T Bot Manager was activated as well. This allowed the bank to create custom bot signatures and categories to identify bots that routinely interact with their website, and assign specific actions to be taken, including “alert”, “block”, “delay”, or “serve alternate content.” Traffic from unknown bots was detected by identifying request rate, request characteristics, bot behavior, and workflow validation. Bot Manager’s Security Center dashboard provided the bank with near-real-time visibility into bot traffic for their website, and the Cloud Security Intelligence (CSI) data analysis engine provided a continuously-updated directory of known bot categories.

Rapid results

This integrated connectivity and cybersecurity ecosystem had an immediate effect. 100% of incoming attacks were shut down. The bank’s web traffic speed increased nearly 84%. Contact center resources recovered from exhaustion. With a front-row seat to remediation efforts, a top executive expressed being “shocked by the effectiveness.” The implementation group called it “a real eye opener.”

The CIO and his team had unpacked the scale, experience, and adaptability required to rebuild customer trust, improve the bottom line, and defend against future threats.

How prepared is your business? Are you one of the 50% of IT pros that say your security policies are “ad-hoc, not risk-driven, and not integrated with overall security goals?” Read the report.

AT&T Business is a leading provider of edge-to-edge solutions for Financial Services Solutions and is the largest SD-WAN provider globally. Achieve smarter, more trusted interactions with business solutions that integrate our unique ecosystem of technology and expertise with our highly-secure global network to obtain near-real-time intelligence from virtually every corner of your enterprise.