By Simon Mullis, Chief Technology Officer at Venari Security
The tense political climate means mounting cyber threats and increasing challenges to cyber defences, particularly as new attack methods make hostile activity on the network even harder to detect. For the UK's critically important sectors, including finance, which together form the UK's Critical National Infrastructure (CNI), getting a grip on attacks that hide in plain sight, such as threats carried inside encrypted network traffic, is vital.
The National Cyber Security Centre lists 13 CNI sectors in the UK, defined as the critical systems, processes, people and information upholding UK infrastructure, the loss or compromise of which could have severe and widespread economic or social consequences. While it is basic utilities, such as keeping the lights on and the water running, that first come to mind when thinking about critical infrastructure, the finance sector also comprises many organisations providing essential services. From cash withdrawals and deposits to digital wire transfers, loan applications and investments, citizens and businesses rely on financial interactions every day. The responsibility on banks and financial institutions to maintain secure systems is huge, and the consequences of failing to do so are even more significant.
But with attacks on CNI on the rise, how can financial institutions ensure they are doing everything possible to guard against them? Let's explore some of the risks to CNI, and how the finance sector in particular can be proactive in protecting its customers, their data and overall trust in its institutions.
The consequences of CNI attacks
One of the most recent high-profile CNI attacks that the finance industry must analyse, and ensure it is guarding against, is the Colonial Pipeline ransomware incident of May 2021. The pipeline operator reported that a cyberattack had forced it to take systems offline and temporarily halt all pipeline operations.
What is particularly significant about this attack is that the attackers gained access with nothing more than a compromised password for a VPN account that did not require multi-factor authentication. Once in, their activity travelled over an encrypted channel, just like all the other traffic. Vast swathes of the US were affected: the pipeline supplies roughly 45% of the fuel consumed on the East Coast, and that supply was halted.
In this case, despite the organisation protecting its data with strong encryption, the attackers entered the network over a legitimate, encrypted path, which rendered many of the countermeasures ineffective. With the operators unaware of any anomalous activity on their network, the intruders had all the time they needed to assess the environment and get organised.
This presents a dilemma for CNI sectors, especially finance, where interactions and operations have to be encrypted.
The issues with relying on encryption
As in the Colonial Pipeline incident, end-to-end encryption lets attackers conceal themselves within legitimate traffic. While it is critical to protecting data privacy and limiting the damage of a breach, end-to-end encryption also renders many established means of detection ineffective.
Most defence methods still rely heavily on decryption and relatively rudimentary analysis, matching traffic against known-bad indicators or checking for deviation from expected patterns. The volume and speed of encrypted data now crossing networks means that techniques which depend on this kind of inspection cannot hope to cover everything.
And this is not a cutting-edge approach by cybercriminals. In the first three quarters of 2021 alone, threats delivered over encrypted channels increased by 314% on the previous year. If organisations continue to rely on the same inadequate detection techniques to uncover malicious activity on their networks, attacks that use encrypted traffic will keep growing at this rate or faster.
The security industry has long understood that breaches are “not if, but when” scenarios. And the current global climate, sparking a rise in nation-state attacks, undoubtedly increases the threat level further for CNI – and especially for sensitive sectors such as finance.
Better visibility holds the key
Financial institutions must strike a careful balance when it comes to security. On the one hand, it is vital they regain the visibility of their networks that end-to-end encryption takes away; on the other, maintaining that encryption in the first place is a necessity.
Decryption is too cumbersome and time-consuming an approach now that virtually all network traffic is encrypted, and organisations can only hope to keep up if they can monitor for aberrant behaviour and malicious activity in that traffic without relying on decryption.
The solution? Security teams need to look to behavioural analytics to detect what is happening inside encrypted traffic flows. Built on machine learning, behavioural analytics works on the metadata that remains visible without decryption, such as flow sizes, timing, destinations and TLS handshake attributes, and can analyse encrypted traffic in near real time. By building an accurate picture of normal behaviour and measuring how far observed traffic deviates from it, it significantly increases the rate and speed at which malicious activity concealed in encrypted traffic can be detected, while the data itself remains private.
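As an added illustration of what behavioural analysis of encrypted traffic looks like in practice (example code written for this page, not Venari Security's product nor code from the original article), the Python script below scores TLS flows using only the metadata that stays visible without decryption: timing, destination, outbound byte count and the TLS client fingerprint. The flow records, addresses, hostnames and JA3-style fingerprint labels are constructed for the example, not real observations, and the thresholds are illustrative assumptions.

```python
"""Behavioural analysis of TLS flows from metadata alone, without decryption.

Added example for illustration: the flow records, addresses, hostnames and
JA3-style fingerprint labels below are constructed, not real observations.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev


def _flows(src, dst, ja3, sni, intervals, sizes, start=0.0):
    """Construct flow records from an inter-arrival pattern and a size pattern."""
    times = list(accumulate(intervals, initial=start))[1:]
    return [{"ts": t, "src": src, "dst": dst, "ja3": ja3, "sni": sni,
             "bytes_out": sizes[i % len(sizes)]} for i, t in enumerate(times)]


# Constructed baseline: one workstation talking to two familiar services with
# human-paced, irregular timing (the gap pattern repeats but varies widely).
JITTER = [30, 55, 20, 90, 45, 70, 25] * 6
BASELINE = (
    _flows("10.0.1.25", "203.0.113.10", "ja3-browser-a", "mail.example.com",
           JITTER, [4000, 4300, 3900, 4600])
    + _flows("10.0.1.25", "203.0.113.20", "ja3-browser-a", "docs.example.com",
             JITTER, [2500, 2700, 2600], start=7.0)
)

# Constructed observation window: the same workstation, now also checking in
# with an unknown endpoint exactly every 60 s using a TLS client fingerprint
# never seen before, followed by one unusually large outbound transfer.
OBSERVED = (
    BASELINE[:20]
    + _flows("10.0.1.25", "198.51.100.7", "ja3-unknown-x", "cdn-update.example.net",
             [60.0] * 20, [900], start=10_000.0)
    + [{"ts": 12_345.0, "src": "10.0.1.25", "dst": "203.0.113.10",
        "ja3": "ja3-browser-a", "sni": "mail.example.com", "bytes_out": 250_000}]
)


def build_baseline(flows):
    """Per-source profile: known TLS fingerprints and outbound-size statistics."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    model = {}
    for src, fl in by_src.items():
        sizes = [f["bytes_out"] for f in fl]
        model[src] = {"ja3": {f["ja3"] for f in fl},
                      "mean": mean(sizes), "std": pstdev(sizes) or 1.0}
    return model


def detect(flows, model, z_threshold=6.0, min_beacons=10, max_cv=0.2):
    """Return sorted (alert, src, detail) tuples; thresholds are illustrative."""
    alerts = set()
    by_pair = defaultdict(list)
    for f in flows:
        base = model.get(f["src"])
        if base is None:
            alerts.add(("new-host", f["src"], f["dst"]))
            continue
        # 1. TLS client fingerprint this host has never used: new tooling.
        if f["ja3"] not in base["ja3"]:
            alerts.add(("new-tls-fingerprint", f["src"], f["ja3"]))
        # 2. Outbound volume far outside the host's baseline: staging or exfil.
        if (f["bytes_out"] - base["mean"]) / base["std"] > z_threshold:
            alerts.add(("outbound-volume", f["src"], f["dst"]))
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    # 3. Beaconing: many connections to one destination at near-constant gaps
    #    (low coefficient of variation of the inter-arrival times).
    for (src, dst), ts in by_pair.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_beacons, 2) and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) <= max_cv:
                alerts.add(("beacon", src, dst))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(OBSERVED, build_baseline(BASELINE)):
        print(alert)
```

The three detectors correspond to signals a defender can extract without ever seeing the plaintext: an unfamiliar TLS client fingerprint (new software on a host), a destination contacted at near-constant intervals (command-and-control beaconing) and an outbound byte count far above the host's baseline (staging or exfiltration). In a real deployment the thresholds are tuned per host group and hits are enriched before anyone acts on them, because legitimate software such as update checkers also beacons on a fixed schedule.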
Security teams can then react immediately to contain the threats identified, rather than responding after the fact, when a bank might only realise an attack has taken place once a customer has already suffered a breach.
Keeping a critical eye on finance security
Ongoing geopolitical conflicts and the ever-increasing interconnectedness of all things mean that attacks on critical infrastructure are unlikely to go away; in fact, they will become more frequent.
Financial services are an obvious target, so security teams need to wake up quickly to the reality that the threat is not just incoming: there may already be a malevolent presence on their network, concealed within encrypted traffic. And the longer it goes unidentified, the greater the risk when the actor decides to strike.