By Tom Kellermann, Head of Cybersecurity Strategy, VMware
Trust has always been the cornerstone of the banking industry. Without customer confidence that their assets are secure, banks cannot function. A reputation for having the strongest vaults with the thickest walls and unpickable locks is fundamental. But, as the means of protecting financial assets has moved from the physical to the digital realm, the role of custodian of customer trust has shifted inexorably onto the shoulders of CISOs. Now, cybersecurity is not just essential to preventing criminals from theft, it has become a brand protection imperative.
VMware’s annual Modern Bank Heist report has identified critical escalations in the sophistication and co-ordination of attacks against the financial services sector. Cybercriminals and nation-state actors are capitalising on the dual disruptions of the global pandemic and banks’ ongoing digital transformation programmes to broaden and deepen their attack techniques. They are no longer focused simply on direct monetary gain through wire transfer fraud, but on hijacking the digital transformation of a financial institution through island hopping, and holding them hostage to the threat of destructive attacks.
Island hopping escalates as attackers hijack banks
38 percent of the financial institutions surveyed in the study said they had encountered island hopping, representing a 13 percent increase over 2020 (respondents were asked to exclude the SolarWinds campaign from their response).
Island hopping has become the attack vector of choice because, as banks have digitised and their supplier ecosystem has grown, the attack surface has expanded correspondingly; there is quite simply more opportunity now than ever before. And to capitalise on it, cybercrime cartels have taken the guesswork out of the game by studying the interdependencies of financial institutions. They have identified entities such as the Managed Service Providers and outside Counsels used by their target companies. These businesses have become the prime target for infiltration as a stepping stone into the target network. What might previously have constituted a “lucky hit” for a cybercriminal campaign is now a well-researched route to a valuable payoff.
Another commonly reported form of island hopping is watering hole attacks. Here, adversaries hijack websites or mobile apps used by customers for digital banking. This has a direct brand impact where customer’s trust in the visual assets they associate with the bank is hijacked to steal credentials or money. The reputational damage caused by these attacks is immense.
CISOs’ respond to increased attacks
Faced with these escalating and stealth-focused tactics, what should CISOs be doing in response? The financial institutions we surveyed are committing budget to the battle, with eight in ten planning to ramp up spending by between 10-20%.
In terms of where spending will be focused, investment priorities include: Extended detection and response (XDR); threat intelligence; workload security and container security. These priorities paint a picture both of how attacks have evolved and the new cloud-based infrastructure that has become the target.
Particularly encouraging is the frequency and impact of threat hunting. 48% of surveyed institutions conduct weekly threat hunts and, as programmes become more mature and hunters gain more understanding of their environment, they are driving change at a process and technology level. We are seeing more use of data science, machine learning and artificial intelligence to determine what normal looks like and spot anomalies. This is driving a true partnership between human-led hunting and automation.
Best practices to defend against modern bank heists
Adversaries are focusing on gaining undetected access to networks and this means that incident response must be conducted under the assumption that the network has been compromised. The following best practices are advised for defence teams:
- Deploy honey tokens or deception grids, especially on attack paths that cannot be hardened.
- Apply just-in-time administration.
- Integrate your network detection and response with your endpoint detection platform.
- Deploy workload security.
- Conduct weekly threat hunting.
- Stand up a secondary line of secure communications to discuss ongoing incidents without risk of interception and compromise. This channel should allow for talk, text and file transfer.
- When responding to an incident- Assume the adversary has multiple means of gaining access to the environment and avoid alerting them that you know they’re there. Watch and wait before taking action – don’t start blocking malware or terminating C2 systems until you are sure you understand all possible avenues of re-entry.
- Deploy agents in monitor-only mode. If you begin blocking or impeding their activities, they will change tactics, potentially leaving you blind to their additional means of re-entry. Rename agents to something innocuous.
On top of these tactical activities, we need to see a strategic shift. Three quarters of CISOs at financial institutions still report to CIOs, yet the landscape has changed dramatically over the past year. The switch to work from anywhere has put cybersecurity and CISOs at the centre of business continuity and resilience. CISOs should be promoted to a true C-level to ensure they have the strategic influence they need to discharge their role effectively. As custodians of a financial institution’s greatest asset – customer trust – their position should be elevated accordingly.
Financial institutions are unquestionably facing new and more pernicious threats but, by leveraging advanced tools and intelligence, they can successfully hunt out and suppress cyber cartels preying on the extended ecosystem. Trust and confidence will depend on vigilant digital transformation.