Financial Services sector relies on elite threat intelligence to wage an effective defense against cybercrime
By: Secureworks
Financially motivated cybercriminals never rest. That means neither can you. Last year, banks, credit unions, financial services firms and other institutions experienced an uptick in attacks involving social engineering, ATM and point-of-sale malware, extortion and credential-stealing malware. Big established banks aren't the only targets. Trends in the financial services space have led to increased threats against online lenders, alternative payment providers and small and mid-size firms.
According to the Ponemon Institute's "2016 Cost of Data Breach Study: Global Analysis", it took an average of 201 days to identify and 70 days to contain the attacks analyzed in the report. The last thing your board of directors wants to hear is that an advanced persistent threat has been working its malicious magic undetected, enabling cybercriminals to commit fraud and steal data. Your customers won't like it either.
There simply isn't enough time or staff to address every conceivable threat. And yet, your security-hardened IT teams know it's a matter of when, not if, a security breach will occur. Prevention remains the ultimate goal, but the constant barrage of threats and security-related incidents makes timely detection and rapid containment and remediation vital to the integrity of financial networks.
Not even banks have unlimited funds and resources. In fact, the truth is quite the opposite. IT security teams in the financial services space need to fully exploit threat intelligence to make smart decisions about where, when and how to apply security resources. With timely, relevant and contextual insight into the tactics, techniques and procedures (TTPs) cybercriminals use to target the financial services sector, you can better align security resources with the threats you actually face.
The key advantages of using threat intelligence against cybercrime in the banking sector
Elite threat intelligence can bring you several key advantages in the ongoing battle against cybercrime. First and foremost, you will see ahead of time which attack scenarios are most likely to be launched against your company and why. You can prevent cyberattacks from escalating when you understand how threat actors may target your organization. In addition, having the latest threat intelligence will help you detect the threat actor's tradecraft, conduct timely and effective incident response, and eradicate the adversary from your environment.
Take the example of a malicious actor trying to steal your employees' credentials. Spear phishing and whaling are two methods that use legitimate-looking emails to lure employees into handing their credentials to the attacker. Often the attacker conducts detailed reconnaissance to make the messages appear more genuine. Whaling takes the same approach to the next level by targeting a small number of high-value individuals, typically senior executives, whose access is worth far more than that of an ordinary user. Even the CEO's email can be spoofed, directing finance departments to make large wire transfers into fraudulent accounts.
After stealing employee credentials, many cybercriminals create additional privileged accounts for later use. Financial IT security teams should strongly consider auditing their infrastructure for the creation and use of privileged accounts. You may also need to monitor for specific events, such as account creation and additions to administrative groups, using a Security Information and Event Management (SIEM) system. Another option is to adopt privileged account management technology. These are relatively small efforts compared with the cost of credentialed threat actors roaming undetected on your network.
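The correlation a SIEM rule would apply to the audit just described, as an added example that is not Secureworks code or any vendor's detection content: an account is created (Windows Security event 4720) and then added to a privileged group (4728 for a global group, 4732 for a local group) within a short window, which is exactly the pattern of an attacker minting a backdoor account. The event records, host, user and group names below are constructed test data; the 24-hour window and the privileged-group list are assumptions to tune for your environment.

```python
"""Correlate account-creation events with privileged-group additions.

Added example for this article (not Secureworks code). Event IDs are the
standard Windows Security log IDs; all records below are constructed.
"""
from datetime import datetime, timedelta

# Assumption: groups whose membership is considered privileged in this environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Remote Desktop Users"}
# Assumption: how soon after creation a privileged add is considered suspicious.
WINDOW = timedelta(hours=24)

# Constructed sample events in the shape a SIEM might normalize them into.
SAMPLE_EVENTS = [
    {"time": "2016-09-12T08:02:11", "event_id": 4720, "host": "DC01",
     "subject": "CORP\\jsmith", "target": "CORP\\svc-backup2"},
    {"time": "2016-09-12T08:05:40", "event_id": 4728, "host": "DC01",
     "subject": "CORP\\jsmith", "target": "CORP\\svc-backup2",
     "group": "Domain Admins"},
    {"time": "2016-09-12T09:15:00", "event_id": 4720, "host": "DC01",
     "subject": "CORP\\hr-admin", "target": "CORP\\mlee"},
    {"time": "2016-09-12T09:16:22", "event_id": 4728, "host": "DC01",
     "subject": "CORP\\hr-admin", "target": "CORP\\mlee",
     "group": "Finance Users"},
    # Privileged add, but almost 25 hours after creation: outside the window.
    {"time": "2016-09-13T10:00:00", "event_id": 4732, "host": "WS117",
     "subject": "CORP\\helpdesk", "target": "CORP\\mlee",
     "group": "Administrators"},
]


def find_new_privileged_accounts(events, window=WINDOW,
                                 privileged=PRIVILEGED_GROUPS):
    """Return one alert per account that was created and then added to a
    privileged group within `window`. Events are processed in time order so
    a group add that precedes the creation event is never matched."""
    created = {}   # target account -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[ev["target"]] = (t, ev["subject"])
        elif ev["event_id"] in (4728, 4732) and ev.get("group") in privileged:
            if ev["target"] not in created:
                continue   # pre-existing account; a separate, lower-severity rule
            t0, creator = created[ev["target"]]
            if t - t0 <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": creator,
                    "added_by": ev["subject"],
                    "host": ev["host"],
                    "seconds_after_creation": int((t - t0).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT {a['account']} added to {a['group']} on {a['host']} "
              f"{a['seconds_after_creation']}s after creation "
              f"(created by {a['created_by']}, added by {a['added_by']})")
```

Run against the constructed events, the rule fires only for svc-backup2, which was added to Domain Admins three and a half minutes after being created; mlee's later addition to local Administrators falls outside the window and would need a different rule. The same logic ports directly to a SIEM's correlation language once the 4720 and 4728/4732 events are being collected from domain controllers and member servers.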
Focus on early cyber threat warnings to stay ahead of bank cybersecurity adversaries
One way to stay ahead of advanced adversaries is by focusing on early warnings of compromise. This requires a powerful combination of threat intelligence, security expertise and technology. Some threat actors will steal credentials from an organization and then immediately move to the firm's legitimate remote access solution as their primary access vector. Based on the current level of network and endpoint monitoring at most organizations, the threat actors seem to disappear after moving to the legitimate remote access platform. They become difficult to track by appearing to be legitimate users and relying on the organization's own native infrastructure rather than their own tools and malware. Organizations that do not apply two-factor authentication (2FA) to all remote access solutions (including VPNs and Outlook Web Access (OWA) servers) should consider prioritizing this effort. It requires fewer resources to establish, monitor and maintain than approaches such as instrumenting all endpoint systems for monitoring.
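Until two-factor authentication is in place on every remote access path, the one thing that still distinguishes an attacker on the VPN or OWA from the employee whose password they phished is where and when the login comes from. As an added example that is not Secureworks code or any product's logic, the block below compares each new remote access login to the account's own history and flags a login from a country never seen for that account, an account with no history at all, and two logins from different countries within an hour. The log records, account names, IP addresses and countries are constructed test data; real input would be normalized VPN or OWA authentication logs enriched with GeoIP, and the one-hour window is an assumption to tune.

```python
"""Flag anomalous logins to a legitimate remote access service.

Added example for this article (not Secureworks code). All login records
below are constructed; the travel window is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: two logins from different countries closer together than this
# cannot both be the legitimate user.
RAPID_TRAVEL_WINDOW = timedelta(hours=1)

# Constructed historical logins used to build each account's baseline.
BASELINE_LOGINS = [
    {"time": "2016-09-01T08:10:00", "user": "alice", "src_ip": "203.0.113.10", "country": "US"},
    {"time": "2016-09-02T08:05:00", "user": "alice", "src_ip": "203.0.113.11", "country": "US"},
    {"time": "2016-09-03T08:12:00", "user": "alice", "src_ip": "203.0.113.10", "country": "US"},
    {"time": "2016-09-01T09:00:00", "user": "bob",   "src_ip": "198.51.100.7", "country": "US"},
    {"time": "2016-09-02T07:45:00", "user": "bob",   "src_ip": "192.0.2.44",   "country": "GB"},
]

# Constructed logins to evaluate; alice's password has just been phished.
NEW_LOGINS = [
    {"time": "2016-09-12T10:00:00", "user": "alice", "src_ip": "203.0.113.10", "country": "US"},
    {"time": "2016-09-12T10:30:00", "user": "alice", "src_ip": "198.51.100.200", "country": "RU"},
    {"time": "2016-09-12T11:00:00", "user": "bob",   "src_ip": "192.0.2.44",     "country": "GB"},
    {"time": "2016-09-12T14:00:00", "user": "bob",   "src_ip": "198.51.100.7",   "country": "US"},
    {"time": "2016-09-12T12:00:00", "user": "carol", "src_ip": "192.0.2.99",     "country": "DE"},
]


def build_baseline(logins):
    """Map each account to the set of countries it has logged in from."""
    countries = defaultdict(set)
    for rec in logins:
        countries[rec["user"]].add(rec["country"])
    return countries


def _alert(rec, reason, detail):
    return {"user": rec["user"], "time": rec["time"], "src_ip": rec["src_ip"],
            "country": rec["country"], "reason": reason, "detail": detail}


def detect_remote_access_anomalies(baseline_logins, new_logins,
                                   window=RAPID_TRAVEL_WINDOW):
    """Evaluate new logins in time order against the baseline and against the
    account's previous evaluated login. Returns a list of alert dicts."""
    baseline = build_baseline(baseline_logins)
    last_seen = {}   # user -> (time, country) of the most recent evaluated login
    alerts = []
    for rec in sorted(new_logins, key=lambda r: r["time"]):
        t = datetime.fromisoformat(rec["time"])
        user, country = rec["user"], rec["country"]
        if user not in baseline:
            alerts.append(_alert(rec, "no_baseline",
                                 "first remote login ever seen for this account"))
        elif country not in baseline[user]:
            alerts.append(_alert(rec, "new_country",
                                 f"baseline countries: {sorted(baseline[user])}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and t - prev[0] <= window:
            minutes = int((t - prev[0]).total_seconds() // 60)
            alerts.append(_alert(rec, "rapid_country_change",
                                 f"{prev[1]} -> {country} within {minutes} min"))
        last_seen[user] = (t, country)
    return alerts


if __name__ == "__main__":
    for a in detect_remote_access_anomalies(BASELINE_LOGINS, NEW_LOGINS):
        print(f"ALERT {a['user']} {a['time']} {a['src_ip']} ({a['country']}): "
              f"{a['reason']} [{a['detail']}]")
```

On the constructed data bob's GB login is quiet because GB is in his baseline and his US login comes three hours later, while alice's RU login thirty minutes after a US login raises both a new-country and a rapid-country-change alert, and carol's first-ever login is surfaced for review rather than silently accepted. Note what this rule cannot do: an attacker who proxies through the victim's home country defeats both checks, which is why the paragraph above puts 2FA ahead of monitoring as the cheaper and more reliable control.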
Security intelligence analysis and incident response must become a daily habit, and you will need a single pane of glass through which you can see and interpret all of the threat data on your network. Look to apply advanced endpoint detection and network protection that can spot not only malware and other malicious activity but also recognize attacker behavior patterns and other indicators of compromise that are harder to detect. This will help you spot, contain and eradicate the APTs that could infiltrate your network without using malware at all.
To learn more about the intersection of security intelligence, visibility and threat detection in the battle against today's threats, please read our latest whitepaper [insert link].
Warwick Ashford, "Financial Institutions on High Alert for Major Cyber Attack," ComputerWeekly, Feb. 16, 2016, http://www.computerweekly.com/news/4500272926/Financial-institutions-on-high-alert-for-major-cyber-attack
Ponemon Institute, "2016 Cost of Data Breach Study: Global Analysis," June 2016.