High Stakes of Securing the Financial Sector
The financial services sector relies on tailored threat intelligence to wage an effective defense against cybercrime.
By: Spencer Ingram
Financially motivated cybercriminals never rest. That means neither can you. Last year, banks, credit unions, financial services firms and other institutions experienced an uptick in attacks involving social engineering, ATM and point-of-sale malware, extortion and credential-stealing malware. Big established banks aren't the only targets. Trends in the financial services space have led to increased threats against online lenders, alternative payment providers and small and mid-size firms.
According to the Ponemon Institute's "2017 Cost of Data Breach Study: Global Analysis," it took an average of 191 days to identify and 66 days to contain the attacks analyzed in the report. According to our Secureworks™ 2018 Incident Response Insights Report, covering the nearly 1,000 Incident Response ("IR") engagements we were involved in during 2017, advanced threats went undetected for an average of 380 days. The last thing your Board of Directors wants to hear is that an advanced persistent threat has been working its malicious magic undetected, enabling cybercriminals to commit fraud and steal data. Your customers won't like it either.
There simply isn't enough time or staff to address every conceivable threat, yet your security-hardened IT teams know it's a matter of when, not if, a security breach will occur. Prevention is the ultimate goal, but the constant barrage of threats and security-related incidents makes timely detection, rapid containment and complete remediation vital to the integrity of your network.
Not even banks have unlimited funds and resources. In fact, the truth is quite the opposite. IT security teams in the financial services space need to fully exploit tailored threat intelligence to make smart decisions about where, when and how to apply security resources. With timely, relevant and contextual insight into the tactics, techniques and procedures (TTPs) cybercriminals use to target the financial services sector, you can better align security defenses with your budget.
Tailored threat intelligence can bring you several key advantages in the ongoing battle against cybercrime. First and foremost, you will see ahead of time which attack scenarios are most likely to be launched against your company and why. You can prevent cyberattacks from escalating when you understand how threat actors may target your organization. In addition, having the latest threat intelligence will help you detect the threat actor's tradecraft, conduct timely and effective incident response, and eradicate the adversary from your environment, thereby limiting damage.
In an attempt to stay ahead of advanced adversaries, you must also focus on early warnings of compromise. This requires a powerful combination of threat intelligence, security expertise and technology. Some threat actors will steal credentials from an organization and then immediately move to the firm's legitimate remote access solution as their primary access vector. Based on the current level of network and endpoint monitoring at most organizations, the threat actors seem to disappear after moving to the legitimate remote access platform. They become difficult to track by appearing to be legitimate users and relying on the organization's own native infrastructure rather than their own tools and malware. Endpoint and network visibility is a critical requirement for enhanced detection.
Business email compromise, ransomware and banking trojans continue to account for a significant percentage of incident response engagements. Spearphishing and whaling are two methods that use legitimate-looking emails to lure employees into providing credentials to the attacker. Often the attacker will conduct detailed reconnaissance to make the messages appear more genuine. Whaling takes this same approach to the next level by targeting a much larger pool of victims. Even the CEO's email can be spoofed in an attempt to direct finance departments to make large wire transfers into fraudulent accounts.
After achieving the goal of stealing employee credentials, many cybercriminals create additional privileged accounts for future use in what is referred to as "living off the land." Financial IT security teams should strongly consider auditing their infrastructure for the creation and use of privileged accounts. Organizations that do not apply two-factor authentication (2FA) to all remote access solutions (including VPNs and Outlook Web Access (OWA) servers) should consider prioritizing this effort to ensure account integrity. You should monitor for specific host events using a Security Information and Event Management (SIEM) system, or ensure your security provider is doing the same. These are relatively small efforts compared to the cost of credentialed threat actors roaming undetected on your network.
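One way to turn the audit recommended above into a concrete SIEM-style check, as an added example that is not code from the original post: correlate Windows Security events for account creation (4720) and addition to a privileged group (4728/4732), then note any remote-interactive logons (4624, logon type 10) by the new account. The log lines, the simplified JSON field names (`actor`, `target`, `group`, `logon_type`) and the one-hour window are constructed assumptions; a real deployment would map them from the SIEM's own schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): a handful of
# Windows Security log fields rendered as one JSON object per line.
SAMPLE_LOGS = """
{"ts": "2018-03-01T09:02:11", "event_id": 4720, "actor": "jdoe", "target": "svc_backup2", "host": "FS01"}
{"ts": "2018-03-01T09:03:40", "event_id": 4732, "actor": "jdoe", "target": "svc_backup2", "group": "Administrators", "host": "FS01"}
{"ts": "2018-03-01T22:15:05", "event_id": 4624, "actor": "svc_backup2", "target": "svc_backup2", "logon_type": 10, "host": "FS01"}
{"ts": "2018-03-01T10:00:00", "event_id": 4720, "actor": "hr_admin", "target": "newhire", "host": "DC01"}
{"ts": "2018-03-01T10:30:00", "event_id": 4624, "actor": "newhire", "target": "newhire", "logon_type": 2, "host": "WS22"}
"""

# Groups whose membership grants administrative or remote access (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}
# Logon type 10 is RemoteInteractive (RDP); VPN appliance logs would be mapped in alongside it.
REMOTE_LOGON_TYPES = {10}


def parse_events(text):
    """Parse one JSON event per line and return them in chronological order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_privileged_accounts(events, window=timedelta(hours=1)):
    """Return accounts that were created and, within `window`, added to a
    privileged group, with a count of remote logons the account has since made."""
    created = {}   # account -> creation time
    alerts = {}    # account -> details of the create-then-elevate sequence
    for ev in events:
        eid = ev["event_id"]
        if eid == 4720:
            created[ev["target"]] = ev["ts"]
        elif eid in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            t0 = created.get(ev["target"])
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts[ev["target"]] = {"created": t0, "elevated": ev["ts"],
                                        "by": ev["actor"], "remote_logons": 0}
        elif eid == 4624 and ev.get("logon_type") in REMOTE_LOGON_TYPES and ev["target"] in alerts:
            alerts[ev["target"]]["remote_logons"] += 1
    return alerts
```

In the sample, `svc_backup2` is flagged (created and made an Administrator two minutes later by the same actor, then used over RDP that night) while `newhire` is not, because it was never added to a privileged group.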
Security intelligence analysis and incident response must become a daily habit, and you will need a single pane of glass through which you can see and interpret all of the threat data on your network. Look to apply broad and deep security logging, advanced endpoint detection and rigorous network protection, combined with accurate and tailored threat intelligence, so that your defenses not only detect malware and other malicious activity but also recognize attacker behavior patterns and other indicators of compromise that are harder to spot. Most importantly, be sure to regularly test your incident response planning. This will help you detect, contain and eradicate the threat actors working against your network.
"Financial Institutions on High Alert for Major Cyber Attack," by Warwick Ashford, ComputerWeekly, Feb. 16, 2016, http://www.computerweekly.com/news/4500272926/Financial-institutions-on-high-alert-for-major-cyber-attack
Ponemon Institute, "2017 Cost of Data Breach Study: Global Analysis," June 2017.
Secureworks, "2018 Incident Response Insights Report," https://www.secureworks.com/resources/rp-incident-response-insights-report-2018