Banking in the Cloud: A natural evolution

Mark Jow, Technical Evangelist, Gigamon

The critical role of the banking sector has made cyber security a focal point in recent years. Since 2020, the Bank of England’s annual survey has shown that 70% of financial executives believe cyber-attacks are a major risk to the nation’s financial stability. But the question is – do they know who they’re up against?

As banks become increasingly modernised, turning to open banking and enhancing their hybrid-cloud environments, they are not alone. Cyber criminals’ tactics are also evolving, creating an ongoing arms race between security teams and threats. And with banks housing a plethora of sensitive payment data, having access to high-profile information, and playing a critical role in the country’s operations, ransomware actors continue to target this sector with attacks, hoping a big payout could be on the table. 

A shift in the landscape

The financial sector has undergone a digital revolution in the last decade. As financial processes move online and the world becomes increasingly cashless, banks are embracing the cloud for more internal and customer-facing processes. It’s a no-brainer: the cloud offers scalability, efficiency, and more flexible digital banking options for customers. And with young FinTech challengers quick to offer open banking, traditional financial services organisations that are slow to digitise may lose out to competition.

In a recent report, UK Finance estimated that by 2032, only 7% of all payments in the UK will be note and coin-based transactions. Rapid migrations and a new, hybrid cloud environment require far more than traditional on-premises security tools, leaving critical security blind spots. If digital payment systems are left with security gaps, one well-placed attack could disrupt national stability on a scale we have not yet seen.


Biding their time

Financial institutions face higher stakes than most organisations. As part of critical national infrastructure (CNI), banks are ripe for nation-state attacks: often more sophisticated, with more time, resources, and skill allocated to each attempted breach. Back in February, the NCSC warned CNI security leaders of a new attack method that has become commonly used by nation-state actors, ‘Living-off-the-Land’ (LotL) attacks. These see hackers persist on networks for months at a time, moving laterally to collect intelligence and locate sensitive data stores. Any further actions, such as launching malware, stealing data, or destroying a server, can then cause maximum damage.

As hybrid cloud environments grow more complex, workloads and data become more widespread and broaden the attack surface of any organisation. For financial institutions, finding and illuminating any potential blind spots needs to be a key consideration before, during, and after every cloud migration. Moreover, security teams must reconfigure their tool stacks to achieve sufficient visibility into the cloud. Traditional, on-premises security tools are often over-reliant on data from logs, traces, and event files, making them very easy for today’s more sophisticated threat actors to exploit. Logs are mutable, meaning criminals can manipulate these records to cover their tracks and successfully evade detection. The only way for security teams to successfully expose hidden threats is by gaining complete visibility of all the traffic on their networks, including East-West traffic in both on-premises and cloud environments.

Hiding in plain sight

Threat actors also exploit a common security strategy: encryption. Employed for years to protect data in motion, TLS/SSL encryption now masks over 85% of malware attacks. Not only that, but encrypted traffic can hide malicious East-West movement, preventing security tools from detecting suspicious network behaviour and even data exfiltration.

Over two-thirds of organisations allow encrypted data to flow freely, discouraged by the cost and complexity of decrypting and analysing so much traffic. But in doing so, security teams are leaving their networks vulnerable to attacks, running the risk of only discovering a breach when it’s too late and stolen data is already on the dark web.

Financial institutions cannot afford to fall behind today’s cybercriminals. With the Digital Operational Resilience Act coming into force in January 2025, financial organisations are mandated to manage risk effectively. No organisation can defend against a threat that they don’t know is in their network, so achieving deep observability over all network traffic – including East-West and encrypted data – is the only way to protect against unforeseen attacks and disruption. With Operational Technology (OT) also in DORA’s spotlight, security teams must act now to proactively remove blind spots across their entire infrastructure, or else face fines come January.
