Simon Mullis, Chief Technology Officer at Venari Security
In recent years we have seen a sharp increase in geo-political tensions and a range of novel and emerging cyber threats. One of the greatest threats we currently face is right under security teams’ noses: malicious activity hidden within encrypted traffic on their network. The UK’s Critical National Infrastructure (CNI) is firmly in the crosshairs for these attacks, so it is imperative that organisations are prepared to defend against them – not least in the finance industry.
The National Cyber Security Centre’s outlines 13 CNI sectors in the UK – defined as the critical systems, processes, people and information upholding UK infrastructure, the loss or compromise of which could have severe and widespread economic or social consequences as a result. While power grids and water supplies might immediately come to mind when thinking about critical infrastructure, the finance sector contains many organisations providing essential services – from cash withdrawals and deposits, to digital wire transfers, loan applications and investments – that citizens and businesses rely on every day and it must be treated in the same regard. The responsibility for banks and financial institutions to maintain secure systems is huge, and the consequences for failing to do so even more significant.
But with attacks on CNI on the rise, how can financial institutions ensure they are doing everything possible to guard against them? Let’s explore what some of the risks to CNI include, and how the finance sector specifically can take action to best protect its customers, their data, and financial assets.
What are some of the security risks faced by CNI?
One of the most recent high-profile CNI attacks that the finance industry must analyse and ensure is guarding against is the Colonial Pipeline ransomware incident, which took place in May 2021. The pipeline operator reported that a cyberattack had forced the company to temporarily shut down all business functions.
What is particularly significant about this attack is that it was simply an exposed username/password that allowed the attackers to gain access. Once in, their activity was end-to-end encrypted – just like all the other traffic. Vast swathes of the US were affected – with 45% of the East Coast’s fuel operations halted as a result.
In this case, despite the organisation protecting its data with strong encryption standards, attackers were able to enter the network through a legitimate, encrypted path and thus rendered many of the counter measures ineffective. With the operators unaware of any anomalous activity on their networks, the intruders had all the time they needed to assess the system and get organised.
This presents a dilemma for CNI sectors, especially finance, where interactions and operations have to be encrypted.
Encryption is not a silver bullet
As happened in the Colonial Pipeline incident, the use of end-to-end encryption enabled attackers to conceal themselves in legitimate traffic. While critical to support data privacy and security in the event of breaches, end-to-end encryption renders many established means of detection ineffective.
Most defence methods still rely heavily on decryption and relatively rudimentary analysis to detect when traffic might be “known-bad” or deviating from expected patterns. The volume and speed of encrypted data now passing across networks means that it is impossible to detect everything with processes and techniques requiring this type of inspection.
And indeed, this is not a cutting-edge approach by cybercriminals. In the first three quarters of 2021 alone, threats over encrypted channels increased by 314% on the previous year. If organisations continue to use the same inadequate detection techniques to uncover malicious activity on their network, the rate of attacks using encrypted traffic will continue to grow at this rate or higher.
The security industry has long understood that breaches are “not if, but when” scenarios. And the current global climate, sparking a rise in nation-state attacks, undoubtedly increases the threat level further for CNI – and especially for sensitive sectors such as finance.
Driving visibility in financial networks
Financial institutions must strike a careful balance when it comes to security. On the one hand, it is vital they gain back visibility of their networks that end-to-end encryption might be at risk of concealing; on the other, it’s a necessity that they maintain a level of encryption in the first place.
Decryption is a too cumbersome and time-consuming approach now that our entire networks are encrypted – both data-at-rest and in motion – and organisations can only hope to keep up if they monitor for aberrant behaviour and malicious activity in their traffic without having to rely on decryption.
The solution? Security teams need to look towards using behavioural analytics to detect what is happening within encrypted traffic flows. A combination of machine learning and artificial intelligence, behavioural analytics can analyse encrypted traffic in near real-time without decryption. By accurately understanding the abnormalities between normal and anomalous behaviour, it significantly increases the rate and speed at which malicious activity concealed in encrypted traffic can be detected, whilst ensuring data remains private.
Security teams can then react immediately to contain the threats it identifies – rather than responding after the fact, when banks might only realise that an attack has taken place after a customer has experienced a breach.
Protecting finance as CNI
The ever-increasing interconnectedness of all things and ongoing geo-political conflicts means that attacks to critical infrastructure can only increase, with financial services front and centre as an obvious target.
Security teams need to quickly wake up to the reality that the threat isn’t just incoming, but that there may be hostile presences on their network already concealed within encrypted traffic. And the longer they wait to identify it, the greater risk it poses when the malicious actor decides to strike.