by Josh Lefkowitz, CEO, Flashpoint
There’s no such thing as one size fits all when it comes to the intelligence needed to uncover, characterise, and prevent cyberthreats. Each industry faces unique challenges and vulnerabilities as criminals tailor their activities to target its prime assets. The financial services sector occupies an undeniable position in the crosshairs of cybercriminal activity. Intelligence analysts and cybersecurity teams tasked with protecting the business need an in-depth understanding of the risks and weaknesses of financial institutions so they can mount an effective defence.
Targeting the digital vault
Banks and financial institutions face a complex set of circumstances when it comes to threat management and compliance risk. First, their “product” is the very thing that cybercriminals typically desire most – money – meaning that, unlike many other industries, they are directly targeted on the basis of their core activity. Rather than targeting customers alone, cybercriminals are also focusing on stealing money directly from the source by attempting to gain and maintain a persistent presence on banking networks such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. In 2016, for example, such access was used in an attack against the Bangladesh Bank, which resulted in more than $850 million in fraudulent transactions initiated through the network.
Second, banks collect and process huge amounts of personally identifiable information (PII) to verify customer identities and protect against fraud. This data is a sought-after commodity among criminals who plan to use it to perpetrate the very fraud it’s meant to prevent. The risk here lies on at least two fronts. On one, the data stored on bank networks may be targeted directly, whether through credential theft, credential-stuffing attacks, insider threats, or other means. On the other, the bank’s customers may be hit by phishing and other social engineering schemes, as well as by banking trojans designed to steal their passwords, other security information and credit/debit card numbers.
In addition to these threats, financial institutions have to manage the regulatory and compliance risk they face if their systems are used for illicit purposes such as money laundering.
Tracking emerging tactics, techniques, and procedures
Faced with this litany of threats via multiple vectors, banks adopt a strong defensive posture to protect systems and customers. From physical security to cybersecurity, the finance sector is probably the most advanced in the world.
Defence is less effective, however, without solid intelligence on specific risks that guides where efforts should be focused. To ensure that financial institutions are marshalling their defences effectively and prioritising responses to meet current and emerging threats, business risk intelligence (BRI) provides essential context.
The effective use of BRI starts with anti-fraud and cybersecurity teams working together to build a comprehensive picture of business risk and the weaknesses exacerbating that risk. They then map this information to current intelligence about how their adversaries are planning to exploit those weaknesses. This intelligence can be gathered from multiple sources, from illicit deep & dark web (DDW) forums and open web sources to “card shops” where stolen credit card data is offered for sale – anywhere cybercriminals discuss tactics, plan campaigns, and market their stolen goods. The aim is to use the security and anti-fraud teams’ knowledge of the high-level threats the institution faces to home in on specific indicators of emerging threats directly targeting the company.
From general risk to specific threat
Take as an example the issue of password security. Passwords are a weakness in the security chain and hackers regularly devise tools to crack them and access accounts. Consequently, banks devote resources to protecting against this general threat. However, when BRI uncovers a DDW actor that has released a new version of a password-cracking tool specifically designed to compromise online accounts of a particular bank, that bank can use this information to act swiftly to mitigate the vulnerability.
Similarly, money laundering is a critical risk for financial institutions, which are subject to strict regulation with international jurisdiction and large financial penalties for negligence. All institutions must protect against money laundering through robust policies and compliance checks. However, cybercriminals are always looking for new ways to launder money, so companies must remain alert. As a case in point, our BRI analysts observed discussion of a new criminal technique for laundering funds from compromised bank accounts and stolen credit cards by leveraging subscription services offered with business accounts at a major online payment service. Alerted to this risk, clients were able to take corrective measures to protect customer accounts and eliminate that specific money-laundering risk.
Thinking ahead to monitor strategic risk
Risk assessments and threat monitoring cannot be limited to a point-in-time activity. The financial services environment is constantly changing, and threats emerge and evolve to match. As fast as the sector devises new ways to serve customers and provide convenient, secure access to banking, the cybercriminal community is working on ways to infiltrate and leverage them. One-time codes sent by text message to a customer’s mobile phone to authorise transactions are one such example. This additional security layer was exploited earlier this year by cybercriminals who intercepted the messages by tracking customers’ phones, and used the codes gleaned to empty bank accounts.
Financial institutions need to think ahead whenever a new feature or service is introduced and anticipate how it might be breached, because they can be certain that threat actors are doing just that. Our analysts encountered this prior to the launch of chip-based credit cards in the US. They spotted indicators of compromise on the DDW relating to EMV chip recording software and manufacturing techniques that could be used to make fake chip-enabled cards. This intelligence was used to inform rollout strategies and re-evaluate the risk associated with EMV.
Intelligence analysts need to be fully briefed on the roadmap for financial products and services so that they can keep watch for evidence of emerging threats in the cybercriminal communities they monitor. Armed with BRI, financial institutions can assess risk and identify specific threats. They can also adjust their risk posture based on validated intelligence and better focus defensive activities. This strengthens their ability to protect the digital vault and keep customers’ money and data safer.