Banks ripe for the next cyberattack

In January this year, three major UK banks came under attack. For two full days Lloyds Banking Group, Halifax and Bank of Scotland fought to counter an online attack that saw their systems bombarded by millions of fake requests in a denial of service (DOS) attack. The attack had the potential to block access to more than 20 million British accounts.

This is just one example of the threats that banks around the world face and it comes just a few months after another attack against Tesco bank that compromised 9,000 accounts and cost more than £2.5 million ($3.2 million).

With Prof Richard Benham, chairman of the National Cyber Management Centre, warning that “a major bank will fail as a result of a cyberattack in 2017 leading to a loss of confidence and a run on that bank,” the issue of cybersecurity in the financial sector has risen in prominence. Recent cyberattacks on the UK’s NHS and attempted cyberattacks on Parliament have demonstrated the threat such attacks could pose and emphasised the need to address vulnerabilities. Most experts agree it is not a matter of if but when. The question is: what can be done to prevent such attacks in the current context?

Venafi’s Chief Cybersecurity Strategist, Kevin Bocek notes that 2016 saw multiple attempts to hack the SWIFT system, one resulting in an $81 million loss for Bangladesh’s Central Bank and he believes that we are likely to see this trend continue. In the case of the SWIFT hack, the attackers were able to use malware to access the SWIFT user interface, which gave them access to the system and allowed them to conceal fraudulent transfer requests made over SWIFT, hiding the fraud in plain sight. “Future attacks on banks and other financial institutions are likely to follow this pattern, using trusted traffic for a more nefarious purpose,” he says.

Rafe Pilling, senior security researcher at SecureWorks, believes that the failure of a major bank in 2017 due to cyberattack is unlikely. He does, however, note that the cyberthreats to the financial sector are significant and persistent because as the saying goes “that’s where the money is”.

“In the past 12 to 18 months we’ve seen attempted and successful thefts of millions of dollars from banks around the world by state sponsored actors,” Pilling says. There has been a persistent deluge of banking trojans, ransomware and business email compromise frauds indiscriminately affecting the financial sector and a concomitant rise of targeted cybercrime against banks in Eastern Europe and Asia.

“This trend is likely to continue as organised cybercrime gangs migrate from indiscriminate banking Trojan fraud to more targeted surgical attacks against banks, although we’re less likely to see this in Western Europe and the US as they focus on softer targets in other regions.”

Stu Bradley, VP of Cybersecurity at SAS, says that no geography is immune to cyberattack—and, historically speaking, banks have been high on the list of targets. There are many methods hackers use to steal credentials, take over accounts, or compromise payment functions that result in losses for the bank. In fact, Bradley says, even as the community of adversaries is growing, one can go on the dark net and buy all sorts of different malware or even the blueprints to execute an attack on a specific organisation. This sort of information is being bought and sold every day, and it’s a very sophisticated business.

He adds that these criminals are operating in a fairly risk-free environment, since a hacker can perpetrate an attack from anywhere in the world and likely not be caught and prosecuted. “Banks are facing an ‘it’s not if, but when’ cybersecurity scenario,” he says.

In most instances, attacks against banking or financial services systems tend to focus on the systems of authentication, privacy and control—which establish trust on the internet—essentially turning our defences against us.

Bocek says the real the dilemma for banks is that such traffic needs to be encrypted to be protected. “Traditional cybersecurity tools are unable to inspect encrypted traffic, and are therefore blind to nefarious intruders that are misusing encryption,” he says. “So to fix this problem banks need to lift the blinders and ensure they are decrypting and inspecting this traffic, to ensure they are not unwittingly letting the bad guys into their systems.”

A critical step for banks, and systems such as SWIFT which has already shown itself to be vulnerable, in mitigating the risk of breaches like these is to make sure they are able to determine who and what can and cannot be trusted. Only by understanding how this system of digital trust that depends on keys and certificates is breached can they hope to secure the global banking system of the future.”

Bradley says that unfortunately, most intrusions go undetected for weeks or months, and the majority of hacks are still detected third parties—in this case the bank’s customers—rather than the bank itself.

He advises that security analytics provides financial institutions with a scalable means to analyse the breadth of their network data to identify slight anomalies in patterns that signal a hacker’s movements. Once detected, they can take immediate action to eradicate the threat and prevent a breach.

Tim Helming, director of product management at DomainTools, says that if threat hunting is not already part of a bank’s SOC (security operations centre) methodology, it should be. Attacks have to be staged before they are ultimately carried out, and good threat hunting teams can sometimes discover and stop the adversary before the attack is fully carried out. He also highlights the need for banks (and all organisations) to review their logging policies, because logs—from servers and network devices—can be key to spotting adversary activity.

Since attackers typically have to exfiltrate data, Helming advises organisations to lock down the egress of traffic, for example, by running security systems that enforce protocol adherence to prevent attackers from “tunnelling” valuable data out of the organisation.

This alone is not enough and banks need to ensure that in addition to their own defences, they are also educating their customers about security risks in the digital space.

Michael Fimin, CEO and cofounder of Netwrix, emphasises that no matter what cybersecurity defences financial companies implement, they cannot escape being a prime target. Fimin notes, though, that while banks and financial institutions recognise the need to address cybersecurity, they tend to be quite cautious and conservative in their approaches.

This is reflected in their relatively cautious approach to the cloud. “Most services offered by major cloud providers have advanced levels of security that many organisations could not justify replicating on premise. Yet, banks are in no hurry to embrace cloud services,” he says.

Netwrix’s 2016 Cloud security survey of financial organisations offers a clue to why. Among the institutions polled, unauthorised access (80%), need for encryption (60%) and denial of service (45%) emerged as the top security concerns. Asked directly whether service providers, hackers or employees pose the biggest risk to data in the cloud, 58% of banks didn’t hesitate to say “employees”.

“When it comes to data security, banks are most concerned about the unpredictable nature of the threat from within and the fact there isn’t any easy way to stop them,” Fimin adds.

The survey found that 95% of banks in the study said the answer lies in having much clearer visibility of the activity within business critical systems.

“The best way forward is to make use of systems that enhance network visibility coupled with reliable user behaviour analytics,” Fimin says. “Then, regardless of whether the threat comes from inside or out, is sophisticated, unexpected or as yet unknown, banks will be able to detect suspicious activity at an early stage and take action before any harm can occur.”