The losses being reported for recent bank cyberattacks are frighteningly large– banking cybercrime in 2016 most definitely pays.
Things used to be so simple in the Good Old Days…
Ever since the earliest forms of banking were established there has always been a need to protect the currency of the day. The first treasuries were established within temples to ensure that the loot was not only protected physically, but morally too by the overseeing deity.
Bank strong rooms evolved to incorporate increasing levels of physical security. Safes became vaults, with more steel and concrete being used. Similarly, lock technology increased in sophistication and complexity from simple keys to multiple layers of codes and combinations.
When bank heists began to find success via brute force – drilling, explosives and thermic lances will defeat any lock and even reinforced concrete – alarm systems became increasingly valuable. Sensors to detect unexpected activity could alert bank security before the physical vault defenses were breached. Alarm systems meant that the perpetrators were apprehended before a robbery succeeded, a valuable lesson from history that still holds true today.
In the last 20 years, in the banking sector, as in all other industries, the internet has proven to be a game-changer.
The opportunities for banks to trade faster, more simply and on a global scale has revolutionized the business. Unfortunately, the cybercrime industry has developed even faster and man, have they seized the opportunity to make money from the internet-enabled bank!
The big ones that have caused problems recently are the Carbanak APT which is estimated to have netted $1B worldwide, much of this in cold hard cash from hacked ATMs. There was also the more recent Bangladesh bank heist which shows that attacks often succeed more as a result of opportunism rather than necessarily being due to being uber-sophisticated.
What are the attack methods being used? Are these uniquely crafted for the Banking Sector?
Yes and no! The issue is that there is still the ‘mainstream’ tide of malware which is still an issue and a potential threat, but the major concern are the more targeted attacks. Using a modified or mutated version of existing malware provides a convenient, zero day version – zero day means invisible to anti-virus systems and to an extent, sandbox and IPS systems.
How are these new APT Malware attacks formulated?
Right now there has never been less of a need to create new malware as Brian Krebs reported recently. Existing malware only needs minor modifications to become operational as a zero day threat.
There still needs to be a vector for the malware – a means by which it can be transmitted – typically a vulnerability that is exploited or complicit or gullible personnel (i.e. phishing attacks), which is why vulnerability management and system hardening are key actions to take in order to mitigate the threats.
If a system is infiltrated by a Banking APT, what is the likely trajectory or behavior of the attack?
In a sophisticated attack such as the Carbanak attack, this was the very model of an APT (Advanced, Persistent threat) in that it gradually penetrated further into banking systems over time, stealing credentials in order to gain progressively higher access to more critical systems and provide remote control capabilities and video monitoring of systems usage. The payoff for the attack was to allow the gang to help themselves to bank reserves and move money to their accounts at will through their access and control of core bank systems. In one especially audacious and creative move, the gang re-programmed ATMs to dispense cash on demand, issuing 5,000 Ruble notes when 100 Ruble notes were requested.
Targeting of ATMs is a scary prospect – how do Banking cyberattacks differ to those active in the Retail sector?
The banking attacks have been successful in directly providing access to funds transferred from bank reserves, whereas Retail attacks have tended to focus on Card Data theft, such as Home Depot, Target etc. Card data is still a highly valuable commodity that allows goods to be acquired fraudulently to be converted to cash. Card Payment Merchants are mandated to comply with the Payment Card Industry Data Security Standard, or PCI DSS, which outlines a series of 12 requirements for the operation of cyber security controls. These include vulnerability management, secure application design and testing, data encryption and breach detection technology, such as file integrity monitoring and event log analysis.
What are the key action points for Information Security teams in the banking sector?
In common with the PCI DSS, layered security best practices are needed to defend effectively against the entire range of insider threats, malware and phishing. Systems must be hardened to reduce the ‘attack surface’ presented by systems, and this must be underpinned by regimented patching with tight change control to better highlight the smoking gun of a breach – unexpected system changes. Internal segmentation of networked systems will help compartmentalize any malware infiltration. And because no system can ever be truly 100% secure, breach detection is critical.
Seems that when it comes to security, as with most other things in life, history tells us everything we need to know.