New “super attacks” are making traditional methods of defence obsolete
There’s a cultural misconception that security equals lockdown in the financial sector; disclosure runs counter to that perception. Banks are less inclined to share intimate details of attacks because they don’t want to damage market confidence and that makes cyber security a major challenge for the sector.
Swift has recently sent a letter out to customers admitting it had suffered further attacks and that the threat is “persistent, adaptive and sophisticated – and is here to stay”. It identified the weak point as bank environments themselves. Like an extreme form of invoice fraud, fraudulent payments have been submitted from these compromised networks, leading the payment provider to urge its members to up their security game.
But if, as was stated, the threat is adaptive, how can these organisations hope to counter this fraud? The static nature of security provision means most of these organisations will struggle to adapt in time, making compromise inevitable.
Swift has quite rightly encouraged more widespread disclosure: partnerships with other banks, academia and international partners will allow financial institutions to share threat information and improve their shared defences. In the future, banks will have little choice but to engage more with international partners on incident handling, situational awareness, building technical capabilities and capacity. But for now there is a general reluctance to share cyber intelligence. So what can be done?
Vigilance in the form of monitoring, detection and prediction, is the ONLY recourse for defending against this particular type of constantly evolving attack. There needs to be a shift away from post-incident to pre-incident threat intelligence. Detection and remediation is no longer enough. Threat hunting is therefore crucial.
Attacks on global payment mechanisms do not happen overnight. They are carefully planned and orchestrated and evolve. Probing attacks will often follow and if you’re lucky enough to have prior intel from a previous attack, as in this case, patterns may well emerge.
Threat intelligence can mitigate the impact of these attacks and involves aggressive focused tactics that see data sourced from dynamic sources, such as the dark web, before being analysed and filtered for the sector, geography and regulations etc. It’s that active threat intelligednce that makes the difference between a reactive and a proactive capability, buying the sector the time needed to organise defences.
Of course, truly sophisticated attacks will continue to adapt to evade detection and this is why simple signature-based solutions and are powerless in the face of these attacks. Machine learning, whereby the security solution seeks to learn, adapt and even predict the evolution of attacks, is likely to be the way forward.
Predictive threat intelligence which can help determine the probability of an attack happening and the shape of an attack, will allow financial institutions to better correlate likely attack patterns and entry points in their systems.
The concept is still in its infancy but one way of doing so is to use a next generation Security Operations Center (SOC) to provide alerts of specific pending attacks through proactive threat intelligence. The SOC can collect and analyse the motivations, intentions, objectives and capabilities of specific threat actors helping refine results specific to the given industry.
In terms of keeping the local infrastructure secure, the CBEST testing framework (launched by the Bank of England last year) is considered the leading framework for delivering controlled, bespoke, intelligence-led cyber security tests to financial institutions. The tests replicate behaviours of threat actors, assessed by the government and commercial intelligence providers and posing a genuine threat to financial institutions.
CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticate attacks on critical systems and essential services. CBEST provides a holistic assessment of a financial services or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test which will be less time constrained that traditional penetration testing.
The next step for financial institutions will be to not only anticipate what will happen and when it will happen, but also what they should do. This will be achieved by incorporating prescriptive business intelligence into threat intelligence. Prescriptive business intelligence is largely about understanding the focused threat allowing the business to decide on a suitable course of action before an attack.
The lesson from the Swift attacks has to be that this and other types of super attack will become commonplace, making traditional methods of defence obsolete. Waiting until an attack happens is no longer sufficient; we need to begin moving towards predictive threat intelligence that listens to – rather than simply reacts to – attacks and which looks for patterns, monitors, and adapts in concert with attacks.
By James Parry, technical manager, Auriga