The financial sector is historically one of the most secure industries in the world. It needs to earn trust and convince customers that their hard-earned money is safe. Yet because banks guard the one thing cybercriminals want most, money, their security teams are under relentless pressure.
Attackers are prepared to invest time and resources, and to collaborate, in order to develop new and more effective ways to reach the digital vault and make off with the money. Our third Modern Bank Heist report collected the views of 25 security leaders. It found that attackers are evolving and getting more sophisticated as they aim to secure long-term illicit access to banking systems, and that they are capitalising on the disruption of COVID-19 to do so. So, what can we learn from the data revealed in the report, and how can we combat the emerging threats?
COVID-19 surge hits the financial sector
Among the CISOs we surveyed, 80% said they had experienced an increase in cyberattacks over the past twelve months, up 13% on a year ago. Some of this is attributable to the COVID-19 surge: separate VMware Carbon Black data shows a 238% increase in attacks on finance sector targets between February and April 2020, and ransomware attacks on the sector rose ninefold over the same period. Closer analysis shows that notable alerts observed in VMware Carbon Black data spiked in step with significant moments in the COVID-19 news cycle, which indicates that attackers are capitalising on disruption to strike while the world looks the other way.
The majority (82%) of our CISOs noted an increase in attack sophistication over the past year. The way attacks are developing gives us valuable insight into attacker behaviours that should inform our response. Overall, we are seeing attackers move past inelegant “smash and grab” tactics and towards more of a “hostage situation.” Their motivation is to gain and retain footholds in target networks for long-term campaigns.
The Kryptik trojan and Emotet malware continue to feature among the top attack types experienced. They are often used in longer and more complex campaigns that lean on native operating system tools, the goal being to remain undetected or to establish a base from which to island-hop to a larger and more lucrative target. Another sign that attackers are operating for the long term is that the most prevalent MITRE ATT&CK technique affecting the finance sector over the past year is T1057 – Process Discovery (observed in 64% of attacks). It shows that attackers are investing in reconnaissance: enumerating what is running on a host tells them which security tools, monitoring agents and business applications are present, and that knowledge lets them work out how to move through a financial institution undetected. They are also ramping up their awareness of incident response tactics and seeking blind spots that they can exploit to remain invisible.
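As an added illustration (not code from the report or from VMware Carbon Black), here is a small Python detection for Process Discovery carried out with native operating system tools, run over a few constructed process-creation events. The event fields, the parent-chain heuristic, the severity tiers and the host and account names are assumptions chosen for the example, not a vendor schema or rule set.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Native tooling an intruder uses to enumerate processes (ATT&CK T1057), per platform.
PROCESS_DISCOVERY = {
    "windows": [
        re.compile(r"^(?:\S*\\)?tasklist(?:\.exe)?\b", re.I),
        re.compile(r"^(?:\S*\\)?wmic(?:\.exe)?\s+process\b", re.I),
        re.compile(r"\bGet-Process\b", re.I),
        re.compile(r"\bWin32_Process\b", re.I),
    ],
    "linux": [
        re.compile(r"^(?:/\S*/)?(?:ps|pstree|top)\b"),
        re.compile(r"^(?:/\S*/)?ls\s+/proc\b"),
    ],
}

# Parents that have no business spawning a shell that enumerates processes
# (the Emotet-style chain is document -> macro -> cmd/powershell -> discovery).
DOCUMENT_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "outlook.exe",
                             "mshta.exe", "wscript.exe", "cscript.exe"}
PRIVILEGED_ACCOUNTS = {"system", "nt authority\\system", "root"}


@dataclass
class ProcEvent:
    """Constructed process-creation record; field names are assumptions, not an EDR schema."""
    host: str
    platform: str        # "windows" or "linux"
    user: str
    ancestry: List[str]  # parent image, grandparent image, ... (names only)
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    severity: str
    reason: str


def is_process_discovery(ev: ProcEvent) -> bool:
    cmd = ev.cmdline.strip()
    return any(p.search(cmd) for p in PROCESS_DISCOVERY.get(ev.platform, []))


def assess(ev: ProcEvent) -> Optional[Finding]:
    """Score a T1057 event on context: what spawned it and which account ran it."""
    if not is_process_discovery(ev):
        return None
    reasons = [f"process enumeration via {ev.image}"]
    severity = "low"  # admins run tasklist/ps all day; the command alone is noise
    if {a.lower() for a in ev.ancestry} & DOCUMENT_AND_SCRIPT_HOSTS:
        severity = "high"
        reasons.append("spawned under a document or script host")
    if ev.user.lower() in PRIVILEGED_ACCOUNTS or ev.user.endswith("$"):
        severity = "high" if severity == "high" else "medium"
        reasons.append(f"run as {ev.user}")
    return Finding(ev.host, ev.user, "T1057", severity, "; ".join(reasons))


def hunt(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry for the demo (not real data).
SAMPLE_EVENTS = [
    ProcEvent("wks-042", "windows", "CORP\\jdoe", ["explorer.exe"],
              "cmd.exe", "tasklist /v"),
    ProcEvent("wks-017", "windows", "CORP\\asmith", ["cmd.exe", "winword.exe", "explorer.exe"],
              "powershell.exe", 'powershell -nop -w hidden -c "Get-Process | Select Name,Id"'),
    ProcEvent("wks-017", "windows", "CORP\\asmith", ["winword.exe"],
              "cmd.exe", "cmd /c whoami"),
    ProcEvent("srv-db-03", "linux", "root", ["sshd", "systemd"],
              "ps", "ps -ef"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host} {f.user} {f.technique}: {f.reason}")
```

Process enumeration by itself is everyday administration, which is why the rule scores on who spawned the command and which account ran it rather than on the command string alone; a macro-launched PowerShell that lists processes is a different event from an administrator typing `tasklist`.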
Island hopping experienced by one third
33% of the CISOs surveyed reported experiencing island hopping, where supply chains and partners have been unwitting vectors for attacks. The most common form is network-to-network. However, one fifth reported suffering watering hole attacks, where hackers compromise a website frequently visited by the target's customers or staff, or use stolen access credentials to tamper with the financial institution's own site, and then use it to push malware into visitors' browsers.
Island hopping-as-a-service is also on the rise. In 2019 our analysts uncovered a secondary component in a well-known cryptomining campaign, designed to exfiltrate system access information for sale on the dark web. It is a significant change in behaviour that defenders need to keep on their radar: what looks like one type of attack may be cover for another.
“Virtual Invasions” on the rise
Almost two thirds (64%) of those surveyed said they had seen increased attempts at wire transfer fraud, up 17% compared with 2019. These attacks rely on attackers' knowledge of gaps in the business's verification process, or on direct social engineering of customers or customer service representatives.
Counter-incident response up as attackers evade detection
Almost a quarter (24%) of our surveyed CISOs had witnessed counter-incident response, as attackers prioritise persistence and seek to retain their foothold in the financial institution's network. We expect this to escalate in the coming year. Tactics such as log deletion, manipulation of timestamps and disabling of security controls will all feature as attackers cover their tracks. Related to this are destructive wiper attacks designed to “burn the evidence” of infiltration, which prevents defenders from conducting the forensic analysis needed to stop the same vectors being used in future. It has major implications for incident response: we need to get more clandestine.
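Added example, not from the report: two checks in Python for the counter-incident-response tactics just listed, log clearing and control disabling on the one hand and timestamp manipulation on the other. The Windows event IDs (1102, 104, 5001) are the real ones; the event record layout, the host and account names and the one-year timestomp threshold are assumptions made for the example. The timestomp check runs against real files it creates in a temporary directory.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Tuple

# Windows events that mean someone is erasing evidence or blinding the endpoint.
# The IDs are real; every record below is constructed for the demo.
COUNTER_IR_EVENTS = {
    ("Security", 1102): "Security event log cleared",
    ("System", 104): "System or Application event log cleared",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "Defender real-time protection disabled",
}


@dataclass
class WinEvent:
    host: str
    channel: str
    event_id: int
    user: str
    time: str


def counter_ir_hits(events: List[WinEvent]) -> List[str]:
    """Return one line per log-clearing or control-disabling event."""
    hits = []
    for ev in events:
        label = COUNTER_IR_EVENTS.get((ev.channel, ev.event_id))
        if label:
            hits.append(f"{ev.time} {ev.host} {ev.user}: {label} (EventID {ev.event_id})")
    return hits


# Timestomping sets a dropped file's modification time back so it blends in with old
# files. User space cannot set the inode change time (ctime) on Linux, and on Windows
# Python reports the creation time as st_ctime, so a large ctime-mtime gap on a recently
# created file is a hint worth chasing. Files unpacked from an archive show the same
# pattern, so treat this as a lead to corroborate, not a verdict.
TIMESTOMP_GAP_SECONDS = 365 * 24 * 3600  # one year: assumed tuning value


def looks_timestomped(path: str, gap: float = TIMESTOMP_GAP_SECONDS) -> bool:
    st = os.stat(path)
    now = time.time()
    future = st.st_mtime > now + 60          # a future mtime is never legitimate
    backdated = (st.st_ctime - st.st_mtime) > gap
    return future or backdated


def demo_timestomp() -> Tuple[bool, bool]:
    """Create two fresh files, backdate one the way `touch -d` or SetFileTime would,
    and return (fresh_flagged, backdated_flagged)."""
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "report.txt")
        stomped = os.path.join(d, "update.dll")
        for p in (fresh, stomped):
            with open(p, "w") as fh:
                fh.write("x")
        five_years_ago = time.time() - 5 * 365 * 24 * 3600
        os.utime(stomped, (five_years_ago, five_years_ago))  # attacker-style backdating
        return looks_timestomped(fresh), looks_timestomped(stomped)


# Constructed event records (not real telemetry).
SAMPLE_EVENTS = [
    WinEvent("srv-fs-01", "Security", 4624, "CORP\\svc_backup", "2020-04-12T02:13:05Z"),
    WinEvent("srv-fs-01", "Security", 1102, "CORP\\svc_backup", "2020-04-12T02:14:40Z"),
    WinEvent("wks-017", "Microsoft-Windows-Windows Defender/Operational", 5001, "SYSTEM",
             "2020-04-12T02:20:11Z"),
    WinEvent("srv-fs-01", "System", 7036, "SYSTEM", "2020-04-12T02:21:00Z"),
]

if __name__ == "__main__":
    for line in counter_ir_hits(SAMPLE_EVENTS):
        print(line)
    print("timestomp check (fresh, backdated):", demo_timestomp())
```

Both checks are cheap because the attacker's own clean-up leaves a trace: clearing a log writes an event about the clearing, and backdating a file cannot reach the timestamp the kernel controls. Ship the Security and Defender channels off-host before an intrusion so that a cleared local log does not take the 1102 record with it.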
Five tips for incident response
VMware Carbon Black Senior Threat Researcher Greg Foss has five tips for incident response to avoid alerting adversaries:
- Stand up a secondary line of secure communications: This is vital to discuss the ongoing incident. Assume all internal communications are compromised and visible to the adversary.
- Assume adversaries have multiple entry points: Shutting off one entry point may not remove the attacker and may have the opposite effect by notifying the attacker you are aware of their presence.
- Watch and wait: Don’t immediately start blocking malware activity and access, or terminating the C2. You need to monitor closely to assess the scope of the intrusion to work out exactly how to remove the adversary fully.
- Deploy agents in monitor-only mode: If you begin blocking or otherwise impeding activities, they will realise and change tactics, possibly leaving you in the dark.
- Deploy honey tokens or deception grids: Particularly on attack paths that cannot be hardened.
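Added example for the last tip, not code from the report or from the researcher quoted: keyed honey tokens in Python. Each decoy username carries a label for where it was planted plus an HMAC over that label, so a hit in the authentication logs tells you which decoy the attacker found (and therefore which path they took), while a forged token is rejected. The key, the labels, the username format and the log lines are all made up for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Assumed for the demo. The real key stays with the detection team, never on the
# hosts where decoys are planted: an attacker who finds the key could forge tokens.
TOKEN_KEY = b"example-honeytoken-key-not-for-real-use"
TAG_LEN = 12  # hex characters of the HMAC kept in the token (48 bits; enough for attribution)
TOKEN_RE = re.compile(r"svc_([a-z0-9-]+)_([0-9a-f]{%d})" % TAG_LEN)


def _tag(label: str, key: bytes) -> str:
    return hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def mint_token(label: str, key: bytes = TOKEN_KEY) -> str:
    """Decoy username of the form svc_<where-it-was-planted>_<mac>."""
    return f"svc_{label}_{_tag(label, key)}"


def verify_token(token: str, key: bytes = TOKEN_KEY) -> Optional[str]:
    """Return the planting label if the token is one we minted, None for anything else."""
    m = TOKEN_RE.fullmatch(token)
    if not m:
        return None
    label, tag = m.groups()
    return label if hmac.compare_digest(tag, _tag(label, key)) else None


def plant(labels: List[str], key: bytes = TOKEN_KEY) -> List[Tuple[str, str, str]]:
    """(label, username, password) triples to drop into decoy configs, wiki pages,
    browser password stores and the like. The password is random and valid nowhere."""
    return [(lbl, mint_token(lbl, key), secrets.token_urlsafe(16)) for lbl in labels]


def scan_auth_log(lines: List[str], key: bytes = TOKEN_KEY) -> List[Tuple[str, str]]:
    """Any authentication attempt with a decoy username is a hit; report which decoy fired."""
    hits = []
    for line in lines:
        for m in TOKEN_RE.finditer(line):
            label = verify_token(m.group(0), key)
            if label is not None:
                hits.append((label, line.strip()))
    return hits


# Constructed log lines (not real data): one normal login, one genuine decoy, one forged token.
CONSTRUCTED_LOG = [
    "2020-04-12T02:31:07Z vpn-gw-01 sshd[2211]: Accepted publickey for jdoe from 10.20.4.17",
    "2020-04-12T02:33:49Z jump-02 sshd[2290]: Failed password for "
    + mint_token("swift-gateway-readme") + " from 10.20.9.44",
    "2020-04-12T02:34:02Z jump-02 sshd[2291]: Failed password for "
    "svc_swift-gateway-readme_000000000000 from 10.20.9.44",
]

if __name__ == "__main__":
    for label, username, password in plant(["hr-wiki", "ci-runner-env"]):
        print(f"plant in {label}: {username} / {password}")
    for label, line in scan_auth_log(CONSTRUCTED_LOG):
        print(f"HIT decoy '{label}': {line}")
```

Because the decoy credentials are valid nowhere, any attempt to use one is a true positive with no tuning needed, and the label tells you where the attacker has already been. Route these hits to the secondary communications channel from the first tip rather than to an automated block, so the adversary learns nothing from having tripped one.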
The financial sector is facing a threat that evolves as fast as it can adapt. To combat the tactics adversaries are developing, we need to understand more about their behaviour. That means the kneejerk shutting down of attacks must give way to a more clandestine and nuanced approach, one that allows us to learn, combined with collaboration across the cybersecurity and financial sectors. The digital vault is hostage to persistent, resilient attackers who have strategic plans for getting into and remaining in the network. Defenders need to think strategically too if we are to stand a chance of mounting a successful counterinsurgency.
VMware Carbon Black is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The VMware Carbon Black Cloud consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analysing billions of security events per day across the globe, VMware Carbon Black has key insights into attackers’ behaviours, enabling customers to detect, respond to and stop emerging attacks.
More than 6,000 global customers, including approximately one third of the Fortune 100, trust VMware Carbon Black to protect their organizations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use VMware Carbon Black’s technology in more than 500 breach investigations per year.