How Bank CISOs Can Respond to a Digital Hostage Scenario - Image by Лечение наркомании on Pixabay Trust has always been the cornerstone of the banking industry. Without customer confidence that their assets are secure, banks cannot function. A reputation for having the strongest vaults with the thickest walls and unpickable locks is fundamental. But, as the means of protecting financial assets has moved from the physical to the digital realm, the role of custodian of customer trust has shifted inexorably onto the shoulders of CISOs. Cybersecurity is not just essential to preventing cyber criminals from stealing assets. It has become a brand protection imperative.

VMware’s annual Modern Bank Heist report has identified critical escalations in the sophistication and coordination of attacks against the financial services sector. Cybercriminals and nation-state actors are capitalising on the dual disruptions of the global pandemic and banks’ ongoing digital transformation programmes to broaden and deepen their attack techniques.

They are no longer focused simply on direct monetary gain through wire transfer fraud. They are now hijacking the digital transformation of a financial institution through island hopping and holding them hostage to the threat of destructive attacks.

Island hopping escalates as attackers hijack constituents

38 percent of the financial institutions surveyed in the study said they had encountered island hopping. It represents a 13 percent increase over 2020 (respondents were asked to exclude the SolarWinds campaign from their response).

Island hopping has become the attack vector of choice because, as banks have digitised and their supplier ecosystem has grown, the attack surface has expanded correspondingly. There is quite simply more opportunity now than ever before. Cybercrime cartels have also taken the guesswork out of the game by studying the interdependencies of financial institutions.

They have identified entities such as the Managed Service Providers and outside Counsels used by their target companies. These businesses have become the prime target for infiltration as a stepping stone into the target network. What might previously have constituted a “lucky hit” for a cybercriminal campaign is now a well-researched route to a valuable payoff.

Another commonly reported form of island hopping is watering hole attacks. Here, adversaries hijack websites or mobile apps used by customers for digital banking. It has a direct brand impact where customer trust in visual assets they associate with the bank is hijacked to steal credentials or money. The reputational damage caused by these attacks is immense.

CISOs respond to increased attacks

Faced with these escalating and stealth-focused tactics, what should CISOs be doing in response? The financial institutions we surveyed are committing budget to the battle, with eight in ten planning to ramp up spending by between 10-20%.

Where should spending be focused? Investment priorities include extended detection and response (XDR), threat intelligence, workload security and container security. These priorities show both how attacks have evolved and the new cloud-based infrastructure that has become the target.

Particularly encouraging is the frequency and impact of threat hunting. 48% of surveyed institutions conduct weekly threat hunts. As programmes mature and hunters gain more understanding of their environment, they are driving change at a process and technology level. We see more data science, machine learning and artificial intelligence used to determine what normal looks like and spot anomalies. It is driving a true partnership between human-led hunting and automation.

Best practices to defend against modern bank heists

Adversaries are focusing on gaining undetected access to networks. It means that incident response must be conducted under the assumption that the network has been compromised. The following best practices are advised for defence teams:

  1. Stand up a secondary line of secure communications to discuss ongoing incidents without risk of interception and compromise. This channel should allow for talk, text and file transfer.
  2. Assume the adversary has multiple means of gaining access to the environment and avoid alerting them that you know they’re there. Watch and wait before taking action. Don’t start blocking malware or terminating C2 systems until you are sure you understand all possible avenues of re-entry.
  3. Deploy agents in monitor-only mode. If you begin blocking or impeding their activities, they will change tactics. It potentially leaves you blind to their additional means of re-entry. Rename agents to something innocuous.
  4. Deploy honey tokens or deception grids, especially on attack paths that cannot be hardened.
  5. Apply just-in-time administration.
  6. Integrate your network detection and response with your endpoint detection platform.
  7. Deploy workload security.
  8. Conduct weekly threat hunting.

On top of these tactical activities, we need to see a strategic shift. Three-quarters of CISOs at financial institutions still report to CIOs. Yet, the landscape has changed dramatically over the past year. The switch to work from anywhere has put cybersecurity and CISOs at the centre of business continuity and resilience.

CISOs should be promoted to a true C-level to ensure they have the strategic influence they need to discharge their role effectively. As custodians of a financial institution’s greatest asset – customer trust – their position should be elevated accordingly.

Financial institutions are unquestionably facing new and more pernicious threats. But by leveraging advanced tools and intelligence, they can successfully hunt out and neutralise infiltrators preying on the extended ecosystem.


VMware Carbon Black is a leader in cloud-native endpoint protection dedicated to keeping the world safe from cyberattacks. The VMware Carbon Black Cloud consolidates endpoint protection and IT operations into an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analysing billions of security events per day across the globe, VMware Carbon Black has key insights into attackers’ behaviours, enabling customers to detect, respond to and stop emerging attacks.

More than 6,000 global customers, including approximately one-third of the Fortune 100, trust VMware Carbon Black to protect their organizations from cyberattacks. The company’s partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world’s leading IR firms, who use VMware Carbon Black’s technology in more than 500 breach investigations per year.


Please enter your comment!
Please enter your name here