Two-thousand sixteen continues to deliver a growing number of cyber attacks, while financial institutions continue to be threatened and vulnerable. Sophisticated cyber attackers are clearly able to circumvent traditional cyber defenses and gain access to internal networks—and the longer they stay there, the more likely it is that their attack will succeed.
The strategy of defending a perimeter to keep attackers out is no longer sufficient. Organizations instead need to assume that their network will be penetrated. From this perspective, it is important to define and deploy tools, tactics, and procedures that provide greater visibility into the attacker’s activities. This approach provides the most effective options for finding attackers inside your networks quickly and removing them before they achieve their goals.
We will take financial institutions as an extended example of what’s occurring with cyber attacks.
Cyber attacks continue to significantly impact financial institutions globally. According to TrapX Labs estimates, financial services lost more to direct fraud and theft of monetary assets over the last two years than any other industry. Meanwhile, attacks on critical financial infrastructure continue to spread, targeting automated teller machine (ATM) networks, online banking systems, and specialized financial application transactions.
In one attack, highly sophisticated cyber thieves stole more than $1 billion from more than 100 banks in 24 countries using ATM networks. In another wave of attacks against the SWIFT financial network, attackers harvested more than $100 million in cash from banks worldwide.
At the end of the day, cyber attackers understand bank operations and combine that knowledge with expertise about tools and techniques to conduct sophisticated and remote attacks knowing also that any intervention by local law enforcement will be almost impossible.
Sophisticated cyber attackers have to plan their assaults carefully in order to penetrate a network undetected and bypass perimeter and endpoint security defenses. These attacks often include social engineering as well as other stealth technologies, deployed in reasonable volume or surgically targeted, with the goal of just one successfully penetrating the network. During the initial phase of the attack, perpetrators often deploy specialized malware designed to become a network resident, and then establish a “back door.”
Specifically, a back door provides the attacker two-way access to the network—a way to reach financial institution’s internal systems from the outside, as well as the ability to communicate externally from within. Once the back door is established, the attacker can download sophisticated software tools, establish command and control centers, and begin reconnaissance to map and understand the network’s structure and resources.
Additionally, the hacker can identify resources that support or interconnect with online banking, ATM operations, and specialized financial applications, among other things. A backdoor also allows the hacker to observe banking operations and processes associated with moving and securing money, as well as critical customer data and other core assets.
Once reconnaissance is complete, the attacker can begin in earnest, starting by exfiltrating key data or creating fraudulent transactions to siphon off funds. From there, the attacker steals customer data records and intellectual property, placing them for sale to the highest bidder. Once defrauded, it’s not uncommon for hacked systems to show a series of financial transactions and wire transfers that end in bitcoins transferred via the dark web.
On average, it takes about 98 days for a financial institution to detect an attacker. For attackers, this time is critical due to the fact that it can take days to weeks and even months of work to see an attack through—from establishing a back door to conducting fraud on a major application to extracting customer records. That said, 98 days gives the majority of attackers the time they need to succeed.
Meanwhile, these attackers can remain in the network for week or months because many existing technologies are focused on protecting the perimeter. While a large percentage of banks’ cyber defense budgets is allocated toward advanced firewalls, endpoint detection, and centralized network heuristics (intrusion detection), these technologies consistently fail to keep sophisticated attackers out (as news headlines continue to reveal).
Going forward for financial institutions, and any company, it will be imperative to identify new technologies that can detect an attacker moving deep within internal networks once they’ve already bypassed initial security defenses.
Valuable customer financial data and other liquid assets will continue to position banks as prime targets for cyber thieves. Consequently, attacks against financial institutions won’t go away anytime soon, and in fact, will likely accelerate.
However, new next-generation technologies and the best practices that support them are increasingly able to detect stealthy and sophisticated cyber attackers often in real time.
Detecting threats early in the cycle drastically reduces the window of opportunity for attackers, depriving them of the essential time needed to successfully complete the attack. Dramatically reducing the time attackers typically take to roam throughout the network at their discretion gives financial institutions the ability to turn the cyber thieves into the hunted. And by saving a few seconds, they have the potential to save their organizations millions.
Moshe Ben Simon is the co-founder and vice president of TrapX.