Authored by: Vijay Bhat, Sales Engineer, Cyberbit
In May this year, First American, a leading provider of title insurance and settlement services to the mortgage and real estate industries, suffered a data breach. Interestingly, the data had first been exposed in 2013, in document number 000000075. It contained sensitive customer information including Social Security numbers, driver’s licence images, financial data, and transaction records. In total, the vulnerability exposed 885 million customer records.
This wasn’t the only breach that took place in 2019, however. According to Stan Black, CISSP and CIO at Citrix Systems, the FBI had contacted the American multinational software company to inform it that it had been compromised by an international network of cyberattackers. The attackers had penetrated its server, which is used by more than 400,000 organizations globally, and downloaded sensitive business documents.
The Financial Crisis: How can technology prevent new-age financial cyberattacks?
Lately, there has been a rise in cyberattacks carried out against Financial Institutions (FIs) and their third-party vendors. The attacks are getting more sophisticated with every passing day, often iterating on already known TTPs (Tactics, Techniques, and Procedures). Terabit-scale DDoS attacks, novel APTs (Advanced Persistent Threats), and rapidly proliferating malware are a few examples.
In past years there has also been a range of attacks that used social engineering to compromise some of the best-defended FIs, as in the case of attacks conducted via SWIFT (Society for Worldwide Interbank Financial Telecommunication). SWIFT provides a secured network used by global banks to send and receive financial transaction messages. Using social engineering, cyberattackers obtain a bank’s legitimate SWIFT credentials and then use them to relay multiple fund transfer requests. If the receiving bank honours them, the attack succeeds and the originating bank loses the transferred amount.
Beginning with the 2016 Bangladesh Bank heist, this tactic has been used repeatedly to transfer millions of dollars from FIs in Vietnam, Ecuador, Ukraine, Russia, and India, among other countries.
Over recent years, the industry has developed AI-based technologies that leverage big data to analyse large amounts of information and detect these types of attacks. An example is Endpoint Detection and Response (EDR).
An EDR uses an agent installed on the organization’s endpoints. It records all activity in a central big-data repository and analyses it to reveal the most evasive and signature-less threats targeting financial institutions, serving as an effective last line of defence.
Here are three ways in which EDR solutions help FIs:
- Detecting Signature-less Attacks: When your antivirus blocks a malicious file, it detects the characteristics of the file, i.e. its ‘signature’. If the signature of a file is identical to that of known malware, the antivirus automatically flags and blocks it. However, seasoned attackers will never use a file with a known signature. Rather, they will package a dedicated file that can circumvent endpoint security solutions and sandboxes. Modern EDR solutions do not rely exclusively on file signatures; they also adopt AI-based algorithmic approaches and behavioural analytics that can identify malicious activity.
- File-less Attacks: File-less attacks exploit legitimate, whitelisted applications, such as Windows PowerShell, to run malicious commands. These commands and scripts go undetected by most security solutions, often allowing attackers to reach critical applications, gain administrative permissions, and so on. This is another area where behavioural analytics can play a critical role in identifying anomalous activity by a whitelisted application.
- Low and Slow Attacks: Attackers often maintain a low profile to stay under the radar while exploring the organizational network or performing small-scale malicious actions, such as transferring small amounts of money that do not trigger alerts. EDRs keep collecting all relevant data and analysing it over a long period of time. This approach enables them to identify “low and slow” attacks and detect them before they cause business damage.
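To make the second and third points concrete, here is a small Python model of both ideas, added for this article and not Cyberbit’s or any real EDR’s detection logic: a behavioural rule that judges a whitelisted PowerShell by its parent process and command-line flags rather than by file hash, and a sliding-window count that surfaces a “low and slow” drip of weak signals that no single day would alert on. The telemetry, host names, parent processes and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-start telemetry in the shape an EDR agent might report;
# hosts, parents and command lines are invented for this example.
PROCESS_EVENTS = [
    {"host": "fin-ws-02", "parent": "winword.exe",
     "cmdline": "powershell.exe -w hidden -enc QUJD"},
    {"host": "fin-ws-03", "parent": "services.exe",
     "cmdline": "powershell.exe -File C:\\ops\\backup.ps1"},
]
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
ENCODED_FLAGS = {"-enc", "-ec", "-encodedcommand"}

def behavioural_alerts(events):
    """Judge a whitelisted scripting host by how it is used, not by file hash."""
    alerts = []
    for e in events:
        tokens = e["cmdline"].lower().split()
        if not tokens or tokens[0] != "powershell.exe":
            continue
        reasons = []
        if e["parent"].lower() in DOC_PARENTS:
            reasons.append("spawned by document app " + e["parent"])
        if ENCODED_FLAGS & set(tokens):
            reasons.append("encoded command")
        if "hidden" in tokens and {"-w", "-windowstyle"} & set(tokens):
            reasons.append("hidden window")
        if reasons:
            alerts.append((e["host"], "; ".join(reasons)))
    return alerts

# Constructed weak signals (host, ISO time): two per day on one host for two
# weeks, which never exceeds a per-day limit but adds up across a window.
WEAK_SIGNALS = [("fin-ws-03", f"2019-06-{d:02d}T{h:02d}:00")
                for d in range(1, 15) for h in (10, 16)]
WEAK_SIGNALS.append(("fin-ws-01", "2019-06-03T11:00"))

def low_and_slow_alerts(signals, window_days=7, window_limit=10):
    """Return {host: (max_per_day, max_in_window)} for hosts over window_limit."""
    per_host = defaultdict(list)
    for host, ts in signals:
        per_host[host].append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        max_day = max(sum(1 for x in times if x.date() == t.date()) for t in times)
        max_win = max(sum(1 for x in times
                          if t - timedelta(days=window_days) < x <= t) for t in times)
        if max_win > window_limit:
            alerts[host] = (max_day, max_win)
    return alerts
```

The drip host never exceeds two signals a day, yet the seven-day window count reaches 14, which is the kind of long-horizon aggregation a per-day rule misses.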
Apart from deploying an effective EDR, FIs must build their cyber resilience by defining incident response playbooks and using repeatable processes. Start by reading the detailed Reserve Bank of India guidelines defining how FIs should develop and implement their cybersecurity framework. The majority of these processes can be automated using a SOAR (Security Orchestration, Automation, and Response) solution, which can dramatically reduce response time.
In a nutshell, the cybersecurity measures taken by Indian FIs, which are digitizing rapidly alongside the rest of India, must be enhanced to avoid the next wave of cyberattacks. This will be a prudent step that helps the FIs, their customers, and the market. The decision is completely for them to take.