The opening weeks of 2015 have already seen two of the biggest cyberattacks in history make headlines worldwide. First there was the massive data breach at the leading US health insurer Anthem, which exposed the identifiable personal data of tens of millions of individuals – including those in health plans not operated by the group. This was swiftly followed by reports of the Carbanak cyber-heists that are estimated to have stolen up to US$1bn from more than 100 banks and financial entities worldwide.
The attack on Anthem was probably not a smash-and-grab raid, but instead a sustained, low-key siphoning of information over a period of months. The breach was designed to stay below the radar of the company’s IT and security teams. It did so by using a bot infection to smuggle out of the organisation the type of personally-identifiable data that is the stock-in-trade of operators across the finance sector. It is believed that the attack may have started up to three months before it was discovered, using customised malware to infiltrate Anthem’s networks and steal data. The exact malware type was not disclosed, but is reported to be a variant of a known family of hacking tools.
In the Carbanak attacks, a series of thefts occurred as hackers breached banks’ systems using spear phishing techniques. These tricked employees into clicking on malicious downloads by using crafted, targeted emails. The malware gave the hackers access to banks’ internal networks, where they could quietly explore and gather information on the organisations’ systems and procedures, and work out the best method for stealing money. In some cases, this involved quietly transferring funds between various accounts and even crediting accounts with large sums before withdrawing identical amounts, so that the thefts appeared to be erroneous transactions.
Attacking under the Radar
Following the Carbanak cyber-thefts, an international survey of 175 heads of financial organisations by PwC showed that they rated online attacks as the second-biggest perceived danger to their industry, with only regulation a greater concern. The reason why finance executives are particularly worried about cyberattacks is because of their sophistication.
The recent online breaches had gone undetected for weeks, or even months, because the criminals manipulate institutions’ own business-as-usual processes to stealthily move assets around and siphon them away without attracting attention. In many cases, the banking transactions made by the hackers appeared to be legitimate – making the attacks a true ‘inside job,’ devised by individuals or gangs with in-depth understanding of how the organisations’ business and financial systems work.
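The "credit then withdraw the identical amount" pattern described above is the kind of business-as-usual activity that a transaction monitor can still single out. The following is an added illustration, not code from the article or from any bank's monitoring system; the ledger, account ids, channels and thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    ts: datetime
    account: str
    kind: str      # "credit" or "debit"
    amount: float
    channel: str   # constructed channel labels, e.g. "internal_adjustment", "atm"


# Constructed sample ledger (not real data): A-100 receives an out-of-band credit
# and the identical amount leaves by ATM a few hours later, so the net balance
# change looks like a corrected error rather than a theft.
SAMPLE_LEDGER = [
    Txn(datetime(2015, 2, 1, 9, 0), "A-100", "credit", 1000.0, "salary"),
    Txn(datetime(2015, 2, 1, 23, 15), "A-100", "credit", 9000.0, "internal_adjustment"),
    Txn(datetime(2015, 2, 2, 2, 40), "A-100", "debit", 9000.0, "atm"),
    Txn(datetime(2015, 2, 2, 10, 0), "A-200", "credit", 500.0, "internal_adjustment"),
    Txn(datetime(2015, 2, 5, 10, 0), "A-200", "debit", 500.0, "wire"),
]


def find_inflate_then_drain(ledger, window=timedelta(hours=48), min_amount=5000.0):
    """Return (credit, debit) pairs where an account is credited with at least
    `min_amount` and the same amount is withdrawn within `window`.  Both the
    window and the floor are assumed tuning values for the example."""
    by_account = defaultdict(list)
    for txn in sorted(ledger, key=lambda t: t.ts):
        by_account[txn.account].append(txn)

    hits = []
    for txns in by_account.values():
        credits = [t for t in txns if t.kind == "credit" and t.amount >= min_amount]
        debits = [t for t in txns if t.kind == "debit"]
        for credit in credits:
            for debit in debits:
                in_window = credit.ts < debit.ts <= credit.ts + window
                if in_window and abs(credit.amount - debit.amount) < 0.01:
                    hits.append((credit, debit))
    return hits


if __name__ == "__main__":
    for credit, debit in find_inflate_then_drain(SAMPLE_LEDGER):
        print(f"{credit.account}: {credit.amount} in via {credit.channel} "
              f"at {credit.ts}, out via {debit.channel} at {debit.ts}")
```

Only the A-100 pair is reported with the default settings; the A-200 pair is the same shape but falls outside the 48-hour window, which is why the window and the amount floor need tuning per institution.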
While these attacks employed a variety of approaches to breach very different types of organisation and gain different rewards, they had a great deal in common. Both started with simple, targeted phishing emails, probably containing a file attachment with a malware payload. Once an unwitting employee had clicked on the attachment, the security of the organisations was compromised and the malware was able to infect the network. It’s just a numbers game for the hackers, as it is only a matter of time before a user falls for the social engineering exploit.
Drawing a Line in the Sandbox
So how should the finance sector secure itself against such online threats? In the majority of cases, the attacks are able to evade conventional security defences because the criminals use obfuscation tools to conceal the malware’s identity from traditional, signature-based antivirus solutions. This means that even older, known malware can be disguised and slip under the security radar.
To mitigate this risk, organisations can add an extra layer of defence against malware using a technique known as threat emulation or ‘sandboxing.’ This technology analyses the files carried in emails for virus-like behaviour, then isolates any suspicious files before they arrive in employees’ email inboxes. It can be deployed on the gateway at the network edge or in the cloud, ensuring that infection does not occur in the first place – thus providing an external layer of protection against attacks without impacting the flow of business.
Employee education about email- and web-based infections is also an important step in protecting against breaches. Teaching staff to watch for vital email social-engineering clues – such as misspelled emails, unexpected email attachments or links – can make a big difference in reducing the potential for a hacking attempt being successful.
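The gateway-side check described in the two paragraphs above, as an added example that is not code from the article or from any vendor's threat-emulation product: it parses an inbound message, applies the same clues staff are taught to look for (lookalike sender domain, unexpected executable or double-extension attachment, links to lookalike hosts) and routes anything suspicious to a sandbox queue instead of the inbox. The sample message, the trusted-domain set and the extension list are all constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample message (not a real phishing email): a spear-phishing style
# lure with an executable attachment disguised by a double extension.
RAW_MESSAGE = b"""From: "Payments Desk" <payments@examp1e-bank.com>
To: clerk@example-bank.com
Subject: Urgent: please review attached invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please open the attached invoice and confirm at http://examp1e-bank.com/login
--XX
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XX--
"""

TRUSTED_DOMAINS = {"example-bank.com"}   # assumption: the organisation's own domains
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".jar"}
URL_RE = re.compile(r"https?://([^\s/]+)")


def lookalike(domain):
    """True when a domain differs from a trusted one only by digit-for-letter swaps."""
    normalised = domain.lower().replace("1", "l").replace("0", "o")
    return domain.lower() not in TRUSTED_DOMAINS and normalised in TRUSTED_DOMAINS


def triage(raw):
    """Return (verdict, reasons); 'sandbox' holds the mail for emulation, 'deliver' passes it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender_domain = str(msg["From"] or "").rsplit("@", 1)[-1].rstrip(">").strip()
    if lookalike(sender_domain):
        reasons.append(f"lookalike sender domain {sender_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"executable attachment {name}")
        if name.count(".") > 1:   # heuristic: "invoice.pdf.exe" style names
            reasons.append(f"double extension {name}")
    body = msg.get_body(preferencelist=("plain",))
    for host in URL_RE.findall(body.get_content() if body else ""):
        if lookalike(host):
            reasons.append(f"link to lookalike host {host}")
    return ("sandbox" if reasons else "deliver"), reasons
```

A verdict of "sandbox" is the point at which a real gateway would detonate the attachment in emulation; nothing here opens or executes the file.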
In conclusion, even the most sophisticated attacks against the finance sector start with the same, simple steps that try to exploit people's weaknesses. Stopping these attacks requires a mix of employee awareness and updated, comprehensive security protections on both organisations' networks and employees' computers. With these measures, there's the best possible chance that future attempts at cybercrime won't pay.
Further articles on tackling cybercrime will be published by gtnews in March 2015