Financial institutions are highly vulnerable to cyberattacks. According to Verizon’s 2019 Data Breach Investigations Report, 10% of breaches were in the financial industry.

Not only is the number of attacks increasing, but the attacks have become ever more sophisticated and targeted. As a result, regulatory bodies worldwide like the Reserve Bank of India (RBI) are coming up with a more stringent plan of action.

The world has witnessed several financial cyber heists over the last few years, particularly in Asia, some of which include:

  • Banco del Austro (BDA), Ecuador, in early 2015, where malicious actors stole US $12 million by issuing unauthorized SWIFT messages.
  • The Bangladesh Bank cyber heist in early 2016, in which US $101 million was stolen by means of fake instructions issued via the SWIFT network.
  • Far Eastern Bank, Taiwan, in October 2017, where hackers took hold of US $60 million after planting malware on the bank’s servers.
  • Cosmos Bank, India, in August 2018, where attackers compromised a SWIFT server and transferred nearly US $14 million to foreign accounts.
  • Bank of Valletta, Malta, in February 2019, where hackers broke into the bank’s systems and transferred about 13 million euros to foreign accounts.

US-CERT has published several reports tying the North Korean group HIDDEN COBRA to cyber-attacks on banks in Africa and Asia. Sanctioned countries like North Korea have built cybercrime capabilities to illicitly secure funds from abroad.

Attack Methods and Modus Operandi

The common factor in most of these attacks was the compromise of SWITCH and SWIFT systems, which are responsible for authorizing funds transfers. Attackers succeeded because they were able to identify weak spots: architectural and operational ones, such as exploitable third-party interfaces, or human ones, exploited through well-targeted spear-phishing and social engineering. They then used evasion techniques to bypass conventional security solutions and moved laterally to locate the target servers, from which funds were transferred to foreign accounts.

Why were these cyber-attacks successful?

  • Lack of Organizational Awareness and Training: according to Verizon’s DBIR, the click rate on phishing emails in the financial industry, as observed in tests, is 2.04%. While this is lower than the education sector at nearly 5%, even a single click can result in substantial damage. Financial organizations lack the employee awareness training that can reduce risks like phishing and social engineering.
  • Lack of Security Team Training: the security teams in these organizations had never experienced attacks of this type and magnitude; facing them for the first time during the actual incident reduced their ability to detect and respond effectively.
  • Long Patching Process: the organizations often overlooked the need to patch at the earliest possible point and gave precedence to the risk of downtime over the risk of running unpatched systems.
  • Lack of 2-Factor Authentication: the #1 tactic behind financial breaches, according to the Verizon DBIR, is hacking with stolen credentials. Proper implementation of two-factor authentication can drastically reduce this risk.
  • Lack of Next Generation Endpoint Security: backdoors and malware are the #3 and #4 most common causes of financial breaches, according to the Verizon DBIR. The absence of advanced endpoint security products that can detect unsigned, evasive endpoint threats targeting financial organizations increases risk significantly. Many financial institutions still use endpoint security solutions that rely on IoCs (indicators of compromise) or signatures, which are easy for attackers to evade. AI- and behavior-based solutions like EDR, which leverage big data to collect endpoint telemetry from the entire organization, are more likely to detect such attacks.
  • No Automated Monitoring of Critical Systems: there is no specific automated monitoring of mission-critical components, including SWIFT servers and ATMs.
  • No Manual Checkpoints to Review Large Transfers: large transfers should require a manual review step, and none was in place.

How EDR Detects Financial Attacks

Statistics show that it is only a matter of time and persistence before evasive attackers make their way into an organization’s network. Financial organizations must therefore assume they will be attacked, and that not every attack can be prevented. To be ready, they must implement more advanced security solutions that can quickly alert their analysts and provide rapid situational awareness and visibility. Here are some use cases where Endpoint Detection and Response (EDR) can help a BFSI organization:

  • EDR detects signature-less attacks: most attacks on BFSI organizations will not have a known signature. Unlike conventional solutions like AV, EDR uses algorithmic approaches, including machine learning, artificial intelligence, and behavioral analysis, to detect suspicious behaviors.
  • EDR detects file-less attacks: nowadays, evasive attacks often leverage whitelisted Windows applications like PowerShell to do damage in a completely file-less fashion. EDR solutions work by analyzing behaviors rather than evaluating files, and are therefore the only effective way to cope with file-less attacks.
  • EDR detects low and slow attacks: EDR aggregates endpoint data in a big-data repository and analyzes it continuously, gradually connecting the dots by correlating individually suspicious activities into a single coherent multi-stage attack story. As a result, it can detect “low and slow” attacks that often go under the radar.
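The correlation idea behind the last two points, as an added illustration that is not part of the original post or any vendor’s product: constructed endpoint telemetry (hostnames, dates and event details are all made up) is grouped per host, and a host is flagged only when several distinct attack stages accumulate within a long window, even though each event on its own is too weak to alert on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real data). Each record is
# (timestamp, host, attack stage, detail). Individually, every event here
# is low severity and would not justify an alert on its own.
EVENTS = [
    ("2019-03-01 09:12", "wks-17", "initial_access", "winword.exe spawned powershell.exe"),
    ("2019-03-04 22:40", "wks-17", "execution", "powershell.exe -EncodedCommand, no file on disk"),
    ("2019-03-09 03:15", "wks-17", "credential_access", "lsass.exe memory read by unsigned process"),
    ("2019-03-13 01:05", "wks-17", "lateral_movement", "remote service created on swift-gw-01"),
    ("2019-03-05 10:00", "wks-22", "execution", "powershell.exe -EncodedCommand, no file on disk"),
    ("2019-03-20 10:00", "wks-22", "execution", "powershell.exe -EncodedCommand, no file on disk"),
]

WINDOW = timedelta(days=14)   # long enough to catch a slow, multi-week intrusion
MIN_STAGES = 3                # distinct stages needed before a host is flagged


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: chronological event story} for hosts where at least
    `min_stages` distinct stages occur within any `window`-long period."""
    by_host = defaultdict(list)
    for ts, host, stage, detail in events:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), stage, detail))

    alerts = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order so the story reads as a timeline
        for i, (start, _, _) in enumerate(evs):
            # sliding window anchored at each event
            chain = [e for e in evs[i:] if e[0] - start <= window]
            if len({stage for _, stage, _ in chain}) >= min_stages:
                alerts[host] = [(t.strftime("%Y-%m-%d %H:%M"), s, d) for t, s, d in chain]
                break
    return alerts


if __name__ == "__main__":
    for host, story in correlate(EVENTS).items():
        print(f"ALERT {host}: multi-stage activity over {len(story)} events")
        for ts, stage, detail in story:
            print(f"  {ts}  {stage:<18} {detail}")
```

Host wks-22 repeats one stage and is not flagged; wks-17 is flagged because four stages fall inside the 14-day window.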
