Hackers vs. Finance: Strategies CISOs Can Take to the Bank
In recent years, financial and banking institutions worldwide have been the preferred targets of many cybercrime groups. Targeted attacks let these groups divert ever larger sums of money, which affects the operational stability and reputation of the organizations hit.
Both IT and security managers at these institutions must invest in understanding the specific cyberthreats that affect them, then implement the countermeasures necessary to safeguard their banking or financial activities.
The unique challenges of banking and financial information systems
Banking and financial information systems have characteristics that tend to make their protection more complex than traditional IT environments:
- Multiplicity of information systems: A banking information system (IS) is in practice split into several related sub-IS, which makes end-to-end consistency very hard to achieve. Whether this fragmentation is intended or merely tolerated, it leaves structural weaknesses that are difficult to remedy.
- Opening the IS to the outside: Banking and insurance systems must be reachable from outside, both by customers accessing their account interfaces and by the trusted third parties and intermediaries needed for financial or fiduciary transfers. The IS is therefore interconnected with many external entities, "partners" in the broad sense of the term.
- An especially attractive target: Attackers go after the IS that is easiest to compromise (less effort, shorter time from intrusion to payoff) and the IS that promises the highest return. A banking or financial system scores highly on both counts.
The three main IS that make up financial institutions generally have the following characteristics:
Distribution Network IS: Whether in banking or insurance, this IS is by nature connected to users and to ATMs. It very often comprises several regional IS that were historically autonomous. Because of its visibility, any compromise of this IS puts the institution's reputation at risk.
Electronic banking and exchange IS: This IS manages interactions with trusted third parties. It has historically been centralized at group level and is subject to PCI-DSS controls. Although usually modest in size, it is what keeps payments and financial exchanges with partners flowing.
Investment IS: In banking, the investment IS carries significant risk. User access is more restricted than in the distribution network, but this IS typically generates a large share of the organization's profits. It is usually centralized at group level and follows its own management and segregation-of-duties rules.
Financial organizations face complex operational and strategic security challenges. IS security managers must maintain intense technical vigilance, understand the tactics attackers use, and keep developing adequate countermeasures to protect their systems. Knowing which types of attack are run against financial institutions is therefore essential.
What types of attacks target financial IS?
Most of the known "classic" attacks can be mounted against financial institutions' IS, but as discussed above, financial IS have characteristics that entail different risks than, say, the IS of manufacturers or large retailers. The attacks vary with the sub-IS targeted in the banking or insurance world, but the most common can be listed:
- Distributed Denial of Service (DDoS): This is the most common type of attack, primarily affecting the distribution network IS. Its impact is immediate and it is usually aimed at damaging the institution's reputation. Some DDoS attacks have also targeted the electronic payment system to block specific exchanges.
- Malicious code on point-of-sale and withdrawal systems: These attacks take several forms, including malware that intercepts data, data injection, and cloning of payment cards.
- Malware on the information system: Usually nothing here is specific to banking or insurance, although recent attacks show malware written for the financial environment to maximize the impact and efficiency of the attack. The aim is to infect the sub-IS directly in order to reach its data.
- Insider threat: Employees can carry out fraudulent transactions directly, deliberately or unwittingly. In the deliberate case, privilege escalation and lateral movement on Windows systems are the most common techniques.
- Phishing: This attack comes from two angles with very different objectives. (1) Phishing aimed at customers (extremely widespread) floods users of financial services with more or less convincing emails to harvest their digital financial identity and later perform transactions in their name. (2) Phishing aimed at the institution's staff, whose main objective is to plant a backdoor or install malware, take control of part of a sub-IS and exploit the business data inside it.
- Exploitation of vulnerabilities: These attacks exploit configuration weaknesses in the sub-IS, or systems that are not patched regularly. They mainly target Windows and Active Directory vulnerabilities, again to maximize the chance of success and the return on the attack.
Every one of these methods has been used over the last three years, regardless of country or company size.
Some recent examples
The financial world is inherently discreet about the precise mechanics of the attacks it observes or identifies. Some attacks that significantly affected organizations are nonetheless public:
- In 2018, the FASTCash and ATMJackpot malware families let attackers dispense cash directly from ATM-type withdrawal systems.
- In 2018, Europol announced the arrest of the leader of the group behind the Carbanak and Cobalt malware, which since 2013 had hit more than 100 financial institutions in more than 40 countries for cumulative losses of over one billion euros. The malware was installed deep inside the organizations' IS and sub-IS, allowing the attackers to manipulate bank accounts, issue fraudulent transfers, and take control of certain ATMs.
- In 2019, the US bank Capital One suffered a personal data breach exposing information on more than 100 million customers (names, income, phone numbers, email addresses, etc.).
- In 2019, the Canadian financial cooperative Mouvement Desjardins revealed that an employee had stolen information on almost three million individual and corporate members.
- In 2019, Dutch Bangla Bank Limited was hit by an external attack in which cash was withdrawn from ATMs in Russia and Ukraine, costing more than three million dollars and doing serious damage to its reputation.
And the list goes on…
What countermeasures should be implemented?
Given the distributed model of financial IS, deploying a comprehensive security policy across the whole organization is highly complex. The following actions can nevertheless be implemented immediately:
- Study the attack models seen in your sector and invest in red-team exercises that simulate targeted attacks specific to banking or insurance. Train your teams, keep their skills current, and run regular intrusion and data-exfiltration tests.
- Integrate the MITRE ATT&CK framework into your analysis. It is currently the most complete model and the best adapted to modern attacks; it helps you understand how attacks are chained together and build your own matching set of countermeasures.
- Deal with the most common vulnerabilities: patch your systems, audit changes to sensitive systems, and monitor what administrator accounts do.
- Manage Active Directory. Most AD designs were built about ten years ago, at a time when targeted malware attacks and modern phishing methods did not exist. Active Directory needs a dedicated action plan.
The specific case of Active Directory
Why is Active Directory a latent threat to most organizations?
The Active Directory environment is favorable ground for attackers and malware for several reasons:
- Incomplete guidance from Microsoft on Active Directory security, including the late publication of the documents describing the tier-model (administrative tiering) design.
- Most Active Directory designs in production are more than a decade old, and regularly patching domain controllers does not correct flaws in the original design.
- Since 2015, tooling built specifically to attack Active Directory has proliferated in targeted attacks, while intrusion groups have grown more efficient.
- Active Directory gives an attacker exceptional coverage: the directory is used by more than 95% of organizations with more than 50 PCs.
To complement your IS evaluation, we recommend the article "Why Hackers Abuse Active Directory" on BankInfoSecurity.com, which explains in detail why attackers target Active Directory to achieve their goals, especially against financial institutions.
A favorite target in the banking world
There are usually many Active Directory forests across the different sub-IS, and in most cases they are linked by trust relationships that provide single sign-on to certain users.
The distribution network often has many forests inherited from former regional organizations, with extremely heterogeneous levels of maturity and security. They are usually the largest and most complex Active Directory databases, because large numbers of staff work in these distributed entities.
The investment IS generally encompasses one or more forests, usually on a global scale, to manage different marketplaces or investment locations. One forest per continent (Americas, Europe, Asia) is not uncommon, with inbound and outbound trusts between each forest.
Finally, the electronic banking IS usually has its own forest to carry the controls mandated by PCI-DSS, a strongly prescriptive standard for payment systems. This forest is very often isolated from the rest of the IS, with no trust relationships to the organization's other Active Directory environments.
All these characteristics specific to financial and banking institutions, namely the multiplicity of sub-IS, the distributed Active Directory model, the multiplicity of forests, the numerous trust relationships, and sometimes aged Active Directory designs, are fertile ground for attackers who want to take control of your information system.
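Since the trusts between these forests are the paths an attacker follows from a weak regional forest into the investment or e-banking forest, the first thing to inventory is how each trust is configured. The PowerShell below is an added example (editor's code, not the article's or Alsid's): it decodes the trustAttributes bit flags stored on each trustedDomain object, using the flag values defined in MS-ADTS section 6.1.6.7.9, and flags settings that widen the reach of a compromise: forest trusts with SID history allowed (TREAT_AS_EXTERNAL, which relaxes SID filtering to external-trust level), external trusts without quarantine, trusts without selective authentication, and trusts that allow Kerberos TGT delegation. The trust names and the sample records are constructed; against a real domain, replace them with the Get-ADObject query shown in the comment.

```powershell
# Added example, not code from the original article: decode the trustAttributes
# bit flags stored on each trustedDomain object and flag settings that widen the
# reach of a compromise across forests. Flag values are from MS-ADTS 6.1.6.7.9.
$TrustFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x001
    UPLEVEL_ONLY                             = 0x002
    QUARANTINED_DOMAIN                       = 0x004  # SID filtering on an external trust
    FOREST_TRANSITIVE                        = 0x008
    CROSS_ORGANIZATION                       = 0x010  # selective authentication
    WITHIN_FOREST                            = 0x020  # parent/child or tree-root trust inside one forest
    TREAT_AS_EXTERNAL                        = 0x040  # forest trust filtered like an external one (SID history allowed)
    USES_RC4_ENCRYPTION                      = 0x080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
    PIM_TRUST                                = 0x400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
}
$Directions = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustAttributeNames {
    param([Parameter(Mandatory)][int]$Attributes)
    foreach ($flag in $TrustFlags.GetEnumerator()) {
        if (($Attributes -band $flag.Value) -ne 0) { $flag.Key }
    }
}

function Find-RiskyTrust {
    # Accepts trustedDomain objects (Name, trustDirection, trustAttributes) from the pipeline.
    param([Parameter(Mandatory, ValueFromPipeline)]$Trust)
    process {
        $attr = [int]$Trust.trustAttributes
        if ($attr -band 0x020) { return }            # intra-forest trusts are implicit; nothing to review here
        $isForestTrust = ($attr -band 0x008) -ne 0
        $findings = @()
        if ($isForestTrust -and ($attr -band 0x040)) {
            $findings += 'SID history allowed over forest trust (SID filtering relaxed)'
        }
        if (-not $isForestTrust -and -not ($attr -band 0x004)) {
            $findings += 'External trust without SID filtering (quarantine off)'
        }
        if (-not ($attr -band 0x010)) { $findings += 'Selective authentication not enabled' }
        if ($attr -band 0x800)        { $findings += 'Kerberos TGT delegation allowed across the trust' }
        if ([int]$Trust.trustDirection -eq 3) { $findings += 'Bidirectional: confirm both directions are needed' }
        [pscustomobject]@{
            Trust      = $Trust.Name
            Direction  = $Directions[[int]$Trust.trustDirection]
            Attributes = (Get-TrustAttributeNames $attr) -join ','
            Findings   = $findings -join '; '
        }
    }
}

# Constructed sample standing in for the live output of:
#   Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustAttributes,trustDirection
$SampleTrusts = @(
    [pscustomobject]@{ Name = 'asia.invest.example';   trustDirection = 3; trustAttributes = 0x008 }  # forest trust, filtering on
    [pscustomobject]@{ Name = 'amer.invest.example';   trustDirection = 3; trustAttributes = 0x048 }  # forest trust, SID history enabled
    [pscustomobject]@{ Name = 'region-legacy.example'; trustDirection = 2; trustAttributes = 0x000 }  # old external trust, no quarantine
    [pscustomobject]@{ Name = 'partner.example';       trustDirection = 1; trustAttributes = 0x014 }  # quarantined + selective auth
    [pscustomobject]@{ Name = 'child.corp.example';    trustDirection = 3; trustAttributes = 0x020 }  # intra-forest, skipped
)
$SampleTrusts | Find-RiskyTrust | Format-Table -AutoSize -Wrap
```

Run it from each forest in turn, since a trust is described from the point of view of the domain holding the trustedDomain object: the same forest trust can be quarantined on one side and relaxed on the other. The raw flags are read on purpose rather than the friendlier Get-ADTrust properties, so the same decoding works from any account that can read the System container and the result maps directly to what netdom changes.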
Securing Active Directory is of the utmost urgency for organizations in the banking and insurance sectors
The diversity of activities and the distributed model of financial institutions make them extremely appealing to attackers. Effective countermeasures should therefore be put in place to protect them.
Financial institutions must consider three dimensions in their Active Directory protection:
- Check the configuration upstream. Verify the Active Directory configuration continuously; with several thousand changes a day in the directory, this is an indispensable background task.
- Implement an attack detection plan. Active Directory is exposed to specific, sophisticated attacks; the institution should be able to detect them with solutions dedicated to the AD environment.
- Know every change made in the directory in case a remediation plan has to be executed. During an incident, the institution must be able to establish every change made over the attack period, both to remediate and to trace the attack back to its source (patient zero).
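The third dimension, knowing every change over the attack period, does not have to rely on Security logs that the attacker may have cleared: every domain controller keeps replication metadata for each linked attribute value, including the time and originating DC of the last change and, for removed values, the removal time. The PowerShell below is an added example (editor's code, not the article's or Alsid's) that rebuilds the timeline of additions to and removals from a privileged group inside an incident window from that metadata. The domain, DC names, group and member DNs and the sample records are constructed; the live query that produces real records is shown in the comment.

```powershell
# Added example, not code from the original article: rebuild the timeline of
# additions to and removals from a privileged group during an incident window,
# using the replication metadata every domain controller keeps per linked value.
# Live records come from (assumed names):
#   Get-ADReplicationAttributeMetadata -Object 'CN=Domain Admins,CN=Users,DC=corp,DC=example' `
#       -Server dc01.corp.example -ShowAllLinkedValues
# Only AttributeName, AttributeValue, LastOriginatingChangeTime,
# LastOriginatingDeleteTime, LastOriginatingChangeDirectoryServerIdentity and Version are used.

function Get-MembershipTimeline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Record,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    process {
        if ($Record.AttributeName -ne 'member') { return }
        # A removed link keeps its metadata for the tombstone lifetime with
        # LastOriginatingDeleteTime set; present links show $null or 1601-01-01 there.
        $deleteTime = $Record.LastOriginatingDeleteTime
        $wasRemoved = ($null -ne $deleteTime) -and (([datetime]$deleteTime).Year -gt 1601)
        if ($wasRemoved) {
            $kind = 'Removed'; $when = [datetime]$deleteTime
        } else {
            $kind = 'Added';   $when = [datetime]$Record.LastOriginatingChangeTime
        }
        if ($when -lt $Start -or $when -gt $End) { return }
        # The originating DC is given as its NTDS Settings DN; keep just the server
        # RDN so the responder knows which DC's Security log (4728/4756) to pull.
        $dc = (($Record.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN=', ''
        [pscustomobject]@{
            When          = $when
            Event         = $kind
            Member        = $Record.AttributeValue
            OriginatingDC = $dc
            Version       = $Record.Version     # >1 means this value has already flipped before
        }
    }
}

# Constructed sample metadata for CN=Domain Admins (not real data).
$Ntds = 'CN=NTDS Settings,CN={0},CN=Servers,CN=Paris,CN=Sites,CN=Configuration,DC=corp,DC=example'
$SampleMetadata = @(
    [pscustomobject]@{ AttributeName = 'member'; AttributeValue = 'CN=adm.jdoe,OU=Admins,DC=corp,DC=example'
                       LastOriginatingChangeTime = [datetime]'2017-03-02T09:15:00Z'; LastOriginatingDeleteTime = $null
                       LastOriginatingChangeDirectoryServerIdentity = ($Ntds -f 'DC01'); Version = 1 }   # legitimate, old
    [pscustomobject]@{ AttributeName = 'member'; AttributeValue = 'CN=svc-backup,OU=Service,DC=corp,DC=example'
                       LastOriginatingChangeTime = [datetime]'2019-11-05T02:41:00Z'; LastOriginatingDeleteTime = $null
                       LastOriginatingChangeDirectoryServerIdentity = ($Ntds -f 'DC02'); Version = 1 }   # added in window, still present
    [pscustomobject]@{ AttributeName = 'member'; AttributeValue = 'CN=tmp-helpdesk,OU=Users,DC=corp,DC=example'
                       LastOriginatingChangeTime = [datetime]'2019-11-05T03:10:00Z'; LastOriginatingDeleteTime = [datetime]'2019-11-05T03:10:00Z'
                       LastOriginatingChangeDirectoryServerIdentity = ($Ntds -f 'DC02'); Version = 2 }   # added, then removed to cover tracks
    [pscustomobject]@{ AttributeName = 'adminCount'; AttributeValue = 1
                       LastOriginatingChangeTime = [datetime]'2019-11-05T02:41:00Z'; LastOriginatingDeleteTime = $null
                       LastOriginatingChangeDirectoryServerIdentity = ($Ntds -f 'DC02'); Version = 1 }   # not a link value, ignored
)

$Window = @{ Start = [datetime]'2019-11-04T00:00:00Z'; End = [datetime]'2019-11-06T00:00:00Z' }
$SampleMetadata | Get-MembershipTimeline @Window | Sort-Object When | Format-Table -AutoSize
```

Two caveats a responder should keep in mind. Metadata records only the last originating change per value, so for an account added and removed inside the window you see the removal and the Version counter, not the original add; the add itself has to come from the 4728/4756 events on the originating DC named in the output. And because the metadata replicates to every DC, an attacker who wiped one DC's Security log has not erased this record; querying two or more DCs and diffing the results is also how you spot changes that were injected on one DC without replicating normally.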
What’s the next step?
The unique characteristics of financial institutions' IS leave them exposed to attacks that abuse Active Directory. Protecting against these attacks will be a major pillar of bank and insurance security in the coming months. This should be taken into account and an action plan put in place to avoid data leakage or, worse, a loss of confidence in the institution itself. To take your research a step further and improve your ongoing security plan, Alsid.com offers many more analyses and guides.