Cybercrime follows the money. In today’s increasingly interconnected world, cybercriminals conduct digital hold-ups and cause major disruption by targeting critical infrastructure. So, how do those in the financial services industry get inside the mind of the hacker? How do they separate the signal from the noise to gain effective threat intelligence insights?
We live in digital times. The banking and financial services industry talks regularly about digital transformation. In truth, the transformation has already happened and there is no going back. Every organisation is a digital business by default, if not by design – writes Joyrene Thomas, Payments Cards and Mobile.
Being digital means being interconnected: individuals with businesses, businesses with suppliers, governments with businesses and individuals and so on. This is both an opportunity and a threat. Being interconnected allows organisations to derive additional value from digital. Yet it also broadens the attack surface via social media, digitally-integrated vendors or the ever-growing number of internet of things
The cyber threat intelligence industry has grown in recent years, but for too long it has suffered from being big on threats and small on intelligence and insight. There are signs that the market is maturing. Vendors as well as banks and financial institutions are improving in their use of threat intelligence. They are also working together and benefiting from open standards in this area.
Cybercrime is a form of organised crime, which is exactly that — organised. Syndicates are set up according to the division of labour principle adopted by many large companies. There are marketing, finance and IT departments, each of which contributes to the performance and overall success of the organisation. Cybercriminals have also borrowed sales and marketing practices from the legitimate economy. They operate star ratings systems and bug bounties, and offer crimeware with 24-hour customer helplines and money-back guarantees.
There are hackers who work office hours with weekends and bank holidays off. There is also a burgeoning freelance or crime-as-a-service market, where customers can hire hackers, or buy or rent the latest tools. These include exploit kits to infect victims with malware, steal credentials or hold an organisation’s files to ransom.
Money is flowing from other criminal activities towards cybercrime, precisely because the business model stacks up. “Cyber criminals are very practical. If something doesn’t generate an income, they’ll walk away from it and start using something that does,” said Rik Ferguson, special advisor at Europol EC3, speaking at Info Security Europe.
Ransomware grabbed headlines last year and became the favourite attack methodology used against businesses, particularly in North America and Europe. Ransomware locks computers or encrypts files and demands money from victims to regain access to their devices or data. Distribution of ransomware between January and November 2016 increased more than 265 percent, says cyber security firm Malwarebytes.
The scourge of ransomware continues in 2017. Just weeks after the WannaCry ransomware virus caused chaos across the globe in May, some of the world’s largest companies were hit by Petya, a second huge cyber attack. This hit the Ukrainian central bank and other government departments, and brought Kiev airport and the metro network to a standstill, before quickly spreading to at least 60 other countries.
Botnets, networks of compromised computers, are growing in strength by targeting internet of things (IoT) devices. This means ever-more powerful distributed denial of service (DDoS) attacks, which overwhelm specific IP addresses or web services with fake traffic to knock them offline. For example, in addition to corporate targets, the Austrian parliament and more than a hundred government servers in Luxembourg have been affected by DDoS attacks this year. However, banks and financial services companies remain the most attractive DDoS targets. Attacks are capable of causing such serious material and reputational damage that many organisations choose to pay ransom demands to prevent them.
“The only way to understand what the threats are and what is looming is threat intelligence. Threat intelligence is the key to proactive security.” Itay Yanovski, Cyberint
DATA INTO INSIGHT
Unsurprisingly, the threat intelligence industry has ballooned in recent years in response to the number and nature of cyber threats. The growth can also be attributed to the emergence of new technology vendors, changing legislation and government incentives designed to help organisations strengthen their cyber resilience. Many companies provide threat data, such as black lists, white lists, IP addresses, e-mail senders, DNS servers, as opposed to threat intelligence. So, how do banks and financial services companies separate the signal from the noise to gain effective threat intelligence insights?
“We see threat intelligence as being divided into three sub-segments,” says Elad Ben Meir, vice president, marketing at Israeli cyber security firm Cyberint. “The first one is intelligence feeds — any indicators that are collected by security vendors and distributed. The second is what we refer to as ‘strategic intelligence’ — reports delivered on a monthly or weekly basis about trends or general threats per industry. The third is taking the strategic position of threat intelligence and making it targeted to customers,” he explains.
Distilling what starts out as threat data into useful intelligence is key. “To be effective, cyber intelligence must be contextualised. One of the most challenging hurdles that financial institutions face is that they receive intelligence that is not in context to their activities, business needs or processes,” says Itay Yanovski, co-founder and senior vice president, strategy, Cyberint. “It may be important knowledge, but it is not actually something that is actionable.”
Turning data into insights may well begin by separating the intelligence types. Data feeds can be incorporated into an organisation’s current controls, usually via a general collection method or a SIEM (security information and event management) system, which matches the collected data against general indicators. Strategic threat intelligence can be used at board level by directors considering the financial and reputational impact of cyber threats, plus the potential opportunities.
Contextualised intelligence can be used operationally to augment current controls and understanding, particularly in the area of simulations or scenario planning. “Once you understand who is targeting you, what they are targeting you with and their attack plan, you can simulate the same type of scenario,” explains Ben Meir. This allows companies to understand where the weaknesses with their defence controls lie, and act to correct them.
There are other ways to use threat intelligence to get inside the mind of the hacker. “Threat intelligence can be used partly at the detection phase, partly at the understanding and diagnosis phase and partly in response,” says Piers Wilson, head of product management at Huntsman, a cyber security firm providing defence-grade security. If a bank knows that a certain range of IP addresses, domain names or indicators is significant – as it represents a particular type of attacker or piece of malware – it can watch for this and then prevent or detect it straight away, Wilson explains.
“Threat intelligence indicators of compromise can be used to verify and diagnose the nature of a particular intrusion. It may also be used in attribution to find out where a threat or attack originated from,” says Wilson.
He also emphasises the importance of understanding the threat context. Internal lists of senior executives, users that have administrator privileges or are involved in a particular project may not count as threat intelligence. Overlaid with external data, however, this information can help organisations understand the risk, the threat or attack when it occurs, and shape the response.
In this regard, banks have a head-start over other sectors in working with threat intelligence data. “Banks are quite used to dealing with fraud-type risks, for example blacklists of credit card numbers or accounts under suspicion. When you start to apply fraud-like thinking to security threat data, it’s easier to translate into intelligence,” Wilson contends.
Secondly, banks have historically been good at working together to share information. “Although they compete quite fiercely, there has been a co-operative view in banking that fraud, against one or against all, is always going to be a challenge.” As such, Wilson has seen banks exchanging information on what he describes as a “semi-formal” basis. This is mostly at the operational level, for example around attack vectors or domain names and IP addresses that have been involved in botnets or phishing campaigns.
Sharing threat intelligence in a type of ‘community health’ approach is helpful. This can be done via vendors or government-run initiatives, which establish communities and facilitate information exchange. The adoption of open standards, such as STIX and TAXII, also helps in this regard. These formats for data structure or transmission are useful for passing information between organisations in a common format, with the meaning, notes and diagnosis appended.
A prominent vendor with a proprietary threat intelligence feed made it STIX- and TAXII-compliant about a month ago, according to Wilson. The UK government threat intelligence feed is delivered as a STIX-format file. “There’s definitely a need to move towards a more structured and co-operative, standards-based way of working, which will benefit vendors and users alike in terms of exchanging information,” said Wilson.
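As an added example, not code from the article or from any vendor it quotes: a small Python detector that loads indicators from a constructed STIX 2.1 bundle (the kind a TAXII server would deliver) and watches constructed proxy log lines for the IP range and domain name they describe, honouring each indicator’s validity window so that stale intelligence does not fire. The bundle contents, the log format and all names and addresses are assumptions.

```python
import ipaddress
import re
from datetime import datetime
# Constructed STIX 2.1 bundle (as decoded from the JSON a TAXII server would return); the
# indicators use documentation-only addresses and names, not real IoCs.
STIX_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002", "name": "botnet C2 range",
     "valid_from": "2017-01-01T00:00:00Z", "pattern": "[ipv4-addr:value ISSUBSET '203.0.113.0/24']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000003", "name": "phishing domain",
     "valid_from": "2017-01-01T00:00:00Z", "valid_until": "2017-03-01T00:00:00Z",
     "pattern": "[domain-name:value = 'phish.example.net']"}]}
# Only two simple STIX pattern shapes are handled; a production feed needs a full pattern parser.
PATTERN_RE = re.compile(r"^\[(ipv4-addr:value ISSUBSET|domain-name:value =) '([^']+)'\]$")
LOG_RE = re.compile(r"^(\S+) .*\bdst=(\S+) host=(\S+)")  # assumed proxy log layout
ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # STIX timestamps are UTC

def load_indicators(bundle):
    """Return (name, is_ip_range, value, valid_from, valid_until) for each parseable indicator."""
    inds = []
    for obj in bundle["objects"]:
        m = PATTERN_RE.match(obj.get("pattern", "")) if obj["type"] == "indicator" else None
        if m:
            inds.append((obj["name"], m.group(1).startswith("ipv4"), m.group(2), ts(obj["valid_from"]),
                         ts(obj["valid_until"]) if "valid_until" in obj else None))
    return inds

def hits(ind, seen_at, dst_ip, host):
    _, is_ip_range, value, start, end = ind
    if seen_at < start or (end and seen_at >= end):
        return False  # indicator was not valid when the event happened: the temporal context
    if is_ip_range:
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(value)
    return host.lower() == value.lower()

def match_logs(indicators, log_lines):
    """Return (timestamp, indicator name) for every log line that hits a currently valid indicator."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen_at, dst_ip, host = ts(m.group(1)), m.group(2), m.group(3)
            alerts += [(m.group(1), i[0]) for i in indicators if hits(i, seen_at, dst_ip, host)]
    return alerts
# Constructed proxy log lines: a C2-range hit, a phishing hit, an expired-indicator miss, a clean line.
SAMPLE_LOGS = ["2017-02-10T09:12:00Z proxy user=u1 dst=203.0.113.45 host=cdn.example.org",
               "2017-02-11T10:00:00Z proxy user=u2 dst=192.0.2.9 host=phish.example.net",
               "2017-04-01T08:00:00Z proxy user=u3 dst=192.0.2.9 host=phish.example.net",
               "2017-02-12T11:30:00Z proxy user=u4 dst=198.51.100.20 host=bank.example.com"]
```

Running `match_logs(load_indicators(STIX_BUNDLE), SAMPLE_LOGS)` raises two alerts and stays silent on the April visit, because the phishing indicator’s `valid_until` had passed.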
THE GEO-POLITICAL DIMENSION
“Over recent months, we have seen the Democratic National Committee hack, which appears to have been the work of Russian state hackers to cause disruption and controversy around the US elections,” says John Bambenek, manager, security threat, Fidelis Cybersecurity. There has also been the potential information gathering of known Chinese hackers ahead of negotiations between President Trump and Xi Jinping; and the alleged DDoS attack associated with the Brexit ‘register to vote’ site, he continues.
Attacks against enterprises are just the same. While some may be conducted to hold the organisation to ransom, others may be used to access confidential information. Sometimes it could simply be about causing a stir or a distraction. Who would have thought that the disclosure of British cyclist Bradley Wiggins’ medical records, or e-mails between SONY colleagues would have generated so much publicity? This merely shows that victims, hackers and the public place different value on information.
Banks and financial institutions must consider this as well as the geo-political dimension to threats. They are caught in the cross-hairs of geo-political aggressors for two reasons. Firstly, they are critical infrastructure targets for those wanting to disrupt trade and the economic health of a country. Secondly, they are financial targets for those wanting to rob the bank. Banks and financial institutions are also more likely to be targeted by state-sponsored attackers. So, how important is attribution after a cyber attack?
The reasons that attribution is difficult in cyberspace are many and varied. The internet is an anonymous platform with no centralised legal authority. Digital identities are inherently weak, easy to fake and hard to attribute back to a real person. “Other methods of attribution, such as looking at the code or other elements within the code itself, are also being manipulated by actors, who want to distract the investigators. This is the key for cyber insecurity,” says Yanovski.
Whilst difficult to do, attribution has “value in terms of understanding the attack, recovering funds and tracing the movement of funds and data around the world,” says Wilson. “Possibly less so in terms of prosecution because you very seldom get back to an entity, organisation or individual that you can point the finger at. The value of attribution is understanding whether there is a political motive and tracing
Attribution is also useful in helping to prevent an attack from happening again and as an indicator of what may happen next. “The more you can understand of how adversaries are going to work, what type of code they are using, what their attack methods are, clearly the more you can do to defend against it. Attribution certainly has value, maybe not in the courts, but value to the defenders,” says Wilson.
The various sub-divisions of cyber threat intelligence — data feeds, strategic intelligence and contextual intelligence — help organisations to protect, detect, respond and recover from threats. Most importantly, however, threat intelligence helps organisations anticipate threats before they become incidents. “The only way to understand what the threats are and what is looming is threat intelligence,” says Yanovski of Cyberint. “Threat intelligence is the key to proactive security.”
Threat intelligence is most useful in context. Every day is different in cyber, so context in a temporal as well as a business sense is everything. Understanding threat intelligence in context of cyber posture is the best tactic. That is to say, understanding how an organisation’s external-facing assets can be used as an attack vector into the organisation. Taking an outside-in as well as an inside-out view of the organisation’s data, assets and digital footprint is akin to getting inside the mind of the hacker and thinking from their point-of-view.
Moreover, what is important to an organisation may not be what is important to the hacker. The value of protecting customer data is not just avoiding regulatory fines for data loss, but avoiding the business continuity risks, legal and contractual obligations, and reputational impacts of a cyber attack. Banks and financial institutions may have a head-start in understanding the fully-loaded costs of a cyber incident. They hold so much personal and financial data, and already have a mindset around the importance of protecting it, even before the General Data Protection Regulation (GDPR) comes into force next year.
However, it is not just the confidentiality of data that is important, but the integrity and availability of it, too. Customer information should remain uncorrupted and accessible when needed. It is this availability of data that is often more important to customers in the short-term. Customers can quickly become upset if they cannot access their online banking or cash from an ATM. They worry if payments are not settled or they cannot pay bills.
Probing inside the mind of the hacker reveals that it is a busy, well-organised, well-funded one. It is capable of doing patient research, taking calculated risks and changing quickly as circumstances require. However, those that understand the mind and ecosystem of their cyber adversaries are much better equipped to mitigate their threats. Or as Sun Tzu, the Chinese general and military strategist, said in The Art of War, if you know the enemy and know yourself, you need not fear the result of a hundred battles.