Intsights report: Key Learnings for FSI
Michael Tan, Regional Sales Director, Asia at IntSights speaks to Enterprise IT News about cybersecurity for the financial services industry.
EITN: What are the top highlights of the report you have received?
Michael: In our findings, compromised payment card information or online banking credentials are often sold to third parties in underground black markets at a fraction of its face value. One example would be a Russian-speaking criminal auctioning a database of bank account details of 20,400 US bank customers at a starting price of $10,000 and a ‘buy now’ price of $20,000, demonstrating how banks can be vulnerable to second-hand risks and fraud resulting from attacks on merchants in other industries.
On top of that, we see a proliferation of mobile banking Trojans that are responsible for a large share of attacks on banks, indirectly via their customers. Compromising mobile devices with banking Trojans can facilitate attacks on online banking credentials by enabling 2FA bypasses. Starkingly, some of these now have SMS interception functionality and have the ability to collect 2FA codes from authentication apps. Most mobile banking Trojans are for Android rather than iOS.
EITN: What is the most high profile attack that your report covers, and the key learning for businesses to take away?
Michael” The North Korean Lazarus Group and its threats to the banking sector is one of the most formidable ones considering their ability to gain access to sophisticated capabilities similar to that of a government. The Lazarus Group’s attacks on the banking sector have been more complex than those of common criminals and they aim to achieve more ambitious goals by enabling very large fraudulent transactions via the SWIFT interbank payment network.
Some of their attacks involved breaching the Bank of Bangladesh in 2016 and their target on banks in developing countries like Vietnam and Ecuador. Attacks by the Lazarus Group usually involve lateral movement within the compromised networks of these banks to SWIFT accesses, and has evolved to ATM fraud which targets servers inside bank networks.
Businesses are constantly targeted by various threat actors that use different tools and techniques to gain access to their data and networks, and need to guard against any form of attack with threat intelligence that provides information that is timely, accurate and actionable. Simply taking ‘just enough’ measures to fulfil regulatory requirements is not sufficient.
EITN: There are so many ways and methods that cybercriminals are attacking and compromising the FSI industry. What are the methods that you found is most useful for cybercriminals?
Michael: There are three methods that we found to be increasing. First, payment card fraud to steal money from banks has shifted from in-person to online fraud. Threat actors do not act against the banks themselves but other businesses that accept payment by cards and e-payment gateways, leaving the banking sector uniquely exposed to the impact of breaches in other sectors like retail, hospitality, and e-commerce.
Next, cybercriminals are also attacking banks through the bank networks, and at times targeting their partners, like insurance companies, third-party service providers and technology vendors in order to move laterally into the said bank networks. Access to these bank systems can enable large scale fraud involving SWIFT terminals or servers that support ATMs, for example.
Also, the compromise of online banking credentials on customers’ devices via banking Trojans remains partially beyond the control of banks, aside from the application security efforts and education of users on security hygiene such as password complexity and 2FA. While 2FA is an important defense for online banking credentials, as earlier mentioned, some mobile banking Trojans can bypass it, posing a significant threat.
EITN: What are the top best practices businesses should practice to defend from all these attacks you have covered in your report?
Michael: Within the bank’s network, security teams can improve defenses for its financially sensitive systems by using network segmentation to prevent lateral movement into their networks and put in place more rigorous authentication to access them.
To prevent fraud, bank fraud detection and prevention teams can set up measures to identify breaches at their merchants and contain the flow of compromised data. Any future compliance requirements and investigations on attacks should consider the growing trend away from in-person to online compromises and fraud.
Businesses need to leverage solutions that proactively identify and validate threats targeting the organisation so that security practitioners can prevent devastating cyberattacks from taking place by neutralising them at the source.
EITN: What is Defend Forward? How can businesses apply this? Can there be something for cybersecurity vendors to learn and apply as well?
Michael: Defend forward is a movement for organisations to take a proactive approach in identifying, blocking and taking down threats with a next-generation threat intelligence solution in the early stages of the cyber-kill chain before they hit the organisations’ network.
Businesses can evaluate their current security posture, and develop a clear strategy of what is important and urgent for their organisation.
Speed is another important factor. Businesses need to think about their speed of remediation in the event of any potential breach, and whether they have sufficient visibility and rapid, automated response to guard against and lower the risk of external threats.