
Threat intelligence sharing more crucial than ever

Teresa Walsh, Global Head of Intelligence, FS-ISAC, is of the opinion that nation state threat actors and cybercriminals are converging. She chats with Enterprise IT News about this and more.

EITN: Please explain why you say nation state threat actors and cybercriminals are converging, especially since both parties have different objectives that they want to achieve.

Teresa: With leakages of state actor tools like we saw with the Shadow Brokers and the plethora of research on nation-state cyber activities, cyber criminals can learn or even replicate tools and tactics used by the more sophisticated groups. Conversely, nation-state actors who want to hide their activities will use commodity malware or other widely available tools to complicate attribution. Wittingly or otherwise, cyber criminals may support nation-state operations through selling initial access to compromised environments as well. Nation-state cyber actors benefit from the mass “workforce” of the cybercriminal underworld constantly seeking to compromise networks who will handle the first step of an attack that they can then take advantage of.   

EITN: The SolarWinds supply chain attack highlighted a very worrisome issue that exists. Even the investigation and forensic tools of a vendor were compromised. Can you share the top methods/steps your cybersecurity report recommends to mitigate supply chain attacks like SolarWinds?

Teresa: The SolarWinds compromise revealed the scope and severity of third party breaches for the financial sector. The breach happened through a weaponized security update that was downloaded by 18,000 firms, including financial institutions and third party suppliers the industry uses.

In terms of impact to the financial sector, the dominoes are still falling. What data was compromised and how the threat actors intend to use it remains unknown. Just because the confirmed compromises were largely towards government targets does not necessarily mean everyone else who was affected is safe from potential intrusion attempts. Third party attacks, separate from the SolarWinds issue, have already hit in 2021; they will not be the last.

Tactics that firms can use include exercising, red teaming – simulating attacks to measure how well you are prepared to respond – and threat hunting. The premise behind threat hunting is to assume you are already compromised and have a team comb your systems for what the compromise is. To do this effectively, cyber defense teams should understand the current threat actors targeting the sector and their attack strategies. FS-ISAC produces finished intelligence reports for security testers that detail attack scenarios that they can use internally to detect the same malicious behaviors.

EITN: Can you share the top tech tools and solutions you use to facilitate the “central hub of threat intelligence and intelligence sharing” that you speak of?

Teresa: With the shift towards higher adoption of digital banking services and employees working remotely because of COVID-19, cyber criminals are taking advantage of these new opportunities. Last year, we rolled out the FS-ISAC Intelligence Exchange to facilitate the sharing and consumption of actionable cyber threat intelligence across the financial services sector to help our members be prepared for emergent threats.

The FS-ISAC Intelligence Exchange is comprised of applications designed to meet the evolving needs of FS-ISAC members. Specifically, these applications:

• Facilitate the sharing and consumption of actionable cyber threat intelligence across the financial sector.

• Enable more strategic and in-depth sector analysis from FS-ISAC

• Build strength and trust of peer-to-peer networks

• Enhance the effectiveness of collective efforts to reduce cyber risk across the global financial system

Connect is a secure chat capability that facilitates real-time communication with peers and groups. Connect enables industry collaboration with dedicated discussion threads based on topics and communities of interest. We also spin up new channels on specific topics of importance to the industry such as COVID-19, ransomware, and cloud as needed.

Share is a hub for threat intelligence sharing that provides access to actionable intelligence that members can customise and embed in their institutional processes and environments.

EITN: What are the top trends from the report that financial services industries need to be aware of, and how do you recommend addressing/approaching these trends?

Teresa: Here are some top trends from the report:

· Convergence of nation-states and cybercriminals: Nation-state actors are leveraging the skills and tools of cyber criminals, either knowingly or not, to enhance their own capabilities.

· Third-party risk on an upward trend: Suppliers to financial firms will continue to be lucrative targets for threat actors, as shown by three highly visible incidents in the last two quarters.

· Cross-border attacks will increase: Cyber criminals test their attack in one country before hitting multiple continents and sub-verticals, as shown by a DDoS extortion campaign targeting ~100 financial institutions in months.

· Malware and ransomware will be increasingly commoditized: Threat actors are evolving their business models for a higher return, using strategies such as selling components on the dark web for assembly into kits and auctioning off stolen data on the dark web.

We have seen that attacks begin in one region and quickly spread to other industry verticals in other parts of the world. Given the cross-border nature and complexity of these threats, it is critical that the financial services industry share sector-specific intelligence on a global basis.