NGFWs, antivirus, spam filters, multi-factor authentication, and a comprehensive breach response plan all have an important job to do. But the issue rests with what’s missing.
The same concept holds true for cybercrime and the Financial Services industry. At the end of the day, regardless of who the ultimate victim of a cyberattack is, the end goal of most cyber events continues to be financial gain. And capitalizing on the theft of information, whether credit card or banking data or the selling of PII on the dark web, ultimately involves taking advantage of someone or some organization associated with the Financial Services sector.
Exploits targeting banking apps on mobile devices, for example, are a significant part of this growing threat trend that must be addressed. Compromising mobile devices not only allows attackers to steal data stored on that device, but can be used to collect personal banking information using phishing apps, intercept data moving between a user and his or her online bank, and monitor financial transactions when purchasing goods or services online.
In addition to mobile threats, we have documented three additional attack strategies that financial security teams need to be paying special attention to:
Cryptojacking has become a gateway for other attacks. In many industries, including financial services, cryptojacking has leapfrogged ransomware as the malware of choice. While ransomware continues to be a serious concern for financial networks, the number of unique cryptojacking signatures nearly doubled in the past year, while the number of platforms compromised by cryptojacking jumped 38%.
Encrypted traffic has reached a new threshold. While encrypted traffic has always been a staple of financial organizations, it now represents an unprecedented 72% of all network traffic, up from 55% just one year ago. While encryption can certainly help protect data and transactions, it also represents a challenge for traditional security solutions. The critical firewall and IPS performance limitations of most legacy security solutions continue to limit the ability of organizations to inspect encrypted data at network speeds.
Botnets are getting smarter. The number of days that a botnet infection was able to persist inside an organization increased 34% during Q3 2018, rising from 7.6 to 10.2 days, indicating that botnets are becoming more sophisticated, difficult to detect, and harder to remove.
Security sprawl is the real challenge for financial organizations trying to address todays threats. Most networks have loaded with a hodge-podge of perimeter defences over the years. Most of these tools operate in isolation, watching a particular gateway looking for specific types of threats.. You’ve also likely added some rudimentary tools to try and spot rogue insiders, and added various filters and password protections to stop your employees from clicking on things they shouldn’t.
And if something nasty does get through, you have a plan in place to deal with it. You know who’s responsible for what in terms of isolating and restoring damaged systems – and you’re all geared up for forensic investigations and learning lessons from what just happened to keep the security lifecycle rolling along.
This approach is the definition of a purely reactive security strategy. It relies almost entirely on being able to shore up your defenses before cybercriminals can target and exploit a new vulnerability, or responding to an alarm that indicates that your network has been breached. Such an approach to cybersecurity keeps you and your security team in constant firefighting mode. Still, it’s the way the majority of organizations implement and maintain their security posture.
Of course, NGFWs, antivirus, spam filters, multi-factor authentication, and a comprehensive breach response plan all have an important job to do. Turn off your traditional Layer 2-3 firewall and see how long it takes for your network to catch on fire. The issue rests with what’s missing.
Here are some of the ways to tell that a shift from a reactive strategy toward proactivity might be needed within your organization:
You’re constantly “cleaning up on aisle 9”
You may be confident that your perimeter defenses are robust enough to pick up on most threats. And in any event, you estimate that the risk of being targeted is low and that the loss to your business will be manageable. When viewed in this way, a purely reactive security policy may make perfect sense.
But we’re long past the age when being hit with a cyberattack was a once-in-a-blue-moon event or a case of bad luck. The reality is much different. Nearly half of all organizations experienced a cyberattack last year. Smaller businesses, which typically have smaller budgets and staff, had it even worse, with 67% percent of SMBs experienced a cyberattack in 2018. These breaches forced 60% of small businesses to close within six months of an attack.
Of course, you could sit back and hope that your perimeter defenses catch those threats – but it’s increasingly likely that they won’t. The more sensible approach is to adopt a more proactive, zero-trust strategy that starts with an assumption of compromise. If you knew that your network had already been breached, what would you do differently than you are doing now? What resources would you isolate? What control measures would you put in place? Those are the things you should be doing now.
Threat actors are always one step ahead
Cybercriminals have long known how reactive cybersecurity tools work—and they make it their mission to circumvent them. On the one hand, we have polymorphous malware to deal with: malicious code with the ability to constantly change to evade antivirus (AV) detection. Even by blending malware with seemingly innocuous code, it can become possible to bypass an AV solution’s methodology.
And while malware-for-hire is readily available to multitudes of relatively unsophisticated end users over the dark web, the actual producers of those scripts tend to be much more professional. When a business gets an update from its AV provider informing it of the latest batch of identified malware variants, it’s a safe bet that the authors of that malware are signed up to the very same update. It’s their cue to launched their ‘new and improved’ version deigned to evade detection. With purely reactive security measures in place, businesses constantly find themselves one step behind the criminals.
Insiders are well placed to bypass reactive security measures
Half of data breaches originate from insiders – whether through accidental or malicious actions. Such breaches also tend to be among the most difficult and costly to rectify.
But one of the biggest problems you face comes in the form of privileged users. These are the people who know precisely what reactive measures you have in place. They know how to cover their actions without triggering a reaction. And they also know where your most valuable data resides. When one of those actors becomes rogue, it can be impossible to respond effectively when your security defense system is built around a reactive model.
Data compliance: the stakes are getting higher
A data privacy breach resulting from a security compromise doesn’t automatically lead to a sanction. What happens depend on the account you are able to provide to the investigating regulator.
Were the reactionary security solutions you had in place reasonable and adequate? Did you regularly stress-test your security infrastructure? Compliance isn’t a one-off exercise—staying compliant demands that you invest sufficient resources to meet an increasingly complex threat landscape. Sticking to your current reaction-oriented security framework that only responds after an update or event occurs is no strategy.
A proactive threat-hunting approach pays dividends
So what does a proactive strategy actually look like? Proactivity involves identifying and mitigating those hazardous conditions that can give rise to all manner of “nasties” cropping up – in whatever form they may take. Take the example of the malicious insider. His intention is to steal and exploit some of your most valuable data. He still hasn’t decided precisely how he’s going to do it – but he’s got numerous extraction options open to him. If you are very lucky, your purely reactive security measures might pick up on a one-off illegal action – but the chances are that the insider will be able to bypass them.
A proactive approach involves identifying the hazardous conditions that tell you something’s afoot: How has this individual’s behavior strayed from the norm recently? Has he been moving files to new servers? Is he logging in to resources he previously rarely accessed? Is data moving in unexpected ways?
Getting out of the trap of reaction-based security requires organizations to rethink both their networking and security strategies. Organizations need to begin by anticipating attacks by implementing zero-trust strategies, leveraging real-time threat intelligence, deploying behavioral analytics tools, and implementing a cohesive security fabric that can gather and share threat intelligence, perform logistical and behavioural analysis, and tie information back into a unified system that can pre-empt criminal intent and disrupt criminal behaviour before it can gain a foothold.
The author is Regional Vice President, India & SAARC, Fortinet. Views are personal.