Riders on the Storm: Preventing Cascading Cyberattacks in the Financial Sector

 Tom Kellermann,  CEO


“The greatest trick the devil ever pulled was to convince the world he did not exist.”  (The Usual Suspects, Bryan Singer, 1995, film)

Cybercriminals hide behind a cloak of invisibility, and as a result successfully colonize large swaths of the world’s corporate networks. For 19 years I have danced with the devil in cyberspace. Through this process I have witnessed modern cybersecurity defense architectures fail the western world.

The rapid evolution of cybercriminal capabilities is becoming increasingly problematic for enterprises as they battle adversaries determined to circumvent perimeter and endpoint controls. A major shift in security spending is necessary to provide situational awareness and visibility into attacker movement after the initial breach. This spending must be strategic and accompany a tactical paradigm shift from prevention to detection. As corporations continue to deploy additional services and IoT devices, the attack surface is becoming too vast for existing static and sparsely deployed preventative controls. The growing attack surface, coupled with the adversary’s use of advanced tactics, has left defenders blind to activity that the attacker can see clearly.

Examining the financial sector as a case study, we must acknowledge that its cybersecurity posture is more advanced than that of other sectors. Within this sector there are a few institutions that are light years ahead of their competitors in cybersecurity. Yet even these elite financial institutions suffer breaches through compromises within their information supply chain. The mission of the typical Eastern European hacker who “island hops” through these financial supply chains is to conduct virtual insider trading or front running, as illustrated by the World Bank report “Capital Markets and E-fraud”.

The Technology Service Providers (TSPs) of the financial institutions are in the crosshairs of cybercrime syndicates and are regularly targeted by them. These companies have been slow to adopt “intrusion suppression” technologies and have thus become the weak links in the financial sector’s information supply chain. Intrusion suppression is a cybersecurity concept wherein the lateral movement of an adversary is detected in real time and the adversary’s “kill chain” is disrupted and subsequently contained. As the FDIC’s own inspector general found: “The FDIC’s oversight process used for identifying, monitoring, and prioritizing TSPs for examination coverage needs improvement. The FDIC does not have a current, accurate, and complete inventory of TSPs that are used by FDIC-supervised institutions and have access to sensitive customer information. Additionally, our evaluation of TSP data in ViSION found that the Division of Supervision and Consumer Protection (DSC) had not implemented adequate controls to obtain and maintain TSP data. As a result, the FDIC’s ability to identify and monitor TSPs; assess risk, including risk related to sensitive customer information; and prioritize use of examination resources for financial institutions and TSPs is limited.”

It is high time the cybersecurity standards espoused by the FFIEC be revisited for these entities.

The major gap is visibility and time to detection, which is particularly troubling as it pertains to deterring an attacker’s ability to move laterally within enterprise environments post breach.

Financial institutions must have four capabilities specific to this lateral movement in order to close the gap and reduce risk through rapid detection and response:

  1. High-fidelity telemetry to discern when adversaries are active in the network and on devices.
  2. Lateral movement telemetry correlated with other sensors, such as egress monitoring, to build a comprehensive near-real-time “sight picture” of attacker behavior covering both internal movement and external command-and-control channels.
  3. Rapid acquisition and automated analysis of attacker tools and indicators of compromise, vetted and communicated to existing control mechanisms through integrated workflows for automated response and defense.
  4. Automated vulnerability management and attack path deterrence.
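The following is an added example, not code from the original article or from any vendor it mentions, showing in miniature what the “intrusion suppression” concept above and items 1 through 3 of the list amount to in practice: fan-out detection over authentication telemetry (one workstation and account reaching many internal hosts in a short window), beacon detection over egress telemetry (near-constant connection intervals to one external address), and a correlation step that joins the two by host into a single incident with the indicators a responder would push to existing controls. All log lines, hostnames, IP addresses, user names and thresholds are constructed for the example.

```python
"""Correlating lateral-movement telemetry with egress monitoring (added example).

Sample events are constructed; hostnames, IPs and users are fictional and the
window/threshold values are assumptions chosen to make the example readable.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed network-logon telemetry: (ts_seconds, src_host, dst_host, user)
AUTH_EVENTS = [
    (100, "ws-017", "fs-01", "jdoe"),
    (130, "ws-017", "db-02", "jdoe"),
    (150, "ws-017", "app-03", "jdoe"),
    (170, "ws-017", "dc-01", "jdoe"),
    (200, "ws-042", "fs-01", "asmith"),     # benign: one share, then mail much later
    (900, "ws-042", "mail-01", "asmith"),
]

# Constructed egress telemetry: (ts_seconds, src_host, dst_ip)
EGRESS_EVENTS = [
    (10, "ws-017", "203.0.113.7"), (70, "ws-017", "203.0.113.7"),
    (130, "ws-017", "203.0.113.7"), (190, "ws-017", "203.0.113.7"),
    (250, "ws-017", "203.0.113.7"),          # every 60 s: beacon-like
    (15, "ws-042", "198.51.100.9"), (400, "ws-042", "198.51.100.9"),
    (405, "ws-042", "198.51.100.9"),         # too few hits, irregular
]


def detect_fan_out(auth_events, window=300, threshold=3):
    """Flag (src_host, user) pairs that reach >= threshold distinct hosts
    within `window` seconds: the fan-out signature of island hopping."""
    by_actor = defaultdict(list)
    for ts, src, dst, user in sorted(auth_events):
        by_actor[(src, user)].append((ts, dst))
    alerts = []
    for (src, user), hits in by_actor.items():
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts.append({"host": src, "user": user, "first_seen": t0,
                               "targets": sorted(targets)})
                break  # one alert per actor is enough for the sight picture
    return alerts


def detect_beacons(egress_events, min_hits=4, max_cv=0.2):
    """Flag (src_host, dst_ip) flows with >= min_hits connections whose
    inter-arrival times are nearly constant (coefficient of variation
    <= max_cv): periodic traffic consistent with C2 check-ins."""
    by_flow = defaultdict(list)
    for ts, src, dst in egress_events:
        by_flow[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_flow.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        if pstdev(gaps) / period <= max_cv:
            beacons.append({"host": src, "dst_ip": dst, "period": period,
                            "first_seen": stamps[0], "last_seen": stamps[-1]})
    return beacons


def correlate(lateral_alerts, beacons, slack=600):
    """Join fan-out alerts to beacons on the same host when the beacon was
    active within `slack` seconds of the fan-out; each incident carries the
    indicators (host, account, C2 address) to hand to blocking controls."""
    beacons_by_host = defaultdict(list)
    for b in beacons:
        beacons_by_host[b["host"]].append(b)
    incidents = []
    for a in lateral_alerts:
        for b in beacons_by_host.get(a["host"], []):
            if b["first_seen"] - slack <= a["first_seen"] <= b["last_seen"] + slack:
                incidents.append({
                    "host": a["host"], "user": a["user"], "c2": b["dst_ip"],
                    "beacon_period_s": b["period"], "targets": a["targets"],
                    "contain": [f"isolate host {a['host']}",
                                f"block egress to {b['dst_ip']}",
                                f"disable and reset {a['user']}"],
                })
    return incidents


def sight_picture(auth_events=AUTH_EVENTS, egress_events=EGRESS_EVENTS):
    """End-to-end: internal movement + external C2 channel -> incidents."""
    return correlate(detect_fan_out(auth_events), detect_beacons(egress_events))


if __name__ == "__main__":
    for incident in sight_picture():
        print(incident)
```

Run on the constructed data, only ws-017 produces an incident: the fan-out to four hosts under jdoe alone would be a medium-confidence alert, and the 60-second beacon to 203.0.113.7 alone could be a monitoring agent, but the two on the same host within the same window are what the article calls a sight picture, and the `contain` list is the kind of vetted indicator set item 3 says should flow to existing controls through automated workflows.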

Mitigating the threat of cybercriminals “island hopping” through technology service providers should begin with modernizing FDIC and FFIEC supervisory guidance. We are riders on the storm, one that must be fully appreciated in order to eliminate this cascading risk to our financial sector.

Strategic Cyber Ventures is investing in cybersecurity companies whose platforms can mitigate and manage this type of risk.