The financial sector is historically one of the most secure industries in the world. It needs to earn trust and convince customers that their hard-earned money is safe. Nevertheless, the fact that banks guard the one thing cyber criminals desire most means security teams are under relentless pressure.
Attackers are ready to invest time and resources, and to collaborate, to develop new and more effective ways to reach the digital vault where the money is kept. Our third Modern Bank Heist report collected the views of 25 security leaders and found that attackers are evolving and modernising their methods as they try to secure long-term illicit access to banking systems. And they are capitalising on the disruption of COVID-19 to do it. So what can we learn from the data revealed in the report, and how can we combat the emerging threats?
COVID-19 surge hits financial sector
Among the CISOs we surveyed, 80% said they had experienced a rise in cyberattacks over the past 12 months, up 13% compared to last year. Some of this is due to the COVID-19 surge: separate VMware Carbon Black data showed a 238% increase in attacks on finance sector targets from February to April 2022, and we saw ransomware attacks on the sector increase ninefold over the same period. Closer analysis shows that notable alerts seen in VMware Carbon Black data spiked in correlation with significant moments in the COVID-19 news cycle, indicating that attackers are capitalising on disruption to strike while the world looks the other way.
The majority of our CISOs noted a rise in attack sophistication in the last year, and the ways attacks are developing give us a valuable understanding of attacker behaviours that should inform our response. Overall, we are seeing attackers move past inelegant “smash and grab” tactics and towards much more of a “hostage situation”, where their motivation is to gain and retain footholds in target networks for long-term campaigns.
The Kryptik trojan and Emotet malware continue to feature among the top attack types experienced, our research has found. In many cases they are used in longer, complex campaigns that leverage native operating system tools to stay undetected, or to obtain a base from which to island hop to a larger and more lucrative target. Another indication that attackers are operating for the long term is that the most prevalent MITRE threat ID affecting the finance sector in the last year is T1507 – Process Discovery. This shows attackers are investing in increasing their knowledge of policies and procedures in banking institutions, the better to work out how to infiltrate them undetected. They are also ramping up their awareness of incident response tactics and seeking blind spots they can exploit to stay invisible.
Island hopping experienced by one third
33% of the CISOs surveyed reported experiencing island hopping, where supply chains and partners are unwitting vectors for attacks. The most common type of attack is network-to-network, but one fifth reported suffering watering hole attacks, where hackers target a website frequently visited by customers of the target and try to harvest access credentials, or target the financial institution's own site to push malware into visitors' browsers.
Island hopping-as-a-service is also increasing. In 2022 our analysts uncovered a secondary component in a well-known cryptomining campaign that was designed to exfiltrate system access information destined for sale on the dark web. This is a significant change in behaviour that defenders need to keep on their radar, as what looks like one type of attack may be cover for another.
“Virtual invasions” on the rise
Almost sixty-six per cent of those surveyed said they had seen increased attempts at wire transfer fraud, up 17% compared to 2022. These attacks rely on attackers' understanding of gaps in the business verification process, or on direct social engineering of customers or customer support representatives.
Counter-incident response up as attackers evade detection
Almost one quarter of our surveyed CISOs had witnessed counter-incident response as attackers prioritise persistence and seek to retain their foothold in the financial institution's network. This is something we anticipate seeing escalate in the coming year. Tactics such as log deletion, manipulation of timestamps and disabling of security controls will all feature as attackers cover their tracks. Associated with this are destructive wiper attacks designed to “burn the evidence” of infiltration and prevent defenders from conducting the forensic analysis that would stop the same vectors being used in future. This has major implications for incident response: we have to be more clandestine.
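The three track-covering tactics named above (log deletion, timestamp manipulation, disabling of security controls) each leave their own trace in endpoint telemetry, and seeing more than one of them on the same host is a strong signal to go quiet rather than start blocking. The following detector is an added example written for this article, not VMware Carbon Black code; the event records are constructed, and the event-ID mapping (Security 1102 and System 104 for a cleared log, Sysmon 2 for a changed file creation time, Defender 5001 for real-time protection being disabled) follows Microsoft's public documentation.

```python
"""Flag counter-incident-response activity in endpoint telemetry.

Added example, not VMware Carbon Black code. The event records below are
constructed for the demo and loosely mimic Windows event log entries.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# (channel, event_id) -> counter-IR tactic named in the report
EVENT_RULES = {
    ("Security", 1102): "log deletion",
    ("System", 104): "log deletion",
    ("Microsoft-Windows-Sysmon/Operational", 2): "timestamp manipulation",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "security control disabled",
}

# Command lines in process-creation events (Sysmon 1 / Security 4688) with the same effect
CMDLINE_RULES = {
    "wevtutil cl": "log deletion",
    "clear-eventlog": "log deletion",
    "auditpol /clear": "security control disabled",
    "set-mppreference -disablerealtimemonitoring": "security control disabled",
}
PROCESS_CREATE_IDS = {("Microsoft-Windows-Sysmon/Operational", 1), ("Security", 4688)}


def classify(event: dict) -> Optional[str]:
    """Return the counter-IR tactic an event indicates, or None if it looks benign."""
    key = (event["channel"], event["event_id"])
    if key in EVENT_RULES:
        return EVENT_RULES[key]
    if key in PROCESS_CREATE_IDS:
        cmdline = event.get("cmdline", "").lower()
        for needle, tactic in CMDLINE_RULES.items():
            if needle in cmdline:
                return tactic
    return None


def find_indicators(events: Iterable[dict]) -> List[dict]:
    """Annotate every matching event with its tactic, preserving event order."""
    hits = []
    for ev in events:
        tactic = classify(ev)
        if tactic:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "event_id": ev["event_id"], "tactic": tactic})
    return hits


def hosts_with_counter_ir(events: Iterable[dict], min_tactics: int = 2) -> Dict[str, Set[str]]:
    """Hosts showing at least min_tactics distinct tactics. A single cleared log can
    be routine maintenance; clearing logs and timestomping on the same host is an
    adversary covering tracks."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for hit in find_indicators(events):
        per_host[hit["host"]].add(hit["tactic"])
    return {host: tactics for host, tactics in per_host.items() if len(tactics) >= min_tactics}


# Constructed sample telemetry (hostnames, paths and timestamps are invented)
SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_EVENTS = [
    {"ts": "2022-05-01T10:00:00Z", "host": "fin-srv-01", "channel": "Security", "event_id": 4624},
    {"ts": "2022-05-01T10:02:10Z", "host": "fin-srv-01", "channel": SYSMON, "event_id": 1,
     "cmdline": "wevtutil cl Security"},
    {"ts": "2022-05-01T10:02:11Z", "host": "fin-srv-01", "channel": "Security", "event_id": 1102},
    {"ts": "2022-05-01T10:05:42Z", "host": "fin-srv-01", "channel": SYSMON, "event_id": 2,
     "target": "C:\\Windows\\Temp\\svc.dll"},
    {"ts": "2022-05-01T11:30:00Z", "host": "fin-srv-02", "channel": DEFENDER, "event_id": 5001},
    {"ts": "2022-05-01T11:31:15Z", "host": "fin-srv-02", "channel": SYSMON, "event_id": 1,
     "cmdline": "notepad.exe C:\\Users\\analyst\\notes.txt"},
]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EVENTS):
        print(hit)
    print("hosts showing coordinated counter-IR:", hosts_with_counter_ir(SAMPLE_EVENTS))
```

The threshold in `hosts_with_counter_ir` is the point to tune: at `min_tactics=1` every cleared log pages someone, at `2` only hosts where the attacker has combined tactics are surfaced, which is the population most worth the quiet, monitor-only handling described below.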
VMware Carbon Black Senior Threat Researcher Greg Foss has five strategies for incident response that avoid alerting adversaries:
- Stand up a secondary line of secure communications
This is vital for discussing the ongoing incident. Assume all internal communications are compromised and visible to the adversary.
- Assume adversaries have multiple entry points
Shutting off one access point might not remove the attacker, and could have the opposite effect by notifying the attacker that you are aware of their presence.
- Watch and wait
Don't immediately start blocking malware activity and access, or terminating the C2. Monitor closely to assess the scope of the intrusion and work out what it takes to fully remove the adversary.
- Deploy agents in monitor-only mode
If you begin blocking or otherwise impeding their activities, they will realise and change tactics, possibly leaving you in the dark.
- Deploy honey tokens or deception grids
Particularly on attack paths that cannot be hardened.
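Honey tokens fit the "watch and wait" posture above because they generate no false positives: a credential that has no legitimate use can only ever be touched by someone who has reached the place it was planted. The following is an added example written for this article, not VMware Carbon Black code or any product's API. The token format (a hypothetical `HNYTK` prefix plus 32 hex characters), the planting locations and the log lines are all constructed; the registry stores only hashes so that the detection system is not itself a list of tokens for an intruder to avoid.

```python
"""Mint honey-token credentials and detect any use of them in logs.

Added example, not VMware Carbon Black code. Token format, placements and
log lines are constructed for the demo.
"""
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TOKEN_PREFIX = "HNYTK"  # hypothetical prefix, chosen so tokens can be pulled out of logs by regex
TOKEN_RE = re.compile(r"\b(HNYTK[0-9a-f]{32})\b")


@dataclass(frozen=True)
class HoneyToken:
    token_hash: str   # SHA-256 of the token; the plaintext lives only where it was planted
    planted_at: str   # where defenders placed it, ideally on a path that cannot be hardened


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def mint_token(planted_at: str, registry: Dict[str, HoneyToken]) -> str:
    """Create a fresh token, record its hash and placement, and return the plaintext
    to be planted. The registry never holds plaintext."""
    token = TOKEN_PREFIX + secrets.token_hex(16)
    registry[_digest(token)] = HoneyToken(_digest(token), planted_at)
    return token


def scan_log(lines: Iterable[str], registry: Dict[str, HoneyToken]) -> List[dict]:
    """Return one alert per log line carrying a registered honey token.
    Strings that merely look like tokens but were never minted are ignored."""
    alerts = []
    for line in lines:
        for match in TOKEN_RE.finditer(line):
            record = registry.get(_digest(match.group(1)))
            if record is not None:
                alerts.append({"planted_at": record.planted_at, "line": line.rstrip()})
    return alerts


def build_demo() -> Tuple[Dict[str, HoneyToken], List[str]]:
    """Plant two tokens and fabricate an API gateway log containing one use of a
    real token, one look-alike that was never minted, and ordinary traffic."""
    registry: Dict[str, HoneyToken] = {}
    planted = mint_token("swift-gateway.conf on legacy-jump-01 (constructed)", registry)
    mint_token("backup-creds.txt on fileshare-02 (constructed)", registry)
    lookalike = TOKEN_PREFIX + "0" * 32  # right shape, never minted: must not alert
    lines = [
        "2022-05-01T03:14:07Z 10.0.8.21 GET /api/v1/accounts key=" + planted + " status=401",
        "2022-05-01T03:14:09Z 10.0.8.21 GET /api/v1/accounts key=" + lookalike + " status=401",
        "2022-05-01T03:15:00Z 10.0.2.5 GET /api/v1/health status=200",
    ]
    return registry, lines


if __name__ == "__main__":
    reg, log = build_demo()
    for alert in scan_log(log, reg):
        print("HONEY TOKEN USED:", alert["planted_at"], "<-", alert["line"])
```

Because each token is tied to one planting location, a hit tells the responder not just that an adversary is present but which system they have reached, which feeds the scoping work of the "watch and wait" step without tipping them off.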