Since the Bangladesh Bank heist back in February, there have been two further attacks on the SWIFT system, the most recent resulting in US$12 million (£9 million) stolen from an Ecuadorian bank. Each attack has taken a two-pronged approach – first installing malware to prevent staff from discovering the fraudulent transactions, and secondly obtaining authentic SWIFT credentials to send out the fraudulent requests – and together they point to a very real, widespread attack on the global banking and financial sector.
What's worrying is not just the scale and severity of these hacks, but how the attacks were able to take place and remain undetected. Indeed, this heist was only discovered when bank employees noticed a printing error.
There has been a sharp rise in attacks involving stolen credentials over recent years as cyber-criminals use new methods to bypass traditional security defences. Unsurprisingly, the most recent Verizon Data Breach Investigations Report revealed that stolen credentials have been the number one attack vector for web applications for the past two years.
While any organisation can fall victim to compromised credentials, the financial industry in particular is a target for hackers given the large volumes of money and confidential financial information banks hold. A big problem is that the financial sector is incredibly siloed due to its size, with many different segments, banks and countries operating across the industry that never intersect. Legacy systems are also in place that don't interact well, which can make it difficult to have a ubiquitous security programme in place that fully protects important assets.
Unfortunately, today's threat landscape means hackers will get in – it's become inevitable. But, unlike in the SWIFT case, they can be stopped before any damage has been done. Organisations need to take a different approach to cyber-security; instead of trying to keep the criminals out, they need to focus more on reducing the time it takes to identify and respond to a threat. Perimeter tools, of course, still play a part in protecting against an external threat, but with more and more attacks coming from within – whether from a malicious insider or the unauthorised use of credentials – businesses need insight into suspicious or anomalous activity that could, to the human eye, appear normal.
This is why behavioural analytics is now so important. Behavioural analytics alerts the business when an employee does something out of the norm, or when legitimate credentials are used in an unusual way – for example, the same account logging in from two different locations within a short time, or an individual transferring an abnormally large amount of money compared with their usual pattern.
For so long, intrusion detection has focused solely on viruses, malware and exploited vulnerabilities; however, the threat landscape is changing radically. As technology advances, attackers have become more creative and we have seen their strategies increasingly shift towards the use of stolen credentials. While creating malware and abusing web vulnerabilities takes quite a lot of skill, employee credentials are easy to get hold of, whether via spear phishing or by purchasing them on the dark web – just consider the recent LinkedIn and Tumblr data dumps, which saw hundreds of thousands of log-ins and passwords up for sale online.
Updating anti-virus and implementing firewalls is obviously important, but companies need to maximise security intelligence and behavioural analytics to protect their networks from all corners. Impersonated employees can remain undetected for weeks, months or years unless there is a system or tools in place that identify abnormal behaviour. Furthermore, with so many alerts being flagged to organisations per day, it's important that businesses have the ability to quantify them and identify those that could indicate suspicious behaviour. Just consider the Target breach a few years ago – the retailer did receive an alert as to what was happening, but it got swept up in the noise and the company subsequently became the victim of one of the biggest data breaches we have seen. With such a big global system as SWIFT, and so much at stake, it's even more important that network activity between banks is monitored and put into context.
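The two ideas above – baseline-driven behavioural alerts (logins from two locations in quick succession, transfers far above an account's normal size) and scoring those alerts so one account's cluster of red flags stands out from the daily noise – can be sketched in a few lines. The following is an added illustration, not LogRhythm's product or any code from the article; the activity log, user names, locations, amounts, the two-hour travel window and the 5× size multiplier are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import NamedTuple

# Constructed sample activity log (timestamp, user, action, location, amount in USD).
# The first four days form each user's baseline; 6 May is the period being evaluated.
EVENTS = [
    ("2016-05-02 09:05", "alice", "login",    "Dhaka",  0),
    ("2016-05-02 09:30", "alice", "transfer", "Dhaka",  120_000),
    ("2016-05-03 09:10", "alice", "login",    "Dhaka",  0),
    ("2016-05-03 10:00", "alice", "transfer", "Dhaka",  95_000),
    ("2016-05-04 08:55", "alice", "login",    "Dhaka",  0),
    ("2016-05-04 11:20", "alice", "transfer", "Dhaka",  150_000),
    ("2016-05-05 09:00", "alice", "login",    "Dhaka",  0),
    ("2016-05-05 09:40", "alice", "transfer", "Dhaka",  110_000),
    ("2016-05-06 09:02", "alice", "login",    "Dhaka",  0),
    ("2016-05-06 09:47", "alice", "login",    "Manila", 0),           # second location 45 min later
    ("2016-05-06 09:55", "alice", "transfer", "Manila", 20_000_000),  # far above her usual size
    ("2016-05-06 10:10", "bob",   "login",    "Dhaka",  0),           # no history at all
    ("2016-05-06 10:30", "bob",   "transfer", "Dhaka",  50_000),
]

BASELINE_END = datetime(2016, 5, 6)     # assumed cut-over from baseline to evaluation
TRAVEL_WINDOW = timedelta(hours=2)      # assumed: two sites within 2h is suspicious
SIZE_MULTIPLIER = 5                     # assumed: > 5x the user's median transfer is abnormal


class Alert(NamedTuple):
    user: str
    when: datetime
    rule: str
    severity: int   # 1 (informational) .. 5 (act now)
    detail: str


def parse(raw):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, a, loc, amt) for ts, u, a, loc, amt in raw]


def build_baseline(events):
    """Per-user profile from the baseline period: locations seen and transfer sizes."""
    profile = defaultdict(lambda: {"locations": set(), "transfers": []})
    for ts, user, action, loc, amt in events:
        if ts >= BASELINE_END:
            continue
        profile[user]["locations"].add(loc)
        if action == "transfer":
            profile[user]["transfers"].append(amt)
    return profile


def detect(events, profile):
    """Run the behavioural rules over the evaluation period and return raw alerts."""
    alerts, last_login, warned = [], {}, set()
    for ts, user, action, loc, amt in events:
        if ts < BASELINE_END:
            continue
        p = profile.get(user, {"locations": set(), "transfers": []})
        # Edge case: a user with no history cannot be compared against anything,
        # so say so once rather than silently treating every action as normal.
        if not p["locations"] and not p["transfers"] and user not in warned:
            alerts.append(Alert(user, ts, "no_baseline", 1, "no history to compare against"))
            warned.add(user)
        if action == "login":
            if p["locations"] and loc not in p["locations"]:
                alerts.append(Alert(user, ts, "new_location", 2,
                                    f"login from {loc}; previously only {sorted(p['locations'])}"))
            prev = last_login.get(user)
            if prev and prev[1] != loc and ts - prev[0] <= TRAVEL_WINDOW:
                alerts.append(Alert(user, ts, "impossible_travel", 4,
                                    f"{prev[1]} then {loc} within {ts - prev[0]}"))
            last_login[user] = (ts, loc)
        elif action == "transfer" and p["transfers"]:
            typical = median(p["transfers"])
            if amt > SIZE_MULTIPLIER * typical:
                alerts.append(Alert(user, ts, "abnormal_amount", 5,
                                    f"{amt:,} USD vs typical {typical:,.0f} USD"))
    return alerts


def rank_users(alerts):
    """Sum severities per user so a clustered account rises above scattered low-grade noise."""
    score = defaultdict(int)
    for a in alerts:
        score[a.user] += a.severity
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)


def run(raw=EVENTS):
    events = parse(raw)
    alerts = detect(events, build_baseline(events))
    return alerts, rank_users(alerts)


if __name__ == "__main__":
    found, ranking = run()
    for a in found:
        print(f"[sev {a.severity}] {a.when:%Y-%m-%d %H:%M} {a.user:6} {a.rule:18} {a.detail}")
    print("triage order:", ranking)
```

On the constructed log this raises three alerts against the "alice" account (new location, two sites 45 minutes apart, a transfer roughly 170 times her median) and one informational alert for "bob", and the per-user score puts alice at the top of the queue. In a real deployment the baseline would be rebuilt continuously and the rules would be one input among many, but the shape is the same: compare each action with that identity's own history, not with a generic signature.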
Ultimately, it is a fight of ‘us’ against ‘them’. Everyone involved in a global network, whether it's a multi-national company or a worldwide community of like-minded organisations, such as SWIFT, needs to have full insight into what is happening across their network so that red flags can be raised as soon as suspicious activity occurs. Stolen credentials are increasingly becoming a thorn in the side of every security professional because they give hackers the opportunity to access confidential data easily and without detection. However, by having the ability to monitor for compromises and respond to threats as soon as they happen, the financial industry will be in a much better position to fight modern-day cyber-criminals and prevent any lasting damage.
Contributed by Ross Brewer, VP and MD of EMEA, LogRhythm