Advanced Persistent Threat (APT) attacks have increased substantially in frequency since 2014, and these cyber-attacks are particularly insidious because they are extremely difficult to detect. As the name implies, APT attacks rely upon advanced cyber-attack techniques focused on establishing a covert remote access channel through which attackers can expand their control of victim systems and networks. Recently, APT attacks launched by organized cyber-crime gangs such as “Lazarus,” and the widespread Carbanak attack that resulted in over 1 billion dollars in losses across over 100 banks around the world, started targeting internal bank and financial institution information processes rather than individual financial accounts, which was previously their mode of operation. Since an APT is a stealth attack that occurs over a relatively long time period, understanding the phases of an APT attack (which follow the Lockheed Martin “Cyber Kill Chain” framework) is key to countermeasure configuration and deployment, blocking APT advances, incident response, and managing internal and external communications during a suspected incident.
During the reconnaissance phase, APT attackers focus their efforts on gathering information about the targeted victim. They often employ common tools such as Internet search to learn about the inner workings of the targeted organization, and specialized tools such as the Shodan search engine provide details about the system configurations on the targeted victim’s networks. Other tools that map the victim’s network, and identify and log system attributes are also employed. Social engineering techniques may also be used to gather information about the target organization’s internal business processes, organizational structure, contact names and contact information such as email addresses and phone numbers.
During “weaponization,” APT attack groups process the information captured during reconnaissance by identifying vulnerabilities and misconfigurations whose exploitation may provide them with remote access. APT attack groups often use online databases of known vulnerabilities, cross-referencing system and software version numbers obtained during reconnaissance to pinpoint exploitable vulnerabilities that have not been patched. In addition, APT attack groups usually have teams that work to identify new “zero-day” vulnerabilities within the target system for which there is no known security fix.
Tools designed to exploit the vulnerabilities uncovered during the “weaponization” phase are then developed, with capabilities aligned with the APT attack group’s carefully constructed plan. For example, the Carbanak attack included keystroke logger tools and malicious video capture applications that the APT attack group installed on financial organization workstations; these captured authentication credentials along with video and pictures of bank operations and uploaded the captured information to APT attack group servers on the Internet in preparation for the Command and Control attack phase.
Command and Control
APT attacks focus on gaining remote “command and control” access, available at any time, to systems internal to the target victim’s network. Remote control is usually established through a covert channel using network traffic that is very difficult to detect. Attackers use remote command and control access to repeat the attack phases from inside the target network and gain control over the additional systems required to attain their goal (such as capturing customer confidential information).
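One observable property of a covert command-and-control channel is that the implant must periodically check in with its controller, and that check-in traffic tends to recur at near-constant intervals with near-constant sizes. The following is an added example, not code from the original post: it scans a connection log for source/destination pairs whose outbound connections are both frequent and regularly spaced, a simple "beaconing" detector. The log format, the hostnames, the IP addresses and the thresholds are all constructed for this example; real proxy or NetFlow records would need their own parser.

```python
"""Beacon detection over a connection log (added example, constructed data).

Flags source/destination pairs whose outbound connections recur at
near-constant intervals, the periodic "check-in" pattern a covert
command-and-control channel tends to produce. Log format, hosts,
addresses and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.12 -> updates.example-cdn.test checks in roughly every 60 seconds
# with almost identical payload sizes; the mail traffic is irregular.
SAMPLE_LOG = """\
2017-06-01T09:00:00 10.0.0.12 updates.example-cdn.test 512
2017-06-01T09:00:05 10.0.0.12 mail.example.test 2300
2017-06-01T09:01:00 10.0.0.12 updates.example-cdn.test 510
2017-06-01T09:02:01 10.0.0.12 updates.example-cdn.test 514
2017-06-01T09:02:40 10.0.0.12 mail.example.test 18000
2017-06-01T09:03:00 10.0.0.12 updates.example-cdn.test 511
2017-06-01T09:04:00 10.0.0.12 updates.example-cdn.test 509
2017-06-01T09:05:01 10.0.0.12 updates.example-cdn.test 512
2017-06-01T09:07:13 10.0.0.12 mail.example.test 900
2017-06-01T09:15:30 10.0.0.12 mail.example.test 4100
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_connections=5, max_interval_cv=0.10):
    """Return pairs whose inter-connection intervals are suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is the regularity score: human-driven traffic is bursty
    (high CV), a scheduled check-in is not (low CV). Payload-size CV is
    reported as a secondary indicator but not used for the verdict.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()  # logs are not guaranteed to be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else float("inf")
        if interval_cv <= max_interval_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "mean_interval": mean(gaps),
                "interval_cv": interval_cv,
                "size_cv": size_cv,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval']:.1f}s (interval CV {hit['interval_cv']:.3f}, "
              f"size CV {hit['size_cv']:.3f})")
```

On this sample only the `updates.example-cdn.test` pair is reported; the mail traffic is both too infrequent and too irregular. In practice the interval threshold needs tuning against a baseline, because legitimate software updaters and monitoring agents beacon too; the value of the check is in surfacing regular traffic to destinations the organization does not recognise, which is then triaged against an allow-list of known agents.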
APT attacks are carefully planned and precisely executed, often taking months for attackers to achieve the purpose of the attack. A layered information security strategy that includes measures for prevention, detection, and response is essential for financial institution readiness. Preventative measures include a well-planned and maintained, best-practices-based information security program for managing defense countermeasures, employee security training (which includes social engineering education and response, for example), auditing, administration, and intrusion prevention systems. An incident response program must also include a well-managed crisis communications program that ensures all stakeholders are accurately informed about the organization’s strategy for preventing incidents and that accurately communicates status and manages public relations when a suspected incident occurs. Contact us today for more information on cybersecurity planning and crisis communications management.
New cybersecurity threats to the financial industry, which include automated threats such as malware, are now produced and actively deployed at an exponential rate. Newly introduced technologies that increase organizational efficiency, employee productivity, and profitability also introduce new “zero-day” vulnerabilities (security flaws discovered by cyber-criminals before the release of a security patch), resulting in cyber-attacks targeting vulnerabilities for which no security update yet exists. For this reason, best practice cyber security defense planning and implementation are essential to ensure your organization is not an easy target; they also enable the organization to detect cyber-attacks and trigger a pre-planned security incident response to thwart attacks and prevent compromise of organization and customer confidential information.
Cybersecurity planning starts with leadership support. Once leadership announces support for an organizational cyber security planning initiative, they appoint a cyber security planning leader and grant authority necessary to meet the organization’s cyber security objectives (which should include securing critical and sensitive information systems and assets, developing a cybersecurity incident response plan, and regulatory compliance).
Determine Current Cybersecurity Status
Identifying current and critical system and information assets is an essential step to understanding and prioritizing what the organization must protect. Assessing the value of each asset to the organization, potential for loss due to identified threats, and impact of asset compromise to the organization enables the organization to prioritize assets and determine appropriate cost and justification for protecting each asset.
Define Future Cybersecurity Status
Establish organization specific objectives for the developing cyber security plan by identifying what the organization must accomplish with the plan. Areas to address include regulatory compliance, cyber security system administration and maintenance objectives (such as centralized management and system status visibility for management), employee training, change management, and security incident response and business continuity planning objectives.
Develop Cybersecurity Plan Objectives
Formulation of the cyber security plan framework occurs through the development of policies and procedures that dictate how the organization will configure and maintain a secure environment. Responsibility and accountability assignment ensure policy implementation, status monitoring, and maintenance. Written procedures define vulnerability countermeasure assignments and deployment specifics. Cybersecurity and incident response teams (which could be in-house or outsourced) are also established during this step.
Final Approval and Strategic Implementation
Since a best-practice cyber security plan addresses security for the entire organization, the plan must be presented to the management team before deployment. The final implementation schedule is also presented, resources are assigned according to that schedule, and the cyber security team is granted the authority to move forward with the cyber security initiative.
The cyber security, incident response, and change control board teams are responsible for maintaining cyber security within the organization and providing the leadership team with continuous visibility into the organization’s cyber security status. The cyber security team ensures that technical implementation meets the new cyber security policy standards through regularly scheduled audits and monitoring and maintenance of all cyber security systems (such as firewalls and intrusion detection systems) and documentation. The incident response team meets regularly to rehearse incident response procedures and crisis management communications so that response to a detected cyber-attack will be quick and communications effective. The change control board will work with both the cyber security team and incident response team, along with IT staff, to ensure that all maintenance activities are well planned, avoiding business system disruptions.
Organizations within the financial sector are a primary target for cyber-attacks. Incident prevention starts with a best practice cyber security plan designed to protect all company assets according to their priority and importance within the organization. Since some attacks, such as Denial of Service, cannot always be prevented, establishing detection systems and an incident response team ensures a quick reaction that protects company assets and system up-time and avoids or minimizes loss of productivity during business hours. Contact us to learn more about cyber security planning, incident response, and crisis management communications.
In a world where our technological capabilities are rapidly advancing and creating new and exciting opportunities, there is also an element of security that needs to be strongly considered and given the appropriate resources. An ever-expanding Internet of Things is making it virtually impossible to secure every route and door to the Internet and your information. The latest cyber attack to make big headlines, the WannaCry incident, has shown a lot of people just how vulnerable they really are. Big organizations like Target, Sony, FedEx, and the UK’s NHS have been attacked successfully. Now it is more important than ever, especially for individuals and organizations that work in the financial industry, to dedicate enough time and energy to protecting their systems and information.
The WannaCry Incident
Last month, over 200,000 computers in 150 different countries were affected by a cyber attack. The WannaCry attacks exploited a weakness in the Microsoft Windows operating system and locked people’s information and computers. The malware demanded a ransom payment in Bitcoin in order to unlock the computer and the information stored on it. FedEx, Telefónica, and the UK’s NHS are just a few of the big-name organizations to be hit by this attack. Payment of the ransom did not result in the release of the lock on the computer and information.
System attacks like the WannaCry incident are all too common. However, professionals working in the financial sector cannot afford to lose their own or their clients’ information to cyber attackers so easily. It is very important that cyber security is given the utmost importance in all fields, but especially in the financial industry.
What You Can Do About It
- Make sure all of your computers and connected devices are up to date with the latest software and security programs. It is imperative to ensure that all computers and devices being used on your network are vetted and approved. It can be hard to do this since so many people have their own personal devices that they bring to work, but it is essential to make sure any and all access points to your network and information are secure.
- Spend more time and resources on creating a fast-response plan rather than trying to create a security plan that focuses solely on total prevention. Total prevention of cyber attacks on today’s Internet is just not realistic; the number of different devices that can potentially access the Internet is overwhelming. Instead, security should be mainly focused on detecting and reacting to different cyber attacks as quickly as possible.
- Share your data. The financial industry, like all industries, is very competitive, but it is in everyone’s best interests to share the data they have on cyber attacks that have been attempted on their networks, servers, and computers. Sharing this data is a great way to stop cyber attackers from gaining the upper hand. Institutions need to be able to share cyber attack data freely so that they can recognize and react quickly to all incoming attacks. If a financial institution were to lose control of its information or its systems, it would be devastating.
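The first recommendation above, keeping every computer and device patched, is the defender's mirror image of the weaponization step described earlier, where attackers cross-reference observed software versions against known-vulnerability databases. The following is an added example, not code from the original post, of the same cross-reference run by the defender: a software inventory is compared against a list of advisories that each name the first fixed version, and any host still running an older build is reported. The products, hosts, versions and advisory identifiers are all constructed placeholders, not real software or real vulnerability IDs.

```python
"""Patch-gap check of a software inventory against an advisory list.

Added example with constructed data: the product names, hostnames,
versions and advisory identifiers below are placeholders, not real
software or real vulnerability identifiers.
"""
import re


def parse_version(text):
    """Turn '4.2.10' or '1.9.7-p2' into a tuple of ints that compares numerically.

    Comparing version strings lexically is a classic mistake:
    "9.1.10" < "9.1.3" is True as strings, so a patched host would be
    reported as vulnerable (or, worse, a vulnerable host as patched).
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


# Constructed advisory list: each entry names the first version that carries the fix.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "product": "filesharer", "fixed_in": "4.2.11"},
    {"id": "ADV-0002 (placeholder)", "product": "webgateway", "fixed_in": "2.0.0"},
    {"id": "ADV-0003 (placeholder)", "product": "mailrelay", "fixed_in": "9.1.3"},
]

# Constructed inventory, as a simple asset register or agent export might produce it.
INVENTORY = [
    {"host": "ws-017", "product": "filesharer", "version": "4.2.10"},
    {"host": "ws-018", "product": "filesharer", "version": "4.2.11"},
    {"host": "gw-01", "product": "webgateway", "version": "1.9.7-p2"},
    {"host": "mx-01", "product": "mailrelay", "version": "9.1.3"},
    {"host": "mx-02", "product": "mailrelay", "version": "9.1.10"},
]


def find_patch_gaps(inventory, advisories):
    """Return one finding per (host, advisory) where the installed build predates the fix."""
    gaps = []
    for item in inventory:
        installed = parse_version(item["version"])
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue
            if installed < parse_version(adv["fixed_in"]):
                gaps.append({
                    "host": item["host"],
                    "product": item["product"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                })
    return gaps


if __name__ == "__main__":
    for gap in find_patch_gaps(INVENTORY, ADVISORIES):
        print(f"{gap['host']}: {gap['product']} {gap['installed']} "
              f"is below fix {gap['fixed_in']} ({gap['advisory']})")
```

On the constructed data, `ws-017` and `gw-01` are reported and `mx-02` is correctly left alone even though its version string sorts before the fix version lexically. The check is only as good as the inventory feeding it, which is why the recommendation above stresses vetting every device on the network: a host that never reports its installed software never appears in this output.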
There are still a lot of companies that do not take cyber security seriously enough. The world of technology is evolving at a very rapid pace, and most if not all of our information is being digitized and uploaded to the Internet. If an attacker can gain control of someone’s network and information for even a few minutes, they can wreak serious havoc. Financial institutions do not have the luxury of taking cyber security lightly. Please contact us to learn more about the services we offer the financial industry.