Cyber threats can be broadly categorised as either a Computer Network Attack (CNA) - aiming for the disruption, degradation or destruction of information and systems; or Computer Network Exploitation (CNE) - which focuses on accessing, stealing and exploiting information. Unfortunately both are regularly used against the financial sector. When it comes to who is behind these attacks they come from all corners of the web – from a lone hacktivist to a full-blown state-sponsored attack.
To get a grip on the question of what are the cyber threats faced by the financial sector, we need to explore who the potential attackers are, what they’re after and what their motives are.
Who is attacking?
MWR’s research has uncovered six different types of threat actor, each with their own methods, context and incentives, but all similar in that they are a real and very serious threat to financial institutions the world over:
Nation States - Nation states have many reasons to attack the financial sector, such as aspirations to boost their own financial centres through stolen software and data or to derail the systems of another states for political ends. Nation-state cyber capability is widely varied – some may only be able to carry out a low-skilled DDoS attack, while others have highly skilled teams able to penetrate multiple organisations to reach their goal.
Terrorists - Terrorists are increasingly using cyber means to reach their goals – Al-Qaeda has called for e-jihad in the past while ISIS are attempting to recruit sympathetic hackers through social media. Terrorists may target financial institutions that support critical national infrastructure with the intent of causing chaos and destruction, or they may have direct financial goals in order to fund future terrorist activities.
Hacktivists - Hacktivists’ political motives vary, but all use cyber attacks to express opposition to institutions and policy. Hacktivists identify financial institutions as valuable targets for disruptive and attention-seeking purposes. Patriotic hackers are a key facet of this group and tend towards a focus of supporting national agendas and industry, and actively damaging competitor nations. This includes targeting the other nations’ industries, such as the financial sector.
Well-placed Individuals - Current or former employees with insight into systems and information, or contractors managing IT, could inflict high-impact damage. Resentment or financial gain are typically the key motivators. The insider threat is serious both in this deliberate sense, as well as in the accidental sense – attackers often use spear-phishing to gain access and compromise a network.
Organised Crime - A major source of financially-incentivised cyber attacks, organised crime is actively pursuing the low-risk yet high yield potential of cyber crime. With the resources at their disposal to build custom tools, this threat actor has very high-capabilities for attacks.
Competitors - Competitors engage in cyber operations motivated by economic advantage, either directly through in-house capability, or more often through intermediary actors such as criminal hackers for hire, or nation states supporting their industry.
How will they attack?
Cyber attacks can be highly specialised and bespoke; however, the majority of hostile actors opt simply for the most time- and cost-effective methods of compromise:
Computer Network Attack - The most common CNA is a distributed denial-of-service (DDoS) attack, which involves overwhelming online and internet-connected services with large volumes of traffic, thus compromising availability. The attack stems from varied, often geographically disparate sources, usually compromised computers. This provides both a force multiplier and a veil to obscure the attacker’s identity; it could even implicate an innocent party.
Computer Network Exploitation - Social engineering is a common aspect of CNE, whereby sophisticated attackers use highly targeted phishing attacks as opposed to attacks where emails are sent to thousands of random users. Spear phishing is extremely effective, as specific details relating to the recipient’s work or personal life might be included, making the email far more believable. Alternatively, the attacker might use watering holes, where websites regularly visited by targeted individuals are compromised and infected with malware for the targets to unwittingly download.
Looking at these two main kinds of threat, the actors behind them, and those organisations best able to deflect their advances, typically they possess common characteristics. Here’s a list of five key conditions that, together, will help financial organisations defend against attacks:
- A good understanding of the motives of the attacking groups likely to target them.
- Undertake an extensive programme to identify information assets.
- Instigate an extensive project that identifies all the attack paths connected to these assets.
- Justify the cost of removing these attack paths, and/or consolidating the assets to reduce the attack surface area.
- Augment their attack monitoring and response, so that attacks can be efficiently curtailed in the early phases.
The financial sector is a beguiling target to a huge variety of threat actors with wildly varying levels of skill. Managing this cyber risk is not about inhibiting business; on the contrary, when done properly and with the correct expertise, it ensures that institutions are best placed to manage cyber risk while driving forward innovation and success in a turbulent geopolitical environment.
Organisations need to be aware of the various threats that face them, and accept that their part in UK society places them in the firing line. An up-to-date threat picture and a risk management strategy that is flexible to this dynamic risk are essential; after all, targeted attacks need targeted defences.
By Samuel Higgins, security analyst of MWR InfoSecurity