An obsession with the latest and greatest cybersecurity technology, combined with a lack of empowerment for chief security officers, is holding banks and others in financial services back from tackling the real root of the problem: cybercriminals already infesting their networks.
“The security industry is obsessed with technology, but not really focused on the adversaries and the impact they can have on an organisation. You can become almost tech blind to individual attacks and controls,” says Andrzej Kawalec, director of strategy and technology at Optiv Security.
“A belief has long been held – and it is actually true – that we see greater levels of security, maturity and investment in financial services. So, you can ask ‘why do people rob banks?’ and the answer is always ‘because that’s where the money is’.”
According to Tom Kellermann, chief cybersecurity officer at Carbon Black, cybercriminals have changed their tactics. “They have switched from performing bank heists – taking the money and running – to creating a hostage situation. They don’t want to leave the victim alone, they want to maintain their presence in that institution, and they're willing to fight back.”
A March report from Carbon Black, produced in association with Optiv Security, found that 67% of financial institutions had experienced an increase in cyberattacks over the previous 12 months. Some 32% of the firms surveyed said they were experiencing counter-threat response, meaning attackers fighting back to protect their position once detected in the network. The report also found a 160% increase in destructive cyberattacks, which aim to wipe data and render whole systems inoperable.
“It's something that we should be very concerned about,” says Kellermann, “because what that says to me is that [cybercriminals] are willing to shoot the hostages now, they're willing to burn down the infrastructure, and destroy segments of a financial institution because they're angry that you are reacting to them in the first place.”
“I think it’s heartening that we’re now at a level of sophistication where we can recognise that’s what’s happening,” adds Kawalec. “If you think about all the effort that goes into selecting a target, doing your research, and gaining control of a network or structural asset, then it’s natural that you wouldn’t want to give that up or burn it.”
New channels and greater authority
Data breaches and cyberattacks targeting banks have increased by 480% in the UK, according to Financial Conduct Authority (FCA) figures. According to Kawalec, financial services are now at the “tip of the spear” when it comes to bearing the brunt of damaging attacks. “[The industry] is having to respond to growing attack surfaces, a dynamic adversary, the implementation of new mobile services, and ever more complex and punitive regulatory regimes. When you’re reacting and responding to all of those things you can become stretched really thin.”
In October 2018 the FCA fined Tesco Bank £16.4m for failures in its cybersecurity defences which led to hackers escaping with £2.2m in 2016. Mark Steward, executive director of enforcement and market oversight at the FCA, said at the time that banks “must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”
Banks will continue to feel the security pressure as they add new channels and entry points to their systems, says Kawalec. “Every time we add a new way of working, every time a bank adds anything online or engages in a new way, it is introducing and broadening new attack surfaces. Every time they offer multiple devices on multiple platforms, they’re stretching their defences.”
Opening up new channels to satisfy customer demand without proper security testing “is a systemic mistake and it is a terrible mistake,” says Kellermann. “They’re doing this to increase access to their systems. What they’re not understanding is that if you build it they will come, and not all of them will be righteous.”
To create greater security controls, more responsibility needs to be given to chief information security officers (CISOs) at firms. “CISOs need to be promoted, they should no longer report to CIOs. It’s ridiculous and it’s a huge governance problem,” says Kellermann. “CISOs require empowerment, require greater resources and authority within their organisations. At the same time, they shouldn’t be spending money willy-nilly on cybersecurity technologies just for the purpose of compliance. The most proactive thing they should be doing is conducting threat hunting within their systems to identify what is already inside their institution.”
While an incident response team acts like a group of firefighters, says Kellermann, a threat hunting squad can perform like a special operative, proactively finding threats and neutralising them before they grow any further.
“Security operations teams need to move away from being reactive,” says Kawalec. “They need to no longer see a single instance on a single computer, bucket it, shut it down and start a new scan. Questions need to be asked, like ‘how did this happen?’, ‘where did that come from?’, ‘why were we targeted?’ and more.”