Combating the virtual and physical threats banks face
The banking sector has always been at the center of criminal attention. Today, banks must contend with near-constant cyber attacks from organized criminal gangs, as well as highly skilled and well-resourced threat actors working on behalf of nation-states.
In recent years we have seen multiple APT groups launching sophisticated attacks on financial institutions around the world. For example, there are the attacks on US and Saudi Arabian banks by APT33, believed to be funded by Iran. APT38, which has links to North Korean-backed Lazarus Group, has specialized in striking the SWIFT system and is connected to more than £100m in in stolen funds.
The Russian-speaking Silence group has initially targeted banks in former Soviet countries but has expanded to more than 30 countries including the UK; and the infamous Cobalt Group has specialized in highly orchestrated heists on ATMs as well as card processing and payment systems.
Groups like these are well organized and often have state funding and few resource or time limits. The cyber threats facing banks are exacerbated by a large and complex infrastructure that presents threat actors with an extensive attack surface, allowing them to strike network infrastructure and systems like SWIFT, employees, customers, and physical assets like ATMs. The extent of these threats demands a proactive and persistent security program.
An array of digital threats
The tools and techniques used to attack the banking sector are not that different from the ones used against any other kind of business. Indeed, these groups are often the creators of new zero-days exploits and malware strains later repurposed to target other sectors, as we saw with the Hermes ransomware, which is used extensively to hit organizations in the banking sector and which served as the basis for the more widely used Ryuk.
Alongside sophisticated malware, banks must contend with increasingly sophisticated phishing attacks. Such attacks have also become more viable for less experienced criminals thanks to the supply of automated tools, meaning that any attacker who does their homework can launch targeted attacks that even a trained individual will have a hard time spotting.
These threats have been amplified by COVID-19 and the accompanying remote working. Previously, many organizations heavily relied on the defenses deployed through their corporate network to detect threats. This means that when staff are working from home, they are much less secure as they have to rely solely on the endpoint detection on their laptop. Home Wi-Fi networks are also much easier to breach than their corporate counterparts, subsequently creating an easy attack path to the employee’s device.
Unique physical threats
While physical infiltrations are rare, the banking sector is a viable target for such an attack, and the results could be devastating. The nature of the banking sector means organizations face a higher risk of criminal attacks that combine cyber and physical tactics.
For example, while the money in ATMs is secured, other components are only protected by thin sheets of metal and flimsy locks. One bank our pen testers assessed was (worryingly) using 4G for communication with ATMs at remote sites. The real danger here is that the 4G router could be removed and taken away, yet still provide a path into the ATM network, giving whoever steals it the run of the place.
Physical branch locations can also be exploited to enact major cyber attacks. Due to the large volumes of cash onsite, bank branches are generally secured against the threat of an armed robbery. However, in the course of our red team assessments we have frequently found that few are prepared or have any counter measures in place for the more subtle threat of an infiltration as part of a cyber attack.
For instance, our red team operatives are frequently able to enter the restricted areas of bank buildings with minimal challenges, armed with only a cover story and perhaps a fake badge on a lanyard. In one instance we not only passed unsuspecting armed guards but got them to buzz us through with the aid of a “faulty” RFID card. Furthermore, in another investigation we were able to remain on-site until 10pm when the other staff had left, granting unfettered access to their desks.
Such an intruder can leave behind a drop box to gain access to the network mimicking the connection of an existing device such as a printer. From there they can leave and take their time going low and slow to remotely scan the entire network.
Keeping pace with threat developments
Faced with one of the fastest moving threat landscapes of any industry, banks should be deploying a persistent and proactive threat detection program that combines both automated and manual scanning.
Automated vulnerability scanning is now affordable and accessible enough that there is no reason not to be doing it as frequently as once per month. These scans will help quickly identify the majority of the low-hanging fruit vulnerabilities and provide direction for the SOC team’s investigations. However, they will usually miss some of the more sophisticated and subtle threats utilized by more advanced attackers.
Complex, multi-step attacks and those exploiting zero-day vulnerabilities will fly under the radar of standard scans which means automated scans must be paired with manual investigations by human security professionals. An experienced analyst will be able to think like a threat actor and ask the right questions to uncover both potential vulnerabilities and signs of active threats before these attack paths can be exploited. As this is a more resource-intensive process it is often scheduled on an annual basis, but this is an extremely long time in the lifespan of vulnerabilities so it is advised to carry out these investigations as often as you can afford.
The value of red teaming combined with human security
The banking sector has perhaps the most to gain from full red teaming exercises. These should be no-holds-barred events that allow the red team operatives to simulate all possible scenarios, including advanced social engineering and the infiltration of branches and attacks on infrastructure such as ATMs, alongside purely digital attacks.
Human security must also be a major priority. With remote working now likely to be a mainstay for the foreseeable future, banks should ensure their workers are still secure when away from the corporate network. Assets such as strong access and authentication controls will help mitigate the threat posed by a compromised endpoint. A potential long-term solution for the most sensitive staff roles is to issue a select number of corporate routers that are centrally managed, although this is prohibitively expensive on a larger scale.
The single biggest mistake any organization could make is to think that security is done to death. With banks facing one of the most innovative and well-resourced set of threat actors around, they must ensure they have the combination of technical security and human ingenuity needed to match them blow for blow.