Four ways banks are turning the tables on cybercriminals
Instead of waiting for the next cyberattack, banks are taking several steps to get ahead of the problem.
“The whole financial services sector is trying to be more proactive relative to information-security controls,” said Jason Witty, the chief information security officer at U.S. Bank in Minneapolis.
Ransomware attacks, high-stakes wire transfer fraud and other incidents that have inflicted escalating damage have created a sense of urgency. Banks, especially large ones, also see innovative counterpunches as a way to dissuade regulators from stepping in with new requirements, Witty said.
Jason Witty, the chief information security officer at U.S. BankHolger Schulze, founder and manager of the Information Security community on LinkedIn and an independent consultant, said all companies — but especially banks — have no choice but to get creative.
They “can’t afford any more hacks to occur or for adversaries to spend months undetected in corporate networks, databases and applications … only to find out after a breach occurred and after data has been exposed or transactions have been meddled with or Social Security numbers have been stolen,” Schulze said.
Still, banks cannot go on the attack — their own lawyers, regulators and law enforcement won’t allow it. In the U.S. and most other countries, it would be illegal to hack back at a cyberattacker.
Witty compares this situation to being a Samurai warrior who may not fight.
“You have beautiful armor and a beautiful helmet but you don’t have a sword, and if you do have a sword you can never use it,” he said. “You can only block, parry, duck, jump or run.”
That said, banks are finding ways to block and parry more assertively. Here are four of them:
1. Reading criminal minds
One bank recently hired former secret agents from Israel’s Shin Bet, the agency that handles security within the country’s borders, to help it understand how cyberattackers think and operate.
“Some Israeli companies are trying to find the person behind the attack, because they’re usually launching multiple campaigns,” said Avivah Litan, vice president at Gartner. “By finding the individuals, you can preempt new campaigns, and it’s very effective.”
The former Shin Bet agents, who have formed a company called Diskin Advanced Technologies, spend hours lurking on the forums in the dark web where cybercriminals gather, reading their conversations and watching their movements to understand their motives and strategies. They use that knowledge to help the bank understand what’s coming at it and recommend the right defensive measures.
Given the fast-changing cyberthreat landscape, security analysts no longer have the time to conduct traditional data analysis and investigations, said Noam Jolles-Ichner, senior intelligence specialist at Diskin.
“The adversary is moving very fast, he’s highly dynamic, he’s adjusting during the campaign,” she said. “You need to be dynamic to counter that.”
To perform true counterintelligence, “you need to let go of everything you think threatens you and to think -- not like a hacker, not like an attacker, but like an adversary.”
This practice is becoming more common.
“It’s well understood you need to know who your enemy is and how your enemy operates to come up with a proactive defense,” said David Pollino, deputy chief security officer at Bank of the West.
Many banks monitor dark- web sites for attacker activity and try to read their conversations to find out their plans to compromise and commit crimes against their institutions, Pollino said. They also look for their data, such as credit card data, being sold on dark-web sites.
Bank of the West partners with third parties and law enforcement agencies to monitor the dark web.
2. Automating threat intel
Banks have been stepping up their use of threat intelligence, especially information about attacks on other banks.
“Cyberthreat intelligence is a burgeoning area of focus for financial institutions, especially USAA,” said Gary McAlum, chief security officer at USAA. “Cyberthreat intelligence and the associated operational processes can certainly inform security measures and help shed light on risk exposure.”
U.S. Bank was one of the first banks to automate threat intelligence, using software called Soltra that was originally developed by the Financial Services Information Sharing and Analysis Center and the Depository Trust & Clearing Corp. As banks share security threat information with the FS-ISAC, Soltra translates that into machine-readable text that security software can act on automatically. (In an odd little hiccup, Soltra was briefly shut down last year, then bought by the software company NC4. Witty says everything is back to normal now.)
“Automated threat intelligence is one of the newest things that has gone mainstream in the past few years,” Witty said. “It’s taking it a step further than just knowing this particular malware is targeting institution A, or that institution B just had a phishing attack, and being able to turn that information from indicators of attack or compromise to courses of action.”
With everything working perfectly, one bank shares information about an attack over the automated channel, and when the attacker tries the same tactic on other banks, “it doesn’t work because their shields are already up,” Witty said. “An attack on one means a response from all.”
None of the banks that use Soltra are fully automated yet. U.S. Bank is working on the first stage of it, automating threat detection.
“A phishing attack happened on another bank yesterday, and we knew whether it was happening to us immediately based on automated rules that got put in place looking for those subject lines,” Witty said.
3. Setting traps
Another increasingly popular approach is deception technology, which allows banks to set up honeypots and decoys that lure in cybercriminals and throw them off track, with the purpose of keeping them away from the live system.
Honey nets have been used by information security researchers and law enforcement for many years, but typically they’ve been external to the bank, Pollino noted.
“Recently, I’m starting to see companies promoting the use of honey net tech to be deployed internally,” he said. “The idea is you have a portion of your network where there’s no legit use for it so if you do see something happening, it’s an indication that somebody internal may be doing something.”
Witty said that deceptive technologies are still new.
“I’ve never believed in honeypot technology, because it seems to me to be inviting the bad guy to try to hack into something on your network,” he said.
U.S. Bank does use what Witty calls “honey data.” Instead of creating a fake server that might tie up a cybercriminal for a while, the bank puts fake data in specific places around its network, then watches to see if anybody is accessing it, because no one should be. An example might be a file that has a million credit card numbers in it that are mathematically valid but not real.
“If we see someone take that file and stick it on their laptop, then we know something is amiss,” Witty said.
4. Battle testing
So-called bug bounty programs are used by PayPal, Western Union, Square, Simple and other financial services companies. They invite hackers to search a company’s websites and software applications for security bugs and offer a financial reward for every reported glitch that turns out to be a true software problem that can be patched.
USAA has been using a bug bounty program for over a year.
“We had to work through a rigorous legal review process, but we are happy with the results from the first year,” said Gary McAlum, chief security officer for USAA. “We see the bug bounty initiative as another line of defense to complement strong application security and internal testing controls.”
Threat hunting is another rapidly growing practice among companies of all kinds.
In threat hunting, companies use dedicated people and software to find threats that more traditional security and information event management tools cannot detect. The software uses machine learning to detect certain suspicious behavior, and people analyze the behavior patterns to identify things that are unusual.
In a recent survey, Schulze found that about three-quarters of cybersecurity professionals say threat hunting should be and will be a top security initiative.
Some of the emphasis on newer, more capable software is a result of the lack of available experts in network and application security.
“Those folks are exceedingly rare,” Schulze said.