By Ofer Or

The banking industry is no stranger to cyber-attacks. The latest attack uncovered by Kaspersky Labssaw cybercriminals use known malware, Carbanak, to exploit the vulnerabilities found in banks too large to keep all their systems patched.

However , this attack marks a departure from more common attacks directed at banks in so far as the criminals were not after the usual treasure trove of personally identifiable information (PII) belonging to bank customers, but instead targeted the banks’ own systems: internal money processing services and automated teller machines(ATMs).It’s the first instance we’ve seen of a cyber-espionage technique used in nation-state attacks being turned on the private sector for financial gain. And since it was successful – to the tune of $1 billion—we can bet it won’t be the last.

Big Phish: Reeling in the victims

Kaspersky Labs revealed that the initial infections of bank machines by Carbanak malware, possibly linked to Russian or Ukraine cyber groups, were achieved through spear phishing emails that appeared to be legitimate banking communications. Recipients of this email believed the messages were legitimate notices from within the company or from trusted sources such as the Russian Federal Bank, and clicked on email attachments as instructed. Phishing essentially opened the gateway for hackers to exploit known vulnerabilities in commonly used Microsoft Office applications that remained unpatched by large banks due to their cumbersome infrastructures. Once the malware was embedded, the hackers were able to take control of the infected machines and move laterally throughout the banks’ IT network in order to launch the next phase of the attack.

It’s hard to believe that in 2015, we are still seeing spear phishing attacks. But phishing scams aren’t going away anytime soon. In the UK alone, online banking losses attributed to phishing scams cost £30 million, according to a report by banking organisation Financial Fraud Action. In the US, the month of December 2014 saw 46,747 identified phishing attacks, according to the RSA Anti-Fraud Command Center.

The very the nature of a financial organisation’s IT infrastructure makes it easy to launch a phishing campaign. Most banks have a large number of employees spread out across multiple locations, and numerous business applications requiring constant upgrades. But bank IT teams remain focused on protecting customer data and tracking fraudulent behaviour rather than their internal systems due to financial regulations and a number of recent credit card breaches that have put customers’ PII at risk.

A moving target

Historically,cyber attacks have been aimed at the bank’s customers. The common goal: stealing PII such as bank account and credit card numbers, social security numbers, dates of birth and other data that can be used in global identity theft schemes. The target for cyber attacksis shifting from banking customer to the bank itself. As we’ve seen with this Carbanak attack, the payoff of this kind of cyber heist is enormous – far more than cyber criminals could make on credit card or identity theft.

Locking down the vault

Is this far-reaching cyber attack the beginning of a disturbing new trend? What can banking organisations do to mitigate risk and prevent even more devastating theft like this? Here are a few steps.

• Define your organisation’s security policy. In order to truly be able to have an adaptive security architecture or framework, banking IT organisations must have a well-defined security policy in place. A security policy helps the people tasked with protecting systems and data determine the desired, optimal way the network operates with the least amount of risk. This includes approved applications, proper configurations and upgrades, what kind of network connectivity will be allowed, and how often are patches happening. Further, your security policy takes into consideration all regulatory requirements coming from outside your industry, as well as best practices coming from inside. The security policy serves as the organisation’s road map to successful risk mitigation.

• Ensure that your security policy mirrors actual behaviour. While your security policy defines how the IT platform behaves, for many organisations, this is only theoretical. And that can lead to trouble. For example, an unnamed but large UK bank ignored a serious two-factor-authentication (2FA) flaw, as well as 22 other vulnerabilities uncovered by a security consultancy, just months before the Carbanak attack was detected. A good policy is not a static document. Instead, your security policy is a dynamic, constantly evolving approach. It should be updated continuously whenever something has been overlooked. Sometimes there are legitimate reasons for gaps in a security policy, but the bank’s CISO is responsible for reconciling them. A CISO is charged with asking the hard questions and comparing how employees and network activity behaves day-to-day, and what’s desired. This requires collaboration with network operations, security ops, and the CIO to mitigate those gaps, one at a time.

• Assume you have already been or will be breached. While it may be difficult to face it, the smartest thing banking organisations can do is assume that their network defense systems have already been infiltrated by cyber threats. Based on this assumption, which parts of your network would be the worst to fall into the wrong hands? And how easy would it be for cyber criminals to gain access to them? This is where network segmentation comes in as a strategy. When properly executed, network segmentation minimises risk by limiting lateral movement through a compromised network. Enforcing network segmentation is an ongoing effort of updating and reconfiguring, but it’s vital. Segmentation is what keeps cybercriminals from reaching beyond an employee’s infected desktop computer into your system’s ATM network.

Managing network security for today’s financial organisations has become a complex, resource-intensive operation involving hundreds of firewalls, router, switches, applications, regulations and more. Despite all of this complexity, senior management requires an accurate, realistic picture of the organisation’s security posture at all times, and take measures to improve gaps as quickly and efficiently as possible.  We’re facing a new era of bank robbers, armed with intimate knowledge of banking systems’ inner workings. The Carbanak attack demonstrates that the industry requires a better approach that is less about prevention of zero-day incidents, and more about mitigation of breaches that may already be happening under the radar.

About the author

Ofer Or is vice president of products for Tufin. Tufin automates and accelerates network configuration changes while maintaining security and compliance for the world’s leading financial institutions. For more information, visit http://www.tufin.com.