Applying Active Defense to Strengthen FSI Security

What financial services organizations can learn from the government sector

By Ofer Israeli, CEO and founder, Illusive Networks

It seems like no matter what organizations do to protect their networks, cybercriminals are at least one step ahead – and breaches continue to occur. The standard cybersecurity paradigm is reactive and passive, but with today’s attacks having such long dwell times and the potential for such significant damage, IT teams need a more active defense stance. The federally funded not-for-profit, MITRE, has taken this position with the introduction of its Shield framework. Any strategy to defeat cybercrime must include active defense.

MITRE wrote this framework with government agencies in mind, but its principles translate well to the world of financial services. IT teams that know the latest strategies and recommendations put their companies in a strong position to remain secure.

Why MITRE Shield is important

MITRE’s Shield is an active defense knowledge base developed from over a decade’s worth of enemy engagement. With it, MITRE is trying to gather and organize what it has been learning with respect to active defense and adversary engagement. This information ranges from “high-level, CISO-ready considerations of opportunities and objectives to practitioner-friendly discussions of the tactics, techniques and procedures (TTPs) available to defenders.” The goal is for Shield to encourage discussion around active defense.

Understanding active defense

Financial institutions need every advantage to keep their highly valuable, in-demand data secure. Active defense involves using limited offensive action and counterattacks to prevent an adversary from taking digital territory or assets. Active defense covers a myriad of activities, including engaging the adversary, basic cyber defensive capabilities and cyber deception. Taken together, these activities enable IT teams to stop current attacks as well as get more insight into the attacker. Then they can prepare more thoroughly for future attacks.

Deception capabilities are a necessity in the modern security stack. In Shield’s new tactic and technique mapping, deception is prominent across eight active defense tactics—channel, collect, contain, detect, disrupt, facilitate, legitimize and test—along with 33 defensive techniques.

What FSI should know about deception

From small credit unions and regional insurance companies to global banks and investment houses, financial services organizations all face the same business risks that come with big breaches: significant financial losses, hefty regulatory fines and damage to their reputations. The movement of financial services applications to the web and the rise of mobile applications, including mobile banking, greatly expanded the attack surface for the sector.

Financial data is, of course, a prime target for attack, but the industry has to contend not only with outside attacks but those from within, as well. These internal attacks could be from malicious insiders or even from inadvertent acts in which an employee, while reading a phishing email, is tricked into opening an attachment containing malware or clicking on a link leading to a malware-infested site.

Deception technology is helpful and effective in all these cases, but there are common misconceptions about deception that financial institutions must overcome in order to feel confident using it. A prevailing misconception is that deception is synonymous with honeypots, which have been around for a long time and aren’t always effective. And to make them as realistic as possible requires a lot of management so that if attackers engage with a honeypot, they won’t be able to detect that it is not a real system and therefore know they’re in the middle of getting caught.

Quite the opposite is true, actually. Honeypots and deception are not the same thing. That’s how deception began, but it has changed significantly since then. Today’s deception takes the breadcrumb/deceptive artifact approach that leads attackers on a false trail, which triggers alerts so that defenders can find and stop the attackers in real time. Only unauthorized users know the deceptions exist, as they don’t have any effect on everyday systems, so false positives are dramatically reduced. These aspects of deception technology add tremendous security and financial value to the IT security team.

Finally, some organizations mistakenly assume that deception is too complex to implement well, with comparatively little return-on-investment. Security organizations could enjoy the benefit of using deception technology – which is lightweight and has a low cost of maintenance – but are not engaging because they think it’s an overwhelming, complex approach that they won’t get enough value from.

Active defense is key

As financial institutions seek to serve their customers better with modern options like online banking and mobile apps, the threat landscape expands. So, too, do cybercriminals’ arsenals. And the rapid changes many institutions went through to manage the pandemic’s impact opened new attack doors, too. All of these new security risks require a stronger and broader defense strategy to protect that coveted financial data. That’s why MITRE’s Shield framework is so timely and worth heeding – even for organizations outside the government sector – particularly the recommendation to use active defense in general and deception technology in specific. Use the information above to strengthen defenses for a more active, real-time response to network threats.