Cyber criminals are holding the financial services hostage: Here’s how to defend against sophisticated attacks

By Zeki Turedi, CTO, EMEA at CrowdStrike

In the aftermath of the COVID-19 pandemic, financial services companies’ data will be subject to unparalleled levels of threat. The World Economic Forum’s Global Risks Report 2020 found that 76 per cent believe that the risk of cyber attacks will rise throughout this year. Financial services are particularly susceptible to this issue, as F5’s 2020 State of application services report found that 72 per cent lacked security skills. The consequences of the lack of knowledge are not hard to find: a financial services firm in the UK lost £71 million, putting the UK at the top of the list of the largest financial losses following cyber attacks in 2019.

The COVID-19 crisis has made the situation even worse. Since March, CrowdStrike’s 2020 Threat Hunting Report: Insights from the OverWatch Team observed a 330 percent increase in malicious files using COVID-19 themes. This is of particular concern to the financial industry, as it is often victim to the most sophisticated intrusions. Intrusions have increased by 112 percent compared with last year due to bad actors playing on people’s fears by using COVID-19 related spear phishing attempts. These often include financial and invoice related lures.

The move to remote working also has a significant role as companies try to navigate the current threat landscape. As technology departments try to make systems available remotely, they inadvertently leave open doors like Remote Desktop Protocol (RDP). This is one of the most common points of entry used by eCrime actors.

The issue for many companies is that by the time they have been compromised, it’s already too late

A long-established method that cybersecurity teams use for detecting such threats are Indicators of Compromise (IoCs), which can help determine whether a security incident has occured by detecting the remnants of an attack such as executables, registry changes or connected IP addresses . Their nature, however, means that IoCs have security teams investigating and searching for breaches that have already happened, rather than trying to prevent them. Fortunately, recent years have brought about next-generation cloud security solutions; these help security teams to really understand the attacker’s end goal, allowing them to counter breaches more effectively by leveraging Indicators of Attack (IoAs).

A beginners guide to Indicators of Attack

IoAs help security teams to determine and understand common actions that an attacker must conduct to succeed, allowing their investigations to take a more proactive method to thwart attacks. These actions include pro-actively identifying techniques such as initial access,code execution, persistence, privilege control, lateral movement plus many others within a network. The key advantage of acting on IoAs is that they allow security teams to stop attackers in their tracks, before they’re able to jeopardize an organisation’s defences, if they are spotted and acted on.

A spear phishing campaign, which is designed to test a system’s defences, as an example, could be a precursor to a cyber attack. This usually begins with an email which aims to convince a target to open a file that will allow an attacker to execute a malicious implant . Once compromised, the adversary will discreetly perform the steps necessary to have a persistent foothold within the targets network . Security teams proactively checking for IoAs will be able to identify the implementation of any of these steps and recognise an attacker through interpreting what these activities are trying to achieve. This way, security teams are more likely to spot malefactors before they’re able to compromise a network.

A real-world parallel

In a number of ways, one could liken a data breach to a bank robbery. The attacker needs to overcome the target’s security systems and successfully act towards their objective – whether that be sensitive data or bars of gold. In the case of a bank robbery, authorities usually arrive after the crime has happened and can start gathering evidence. The security cameras may contain proof; the robber drove a blue hatchback, wore a bucket hat and used a drill to break into the vault.

Much like IoCs, these pieces of evidence are only discovered after the incident – they show that there was an attack, but the money is already gone. This same evidence could be used to eventually find the robber, but only if they stick to their techniques. If the next time they use a red convertible, wear a baseball cap, and use liquid nitrogen to break into the vault, they will likely be successful again. This is because these new points of evidence will not be a part of the security team’s set of indicators.

A robbery could be completely anticipated and countered, however, if the bank was set up to monitor for IoAs. Just as a phishing attack often foreshadows a data breach, a bank robber might ‘case’ the bank before the heist. Like a phishing campaign, this operation is made of steps that a proactive security team could detect. If the perpetrator tries to disable the system, move towards the vault or attempts to decipher it, the security team can deduce they are trying to rob them. Thanks to this information, they can then intercept the attempt before the thief is able to steal anything at all.

IoAs in practical terms

Although the points of evidence may be less apparent during a cyber attack than in a bank heist, the same principles apply. If a security team can spot IoCs such as an MD5 hash, a C2 domain or a hard-coded IP address, they might be able to use these indicators to prevent future intrusions. However, given that IoCs aren’t a constant parameter, security teams could be left on the back foot as they strive to keep up with the ever-changing threat landscape.

IoAs on the other hand, help security teams to quickly adjust to the situation and intervene to prevent a breach, by allowing them to monitor for suspicious demeanours. By focusing on the strategies, methods and processes attackers follow, security teams can determine who the adversary is, what they are trying to access and why, while providing a proactive approach to confronting advanced threats.