By Alon Arvatz, Senior Director of Product Management at IntSights
The financial industry is the bullseye of a lot of cybercriminal activity, and it experiences countless attacks from threat actors and their evolving techniques every day. But today, the stakes are higher than ever. With industry regulators like the Financial Conduct Authority (FCA) bearing down on financial organisations to meet compliance criteria, accompanied by the threat of fines and lawsuits should they fail, the pressure is on for these businesses to tighten their security and do everything in their power to deflect incoming cyberattacks.
The rapidly evolving attack methods are accompanied by a rising demand for them to be developed into purchasable services, turning the pool of capable threat actors into an exponentially expanding market. Research shows that almost half of businesses experience a cyberattack at least once a month, and roughly a quarter are hit at least once a week. Financial organisations must therefore act quickly to get ahead of all current and future attacks if they’re to avoid a potentially devastating breach.
What are the current threats?
Unsurprisingly, ransomware remains one of the biggest threats facing the financial industry. And while the primary motivation for a ransomware attack is still financial gain, the methods used have shifted to focus on personal data. People today are willing to pay more money to keep their data private. Cyberspace is expanding and almost anything can be connected to the internet. Data therefore has leapt up in value and has become a highly lucrative market for cybercriminals.
There are several different forms of ransomware attack, with varying levels of complexity. Most attacks have moved beyond the traditional method of encrypting data until a ransom has been paid, and now also threaten to publish the stolen data on the clear, deep, or dark web. This is known as double extortion. It’s no longer just the organisation’s finances at risk, but also their customers’ confidential data and their own reputation. When this level of loss is on the line, businesses are often willing to pay a much higher price to avoid it.
Some attackers choose to take their campaigns to the next level and carry out a triple extortion: encrypt the data and demand a ransom, threaten to publish the data on the dark web or release it to the public media, and launch a DDoS attack on the company’s website, leaving it unusable.
Supply chains are also a popular attack vector for ransomware attacks, and the number of cyber breaches originating from supply chains has skyrocketed, with a total of 929 attacks taking place in 2020 compared to 216 in 2015. Many of these breaches are linked to software suppliers, with open-source software attacks increasing by over 650 percent in 2021. Financial organisations are a key part of industry supply chains, and if breached, could send shockwaves along the entire chain of businesses.
The dark web – adding fuel to the fire
The dark web plays a massive role in today’s cyberattacks, as it makes cybercrime far more accessible to those who lack technical knowledge and skills, but also facilitates the trading of stolen data under anonymity.
One of the most common forms of trade taking place on the dark web involves remote access to private networks. For a couple of hundred pounds, anyone could take possession of the credentials for a network endpoint or financial service’s website. Nowadays, all you need is money to become a top-notch hacker – everything you need is available on the dark web. Furthermore, the development of phishing kits facilitates the expansion of the threat actor pool, as anyone can venture into the world of cybercrime. These kits provide the tools for a ‘do-it-yourself’ phishing campaign, including assets like email templates, a simple interface to manage the attack, and graphics and scripts. Cybercrime has never been so accessible.
Forms of identification are also popular on the dark web, especially as banks and other financial organisations make huge investments in being able to confirm someone’s identity before conducting confidential business. As such, there is currently a big industry for threat actors harvesting personal data and selling fake IDs like passports.
What threats can we see on the horizon?
If this wasn’t already enough to deal with, there are signs of new, alarming threats closing in which could prove devastating for financial companies. One to be especially aware of is deepfakes – the ability to impersonate an individual, including their face and voice.
While we haven’t seen deepfakes being used in many attacks to date, we expect to see a rise in this activity in the near future. The power of this technology could be catastrophic. A UAE company has already experienced its strength, when attackers impersonated the Director’s voice to receive a $35 million bank transfer.
The concept of deepfakes is gaining traction on the dark web as discussions show a growing interest amongst threat actors. We recorded a 43 percent increase in the number of posts discussing deepfakes on the dark web since 2019. As soon as this technology becomes an everyday threat, it won’t be long before it’s monetised on a large scale and made into a tradeable service on criminal marketplaces.
How cyber threat intelligence can help
The foundations of a strong cyber defence strategy are complete visibility and the understanding of any vulnerabilities that criminals could use to gain access to your network. Threat intelligence delivers insights into an attack before it can happen, unlike other security solutions which only step in once a breach has occurred.
Threat intelligence has two primary uses. Data harvested from the internet, the dark web and cybercrime forums can identify signs of future attack plans against the business, as well as provide general insight into popular attack methods being discussed. On the flip side, recorded criminal characteristics can help organisations manage their internal security by scanning for potential indicators of compromise (IOCs) within their infrastructure, and securing any vulnerabilities.
Using threat intelligence to track ransomware attack vectors, for example, is critical. In previous years, remote desktop protocol (RDP) was the most common method for deploying ransomware, but recently we’ve seen a decrease in this trend and an increase in phishing campaigns instead. Monitoring these changes in techniques is a key way for financial organisations to stay ahead of criminals. Knowing that phishing is a popular avenue means that businesses can prioritise email security to deflect incoming attacks.
However, the threat landscape is extremely dynamic and can change in the blink of an eye, so financial enterprises must monitor these twists and turns closely. For example, we predict a shift towards ransomware for mobile and IoT devices soon, so security strategies will need to consider the business response to these new threats, whilst also keeping a close watch on the threats we’re currently seeing.
States and governments are also becoming more involved with the response to cyberattacks, in an effort to support businesses caught in the fallout and to encourage victims not to give in to ransom requests. The more money paid out to threat actors, the greater their motivation for making a return. But financial organisations must go the distance and invest in threat intelligence to strengthen their defences. Staying just one step ahead of threat actors could be the difference between being a victim or a victor.