Over a quarter of surveyed financial institutions reported that they were targeted by destructive cyberattacks over the past year, bent on completely destroying data.
That’s according to a new Carbon Black report unveiled at RSA this year. The report, “Modern Bank Heists: The Bank Robbery Shifts to Cyberspace,” outlines the top attacks that financial firms are facing – from phishing techniques to malware and banking trojans.
According to the report, 67 percent of surveyed financial institutions have reported an increase in cyberattacks over the past 12 months, while 26 percent said that they were victims of a destructive attack focused on wiping out data (as opposed to aiming for financial or geopolitical gain).
Threatpost’s Lindsey O’Donnell talked to Tom Kellermann, chief cybersecurity officer at Carbon Black, about the findings.
“We’ve noted a dramatic increase in destructive attacks not just in general, but specifically in the financial sector over the past year, and it’s taking different forms,” Kellermann told Threatpost.
Listen to the Threatpost podcast for more:
For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.
For direct download click here.
Below is a lightly edited transcription:
Lindsey O’Donnell: This is Lindsey O’Donnell with Threatpost and I’m joined today by Tom Kellermann, the chief cybersecurity officer at Carbon Black. Tom, thanks so much for joining us today.
Tom Kellerman: Thanks for having me. Are you getting geared up for RSA which is right around the corner? The thing that I’m most interested in learning about this year is the evolution of destructive malware — how it’s being used, and the counter-intuitive response techniques that we’ve seen a lot of. I feel like with everything that’s happened in the past year, that is something that is definitely increasing in popularity, and the implications there are so terrible for victims.
We’ve noted a dramatic increase in destructive attacks not just in general, but specifically in the financial sector over the past year, and it’s taking different forms. And I’m just curious to learn from my peers about what other forms they’re seeing it take now.
LO: Apeaking of the financial sector at RSA this year, you guys are releasing a new report called “Modern Bank Heists: The Bank Robbery Shifts to Cyberspace,” and is this the second annual report you’ve released [on this subject].
TK: It is, I have a passion for financial-sector security … and I think we can learn a lot from the cyber-crime epidemic that the the financial sector is facing, because eventually it spreads to other sectors. And since the banks are typically more secure than other industries, we can learn a lot.
LO: This report, having read it, covers everything from cyberattacks down to specific trojans and malware that are constantly changing up their tactics and evolving. So, can you break down the key takeaways from the report?
TK: Yeah, I think there are a couple of things. First of all, we surveyed dozens of significant systems and financial institutions, including for the top 10 banks in the world, and nearly 70 percent of these folks said that they’ve seen a dramatic increase of attacks. And then approximately 80 percent said that they had seen cybercriminals become much more sophisticated.
They essentially [said] that they observed a transition from bank heists to hostage situations wherein the adversary, the criminal, or the nation state for that matter, not only wanted to maintain persistence on the system but also wanted to use the financial sector’s brand and institutional network itself to target their customers, to target their partners and to target their largest shareholders. So it’s not just the one company really being targeted at this point. It’s so much more than that. That’s a scary thought.
LO: It is.
TK: When I say hostage situation, I state the following because, you know, they saw a 160 percent increase in destructive attacks, and so the adversary becomes more punitive, whether that was a reaction to the defenders trying to kick them out or whether that was just geopolitical tension, I’m not sure. Given that one out of three investigations into bank heists determined that the adversary was leveraging counter-incident response, this is something we should pay attention to, because it harkens to a dark time coming.
LO: I think you mentioned that 32 percent of those surveyed said that they encountered “island hopping,” which was an attack where supply chains or partners are utilized to target the primary financial victim. So there’s really there’s a lot more breadth there than you would think when you’re looking at the scope of victims who are part of a cyberattack.
TK: Very much so. I think most organizations haven’t really done an effective job of inventorying their information supply chain, which does also include your outside general counsel, your outside marketing firm, etc. It’s not just about the bank suffering from [direct] attacks, but the banks themselves then becoming part of that island-hopping phenomenon.
And that takes really three forms . You have the typical network-based attacks which we’re all familiar with, you’ve got watering-hole attacks where the bank website actually is polluting visitors. And then lastly, but more importantly, we’re starting to see this thing that I call reverse business email compromise, where the bank server itself is commandeered. Then it leverages files as malware attacks. That is so difficult to spot. What would be the telltale signs of reverse BEC scams? Honestly, you need to have true visibility on those servers and all the endpoints that actually have administrative control of those servers. A lot of people don’t even have that, so a lot of people can’t catch it.
LO: You mentioned watering-hole attacks before. I think the survey said it was over 20 percent experienced a watering-hole attack during the past year. Was that was that an increase or decrease from the previous years?
TK: That’s not a dramatic increase, but it’s an increase, and again, we have to pay attention to that because watering-hole attacks are not just specific to the bank website being commandeered. It’s also the mobile apps themselves that facilitate electronic finance, and we need to pay close attention to that because I don’t think we’re doing an effective job at protecting [them].
We also need to do a better job when it comes to website security, because a lot of times there are sections of a website that are managed by an outside marketing firm. For example, blogs and other kinds of features and functionalities that are useful for capturing the interest of millennials — and these things are not sufficiently tested or secure. That’s a tactic that’s going to be hard to keep up with, both on the firm’s part but then also, you know, by people who are actually visiting those those browsers.
What needs to change here is that chief marketing officers typically control between 20 and 30 percent of corporate budgets, regardless of industry, and they’re focused obviously on enhancing and improving the perception of the brand, right? These folks, 95 percent of what they’re spending their money on is going to be on digital marketing and digital initiatives, much of which is never [evaluated] for security vulnerabilities.
And so security is becoming a brand-protection problem, and CMOS needs to [keep those who need to know] in the loop. Maybe they should be allocating some of their monies to helping protect the digital assets that they’ve created.
LO: That reminds me of another part of the report that you guys had highlighted, which said that 62 percent of CISOs who are in a financial firm still report to the CIO as opposed to the CEO. I thought that was a really interesting point as well. It really points to the fact that when comes to security, what kind of authority would someone in that role need to have to really become more effective to their total organization? And I think what you’re saying about the marketing piece of it too, that ties into that as well.
TK: You know, there are proactive CIOs out there, okay? So those are the ones probably listening to this podcast, right? That being said, there are CIOs out there that want to maintain plausible deniability. Most CIOs basically act like chief financial officers, they’re all about increasing efficiencies, increasing access and increasing resiliency. By the way, I don’t think resiliency means cybersecurity — we can go down that rabbit hole later.
These folks act like offensive coordinators. They want to go for it on fourth and one every time, and they’re also the bosses of the defensive coordinators. Do you have a governance problem?
LO: Looking at the financial industry now, what kind of awareness do you see when it comes to security? Do you think they are properly equipped to handle these evolving threats? What do they need to do in terms of shifting roles within the organization that are dedicated to security or using other methods to really address this in the most proactive manner?
TK: Well, there are a couple of things there. First of all, they need to recognize the increase in geopolitical tensions. You’ve got nation-states that are targeting large companies on the regular. Now, many of these nation-states are doing so to offset economic sanctions.
In the financial sector, [cyberactivity] is not specific to only moving money out. There are also all sorts of schemes and scams within the capital markets arena where you can essentially understand what positions this financial institution is going to take, let’s say on the international currency markets.
There’s still this mythology of maintaining plausible deniability, as evidenced by the fact that less than 50 percent of these institutions actually are conducting regular threat hunts. Like why wouldn’t they? I’m sure bank managers in the physical world actually check to see if anyone’s in the vault before they shut down the bank for the day.
LO: Do you have any top advice for financial firms regarding the security steps that they could take? Is there one big security piece of advice you would give?
TK: You have to dispel plausible deniability. You have to conduct regular hunts to see what part of your infrastructure has already been commandeered or compromised, in order to prevent your organization from being used as part of an island-hopping campaign, and to prevent your organization from dealing with wire-transfer fraud. But most importantly, I think that there needs to be a shift in the CISOs themselves, they need to be given their own authorities, their own budget and become equal to CIOs.
LO: Do you see that happening, knowing the culture of the financial industry?
TK: It’s happening typically large institutions that have been hit before, it’s happening in institutions that are global in nature, it’s happening within institutions that are more concerned with the regulatory regimes of the Europeans of Singaporeans. It’s happening. It’s slow though. The regulator’s No. 1 thing that they should do is mandate that the CISOs become equal to the CIO.
LO: Shifting gears, I just wanted to touch upon the top trojans that you guys had mentioned in the report. You mentioned Emotet, which you know has really hit this space hard over the past few years. Are there any other top banking trojans that that financial firms are seeing or should look out for? And on that note also, how are some of the existing ones changing up their tactics?
TK: In terms of specific trojans that are problematic in the sector Emotet is interesting, because of the fact that it’s modular, because of the fact that it’s constantly being evolved and because of the fact that it…allows for lateral movement to be conducted.
In 70 percent of these financial institutions, they are dealing with lateral movement, so they need to be more cognizant of East-West traffic. And this is compounded by the fact that you’ve got nation-states like North Korea and Russia that are leveraging significant campaigns to attack banks for the purpose of offsetting economic sanctions.
The North Koreans truly have arrived now, as evidenced by Lazarus and Cobra, and the fact that they’re no longer just using Russian payloads. They’ve created their own, and it’s malware with multiple variants.
LO: You touched upon this briefly before, but in terms of attackers, who are they when it comes to financial institutions? Are you seeing more and more become geopolitically motivated at this point, or are most still financially motivated? What do firms really need to look out for in terms of these motivations behind some of these actors?
TK: So the best hackers when it comes to hacking banks, No. 1 are the Russians, period. What’s changed there though is the fact that the great cybercriminal minds of Russia are now acting as cyber-missionaries for Putin, because he’s called upon them to be patriotic in their endeavors, sometimes as evidenced by Fancy Bear, etc.
This is probably why the…MITRE testing framework is aligned with [APT29/Cozy Bear]. That being said, many of these other folks are emulating the Russian kill chain, which is incredibly advanced. It involves the use of things like steganography.
The North Koreans have done that, as well as the Brazilian underground. The Brazilian underground are experts at hacking banks, because Brazil was one of the first countries in the world to move to electronic finance back in the day. But they are not necessarily operating for the regime. What they do do is outsource themselves to narco-trafficking syndicates around the world.
LO: So how would those geopolitical types of threats be different that the financially motivated actors. Are they backed by a more money, or are they more organized?
TK: Look, what it means is that you will not be 100 percent effective in stopping them, even after you’ve had an incident and you feel like you’ve cleaned up your infrastructure. You triage the event, but they will be back in, because they will have secondary commanding control during the sleep cycle, or they’ll be using steganography. So, you really need to be on point and you need to conduct regular hunts to ensure that you kick them out fully.
LO: Tom, are there any other key takeaways from the report that you want to highlight?
TK: We need to evolve the way we conduct incident response. We’re being too loud. Like in a hostage situation, you don’t send in SWAT right off the bat. [When attacked], you do not just turn on the lights, call out that you have a gun and then call the cops, because they could become destructive.
LO: Well, that’s a really good point and excited to hear more at RSA and kind of look deeper into this report. So thanks so much, Tom, for taking the time to talk to us today.
TK: I appreciate it. Have a good show. Thanks.
