“When,” not “if.” For financial cybersecurity teams, dealing with regular cyberattacks is part of the job. Almost 23 percent of all cyber attacks were aimed at financial institutions in 2021. And 63 percent of financial institutions experienced an increase in destructive attacks last year.
Several factors are shaping today's financial services threat landscape:
- Regulatory attitudes and rushed digital transformations are squeezing security teams
- Profit-minded attackers and nation-state-sponsored groups alike are targeting financial services more often
- Advanced threats using sophisticated techniques and mimicking legitimate actions can bypass scanning-based security controls
Unfortunately, effectively mitigating these risks won't happen with status quo security controls, or one-size-fits-all solution stacks. Instead, it's time for organizations to build powerful Defense-in-Depth (DiD).
Digital Transformation Creates New Risks and Resurfaces Old Ones
Digital transformation has some stark downsides. In general, the more connected financial IT environments become, the higher the risk of a breach. More deeply integrating financial networks to the cloud gives threat actors new network entry points and reignites dormant attack vectors.
However, even with digital transformation, financial institutions will remain dependent on legacy servers for some time. And these predominantly Linux and Unix builds are often decades-old and either unprotected or covered only by legacy antivirus (AV) solutions. Modern endpoint detection and response (EDR) solutions are challenged by working in a legacy system environment. (Don’t secure Linux servers with Windows solutions.) They tend to be too resource-intensive and flag routine legacy processes as potential threats.
To protect legacy servers, security teams rely on strategies like segmentation and network isolation. However, as network complexity grows, legacy servers’ risk of unknowingly being exposed increases too.
Another risk in financial industry digital transformation is the growing use of third-party software and SaaS. As the SolarWinds hack showed, supply chain risk is never far away with on-demand software. In a 2022 VMWare study, about 6 in 10 financial institutions said they noticed an increase in supply chain attacks this year, a 58 percent rise over the previous year.
Events like mergers and acquisitions further compound these risks by introducing more sources of vulnerabilities into a network.
But perhaps the biggest source of digital transformation risk for financial institutions is moving processes, workloads, and data storage to the cloud. Most cloud migrations are rife with vulnerabilities. For example, Microsoft Azure virtual machines have a misconfiguration rate of over 60 percent.
Advanced Attacks Targeting Financial Institutions
The security environment surrounding financial institutions is a two-sided coin. On one side are the vulnerabilities created by financial institutions themselves. On the other are advanced threats.
Fileless attacks, zero-day attacks, ransomware, supply chain attacks, and other attacks targeting memory at runtime were once the weapons of advanced persistent threat (APT) actors. They were rarely seen in the wild. Today they’re everywhere. A 2021 Picus report finds defense evasion is the most common MITRE ATT&CK tactic seen in attack chains.
Last year, three of the five most common ATT&CK methods involved device memory. Old banking-specific threats like the Emotet trojan are resurfacing with new in-memory capabilities.
There are increasing numbers of advanced threats targeting Linux, too. The Symbiote malware strain discovered early this year is designed to avoid telemetry-based detection in Linux environments.
Threat actors use tools like Cobalt Strike to linger in financial networks, move laterally, and open backdoors. They then use remote code execution or deploy RATs as a precursor to devastating attacks like ransomware. Morphisec’s incident response team often sees threats like these lying dormant, waiting for opportunities to move into critical server environments.
Geopolitical risk is also increasing the frequency of these kinds of threats targeting financial institutions.
Other Factors Driving the Need for Improved Financial CyberSecurity
Financial institutions have always been bound by a wide range of cyber-related rules and standards. Now, regulators’ view of cybersecurity and privacy are changing.
New and evolving legislation from the EU’s GDPR to California’s CPRA shows how regulators are shifting. Their focus was on ensuring the integrity and availability of IT systems; now it's increasingly on remediating consumer confidentiality risks.
Overstretched financial security teams will have to dedicate more of their time to following new privacy-centric regulations. One report notes how a CISO and his team spend 40 percent of their time reconciling various regulatory agencies’ requirements. Sometimes at the expense of actual cybersecurity.
Failure to meet regulations can mean high fines and group lawsuits. Capital One bank’s 2019 data breach resulted in an $80 million penalty and multiple lawsuits. Increasingly, consumers are more likely to blame financial institutions, not hackers, for data breaches.
In the past, some financial institutions could rely on cyber insurance to cover partial liability for breaches involving customers’ personally identifiable information (PII). But insurance is getting more expensive. And it's increasingly difficult to get coverage in the first place, so this may no longer be a possibility for many institutions. JPMorgan Chase has reportedly already reduced its cybersecurity insurance.
Insurance providers like Lloyd’s of London intend to exclude state-backed cyberattacks from coverage beginning in 2023. A recent Trellix survey found 45 percent of financial institutions and insurers that experienced a breach said they believed Russia was behind it.
Even when cyber insurance is possible, it doesn’t guarantee peace of mind. Counterintuitively, it can actually increase financial institutions' risk of cyberattacks. A rep from infamous ransomware group REvil called organizations with cyber insurance “one of the tastiest morsels.” He said they hack the insurers first, “... to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
Defense-in-Depth Is Crucial for Financial Institutions
Thanks to evasive malware capable of lateral movement, threat actors targeting the financial industry have many paths to exploit. These range from IoT devices and endpoints to exposed servers and vulnerabilities in supply chain products as well as the software used by contractors or third parties.
All these attack vectors offer a potential path to critical servers and profit. To counter them, security teams at financial institutions must deploy best-in-breed solutions on a layered basis.
This is what Defense-in-Depth (DiD) does. Rather than relying on a single solution or vendor-provided solution set, DiD uses multiple layers of defensive mechanisms to protect an organization’s network and assets, creating critical redundancy.
With DiD, even if one layer in your security stack fails, there’s another fallback layer to detect/prevent the threat.
MTD and Defense-in-Depth
At the macro level, DiD controls for the fact that no one layer or control will catch every threat attempting to infiltrate an organization’s environment. However, the same logic is true within each layer too.
Traditional security tools such as next-generation antivirus (NGAV), EDR, endpoint protection platforms (EPP), and extended detection and response (XDR) are good at spotting known threats with recognizable signatures. But they're not effective at detecting and stopping unknown malware, and fileless, in-memory, and evasive threats. These were three of the five most common MITRE ATT&CK threats seen last year. To effectively stop these advanced threats, another layer, like Moving Target Defense (MTD) technology is needed.
MTD is designed to stop advanced threats on endpoints and servers. Unlike traditional cybersecurity tools, MTD doesn’t need to find a signature or activity that looks dangerous. Instead, MTD morphs the memory environment during runtime to make it impossible for threats to find their targets. It breaks out of the reactive arms race of traditional cybersecurity solutions, by offering proactive, automated, preventive security. This keeps critical memory assets like hashed passwords hidden from threat actors and prevents techniques like shell injection and buffer overflow exploits from finding their targets.
Learn more about the financial cybersecurity threat landscape and best practices for stopping cyberattacks at Morphisec’s Banking and Financial Services Virtual Event. Happening Tuesday, October 25th from 1-3 pm ET, register to secure your place now.