Cyberattacks against financial institutions are most often conducted for the purpose of yielding illicit financial gain. These attacks are typically undetectable, global, and instantaneous. During the past three years, researchers have seen a tremendous amount of innovation from cybercriminals. Over the past six months specifically, the cybercriminal modus operandi has evolved. Cybercriminals are leveraging new techniques, tactics and procedures (TTPs) specific to maintaining persistence and countering incident response.
To better determine how cybercriminals are hiding behind invisibility cloaks to remain undetected, Carbon Black conducted a survey, comprising input from chief information security officers (CISOs) at 40 major financial institutions. The purpose of the survey is to improve telemetry for threat hunting teams and defenders.
Key Findings:
Cybercriminals are continuing to hide in plain sight and move laterally leveraging non-malware attack methods. PowerShell (89%), Windows Management Instrumentation – WMI (59%) and Secure File Transfer Protocol – SSH (28%) were the top three “good tools” attackers leveraged nefariously to target financial institutions, according to our survey.
These “non-malware” (or fileless) attacks now account for more than 50% of successful breaches. With non-malware attacks, attackers use existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or “living-off-the-land” attacks.
There is a common theme why cybercriminals are increasingly leveraging non-malware attacks: they are following the path of least resistance. Financial institutions are not immune. The silver lining here is that awareness of malicious usage for tools such as PowerShell has never been higher. The fact that 90% of CISOs reported seeing an attempted attack leveraging PowerShell is a good thing. Not seeing such attempted attacks means the attacker has remained hidden.
90% of financial institutions reported being targeted by a ransomware attack during the past year
CryptoLocker. GoldenEye. Locky. WannaCry. 2017 was, perhaps, the most notorious year on record for ransomware. Even a casual news consumer can identify the menacing ransomware attacks that have cost worldwide businesses as much as $1 billion in 2017, according to FBI data. Financial institutions are clearly not immune. The overwhelming majority of CISOs in our survey reported seeing some kind of attempted ransomware attack during the past year. This is not surprising. Last year, Carbon Black researchers monitored 21 of the largest dark web marketplaces for new, virtual offerings related to ransomware. Our research found a 2,502% increase in the sale of ransomware on the dark web. This increase is largely due to a simple economic principle – supply and demand. Cybercriminals are increasingly seeing opportunities to enter the market and looking to make a quick buck via one of the many ransomware offerings available via illicit economies. In addition, a basic appeal of ransomware is simple: it’s turnkey. Unlike many other forms of cyberattacks, ransomware can be quickly and brainlessly deployed with a high probability of profit. In our previous report, we found more than 6,300 estimated dark web marketplaces selling ransomware, with more than 45,000 current listings.
Only 37% of financial organizations have established threat hunting teams
Active threat hunting is an important step for organizations with mature security programs. It puts defenders “on the offensive” rather than simply reacting to the deluge of daily alerts. Threat hunting aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn’t new, for many organizations the very idea of threat hunting is. The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that an organization will be waiting an average of 220 days between the intrusion and the first time they hear about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling you. With threat hunting, defenders are deployed to go out and “find the bad” versus waiting for technology to alert you. Successful threat hunting teams proactively chase down signs that intruders are present or were present in the recent past. They look for anomalies – things that don’t usually happen.
1 in 4 financial institution CISOs reported experiencing counter incident response
This figure is concerning. It means cybercriminals are increasingly reacting and adapting to defenders’ response efforts. Cybercriminals realize there are humans on the other end actively countering their techniques. They realize that teams are, in some cases, instrumented to detect and respond to their activities. They also realize that teams have specific IR playbooks for these types of scenarios. Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks. These playbooks are generally based on simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker, but with counter incident response, attackers maintain the upper hand. This problem is compounded by secondary command and control (C2) being present in several victim environments (1 in 10, according to our survey). We forecast this will become a more prevalent tactical shift in the coming months. As SOC and IR teams begin to react, attackers are doing a number of things to counter the defenders, such as changing code to evade new technology, targeting security analysts and engineers in separate but coordinated attacks, deleting logs from endpoints to hide nefarious behavior and executing DDoS attacks on applications and systems critical for defenders and/or the business.
Cyber defense is evolving into a high-stakes game of digital chess where opponents are responding to every move made on the board. Teams should be prepared to throw out the IR playbook when necessary.
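The behaviours singled out above (PowerShell and WMI abused as “good tools”, and logs deleted from endpoints to counter incident response) are exactly the anomalies a threat hunting team looks for in endpoint telemetry. The following Python script is an added example, not code from the Carbon Black report; it runs a handful of hunt rules over constructed Sysmon-style JSON events, and the field names, tag names and sample hosts are assumptions.

```python
import json
import re

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (event_id 1 = process
# creation, 1102 = Security audit log cleared). Not real data; hosts and paths are invented.
SAMPLE_LOG = r'''
{"host":"wks-01","event_id":1,"image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Windows\\System32\\userinit.exe","command_line":"explorer.exe"}
{"host":"wks-01","event_id":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"powershell.exe -NoProfile -EncodedCommand ZwBlAHQALQBwAHIAbwBjAGUAcwBzAA=="}
{"host":"srv-02","event_id":1,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","command_line":"cmd.exe /c whoami"}
{"host":"srv-02","event_id":1102,"image":"","parent_image":"","command_line":""}
{"host":"wks-03","event_id":1,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe Get-Process"}
'''


def _basename(path):
    """Lower-cased file name of a Windows path ('' stays '')."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Tag one event with the living-off-the-land or counter-IR behaviour it shows."""
    tags = []
    eid = event.get("event_id")
    cmd = event.get("command_line", "").lower()
    image, parent = _basename(event.get("image", "")), _basename(event.get("parent_image", ""))
    if eid == 1 and image == "powershell.exe":
        # -e / -ec / -enc / -encodedcommand: payload hidden in base64, a classic fileless pattern
        if re.search(r"\s-e(?:c|n|nc|ncodedcommand)?\s", cmd):
            tags.append("powershell_encoded_command")
        # in-memory download-and-execute, no file touches disk
        if re.search(r"downloadstring|invoke-expression|\biex\b|net\.webclient", cmd):
            tags.append("powershell_download_cradle")
    if eid == 1 and parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe"}:
        # a shell spawned by the WMI provider host is how remote WMI execution looks on the target
        tags.append("wmi_remote_process_creation")
    if eid == 1102:
        # audit log cleared: the counter incident response behaviour described in the survey
        tags.append("security_log_cleared")
    return tags


def hunt(log_text):
    """Parse JSON-lines telemetry; return {host: sorted tags} for hosts that deserve a look."""
    findings = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for tag in classify(event):
            findings.setdefault(event["host"], set()).add(tag)
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_LOG).items():
        print(host, ", ".join(tags))
```

Rules this simple will miss renamed binaries and obfuscated arguments; they are a starting point for a hunt, not a replacement for behavioural EDR coverage.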
Nearly half (44%) of financial institution CISOs said they are concerned with the security posture of their Technology Service Providers (TSPs)
These TSPs are regularly targeted by cybercriminals. As evidenced by the FDIC’s own inspector general: “The FDIC’s oversight process used for identifying, monitoring, and prioritizing TSPs for examination coverage needs improvement.” Island hopping via information supply chains is growing. Our recommendation is for threat hunt teams and defenders to closely assess TSP security posture. Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs. Cyberspace is fluid and exposure may become systemic.
Russia (59%), China (23%) and North Korea (16%) are the most concerning nation-state actors associated with cyberattacks, according to financial institution CISOs in our survey
Geopolitical tension serves as a harbinger for cyberattacks. There’s perhaps no surprise with the results to this question with Russia leading the way, given the country’s continued efforts to attack and influence the West, including the United States’ 2016 presidential election.
The “Silicon Valley of the Dark Web” lies in St. Petersburg, Russia. Russian cybercriminals have demonstrated advanced sophistication among hacking groups. Russia’s motivation for targeting financial institutions appears to go beyond financial gain or countering economic sanctions. Since 2014, many of the best cybercriminals have acted patriotically on occasion to support Russia’s strategic goals. Corporate espionage, sensitive data, trade secrets and personal information for executives, partners and customers all seem to be in play when it comes to Russia’s cyberattack efforts.
Recommendations:
Given these trends, modernizing defense in depth is imperative to preserve a high-functioning cybersecurity posture. The technological dependency of financial institutions on internet-based platforms has dramatically increased the industry’s exposure to reputation, market and operational risks. The major gaps for many of these institutions revolve around visibility and time to detection. This is particularly troubling as it pertains to deterring an attacker’s ability to move laterally within an enterprise post breach.
Financial institutions should aim to improve situational awareness and visibility into the more advanced attacker movements post breach. This must be accompanied with a tactical paradigm shift from prevention to detection. The increasing attack surface, coupled with the utilization of advanced tactics, has allowed attackers to become invisible. Decreasing dwell time is the true return on investment for any cybersecurity program.