When it comes to tackling cyber-attacks, financial organisations need to realise that cyber-crime cannot be dealt with in isolation by the IT department. Traditional controls such as anti-virus software and firewalls are increasingly unlikely to cope with the growing sophistication of modern attacks. With the risk rising, it is more important than ever to deal with threats quickly: regulation demands it, and the alternatives are significant brand damage and financial penalties.
As financial organisations continue to turn to technology to run their business, with FinTech investment growing 177% in the first quarter of 2014, every new system is another avenue an attacker can use, and failure to mitigate this puts sensitive financial data at risk. Even with the best security technology in place there are still plenty of channels for attackers to exploit, notably social engineering: a phishing email carrying a malicious link or attachment needs only one user to click on it to give the attacker a foothold from which sensitive data can be reached.
Following an attack, organisations need to establish what happened, which data has been breached, which systems have been infected, and so on. More important still, according to the ICO (Information Commissioner's Office), is assessing the possible consequences: how serious they are and how likely they are to occur. An in-house or external incident response (IR) team then begins its investigation, collecting the necessary data and reviewing network traffic, activity and log reports. This means gathering all the relevant security data and working backwards from the point of detection to find Indicators of Compromise (IoCs), then using an intrusion-analysis framework such as Lockheed Martin's 'Cyber Kill Chain' to put everything into context. The Cyber Kill Chain, which is widely regarded as industry best practice and used by many organisations, or a similar model, helps an organisation work out how the attack happened, what its full impact is, and how to resolve it. Mapping the collected evidence onto the chain's phases (delivery, exploitation, installation, command and control, actions on objectives) also shows which stages of the intrusion are still unaccounted for.
Discovering an attack
Once a business has discovered that an attack has taken place, which on average takes 206 days from the initial compromise, it must contain the incident, learn from it and try to prevent further breaches. The longer an attack goes undiscovered, the more damage it is likely to do. In most cases it takes an organisation a further 21 to 35 days from the initial detection of a breach to analyse its networks and resolve the issue. With a window this large, attackers generally have plenty of time not only to act on their objectives but to cover their tracks as well: by the time the attack is detected, much of the incriminating evidence has been removed or has aged out of the security logs.
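The log review described under the investigation above (collecting security data, working backwards from the point of detection to find IoCs, and using the Cyber Kill Chain to put events in context) and the dwell-time problem in this section can both be made concrete with a small script. The following Python is an added example, not code from the original article: it works backwards from a single IDS alert over a handful of constructed log lines, pivots on the hostname, the IP and any IoCs it finds, assigns each related event a kill-chain phase using deliberately simple rules, and reports how long the intrusion was on the network before the alert fired. The hostnames, addresses, domains, hashes, the asset map, the common-file list and the exfiltration threshold are all assumptions made for the example.

```python
"""Added example (not from the original article): work backwards from one IDS
alert through constructed log lines, collect IoCs, and place each event on a
phase of Lockheed Martin's Cyber Kill Chain. Every host, IP, domain, hash and
threshold below is a constructed assumption."""
import re
from datetime import datetime

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample logs, one event per line: "<timestamp> <host> <source> <message>".
SAMPLE_LOGS = r"""
2016-03-01T08:02:11Z mail01 mailgw to=j.smith@example-bank.test from=invoice@payroll-update.test attachment=Invoice_0391.doc.js
2016-03-01T08:05:40Z ws-112 sysmon ProcessCreate image=C:\Windows\System32\wscript.exe parent=outlook.exe cmdline="wscript.exe Invoice_0391.doc.js" hash=0123456789abcdef0123456789abcdef
2016-03-01T08:05:42Z ws-112 proxy GET http://payroll-update.test/stage2.exe dst=203.0.113.45 status=200 bytes=412000
2016-03-01T08:05:49Z ws-112 sysmon RegistryEvent key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater data=C:\Users\jsmith\AppData\Roaming\updater.exe
2016-03-01T08:06:30Z fw01 firewall ALLOW src=10.20.1.112 dst=198.51.100.77 dport=443 proto=tcp
2016-03-01T08:06:31Z ws-112 proxy CONNECT 198.51.100.77:443 dst=198.51.100.77 status=200
2016-03-01T08:10:00Z ws-220 sysmon ProcessCreate image=C:\Windows\System32\wscript.exe parent=explorer.exe cmdline="wscript.exe logon.vbs" hash=fedcba9876543210fedcba9876543210
2016-03-03T22:14:05Z fw01 firewall ALLOW src=10.20.1.112 dst=198.51.100.77 dport=443 proto=tcp bytes_out=1834000000
2016-03-04T09:00:00Z ids01 ids ALERT "Known C2 beacon" src=10.20.1.112 dst=198.51.100.77
"""
ASSET_MAP = {"10.20.1.112": "ws-112"}      # assumed asset inventory: internal IP -> hostname
INTERNAL_DOMAINS = {"example-bank.test"}    # assumed: our own domain is context, not an IoC
COMMON_FILES = {"wscript.exe", "cscript.exe", "powershell.exe", "outlook.exe", "explorer.exe"}
EXFIL_BYTES = 500 * 1024 * 1024              # assumed threshold for a suspiciously large outbound flow

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
IOC_PATTERNS = {  # simplified extractors; production IoC parsing needs far more care
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w.-]+\.\w+\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:test|com|net|org)\b"),
    "hash": re.compile(r"\bhash=([0-9a-f]{32,64})\b"),
    "file": re.compile(r"\b[\w.-]+\.(?:js|exe|doc|docx|vbs|ps1)\b"),
}
PHASE_RULES = [  # first match wins; C2 and exfiltration are decided separately in classify_phase
    ("Delivery", re.compile(r"^to=.*attachment=")),
    ("Exploitation", re.compile(r"ProcessCreate .*image=\S*(wscript|cscript|powershell)\.exe .*parent=(outlook|winword|excel)\.exe")),
    ("Installation", re.compile(r"GET \S+\.exe|RegistryEvent .*CurrentVersion\\Run")),
]

def parse_logs(text):
    """Split raw lines into events with a parsed timestamp; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, source, msg = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "host": host, "source": source, "msg": msg})
    return events

def is_internal_ip(ip):
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or a == 127 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def is_noise(kind, value):
    """Drop values that describe the victim rather than the attacker, or that are everywhere."""
    if kind == "ipv4":
        return is_internal_ip(value)
    if kind in ("domain", "email"):
        return value.split("@")[-1] in INTERNAL_DOMAINS
    return kind == "file" and value.lower() in COMMON_FILES

def extract_iocs(events):
    iocs = {kind: set() for kind in IOC_PATTERNS}
    for ev in events:
        for kind, rx in IOC_PATTERNS.items():
            for m in rx.finditer(ev["msg"]):
                value = m.group(m.lastindex or 0)
                if not is_noise(kind, value):
                    iocs[kind].add(value)
    return iocs

def find_alerts(events):
    return [ev for ev in events if ev["msg"].startswith("ALERT")]

def related_events(events, alert):
    """Pivot outward from the alert: start with its source IP and hostname, pull in every
    event mentioning a seed, harvest IoCs from those events, and repeat until stable."""
    src = re.search(r"src=(\S+)", alert["msg"]).group(1)
    seeds = {src, ASSET_MAP.get(src, src)}
    while True:
        related = [ev for ev in events if ev["host"] in seeds or any(s in ev["msg"] for s in seeds)]
        grown = set(seeds).union(*extract_iocs(related).values())
        if grown == seeds:
            return sorted(related, key=lambda e: e["ts"])
        seeds = grown

def classify_phase(event, c2_addrs=()):
    msg = event["msg"]
    m = re.search(r"bytes_out=(\d+)", msg)
    if m and int(m.group(1)) >= EXFIL_BYTES:   # large outbound flow to anywhere: treat as exfil
        return "Actions on Objectives"
    for phase, rx in PHASE_RULES:
        if rx.search(msg):
            return phase
    if any(addr in msg for addr in c2_addrs):  # traffic to the address the IDS called out
        return "Command and Control"
    return None

def build_timeline(events, alert):
    c2_addrs = set(re.findall(r"dst=(\S+)", alert["msg"]))
    return [{"ts": ev["ts"], "host": ev["host"], "phase": classify_phase(ev, c2_addrs), "msg": ev["msg"]}
            for ev in related_events(events, alert)]

def phases_seen(timeline):
    return [p for p in KILL_CHAIN if p in {t["phase"] for t in timeline}]

def missing_phases(timeline):
    return [p for p in KILL_CHAIN if p not in phases_seen(timeline)]

def dwell_time(timeline, alert):
    """Time from the earliest related event to the alert: the detection gap for this intrusion."""
    return alert["ts"] - timeline[0]["ts"]

if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    alert = find_alerts(evs)[0]
    tl = build_timeline(evs, alert)
    for t in tl:
        print(t["ts"].isoformat(), f"{t['phase'] or '?':22}", t["host"], t["msg"][:70])
    print("IoCs:", {k: sorted(v) for k, v in extract_iocs(related_events(evs, alert)).items() if v})
    print("missing phases:", missing_phases(tl), "| dwell:", dwell_time(tl, alert))
```

Two things are worth noticing when running it. Pivoting on ubiquitous names such as wscript.exe would drag every workstation that ever ran a script into scope, which is why the common-file list exists and why the unrelated ws-220 event stays out. And Reconnaissance and Weaponization never appear in the timeline because they leave no trace in the victim's own logs: an empty phase is a gap in visibility, not evidence that the stage did not happen.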
Minimising the damage
IR teams face the delicate balancing act of removing the threat completely and quickly while keeping the business running. This is particularly acute for financial businesses, whose customers and clients rely on them. Few companies can afford to grind to a complete online halt, so the aim must be to quarantine vulnerable or compromised systems to stop the attack spreading while the rest of the business carries on.
If the attack is on a large enough scale to disrupt an organisation's entire service, for example a DDoS attack, the main objective is to resume full operations as quickly as possible while simultaneously stopping the attack and hardening against future ones. In recent high-profile DDoS attacks, even a relatively short outage was enough to cause a significant impact in both cost and customer confidence in the brand. The financial ramifications can be vast, as seen recently when one of the UK's leading banks was fined £56 million over an IT glitch, not an attack, that prevented many customers from withdrawing money.
Once the scale of the attack is known, the business must decide who needs to be notified and, following ICO guidance, whether the breach must be made public. Organisations also need to be aware that UK law is not the only set of rules they must keep up to date with: further regulation and compliance changes are coming, such as the EU General Data Protection Regulation (GDPR), which is set to come into force over the coming years, and the more recent EU-US Privacy Shield framework governing transfers of personal data across the Atlantic.
Where to start?
Security analytics and network forensics are a good place to start. These solutions record the traffic passing through the network and automatically categorise it for in-depth analysis. More advanced products add threat scanning and alerting, and session reconstruction, which lets the company recover from the captured traffic the actual infected file that led to the attack. Network forensics plays a vital role in defending against advanced attacks because it brings all the information related to an attack together in a single place.
Another mechanism is sandboxing, a quarantine technique that helps IR teams by identifying threats that have evaded the more traditional, signature-based defences such as anti-virus and firewalls. A sandbox detonates incoming files in an isolated environment and judges them by their behaviour, so a file that no signature recognises can still be declared safe or malicious before it reaches users. Many network security tools also cannot inspect threats inside encrypted traffic, so implementing encrypted traffic management lets the company decrypt selected traffic and forward it to its other security tools for scanning. The caveat is that decrypting customer traffic has privacy and regulatory implications of its own, so the decryption policy deserves the same scrutiny as any other control.
The task list
Before 'all clear' can be declared there are a number of steps a company must complete. First, identify the full scope of the attack and what has been lost. Then establish whether the method of attack and the point of compromise have been stopped along the kill chain. Next, confirm that data is no longer being leaked and that the infection is no longer spreading. Finally, make an inventory of all infected systems and confirm that each has been restored to a known-good state in a way that prevents any recurrence. Only when these steps are complete can the all clear be given.
It is therefore important to keep up to date with cyber-attack trends and to know what to look for, particularly with the financial sector suffering 300% more cyber-attacks than any other industry. Financial firms need to drive and understand the development of their internal cyber-security policies so that threats are contained as soon as they appear. They must assume that their IT systems will be compromised at some stage; it is the processes put in place beforehand that determine how well they deal with the compromise. Investing in the right technology, such as security analytics, implementing strong cyber governance and building IR capability are essential for firms looking to strengthen their cyber-security. Without them, the door is wide open to cyber-criminals.