How to reduce risk and deal with a cyber-attack

Robert Arandjelovic

European Director of Security Strategy at Blue Coat

06.04.2016 08:15 am

When it comes to tackling cyber-attacks, it is important for financial organisations to realise that cyber-crime can’t be dealt with in isolation by the IT department. Traditional security measures, such as anti-virus software and firewalls, are increasingly unlikely to cope with the growing sophistication of modern cyber-attacks. The increase in risk means it is more important than ever for businesses to deal with any threats quickly, because of legislative requirements, the possibility of significant brand damage, and financial fines.

As more financial organisations turn to technology to help their business operate, and with FinTech investment growing 177% in the first quarter of 2014, this tech uptake means there is now a greater danger from cyber threats, because more avenues are available to attackers. Failure to mitigate this could put sensitive financial data at risk. Even with the best security technology in place, there are still plenty of channels for cyber-attackers to exploit, such as social engineering: a technique whereby cyber-criminals can, for instance, insert links or attachments into an email which, when clicked on by the user, give them access to sensitive data.

Following an attack, organisations need to assess what has happened: which data has been breached, which systems have been infected, and so on. More important still, according to the ICO (Information Commissioner’s Office), is the assessment of the possible consequences, including how serious they are and how likely they are to occur. An in-house or external incident response (IR) team then begins its investigation, collecting all the necessary data and reviewing traffic, network activity and the various logs. This means gathering all essential security data and working backwards to find Indicators of Compromise (IoCs), then using a forensic framework such as Lockheed Martin’s ‘Cyber Kill Chain’ to put everything into context. The Cyber Kill Chain, which is considered industry best practice and used by many organisations, or a similar approach, helps organisations identify how the attack happened, what its full impact is, and how to resolve it.

Discovering an attack

Once a business has discovered that a cyber-attack has taken place, which on average takes the IR team 206 days to detect, it then attempts to contain the issue, learn from it, and prevent any further breaches. The longer an attack goes undiscovered, the more the damage already done is likely to grow. In most cases, it takes an organisation between 21 and 35 days from the initial detection of a data breach to analyse the networks and resolve the issue. With this massive window of opportunity, cyber-attackers generally have plenty of time not only to act on their objectives, but to cover their tracks as well; by the time the attack is detected, a great deal of the incriminating evidence has either been removed or can no longer be found in security logs.

Minimising the damage

IR teams are tasked with the delicate balancing act of removing the threat completely and as quickly as possible while maintaining operations. This is particularly pertinent for financial businesses, which have customers and clients relying on them. Few companies can afford to grind to a complete online halt, so they must aim to quarantine vulnerable or compromised systems to prevent the attack from spreading.

If the attack is on a large enough scale to disrupt an organisation’s entire service, for example a DDoS attack, then the main objective is to resume full operations as quickly as possible while simultaneously stopping the attack and securing against future ones. In recent high-profile DDoS attacks, even a relatively short outage was enough to cause a significant impact in terms of both costs and customer confidence in the brand. The financial ramifications can be vast, as seen recently when one of the UK’s leading banks was fined £56 million for a glitch that prevented many customers from withdrawing money.
Once the scale of the attack is determined, the business must then decide who needs to be notified, and use their local ICO guidelines to decide whether the attack must be made public. Organisations also need to be aware that UK law is not the only set of requirements they must keep up to date with: further regulatory and compliance changes are coming, such as the EU General Data Protection Regulation (EU GDPR), which is set to come into force over the coming years, and, more recently, the data privacy framework Privacy Shield.
Where to start?

Security Analytics and Network Forensics are a good place to start. These solutions record the traffic passing through the network and automatically categorise it for in-depth analysis. More advanced solutions add capabilities such as threat scanning and alerting, and session reconstruction, which lets companies see the actual infected file that led to the attack. Network Forensics plays a vital role in defending against advanced attacks because it allows all the information related to an attack to be viewed in a single place.

Another security mechanism is Sandboxing, a quarantine technique that helps IR teams resolve breaches by identifying threats that have evaded the more traditional defences, such as anti-virus and firewalls. Sandboxes let organisations screen files coming into the network and declare them ‘safe’ before they are passed on through signature-based perimeter security controls. Many network security tools cannot scan for threats inside encrypted traffic, so implementing encrypted traffic management capabilities enables companies to decrypt traffic and forward it to other network security tools for scanning.

The task list

Before being able to declare ‘all clear’, a company must take a number of steps. First, identify the full scope of the attack and what has been lost. Then establish whether the method of attack and the point of compromise have been stopped along the kill chain. Determine whether data has stopped leaking and the infection is no longer spreading. Finally, make an inventory of all infected systems and confirm that they have been restored to normal, preventing any chance of a recurrence. Once these steps are complete, the all clear can be given.
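As an added example (not the article’s or Blue Coat’s code), the following Python puts the kill-chain triage described earlier and the ‘all clear’ checklist above into working form: IoC hits are mapped onto Cyber Kill Chain phases per host, dwell time is measured against the detection date, and the checklist is evaluated against a host status inventory. The event records, host names and status fields are constructed assumptions.

```python
# Added example (not the article's or Blue Coat's code): IoC hits mapped onto the
# Lockheed Martin Cyber Kill Chain, dwell-time measurement and an 'all clear' check.
# All event records, host names and status fields below are constructed.
from datetime import datetime

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed IoC hits: (ISO timestamp, host, kill-chain phase, indicator)
EVENTS = [
    ("2016-01-04T09:12:00", "ws-017", "delivery", "phishing attachment opened"),
    ("2016-01-04T09:13:30", "ws-017", "exploitation", "macro spawned a shell"),
    ("2016-01-04T09:14:10", "ws-017", "installation", "persistence run key written"),
    ("2016-01-05T02:00:00", "ws-017", "command_and_control", "beacon to known C2 domain"),
    ("2016-02-11T23:41:00", "fs-002", "actions_on_objectives", "bulk read of card-data share"),
]

def kill_chain_summary(events):
    """Per host: furthest kill-chain phase reached and first/last IoC timestamps.
    Working backwards from these tells the IR team where the chain can be broken."""
    summary = {}
    for ts, host, phase, _ in events:
        idx = KILL_CHAIN.index(phase)
        s = summary.setdefault(host, {"max": idx, "first": ts, "last": ts})
        s["max"] = max(s["max"], idx)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return {h: (KILL_CHAIN[s["max"]], s["first"], s["last"]) for h, s in summary.items()}

def dwell_days(events, detected_at):
    """Days from the earliest IoC to detection (the article's 206-day average)."""
    first = min(datetime.fromisoformat(ts) for ts, *_ in events)
    return (datetime.fromisoformat(detected_at) - first).days

def all_clear(events, host_status, leak_seen_after_containment):
    """The article's checklist: scope known, chain broken, leak stopped, hosts restored.
    host_status maps host -> {"contained": bool, "restored": bool}."""
    hosts = {h for _, h, _, _ in events}
    reasons = []
    unknown = sorted(hosts - set(host_status))
    if unknown:
        reasons.append("scope incomplete, no status for: %s" % unknown)
    not_contained = sorted(h for h in hosts if not host_status.get(h, {}).get("contained"))
    if not_contained:
        reasons.append("attack path not yet stopped on: %s" % not_contained)
    if leak_seen_after_containment:
        reasons.append("data still leaving the network after containment")
    not_restored = sorted(h for h in hosts if not host_status.get(h, {}).get("restored"))
    if not_restored:
        reasons.append("systems not restored to normal: %s" % not_restored)
    return (not reasons, reasons)
```

The returned reasons list is empty only when every host seen in the IoC data has been both contained and restored and no post-containment leak is recorded.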

It is therefore important to keep up to date with cyber-attack trends and to know what to look for, particularly with the financial sector suffering 300% more cyber-attacks than any other industry. Financial firms need to encourage and understand the development of internal cyber-security policies to ensure that threats are minimised as quickly as they appear. They must assume that their IT systems will be compromised at some stage; it is the processes put in place that will determine how they deal with the compromise. Investing in the right technology, such as security analytics, implementing strong cyber governance processes and developing IR teams is essential for firms looking to boost their cyber-security capabilities. Without this, the door is wide open to cyber-criminals.
