HEAT: Why a New Class of Cyberthreats is Targeting Financial Services
- Mark Guntrip, Senior Director of Cybersecurity Strategy at Menlo Security
- 23.01.2023 12:45 pm #cybersecurity
It’s little surprise that financial services organisations have a target on their backs.
Cybercriminals know they work with valuable personally identifiable information and proprietary financial information that can be monetised. Financial services companies are also likely to have a rainy-day fund that can be tapped for ransom payments.
As threat surfaces expand due to digital transformation and ransomware attacks become more prevalent – attacks in the UK reported to the Information Commissioner's Office (ICO) have more than doubled since 2020 – risk assessment no longer favours inaction.
Organisations will need to rethink their security strategies to be more proactive against today’s most damaging threats. These include Highly Evasive Adaptive Threats or HEAT, a new class of cyberthreat that turns the biggest productivity tool – the web browser – into a threat vector.
Adapting to new models
Financial services business operations have changed over the past three years. A new hybrid workforce has stretched threat surfaces thin, digital transformation and new customer engagement channels have moved critical information and systems out to the edge of the network and beyond. There is also a growing reliance on third-party partners and tools that have created visibility and control complications that make it difficult to identify and stay on top of security issues.
Financial institutions in the UK have taken note, and listed cyberattacks as one of the biggest risks to the UK financial system, according to research from the Bank of England. What’s the biggest problem? Security teams struggling to keep up.
Traditional detect-and-respond strategies are no longer viable as the speed of detection is unable to keep up with HEAT attacks. HEAT evasive techniques include HTML smuggling, sending malicious links through unprotected channels (such as text messaging, social media, and collaboration software), hiding malicious content inside web page source code, and using benign websites to deliver sophisticated malware. HEAT attacks can trick traditional detect-and-respond security solutions into assuming they are legitimate traffic.
Rethinking traditional security
Rethinking how we have approached security traditionally – by stopping the initial breach—is the only way to prevent attacks from occurring in the first place. Here are five tips that financial services businesses should keep in mind as they refocus on prevention in the face of HEAT attacks:
1. Plan your mitigation strategy ahead of time
Having a plan in place in case of a breach is critical. Identify the weakest links in your security posture, whether this is remote workers, the partner ecosystem, customers, or some other threat. Then educate these stakeholders on best practices to keep the organisation safe while making sure you create a recovery plan in the event of a breach. Knowing that the right safeguards are in place, there’s a recovery plan, and that everyone is onboard, provides peace of mind.
2. Push visibility and control to expanding threat surfaces
Business today is not just in-person, on the phone, or via email. Customers use private applications, third-party platforms and social media – channels that provide little to no visibility or control. Even the channels you do control, such as your website, chat function and private applications, run on a third-party cloud infrastructure, where each provider has its own set of security policies. Security requires a centralised security platform that provides visibility into applications, devices and applications across a multi-cloud infrastructure. A platform where you can create and apply reliable and consistent enterprise-level security controls that don’t impact productivity.
3. Scale wherever you do business with a cloud-native approach
Whether you are a global or regional enterprise, your operations have spread out of the office to the edge of the network and beyond. It is critical that security scales with the business and provides protection wherever you do business, whether it’s an analyst logging in overseas, a customer making a transaction in a mobile app, or someone checking an account balance from a branch location. This ability to scale requires a cloud-native security strategy that is flexible.
4. Create, manage, and apply context-aware policies
Applying the harshest security controls to all users puts unnecessary restrictions on ‘business as usual’. Workers in a bank branch use devices that are not connected to the Internet, so it makes little sense to impose the same controls as those applied to a remote mortgage agent who uses a laptop to check third-party rates. Your security strategy should be user, device, infrastructure and application-aware, allowing you to apply different policies. This begins with knowing who and where your users are, what sanctioned and unsanctioned applications they use, what they are allowed to do and how they are allowed to do it. Being armed with this information enables security teams to apply appropriate security controls without being disruptive to normal business operations.
5. Acknowledge the convergence of compliance and security
Financial services companies are the most heavily regulated organisations, but meeting compliance requirements should be more than just going through a checklist. Security teams should work with compliance teams to understand what they need to do (compliance) and how they should do it (security). Compliance needs to be baked into a preventative security strategy to ensure that you are meeting the letter and spirit of any compliance requirements.
Financial services organisations are under constant threat from HEAT attacks originating from the web and email. Security teams need to rethink the traditional detect-and-respond approach to be more proactive in preventing the initial breach. This requires foresight and planning, and a security framework that ensures visibility and control into new and expanding threat surfaces.