Even before the global pandemic, financial services companies were subject to unparalleled levels of cyber threat. The World Economic Forum’s Global Risks Report 2020 found that 76 per cent believed that the risk of cyber attacks would rise throughout last year.
Perhaps unsurprisingly, this threat has increased during the global pandemic. CrowdStrike’s 2021 Global Threat Report found that “interactive intrusions”, those driven by human, hands-on techniques, have increased fourfold in just two years. Of these, e-crime attacks, those non-nation-state actors motivated by financial gain, made up 79 per cent of all attributable attacks.
These attacks have been directed towards a plethora of industries. Globally, financial services companies suffered fewer ransomware operations than industrial and manufacturing firms, technology, retail and healthcare. The highly regulated nature of the sector means that financial services firms often have tougher cyber defences than organisations in other industries.
Nonetheless, this is not stopping cyber criminals and well organised, well-funded nation-state groups from trying. Of the 154 global threat actors tracked by CrowdStrike every day, 73 have a pattern of behavior of attacking the financial services industry, making it the second-highest concentration we witness across any sector. So what do we know about these threats and what can financial services firms do about them?
Knowing your spiders from your pandas
We saw a number of recurring adversaries of which financial services leaders should be aware, as they will only continue to grow throughout 2021. The terms “Spider”, “Panda”, “Chollima” and “Kitten” may not be commonly recognised by your average finance professional but knowledge of what they are is an important element of any defence.
These names are used by cyber researchers to quickly categorise threats, how they act and where they originate. Like the scientific naming of species, we can glean a lot from these terms and others like them – “Spider”, “Panda”, “Chollima” or “Bear” are the names given to attacks originating from cyber-criminal groups, China, North Korea and Russia respectively.
STARDUST CHOLLIMA, a North Korea-originating adversary, has aggressively targeted key elements of the global financial ecosystem such as the SWIFT international money wiring protocol, ATM networks, and payment processors, racking up large payouts in the tens of millions of US dollars. In 2020, CrowdStrike Intelligence observed STARDUST CHOLLIMA’s shift from operations targeting large financial institutions and moving toward cryptocurrency exchanges.
In addition to nation-state actors, targeted e-crime also didn’t cease for the financial services industry. Emerging threats during 2020 included KNOCKOUT SPIDER, which conducted low volume spear-phishing campaigns focused on companies involved in cryptocurrency. We also saw SOLAR SPIDER use phishing campaigns to deliver a sophisticated attack framework targeting financial institutions across Africa, the Middle East, South Asia and South-East Asia.
Getting ahead of the threat, early
A long-established method that cyber-security teams use for detecting such threats is indicators of compromise (IoCs), which can help determine whether a security incident has occurred by detecting the remnants of an attack such as executables, registry changes or connected IP addresses. Their nature, however, means that IoCs have security teams investigating and searching for breaches that have already happened, rather than trying to prevent them.
Fortunately, current next-generation cloud security solutions are helping security teams really understand the attacker’s end goal, allowing them to counter breaches more effectively by leveraging indicators of attack (IoAs). IoAs help security teams determine and understand common actions that an attacker must conduct to succeed, allowing their investigations to take a more proactive method to counterattacks. These actions include proactively identifying techniques such as initial access, code execution, persistence, privilege control, lateral movement plus many others within a network.
There’s no substitute for basic cyber sense
Despite the threat posed by motivated cyber criminals and nation-state adversaries to cyber defences, financial services firms can significantly reduce the risk of a breach by encouraging employees to practise basic cyber hygiene.
According to the latest Office of the Australian Information Commissioner (OAIC) statistics on notifiable data breaches, human error accounted for 38 per cent of all breaches in the latter half of 2020, up from 34 per cent tin the previous half. While cyber-security technologies and a zero-trust approach are critical to an organisation’s risk management strategies, ongoing staff security awareness training and education are just as important. That’s because over the last 12 months, attackers are increasingly targeting employees working from home. Regular staff training sessions and general awareness campaigns are good, but a more effective approach is to supplement this with “just-in-time”, contextualised training. This is targeted, dynamic and timely security awareness education for employees personalised to their specific roles, that can be triggered by real-life incidents detected by, for example, the CrowdStrike Falcon platform.
With the 2020 CrowdStrike Global Attitude Survey revealing that Australian companies that paid a ransom after being hit by ransomware paid on average $1.25 million to cyber criminals in 2020, robust preparation and strategic thinking are needed to reduce risk. It’s therefore crucial that financial services firms deploy technology that pre-empts breaches using indicators of attack whilst also educating employees to keep out the Spiders, Kittens and Pandas.
Scott Jarkoff, director, strategic threat advisory group, APJ and EMEA, CrowdStrike