RiskTech Forum

Wolters Kluwer: Cyber Criminals Target Second Tier Financial Firms and Their Advisers

Posted: 14 February 2017  |  Author: Nick Kochan  |  Source: Wolters Kluwer

Second tier financial institutions are at greater risk of penetration by the cyber criminal than the largest firms, says Troels Oerting, former head of Europol’s cyber-crime unit and now the managing director for cyber security at Barclays Bank. ‘The largest institutions have invested heavily in technology and training. They place cyber-crime higher up their agendas.’ Smaller financial institutions like fund managers and insurance companies, as well as financial services professionals like accountants and lawyers, are being targeted and are at greatest risk.

Oerting has recently been appointed the head of the Global Cyber Alliance (GCA), a partnership of the City of London Police and the New York Attorney’s Office for the Southern District. The GCA is a forum for sharing data and case material. Oerting now seeks to expand its reach, bringing in partners from both public and private sectors and from many jurisdictions.

Distributed Denial of Service (DDOS) attacks are at their highest ever level, he warns. One such recent case involved the closure of HSBC’s systems for 24 hours. DDOS is a type of attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Denial of Service (DoS) attack.

Collaboration between the public and private sectors is essential, says Oerting, if cyber criminals are to be restrained from infiltrating financial institutions and their customers protected from theft and distortion of their information.

The need for cyber security to counter the growing competence of cyber criminals to break into banks’ computers is paramount. Yet consultants FireEye (who support companies through a cyber attack) say that it takes a ‘brave security officer to stand up at a board meeting and say that the recent spending on cyber security has failed to deal with the problem’ and more money is needed. ‘No-one wants to hear that.’ In FireEye’s outlook for 2017, it says ‘threat groups will continue to target industrial control systems (ICS) in the near future. A recent report revealed that security patches were not yet available for more than 30% of identified ICS vulnerabilities. ‘What does the future hold for less security mature regions? Sophisticated financially motivated espionage actor groups are expected to continue to plague Asia Pacific and EMEA.’

The risk officer can respond to the sceptical board by pointing to the claim by Oerting, that gangs are moving away from small value attacks, and are now planning a $1 billion hit on a bank. This shocking claim should be enough to drive any board into urgent action, whatever the cost.

The operational risk officer charged with protecting the operations of business has to find intelligent systems that adapt to changing cyber risk, says Simon Placks, head of cyber-crime investigation at consultants Deloitte. ‘Many companies are being targeted and are in the crosshairs of hackers throughout the world. If someone is out to get you, they will find that small threat gap that allows them to slip through your defences.’

Placks advises companies to monitor potential external foes using internet intelligence; to use logging software to pinpoint vulnerabilities; to prioritise corporate information so they protect their exposures. High-level teams of executives are needed to respond quickly to cyber threat.

Companies are least likely to take a hit if they have planned their response in advance, says EJ Hilbert, Kroll’s head of cyber investigation and a former FBI agent. ‘Proactive preparation before an “accident” is far more important than what they do afterwards. The reactive approach is always slower, always clunkier, and is about ten times more expensive.’ Preparing for a hit avoids the danger – so often found in banks – of ‘panic and make kneejerk reactions that lack considered decision-making, says David Porter, a special adviser to Digital Shadows, who advises the Bank of England and corporate clients. ‘In the worst case this can result in unpredictable outcomes and loss of control. A better approach is to pause and apply a level of decision-making. An essential support tool is a pre-defined incident management plan’. Porter says that plans should be simple to be effective.

Porter says, ‘Cyber attackers are now so professional, targeted and sophisticated that they are bypassing traditional perimeter defences. This has resulted in a move towards detecting the enemy inside the castle wall using Security Information and Event Management (SIEM) software. These tools analyse audit log data produced by computer devices in order to detect security incidents as they occur.’

Access to the Bank of England’s CBEST standard enhances resilience to cyber attack using the intelligence-led approach, says Porter. This provides a ‘staged and methodical strategic approach’, to deal with the more sophisticated tools available to cyber criminals. Andrew Gracie, who heads up the Bank of England’s CBEST programme, says the system ‘brings together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live red team tests, within a controlled testing environment. The results should provide a direct readout on a firm’s capability to withstand cyber attacks that, on the basis of current intelligence, have the most potential, combining probability and impact, to adversely impact financial stability.’

Technical responses to fighting cyber crime involve what experts call building a ‘high wall’ around the company’s technology. It presupposes that if enough complex defensive equipment is deployed to fight the enemy, the company is impregnable. That is a dangerous delusion, says Placks. ‘Firms used to assess the risk in their organisation by running an IT audit. They have devices on the perimeter to protect their data; they have IT audits, controls in place and certifications. But now they realise that this is not enough anymore.’

Cyber defence, says Gracie, is ‘not a matter of designing a hard perimeter that can repel attacks but detecting where networks have been penetrated and responding effectively where this occurs. As it changes and multiplies, cyber is elusive, hard to define and to measure. But it is clear that the risk is on the rise and a growing cause of concern to industry and authorities alike.’ Gracie argues that fighting cyber-crime involves human intervention working alongside technological hardware. In a speech in 2015, he said, ‘cyber is not just about technology. People matter. More often than not attackers may seek to exploit potential weaknesses in personnel, to establish a bridgehead for attacks. It is therefore essential that firms have the right arrangements in place so that all staff understand cyber risk and their responsibilities for information assurance.’

An intelligence-driven approach such as deployed in traditional military warfare is the model for the modern corporate stance against cyber-crime, says Porter. He points to two aims of such an approach. First, it prevents an attacker from successfully attacking the system. Second, it recognises and responds effectively to an attack that has already happened. ‘It involves moving beyond the technical details of the attack (indicators of compromise, or the “what”) towards a better understanding, and attribution, of the modus operandi behind the attack (the “when, where and how”) and, critically, the attackers themselves (the “who and why”). Such intelligence places cyber threats in context and, through improved situational awareness, better informs the countermeasures.’

An analysis of a company’s business sector, geography, product and market analysis is critical to the intelligence-backed approach. The stakes are enormous, as companies in politically sensitive sectors, such as defence, are vulnerable to state-sponsored attackers. Those in the high-tech sector may be faced with industrial hackers, operating through cyber space, and aiming to steal information. Small and medium sized enterprises are more likely to be targeted than large companies reports JP Morgan, in a comment that chimes well with Oerting.

The theft of data may be used either for direct monetary gain, and sold on to a rival, says Placks, or simply used by a competitor acting through a middle man to gain a commercial advantage. Industrial saboteurs will use blackmail to pressurise internal executives to obtain passwords or other information about the layout of a company’s network. The techniques closely mirror conventional fraud and the company’s defence requires as much understanding, not merely of their technical defences, but also of the state of their human defences. The vulnerable executive presents a threat to the company and management does well to have that covered. Many companies discover the vulnerability when the break-in has occurred and data is lost.

The team capable of leading this strategic approach to cyber warfare needs to be multi-disciplinary. Executives must also understand implications for the business as well as for the company systems. The composition of the team is critical, says Placks. ‘Upstream in the investigation, you need whoever owns cyber to be there. That might be the chief operating officer or the chief financial officer. You also want the chief information security officer, people from corporate investigations and from human resources, because there may have been an internal fraud ring. You have to decide how far to involve your business heads.'

Cyber investigation will involve bypassing business’s usual processes, to expedite the process. ‘If I need to scan all of your computers, to indicate that there has been a compromise, I cannot be waiting for change requests to go through lengthy IT “business-as-usual” processes.’

Maintaining security during the investigation of a hack will ensure information about suspected intrusion does not reach hackers. This is particularly important where the fraudster is suspected of either being a member of the company or working in collusion with a malicious outsider. One key precaution is to avoid or keep to the minimum use of an internal email system which cyber hackers may have compromised. Placks says, ‘the circle of trust needs to be kept very tight. At the start of an investigation, quite a lot of people will be involved!’

Early discovery is critical to the target of a break-in. Initial probing is likely to be low-key. If this early approach gets overlooked, the hacker will conclude that the defences are down and it can safely raise the stakes. ‘They might well be testing out the defences,’ said one. ‘The period of probing is often found to be very extensive.’ Hackers will seek to introduce devices into the company’s system that leave minimal footprints. For example, companies may not spot key-logging software without their own sophisticated tracking software, says one consultant.

A company’s intellectual property is most at risk from a hack, says Porter. ‘Unfortunately most organisations find out when it’s too late. In the case of stolen money it is quite obvious: the money has gone. But when valuable data, such as sensitive customer information or intellectual property, is exfiltrated then it is less obvious since a copy is taken while the original data stays intact. That said, it is possible to identify so-called “indicators of compromise” after data has been exfiltrated. These are forensic remnants of a cyber intrusion – data, location references and instruction codes – that linger in computer memory as by-products of rogue computer code. A skilled analyst can piece together these breadcrumbs to understand the anatomy of an attack. This information is more formally known in intelligence circles as TECHINT (technical intelligence).’

The first response to a suspected hack, is to preserve the key business data, without which the business itself may be jeopardised. The well-prepared company will not only have prioritised the data but also know exactly where on its network it is. Placks says, ‘Information needs to have been prioritised on the basis of what is fundamental and what the business can afford to lose. If that is in any danger of being compromised, you will want to jump on it straight away. Other data sources might be more ancillary to your business. Now for that, perhaps you can afford to monitor a little bit longer. But if you don’t know, you cannot make that determination.’

Companies can overlook the importance of the email server, and the email data that is sitting in there, says Placks. ‘It may not be one of your core knowledge systems, or your core IP databank. But it does contain an awful lot of very sensitive information – internal reports, financial reports. Some people email passwords to each other as raw data. Most IT departments are there to provide the plumbing. But how the data flows throughout that plumbing is not that clearly understood. So, there is the intelligence about what is going on in your network and intelligence about who is attacking your network. But there is also intelligence about how data is splattered across your network, and understanding where your important stuff is – your crown jewels.’

Investigators focus on the need to preserve evidence, the importance of understanding and thoroughly dissecting the route taken by the hacker, the care with which exits to the network are closed and the skill to require a degree of expertise not present in many security departments, says Placks. ‘The virtual crime scene is not unlike a crime scene. If your house has been burgled, you open the door and see everything is in a state. You don’t have a quick tidy-up before you call the police. You know that if you walk into a room and see a dead body on the ground, you don’t pick up the gun!’

Investigators scrutinising the evidence of the hack in the period after the event will concentrate on analysing logs through the firewall. But Placks warns that ‘when they start going across servers, you must know that they are trampling over evidence. Forensic guys are very good at getting deleted stuff, off computers, which is very important if the hacker has cleaned up after himself. But not only are the IT trampling over evidence – you are not going to take a foreign state-sponsored hacking team to court! It is the intelligence that you are losing. You are losing the footprints in the sand that tell me where that hacker went next. If you suspect that you have had a breach, the people you get in to have an initial quick look-around and assessment of whether you have had a real hack or not have to be trained forensic investigators.’

Where a hacker is found to have infiltrated a system, investigators may plant deceptive traps to lure hackers towards what appear to be easy targets. Placks says, ‘Some organisations have got more advanced in their thinking, and they will come up with honey pots and honey nets. These are designed to lure the hackers away from the really valuable stuff by making a server look like it is a soft target. They [hackers] go after the [apparently] soft target; and of course, that is being heavily monitored. Once it is clear that the safe email server has been compromised the rest of the network can be protected.’

Management responses to the discovery of a hack range between neglect in the belief either that the company has nothing to steal or the confidence that it won’t be found and the hacker will lose interest to an extreme fear about the company’s vulnerability. Some companies may even consider closing down their main networks, and setting up a parallel network as a survival strategy to ensure business continuity.

Both approaches can carry a high cost. Hilbert cites one case where a firm was losing some $12m a day but refused to close down the network, even though it had been infiltrated. ‘They would not shut down the network just to fix it because they were making $50m a day! And they said: We cannot risk losing the $12m. Very rarely is a company willing to pull the plug on their internet, or shut down business operations even for just a couple of hours, because they don’t know what occurred. And the bad guys take advantage of that. They know that even if they are caught they have got a window of time to use any of their backdoors. If those get identified, they stop, and they wait – say two to three weeks or months – depending on how the company responds. And then they come and try them again.’

For all the technology and systems to counter hacking, companies must also be aware that the infiltrators will have their own technical challenges. The failure of the hacker to cover his tracks can trigger a warning light in the well protected company. EJ Hilbert, the head of cyber investigations at Kroll, cites a case of one intrusion where ‘bad guys were in the system for four years. The only reason they found out was that on a particular day in 2011 the bad guy was supposed to take out 500 MB of data and he mistakenly took out 500 Gigabits of data. And when he did that it went from a garden hose to a fire hose. And all the sensors went off; [people asked] what the heck is going on? Immediately the company tried to identify where the flow was coming from and going to, and they did all they could to contain it.’

While technology will undoubtedly fight the hacker at the first hurdle, subsequent and future hurdles require a clear cultural approach to threat, says the Bank of England’s Andrew Gracie. ‘Information-gathering, testing and information sharing – are essential ingredients to improving the sector’s resilience to potential cyber threats. Underpinning all of these is a longer-term question about culture. Cyber risk is not just for technology specialists; this is part of a broader issue of how organisations defend themselves against attack.’

Cyber criminality is so pervasive that no company can rest in the belief that its IP or funds are secure. The key is alertness to minimise the threat of intrusion and preparedness should the walls be breached.