Mapping the financial services threat landscape

Up to 300 times more vulnerable to cyber threats than organisations in other sectors, financial institutions are a particularly attractive target for cybercriminals. Though a cursory glance at some of history's most massive data breaches shows this has always been the case, the allure of financial firms for cybercriminals is still growing exponentially. 

 

In the UK, 70% of financial firms suffered a cyberattack in 2020, according to a report by Ponemon Institute. The start of the year appears to have been especially devastating for this sector. Between February and April of 2020, cyberattacks against the financial industry more than tripled. Worryingly, attacks on financial services are not only becoming more frequent, but they’re also getting more costly. The average cost of a data breach for the financial sector is now over $5 million, significantly higher than the average cost across all other sectors ($3.86 million). 

Cybercrime is now so bad in the financial industry that Christine Lagarde, the President of the European Central Bank (ECB), has warned that cyberattacks on major financial institutions could cause a financial crisis, a sentiment that was later echoed by the Financial Stability Board (FSB). However, although the financial services threat landscape is undoubtedly becoming more critical, behind today's rising threat level are a number of key factors.

 

Rapid digitisation is fuelling financial cybercrime

With the sector as a whole being an early adopter of technological tools and processes, digitisation was on track to transform the financial industry long before the pandemic made getting up to speed digitally urgent for every business. According to strategy+business magazine, as far back as 2012, financial services and insurance was the most digitised industry in Europe.

However, as financial institutions embrace digitisation at an increasingly rapid pace, cybersecurity can sometimes be left as an afterthought. According to a Deloitte and FS-ISAC 2020 survey, “rapid IT changes and rising complexities” has been the number one cybersecurity challenge for financial institutions for the last three years. 

As a result, the great leap forward in operational flexibility necessitated by the COVID-19 pandemic has not only further accelerated most financial institutions’ digitisation efforts but also greatly expanded attack surfaces. Accordingly, almost half (42%) of financial institutions said that remote work affected their security, with three quarters noting that the rise in cybercrime coincided with the COVID-19 pandemic. 

 

The insider threat is still here

It’s not just cybercriminals taking advantage of remote work initiatives. In its 2021 Financial Data Risk Report, Varonis noted that failure to lock down exposed data while mobilising remote workers means that insider breaches are now a serious risk that financial institutions must contend with. 

According to the report, the average financial services employee can access more than 10% of their organisation’s files, with workers at large organisations capable of reading as many as 20 million documents. Almost 20% of these files contain confidential employee and customer data. In the wrong hands, this information can cause a financial company a lot of damage. The average annual insider threat cost for the financial sector is $14.5 million, again, the highest of any industry. This amounts to a 20.3% increase since 2018. Now, more than ever, financial institutions need to monitor access controls and enforce the use of strong passwords and multi-factor authentication.

About the author

Brad Freeman, Head of Threat Analysis, SenseOn

Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at SenseOn, and specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.

 

Ransomware is a growing threat

Ransomware has affected untold numbers of businesses through the last year, and financial organisations were no exception. In the past twelve months, the financial industry was the sixth most targeted sector by ransomware attackers, with most financial organisations saying they feel like hackers have gotten more sophisticated and have better internal knowledge than before.

Data extortion ransomware, also known as double extortion ransomware, is a particularly prevalent threat facing financial institutions. Data extortion incidents in the financial sector rose by about 350% across 2020 compared to the pre-pandemic levels of Q1 of that year. Because cybercriminals not only encrypt files but also steal them and threaten to release them publicly if the victimised companies fail to pay up, many ransomware attacks now double as data breaches. Paying a ransom doesn’t guarantee a successful outcome for victims either. Even when they get what they want, cybercriminals may still decide to sell, trade, or freely publish confidential customer and employee information on the dark web.

Most ransomware attacks in the finance industry start with phishing emails, remote desktop protocol vulnerabilities, or vulnerabilities in poorly secured internet servers. Of these, phishing is the number one attack vector, according to a recent Deloitte report.

Ryuk, the most reported malware in 2020 and responsible for a third of all ransomware attacks last year, also utilises social engineering — about 80% of Ryuk ransomware attacks start with a phishing email. An especially dangerous strain of ransomware, Ryuk is highly targeted, with the group behind it best known for their manual hacking techniques. The ransomware strain is typically leveraged through multi-level attacks against an organisation and can spread from one infected network to another. Crucially, this strain of ransomware has recently been improved to steal confidential files from the finance sector.

However, even though ransomware developers are adapting tactics and strains specifically to target financial institutions, this threat is poorly recognised among decision-makers in the financial sector. In a recent survey of bankers by CSI about the most pressing cybersecurity issues, ransomware received less than 10% of the vote.

 

DDoS attacks may be masking other fraud

While ransomware is a rising threat to financial institutions, distributed denial-of-service (DDoS) attacks are a massive current issue. Last year, from late summer onward, cybercriminals threatened more than 100 financial firms with disastrous attacks unless a payment was made. 

As a sign of how threat actors are increasingly knowledgeable about their victims, the attackers appeared to be extremely familiar with the structure of financial markets and financial industry groupings.  Extortion demands were sent to banks, credit rating firms, clearinghouses, asset managers, and payment companies all over the globe, with cybercriminals behind the attacks impersonating well-known cybercriminal gangs like Lazarus Group and Fancy Bear in the hopes of scaring their victims into submission. 

DDoS attacks, which temporarily stop victims from accessing critical systems, can be particularly disruptive to financial organisations because they prevent customers from accessing their accounts. About 8 in 10 financial firms say they typically lose $10,000 an hour during outages caused by DDoS attacks. However, DDoS attacks are also sometimes carried out by cybercriminals as a way to obscure network infiltrations, like ransomware, that are taking place behind the scenes.

 

Island hopping is becoming popular

How cybercriminals attack financial institutions is also changing. A technique known as “island hopping,” where attackers gain a foothold in smaller companies’ networks and then jump to other, more profitable targets, is becoming more common. Though it is not a new attack method, island hopping attacks have grown to the point where they are now the primary delivery method for about 50% of all cyberattacks.

From watering hole attacks to reverse business email compromise to network-based island hopping, island hopping encompasses many different techniques. Network-based island hopping is particularly popular and happens when hackers infiltrate one network with the intent of using it to hop onto an affiliate network. However, reverse business email compromise is also widespread in the financial sector and involves threat actors taking control of a victim’s email server and executing fileless malware attacks against people in the victim’s contacts list. As per the VMware report quoted earlier, 38% of financial organisations experienced island hopping attacks in 2020. 

 

Cybercriminals are getting better at circumventing incident responders

In an effort to stay in their victims’ networks longer and outsmart incident response teams, cybercriminals are likely to use counter-incident response strategies against financial institutions. Returning to the report by VMware, financial institutions experienced counter-incident response 63% of the time in 2020.

A lot of the time, threat actors utilise evasion tactics, like blocking events from reaching the security information and event management (SIEM) systems and disabling the antimalware scan interface. However, they may also clear logs to stop IT teams from getting to the bottom of the attack and manipulate timestamps to evade detection and potentially alter the value of capital or trades.
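For defenders, three of these behaviours leave traces that can be checked in the event stream itself. The following is an added example, not part of the original article or any SenseOn product: it flags a cleared Windows Security log (event ID 1102), a per-host silence that may mean events are being blocked before they reach the SIEM, and timestamps that run backwards relative to record order. The host names, sample events, single-channel-per-host layout and 15-minute threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

LOG_CLEARED_ID = 1102                # Windows Security: "The audit log was cleared"
MAX_SILENCE = timedelta(minutes=15)  # assumed threshold; tune per log source

# Constructed sample events from one log channel per host:
# (host, record_id, ISO timestamp, event_id)
SAMPLE = [
    ("fin-ws01", 5001, "2021-03-01T09:00:00", 4624),
    ("fin-ws01", 5002, "2021-03-01T09:05:00", 4688),
    ("fin-ws01", 5003, "2021-03-01T09:04:00", 4688),  # time runs backwards
    ("fin-ws01", 5004, "2021-03-01T09:06:00", 1102),  # audit log cleared
    ("fin-db02", 880, "2021-03-01T09:00:00", 4624),
    ("fin-db02", 881, "2021-03-01T09:02:00", 4634),
    ("fin-db02", 882, "2021-03-01T10:30:00", 4624),   # 88 minutes of silence
]

def find_tampering(events, max_silence=MAX_SILENCE):
    """Return a sorted list of (host, record_id, finding) tuples."""
    by_host = {}
    for host, rec_id, ts, event_id in events:
        row = (rec_id, datetime.fromisoformat(ts), event_id)
        by_host.setdefault(host, []).append(row)

    findings = []
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])  # record IDs reflect the write order
        prev_ts = None
        for rec_id, ts, event_id in rows:
            if event_id == LOG_CLEARED_ID:
                findings.append((host, rec_id, "log_cleared"))
            if prev_ts is not None:
                if ts < prev_ts:
                    # Later record carries an earlier time: clock or log altered
                    findings.append((host, rec_id, "timestamp_regression"))
                elif ts - prev_ts > max_silence:
                    # Host went quiet: forwarding may have been blocked
                    findings.append((host, rec_id, "silence_gap"))
            prev_ts = ts
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_tampering(SAMPLE):
        print(finding)
```

A silence gap on its own can be a powered-off machine, so it is best treated as a prompt to check the host's forwarder health rather than as a verdict.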

 

The two kinds of financial institution

As PwC puts it, “there are two kinds of financial services firms: those that have faced a cyberattack and those that will.” However, with cybercriminals growing more greedy and amoral with every passing day, even financial organisations that have already experienced an attack are not immune from being breached in the future.

As hackers get smarter and the number of network vulnerabilities increases, for financial firms, the only way forward is investing in proactive defence. The cyber threat landscape for the finance sector may be becoming more complex, more dynamic, and ultimately more critical. However, for security-focused financial institutions, defence is still possible. Ultimately organisations that take an active approach to cybersecurity and arm themselves with comprehensive protection can still mitigate even the worst threats facing them.

 
Brad Freeman

With over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors, Brad has led the threat hunting and research teams at global organisations such as BT, managed Security Operations and EE and performed incident response offshore on Oil and Gas platforms.

Brad now leads the threat analysis team at SenseOn, applying machine learning and AI to detect and investigate cyber adversaries. Brad specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.

Brad holds CISSP & CISM.
