Posted May 1, 2019
In part one, we covered cyber threat actors who exist within the financial services sector. In this installment of the Follow the Money series, we explore the most common cyber attack methods used against the financial services sector. If you missed our first part of the series, read it for a primer on who is perpetrating these attacks, and why.
The Financial Services Sector (FSS) is targeted by cyber attacks more than any other industry – it averages 18 million USD per attack versus 12 million USD per attack in other verticals, and their likelihood of being attacked is 300 times more frequent than any other industry. From February to April 2020, amid the COVID-19 surge, cyberattacks against the financial sector increased by 238%, according to VMware Carbon Black data.It’s safe to say that if you work in financial services, you’re a target of threat actors.
We already know from the previous part that these attacks are most likely to be perpetrated by cyber criminals, nation-states, and hacktivists, now we’ll answer how they’re launching these attacks. Among the most popular tactics to use against FSS are distributed denial-of-service (DDoS) attacks, web application attacks, data breaches, insider threat, and mobile device threats. Though most of these attack vectors are commonly used against all industry verticals, the FSS experiences a high-volume of these types of cyber attacks, proving very costly.
Types of Cyber Attacks in the Financial Services Sector
DDoS attacks have been magnified in recent years by the explosion of the Internet of Things (IoT). These attacks are typically delivered through botnets or IoT devices, and can be used to bring down entire banking networks. By overwhelming targeting servers and networks with a high-volume of network traffic, attackers effectively block users from accessing a website or network. DDoS attacks in the FSS have averaged a cost of $1.8 million.
In 2016, seven Iranian hackers were charged with carrying out a string of DDoS attacks that occurred from 2011-2013. The attackers targeted 46 major financial institutions, including Bank of America, Capital One, and PNC. The hackers were government-linked. Though these attacks seem far in the past, financial services organizations across the world are experiencing the effects of DDoS attacks — in 2018, multiple Dutch banks were hit with back-to-back attacks. The Dutch government believes these attacks were a result of the media’s unfavorable coverage of Russian-U.S. election meddling. 2020 brought the largest DDoS attack ever measured against a large European bank, according to Akamai. Aimed to overwhelm network gear and applications of the target’s cloud environment, this high-bandwidth attack, if not mitigated properly, could have led to millions of user credentials stolen. Because DDoS attacks can mask other activities by hackers and cause major reputational damage, we’re likely to see DDoS attacks continuing to threaten U.S. financial services in 2020, either as a main attack tactic or one to distract from a more sinister threat.
Malware and Web-Application Attacks
Software vulnerabilities litter banking websites and applications. In 2017, 100% of tested banking web-applications had a high-risk vulnerability. Banking vulnerability exploits are available on the cyber crime market at very low prices—making them one of the most commonly used attack vectors, costing as little as $150 per exploit. The reason threat actors exploit these vulnerabilities? The end users. Because of the traffic that online and mobile banking applications garner, they are a very high-reward target for cyber criminals and other threat actors.
Due to its ease of use and low barrier to finding these exploits and malware, web-application attacks have been successful around the world. Russian group Cobalt has been using web-application attacks on financial firms in Europe since at least 2016, and is believed responsible for the theft of $9.7 million from a Russian bank, to name one of its many targets.
Third Party Breaches
2020 has shown a rise in cyber attacks from third-party breaches, over 13% more than the previous year. The increase in third party attacks on the FSS has put pressure on financial institutions—since 2013 legislation, the Federal Reserve (the Fed) released a supervision and regulation letter requiring that financial services organizations develop and implement risk management programs that ensure their service providers comply with the laws established by the Fed, and mandates that organizations review and update policies relating to third party and supply chain breaches. This new regulation has left the industry scrambling to meet the increasing pressure from regulatory committees to create effective risk management programs that protect customers’ data and their own reputation. 83% of financial institutions create vendor management to satisfy regulators. As financial institutions get smarter about cybersecurity, attack vectors become more complex and targeted.
Aside from regulatory penalties, data breaches from third party vendors in the FSS cause serious reputational damage to organizations—and for good reason. Financial services institutions hold both our most valuable assets and our most valuable information, and consumers and enterprises trust them with these assets. Firms that have had data breaches suffer the highest rate of customer loss among all industry verticals. As long as organizations have third party vendors, there will be third party breaches. The best defense against these third party breaches is continuous, scalable monitoring.
Both the most valuable and most dangerous asset a company has, its own employees pose serious risk to financial institutions. Employees of financial services organizations have the knowledge to access banking networks, stock valuations, cash tellers, and PII like few other industry’s employees have. 58% of cyber attacks on financial institutions were caused by insiders in 2016. Though only 5% of the attacks were malicious, it shows a serious need for education and training against incoming cyber threats. Accidental or unintentional insider threat is often associated with phishing and social engineering attacks—it is the most widely used infection vector, used by 71% of threat actor groups in 2017.
When insider threat attacks are malicious, attackers have the credentials and know-how to cause more damage than an outsider could, yet only 16% of financial institutions feel prepared to take on insider threat. Because these threats exist inside the firewall, they typically have about 32 months to launch their attack before it is detected. To combat insider threat, it is recommended that organizations implement top-down training and management of insider threat—the most successful cyber safety training comes from “the crown down”.
Though financial institutions face an onslaught of attacks every day, the key is creating an organization-wide cybersecurity policy that involves every level of employee. The onus is on each and every employee to take security seriously—and especially on the C-level executives to promote a cybersecurity forward company culture. These issues are sure to persist throughout 2019. Knowing the TTP’s of threat actors helps your analysts proactively plan and defend against entities targeting your organization. One way is by creating threat models tailored to your organization.
Want insights like these for your industry? Download our white paper on identifying cyber threats in finance or Contact us directly about our finished intelligence offering today.