Cyber crime dominated conversation on day 2 of the Swift Operations Forum Europe (SOFE) 2018 - from examples of how hackers have evolved and the methods they now use, to how institutions can protect themselves and what organisations should do when the worst happens.
Jamie Woodruff, director of MetricsCloud and a renowned ethical hacker, gave an entertaining and eye-opening keynote presentation on cyber crime to kick off day two of SOFE 2018 in Amsterdam. While there's a certain media perception of who a hacker is - usually living in his mum's basement with nothing but wall-to-wall computer monitors to light the room - Woodruff noted in reality it is much more likely to be a disgruntled current or former employee that is seeking to compromise your institution.
Woodruff then ran through how cyber crime has evolved, starting with viruses such as malicious code and trojans, through ID theft and then on to the opportunistic nature of botnets. Today, cyber threats are much more likely to attack institutions through social engineering, and the threats are certainly much more financially motivated than in the past where defacing or closing a website was the main goal for hackers.
Once a hacker has compromised your systems, a 'smash and grab' raid is generally unlikely; they much prefer to sit in the system and monitor activity and the movement of data. In many ways, data is more valuable than simply removing money from an account.
Woodruff explained how it is possible to buy ransomware - similar to the infamous WannaCry software - for around $10,000. It is undetectable, and also comes with your own account manager. They can also offer 'customer' service support, essentially talking the victims of such an attack through the process of how to buy and send the cryptocurrencies required to release their computers or systems from the attack.
This is one example of the growth of organised business cyber crime. Woodruff spent some time describing the organisational structure of a typical organised cyber crime operation, starting with the team leader, who is responsible for the overall mission. They will have a coder, who writes the software to infect the specific systems targeted in the attack. A network administrator will ensure that the malware persists in the infected system(s). Data miners are used to make sense of the data that the malware is coming into contact with. Finally, a money specialist will identify ways to extract money from the compromised data.
Woodruff shared with the delegates his approach to social engineering that allows him to facilitate the ethical hacks he is hired to perform. Having defined the end goal or motivation of the hack, he will engage in online reconnaissance of the business, as well as profile physical and human targets. Once the information gathering is complete, he will select the specific attack vectors to use and launch the attack.
When it comes to selecting attack vectors, there are a number of common ones used to compromise organisations' data. Some of the methods mentioned by Woodruff included:
- Phone spoofing - impersonating someone to reveal information (Woodruff demonstrated how easy this is to do onstage to a couple of unsuspecting delegates!)
- Phishing attack - it is possible to buy domain names very similar to those of existing institutions, and then use these to launch phishing attacks.
- Eavesdropping - it is fairly easy to listen to conversation to gain actionable information.
- Diversion tactic - by creating a diversion, you can cause someone to temporarily lose their concentration. Woodruff said he only needs approximately 10 seconds for someone to stop paying attention to their laptop in order to gain access.
- Baiting - this could involve dropping company-branded USBs in and around the office environment of the target to get them picked up by employees. By also marking these with tags such as 'confidential' and 'management bonus structure', for example, at least one employee is likely to connect one to their computer in the office.
- Badge surfing - printing ID cards and potentially impersonating an employee within the organisation's structure.
- Man-in-the-middle attack - interception of information between the victim and the organisation's server.
- QR code attack - using QR codes to download droppers and/or trojans onto a victim's device.
- Quid pro quo - using the promise of future information in exchange for current information from the organisation.
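The lookalike-domain phishing item above is one that a mail gateway can check for mechanically. The following is an added example, not code from the SOFE write-up or from any of the speakers: it classifies a sender domain as the institution's own, a lookalike of one of its domains, or an unrelated external domain. The protected-domain list and the sample senders are constructed for the example.

```python
"""Added example (not from the SOFE write-up): flag sender domains that look like
one of an institution's own domains, the kind of check a mail gateway can apply
before a lookalike phishing message reaches staff. PROTECTED and the sample
senders below are constructed for the example."""
import unicodedata

# Constructed: the institution's own registrable domains (assumption)
PROTECTED = {"examplebank.com"}


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.examplebank.com -> examplebank.com.
    Naive on purpose; a production check would use the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize(label: str) -> str:
    """Fold the substitutions lookalike registrations rely on back to plain letters:
    accented characters, digits that imitate letters, and 'rn'/'vv' for 'm'/'w'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for pair, letter in (("rn", "m"), ("vv", "w")):
        folded = folded.replace(pair, letter)
    return folded.translate(str.maketrans("01357", "olest"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, protected: set = PROTECTED) -> str:
    """Return 'own', 'lookalike' or 'external' for a sender domain."""
    reg = registrable(sender_domain)
    if reg in protected:
        return "own"
    label = reg.split(".")[0]
    for own in protected:
        own_label = own.split(".")[0]
        if normalize(label) == own_label:
            return "lookalike"          # homoglyph substitution or bare TLD swap
        if len(own_label) >= 5 and levenshtein(label, own_label) <= 1:
            return "lookalike"          # one-character typosquat
    return "external"


if __name__ == "__main__":
    # Constructed sample senders
    for sender in ("mail.examplebank.com", "exarnplebank.com", "examp1ebank.com",
                   "examplebnk.com", "examplebank.net", "supplier.co"):
        print(f"{sender:24} {classify(sender)}")
```

A 'lookalike' verdict is a reason to quarantine or tag the message for review rather than block outright, since legitimate partners occasionally have genuinely similar names; the thresholds (edit distance of 1, minimum label length of 5) are starting points to tune against the institution's own mail flow.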
Woodruff explained that even though companies may have very strict data security policies, they can still provide hackers with vital information from some surprising and unintentional sources. He used the example of a job advertisement that sets out the specific software requirements the organisation requires from candidates. To any hackers seeing the advertisement, they now know that specific software runs somewhere in the organisation's systems and can set about targeting that.
Addressing the cyber threat
In day two's afternoon plenary panel discussion on cyber security, Woodruff was joined by Petra Hielkema, director of payments and market infrastructure at the Dutch Central Bank, and Karel De Kneef, Swift's global head of security operations. The discussion was moderated by Saskia Devolder, head of Western and Central Europe at Swift.
Woodruff expanded on his earlier point about disgruntled employees as a potential weak link. To identify someone like this, he said they will often disassociate themselves from the organisation they work for. They may also enjoy taking company property home, for example. Woodruff noted that certain patterns of behaviour can be identified, and that this is a field where AI can be particularly helpful.
Hielkema made the point that institutions need to test what hackers do when they get into their systems, and that the focus cannot simply be on keeping them out. She added that there are two types of companies, those who know they have been hacked, and those that don't.
One way to prevent getting hacked is to ensure you are on the latest software version, so make sure to patch, De Kneef commented. Patching is very important as it is a good foundation. As he put it, don't invest in fancy technology if you keep the back door open.
Hackers will sit and watch you, not just in your system but physically in person, and they are prepared to wait. Woodruff said that organisations need to be aware of this. The incursion doesn't have to happen in the finance department, De Kneef noted; it could happen anywhere from HR to marketing. Once in, the malware can learn and spread, while remaining undetected.
Having spent many years looking into the security that organisations have on their data, Woodruff said that 'Big Pharma' is more secure than any other industry he has seen. He added that financial institutions are generally more secure than corporates, who may lack the budget for robust cyber security. De Kneef noted that over the past three years the response in financial services to cyber threats has been tremendous, from the regulatory side to the institutions themselves.
When a question from the audience asked how robust cloud security is, Woodruff recommended that institutions adopt a multi-cloud approach if they haven't already. Essentially this breaks valuable information up into several different pieces held on different clouds. Individually, each piece is useless and therefore unusable by a hacker. He used the example of dividing up credit card details - each group of four digits of the card number, the expiry date, the CVV number, etc - across different cloud storage.
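The split Woodruff described can be shown concretely. The following is an added example, not code from the SOFE write-up or from any speaker: it scatters a card record across three stand-in providers so that no single one holds a usable record, shows exactly what each provider would reveal if breached, and reassembles the record only when all three answer. The Store class, the three "clouds" and the card data are constructed for the example. It also goes one step beyond the talk with an XOR split, where each share on its own is uniformly random rather than a recognisable fragment.

```python
"""Added example (not from the SOFE write-up): fragmenting a card record across
separate storage providers so that no single provider holds a usable record,
along the lines of the multi-cloud split Woodruff described. The three Store
objects stand in for separate cloud accounts, and the card record is constructed
test data. The XOR split at the end is a stronger variant not mentioned in the
talk: each share on its own is uniformly random."""
import secrets
from typing import Dict, List


class Store:
    """Stand-in for one provider's key/value storage (assumption: separate accounts)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.data: Dict[str, str] = {}

    def put(self, key: str, value: str) -> None:
        self.data[key] = value

    def get(self, key: str) -> str:
        return self.data[key]


def fragments_of(record: dict) -> List[str]:
    """Split as described in the talk: PAN in four-digit groups, expiry and CVV as their own pieces."""
    pan = record["pan"].replace(" ", "")
    pieces = [pan[i:i + 4] for i in range(0, len(pan), 4)]
    return pieces + [record["expiry"], record["cvv"]]


def scatter(record_id: str, record: dict, stores: List[Store]) -> int:
    """Round-robin the pieces over the stores; returns the piece count needed to gather."""
    pieces = fragments_of(record)
    for idx, piece in enumerate(pieces):
        stores[idx % len(stores)].put(f"{record_id}/{idx}", piece)
    return len(pieces)


def gather(record_id: str, count: int, stores: List[Store]) -> dict:
    """Reassemble; every store must answer, which is the point of the scheme."""
    pieces = [stores[i % len(stores)].get(f"{record_id}/{i}") for i in range(count)]
    return {"pan": "".join(pieces[:-2]), "expiry": pieces[-2], "cvv": pieces[-1]}


def exposure_if_breached(store: Store, record_id: str, count: int) -> str:
    """What one compromised provider reveals on its own ('????' = piece held elsewhere)."""
    return " ".join(store.data.get(f"{record_id}/{i}", "????") for i in range(count))


def xor_split(secret: bytes, n: int) -> List[bytes]:
    """n shares whose XOR is the secret; any n-1 of them reveal nothing about it."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def xor_join(shares: List[bytes]) -> bytes:
    """XOR all shares together to recover the secret."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


if __name__ == "__main__":
    clouds = [Store("cloud-a"), Store("cloud-b"), Store("cloud-c")]
    card = {"pan": "1234 5678 9012 3456", "expiry": "12/29", "cvv": "123"}  # constructed
    n = scatter("card-1", card, clouds)
    for cloud in clouds:
        print(cloud.name, "alone sees:", exposure_if_breached(cloud, "card-1", n))
    print("all three together:", gather("card-1", n, clouds))
```

Positional fragmentation still leaks a little (the provider holding the first four digits learns the issuer prefix), which is why the XOR variant is worth knowing. The operational cost of either scheme is that a read needs every provider to be reachable, so availability and credential management across the separate accounts have to be planned rather than assumed.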
Communication is a vital element in addressing any type of hack, both internally and externally, the panel agreed. Woodruff said that the reporting of a system compromise comes down to people. Some will be scared to report when they accidentally click a compromised link on their computer, in case they are disciplined by management. Organisations need to foster a culture where staff members are encouraged to report the slightest of suspicions they may have.
Additionally, companies and institutions themselves need to communicate to the market when they identify a hack on their systems. Hielkema said that organisations should have a communications strategy in place before anything like this happens so that they can react quickly - she noted that unofficial accounts of an incident can appear on social media very quickly, so it is vital that companies can get out ahead of this.
A breakout workshop on day two of SOFE saw Bernard Spitz, financial services industry consultant for Swift, outline the concept of cyber resilience and what institutions can do to adopt a cyber resilience mindset. He began by putting some context around the cyber threats the world faces. He cited the World Economic Forum's (WEF's) Global Risks Report which placed cyber attacks only behind extreme weather events and natural disasters on an impact/likelihood axis of risks faced globally today.
Spitz echoed a theme from Woodruff's earlier presentation by noting that cyber threats are evolving. While new technologies offer institutions the ability to make quickly scalable products and services for their customers, they also allow the cyber threat to be scalable as well. Spitz also noted the evolving attack vectors, from intense distributed denial of service (DDoS) attacks, to the rise in ransomware, and the evolving zero day advanced persistent threats (APT). Spitz said that attacks that were once intrusive evolved to be disruptive and are now becoming destructive, noting there is an evolution in both the frequency and sophistication of cyber attacks.
According to Spitz, to respond to this evolving threat, the cyber response from financial services has to evolve from a position of control to one of resilience. He noted that banks need to look at their entire infrastructure, identify all of their end points and explore how they can manage any contaminations and bounce back effectively.
There is a difference between cyber security and cyber resilience, Spitz stressed. The key focus in cyber security is on protecting information systems and surviving an attack. Cyber resilience is a broader range of methods and services rather than simply focussing on one attack. As Spitz put it, cyber resilience is the ability to continuously deliver the intended outcomes despite adverse cyber events.
No institution or corporate is an impenetrable fortress to persistent hackers. Spitz recalled the example from 2016 where hackers compromised the IT environment of Bangladesh Bank and worked their way to the bank systems where the Swift instructions are generated and the confirmations received. Reflecting on this hack, he said that the interesting part was how very patient the attackers were, and that they had sat in the Bank's system and observed daily operations for somewhere between 18 months and two years. When they did attack, they timed it to occur just before a public holiday over a weekend, so while the attack itself only occurred for around three hours, the hackers had approximately four days to work on covering their tracks before bank staff returned to work.
Today, Swift's cyber resilience is built on the following four critical cyber resiliency layers:
4. Full infrastructure recovery.
3. In place recovery.
2. Detect and respond.
1. Identify and protect.
Spitz emphasised that this security methodology is key when designing new products, and that Swift's Customer Security Programme reflects these four layers.
Going into more detail on the layers, Spitz began with layer 1, identify and protect. This involves creating hurdles to repel or slow down attackers. Examples of tactics to deploy here include multi-factor authentication, multi-layered defence, and application security. Layer 2 - detect and respond - focusses on detecting abnormal activities as soon as possible, as well as retrospectively analysing the depth and breadth of the compromise. In place recovery refers to the cleaning and restoration of a system or a system subset, with the goal of restoring clean data. Finally, the full infrastructure recovery is the last resort for vital services in the case of very extreme scenarios. This will result in the 'best last version' being restored.
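The "detect abnormal activities as soon as possible" goal of layer 2 connects directly to the timing lesson from the 2016 attack described earlier, where the instructions went out just before a public holiday weekend. The following is an added example, not code from the SOFE write-up or from Swift: a small detector over payment-instruction log lines that flags instructions generated outside business hours or inside a long unstaffed window. The log format, the holiday calendar and the sample lines are all constructed for the example.

```python
"""Added example (not from the SOFE write-up): a small layer-2 style detector
over payment-instruction log lines, flagging instructions generated outside
business hours or inside a long unstaffed window, the timing Spitz described
for the 2016 Bangladesh Bank attack. The log format, holiday calendar and
sample lines are constructed for this example."""
from datetime import date, datetime, timedelta
from typing import Dict, List

# Constructed holiday calendar (assumption: maintained by the institution)
HOLIDAYS = {date(2024, 5, 27)}     # a Monday, giving a Sat-Sun-Mon closure
BUSINESS_HOURS = (8, 18)           # 08:00-18:00 local time on open days

# Constructed sample log: <ISO timestamp> operator=<id> type=<kind> amount=<n> ref=<id>
SAMPLE_LOG = [
    "2024-05-23T14:02:11 operator=alice type=payment amount=12500 ref=TX1001",
    "2024-05-24T17:30:00 operator=bob type=payment amount=40000 ref=TX1002",
    "2024-05-24T23:45:10 operator=bob type=payment amount=9500000 ref=TX1003",
    "2024-05-25T02:10:45 operator=svc_batch type=payment amount=4800000 ref=TX1004",
    "2024-05-28T09:15:00 operator=alice type=payment amount=20000 ref=TX1005",
]


def is_open_day(d: date) -> bool:
    """Weekday and not a holiday."""
    return d.weekday() < 5 and d not in HOLIDAYS


def closure_length(ts: datetime) -> int:
    """Consecutive closed days around ts: starting today if today is closed, else tomorrow.
    A result of 3 or more means an instruction sent now goes unwatched for at least that long."""
    d = ts.date() if not is_open_day(ts.date()) else ts.date() + timedelta(days=1)
    n = 0
    while not is_open_day(d):
        n += 1
        d += timedelta(days=1)
    return n


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record with a datetime and integer amount."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["amount"] = int(rec["amount"])
    return rec


def reasons_for(rec: dict) -> List[str]:
    """Timing-based reasons this instruction deserves a second look (empty = none)."""
    ts = rec["ts"]
    out = []
    if not (is_open_day(ts.date()) and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        out.append("outside_business_hours")
    if closure_length(ts) >= 3:
        out.append("long_closure_window")
    return out


def review(lines: List[str]) -> Dict[str, List[str]]:
    """Map each instruction reference to its list of reasons."""
    return {rec["ref"]: reasons_for(rec) for rec in map(parse_line, lines)}


if __name__ == "__main__":
    for ref, why in review(SAMPLE_LOG).items():
        print(ref, ", ".join(why) or "ok")
```

Timing is a weak signal on its own; its value is in combination with the retrospective analysis the layer also calls for, for example by routing flagged instructions to a reviewer who is on call during the closure rather than letting them wait until staff return.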
Spitz ended the workshop by covering some of the common mistakes that institutions can make when they discover they have been compromised. One that may be surprising to some is that powering off the compromised machine is a mistake - rather, banks should isolate a compromised machine from the network, but still keep it running until it can be investigated. Simply powering down a machine can permanently erase vital information about the hack. Using internal IT staff for the forensic investigation is also a mistake - they may themselves be compromised, but more likely they lack the resources of an external professional forensic company. You should not limit the scope of data collection or forensic information when examining a hack. Some companies may also neglect to share evidence or indicators of a compromise. While this may be an effort to avoid embarrassment or damage to the organisation's reputation, it can be far more damaging in the long-term if it emerges that the information was sat on for any period of time. Additionally, sharing this kind of information with the community helps everyone, as mentioned earlier in the cyber security panel discussion.