Preventing Ransomware Attacks on Financial Services

Invest in UEBA, SIEM and analytical capabilities for the best ransomware threat detection.

As the world continues to digitize, financial services become more susceptible to cyberattacks each year. With ransomware attacks, nation-state recruitment efforts, the Great Resignation, changing employee behaviors, and partners, third-party contractors and consultants gaining more access to company software, there are myriad opportunities for attackers to target financial services organizations. Size is no defense – big banks like J.P. Morgan will be targeted because of the large amount of sensitive data they hold, while smaller financial institutions will be targeted because they don’t have the budgets for adequate security infrastructure and attackers know it.

Just how significant is the problem? Here are some statistics:

  • According to Positive, 93% of company networks can be penetrated by cybercriminals;
  • Sixty-six percent of financial institutions aren’t confident they could recover from an attack, Veritas Research reported; and
  • Forty percent of banks receive irrelevant, incorrect or duplicate alerts from their security software, according to Ponemon Institute.

As cyberattacks targeting the financial sector proliferate, mandatory cybersecurity regulations force organizations to be held accountable for their security posture. Financial services organizations, depending on their type and size, are required to maintain compliance with regulations such as ISO/IEC 27001, NIST 800-53, PCI DSS, EU-General Data Protection Regulation (GDPR), UK-GDPR, the Sarbanes-Oxley Act (SOX), the Bank Secrecy Act (BSA), the Gramm-Leach-Bliley Act (GLBA), the Financial Industry Regulatory Authority (FINRA) and EU-Payment Services Directive 2 (PSD2).

To prevent targeted attacks and meet these regulatory requirements, investment in cybersecurity software like User and Entity Behavior Analytics (UEBA) and Next Generation Security Information and Event Management (SIEM) is becoming critical. These platforms offer advanced analytical capabilities to protect against ransomware. So how do financial services organizations defend against these attacks?

Understand the Seven Stages of a Ransomware Attack

The first step to better defense is understanding how these attacks work. Ransomware attacks are carried out in stages. Detecting an attacker’s activity in each stage requires different techniques and, when viewed individually, activity in a certain stage might appear less dangerous or not suggest that a full attack is in process. The stages are:

1. Obtain false credentials;
2. Install malware;
3. Communicate to server;
4. Move laterally;
5. Discover critical assets;
6. Share encryption keys; and
7. Exfiltrate data and/or detonate ransomware.

Why Is Detection So Hard?

The ransomware stages listed above can be spread out over a long period of time. Security operations center (SOC) teams may look at each stage individually and not realize what is actually happening because they don’t have the context or knowledge of previous stages. If SOC teams or threat detection systems do detect these early stages, oftentimes they are mixed in with hundreds of other security alerts that are either false positives or standalone incidents. It takes detailed analysis and knowledge to connect the dots that attackers leave behind in each stage to realize that a full attack campaign is in process. Without modern threat detection systems that provide context, it’s much harder to distinguish what is a real threat and what is not.

Another factor is the continued use (and exploitation) of legacy security systems. Hackers exploit legacy, rule-based systems that don’t adapt to variants of attacks and use this as a way to infiltrate other organizations’ systems. Even if the financial services company has strong security protections, their contractors or partners who have access to their network may not.

It’s also relatively straightforward for attackers to get false credentials (stage one of a ransomware attack), which they can use to make it harder for defenders to detect subsequent stages. One of the most common ways this occurs is through phishing attacks, which are unfortunately a very successful way of obtaining false credentials or gaining access to a network. Even with defenses such as email security tools and mandatory employee security training, all it takes is one user to make a mistake and click on a bad link that is connected to a phishing campaign. Valid credentials from past data breaches are also available to buy in hacker forums or on the dark web. Financial services organizations can’t rely on a strong outer shell to keep attackers out – they must prepare for attackers that get in. They inevitably will.

How Financial Services Can Protect Against Hackers

One of the biggest factors holding back financial institutions from better security is the lack of investment in modern threat detection and security analytics software like UEBA and Next-Gen SIEM. The combination of these two security solutions provides the analytical capabilities required not only to combat advanced threats, but to detect them in their early stages. Using UEBA and SIEM together allows SOC teams to detect threats and anomalies based on stolen credentials, as well as other privileged access misuse and violations that could damage an organization.

In addition to utilizing UEBA and SIEM for modern threat detection and analytics, using a unified SOC view to streamline investigations is essential for detecting ransomware and other threats. Linking or unifying analytics allows SOC teams to have an overview of the different stages of an attack. This also reduces the amount of manual labor required by providing automatic initial responses to threats. This, coupled with actionable intelligence to security professionals, allows for a streamlined process that doesn’t overwhelm SOC teams with too many false threats.
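An added example (not from the original article and not any vendor's product code) of the linking described above: alerts that look minor on their own are grouped per entity and flagged when they progress through several of the seven stages in order within a time window. The stage labels, entity names, 30-day window and three-stage threshold are all assumptions, and the mapping from raw detections to stage labels is assumed to happen upstream.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The article's seven stages, in order (label spellings are assumed).
STAGES = ["obtain_credentials", "install_malware", "communicate_to_server",
          "move_laterally", "discover_assets", "share_keys",
          "exfiltrate_or_detonate"]
STAGE_NO = {name: i + 1 for i, name in enumerate(STAGES)}

# Constructed alerts: (timestamp, entity, stage label set by an upstream detector).
SAMPLE_ALERTS = [
    ("2024-03-01T08:12:00", "jsmith", "obtain_credentials"),
    ("2024-03-01T09:40:00", "adavis", "obtain_credentials"),
    ("2024-03-03T02:15:00", "jsmith", "install_malware"),
    ("2024-03-03T02:17:00", "jsmith", "communicate_to_server"),
    ("2024-03-05T11:00:00", "build01", "move_laterally"),
    ("2024-03-06T11:00:00", "build01", "install_malware"),
    ("2024-03-10T23:05:00", "jsmith", "move_laterally"),
    ("2024-03-12T01:30:00", "jsmith", "discover_assets"),
    ("2024-05-20T14:00:00", "adavis", "communicate_to_server"),
]

def longest_chain(events, window):
    """Longest run of alerts with strictly increasing stage numbers whose
    first and last alert are no more than `window` apart."""
    best = []
    for s, (t0, _) in enumerate(events):
        span = [e for e in events[s:] if e[0] - t0 <= window]
        chains = []  # chains[i]: longest increasing chain ending at span[i]
        for i, ev in enumerate(span):
            prev = max((chains[j] for j in range(i) if span[j][1] < ev[1]),
                       key=len, default=[])
            chains.append(prev + [ev])
        best = max([best] + chains, key=len)
    return best

def correlate(alerts, window=timedelta(days=30), min_stages=3):
    """Return {entity: [stages]} for entities whose alerts progress through
    at least `min_stages` stages in order inside the window."""
    per_entity = defaultdict(list)
    for ts, entity, stage in alerts:
        per_entity[entity].append((datetime.fromisoformat(ts), STAGE_NO[stage]))
    findings = {}
    for entity, events in per_entity.items():
        chain = longest_chain(sorted(events), window)
        if len(chain) >= min_stages:
            findings[entity] = [STAGES[no - 1] for _, no in chain]
    return findings
```

On the constructed data, only `jsmith` is returned: `adavis` has two alerts too far apart to fall in one window, and `build01` shows stages out of order.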

While the attacks on financial services organizations continue to rise, there are options to defend against them and protect your organization’s sensitive data. There are many different stages when dealing with a ransomware attack, but by further investing in UEBA, SIEM and analytical capabilities, your organization will be given the best context and ultimately the best threat detection.

Nilesh Dherange, Chief Technology Officer, Gurucul, El Segundo, Calif.