Thu, Jul 30, 2020

COVID-19 and Cyber Heists – Financial System Under Attack

It has been just over four years since the now-infamous Bangladesh Bank cyber heist, in which hackers attempted to transfer around $1 billion from the Bangladesh Bank's account at the Federal Reserve Bank of New York (NY FED) and walked away with over $60 million. In the years since, cyber threats against the financial sector have grown in volume and sophistication worldwide. The forceful and hurried shift towards remote working caused by COVID-19 has given attackers a much larger attack surface against financial service institutions, which they are exploiting with alarming success rates. How can security professionals prepare against cyber heists?

Leading technical and legal experts held a webinar anchored in real-world cases, covering the most successful attacks, why they worked and the immediate steps security teams must consider to keep pace with cybercriminals. Our panelists brought together large enterprise, federal government and regulatory backgrounds to address issues from various perspectives, including cyber terrorism, ransomware, access mining and more.

This webinar covers:

  • Ways in which cybercriminals are capitalizing on COVID-19 and pooling resources to attack financial service companies 
  • Tactics, techniques and procedures (TTPs) of sophisticated actors to bypass response efforts and maintain persistence
  • Examples of counter-incident response efforts
  • Important legal considerations for financial service companies responding to these incidents
  • Email thread hijacking and the latest advancements in phishing attacks leading to business email compromise, ransomware, Society for Worldwide Interbank Financial Telecommunication (SWIFT) fraud and more
  • Risks posed by third parties and ways to monitor vendors effectively
  • Reasons early detection remains crucial and ways to maximize detection investments

Notable Passages From the Presentation

On Financial Services by Threat Incident Type

“Kroll collects data from all of the incidents we engage. We work approximately 2,000 engagements a year, and as we collect this information, we review, we pull the data, and we analyze it. Looking at the financial services sector itself, we've identified over 56% of the engagements have some type of nexus to that financial service with email compromise, which is the most observed threat incident that we see… Now, I'm sure that this is not a surprise to many but, not only is it the highest in the financial sector but really the most observant attack vector in all the core cases in 2019 and continues in 2020.” – Keith Wojcieszek

“In the last three months, we experienced an increase in custom malware and operating system attacks primarily because people are working from home. There is much more reconnaissance to be conducted on senior leadership teams and specifying who their executive systems are. They're leveraging unique vectors from island hopping to watering hole attacks, as well as smishing, but we've seen a dramatic uptake of custom malware and operating system attacks as well as attacks on applications themselves, or the APIs associated with FinTech.” – Tom Kellermann

On The Legal Perspective of the Response

“From a legal perspective and, frankly, from an effective response perspective, we really need to address three critical questions early on. What systems and data may have been accessed? Has the incident caused operational disruption that may materially impair the financial institution's ability to provide services to its customers, or will the remediation efforts necessary cause a similar disruption? Three, what steps does the organization need to protect its customers, employees and to comply with its regulatory notification requirements? Really, one of the most critical steps in answering those questions is getting sufficient visibility into the organization's environment. This helps us understand which systems and data are potentially involved, how the attackers got into the environment and how the actors may have expanded their foothold so that an effective containment plan can be built in parallel to investigating what the actors may have accessed or acquired.” – Will Daugherty

“It's really critical, I think, for the financial institution, even if they do have an EDR solution (Endpoint Detection and Response solution) in place, that they have an outside forensics firm that they can work with who can quickly collect available forensic evidence and get that visibility in the environment. Because a lot of times, what we see happen is organizations start taking immediate containment steps without actually understanding where the actors have expanded their foothold and fully understanding what needs to take place to effectively kick the actors out of the environment.” – Will Daugherty

“What are going to be the regulatory requirements for notification from a territorial scope? If we're looking at GDPR applicability, it requires notification within 72 hours to a data protection authority. Similarly, in the U.S. federal regulators have requirements as well if there's going to be an impact on non-public personal information of customers. So, we want to understand what that regulatory landscape looks like so that we understand what triggers are at play for notifying those regulators. Even if there's not a regulatory requirement, it's also really important to understand what the ongoing relationships are with their bank examiners, for example. Because, even though you might not have obligation to notify your examiners or the regulatory authorities that have oversight of your organization, from a practical perspective, it goes a long way to informally reach out early on to give them a heads-up rather than wait several weeks before you're able to answer some of the critical questions. That really helps you down the line in building trust. So, those are the main areas that I'm focusing on in the early days of a security incident.” – Will Daugherty

On The Role of Forensics 

“Generally, I'll say let the forensics drive the communications because, really, we need answers to four questions. What happened? How did it happen? What are we doing to protect the individuals that were affected, and what steps have we taken to prevent this from happening again? All those questions are generally driven by the forensics. When you're in a situation where you know that there's been unauthorized access or even exfiltration of some data, I caution clients to go immediately public with that because oftentimes we may not know the full scope of other information that could be involved. If you look back at some incidents such as Target, where they go out very early on an investigation and say, ‘The information that was involved is limited to X, Y and Z. We're only two weeks in the investigation, PIN numbers were not affected,’ but then they have to come back a week later after the forensics progresses and they say, ‘Wait a second, more data, 40 million customers, usernames and passwords were affected. Tens were affected,’ the organization loses confidence from its customers, from the regulators and invites scrutiny.” – Will Daugherty

“I really want to be able to have high confidence in the forensic findings around the scope of the data that's involved before we actually start communicating to the public. We generally have a parallel path of going ahead and starting to prepare those communications. If we know that some data set is potentially accessed so that whenever the investigation has given us the answers of the scope of the incident, we're ready to go very quickly with those communications. But the reality is often forensics aren't able to specifically tell us what was and was not accessed. Unfortunately, the way that these data protection laws are structured in the way that the regulators interpret them, they're in consumer protection statutes. So, regulators expect that you err on the side of caution.” – Will Daugherty

On Destructive Attacks 

“We've seen a dramatic uptake of destructive attacks. These are wipers being deployed into systems or ransomware being deployed into systems, NotPetya-style, where they're not actually asking for ransom, and the destruction of entire subnets.” – Tom Kellermann

“We had a case with the Maze ransomware group. These guys are extremely sophisticated. They're starting to work in a cartel-like manner with other groups to share malware, share ransomware, share information and ideas and even their Maze news sites. So, you've seen all this collaboration between the criminals, which is dangerous in a sense. One of the things we identified was the Maze group got in there, they adjusted these logs and the timestamps to show that, ‘Okay, this was infected a year earlier than the attack actually occurred.’ So, it's throwing off this incident response when you're looking at all this time and effort going into a year before when it was only maybe a couple months prior.” – Keith Wojcieszek
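Timestamp tampering of the kind described above is detectable when the investigator has a second source of truth: logs are normally appended in order, so a record whose timestamp runs far behind the records written before it, or that predates a date the host is known not to have existed (build date, first enrollment in the EDR console), deserves scrutiny. The following is an added example written for this summary, not code from Kroll or the panelists; the log format, the `seq=` counter, the baseline date and the five sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real evidence). Records are written in append
# order, so seq=1 was written first. seq=3 carries a timestamp a year in the
# past, mimicking a backdated entry; seq=6 is only 10 s behind seq=5, which
# ordinary clock jitter explains.
SAMPLE_LOG = """\
seq=1 ts=2020-05-04T09:12:01Z host=fs01 event=logon user=svc_backup
seq=2 ts=2020-05-04T09:12:33Z host=fs01 event=process image=updater.exe
seq=3 ts=2019-05-03T02:10:00Z host=fs01 event=file_create path=C:\\tmp\\loader.dll
seq=4 ts=2020-05-04T09:13:07Z host=fs01 event=logon user=admin
seq=5 ts=2020-05-04T09:13:40Z host=fs01 event=file_create path=C:\\tmp\\note.txt
seq=6 ts=2020-05-04T09:13:30Z host=fs01 event=logoff user=admin
"""

# Assumed ground truth from outside the log itself, e.g. the date the host
# image was built or first enrolled in EDR. Anything earlier cannot be genuine.
EARLIEST_VALID = datetime(2020, 1, 15)


def parse_record(line: str) -> dict:
    """Parse one 'key=value key=value' line into a dict; ts becomes a datetime."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["seq"] = int(rec["seq"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_timestamp_anomalies(log_text: str,
                             earliest_valid: datetime,
                             tolerance: timedelta = timedelta(minutes=5)) -> list:
    """Return [(seq, (reason, ...)), ...] for records whose timestamp is suspect.

    Two independent checks are applied to every record:
      * predates_baseline: ts is before a date the host is known not to predate.
      * regresses_from_previous_record: ts is earlier than the latest timestamp
        already seen by more than `tolerance`. The running maximum (not just
        the previous record) is used so one backdated entry cannot hide a
        second one written right after it.
    """
    anomalies = []
    high_water = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = []
        if rec["ts"] < earliest_valid:
            reasons.append("predates_baseline")
        if high_water is not None and rec["ts"] < high_water - tolerance:
            reasons.append("regresses_from_previous_record")
        if reasons:
            anomalies.append((rec["seq"], tuple(reasons)))
        if high_water is None or rec["ts"] > high_water:
            high_water = rec["ts"]
    return anomalies


if __name__ == "__main__":
    for seq, reasons in find_timestamp_anomalies(SAMPLE_LOG, EARLIEST_VALID):
        print(f"seq={seq}: {', '.join(reasons)}")
```

The baseline check is the stronger of the two, because an attacker who rewrites timestamps cannot rewrite the build date recorded in the imaging system or the enrollment date held by the EDR vendor; the regression check catches backdating even when no baseline is available, at the cost of needing a tolerance for legitimate clock drift.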

On Ransomware Exfiltration 

“When you've got both ransomware and evidence of exfiltration and extortion, you really have to take a multifaceted approach. You still need to address the operational impact and assess whether or not your backups are going to allow you to restore those systems without a loss of data that's going to impact your business. So, you need to run through that contemporaneously, and that's going to impact whether or not you need to actually start negotiating with the attackers to obtain the decryption key. Some ransomware attackers who also extort will provide separate ransoms, one for the decryption key, one for extortion. Others treat it as a package: ‘Look, you need to pay for the decryption key, or we're going to release this data and post it on this website.’” – Will Daugherty

“You also need to start understanding what the scope of the data that they may have is. It's a combination of forensics and also, based upon what screenshots they share, can we get enough information from what they've identified to understand where that data resides so that we can really start to hone in on the systems where we think the actors may have exfiltrated the data.” – Will Daugherty

On Attacking Backups 

“Now, having been in law enforcement prior to this, I had the opportunity to arrest some of these large level criminals that would do some of this stuff. The first thing everyone told me is, ‘The first thing we did was go and we get the backups. We go for the backups. That's where we're attacking first.’ Because what are you doing when something happens? If it's online, if you can move laterally from your main network to your backup, why wouldn't you? They're doing that reconnaissance time and really try to find out what's going on within the environment.” – Keith Wojcieszek

“Many times, organizations are slow to update the software associated with the backups. They're exploiting obviously operational gaps and OS vulnerabilities in those backups, particularly in the more elegant, sophisticated groups like Maze.” – Tom Kellermann

On Island Hopping

“Now, this is so interesting because you're seeing this with these different types of Managed Service Providers (MSPs) trying to help. We don't have the funds, we don't have the resources to really go in and do what we need to do to secure. So, we're counting on these partners, these vendors in order to help secure our data and what's happening. The attackers are understanding this, and they're going in, and they're launching their attacks from there, and then they're going out and really trying to affect everyone in general.” – Keith Wojcieszek

“I think the hacker community has now appreciated that they can commandeer your digital transformation efforts and use your brand, your network, your website, your applications and your users, to attack your constituency. Even the Secret Service put out a warning two weeks ago vis-à-vis MSPs being targeted heavily by organized hacker crews from Eastern Europe and Southeast Asia. We need to appreciate that. We need to appreciate that the worst-case scenario has changed. It's not a question of whether your house is going to get burglarized anymore. It's the question of whether or not you're going to deal with a hostile situation while you're having a dinner party, frankly.” – Tom Kellermann

On Access Mining Marketplaces 

“You've got an economy of scale on the dark web that the World Economic Forum says is going to be the third largest economy in the world by next year. Because you have Russian-speaking dark forums that are allowing you to profile systems and literally purchase access through a remote access Trojan or RDP into some system that's been previously compromised, you don't even need to hack in anymore. You can literally use this as your own malware hopping platform for 5,000 bucks or enough.” – Tom Kellermann

On Investigations and Privilege 

“What do we do to move forward? Really trying to figure out what we're doing and seeing that normally a cyber attack is seen as only as an IT issue. We obviously, in this conversation, know that's not the case. There are regulatory control questions that are being addressed. There's data that's been identified that would trigger notification. What are these obligations? I know we touched on them, but just really looking at the financial sector. It's really imperative to move forward to understanding your cyber maturity and your cyber risk and what you really need to deal with.” – Keith Wojcieszek

“Financial institutions are one of the few industries that are federally regulated for privacy and data security under the Gramm-Leach-Bliley Act. Each financial institution sector has a different primary regulator that is responsible for ensuring that the financial institution is compliant with the Gramm-Leach-Bliley Act, and the regulations are promulgated by that regulator. Generally, they come in depth when we're talking about the obligation to safeguard data. The regulations thus far have not been very prescriptive in detailing the specific types of requirements that organizations must have. But what's really important is to learn through the guidance; for example, the SEC issues OCIE risk guidance on what they are seeing organizations do right and do wrong.” – Will Daugherty

“When you structure these investigations at the outset, you're going to be very likely subject to regulatory inquiries. It's really important to structure your forensic investigations, through outside counsel, to be able to assert privilege over the communications and work product that the financial institution has with that forensics firm. Because one of the first things that the financial regulators are going to ask for is the forensic report that was prepared. A lot of times forensic reports, by necessity, detail some of the weaknesses that the actors leveraged to bypass some of the security. So, that's exactly what regulators are going to be looking for. So, it's really important to structure it in a way that's going to give you an argument that you don't necessarily have to produce that report if you don't want to.” – Will Daugherty

On Being Proactive 

“There are a few things you need to do and motivate your CIO and system to do. Number one, you have to integrate your security controls. They cannot be disparate. They must be integrated; that way you get a single pane of glass and greater visibility. You need to stand up or hire a cyber threat hunting team to come in and conduct regular cyber threat hunting. That is not incident response; that is proactively looking for behavioral anomalies or footprints on your systems that may exist before the alarms go off. Basically, metaphorically, before you close the bank for the day, you're checking the circuit, making sure that no one's in the vault. You also need to employ new technologies, like Next-Gen AV and EDR systems, so you have that visibility that Keith will require when he comes in to conduct that investigation. I firmly believe in something called just-in-time administration. No one should have administrative rights at all times. It should be limited to a specific task and role, including the C-level. Then, last but not least, application control. Our dependency on applications, the dramatic increase of attacks on applications, necessitate that we harden applications so that they only do explicitly what they're supposed to do. There's no deviation from that because that's how hackers write your code tails inside the bank.” – Tom Kellermann
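The just-in-time administration point above comes down to a small set of rules: nobody holds standing administrative rights, each elevation is tied to a named task and role, it expires on its own, and every grant and check is written to an audit trail. The model below is an added illustration of those rules written for this summary, not code from Kroll, VMware Carbon Black or any product the panelists mentioned; the class names, the one-hour cap and the sample users are constructed, and a real deployment would enforce the same policy through the identity provider and privileged access management tooling rather than an in-memory table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Grant:
    """One time-boxed elevation, scoped to a role and a stated task."""
    user: str
    role: str
    task: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and self.granted_at <= now < self.expires_at


class JitAdmin:
    """Minimal just-in-time privilege broker (constructed example).

    Policy encoded here:
      * no standing rights: is_authorized() is false unless an active grant exists;
      * every grant names a role and a task and has a hard expiry;
      * grants cannot exceed max_duration, with no exemption for any user;
      * every decision is appended to an audit log.
    """

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []

    def request(self, user: str, role: str, task: str,
                duration: timedelta, now: datetime) -> Grant:
        if duration <= timedelta(0) or duration > self.max_duration:
            self.audit.append(f"{now.isoformat()} DENY {user} {role} ({task}): duration {duration}")
            raise ValueError("requested duration outside policy")
        grant = Grant(user, role, task, now, now + duration)
        # A fresh request replaces any earlier grant for the same user/role,
        # so elevation cannot be stacked to extend the window.
        self.grants[(user, role)] = grant
        self.audit.append(f"{now.isoformat()} GRANT {user} {role} ({task}) until {grant.expires_at.isoformat()}")
        return grant

    def is_authorized(self, user: str, role: str, now: datetime) -> bool:
        grant = self.grants.get((user, role))
        ok = grant is not None and grant.active(now)
        self.audit.append(f"{now.isoformat()} CHECK {user} {role}: {'allow' if ok else 'deny'}")
        return ok

    def revoke(self, user: str, role: str, now: datetime) -> bool:
        grant = self.grants.get((user, role))
        if grant is None or not grant.active(now):
            return False
        grant.revoked = True
        self.audit.append(f"{now.isoformat()} REVOKE {user} {role}")
        return True

    def active_grants(self, now: datetime) -> List[Grant]:
        """What a reviewer would pull during a hunt: who is elevated right now."""
        return [g for g in self.grants.values() if g.active(now)]


if __name__ == "__main__":
    t0 = datetime(2020, 7, 30, 9, 0)
    broker = JitAdmin()
    broker.request("alice", "domain-admin", "rotate service account password", timedelta(minutes=30), t0)
    print(broker.is_authorized("alice", "domain-admin", t0 + timedelta(minutes=10)))  # True
    print(broker.is_authorized("alice", "domain-admin", t0 + timedelta(minutes=31)))  # False
    print("\n".join(broker.audit))
```

The two properties a hunter cares about are both visible in this model: `active_grants()` answers "who is an administrator at this moment" without consulting group membership, and the audit list ties every elevation to a person and a stated task, which is the record an investigator like Keith would want when reconstructing what an account did and why it held rights at that time.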

“If your general counsel is on the line, you really need to understand that cyber security, data protection is an enterprise-wide risk. The organization, at every level, needs to have a role in understanding and mitigating those risks. It's not a one-stop-and-you're-done type of a process in determining what your risks are and implementing mitigating controls. It's something that requires ongoing diligence to keep up with your evolving environment, as well as the evolving threat landscape.” – Will Daugherty

“Part of the enterprise approach is, number one, conducting risk assessments on a periodic basis to understand your risk profile, to do data mapping and data inventory, to understand where your critical assets lie. Because in these types of network intrusions, one of the first questions that Keith is going to ask is, ‘Where are the crown jewels in the environment that we really need to focus on to be able to determine whether there's been unauthorized access or acquisition?’ Far too often, we see organizations really not understand well where all of that sensitive data resides. Understanding your environment is very critical and then preparing the final piece. That means having a well-developed incident response team that's multidisciplinary, that has members from your IT and security team, your engineering team, but also your general counsel's office, your communications department and your operational department because of the business continuity implications that a lot of these incidents present. Then, having tabletop exercises where you actually put that to the test… Then, finally, as part of that incident response preparation, identify those vendors that you're going to need to lean on to get assistance. Bring them in early and get them involved in your incident response planning, in your risk assessments, because the more they know about your organization, the quicker they're going to respond.” – Will Daugherty
