As is often the case in cybersecurity, just when you think you are writing or talking about the “issue of the day” (most recently ransomware), some other issue comes up that makes you shake your head and wonder why each of us is working so hard to secure our networks when it appears so easy for attackers to steal important data or money.
That is certainly the case with the revelation of a recent spate of attacks involving the SWIFT (the Society for Worldwide Interbank Financial Telecommunications) banking network. SWIFT is the primary method for international bank transfers that is used by 11,000 financial institutions in 200 countries to coordinate communications and transfers.
In this case, it appears attackers (1) compromised the passwords and credentials of employees at a foreign bank (credentials which apparently had not been changed for quite some time), (2) injected malware into the system to cover their tracks, and (3) sent messages through the SWIFT banking system to steal $81 million from the Central Bank of Bangladesh.
A group of hackers later attempted to replicate this attack with another foreign bank, Vietnam’s Tien Phong Bank. Curiously, this second attack may have been carried out by first obtaining access to the computer system of a third-party vendor doing business with the Vietnamese bank. To those in the security community, that vector (a trusted vendor) sounds incredibly familiar.
A banking attack is, of course, troublesome to consider. A banking attack involving the Federal Reserve (which the Bangladesh attack did) is nothing less than frightening.
When examining the circumstances of the SWIFT banking attacks, there are some factors that we have seen in other attacks, and there are others that should worry us greatly from a systemic perspective. I have pulled some information together in the hopes of creating actionable measures from which all institutions can benefit. After all, losing $81 million to some organizations and institutions might be a rounding error, but to many others, that kind of a loss could be near-catastrophic.
Avoiding the circumstances and outcome of the Bangladesh Bank attack thus motivates our exploration of the following lessons:
1. Spear Phishing is Still the Primary Threat Vector of Most Attacks
From the mailroom to the boardroom, the refrain “Don’t click on suspicious links or email attachments” still holds true. Spear phishing (i.e. the art of crafting a social-engineered email to a select group of recipients) remains one of the primary attack vectors in 2016.
According to PhishMe, an anti-spear phishing training and intelligence company, the amount of spear phishing in the first quarter of 2016 increased to 6.9 million, up 789 percent. Ninety-three percent of those emails contained ransomware. Furthermore, according to public reports regarding the Bank of Bangladesh attack, it was likely spear phishing that allowed the attackers to steal both the passwords and credentials they needed to carry out the attack.
We know it sounds repetitive and somewhat pedantic, but spear phishing can be remediated to a large extent by several tried-and-true methods:
- Employee awareness and training – Many companies regularly send fake emails with attachments to their employees to see if they fall for the tried-and-true techniques that attackers use daily. This training can also be computerized and scheduled by having anti-spear phishing programs reside on your network that both send out fake emails and track employees who “click on the link.” We think this somewhat regular training of all employees (C-Suite, directors and employees) is the best approach. It has been shown by PhishMe that regular anti-spear phishing training can potentially reduce the chances of a successful attack by at least 91 percent.
- Email Filters – Several of the large cyber consultants have hardware that automatically scans email attachments and links for potentially malicious content and then sandboxes the emails with suspicious attachments (and sometimes detonates attachments that contain malware). This sort of solution (once optional) now needs to be considered mandatory, as the threat environment is too dangerous to not have a backup or primary method of blocking such emails from reaching a remote desktop or laptop.
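An added example, not code from the article or from any vendor product it mentions, of the kind of rule an email filter applies before a message reaches an inbox: it flags HTML links whose visible text names one host while the href points at another (a common lure), and attachments with executable extensions. The message, sender names and domains below are constructed for the example (example.com and example.net are reserved documentation domains).

```python
import os
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). example.com and
# example.net are reserved documentation domains, used here as placeholders.
SAMPLE_EMAIL = """\
From: "Payments Desk" <payments@example.com>
To: treasury@example.com
Subject: Urgent: confirm wire instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Please review the updated instructions at
<a href="http://login.example.net/verify">https://portal.example.com/verify</a>
before 5 PM.</p>
--BOUNDARY
Content-Type: application/octet-stream; name="instructions.pdf.exe"
Content-Disposition: attachment; filename="instructions.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""

# Extensions that have no business arriving as mail attachments at a bank
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the text is not a URL at all."""
    host = urlparse(url.strip()).hostname
    return host.lower() if host else ""


def screen_message(raw: str) -> list:
    """Return (reason, detail) findings for one raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS:
                findings.append(("executable_attachment", filename))
            continue
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            parser = _AnchorCollector()
            parser.feed(body)
            for href, text in parser.anchors:
                shown, actual = _host(text), _host(href)
                # The visible text is itself a URL, but names a different host
                # than the one the browser would actually open.
                if shown and actual and shown != actual:
                    findings.append(("link_host_mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for reason, detail in screen_message(SAMPLE_EMAIL):
        print(f"{reason}: {detail}")
```

Either finding on its own is enough to route the message to a sandbox rather than the recipient; a production filter adds reputation and detonation on top, but these two checks catch a large share of commodity lures at near-zero cost.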
2. “Patch and Pray” Is Not a Great Strategy
Many known security breaches occur from either a failure to patch, a failure to prioritize patching, or zero-day vulnerabilities that attackers discover and exploit before software manufacturers can publish a patch solution.
We know from statistics that some breaches occur because of companies’ failure to patch a vulnerability for as long as one year (and sometimes longer) after a patch was first announced. Such delay is dangerous in today’s world. As sure as the day is long, “Patch Tuesday” brings with it a boatload of patches that are issued to fix known vulnerabilities. Those patches are generally issued with severity ratings such as “critical,” which means one should consider patching those particular bugs ASAP.
Even then, large organizations running multiple software packages and applications on premises can adhere to a 24/7 patching cycle and still not catch up. Clearly, patch management is not an easy challenge. It is time-intensive; the patches never seem to end; and human resources are scarce in today’s IT environment.
Here are some actionable measures that might help make your patching process more efficient:
- Know your systems, resources and crown jewels. This sounds trite and silly, but in our estimation, many if not all cybersecurity issues stem from a lack of understanding and focus on an organization’s most important IT and IP assets. If budgets and resources are limited, we would suggest first that an organization concentrates on prioritizing their patching efforts around the systems, servers and network that house its most important assets. We would start there and prioritize patches accordingly.
- Given the prevalence of patches, constant monitoring and scanning of the network are necessary to understand what patches have been done and which have not.
- Finally, consider whether or not it is possible to automate your patching process as much as possible. This may be helpful in pushing critical patches out ASAP while scheduling less critical patches for points later in time.
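The three measures above (know the crown jewels, know what is missing, push critical fixes first) combine naturally into one ranking. This is an added example and not code from the article: it scores each missing patch by vendor severity times asset criticality, adds weight for internet exposure and for how long the fix has been available, and then splits the result into a "push now" and a "next window" list. The inventory, hostnames and patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_BONUS = 3.0       # internet-facing hosts are reachable by anyone
AGE_DIVISOR_DAYS = 90.0    # one point per quarter the fix has sat unapplied
AGE_CAP_DAYS = 365         # beyond a year, age stops adding urgency


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # 1 (lab/test) .. 5 (crown jewels, e.g. payment-messaging hosts)
    internet_facing: bool


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str           # placeholder identifier, not a real advisory number
    severity: str           # vendor rating: critical/high/medium/low
    released: date          # when the vendor published the fix


# Constructed inventory and scan output (placeholders, not real systems).
ASSETS = [
    Asset("swift-gw-01", 5, False),   # messaging gateway: crown jewel, internal only
    Asset("web-01", 3, True),         # customer-facing web server
    Asset("lab-07", 1, False),        # lab machine with no production data
]
MISSING = [
    MissingPatch("lab-07", "VENDOR-2016-001", "critical", date(2016, 1, 12)),
    MissingPatch("swift-gw-01", "VENDOR-2016-002", "high", date(2016, 4, 12)),
    MissingPatch("web-01", "VENDOR-2016-003", "medium", date(2015, 5, 12)),
]
TODAY = date(2016, 5, 31)


def patch_score(asset: Asset, patch: MissingPatch, today: date) -> float:
    """Higher score means patch sooner.

    severity x criticality is the base; exposure and age add to it, so a
    'high' on a crown-jewel host outranks a 'critical' on a lab box."""
    base = SEVERITY_WEIGHT[patch.severity] * asset.criticality
    exposure = EXPOSURE_BONUS if asset.internet_facing else 0.0
    age_days = min(max((today - patch.released).days, 0), AGE_CAP_DAYS)
    return base + exposure + age_days / AGE_DIVISOR_DAYS


def unknown_hosts(assets, patches) -> set:
    """Hosts the scanner saw but the inventory does not know: an inventory gap."""
    known = {a.host for a in assets}
    return {p.host for p in patches} - known


def prioritize(assets, patches, today):
    """Return (score, host, patch_id) tuples, most urgent first.

    A host missing from the inventory is scored as if it were a crown jewel on
    the internet: until it is inventoried, the safe assumption is the worst one."""
    by_host = {a.host: a for a in assets}
    ranked = []
    for p in patches:
        asset = by_host.get(p.host, Asset(p.host, 5, True))
        ranked.append((patch_score(asset, p, today), p.host, p.patch_id))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


def split_windows(ranked, urgent_at: float = 12.0):
    """Split a ranked list into what goes out now and what can be scheduled."""
    urgent = [r for r in ranked if r[0] >= urgent_at]
    scheduled = [r for r in ranked if r[0] < urgent_at]
    return urgent, scheduled


if __name__ == "__main__":
    now, later = split_windows(prioritize(ASSETS, MISSING, TODAY))
    print("push now:", [(h, p) for _, h, p in now])
    print("next window:", [(h, p) for _, h, p in later])
```

With the constructed data the gateway's "high" comes out first, the stale "medium" on the exposed web server second, and the lab box's "critical" last; the thresholds are knobs to tune against your own asset register, and the `unknown_hosts` result is the list of systems you cannot prioritize at all yet.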
3. Identity and Access Management is the New Holy Grail
The prevalence of spear phishing has brought about a new industry around identity and access management, meaning (1) who, (2) how, and (3) what access and administrative privileges an individual has to the organization’s network or cloud-based environment. This is a multi-part question with a multi-part answer:
- Organizations should consider multi-factor authentication to access their network, where a user attempting to access a network will be forced to also use an identity code sent to his or her smartphone, tablet or RSA token to gain access. There are more advanced authentication methods, such as biometrics, that also could be considered, but we won’t push our luck here.
- In addition, passwords should be changed every 90-120 days, although, as recent studies have shown, it is the strength of the password that matters most, not how often it is changed.
- More security-mature organizations have additional methods to make sure it’s their own employee who’s accessing the network rather than a third-party who stole the password in a spear phishing exercise. For example, if your employee is located in the U.S. and access to the network is attempted from Estonia or Latvia, hardware may exist to monitor or block that access using an endpoint solution. Similarly, when employees leave or are terminated from the organization, their password and privileges should be terminated, as well.
- Finally, companies need to practice least-privilege access, i.e. limiting access to the minimal level that still allows normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that still allows them to do their jobs. Line employees do not need administrative privileges, and passwords and privileges should not be shared among employees.
4. On a Clear Day, Can I Find My Attacker?
These last two points are related, but they are nevertheless different points that deserve to be separated. “Can I Find My Attacker?” means the following: do I have the right hardware tools on my system to ferret out potential threats by providing visibility into the network? There are all sorts of indicators of compromise that a persistent attacker leaves on a network, and either log analysis or non-signature-based intrusion detection systems might notice them.
Today, these systems also may incorporate behavioral-based analytics (e.g. noticing that one of your NY-based employees signed onto a laptop at 3 PM from Estonia). Other newer systems might incorporate artificial intelligence. Simply put, next-generation intrusion detection systems have a better ability to notice when something on your network is “not normal” and warrants further investigation.
Newer intrusion detection devices will also generally alert you to a potential problem and suggest how you should respond to a potential event or attack (these devices provide “automation and orchestration” services). According to one security firm, the average time an attacker is on a network before he or she is discovered is 146 days (almost 5 months) – that is an awful lot of time to do grave damage to a network and to its parent business. To be successful in our fight against cybercrime, this statistic must be reduced significantly.
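The "U.S. employee logging in from Estonia" scenario raised in section 3 and again in section 4 is what detection products call an impossible-travel rule. As an added example (not code from the article or from any product it mentions), here it is run over a handful of constructed login records: for each user, two consecutive successful logins are flagged when the ground speed needed to get from one location to the other exceeds what an airliner could manage. User names, times and coordinates are constructed for the example.

```python
import math
from datetime import datetime, timezone

# Constructed login records: (user, UTC time, city label, lat, lon, outcome).
LOGINS = [
    ("jdoe",   "2016-05-20T14:05:00Z", "New York", 40.7128, -74.0060, "success"),
    ("jdoe",   "2016-05-20T15:00:00Z", "Tallinn",  59.4370,  24.7536, "success"),
    ("asmith", "2016-05-20T09:00:00Z", "New York", 40.7128, -74.0060, "success"),
    ("asmith", "2016-05-21T08:30:00Z", "London",   51.5074,  -0.1278, "success"),
    ("jdoe",   "2016-05-20T15:02:00Z", "Riga",     56.9496,  24.1052, "failure"),
]

MAX_PLAUSIBLE_KMH = 1000.0   # roughly airliner speed; faster than this is "impossible"
MIN_DISTANCE_KM = 50.0       # below this, treat as the same place (GeoIP jitter)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(records, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return alerts as (user, from_city, to_city, km, hours, kmh).

    Only successful logins place a user somewhere; failures are worth alerting
    on for other reasons but do not prove where the account holder was."""
    by_user = {}
    for user, ts, city, lat, lon, outcome in records:
        if outcome != "success":
            continue
        by_user.setdefault(user, []).append((_parse(ts), city, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(km), round(hours, 2), round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, hours, kmh in impossible_travel(LOGINS):
        print(f"{user}: {src} -> {dst}, {km} km in {hours} h ({kmh} km/h)")
```

In the constructed data, jdoe's New York login followed 55 minutes later by a login from Tallinn is flagged, while asmith's New York-to-London pair a day apart is not. The real work in production is feeding this rule good timestamps and GeoIP data and tuning the distance floor so that VPN egress points and mobile carriers do not generate noise.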
5. Time for Mandatory and Regular Vulnerability and Compromise Assessments
Finally, we are huge believers in regular cybersecurity assessments. (We, in fact, used the word “mandatory” purposefully, as some U.S. regulatory guidance suggests that mandatory assessments are essential for compliance purposes.) Old literature says to do them once a year – we say you should strive to do them once a quarter.
There are two basic types of assessments:
- Vulnerability Assessments – A true vulnerability assessment examines all network infrastructures, servers, devices, applications, data storage sources, and types of data (ranked by importance) and then figures out how they might be vulnerable to an attack. A vulnerability assessment could identify a structural weakness or a software vulnerability. This assessment will then consider what controls are in place to mitigate, remove, or otherwise deal with the weakness. The end result should be a plan to fix your most important vulnerabilities in order of importance to the business.
- Compromise Assessment – A compromise assessment is designed to determine whether there are active attackers on your network. Compromise assessments are crucial to almost any entity – it’s better to find out yourself whether you have been breached rather than have the FBI, Secret Service, or some other third-party give you the bad news.
There is no doubt that the circumstances of the Bangladesh Bank attack were both severe and very concerning. We note that SWIFT is requiring its users to step up their cybersecurity procedures in light of this attack, which may or may not be as easy as it sounds. The Bangladesh attack also raises the very real question of whether the Bank had both the human and IT resources necessary to discover and deal with a sophisticated attack. This is a huge problem today given the severe shortage of human IT cybersecurity resources to protect computer networks.
For a lot of reasons, the SWIFT/Bangladesh Bank attack should be seen as a huge wake-up call for the financial services sector. Time will tell whether this incident truly “wakes up” organizations to today’s cybersecurity threats.
About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.