GTIR 2018: Finance in the firing line
In our Global Threat Intelligence Report, the finance sector is identified as the “most attacked” sector throughout 2017, accounting for 26% of attacks globally – just over a quarter of all attacks. This was a significant shift, since the finance sector was targeted in only 14% of attacks in 2016. In the Americas, attacks on finance jumped to 43% – almost one in every two attacks. Finance was also the most attacked industry in APAC and the second most attacked in EMEA, trailing the top sector by only 0.07%.
1950s bank robber Willie Sutton is famously quoted as saying he robbed banks because “that’s where the money is”. The reality is that the financial industry manages data that cybercriminals want. Credit card details, account numbers, and other financial information can be used to directly steal funds, or to establish ongoing access to siphon funds over time.
NTT Security also detected sustained higher levels of malware in the financial industry for significant parts of the year. This included several spikes of keyloggers, spyware and banking Trojans – malware designed to help cybercriminals gather information and retain long-term access. Malware activity jumped during the year, with Trickbot, Emotet, Ursnif, and the Locky ‘lukitus’ ransomware variant all seeing significant activity at various times.
The delivery of malware was also marked by an increase in phishing attacks – a jump of 74% in Q3 2017 alone. Finance was actually the target of 59% of all phishing attacks in the Americas. And in attempts to deliver malware or hostile links to financial organizations, over three quarters of phishing campaign files were malicious Microsoft Word documents.
Unsurprisingly, the summary of all this is that financial organizations have data that cybercriminals want. As a result, those criminals actively target financial organizations with attacks and malware designed to support long-term access and to steal credentials and other data. Most of the attacks and malware can be bought relatively cheaply and do not require advanced skills – they have become common precisely because they are weaponized quickly and packaged for mass use.
Financial organizations have the challenge of facing sustained, aggressive attacks while trying to support customers and their own business goals. Unfortunately, there is no single magic bullet which will make financial organizations impervious to these attacks. But to help control exposure related to these threats, there are three primary recommendations which have the highest probability of resulting in the most significant impacts.
- Ensure you have an effective patch management solution, and are actually updating systems in a reasonable operational timeframe. Attackers are using more tools which allow common weaponization of relatively new vulnerabilities, but those tools have defined capabilities. If you patch the vulnerabilities the tools attempt to exploit, you can cull out many of the more common attacks you may otherwise face.
- Ensure you are using good internal network segregation and protecting your more sensitive/valuable information. This does not mean just “network segmentation”, but segmentation supported by additional security controls like internal firewalls, ACLs, enhanced authentication and other such security controls. Many attacks rely on the attacker’s ability to move around internal networks and, if you can cripple that, or sometimes even just slow it down, you can reduce your potential exposure.
- Ensure you have a well-defined and tested incident response plan. Before an incident occurs, define how you will react when that incident does occur. Understanding your rules of engagement beforehand can save valuable reaction time and ensure you have tools and processes in place to maximize the effectiveness of that response.
Based on continued analysis, NTT Security sees no reason financial organizations should expect a dramatic change in the threat landscape anytime soon – attacks against finance will continue.
Manager, Threat Intelligence Communication Team