Sharing threat intelligence is challenging the industry, but it’s the only way forward
Protecting your banking infrastructure from cybercriminals is one of the toughest IT challenges in banking. It keeps getting harder, even though banks are working tirelessly to protect both customers and assets. Attacks are growing in size, and new developments such as the Internet of Things are expanding both the attack surface and the number of endpoints that can be used to launch attacks, writes Rich Bolstridge.
It’s not just the size or frequency of attacks, but the speed with which they can be launched. The tools are available for a novice to launch an attack if they wish, not just from their own machine but from compromised servers across the Internet, giving an attack huge scale with little technical knowledge required.
Attack styles are also changing, almost like fashion. Reflection attacks are not new, but they are back in fashion, with new ways to execute them and billions of new connected devices joining the Internet each year to be exploited. There is also a new wave of vulnerabilities being discovered that are so severe it will take a long time to patch all the affected hardware on the web, leaving backdoors for cybercriminals that will persist for a long time. Heartbleed and Shellshock are perfect examples of this problem, and we should expect to see more in the future.
Hackers attack for a number of reasons, but more often than not the prize is not simply bringing a bank website to its knees. Several banks have confirmed with me that they have observed fraudulent money movements occur during DDoS attacks. DDoS attacks are also used to create a diversion while customer data is downloaded and then sold on the black market to aid financial fraud and identity theft. These data breaches are hugely damaging to brands and their customers and there are already too many public examples to point to.
Is information sharing the answer?
With so much at stake and the banking industry seemingly centred in the crosshairs of hackers across the globe, it’s clear that acting in isolation is not a successful strategy for banking institutions. After all, the hackers are sharing time, resources and knowledge all the time.
Sharing information is the obvious answer, but it is more complex than it sounds. For example, the idea of sharing information is not universally accepted in the industry. In some countries, like the US, it is advanced and commonplace, but there are regions and countries in the world where threat intelligence is still regarded as a sensitive and competitive issue. Speaking with banking executives in some countries, I have been told they are three or more years behind the more advanced countries in terms of threat intelligence sharing. There are legal uncertainties to consider too, regarding privacy and the liabilities associated with disclosing sensitive information.
When you do commit to information sharing for the wellbeing and security of the industry, it needs to be effective. Nobody wants to be the boy who cried wolf, and spotting an attack is not always easy.
Attacks are not always obvious. If your public website is suddenly unavailable, and customers are going crazy on social media, is that an attack, a problem with your systems, or a problem with your service provider?
Of course, if an attack is volumetric it will be easy to spot, but a data breach can be difficult to see, either because it is disguised by a DDoS attack or because it fails to trigger an alert. Even when an alert is triggered, there are several possibilities that need to be investigated before sharing information: is it an attempted breach? Is it a legitimate penetration test by your own IT group? Or is it a harmless (or otherwise) scan by a third party?
Having absolute certainty is critical when sharing information with the industry if the mechanism is to be trusted and effective. Finally, what if you are attacked, and your security solution successfully defends against it? There is an industry debate to be had about whether that should be shared beyond what the law requires, and positions vary around the world.
Stand shoulder to shoulder
There are challenges to making it effective, but threat intelligence sharing in the financial services sector works. I hear examples of it frequently when speaking with our customers, but there are public examples of its success too. You may remember, or still have the scars from, Operation Ababil in 2012 and 2013. These DoS attacks were launched at US financial institutions, and at its peak over 20 banks per week were being indiscriminately attacked on a daily basis. The banks fought back not only by raising their defences, but by sharing information with each other, and the part this element played cannot be overestimated.
Threat intelligence sharing is the future, and the manual processes being used today are being replaced by machine-to-machine systems. The DTCC and FS-ISAC have been working on a system called Soltra Edge for a couple of years; it is an open-standards-based threat intelligence ecosystem designed to pool knowledge and accelerate the speed at which it can be shared. It is gathering momentum, and rightly so.
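The triage step described earlier (is it a breach, your own penetration test, or a third-party scan?) and the machine-to-machine sharing that Soltra Edge represents can be combined into a simple sharing gate. The following Python is an added example, not code from this article or from Soltra Edge itself. It assumes the STIX 2.1 JSON format that the FS-ISAC/Soltra ecosystem is built on, emits an Indicator only for alerts an analyst has explicitly marked as a confirmed attack, and attaches a TLP:AMBER marking using the fixed marking-definition ID from the STIX 2.1 specification. The sample alerts and the TEST-NET source address are constructed for the example.

```python
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 fixed marking-definition ID for TLP:AMBER (defined by the STIX spec).
TLP_AMBER_ID = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

# Triage verdicts an analyst records before anything is offered to peers.
# Only a confirmed attack is shared; a pentest by your own IT group, a
# third-party scan, or an unresolved alert would be "crying wolf".
SHAREABLE_VERDICTS = {"confirmed_attack"}

# Constructed sample alerts, as an internal SOC tool might hand them over.
SAMPLE_ALERTS = [
    {"summary": "Credential-stuffing source during DDoS", "source_ip": "203.0.113.7",
     "observed": "2015-03-02T09:14:00.000Z", "triage": "confirmed_attack", "confidence": 85},
    {"summary": "Login brute force", "source_ip": "198.51.100.9",
     "observed": "2015-03-02T10:00:00.000Z", "triage": "internal_pentest", "confidence": 90},
    {"summary": "Port sweep", "source_ip": "192.0.2.44",
     "observed": "2015-03-02T11:30:00.000Z", "triage": "third_party_scan", "confidence": 40},
]


def utc_now():
    """STIX timestamps are UTC, millisecond precision, with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(alert):
    """Turn one triaged alert into a STIX 2.1 Indicator, or None if it must stay in-house."""
    if alert.get("triage") not in SHAREABLE_VERDICTS:
        return None
    ts = alert.get("observed", utc_now())
    # STIX pattern language: match the attacking source address.
    pattern = "[ipv4-addr:value = '%s']" % alert["source_ip"]
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": alert["summary"],
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": alert.get("confidence", 50),
        "object_marking_refs": [TLP_AMBER_ID],
    }


def build_bundle(alerts):
    """Package every shareable alert, plus the TLP marking they reference, as one STIX Bundle."""
    indicators = [i for i in (make_indicator(a) for a in alerts) if i is not None]
    if not indicators:
        return None  # nothing confirmed: send nothing rather than noise
    marking = {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": TLP_AMBER_ID,
        "created": "2017-01-20T00:00:00.000Z",
        "definition_type": "tlp",
        "name": "TLP:AMBER",
        "definition": {"tlp": "amber"},
    }
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": [marking] + indicators}


def receive_bundle(text):
    """Consumer side: parse a bundle and return (pattern, confidence) per indicator."""
    bundle = json.loads(text)
    return [(o["pattern"], o["confidence"])
            for o in bundle["objects"] if o["type"] == "indicator"]


if __name__ == "__main__":
    outgoing = json.dumps(build_bundle(SAMPLE_ALERTS), indent=2)
    print(outgoing)
    print(receive_bundle(outgoing))
```

Two things matter in this design: the gate is the analyst's triage verdict, not the raw alert, so a pentest or a scan never reaches a peer; and the handling instruction travels with the data as a marking, so the receiving bank knows how far it may pass the indicator on.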
The truth is that there are no real barriers to sharing threat intelligence. Your peers are already doing this, and if you don’t, you will find yourself weaker in the fight against cybercriminals. If we all share information, then all banks are stronger. The next threat is never far away, and it will be bigger. Better that we stand shoulder to shoulder, don’t you think?