By Carolyn Crandall
The days of Jesse James’s train and bank robberies and John Dillinger kicking down doors with his trademark Tommy gun may be long gone, but bank heists are alive and well in the 21st century — albeit with a new flair. Instead of dramatic physical robberies, today’s criminals have shifted the battleground to cybersecurity, infiltrating the networks of financial institutions globally to steal money and personal information. The attacks remain staggering. Back in 2012, individuals and businesses are believed to have lost approximately $78 million during Operation High Roller. Fast forward to today, and the hacking group known as Bandidos Revolution Team is reported to have stolen hundreds of millions of pesos by infiltrating interbank payment systems and hacking into ATMs. Notably, this group is not believed to be connected to another, separate 300-million-peso heist from five banks last year.
Financial institutions are clearly a prime target for cybersecurity attacks. They are hit 300 times more frequently than businesses in other industries — in fact, PayPal CEO Dan Schulman estimates that businesses in the financial services arena are attacked more than 1 billion times each year. All told, banks lost $16.8 billion to cyberattacks in 2017 — and this is before factoring in reputation damage or potential damage to customers caused by compromised information.
Financial institutions are diligent in their cybersecurity; however, as attackers get more sophisticated and begin to leverage artificial intelligence and enhanced computing power, it is becoming increasingly difficult to prevent them from getting a foothold in the network. The battlefield has moved inside the network, and a new approach is needed. In addition to behavioral and traffic analysis (which can be challenging, given the complexity of these networks and the volume of attacks), financial institutions are employing proven tactics of deception.
Deception turns a beloved method of attackers against them: defenders create an environment in which attackers cannot tell real from fake. This forces them to slow their attack and operate without making any mistakes, or risk revealing their presence. An attack is derailed at multiple levels. The first is creating mirror images of production “safes” and “crown jewels”, along with mimicked application connections, so the attacker is attracted into a trap. The next involves leaving codes and access paths to the “safe” through the use of deceptive credentials, lures and maps. The third is deploying “dye packs”: decoy documents that will alert and send a geo-location ping when opened.
Collectively, these tools give defenders “eyes-inside-the-network” visibility into attacker access and activity. An advanced deception platform offers financial defenders additional benefits, such as visibility into exposed credentials and the paths an attacker can take based upon them. It can also deliver the ability to gather forensic evidence, indicators of compromise and information on the tools and techniques of an attacker. This adversary intelligence is incredibly useful in stopping an attack, hunting and removing back doors, and ultimately preventing the attacker from returning and continuing their attack. Deception provides a powerful tool for early detection of both external and internal threats, including those involving an employee or supplier. In addition to catching malicious external activity, a deception environment can alert on policy violations and misconfigurations, which are often indications of an attack in progress or a vulnerability that could be exploited if not addressed.
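One way the deceptive credentials described above can turn into an alert, shown as an added example that is not part of the original article or any vendor's product. The decoy account names, the log format and the addresses are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical decoy accounts planted as deceptive credentials.
# No real user or service ever logs in with them, so any use is suspect.
DECOY_ACCOUNTS = {"svc_swift_backup", "adm_vault01"}

# Constructed sample authentication events (the log format is an assumption).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z auth result=success user=jsmith src=10.20.1.15 dst=fileserver01
2024-03-01T09:14:47Z auth result=failure user=svc_swift_backup src=10.20.4.77 dst=payments-db
2024-03-01T09:15:02Z auth result=success user=mlopez src=10.20.4.77 dst=hr-portal
2024-03-01T09:15:30Z auth result=failure user=adm_vault01 src=10.20.4.77 dst=payments-db
2024-03-01T09:20:11Z auth result=failure user=jsmith src=10.20.1.15 dst=fileserver01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse(log_text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def decoy_alerts(events, decoys=DECOY_ACCOUNTS):
    """One alert per source that touched a decoy, with its other activity attached."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)
    alerts = []
    for src, evs in by_src.items():
        hits = [e for e in evs if e["user"] in decoys]
        if not hits:
            continue  # ordinary failed logins (a mistyped password) never alert
        alerts.append({
            "src": src,
            "first_seen": min(e["ts"] for e in hits),
            "decoys_used": sorted({e["user"] for e in hits}),
            # Real accounts used from the same source may be exposed credentials.
            "real_accounts_to_review": sorted(
                {e["user"] for e in evs if e["user"] not in decoys}),
        })
    return alerts

if __name__ == "__main__":
    for alert in decoy_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

The failed login by `jsmith` produces no alert, while a single touch of a decoy account flags the source and lists the real account seen from it for credential review.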
As The Art of War says, it is important to know thy enemy. Deception provides a critical function not only in derailing attacks but also in gathering intelligence. Each time an attacker enters a network, they learn and gather information to advance their attack. Now, with deception technology, the power is shifted to the defender. With each attack, intelligence is gathered for fortifying defenses and laying landmines that will ultimately increase an attacker’s cost and challenge their ability to be successful.
Carolyn Crandall is a technology executive with more than 25 years of experience in building emerging technology markets in security, networking and storage industries. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based security infrastructure to one of an adaptive security defense delivered through deception-based threat detection. Crandall is the chief deception officer at Attivo Networks, as well as an active speaker, writer, and blogger.