According to the Prime Minister, David Cameron, eight out of 10 of the larger companies in Britain have suffered a cyberattack. The financial sector is often targeted, with cyberattacks coming from every tier of hostile actor – including organised crime, nation states and terrorists. In order to protect that which criminals are after, it is essential to consider the motivations of the attackers. Stories of data breaches in the financial sector and beyond are uncovered almost every week; it’s clear safety cannot be guaranteed, no matter how big or strong an organisation may appear.
So what are the incentives for attacking financial institutions? What can the industry do to combat the threat?
To defend, first you must understand
The most obvious incentive to attack a financial institution is financial motivation. Commercial assets held by banks are highly valuable and some actors seek to compromise funds directly. Yet there is also money to be made from customer data and transactional information; all of which can be sold online to the highest bidder or used to facilitate crime or extortion.
An attacker could also be seeking information from the institution’s networks. By this I mean data about potential acquisitions or intellectual property, which gives attackers insider knowledge. One example could be details of an impending merger being sought by an organisation either trading with, or perhaps hoping to purchase, one of the organisations involved. Alternatively, threat actors might focus on reputational damage as a means to create delays, trigger defaults or erode confidence and trust.
Attacks can also be motivated by envy. A nation seeking to build a thriving financial sector like that of the UK may target the confidential data and software that administers it. It is believed that this software has previously been targeted by attackers linked to nation states.
Another often-overlooked incentive for attacking a financial institution is the potential for political pressure to be applied in light of compromised critical national infrastructure (CNI). Firstly, an attack as a show of force could intimidate a government or impact policy. Additionally, as the financial sector is host to companies that represent and manage CNI, a destructive attack on the financial sector could potentially cause widespread harm, if it is able to destabilise the assets of companies that provide energy, transport and other services to the public.
Lastly, there are attacks on the financial sector which are motivated simply by a desire to cause destruction or chaos, perhaps leaving the system unable to process trades, bill payments or withdrawals. The damage to the fabric of society could be very serious, especially in large financial centres like London and New York.
It’s clear that there are numerous reasons a cyber attack may target a bank or similar institution. So what can financial institutions do about this?
What strong defenders have in common
The majority of financial institutions focus their cyber defence spending on outdated attack methods, failing to address the changing trends in attackers’ tools and techniques. This means that security teams often provide over-optimistic and unintentionally false reassurance to boards. However, not all fall into this trap.
Organisations that have successfully defended against targeted attacks have five key characteristics in common:
1. They have a good understanding of the motives of the attacking groups likely to target them. By knowing who poses a threat and what they’re after, institutions have a means of getting ahead of the game.
2. They have undertaken an extensive programme to identify their information assets. Knowing what you’ve got to lose is just as important as who’s looking to take it from you.
3. They have undertaken an extensive project to identify all the attack paths connected to these assets. Knowing what’s valuable and what routes attackers will use allows you to shore up defences and minimise risks to the organisation and all affiliated with it – stockholders, customers and employees alike.
4. They have justified the costs of removing these attack paths and/or consolidating the assets to reduce the attack surface area. You don’t want costly security measures to bleed money and give no return on investment. It’s essential to find a proportional and relevant security structure.
5. They have greatly augmented their attack monitoring and response, so that attacks can be efficiently curtailed in the early phases. Knowing what is happening across the network is essential.
An organisation that focuses purely on financially motivated attacks risks overlooking some of the greater threats, in which an actor might seek to cripple the organisation’s function – not for any specific theft, but simply to cause harm to the wider system.
A holistic approach – underpinned by an in-depth understanding of the motivation for these threats – is essential. Only in this way can a financial organisation effectively limit its vulnerability, build and secure its systemic resilience, and mitigate cyber attacks.
Samuel Higgins, security analyst, MWR InfoSecurity