Concealed cyber-attackers inside financial services organisations
Matt Walmsley, EMEA director at Vectra, talks about the dangers of hidden tunnels – one of the key attack vectors for bad actors targeting the financial sector
Findings from the Vectra 2018 Security Spotlight Report on the financial services sector identified the threat posed to financial services organisations by attackers who use hidden tunnels to surreptitiously access networks and steal data. These attacker techniques played a significant role in the widely reported breach at Equifax.
What are hidden tunnels?
Firstly, let’s define what is actually meant by hidden tunnels. Tunnels are simply communications that share data within networks or between applications by using pre-existing protocols or services – for example the HTTP or HTTPS protocols that websites use. They often serve as an easy mode of communication that bypasses security controls for greater efficiency. For instance, it’s common that web access (HTTP, HTTPS) is available but other services may be blocked, so many applications “tunnel” their communications through these web protocols to ensure they can communicate with the outside world. In the financial world, examples of legitimate use of this tunnelling technique could be for stock ticker feeds, internal financial management services, third-party financial analytics tools and other cloud-based financial applications.
But while they do have their advantages, hidden tunnels are also used by cyber-attackers as a means to hide within these legitimate communications protocols and services. They use these tunnels as an access point to a network from where they are able to exert control and steal critical data and personal information. As they are technically inside legitimate protocols, these tunnels allow attackers to undetectably orchestrate attacks with “Command and Control” (C2) signals, but they also allow them to sneakily “Exfiltrate” data out too. These C2 and Exfiltration behaviours are part of a wider set of steps ― including Reconnaissance and Lateral Movement ― that advanced targeted attacks invariably exhibit. These steps combine to form links in the “Kill Chain” of an attack’s lifecycle.
Why financial services are more susceptible to hidden tunnel attacks
Given that financial services organisations have the largest non-government cybersecurity budgets in the world, if money alone could buy security, these would be the safest places in the world. This points to one painful truth ― the largest enterprise organisations in the world remain lucrative targets for sophisticated cyber-attackers, and with resources, skill and persistence, the attackers can still win.
While financial services firms do not experience the same volume of breaches as other industries, the ones that do happen have caused exponential damage along with far-reaching consequences and public scrutiny. All defences are imperfect, so despite monumental efforts to fortify security infrastructure, cyber-attacks and breaches still occur. If we think back to Equifax, it had the budget, manpower and a sophisticated security operations centre. Nonetheless, 145.5 million Social Security numbers, around 17.6 million driver’s licence numbers, 20.3 million phone numbers, and 1.8 million email addresses were stolen. Hidden tunnels were a key tactic employed in the Equifax attack. Ironically, this is because most financial services organisations have robust cybersecurity defences in place, which forces attackers to utilise legitimate services and communications protocols in an attempt to hide in plain sight within hidden tunnels.
An AI light at the end of the tunnel
As sophisticated cyber-attackers automate and increase the efficiency of their own technology, there is an urgent need to automate information security detection and response tools to stop threats faster. Because hidden tunnels carry traffic from legitimate applications, simple anomaly detection systems struggle to discern normal traffic from attacker communications that are concealed among them. At the same time, there remains a global shortage of highly skilled cybersecurity professionals to handle detection and response to cyber-attacks at a reasonable speed.
This is where the application of AI can have a marked impact by augmenting existing technical and human capabilities. To find these advanced hidden threats, sophisticated machine learning algorithms have now been developed to identify hidden tunnels within legitimate communications. Although the traffic is normal, there are subtle abnormalities, such as slight delays or unusual patterns in requests and responses that indicate the presence of covert communications. As a result, the use of AI is becoming essential to empowering existing cybersecurity teams, so they can detect and respond to threats faster and stay well ahead of attackers, especially when attackers use hidden tunnels.
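To make the “subtle abnormalities” concrete, here is an added example (not Vectra’s algorithm and not code from the article) of one such timing-and-size heuristic: it groups web-proxy log lines by client and destination and flags pairs whose requests arrive at a near-constant interval with near-constant sizes, the beaconing profile that a tunnel riding over HTTP tends to leave while a genuine feed or browsing session does not. The log format, the hosts and IP addresses, and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log lines, not real traffic. Format (assumed):
# "<epoch-seconds> <client-ip> <destination-host> <bytes-sent>"
# 10.0.1.5 behaves like an irregular ticker feed; 10.0.1.9 beacons every ~60s.
SAMPLE_LOG = """\
1530000000 10.0.1.5 ticker.example.com 512
1530000007 10.0.1.5 ticker.example.com 1840
1530000041 10.0.1.5 ticker.example.com 96
1530000098 10.0.1.5 ticker.example.com 2210
1530000130 10.0.1.5 ticker.example.com 730
1530000000 10.0.1.9 cdn.example.net 1501
1530000060 10.0.1.9 cdn.example.net 1498
1530000121 10.0.1.9 cdn.example.net 1503
1530000180 10.0.1.9 cdn.example.net 1500
1530000241 10.0.1.9 cdn.example.net 1499
1530000300 10.0.1.9 cdn.example.net 1502
"""


def parse_log(text):
    """Group log lines into (client, host) -> time-sorted list of (timestamp, bytes)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        sessions[(client, host)].append((int(ts), int(nbytes)))
    for events in sessions.values():
        events.sort()
    return sessions


def score_session(events, min_requests=5, max_interval_cv=0.15, max_size_cv=0.10):
    """True if a session shows low-jitter periodic requests of uniform size.

    The coefficient of variation (stdev / mean) of inter-request gaps and of
    request sizes is compared against assumed thresholds; too few requests
    gives no verdict rather than a false positive."""
    if len(events) < max(2, min_requests):
        return False
    times = [t for t, _ in events]
    sizes = [b for _, b in events]
    intervals = [b - a for a, b in zip(times, times[1:])]
    interval_cv = pstdev(intervals) / mean(intervals) if mean(intervals) else 1.0
    size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 1.0
    return interval_cv <= max_interval_cv and size_cv <= max_size_cv


def find_tunnel_candidates(text):
    """Return sorted (client, host) pairs whose traffic fits the beacon profile."""
    sessions = parse_log(text)
    return sorted(key for key, events in sessions.items() if score_session(events))
```

A real deployment would run this over sliding windows and treat a hit as a lead for an analyst to inspect the session, since scheduled legitimate jobs also beacon regularly.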