FireEye CTO explains what plagues banking security in India

Banking sector in India is still recovering from a massive malware attack. Bryce Boland, CTO – APAC at FireEye believes hunting down adversaries is the way to go.

Bryce Boland Oct 27th 2016

Indian banks are massively under-invested in the technology required to detect and respond to attacks.

Businesses should be investing more on technology, intelligence, and training the people. Ensuring that people have access to the right tools and have the information effective for their job is critical.

Impetus on training: A lot of organizations have a lot of people who are experts on how to run a piece of technology, or how to run a particular process. But they are often not trained in identifying and hunting down attackers who are already working within their environment.

As a result, they may not know how to respond when there is a breach, or understand everything that the attacker did and quickly remove the attacker from the environment.

Gearing up on-board expertise: From my own experience, I can say that there are very talented people in India in the security space. But the challenge is that often people are focused on wrong activities, like compliance and paper work, rather than hunting for hackers. And that's where we really need to see the change.

Over the last 20 years, I have observed a fairly complacent security culture in many parts of the world, where there is total reliance on technology to identify a threat, rather than using human intelligence and having intelligence on what the attackers are doing, and using that as an excerpt to hunt down the attackers.


So, what we really need to see is more banks adopting a less complacent, and a more proactive approach to hunting down attackers and training their staff accordingly. So, giving them the skills they need to have to correctively hunt for attackers, to do forensic investigations, and to treat every single potential breach as a potential disaster scenario for the business is important. Banks should thoroughly investigate it so that they should fully understand what the attacker did, and that's how you can address the problem correctly.

Arming them up: It's not just enough to train people. You have to give them the tools to be effective in that activity. The staff need to have the right tools to have the visibility and to be able to look for the signs of attack. They also need to know what the new and latest attacks look like. They need to have information about new threats, and use that intelligence to help them focus their efforts to hunt for those attackers in case they are already inside the bank.

Most of the major banks have a number of security researchers. But, security research, per se, may or may not be the same as hunting. So, it depends on what the researchers are assigned to do. Often, we see in financial services, that the security researchers may be looking at adversaries, but often they are looking at potential weaknesses and vulnerabilities in their existing systems.

Now, that's not the same as trying to find attackers who might have found some way in already. Some of the banks we talked to in India have relatively sophisticated teams that are looking for vulnerabilities. A few have teams that are actively hunting for attackers, and this is the right kind of move.

The mechanics of a hack: One of the things we have seen, especially in the banks, is that you might get breached by some low-level piece of malware, or maybe some crime-ware that's massively propagated. But that access can also be sold to other attack groups that are focused on breaking into the financial services.

And from there on, an attacker can very rapidly leverage stolen credentials to move to other machines, establish remote access using a variety of mechanisms - not all of them using malware, and maintain access over extended periods of time to work out how they're going to conduct the next phases of the attack.

When that happens, you see some of the more sophisticated attack groups putting together attacks on payment systems, or intellectual property, or large amounts of customer data.

Hunting down adversaries: First of all, it has got to be someone's job. What I learnt from working with banks for 15 years is that if it's not your job, you're unlikely to do it. So, it's got to be somebody's job to do that kind of investigation, otherwise it will not get done.

The second thing is that you've essentially got to know what to look for. There's no good saying 'I've got these many people trying to work it out.' It really helps to have access to threat intelligence. So, there's got to be a lot of information sharing between the banks. There are also companies like FireEye that provide access to up-to-date threat intelligence.


And that threat intelligence is more than just the tools of attack, it's also knowing: Who are the attackers? What are they planning? How are they going to conduct an attack? And you can actually find out the activity of attackers when they are conducting an attack in your environment.

Then you need the tools to actually apply that intelligence to give you the visibility to use and apply that intelligence across your organization. You'll be able to identify certain instances when an attacker may have gained access.

Things to watch out for: You're looking for credential abuse, lateral movement, and behavioral anomalies – when an attacker does something that's different to what a normal administrator does.
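The three indicators named above can be checked against a per-account baseline. The following is an added illustration, not code from the interview or from FireEye, run over constructed logon records: it learns where and when an admin account normally operates, then flags logons from a never-seen host (credential abuse), activity outside baseline hours (behavioural anomaly), and a burst of logons to previously untouched hosts (lateral movement). Host and account names are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real bank data): (time, user, src_host, dst_host).
# BASELINE is a quiet period used to learn what the account normally does.
BASELINE = [
    ("2016-10-03 09:12", "ops_admin", "ws-ops-01", "db-core-01"),
    ("2016-10-03 10:40", "ops_admin", "ws-ops-01", "db-core-02"),
    ("2016-10-04 14:05", "ops_admin", "ws-ops-01", "db-core-01"),
    ("2016-10-05 11:30", "ops_admin", "ws-ops-01", "db-core-02"),
]
# SUSPECT is the window under investigation: same credential, new workstation, 02:xx, fan-out.
SUSPECT = [
    ("2016-10-20 02:14", "ops_admin", "ws-hr-17", "db-core-01"),
    ("2016-10-20 02:16", "ops_admin", "ws-hr-17", "fs-pay-01"),
    ("2016-10-20 02:17", "ops_admin", "ws-hr-17", "app-swift-01"),
    ("2016-10-20 02:19", "ops_admin", "ws-hr-17", "dc-01"),
    ("2016-10-20 09:30", "ops_admin", "ws-ops-01", "db-core-01"),
]

def parse(rec):
    t, user, src, dst = rec
    return datetime.strptime(t, "%Y-%m-%d %H:%M"), user, src, dst

def build_baseline(records):
    """Per user: source hosts, destination hosts and hours of day seen in normal use."""
    prof = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for t, user, src, dst in map(parse, records):
        prof[user]["src"].add(src)
        prof[user]["dst"].add(dst)
        prof[user]["hours"].add(t.hour)
    return prof

def hunt(records, prof, window=timedelta(minutes=10), fanout=3):
    """Return de-duplicated (kind, user, detail) findings for the three indicators."""
    findings, recent = [], defaultdict(list)  # recent: user -> [(time, dst)] inside window
    def add(kind, user, detail):
        if (kind, user, detail) not in findings:
            findings.append((kind, user, detail))
    for t, user, src, dst in sorted(map(parse, records)):
        p = prof.get(user, {"src": set(), "dst": set(), "hours": set()})
        if src not in p["src"]:       # credential abuse: known account, unknown origin host
            add("credential_abuse", user, f"logon from never-seen host {src}")
        if t.hour not in p["hours"]:  # behavioural anomaly: activity outside normal hours
            add("behavioural_anomaly", user, f"activity in hour {t.hour:02d}, outside baseline")
        recent[user] = [(rt, rd) for rt, rd in recent[user] if t - rt <= window] + [(t, dst)]
        new_hosts = sorted({d for _, d in recent[user]} - p["dst"])
        if len(new_hosts) >= fanout:  # lateral movement: fan-out to unseen hosts in one burst
            add("lateral_movement", user, f"{len(new_hosts)} new hosts in {window.seconds // 60} min: {', '.join(new_hosts)}")
            recent[user].clear()
    return findings
```

Run against itself the baseline produces no findings; the suspect window yields exactly one finding of each kind, which is the point at which a forensic investigation of that account should start.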

Once you've found a breach, you'll have to carry out an investigation that requires forensics tools, as well as ideally-trained expertise on how to do that forensic investigation, and eventually getting ahead of the attacker.

The average time taken to detect a breach was 146 days, but in Asia, that number was 520 days. To give you some perspective, I used to do penetration-testing for some of the banks for several years. It's relatively easy to break in – ranging from minutes, to a few days of work to get in.

When some of the advanced criminal groups target an organization, they will typically break in and have access to the main administrator credentials within three days. And that's the key to the kingdom in most of the private networks. From there, you can access emails, access two-factor authentication systems, and so on.

What we have seen is that they usually observe the normal operating processes of the bank and learn about it. They might learn how the money laundering process works, how the approval processes work for authorizing transactions, and who has got access to payment gateways.

Now, that gives the attackers the luxury of time during which they can thoroughly gain access to the organization and are able to conduct a more effective attack.

Bryce Boland is the CTO – APAC at FireEye, a CSO online Alliance Partner.

(As told to Soumik Ghosh)