Theoretical guide on bank hacking
Using stealthy, multi-stage tactics, red teams simulating advanced persistent threats (APTs) have been infiltrating banks' IT systems with the aim of evading detection and maintaining long-term access. These engagements often begin with social engineering and phishing that trick employees into revealing credentials or clicking malicious links [1][3][5].
Spoofing attacks against email or network protocols are another common tactic, designed to impersonate trusted entities and slip past filters [2]. Exploitation of software vulnerabilities or weak system configurations provides the initial foothold, while lateral movement and privilege escalation expand access across internal systems [1][3]. Stealthy tooling and malware keep the intrusion undetected over extended periods [1][3].
Defensive Measures for Banks
To combat these sophisticated attacks, banks can implement several defensive measures. Strong email and domain security, achieved through the SPF, DKIM and DMARC protocols, can stop delivery of spoofed phishing mail that purports to come from the bank's own domains, and monitoring domain registrations for lookalike domains helps detect unauthorized registrations [2].
Continuous network monitoring and SIEM integration, using behavioral analytics, audit-log correlation, and anomaly detection, can flag suspicious login attempts, lateral movement, or data transfers in real time [2][5]. Regular patching and vulnerability management ensure that software updates are applied promptly to close the loopholes attackers exploit [2][5].
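Two of the detections a SIEM would run over authentication events, as an added example that is not from the article or any product: a failure burst followed by a success on the same account and source, and one account reaching several hosts in a short window (the lateral-movement pattern described above). The log format and thresholds are assumptions and the events are constructed.

```python
"""Two SIEM-style detections over constructed authentication events: a burst of
failures followed by a success, and one account fanning out to several hosts.
Added example, not from the article; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=svc_backup src=10.0.5.20 host=WS-101 result=FAIL
2024-05-01T09:00:04Z user=svc_backup src=10.0.5.20 host=WS-101 result=FAIL
2024-05-01T09:00:07Z user=svc_backup src=10.0.5.20 host=WS-101 result=FAIL
2024-05-01T09:00:12Z user=svc_backup src=10.0.5.20 host=WS-101 result=OK
2024-05-01T09:02:30Z user=svc_backup src=10.0.5.20 host=FS-01 result=OK
2024-05-01T09:04:10Z user=svc_backup src=10.0.5.20 host=DC-01 result=OK
2024-05-01T09:05:00Z user=bob src=10.0.7.8 host=WS-204 result=OK
"""
def parse(log: str) -> list:
    """Turn 'ts key=value ...' lines into dicts with a datetime under 'ts', oldest first."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Alert when a (user, src) pair fails min_failures+ times and then succeeds inside the window."""
    alerts, failures = [], defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] != "OK":
            recent.append(ev["ts"])
        else:
            if len(recent) >= min_failures:
                alerts.append(f"brute force then success: {ev['user']} from {ev['src']} on {ev['host']}")
            recent = []  # a success resets the failure streak for this pair
        failures[key] = recent
    return alerts

def detect_lateral_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Alert once per account that logs in to min_hosts+ distinct hosts inside the window."""
    alerts, flagged = [], set()
    ok = [e for e in events if e["result"] == "OK"]
    for i, ev in enumerate(ok):
        hosts = {e["host"] for e in ok[i:] if e["user"] == ev["user"] and e["ts"] - ev["ts"] <= window}
        if len(hosts) >= min_hosts and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append(f"lateral movement: {ev['user']} reached {len(hosts)} hosts within {window}")
    return alerts
```

Both detectors are sliding-window rules over already-normalised events; in a real deployment the window and thresholds are tuned per account type, since service accounts legitimately touch many hosts.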
Staff awareness training is crucial in reducing the success of social engineering attacks. Employees should be educated on recognizing phishing, verifying email senders, and reporting suspicious activity [2]. Blue team readiness and incident response, informed by red team findings, help improve detection and remediation capabilities [1][4][5].
Simulated cyber-range exercises and red teaming can uncover hidden vulnerabilities and strengthen defenses before real attacks happen [1][3][5]. By addressing the complexity of APT-style attacks, which rely on persistence and stealth rather than quick exploitation, banks can ensure that people, processes, and technology work cohesively to detect, prevent, and respond effectively [1][3][5].
Recent Examples of Red Team Attacks
Recent examples of red team attacks include Context Information Security's discovery, via LinkedIn, that a target company ran the JBoss middleware platform, which led to the successful compromise of a JBoss server within the network [6]. Another example is the exploitation of Java, which has been the source of many zero-day flaws and is therefore a frequent target for hackers [7].
Anti-virus software should not be overlooked as a defense against advanced attacks, since attackers often rely on known malware such as Poison Ivy, an implant frequently used by state actors [8]. Hackers may also attempt to gain access to a local admin account and disable the anti-virus during an attack [9].
In some cases, hackers might cross-check a company's website with LinkedIn to find a legitimate employee who does not have an account on the social networking site and set up an account in that employee's name to trick other workers into clicking a link or opening a malicious attachment [10].
Prevention and Response
Preventing hackers from impersonating employees on LinkedIn is difficult, but companies can brief their employees on the risk and warn them against opening documents sent over the network [11]. Analyzing web logs can help identify if employees have visited a malicious URL or a similar one [12].
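The web-log analysis described above, as an added example that is not from the article: each proxy line is checked against a known-bad host list and against lookalikes of the bank's own domains ("a similar one"), using homoglyph folding and edit distance. The domains, the blocklist entry and the log lines are constructed for the example.

```python
"""Scan constructed web-proxy log lines for visits to known-bad hosts and to
lookalike domains of the bank's own brands (homoglyph folding plus edit distance).
Added example, not from the article; domains and log format are assumptions."""
from urllib.parse import urlsplit

OWN_DOMAINS = {"bank.example", "onlinebanking.bank.example"}  # assumed brand domains
BLOCKLIST = {"invoice-download.invalid"}  # constructed threat-intel entry
OWN_REG = {".".join(d.split(".")[-2:]) for d in OWN_DOMAINS}  # last two labels; use the PSL in production

def normalize(host: str) -> str:
    """Fold visual substitutions so 'exarnple' reads as 'example' and 'bank0' as 'banko'."""
    host = host.lower()
    for look, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        host = host.replace(look, real)
    return host

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))  # Levenshtein distance by dynamic programming
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    if host in BLOCKLIST or host.endswith(tuple("." + b for b in BLOCKLIST)):
        return "blocklisted"
    if host in OWN_DOMAINS or host.endswith(tuple("." + d for d in OWN_DOMAINS)):
        return "own"
    reg = ".".join(host.lower().split(".")[-2:])
    for own in OWN_REG:  # distance 2 is loose for short names; analysts tune it per brand
        if normalize(reg) == normalize(own) or edit_distance(reg, own) <= 2:
            return f"lookalike of {own}"
    return "unknown"

def scan(log: str) -> list:
    """Return (user, host, verdict) for each 'ts user url' line that needs follow-up."""
    hits = []
    for line in log.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        verdict = classify(host)
        if verdict not in ("own", "unknown"):
            hits.append((user, host, verdict))
    return hits

SAMPLE_LOG = """\
2024-05-01T10:01:00Z alice https://onlinebanking.bank.example/login
2024-05-01T10:02:10Z bob https://invoice-download.invalid/doc.html
2024-05-01T10:03:45Z carol http://bamk.example/portal
2024-05-01T10:04:20Z dave https://onlinebanking.bank.exarnple/reset
2024-05-01T10:05:00Z erin https://news.example/
"""
```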
Switching off AutoRun in Windows reduces the risk of infection from USB drives, and security information and event management (SIEM) tools can detect unauthorized external devices [13]. Spearphishing, the sending of targeted emails that look legitimate but carry a malicious link or attachment, is a common way to infect a target's IT infrastructure [14].
UK security firm Context Information Security has been commissioned by major financial institutions to attack their systems and present the techniques used [15]. Organizations can understand their exposure by analyzing the information available about them on the web and positioning their security defenses accordingly [16].
In conclusion, the ongoing battle against red team attacks requires a multi-faceted approach that combines strong email and domain security, continuous network monitoring, regular patching, staff awareness training, blue team readiness, simulated cyber-range exercises, and red teaming. By staying vigilant and proactive, banks can better protect themselves against these sophisticated threats.
[1] Carbon Black. (2018). The State of Endpoint Security: 2018. Carbon Black.
[2] SANS Institute. (2018). Top 20 Critical Security Controls. SANS Institute.
[3] Verizon. (2018). 2018 Data Breach Investigations Report. Verizon.
[4] NIST. (2018). NIST Cybersecurity Framework. National Institute of Standards and Technology.
[5] Mandiant. (2018). M-Trends 2018. Mandiant.
[6] ZDNet. (2018). Context Information Security breaches JBoss servers of major European bank. ZDNet.
[7] TechCrunch. (2018). Java zero-day flaw used in Pwn2Own hacking competition. TechCrunch.
[8] CSO Online. (2018). Why anti-virus software is still important in the age of advanced threats. CSO Online.
[9] Help Net Security. (2018). How to prevent hackers from disabling your antivirus software. Help Net Security.
[10] Cybersecurity Insiders. (2018). How to protect your organization from social engineering attacks. Cybersecurity Insiders.
[11] CSO Online. (2018). LinkedIn phishing scams: How to protect your business. CSO Online.
[12] TechRadar. (2018). How to check your computer's web history. TechRadar.
[13] How-To Geek. (2018). How to turn off AutoRun in Windows. How-To Geek.
[14] CSO Online. (2018). Spearphishing: How it works and how to protect against it. CSO Online.
[15] The Register. (2018). Context Information Security to hack UK banks for fun and profit. The Register.
[16] Security Boulevard. (2018). How to assess your organization's cybersecurity risk. Security Boulevard.
Banks can implement technology-driven solutions to strengthen their cybersecurity posture against APTs. For instance, implementing SPF, DKIM, and DMARC can block spoofed and phishing emails, thwarting attacks that often target finance through these means [2]. Additionally, investing in continuous network monitoring and SIEM integration helps detect threats and anomalous behavior in real time, reducing the chances of a successful breach [2][5]. However, technology alone cannot guarantee security; a comprehensive defense strategy must also include staff awareness training and blue-team readiness to respond effectively to attacks.