Preventive Actions in the Aftermath of A Major Bank Breach

Background

In February, stolen credentials of a Bangladesh bank were used to submit fraudulent fund transfer requests via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. A small number of these requests was processed, and according to published reports, US$81 million was transferred to a bank in the Philippines and then disbursed across several accounts belonging to casinos, where the trail of the cyber attackers has gone cold. Malware was introduced to impair the Bangladesh bank’s ability to see evidence of the fraudulent transactions. SWIFT has maintained that the security and integrity of their messaging services are not in question, but rather local security at customer environments were compromised in this and other similar incidents in Vietnam, Ecuador, Ukraine, and Russia as well.

Achieve Greater Security and Prevent Similar Attacks

How the valid credentials for fund transfers were obtained is still unknown, but possibilities include phishing and discovery on another system after the initial compromise at this Bangladesh bank. Cybercriminals tend to move laterally within a victim’s environment in search of valuable information and other vulnerable systems. Such latitude in the Bangladesh bank’s network appeared to provide ready access to the systems for fund transfer initiation and to the related reporting systems.

Network segmentation can separate the credentials, the critical systems for fund transfers and transaction logging, from the rest of a bank network. A compromise elsewhere would not expose the resources involved in fund transfers since unexpected traffic would be prohibited into that segment. Furthermore, malware analysis and prevention at the network perimeter and internally at endpoints can stop the initial attempts to compromise systems and block malicious code from running. In combination, these practices and capabilities could be significant in future attempted breaches, constraining the lateral movement of the attackers and stopping the installation and/or execution of malware.

Palo Alto Networks Next-Generation Security Platform enables important cybersecurity best practices and threat prevention capabilities within financial institution networks. Here’s how:

• Network segmentation with our security platform restricts the lateral movement attackers use to hunt for valuable resources within the targeted institution.
• The platform’s visibility into applications, users and content provides a baseline of normal traffic patterns against which anomalies are more easily identified and specific policies, including whitelisting, can be established.
• SSL decryption by the platform enables the inspection of suspicious, encrypted communications that may otherwise conceal attacker activities.
• WildFire environment analyzes unknown malware encountered by the platform and reprograms it in as little as five minutes to block the new malware from going forward.
• Traps advanced endpoint protection stops exploits and unknown malware at servers, workstations and laptops by thwarting exploit techniques at execution and closely coordinating with WildFire on any new malware samples.

Because of their sophistication, many threats against financial services and other critical industries use numerous steps in their attack lifecycle. The Palo Alto Networks security platform provides multiple opportunities to thwart every stage of an attack and prevent successful completion. To learn more, download our Breaking the Cyber Attack Lifecycle white paper.

Further Recommendations

In addition to the best practices above, SWIFT has offered other steps to enhance cybersecurity as part of their new customer security program, which is intended to reinforce and evolve the security of global banking in the face of increasing cyberthreats. These include improved information sharing within the global financial community, hardening of SWIFT-related tools for customers, audit frameworks, increased monitoring capabilities of customer environments, best practices for fraud detection, and the investigation of tools to detect anomalies on the network.

The U.S. Federal Financial Institutions Examination Council’s (FFIEC) June statement on the Cybersecurity of Interbank Messaging and Wholesale Payment Networks did not contain any new regulatory expectations. It reinforced some risk mitigation techniques relevant for cyberattacks, vulnerability exploits and unauthorized entry, including:

• Use multiple layers of security controls.
• Conduct ongoing information security risk assessments.
• Adjust controls in response to newly identified risks and threats.
• Establish a baseline environment to detect anomalous behavior.
• Share information with other financial institutions.

The Palo Alto Networks Next-Generation Security Platform is part of a layered defense strategy used by the financial services industry today, and provides excellent visibility into normal traffic patterns. Additionally, Palo Alto Networks is committed to information sharing for the benefit of the global community. As a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and a founding member of the Cyber Threat Alliance (CTA) to ensure the cyber security industry works together, we believe in the power of information sharing.

For more information on how Palo Alto Networks can help financial institutions prevent successful cyber breaches, please visit our website and download the Reference Blueprint for Banking or the Security Platform for Financial Services white paper.