In recent months, reports of several breaches at SWIFT (Society for Worldwide Interbank Financial Telecommunications) member banks have come to light. Across these incidents, local security was compromised, and valid credentials were stolen and used to initiate fraudulent transfers.
These attacks bear the hallmarks of an account takeover (ATO), in which a cybercriminal impersonates a valid customer. Some of the best practices to combat ATO include patching security vulnerabilities, network segmentation, and multi-factor authentication. Among financial institutions, especially the larger ones, timely software patching has been a challenge due to rigorous testing requirements, limited change windows, and the sheer quantity and geographically dispersed nature of the laptops, desktops and servers. Although there is growing interest in network segmentation for cybersecurity, actual implementations are rare, as most institutions still have flat networks. Multi-factor authentication is common for remote access to the corporate network but is atypical inside the perimeter.
Since some of the best practices to address ATO tactics are not in place at many financial institutions, another approach is to use advanced endpoint protection on the laptops, desktops and servers themselves. These devices are the focus of at least two phases of the typical cyberattack lifecycle. End users and their devices are targeted by spear-phishing, drive-by downloads and social engineering, and exploits and malware are introduced to compromise the endpoint. The cybercriminal then uses the compromised endpoint as a beachhead to hunt for valuable information or to compromise other vulnerable systems (servers) within the network. In financial institutions, antivirus solutions have been a staple on endpoint devices for many years, but they have proven ineffective in protecting those devices, since security breaches are still on the rise.
Thanks to recent enhancements, Traps (version 3.4) now uses a multi-method prevention approach that combines the most effective, purpose-built malware and exploit prevention methods to protect endpoints from known and unknown threats. As financial institutions continue to be a favorite target for cyberattacks, improving advanced endpoint protection is well worthwhile. Traps prevents end users from inadvertently running malware or exploits that compromise their systems.
Traps multi-method prevention for malware includes the following five techniques.
For multi-method exploit prevention, Traps provides the following approaches:
Additionally, Traps is now able to quarantine malicious executable files to stop any further propagation, and allows organizations to prevent non-malicious but otherwise undesirable software (e.g., adware) from executing.
As stated earlier, software patch management of endpoints is an ongoing challenge for financial institutions. This is further exacerbated by the sheer volume of ATMs that also need to be patched. Although efforts were launched to upgrade or replace ATMs based on Windows XP, which has been unsupported since April 2014, it would not be surprising to see some of these ATMs still in service today. (As of April 2015, an estimated 75%, or 2.2 million, of the world's ATMs still ran Windows XP.) To protect those ATMs that have not yet been, or will not be, upgraded, Traps can be installed as a compensating control to prevent the exploitation of both known and unknown vulnerabilities. Traps would also provide the same benefit to other systems that are behind in, or no longer eligible for, software patching.
In many financial institutions, ATMs are not truly segmented from the rest of the corporate network. As mentioned earlier, many financial institutions still have flat and open internal networks. Network segmentation is highly recommended and would certainly help limit the exposure in the event of a compromise. However, yet another layer of defense is advanced endpoint protection for the laptops, desktops and servers. Traps, with its multi-method prevention approach, stops the techniques at the core of these attacks, instead of focusing on the millions of unique malware and exploit samples themselves. Consequently, Traps prevents sophisticated, targeted and never-before-seen attacks from compromising an endpoint. At the end of the day, the endpoints hold the resources (e.g., confidential data, customer PII, and financial transactions) that are most interesting to the cyber attackers. Protecting the endpoints from compromise is a foundation of a sound cybersecurity policy and a cornerstone of the Palo Alto Networks Next-Generation Security Platform.
By bridging the communication gap between the endpoint and the network, and by integrating with the WildFire unknown malware analysis environment to increase visibility, Traps prevents new threats from compromising an endpoint. The integration of Traps with the Palo Alto Networks Next-Generation Security Platform allows organizations to continuously share the growing threat intelligence gained from thousands of enterprise customers, across both their networks and endpoints, to coordinate prevention and response. So whether or not your financial institution has implemented one or more of the best practices to address ATO attacks, give some further consideration to the ability of Traps to prevent endpoint cyber breaches by blocking both known and unknown threats.