Why Indian Banks are not ready for advanced and pervasive cyberattacks?

Have you ever thought why cyberattackers have chosen their way of life? Obviously, not all cyberattackers are the same as the community consists of different people like white hat attackers, black hat attackers, and hacktivists. Still, the key objective of cyberattacks is to derive financial incentive – either for a broader objective or for personal gains – through their work.

Irrespective of what the objective is, vulnerabilities in digital infrastructure are what every cyberattacker looks for. In this digital dynamics, the banking system often emerges as a sitting duck since it is the softest and most effective target. As India rides on the wave of digitization, our banking sector can be seen incorporating wide-ranging digital technologies including some of the most embryonic ones such as IoT and cloud solutions.

So, let us have a look at what the state of cybersecurity is within our banking system and is it prepared for advanced as well as pervasive cyberattacks?

‘Banking’ on digital technology: Are our banks on the right track?

Of late, our banking system has experienced significant disruption following the rise of digital technologies. This has enabled the segment to considerably improve its in-house processes, become more efficient by minimizing human interventions, and drive financial inclusion within the country. However, much like the merits that digital technologies bring with them, they also have a fair share of drawbacks. Vulnerability is one of them.

In its 2019 Data Breach Investigation Report, Verizon found out that 10% of the overall breaches were conducted on financial institutions (FIs). This is despite the fact that it is considerably easier to hack a personal device or even a private organization as compared to an FI.

Cyberattacks on the FIs are more often driven by nation-states as compared to independent hackers. Such attacks are usually conducted for catastrophic damages rather than just financial theft. According to Mr. Gulshan Rai, National Cybersecurity Coordinator at the National State Council, banks are most vulnerable to cyber threats and the Indian banking system needs to prepare itself to mitigate the associated risks. He also mentioned that nearly 22% of the attacks which took place in the country were on the banking sector and these attacks are becoming complex day by day, especially with the adoption of digital technologies in the business. Cybersecurity exploits are inevitable, more so because of the embryonic technologies which have created an open infrastructure more susceptible to cyberattacks.

In the past few years, we have seen large number of attacks on the financial institutes – including the attacks on Cosmos Bank and State Bank of Mauritius branch based in Mumbai. The primary targets which are usually compromised in cyberattacks on banks are the SWITCH and SWIFT systems. SWITCH is a group of servers that are responsible for sending approval request from the ATM to the core banking system. SWIFT, on the other hand, is a global provider of a secure inter-banking messaging solution. It is used by banks to communicate with other stakeholders and electronically wire funds between accounts. The SWITCH and SWIFT are the most sensitive components of the banking infrastructure, as they are responsible for the authorization of fund transfers. Because of increasing attacks on financial institutes, RBI has taken a holistic and integrated approach towards cybersecurity to strengthen the security framework of financial institutes.

We need to understand which vulnerabilities make cyberattacks on banks possible?

• Weak endpoint security: The lack of advanced security countermeasures to detect sophisticated malicious activities instead of relying on AV signatures, which were rendered useless due to packing and utilization of custom payloads. Today, evasive attackers are shifting to fileless attacks which conventional systems ant detect as as they rely on checking files.
• Lack of security awareness: Social engineering techniques lure employees into clicking malicious links and/or opening infected documents. It involves a form of psychological manipulation that involves impersonation, urgency, instilling fear or similar emotions in the victim, and making the victim to reveal sensitive information. According to SANS 2018 Incident Response Survey, less than 30% of analysts have experienced a ransomware incident.
• Deficient Network segmentation: The lack of defining and enforcing secure network segmentation policies for users, applications, and devices as perimeter security alone can no longer protect the network.
• Weak Internal audit controls: The movement of money between accounts, especially between countries, needs to be closely monitored and controlled. Usually, financial organizations’ processes lack automated monitoring of critical systems and manual checkpoints to review large transfers.
• Long Patching Process: The patching process is time-intensive and requires streamlining to decrease the overall turnaround time. The time to remediation, or the ‘dwell time’, enables a cyberattacker to take advantage of the vulnerability until it gets remediated.

Here are some of the strategies to protect against financial attacks:

• Better Segmentation of the network to limit the lateral movement ability of the compromised endpoint and directly reduce the attack surface. This will help in preventing the penetration attempts within the network to locate the targeted information.
• Invest in Detection Technologies: Organizations in India and other high-risk countries can improve their cybersecurity posture with more focused monitoring of critical servers and the usage of avant-garde detection technologies. They must also use advanced endpoint solutions that can detect lateral movement, proxy installations, and fileless attacks, which bypass all other lines of conventional security systems including firewalls, email security, antivirus, and so on.
• Augment Threat Hunting Capabilities (Both technologically and professional-wise): The FI SOC (Security Operations Center) needs to constantly receive feeds of IOCs (Indicators of Compromise) and pro-actively hunt similar threats inside the organization. This requires both advanced threat hunting solutions and thorough training of the security team.
• Use automation and orchestration to optimize incident response playbooks: FIs must minimize the load on their analysts by automating manual tasks, like collecting threat intelligence, sending emails, and more. This will enable them to focus on and recapturing high-priority incidents.
• Establish checkpoints for large fund transfers with manual inspection: There should be checkpoints for large fund transfers with the introduction of manual inspections. As we have seen in the case of multiple financial heists, there often a few spelling and formatting errors that could have been easily caught using manual inspection.
• Invest in Training: There is an array of challenges for security leaders to counter, which includes lack of skilled cybersecurity professionals, unprepared security operations team, and too much complexity of processes and technology. Indian FIs can implement some of the methodologies that are more inclined towards practical training approach, building a stronger security ecosystem right from academic training, and strengthening cross-functional training capabilities for incident response team alongside other measures.
• Deploy security that can run on-premises in an air-gapped environment: While cloud security systems have many advantages, they may become a security risk. There have been cases where cloud based security systems have been compromised, and malicious actors were able to intercept sensitive customer data that was sent to the cloud based security system. It becomes imperative for financial institutes to deploy security solutions which are air-gap compatible.
• Formalized patch management program: It is imperative to regularly update all the applications, software, and operating systems for keeping vulnerabilities and misconfigurations in your IT infrastructure in check. Such updates often resolve vulnerabilities and threats that were previously not known.

By Rakesh Kharwal, Managing Director, India/South Asia & ASEAN, Cyberbit