A fresh approach to security in online trading

Jouda Seghair

While it is ransomware that has held the spotlight of public attention recently, it is actually financial malware that is the greatest threat to our industry today. Research has revealed that, with annual attacks numbering 1.2 million, financial malware is 2.5 times as prevalent as ransomware, says Jouda Seghair


Jouda Seghair is Director of International Marketing, Business Development UK & Ireland at Infocyte Inc. Infocyte’s post breach detection platform Infocyte Hunt is a military-grade malware hunt technology developed by former US Air Force cyber-security experts.

In the financial industry, security-related products – those that purportedly protect enterprise assets – have historically been viewed as simple software investments. This has led to a general interpretation of these products as necessary operational costs that merely allow the business to function unimpeded.

This general approach may have been appropriate in the past, but the threat landscape now changes continuously. Rates of custom-built malware, and of financial malware in general, are shockingly high and growing rapidly.

Financial Malware 2.5 times more common than Ransomware


The Symantec Internet Security Threat Report (ISTR) Financial Threats Review 2017 stated that 38% of all financial threat detections were against corporations rather than consumers. Attacks on corporations are harder to execute but yield a higher profit, which is why there were 1.2 million such attacks in 2016.


In some cases, malicious actors are launching malware attacks with the express purpose of gaining access to the inner workings of an enterprise so that behaviour can be observed and learned from, enabling the creation of custom malware designed to specifically exploit weaknesses within a given entity.

Given how much the times have changed, a shift in mindset is now required if the industry is to keep up with the threats it faces and maintain the trust of the public. The old way of doing things, framing security (and defensive products in particular) as a cost to be borne in order to support the core business, does not deliver the engagement and vigilance required to secure financial enterprises effectively.

The malware targeting the industry today is virulent enough to threaten the fundamental infrastructure, virtual or physical, that organizations depend on.

A New Approach

Not all software investments in the industry are viewed as operational costs. Platforms such as core banking, treasury, and trades management are all understood to be integral and essential to the fundamental business goal, which is to generate profit.

As such, these banking platforms are not viewed as short-term, commoditized purchases. Rather, they are viewed as long-term, mission-critical investments that will yield returns.

It is time that security related purchases are viewed through the same lens – as critical investments that yield returns. A failure to adopt this view effectively equates to an institution willingly accepting unnecessary risk.

Adopting this new approach to security can, and should, be done in two complementary ways: one element is defensive, the other is post breach detection. Complete security is virtually impossible without both.

Defence or Offence

Modern defensive measures include endpoint detection and response (EDR), security intelligence (SI), and network and endpoint behavioural analytics. These solutions raise the cost of breaching enterprise assets and securing a foothold in the estate, and EDR also shortens the time needed to spot and contain the attempts it does see. However, none of these defensive solutions, even when layered, delivers complete protection from threats.

The second required element is post breach detection. Some malware unquestionably succeeds in breaching defences, and it is this malware that poses the greatest danger to assets, precisely because so many enterprises buy defensive solutions and then operate believing themselves protected and secure. Post breach detection is, in essence, hunting for malware and APTs that have breached the defences and are residing undiscovered.

Post Breach Detection is Mission Critical

Solutions that offer post breach detection should be viewed in the same way as other mission critical investments like trading platforms. These are tools that allow enterprises to manage their dwell time and maintain consistent control over the threat that malware poses.

Recent research produced for Dell Secureworks has indicated that organizations that limit their dwell time to 7 days realize a reduction in business impact of 77%. Further reducing dwell time to 1 day delivers a reduction in business impact of 96%. These are significant impacts when read through the lens of asset values under management in the financial industry at large.

Post Breach Detection can be achieved today using one of four methods.

Script based hunting

Several open-source platforms with well-developed hunt methodologies are available, two of particular note being PSHunt (a PowerShell endpoint survey framework) and Assemblyline (a file analysis and enrichment platform). Between them they provide tools that administrators and IT security professionals can use to survey endpoints quickly and to enrich the collected data with a mix of commercial and open-source third-party sources. They are a good starting point for organisations with their own technical resources.

Indicator of Compromise (IOC) Hunting

One widely used solution that detects threats using a methodology focused on IOCs is BSK Consulting's THOR APT scanner. Hunting based on IOCs involves searching through log files; looking for typical attacker tools and for anomalies in user accounts and sessions; and examining error reports, dump files, network connections and more. This approach can be effective, and it suits organisations with highly skilled technical staff who can manage and maintain the solution and the intelligence feeds it depends on. Its reach is bounded by the quality and freshness of those feeds: an indicator that is not in the feed will not be found.
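The IOC-based hunt described above, as an added example in Python that is not from the article, from THOR or from any other product: it walks constructed endpoint log lines, matches a hash feed and typical attacker tool names, flags logons outside business hours and newly created accounts, and adds a simple lateral-movement heuristic. The log format, the hash feed, the tool-name list and the business-hours window are all assumptions made for illustration.

```python
# Added example (not from the article or any vendor product): a small
# IOC-style hunt over constructed endpoint log lines. The log format, the
# hash feed, the tool-name list and the business-hours window are assumptions.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> key=value key=value ..."
SAMPLE_LOGS = r"""2017-06-12T09:03:11 host=WS-041 user=alice event=logon type=interactive
2017-06-12T09:05:42 host=WS-041 user=alice event=process image=C:\Windows\System32\svchost.exe sha256=aaa111
2017-06-12T02:14:05 host=WS-017 user=svc_backup event=logon type=remote
2017-06-12T02:14:30 host=WS-017 user=svc_backup event=process image=C:\Users\Public\mimikatz.exe sha256=bad000
2017-06-12T02:15:02 host=WS-017 user=svc_backup event=process image=C:\Windows\Temp\PsExec.exe sha256=cafe22
2017-06-12T02:16:10 host=DC-01 user=svc_backup event=logon type=remote
2017-06-12T02:16:45 host=DC-01 user=svc_backup event=account_created target=helpdesk2
2017-06-12T10:20:00 host=WS-088 user=bob event=logon type=interactive
"""

BAD_HASHES = {"bad000"}                                                  # assumed threat-intel hash feed
ATTACKER_TOOLS = re.compile(r"mimikatz|psexec|procdump|lazagne", re.I)   # assumed tool-name list
BUSINESS_HOURS = range(7, 20)                                            # assumed: 07:00-19:59 is normal


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for tok in parts[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            event[key] = value
    return event


def hunt(log_text, business_hours=BUSINESS_HOURS):
    """Return (host, user, reason, detail) findings for every IOC match or anomaly seen."""
    findings = []
    remote_logons = defaultdict(set)  # user -> hosts reached via remote logon
    for event in filter(None, map(parse_line, log_text.splitlines())):
        host, user, kind = event.get("host"), event.get("user"), event.get("event")
        if kind == "process":
            image = event.get("image", "")
            if event.get("sha256") in BAD_HASHES:
                findings.append((host, user, "known-bad hash", image))
            elif ATTACKER_TOOLS.search(image):
                findings.append((host, user, "attacker tool name", image))
        elif kind == "logon":
            if event["ts"].hour not in business_hours:
                findings.append((host, user, "logon outside business hours", event["ts"].isoformat()))
            if event.get("type") == "remote":
                remote_logons[user].add(host)
        elif kind == "account_created":
            findings.append((host, user, "new account created", event.get("target")))
    # Lateral-movement heuristic: one account reaching several hosts remotely in the window.
    for user, hosts in remote_logons.items():
        if len(hosts) >= 2:
            findings.append(("*", user, "remote logons to multiple hosts", ",".join(sorted(hosts))))
    return findings


def suspicious_users(findings, threshold=2):
    """Accounts that accumulate at least `threshold` findings deserve a closer look."""
    counts = Counter(user for _, user, _, _ in findings)
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for host, user, reason, detail in results:
        print(f"{host:7} {user:11} {reason:32} {detail}")
    print("triage:", sorted(suspicious_users(results)))
```

On the constructed sample the hash feed catches mimikatz, the name list catches PsExec even though its hash is unknown, and the session anomalies (off-hours remote logons on two hosts and a new account on the domain controller) pin the activity to one service account. Each rule on its own would be noisy; the value comes from correlating them per account, which is what `suspicious_users` does.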

Incident Response Solutions repurposed to hunt

There are a number of digital forensics and incident response solutions available, from commercial products such as Mandiant MIR to open-source tools such as GRR Rapid Response. The challenge in repurposing them to hunt malware is that they were built for deep examination of a handful of hosts: they scale poorly to sweeping an entire estate and require highly skilled examiners to operate. This approach may be effective for small enterprises that employ key expert personnel or outsource the work of hunting.

Forensic State Analysis Hunting

There is a single solution on the market today that delivers forensic state analysis: Infocyte HUNT. FSA is an automated approach to post breach detection that assumes devices are already compromised and seeks to validate every endpoint as thoroughly as possible.

The automation inherent in FSA enables users to effectively deploy rapidly, dynamically, and at scale.

FSA operates independently of the host OS, using dissolvable endpoint surveys (no permanent agent) to quickly collect live forensic data from volatile memory and non-volatile storage. On-disk data is also collected to identify persistence mechanisms.

This data is then analyzed using a variety of post-breach analytic techniques, reputation lookups and multiple threat intelligence sources. Combining the live host forensic data with these techniques, FSA determines the compromise state of each endpoint.
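To make the survey-then-analyse loop concrete, here is an added example in Python that is not Infocyte's, PSHunt's or any other vendor's code. It triages a constructed endpoint survey of the kind a script-based hunt (see "Script based hunting" above) or an FSA survey would return: a process list with hashes, signature status, parent process and remote connections, plus autorun entries. The survey schema, the reputation sets standing in for threat intelligence, the expected parent/child relationship and the scoring thresholds are all assumptions made for illustration.

```python
# Added example (not Infocyte's or any vendor's code): triage of a constructed
# endpoint survey in the spirit of forensic state analysis. The survey schema,
# the reputation sets, the parent/child expectation and the thresholds are
# assumptions made for illustration.
from dataclasses import dataclass, field

KNOWN_GOOD = {"good-services", "good-svchost", "good-explorer", "good-chrome", "good-onedrive"}  # assumed allowlist
KNOWN_BAD = {"bad-beacon"}                                                     # assumed threat-intel feed
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")    # assumed risky locations
EXPECTED_PARENT = {"svchost.exe": "services.exe"}                             # assumed normal lineage


@dataclass
class Proc:
    image: str
    sha256: str
    signed: bool
    parent: str
    remote_ips: list = field(default_factory=list)


@dataclass
class Survey:
    host: str
    procs: list
    autoruns: dict  # persistence entry name -> (image path, sha256)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_private(ip):
    """RFC 1918 check; anything else is treated as an external destination (assumption)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def assess(survey):
    """Return (state, indicators) where state is clean, suspicious or compromised."""
    indicators = []
    for p in survey.procs:
        if p.sha256 in KNOWN_BAD:
            indicators.append(("known-bad hash", p.image))
            continue
        expected = EXPECTED_PARENT.get(_basename(p.image))
        if expected and _basename(p.parent) != expected:
            indicators.append(("unexpected parent process", f"{p.image} <- {p.parent}"))
        if p.sha256 in KNOWN_GOOD:
            continue  # reputation vouches for the file itself
        if not p.signed:
            indicators.append(("unknown unsigned binary", p.image))
        if p.image.lower().startswith(USER_WRITABLE):
            indicators.append(("running from user-writable path", p.image))
        if any(not _is_private(ip) for ip in p.remote_ips):
            indicators.append(("unknown binary with external connection", p.image))
    for name, (image, sha256) in survey.autoruns.items():
        if sha256 not in KNOWN_GOOD:
            indicators.append(("persistence entry for unknown binary", f"{name} -> {image}"))
    if any(r == "known-bad hash" for r, _ in indicators) or len(indicators) >= 3:
        return "compromised", indicators
    return ("suspicious" if indicators else "clean"), indicators


# Constructed surveys for three endpoints.
SAMPLE_SURVEYS = [
    Survey("WS-041", [
        Proc(r"C:\Windows\System32\services.exe", "good-services", True, r"C:\Windows\System32\wininit.exe"),
        Proc(r"C:\Windows\System32\svchost.exe", "good-svchost", True, r"C:\Windows\System32\services.exe"),
        Proc(r"C:\Program Files\Google\Chrome\chrome.exe", "good-chrome", True, r"C:\Windows\explorer.exe", ["142.250.74.36"]),
    ], {"OneDrive": (r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "good-onedrive")}),
    Survey("WS-088", [
        Proc(r"C:\Windows\System32\services.exe", "good-services", True, r"C:\Windows\System32\wininit.exe"),
        Proc(r"C:\Program Files\Vendor\agent.exe", "unk-agent", True, r"C:\Windows\System32\services.exe", ["198.51.100.7"]),
    ], {}),
    Survey("WS-017", [
        Proc(r"C:\Windows\System32\services.exe", "good-services", True, r"C:\Windows\System32\wininit.exe"),
        Proc(r"C:\Users\Public\svchost.exe", "unk-7f3a", False, r"C:\Windows\explorer.exe", ["10.0.0.5", "203.0.113.10"]),
    ], {"Updater": (r"C:\Users\Public\svchost.exe", "unk-7f3a")}),
]


def triage(surveys):
    """Order endpoints so the worst state (and the most indicators) comes first."""
    rank = {"compromised": 0, "suspicious": 1, "clean": 2}
    results = [(s.host, *assess(s)) for s in surveys]
    return sorted(results, key=lambda r: (rank[r[1]], -len(r[2])))


if __name__ == "__main__":
    for host, state, indicators in triage(SAMPLE_SURVEYS):
        print(f"{host}: {state}")
        for reason, detail in indicators:
            print(f"    {reason}: {detail}")
```

The point of the design is that WS-017 is called compromised without any known-bad hash: a file named svchost.exe that is unsigned, lives in a user-writable directory, was launched by explorer.exe rather than services.exe, talks to an external address and is re-launched by an autorun entry is condemned by the convergence of weak signals. WS-088 shows the other side of the same scoring: one unknown but signed vendor agent with an outbound connection is flagged for review, not declared a breach.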

Change the Culture for Results

Regardless of the method chosen, hunt programs need to become part of the fabric and culture of the modern financial enterprise. These are iterative processes that should be conducted with regular frequency. How frequently these can be employed will depend upon the speed and scalability of the post breach detection platform chosen.

Platforms that offer users the ability to hunt for malware should be viewed as investments similar to those made in fundamental baseline platforms that generate revenue, rather than as defensive software tools.

A failure to adopt malware hunting capabilities puts at risk the institutions’ ability to conduct business – attackers only have to succeed once in order to do damage, and they’re getting better all the time.
