A fresh approach to security in online trading

Jouda Seghair

While it is ransomware that has held the spotlight of public attention recently, it is actually financial malware that is the greatest threat to our industry today. Research has revealed that, with annual attacks numbering 1.2 million, financial malware is 2.5 times as prevalent as ransomware, says Jouda Seghair.


Jouda Seghair is Director of International Marketing, Business Development UK & Ireland at Infocyte Inc. Infocyte’s post breach detection platform Infocyte Hunt is a military-grade malware hunt technology developed by former US Air Force cyber-security experts.

In the financial industry, security-related products – those that purportedly protect enterprise assets – have historically been viewed as simple software investments. This has led to a general interpretation of these products as necessary operational costs that allow the business to function unimpeded.

This general approach may have been appropriate in times past; now, however, the security field is an ever-changing threat landscape. Rates of custom-created malware, and of financial malware in general, are shockingly high and growing rapidly.

Financial Malware 2.5 times more common than Ransomware

While it is ransomware that has held the spotlight of public attention recently, it is actually financial malware that is the greatest threat to our industry today. Research has revealed that, with annual attacks numbering 1.2 million, financial malware is 2.5 times as prevalent as ransomware.

The Symantec Internet Security Threat Report (ISTR) Financial Threats Review 2017 stated that 38% of all financial threat detections were against corporations rather than customers. While these attacks are more difficult to execute, they yield a higher profit, which is why there were 1.2 million such attacks in 2016.


In some cases, malicious actors launch malware attacks with the express purpose of gaining access to the inner workings of an enterprise so that its behaviour can be observed and learned from, enabling the creation of custom malware designed to exploit the specific weaknesses of a given entity.

Given how much the times have changed, what is now required is a shift in mindset if the industry is to keep up with the threats posed and maintain the trust of the public. The old way of doing things – framing security, and specifically defensive products, as costs to be borne in order to support core businesses – does not deliver the engagement and vigilance required to effectively secure financial enterprises.

The malware targeting the industry today is so virulent and dangerous that it poses the risk of destroying fundamental infrastructures, whether virtual or physical, that organizations depend on.

A New Approach

Not all software investments in the industry are viewed as operational costs. Platforms such as core banking, treasury, and trades management are all understood to be integral and essential to the fundamental business goal, which is to generate profit.

As such, these banking platforms are not viewed as short-term, commoditized purchases. Rather, they are viewed as long-term, mission-critical investments that will yield returns.

It is time that security-related purchases were viewed through the same lens – as critical investments that yield returns. A failure to adopt this view effectively equates to an institution willingly accepting unnecessary risk.

Adopting this new approach to security can, and should, be done in several ways. One element is defensive; the other focuses on post breach detection. It is virtually impossible to achieve full security without engaging in both defensive and proactive measures.

Defence or Offence

Modern defensive measures include the adoption of endpoint detection and response (EDR), security intelligence (SI), and network and endpoint behavioural analytics. These solutions are effective in preventing threats from breaching enterprise assets and securing a foothold in the estate. However, none of these defensive solutions, even when layered, delivers complete safety from threats.

The second element that is required is post breach detection. There is no question that some malware succeeds in breaching defences, and it is this malware that poses the greatest danger to assets. It poses the greatest danger precisely because so many enterprises purchase defensive solutions and then operate believing themselves protected and secure. Post breach detection is essentially hunting for malware and APTs that have breached defences and are residing undiscovered.

Post Breach Detection is Mission Critical

Solutions that offer post breach detection should be viewed in the same way as other mission critical investments like trading platforms. These are tools that allow enterprises to manage their dwell time and maintain consistent control over the threat that malware poses.

Recent research produced for Dell SecureWorks has indicated that organizations that limit their dwell time to 7 days realize a 77% reduction in business impact. Further reducing dwell time to 1 day delivers a 96% reduction in business impact. These are significant figures when read through the lens of the asset values under management in the financial industry at large.

Post Breach Detection can be achieved today using one of four methods.

Script based hunting

There are several open-source platforms available that have well-developed hunt methodologies, and two are of particular note: PSHUNT and AssemblyLine. Both provide a collection of tools that administrators and IT security professionals can use to quickly survey endpoints and enrich the collected data using a mix of third-party commercial and open-source tools. They are a good starting point for technical teams.

Indicator of Compromise (IOC) Hunting

There is one viable solution currently available that detects threats using a methodology focused on IOCs – BSK Consulting's THOR APT scanner. Hunting based on IOCs involves searching through log files for typical attacker tools and for anomalies in user accounts and sessions, and examining error reports, dump files, network connections and more. This approach can be effective and is suitable for adoption in organisations with highly skilled technical staff who can manage and maintain the solution and the indicator feeds required to operate it.
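The hunting steps just described, as an added example that is not code from the article or from BSK Consulting's product: a small Python IOC hunt over constructed log lines that flags known attacker tool names, known-bad hashes, off-hours logons, and one account logging on from several source addresses. The log format, the indicator values and the working-hours window are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed indicator set: placeholder values, not real indicators of compromise.
KNOWN_BAD_TOOLS = {"mimikatz.exe", "procdump64.exe", "psexesvc.exe"}
KNOWN_BAD_HASHES = {"c0ffee00bad0"}   # constructed and shortened for readability
WORK_HOURS = range(7, 20)             # logons outside 07:00-19:59 are flagged
# Constructed log lines: timestamp|host|user|event|key=value details
SAMPLE_LOG = """\
2017-03-01T09:12:00|wks01|alice|LOGON|src=10.0.0.5 type=interactive
2017-03-01T09:13:10|wks01|alice|PROC|name=excel.exe sha256=aa11
2017-03-01T02:41:00|wks01|alice|LOGON|src=10.0.0.99 type=remote
2017-03-01T02:42:07|wks01|alice|PROC|name=ProcDump64.exe sha256=bb22
2017-03-01T02:44:30|wks01|svc_backup|LOGON|src=10.0.0.99 type=remote
2017-03-01T02:45:00|wks01|svc_backup|PROC|name=notepad.exe sha256=c0ffee00bad0
"""
LINE_RE = re.compile(r"^([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|(.*)$")

def parse_line(line):
    """Split one log line into a record dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, event, detail = m.groups()
    fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {"ts": ts, "host": host, "user": user, "event": event, **fields}

def hunt(log_text):
    """Return findings as (rule, timestamp, user, evidence) tuples, in log order."""
    findings = []
    logon_sources = defaultdict(set)  # user -> source addresses seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hour = int(rec["ts"][11:13])
        if rec["event"] == "LOGON":
            logon_sources[rec["user"]].add(rec.get("src", "?"))
            if hour not in WORK_HOURS:
                findings.append(("off-hours logon", rec["ts"], rec["user"], rec.get("src")))
        elif rec["event"] == "PROC":
            name = rec.get("name", "").lower()
            if name in KNOWN_BAD_TOOLS:
                findings.append(("known attacker tool", rec["ts"], rec["user"], name))
            if rec.get("sha256") in KNOWN_BAD_HASHES:
                findings.append(("known-bad hash", rec["ts"], rec["user"], rec["sha256"]))
    for user, sources in logon_sources.items():  # session anomaly: one account, many sources
        if len(sources) > 1:
            findings.append(("logons from multiple sources", "-", user, sorted(sources)))
    return findings
```

Running `hunt(SAMPLE_LOG)` yields five findings for the constructed log; in practice the indicator sets would be fed from the threat intelligence feeds the paragraph mentions.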

Incident Response Solutions repurposed to hunt

There are a number of digital forensics and incident response solutions available in the market, from commercial solutions such as Mandiant MIR to open-source solutions like Google GRR. The challenge inherent in repurposing these tools to hunt malware is that they do not scale and also require highly skilled examiners to operate. This approach may be effective for small enterprises that decide to employ key expert personnel or that outsource the work of hunting.

Forensic State Analysis Hunting

There is a single solution on the market today that delivers forensic state analysis (FSA) – Infocyte HUNT. FSA is an automated approach to post-breach detection that assumes devices are already compromised and seeks to validate every endpoint as thoroughly as possible.

The automation inherent in FSA enables users to effectively deploy rapidly, dynamically, and at scale.

FSA operates independently from the host OS and uses dissolvable endpoint surveys to quickly collect live forensic data from both volatile and non-volatile memory. Non-memory based information is also collected to identify persistence mechanisms.

This data is then analyzed using a variety of post-breach analytics techniques, reputation services and multiple threat intelligence sources. Combining this live host forensic data with these analytic techniques, FSA determines the compromise state of each endpoint.
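The FSA workflow described in the last three paragraphs, as an added illustration that is not Infocyte's code: a constructed endpoint survey (running processes from memory plus persistence entries from disk) is checked against placeholder reputation lists and reduced to a single compromise state. The survey format, the hash values, the Run-key entry and the writable-directory heuristic are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed reputation data: placeholder hashes, not real threat intelligence.
KNOWN_GOOD = {"1111": "explorer.exe", "2222": "svchost.exe"}
KNOWN_BAD = {"9999": "credential stealer (constructed)"}
USER_WRITABLE = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\")
@dataclass
class Process:       # one running process from the in-memory survey
    name: str
    path: str
    sha256: str
    signed: bool
@dataclass
class Persistence:   # one autorun entry from the on-disk survey
    location: str
    target: str
    sha256: str
def reputation(sha256):
    return "bad" if sha256 in KNOWN_BAD else "good" if sha256 in KNOWN_GOOD else "unknown"

def analyze(processes, persistence):
    """Return (state, findings); state is clean, suspicious or compromised."""
    findings = []
    for p in processes:
        rep = reputation(p.sha256)
        if rep == "bad":
            findings.append(("compromised", f"{p.name} matches {KNOWN_BAD[p.sha256]}"))
        elif rep == "unknown" and (not p.signed or p.path.startswith(USER_WRITABLE)):
            findings.append(("suspicious", f"unknown unsigned or user-dir binary {p.path}"))
    for e in persistence:
        rep = reputation(e.sha256)
        if rep == "bad":
            findings.append(("compromised", f"persistence {e.location} -> {e.target}"))
        elif rep == "unknown":
            findings.append(("suspicious", f"unknown persistence {e.location} -> {e.target}"))
    levels = {level for level, _ in findings}
    state = "compromised" if "compromised" in levels else ("suspicious" if levels else "clean")
    return state, findings
# Constructed survey of one endpoint: an unsigned look-alike svchost.exe in a user
# profile with an unknown hash, kept alive by a Run-key entry.
SURVEY_PROCS = [
    Process("explorer.exe", "C:\\Windows\\explorer.exe", "1111", True),
    Process("svchost.exe", "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "7777", False),
]
SURVEY_PERSIST = [
    Persistence("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "7777"),
]
```

For the constructed survey `analyze(SURVEY_PROCS, SURVEY_PERSIST)` returns the state "suspicious" with two findings, which is the case the automation is meant to surface for an analyst: nothing matches known-bad intelligence, yet the endpoint cannot be validated as clean.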

Change the Culture for Results

Regardless of the method chosen, hunt programs need to become part of the fabric and culture of the modern financial enterprise. These are iterative processes that should be conducted at regular intervals. How frequently they can be run will depend upon the speed and scalability of the post breach detection platform chosen.

Platforms that offer users the ability to hunt for malware should be viewed as investments similar to those made in fundamental baseline platforms that generate revenue, rather than as defensive software tools.

A failure to adopt malware hunting capabilities puts at risk the institution's ability to conduct business – attackers only have to succeed once in order to do damage, and they're getting better all the time.
