The key to defending financial market infrastructure and shoring up confidence is to detect attacks earlier and thus shorten the "dwell time" that hackers currently enjoy.
FBI director James Comey once said there are only two types of big companies: those that have been hacked and those who don’t yet know they’ve been hacked. Indeed, cybercrime has reached epidemic proportions in the U.S. and around the world. According to Cybersecurity Ventures’ 2016 Cybercrime Report, the annual cost of worldwide cybercrime will exceed $6 trillion by 2021 – double 2015’s estimated $3 trillion global annual cybercrime costs.
In keeping with the startling rise in cybercrime, increasingly sophisticated cyber gangs are targeting financial institutions. Hacking attacks against financial institutions are increasingly the first line of entry in sophisticated fraud and financial crime. For financial institutions, there is a clear klaxon-call: the parapets are under siege, and there are few signs of abatement.
Consider, as exemplar, the February 2016 heist of $81 million from the Central Bank of Bangladesh’s account at the Federal Reserve in New York via the SWIFT network. The intruders hacked into sophisticated financial-market infrastructure, compromising and hijacking its systems and protocols in order to exfiltrate ill-gained funds.
Cybersecurity experts focused on protecting financial institutions believe it is likely that additional financial infrastructure compromises are already underway or have already purloined funds whose loss has not yet been detected. More jarring, reported averages for cyber-attack dwell time – i.e., the time a cyber infiltrator has undetected access to surveil a compromised network – range from 80.5 to 170 days (2016 Trustwave Global Security Report: 80.5 days; 2016 Ponemon Institute Study on Malware Detection & Prevention: 170 days). Even by conservative estimates, this startling metric provides infiltrators the leverage to reconnoitre financial institution networks in detail and to develop sophisticated strategies for expropriating digital funds at their leisure.
Hackers often gain initial entry through the veritable front door by compromising employee access, for example via “phishing” attacks or by stealing credentials over public Wi-Fi. From here, hackers load pernicious tools (e.g., malware to hijack systems or spyware to conduct surveillance), study the network and user behaviors, burrow into and infect the network more deeply, and, ultimately, form a cohesive strategy for heisting funds and/or wreaking destruction. This, however, takes time.
While the best defense is to prevent incursion from inception, this runs counter to the ever-expanding vulnerabilities created by the sheer proliferation of devices and Internet traffic. In 2015, there were an estimated 16.3 billion IP-connected devices and 3 billion digital users. By 2019, those figures are projected to skyrocket to 4 billion users on 24.4 billion connected devices. Further, overall network traffic from 2015 to 2019 is projected to more than double. With the internet model of prolific connectionism exploding, no one can realistically stuff the genie back in the bottle.
The key to defending financial market infrastructure and shoring up confidence is to detect incursions earlier and thus to radically curtail the luxury of dwell time which hackers currently enjoy. As financial attacks require detailed knowledge of the internal systems and protocols used, identifying and cutting off unusual behavior quickly deprives cybercriminals of the reconnaissance time required to perpetrate an attack or exfiltrate data.
To reduce dwell time, organizations must be alerted to potential incursions in a more timely and focused manner. Currently the typical information security group is awash in false alerts and struggles to triage a veritable flood of potential incidents on a daily basis. Increasing the focus and accuracy of alerts such that they are relevant and targeted is a clear priority.
A rapidly growing marketplace of cyber services and tools has emerged to empower organizations to reduce the noise inherent in cybersecurity monitoring. Third-party cyber threat intelligence services offer streaming feeds on suspicious and malicious actors, for instance, by providing a continually updated list of threat-associated IP addresses. Software solution offerings have also emerged to improve the ability of organizations to detect unusual behavior on their own networks. This is increasingly possible through the application of sophisticated data analytics to disassociate “normal” network behavior from anomalies.
The typical institutional network is a rapidly shifting complex of machine-to-machine interconnections, an ecosystem of exchanges characterized by massive volumes and great speeds. Data analytics-based network anomaly detection must thus be big and fast data-enabled – cutting-edge data handling and analysis technology is required.
Security analytics, a new class of big data cyber monitoring solution, applies rapid data analytics to identify network behavioral anomalies soon after they occur. These solutions spawn alerts to information security incident staff, so they can shut down incursions quickly, thus reducing dwell time. These big data platforms also typically integrate and leverage cyber threat intelligence feeds, enhancing statistical anomaly detection with alerts on known rogue actors.
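The two alerting mechanisms described in the preceding paragraphs, a threat-intelligence list of known-bad IP addresses and statistical detection of behaviour that departs from a host's own baseline, can be combined into a single small pipeline. The code below is an added illustration, not code from the article, from SAS or from any vendor: the flow records, IP addresses, the threat-intelligence list and the baseline window are all constructed, and the anomaly score is the modified z-score (median and median absolute deviation), chosen here because a median-based baseline is not dragged upward by the very outlier it is meant to catch.

```python
"""Toy security-analytics pipeline (added example, not from the article):
per-host volume baselines plus a threat-intelligence IP match, emitting alerts
that an incident team could triage. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MOD_Z_THRESHOLD = 3.5  # Iglewicz & Hoaglin's customary cutoff for the modified z-score

# Constructed contents of a hypothetical threat-intelligence feed (documentation-range IPs).
THREAT_INTEL_IPS = {"203.0.113.45", "198.51.100.7"}


@dataclass(frozen=True)
class Flow:
    ts: int         # constructed timestamp (hour index)
    src: str        # internal host
    dst: str        # external destination
    dst_port: int
    bytes_out: int  # bytes sent by src in this flow


@dataclass(frozen=True)
class Alert:
    ts: int
    host: str
    kind: str       # "threat-intel" or "volume-anomaly"
    detail: str


def _flow(ts, src, dst, port, nbytes):
    return Flow(ts, src, dst, port, nbytes)


# Constructed flow log: two hosts with routine traffic in hours 1-7, then
# 10.0.0.5 sends a very large transfer at hour 9 and 10.0.0.9 makes one
# ordinary-sized connection to a listed IP at hour 8.
FLOWS = [
    *[_flow(t, "10.0.0.5", "192.0.2.80", 443, b) for t, b in
      enumerate([1200, 1500, 1100, 1300, 1400, 1250, 1350], start=1)],
    _flow(8, "10.0.0.5", "192.0.2.80", 443, 1280),
    _flow(9, "10.0.0.5", "192.0.2.80", 443, 250_000_000),
    *[_flow(t, "10.0.0.9", "192.0.2.81", 443, b) for t, b in
      enumerate([800, 900, 850, 950, 820, 880, 910], start=1)],
    _flow(8, "10.0.0.9", "203.0.113.45", 443, 870),
    _flow(9, "10.0.0.9", "192.0.2.81", 443, 840),
]


def modified_z(value, baseline):
    """Modified z-score: 0.6745 * (x - median) / MAD. Robust to outliers in the baseline."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:  # degenerate baseline (all identical): any change is maximally surprising
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def build_baselines(flows, baseline_until):
    """Collect each host's per-flow outbound volumes from the learning window."""
    per_host = defaultdict(list)
    for f in flows:
        if f.ts <= baseline_until:
            per_host[f.src].append(f.bytes_out)
    return per_host


def run_pipeline(flows, intel_ips, baseline_until=7, min_baseline=5):
    """Score flows after the baseline window; return alerts in time order."""
    baselines = build_baselines(flows, baseline_until)
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.ts <= baseline_until:
            continue
        # Known-rogue-actor check: independent of any statistical baseline.
        if f.dst in intel_ips:
            alerts.append(Alert(f.ts, f.src, "threat-intel",
                                f"connection to listed IP {f.dst}:{f.dst_port}"))
        # Behavioural check: only for hosts with enough history to form a baseline.
        hist = baselines.get(f.src, [])
        if len(hist) >= min_baseline:
            z = modified_z(f.bytes_out, hist)
            if abs(z) > MOD_Z_THRESHOLD:
                alerts.append(Alert(f.ts, f.src, "volume-anomaly",
                                    f"{f.bytes_out} bytes out, modified z={z:.1f} "
                                    f"vs host median {median(hist):.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline(FLOWS, THREAT_INTEL_IPS):
        print(alert)
```

Run as-is, the pipeline raises exactly two alerts out of four post-baseline flows: the listed-IP connection at hour 8 and the volume spike at hour 9, while the two routine flows are silently passed. The `min_baseline` guard is the cold-start caveat: a host with too little history gets no statistical verdict at all rather than a noisy one, which is precisely the kind of false-alert suppression the text calls for, though it also means a freshly compromised new host is covered only by the threat-intelligence check until its baseline fills in.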
Such advanced big data analytics approaches flip the much needed advantage to institutions, delivering a mechanism for pinpointing hidden anomalies in machine-to-machine interchanges by utilizing cutting-edge streaming analytics. This enables financial institutions to identify and triage credible threats efficiently, accurately, and in a timely manner which radically undercuts dwell time. Such tools and approaches put a powerful weapon into the hands of financial institutions struggling to guard against a rapidly mutating cyber landscape of persistent global threats.
Scott Mongeau is a Data Scientist and Cyber Industry Consultant at SAS.