Expert report showcases insights learnt from forensic studies of cyber-attacks on customers around the world, illustrating the sophistication of attackers’ tactics and techniques and evidencing the positive impact of SWIFT’s Customer Security Programme
The report is based on evidence gathered through the detailed forensic work undertaken by SWIFT’s Customer Security Intelligence team together with cyber security specialists, BAE Systems, and is being distributed to SWIFT customers around the world.
Based on unique insights gained from detailed forensic examinations of a range of recent cyber-attacks on SWIFT customers, the newly published report evidences the value of threat information sharing, and showcases how the resulting findings can be used to help protect against the cyber threat.
“The inevitable criminal focus on the financial industry means that the community needs to ensure it has effective cyber defences against well-funded, motivated and organised attackers. Threat intelligence and information sharing is a critical part of that”, said Dries Watteyne, SWIFT’s Head of Customer Security Intelligence.
The report describes how there has been a significant evolution in the cyber threat facing the global financial industry over the last 18 months as adversaries have significantly advanced their knowledge.
“The adversaries have deployed increasingly sophisticated means of circumventing individual controls within users’ local environments and used ever more creative techniques to access users’ critical assets”, said BAE Systems’ Head of Threat Intelligence, Dr Adrian Nish. “These include gaining Administrator rights for operating systems, manipulating software in memory, and tampering with legitimate functionality to bypass authentication.”
The report also illustrates the chronology of a typical attack and explains how highly covert malware, designed to withstand traditional detection techniques, is being deployed in the attacks.
“In any single attack a mix of malicious files will often be used, whether that be to acquire credentials or to bypass authentication requirements; to learn how internal operations or messages work; to create distractions and delay local security teams’ responses; or to securely delete log files and other traces of the attacks”, said Karel De Kneef, SWIFT’s Security Operations Director.
As well as detailing the attack approaches, the report provides a useful summary of the safeguards customers need to put in place to protect against the threat, starting with basic perimeter and internal security measures, and evidences the impact and importance of SWIFT’s Customer Security Programme.
SWIFT’s Customer Security Programme, which launched in June 2016, is a dedicated initiative designed to reinforce and evolve the security of global banking, consolidating and building on existing SWIFT and industry efforts.
“While the attackers’ sophistication is clearly on the rise, in all cases, they have relied on basic security weaknesses in the targeted customers’ perimeter and internal network security”, said De Kneef. “The determination, patience and cunning the attackers are demonstrating makes it more imperative than ever that customers rapidly deploy and maintain all basic cyber hygiene tools and measures, comprehensively adhere to recommended security controls, and incorporate all the elements set out in SWIFT’s Customer Security Programme”, he added.
Under the programme, SWIFT has published a Customer Security Controls Framework, a core set of mandatory security controls that aim at enhancing customers’ security baselines. The controls have been provided to all SWIFT customers, who have until 31 December 2017 to self-attest their compliance against them. The attestation process enables users to evaluate their current cyber defences against the best practices set out in the framework, so that they can identify areas that need attention and build a project to bring their defences up to standard. This report shows quite how important it is to meet all these controls.
SWIFT has also significantly developed its customer cyber security forensics and analysis capabilities under the Programme, creating a unique information sharing initiative and establishing the dedicated Customer Security Intelligence team led by Watteyne.
Together with BAE Systems, the CSI team undertakes forensic investigations on security incidents within customer premises related to SWIFT products and services and publishes the related intelligence in a readily readable and searchable format in the ‘SWIFT Information Sharing and Analysis Centre’ (SWIFT ISAC), a global portal which is available to the SWIFT community. By feeding back this intelligence in anonymised form to the wider community, sharing it with anti-virus vendors and other information security specialists, SWIFT has been successful in helping to prevent and detect fraud in customer environments.
This joint report is the first of its kind and is timed to coincide with the approaching 31 December deadline for SWIFT customers to submit their self-attestations against the new Customer Security Controls Framework.