Ethical hacking is becoming standard in financial institutions, even if most banks will not admit to having hackers on their payroll. Heather McKenzie investigates how 'white hat' hackers are being used inside institutions to test their cyber defences. 

Richard Lush

Ask a financial institution if it uses ethical, or ‘white hat’, hackers as part of its cybersecurity defences and you will likely get a robust ‘no comment’ by way of response. However, the concept of ethical hacking is now well established, with certification courses and other training programmes widely advertised online. Undoubtedly, many financial institutions employ ethical hackers to test for holes in their computer systems – but most would prefer that people did not know about it.

Yet protecting against cyber attacks is an imperative for banks. According to a recent Accenture report, the cost of addressing and containing cyber attacks is greater for financial services than for any other industry. The report, ‘Unlocking the value of improved cybersecurity protection’, found that the average annual cost of cyber crime in banking globally increased by 11% in 2018 to $18.4m. Only the utilities industry has seen a bigger jump in cost, at 16%.

“Banks are facing many challenges, and at the same time [there are] a lot of new opportunities around new technologies and high customer interaction rates via many different devices,” says Alberto Rosa, corporate head of security and governance at CaixaBank. “Banks need to operate in an open ecosystem, with third-party entities: providers, partners, competitors and regulators. At the same time, banks hold and protect customer-critical information, and security is one of the main concerns for us. In this context, it is important to be prepared for new threats in the cyberspace and try to anticipate the next move of the attackers.”

Pick a colour

Cybersecurity is a colourful business – along with white hat hackers there are black hats, grey hats and red and purple teams. The ethical side is composed of white hats and red and purple teams. Black hats generally hack into systems illegally for financial or other gains, while grey hats can play in both camps – sometimes good, sometimes bad. 

Ethical hacking is mainly focused on penetration tests, whereby an individual will try to break into a financial institution’s systems, gaining administrative privileges and taking control of either whole systems or individual workstations. These tests, however, do not assess the full scenario of a targeted attack against an entire entity (including the complete scope of its people, processes and technologies).

This is where red team exercises come in. These tests mimic the tactics, techniques and procedures of advanced threat actors who are perceived by intelligence as posing a genuine threat to entities. The highest level of simulated hacks is intelligence-led.

In May 2018, the European Central Bank (ECB) published a guide for implementing the European framework for Threat Intelligence-based Ethical Red Teaming (Tiber-EU). The framework enables European and national authorities to work with financial infrastructures and institutions to establish a programme to test and improve their resilience against sophisticated cyber attacks.

“Over the past few years, cyber threats have become increasingly sophisticated, persistent and well resourced,” says Wiebe Ruttenberg, senior adviser, directorate general market infrastructure and payments, at the ECB. “They pose an undeniable risk to the financial system.” Tiber-EU aims to complement the cyber security programmes of banks, financial market infrastructures and other types of financial entities, he adds.

“Many of the financial entities already conduct different types of testing, such as red team testing, penetration testing, vulnerability scanning, scenario-based testing, etc. Many already use ethical hackers. Tiber-EU is considered to be the highest level of testing and can be an additional tool for financial entities to further test themselves, and for supervisors and overseers to gain assurance on the cyber maturity of these financial entities. Most regulators ask financial entities to have a full testing programme in place, and Tiber-EU does not aim to replace this, but simply complement it,” says Mr Ruttenberg. 

Intelligence-led frameworks such as Tiber-EU and the Bank of England’s CBest-EU provide a “very good foundation” for financial institutions, says Richard Lush, vice-president cyber operational security, at IT specialist CGI UK. “There is a high risk to a financial institution if its systems are compromised and during the past few years, regulators have increasingly recommended the use of ethical hackers in improving and testing resilience against sophisticated attacks.”

Security evaluation

Penetration testing should be part of a broader security programme and has been identified by regulators as a key element of cybersecurity programmes, according to Stephen Scharf, chief security officer at the Depository Trust & Clearing Corporation (DTCC). “In fact, some regulators, such as the US Commodity Futures Trading Commission and New York State Department of Financial Services, specifically state that organisations must conduct penetration testing and define the frequency of testing and how this should be carried out,” he adds.

At Russia’s Sberbank, ethical hackers are part of a cybersecurity red team, says Stanislav Kuznetsov, deputy chairman of Sberbank’s executive board. The red team is a division that “follows its own plan, tests IT systems’ security and assesses the quality of Sberbank’s services in terms of cybersecurity”, adds Mr Kuznetsov. This team participates in training exercises in a variety of areas. It is tasked with detecting vulnerabilities inside Sberbank’s infrastructure and deals with them without interrupting the bank’s workflow.

In addition, Sberbank’s cybersecurity subsidiary, BI.Zone, tests the bank’s services, systems and products using the same methods as external malefactors. The combination of the red team and BI.Zone enables the bank to “fix vulnerabilities before the actual malefactors discover them”, says Mr Kuznetsov. Cybersecurity training has also helped the bank to reduce the cases of staff clicking on links in phishing e-mails from 48% to less than 2% during the past three years.

Hygiene levels

Defence against cyber attacks occurs on multiple levels. Stuart Criddle, cyber director at PwC, says elements range from an audit or review of an infrastructure (which includes assessments of whether updates have been installed in a timely manner and whether anything is missing), through to the intelligence-led red team and further into a purple team, which consists of people acting in defence and attack roles.

The main objective of all tests is to identify vulnerabilities within an infrastructure. Like Mr Lush, Mr Criddle believes financial institutions are mature users of cybersecurity tools, having been among the first organisations to undertake penetration testing. While internet and mobile banking mean bank systems are more open to the potential of cyber attack, Mr Criddle says banks are good at managing the changes at the front end with the required cybersecurity processes in back-end legacy systems.

Laurie Mercer, security engineer at cybersecurity company HackerOne, says financial institutions should check whether legacy systems are patched and up to date; and, if a critical security vulnerability is found, whether it can be fixed in a short timeframe. If the answer to either of these questions is no, then the system is more vulnerable to cyber attacks than other systems that are patched and actively maintained, he adds.

Such systems should be replaced or switched off. “To stay ahead of cyber criminals, all systems should be patched and actively maintained,” says Mr Mercer. “This includes software that is built and bought. Every fixed vulnerability and vulnerable system that is updated or switched off represents a risk reduction and another step ahead of cyber criminals.”

Maintaining system patches is part of good cyber security ‘hygiene’, which Mr Ruttenberg says is an important element of cyber resilience. “Financial entities must ensure that they implement a holistic cyber resilience framework, which encompasses the full spectrum of controls around identification, protection, detection and response and recovery. One of the key observations is that financial entities still need to address basic cyber hygiene,” he adds.

Stronger together

Financial entities are also having to enhance their ‘situational awareness’, which means having a detailed understanding of their threat landscape, the threat actors that may target them and the modus operandi that will be used against them, according to Mr Ruttenberg. “Having sound situational awareness enhances the financial entities’ ability to protect themselves and to design controls to prevent cyber criminals exploiting them,” he says.

“Cyber is borderless and non-competitive – financial entities need to work together with all stakeholders to stay ahead of the criminals,” adds Mr Ruttenberg. “Most importantly, financial entities need to have senior management and board-level buy-in for their programme. It is important that the culture from the top takes this threat seriously, and the subsequent actions are able to trickle down through the organisation, in the form of strategic decisions, investment and approach.”

Mr Rosa agrees that collaboration within the industry is crucial to protecting the financial system, which is why companies and policy-makers are fostering the creation of security hubs to share knowledge and capabilities. CaixaBank is collaborating with different European innovation programmes, including Project Concordia, which assesses cyber risks and threats to intelligence in the finance sector. The project is focused on the need to share threat-related information within the industry. “Strength is found in numbers,” adds Mr Rosa.

CaixaBank has also taken a lead role in an alliance of companies, governments, security forces and universities to form the European arm of the Anti-Phishing Working Group (APWG). Originally created in the US, it now numbers 3200 members worldwide. “As the European chapter of the APWG, we share the collaborative work model and the mission to combat cyber crime, adapting all of this to the legal framework and the conditions of the European market,” says Mr Rosa.

Tapping the community

Most financial institutions use a combination of internal and external ethical hackers. PwC, CGI and HackerOne are among many companies that offer penetration testing services. HackerOne’s Mr Mercer believes that harnessing the power of the global hacking community is the most powerful way to create a safe internet.

However, ethical hackers are distributed globally, difficult to schedule and a diverse community. “The most effective way to engage with ethical hackers is to run a bug bounty programme,” says Mr Mercer. This involves inviting external hackers to test your systems to find the vulnerabilities your own team cannot. He adds: “All security breaches are caused by people, so it should be no surprise that the most effective counter-defence is people who find security loopholes before criminals have a chance to find them.”

Many may be hard-pressed to envision a world where a teenager in Argentina can protect a multinational bank, but this is happening today across the globe, says Mr Mercer. These hackers – 90% of whom are under the age of 35 – are protecting organisations, saving them from data breaches that could cause millions of dollars in damages.

Automated tools are fundamental to defending against cyber threats; however, to counteract sophisticated cyber attacks, Mr Scharf says financial institutions need human beings, including ethical hackers who can “act, think and behave like real-world hackers in areas such as penetration testing”. In particular, penetration testers can find previously unknown ways to exploit systems and look for new vulnerabilities and scenarios where individual issues or vulnerabilities may be combined or linked to create a more damaging result than they do individually, also called toxic combinations.

“Ethical hackers can provide a vision of the strength of your security that can be difficult to achieve from a more traditional point of view,” adds Mr Rosa.

The hybrid approach

For broad security programmes, most small and medium-sized enterprises do not have the resources to employ in-house staff; therefore, outside services will be employed, according to DTCC’s Mr Scharf. Larger companies tend to adopt a combination of in-house resources and external consultancy services.

This ‘hybrid’ approach is a preferred model as internal staff understand how an organisation operates and are therefore better placed to advise on how best to conduct internal testing, he says, while external consultancies are better resourced to build up tool sets and to educate penetration testers continuously to ensure they stay ahead of new threats.

“Furthermore, companies should employ a variety of external providers that can conduct different tests to ensure as many threats as possible are identified, since using the same providers may result in the same issues being identified. In short, the optimal model is a blend of in-house resources with several external firms that conduct penetration testing to counter more sophisticated attacks,” says Mr Scharf.

While humans are considered to be an essential element in penetration testing, they are also one of the weakest links in cybersecurity, says Alissa Knight, a senior analyst with Aite Group’s cybersecurity practice. Formerly a white hat hacker, Ms Knight says most financial institutions are aware their systems will be breached but are often surprised at how quickly an ethical hacker can gain access to and control of their systems. “I could often get admin privileges within four to five minutes,” she says.

One of the themes in the cybersecurity vendor community is to develop systems that remove humans from processes. The theory is that humans can miss signals amid a lot of noise that artificial intelligence and machine learning systems will pick up. Another reason is that organisations struggle to hire the human talent required.

Mr Lush adds that “more often than not” a vulnerability identified in a penetration test will be caused by misconfiguration of systems, badly written code or badly followed processes. “That all boils down to people – they set up [systems], write the code, etc. Misconfiguration and bad security practices can go unnoticed for a long time,” he says.

The Banker is a service from the Financial Times.