Rogue Actor Detection: Monitoring for Internal Threats to Your Institution’s Network
While financial institutions understand the need to protect their network perimeter from outside attackers, many invest far less in detecting threats that are already inside the network. A rogue actor of this kind may be a malicious or careless employee, an outside attacker who has already gained a foothold, or any other unauthorized user moving through the network in search of valuable data.
Within the last few years, several major breaches have followed the same pattern: an attacker compromises a single weak point inside an organization and then scans the internal network to find the systems and data worth taking. Cybercriminals have clearly recognized the payoff of targeting financial institutions; community banks and credit unions have been slower to recognize the importance of monitoring for rogue actors on their own networks and reacting to that danger.
As an example, a previously undetected hacker group, now known as MoneyTaker, has netted approximately $10 million in heists from at least 20 companies, including U.S. banks and credit unions, by targeting the ATM and money-transfer networks banks rely on. According to Group-IB, the security firm that published the research, the attackers used memory-resident (fileless) malware, which leaves no file on disk for traditional signature-based antivirus to scan. This also makes it hard for a victim to learn it was ever compromised, because the host-side traces disappear each time the machine is rebooted. What does not disappear is the attackers' activity on the network in the meantime: the scanning, the lateral connections and the use of stolen credentials, which is exactly what internal monitoring is meant to catch. Industry reports have put the average time to discover a network compromise at more than 200 days.
Setting Out Bait
Security experts agree that a missing piece in many institutions' security strategy is the ability to identify unusual internal activity, in particular the reconnaissance an attacker performs after gaining a foothold. One effective way to do this is to deploy decoy data and services (often called honeypots or honeytokens) on the network. A decoy is a trap: it serves no business purpose, so no legitimate user or system ever has a reason to touch it. Any connection, login, or file access on a decoy is therefore a high-confidence alarm, and incident response can begin as soon as an attacker takes the bait.
Examples of decoys typically include port-scan sensors (listeners that flag any host probing ports nothing should be probing) and emulated services such as RDP, SMB file shares, FTP, and SQL database servers, alongside decoy data such as planted credentials or documents that should never be used.
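As an added example of how a decoy service turns a single touch into an alarm (this is illustrative code written for this article, not the page's or any vendor's product), the following Python script opens listeners on a set of hypothetical decoy ports, records every connection attempt, and correlates hits from one source into a reconnaissance alert when several decoy ports are probed within a short window. The port list, the thresholds, and the sample connection events are constructed for illustration.

```python
# Added illustration of decoy-service monitoring; not the page's or any vendor's
# code. Ports, thresholds and the sample events below are constructed.
import socket
import sys
import threading
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical decoy services. No legitimate client ever has a reason to
# connect, so a single connection attempt is already an alert.
DECOY_PORTS = {21: "ftp", 445: "smb", 1433: "mssql", 3389: "rdp"}
SCAN_WINDOW_SECONDS = 60  # hits from one source inside this window are correlated
SCAN_PORT_THRESHOLD = 3   # distinct decoy ports in the window => reconnaissance

@dataclass(frozen=True)
class Alert:
    kind: str     # "decoy_access" (one touch) or "port_scan" (correlated recon)
    src: str      # source IP of the connection attempt
    ports: tuple  # decoy port(s) involved
    ts: float     # epoch seconds

class DecoyMonitor:
    """Turns connection attempts into alerts; safe to share between listener threads."""

    def __init__(self):
        self._lock = threading.Lock()
        self._hits = defaultdict(deque)  # src -> deque of (ts, port), oldest first
        self._scan_reported = set()      # sources already flagged as scanning

    def record(self, src, port, ts):
        """Record one connection attempt and return the alerts it raises."""
        if port not in DECOY_PORTS:
            return []                    # a real service, not a decoy: ignore
        alerts = [Alert("decoy_access", src, (port,), ts)]
        with self._lock:
            window = self._hits[src]
            window.append((ts, port))
            while ts - window[0][0] > SCAN_WINDOW_SECONDS:
                window.popleft()         # expire hits that fell outside the window
            distinct = {p for _, p in window}
            if len(distinct) >= SCAN_PORT_THRESHOLD and src not in self._scan_reported:
                self._scan_reported.add(src)  # one scan alert per source
                alerts.append(Alert("port_scan", src, tuple(sorted(distinct)), ts))
        return alerts

def serve_decoy(port, monitor, stop, bind_addr="0.0.0.0"):
    """Listen on one decoy port: record the caller, send a plausible banner, hang up."""
    # The decoy never implements the protocol; its only job is to be touched.
    banner = {21: b"220 FTP server ready\r\n"}.get(port, b"")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(8)
        srv.settimeout(0.5)              # poll so the thread can be stopped
        while not stop.is_set():
            try:
                conn, (src, _) = srv.accept()
            except socket.timeout:
                continue
            with conn:
                for a in monitor.record(src, port, time.time()):
                    print(f"ALERT {a.kind} src={a.src} ports={a.ports}")
                if banner:
                    conn.sendall(banner)

def replay(events, monitor=None):
    """Feed (ts, src, port) events to a monitor; used for tests and log replay."""
    monitor = monitor or DecoyMonitor()
    alerts = []
    for ts, src, port in events:
        alerts.extend(monitor.record(src, port, ts))
    return alerts

# Constructed sample: 10.0.5.23 sweeps three decoy ports in ten seconds (recon),
# 10.0.7.8 touches the decoy share once, and 10.0.9.1 hits a real web port.
SAMPLE_EVENTS = [
    (1000.0, "10.0.5.23", 445),
    (1003.0, "10.0.5.23", 3389),
    (1010.0, "10.0.5.23", 1433),
    (1020.0, "10.0.7.8", 445),
    (1025.0, "10.0.9.1", 80),
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
    if "--serve" in sys.argv:            # live listeners; ports < 1024 need privileges
        stop, monitor = threading.Event(), DecoyMonitor()
        for p in DECOY_PORTS:
            threading.Thread(target=serve_decoy, args=(p, monitor, stop), daemon=True).start()
        try:
            threading.Event().wait()     # block until Ctrl-C
        except KeyboardInterrupt:
            stop.set()
```

Run it as-is to replay the constructed events: the sweeping host produces three single-touch alerts and one correlated port-scan alert, the one-off touch of the decoy share produces a single alert, and the connection to the real web port produces nothing. Run it with `--serve` (as a privileged user, on a host that does not already offer these services) to bind the live listeners. In practice the alerts would go to the institution's SIEM rather than stdout, and the decoys would be given hostnames and share names that look like real assets so a scanning attacker cannot tell them apart from the genuine ones.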
Protection for Community Financial Institutions
Many organizations that recently experienced breaches would have benefited from a solution that monitors their internal network and detects unusual activity on it. For community banks and credit unions, perimeter defenses can only do so much to protect the institution and its customers' information. Cybercriminals will continue to develop more sophisticated malware and carry out targeted attacks to compromise these networks. To close this gap, financial organizations need to monitor for internal threats and stop unauthorized network users before they reach the systems that matter.