
- Rising cyber fraud and insider threat cases continue to plague the financial industry growing the need to secure SWIFT networks
- Leveraging behavioral analyses, IBM Security ReaQta’s Detection Strategies enables banks to fully customize unique sets of detections to guard access to SWIFT networks
As SWIFT cyber fraud rises in recent years, financial institutions today face a devastating aftermath: having their sensitive data exfiltrated and money stolen as attackers infiltrate banks in a targeted, calculated manner while utilizing sophisticated malware.
What is the SWIFT network? It allows banks and other financial institutions to securely send and receive information about financial transactions.
One of the most prominent cyber attacks relating to SWIFT took place in 2014, perpetrated by the Carbanak group, which resulted in more than $900 million USD stolen from several banks [1]. In the years after that, a slew of other bank heists was undertaken globally by different threat actors. Victims of such attacks include Bangladesh’s Central Bank, Far Eastern International Bank in Taiwan [2] and Banco de Chile, amongst other financial institutions.
Today, the financial sector remains a prime target for cyber criminals, as the latest Verizon Data Breach Report [3] confirms. Most attackers have one ultimate goal: compromise the SWIFT network so as to create seemingly ‘legitimate’ messages (transactions) that move money out of the organization.
Compromised Identities
The 2016 Bangladesh Bank Robbery [4], also dubbed the Bangladesh Bank cyber heist, was an epic $81 million cyber fraud that headlined the news. Using the SWIFT credentials of Bangladesh central bank employees, more than three dozen fraudulent money transfer requests were sent to the Federal Reserve Bank of New York, asking the bank to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.
In the wake of such attacks, significant concerns have been raised about the SWIFT network, as well as the urgency to have effective security measures in place. In response, SWIFT released specific guidelines aimed at strengthening the security posture of all organizations that are connected to the SWIFT network.
The challenge remains: How can companies monitor and protect access to the SWIFT network so that their network is safe?
Zero Trust
Coined by John Kindervag during his tenure at Forrester, Zero Trust [5] is a security framework that “centres on the belief that trust is a vulnerability” and eliminates the idea of a trusted network inside corporate perimeters. Instead, it emphasizes the need to “never trust, always verify” while “assuming breach”.
In 2020, Tesla became a target of an attempted ransomware attack. A Tesla employee was offered a $1 million bribe to install ransomware on Tesla’s Nevada-based Gigafactory, which could have meant millions in extortion and damages if the attack had succeeded. While the attack was eventually thwarted, it leads us to wonder, “What if the employee had installed the ransomware?”
In an alternate reality, a disgruntled employee or one motivated by the ‘opportunity’ to make fast money might just succumb to the lure. According to Verizon, 34% of data breaches in 2019 were insider attacks, with 71% of data breaches motivated by money. Had the Tesla employee chosen the route of deploying ransomware, as a trusted insider he might well have succeeded, since it would simply have been routine work carried out with the appropriate access and credentials.
As the above example shows, insider threats are an industry-wide phenomenon. Read on for a finance case study that draws a similar picture.
How can one then keep these attackers at bay? IBM Security ReaQta augments the zero-trust concept through Detection Strategies (DeStra) by leaving nothing to chance, even within ‘rightful’ perimeters.

DeStra Creation
IBM Security ReaQta’s Detection Strategies for SWIFT: DeStra
ReaQta provides a unique feature called Detection Strategies (DeStra) specifically created to support advanced teams in the detection of highly sophisticated threat actors (APTs) and to create highly-customized detection scenarios, tailor-fitted to any organization’s security needs.
All DeStra run in real time on the endpoint and are capable of identifying and responding to a new behaviour as it happens. Once a DeStra is created, it is activated across the entire organization within minutes, without any intervention or downtime. Unlike traditional post-processing rules, DeStra playbooks react immediately to a threat, leaving an attacker little room for movement.
DESTRA, PURPOSE-BUILT FOR BANKS
With cyber adversaries becoming ever more skilled and relentless, attackers today may find a way into the SWIFT network with the help of insiders or via stolen credentials gathered during a traditional attack targeting the IT network. Users with rightful access and permissions to the platform may still act maliciously; disgruntled employees in particular can pose a significant security risk to the entire organization.
To counter such threats, banks can now create custom-built DeStra on the IBM Security ReaQta platform to detect potential exploits and to flag deviations of user or process behaviour from the defined norm.
CASE STUDY: BANK IN ASIA
ReaQta managed to stop an attempted breach into a SWIFT network.
During this hacking attempt, a malicious insider (Alice) tried to mask her tracks by using unauthorized scripts that were not native to the compromised devices to execute PowerShell. The PowerShell scripts were designed to create a backdoor which would allow the perpetrators to gain elevated access to the bank’s SWIFT network remotely. Leaving nothing to chance, ReaQta’s DeStra detected the breach right from the beginning.
The first detection shows the user (Alice) accessing the SWIFT network outside of regular working hours, on a public holiday, in an attempt to compromise the system. Her activity was automatically detected as unusual due to a DeStra violation: Account Logon Outside Of Working Hours.
DeStra Detection: Alice logging on to the SWIFT network outside of working hours
DeStra Details: DeStra script shows the detection parameters
In the visual above, the DeStra is customized to detect deviations from the defined norm, such as regular working hours, including the dates, timings and public holidays pertaining to that specific geography. Such parameters can be amended on the console and take effect without reboots or updates to the endpoint.
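The check described above, written out as an added example: this is not ReaQta’s DeStra script, but an illustration of how an “Account Logon Outside Of Working Hours” rule can be parameterized per geography (shift window, working weekdays, public holidays) and run over a logon feed. The event fields, host names, the policy values and the fixed UTC+8 offset are all assumptions constructed for the example; a production rule would use a full timezone database and the site’s real holiday calendar.

```python
"""Account Logon Outside Of Working Hours: an added worked example.

Not ReaQta's own rule. Assumes a hypothetical logon feed with fields
(user, host, timestamp in UTC, success) and a per-site policy giving the
local UTC offset, the shift window, working weekdays and public holidays.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone, tzinfo


@dataclass(frozen=True)
class WorkingHoursPolicy:
    """Defined norm for one geography (all values here are constructed)."""
    tz: tzinfo                     # site's local offset (fixed here for simplicity)
    start: time                    # shift start, local time (inclusive)
    end: time                      # shift end, local time (exclusive)
    workdays: frozenset = frozenset({0, 1, 2, 3, 4})   # Monday=0 .. Friday=4
    holidays: frozenset = field(default_factory=frozenset)  # set of date objects

    def reason_outside(self, when_utc: datetime):
        """Return None when the instant is inside working hours, else why not."""
        local = when_utc.astimezone(self.tz)
        if local.date() in self.holidays:
            return "public holiday"
        if local.weekday() not in self.workdays:
            return "non-working day"
        if not (self.start <= local.time() < self.end):
            return "outside shift window"
        return None

    def is_within(self, when_utc: datetime) -> bool:
        return self.reason_outside(when_utc) is None


@dataclass(frozen=True)
class LogonEvent:
    user: str
    host: str
    timestamp: datetime   # timezone-aware, UTC
    success: bool


def detect_out_of_hours_logons(events, policy, monitored_hosts):
    """Return (event, reason) for every successful logon to a monitored
    SWIFT host that falls outside the site's defined working hours.
    Failed logons and non-SWIFT hosts are ignored by this rule."""
    violations = []
    for ev in events:
        if ev.host not in monitored_hosts or not ev.success:
            continue
        reason = policy.reason_outside(ev.timestamp)
        if reason is not None:
            violations.append((ev, reason))
    return violations


# Constructed sample policy: 08:30-18:30 local, UTC+8, one hypothetical holiday.
SGT = timezone(timedelta(hours=8), "SGT")
SG_POLICY = WorkingHoursPolicy(
    tz=SGT,
    start=time(8, 30),
    end=time(18, 30),
    holidays=frozenset({date(2021, 8, 9)}),   # Monday, declared a holiday here
)
SWIFT_HOSTS = {"swift-gw-01", "swift-gw-02"}   # hypothetical SWIFT endpoint names

# Constructed logon events (not real data). Comments give the local time.
SAMPLE_EVENTS = [
    LogonEvent("bob",   "swift-gw-01", datetime(2021, 8, 10, 2, 0, tzinfo=timezone.utc), True),   # Tue 10:00, in hours
    LogonEvent("alice", "swift-gw-01", datetime(2021, 8, 9, 3, 0, tzinfo=timezone.utc), True),    # Mon 11:00, holiday
    LogonEvent("alice", "swift-gw-02", datetime(2021, 8, 10, 14, 0, tzinfo=timezone.utc), True),  # Tue 22:00, after shift
    LogonEvent("carol", "fileserver-3", datetime(2021, 8, 9, 3, 0, tzinfo=timezone.utc), True),   # not a SWIFT host
    LogonEvent("alice", "swift-gw-01", datetime(2021, 8, 7, 3, 0, tzinfo=timezone.utc), True),    # Sat 11:00, weekend
]

if __name__ == "__main__":
    for ev, why in detect_out_of_hours_logons(SAMPLE_EVENTS, SG_POLICY, SWIFT_HOSTS):
        print(f"VIOLATION {ev.user}@{ev.host} at {ev.timestamp.isoformat()}: {why}")
```

Running the block reports three violations, all for alice: the holiday logon, the late-evening logon and the Saturday logon; bob’s in-hours logon and carol’s logon to a non-SWIFT host are not flagged. Because the policy object carries the parameters, amending the holiday list or shift window changes the verdicts without touching the detection code, which is the property the visual above illustrates.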
Alice then executed a PowerShell script via unauthorized applications in the hope that her activity would not be logged and that no one would be monitoring it. Given Alice’s credentials as an employee, it was well within her means to do so. But ReaQta’s DeStra left nothing to chance.
DeStra Detection: PowerShell script executed
Upon detecting Alice’s unusual account activity in real time, the endpoint was automatically moved into deep-monitoring mode, ensuring that all events surrounding the device were captured. With the information gathered in this mode of extensive monitoring, the behavioural tree reconstructs all processes and behaviours in chronological sequence, making it easy for analysts to identify anything out of the ordinary simply by looking at the graphical representation.
The data fields are: application/process name, Size, Privilege Level, User, Hash, Signer, CmdLine, Mitre Events, Time, Tactic, Technique and Events. An interactive alert was automatically triggered and sent to the IT security team to notify them of potentially unusual access to SWIFT endpoints.
Behavioural tree showing the processes and behaviours resulting from the PowerShell execution
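To make the detection step concrete, here is an added example (not ReaQta’s behavioural tree or DeStra engine) that rebuilds a process chain from endpoint events and flags PowerShell started through a parent that is not on a launcher allow-list, which is the shape of Alice’s second detection. The event fields, the process and host names, the sample command lines and the allow-list of authorized launchers are all constructed assumptions for this illustration.

```python
"""Process-tree reconstruction and 'PowerShell via unauthorized parent' check.

Added example, not ReaQta code. Assumes endpoint events with fields
(time, pid, ppid, name, user, privilege, cmdline, signer), a subset of
the data fields listed above; all sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    time: str        # ISO-8601 local time, used only to order the chain
    pid: int
    ppid: int
    name: str
    user: str
    privilege: str   # e.g. "user" or "high"
    cmdline: str
    signer: str      # code-signing identity, or "" when unsigned


# Hypothetical allow-list: parents a bank permits to start PowerShell on a
# SWIFT endpoint (interactive shell, service host, the endpoint agent).
AUTHORIZED_POWERSHELL_PARENTS = {"explorer.exe", "svchost.exe", "endpoint-agent.exe"}
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


def build_tree(events):
    """Index events by pid so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def ancestry(by_pid, pid):
    """Chronological chain root -> pid. Stops at an unknown ppid (orphan)
    or if the ppid links loop, so a malformed feed cannot hang the check."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect_unauthorized_powershell(events):
    """Return one finding per PowerShell process whose direct parent is not
    an authorized launcher, including the reconstructed chain for analysts."""
    by_pid = build_tree(events)
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.name.lower() not in POWERSHELL_NAMES:
            continue
        parent = by_pid.get(ev.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        if parent_name in AUTHORIZED_POWERSHELL_PARENTS:
            continue
        findings.append({
            "pid": ev.pid,
            "user": ev.user,
            "parent": parent_name,
            "parent_signer": parent.signer if parent else "",
            "privilege": ev.privilege,
            "cmdline": ev.cmdline,
            "chain": " -> ".join(p.name for p in ancestry(by_pid, ev.pid)),
        })
    return findings


# Constructed sample feed: one benign PowerShell launch, one launched by an
# unsigned tool that is not native to the host, and one orphaned shell.
SAMPLE_EVENTS = [
    ProcessEvent("2021-08-09T11:02:00", 100, 1,   "explorer.exe",   "bob",   "user", "explorer.exe", "Microsoft Windows"),
    ProcessEvent("2021-08-09T11:03:00", 101, 100, "powershell.exe", "bob",   "user", "powershell.exe -File report.ps1", "Microsoft Windows"),
    ProcessEvent("2021-08-09T11:10:00", 200, 1,   "explorer.exe",   "alice", "user", "explorer.exe", "Microsoft Windows"),
    ProcessEvent("2021-08-09T11:11:00", 201, 200, "unauth_tool.exe", "alice", "user", "unauth_tool.exe", ""),
    ProcessEvent("2021-08-09T11:12:00", 202, 201, "powershell.exe", "alice", "high", "powershell.exe -File task.ps1", "Microsoft Windows"),
    ProcessEvent("2021-08-09T11:20:00", 303, 999, "pwsh.exe",       "alice", "user", "pwsh.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for f in detect_unauthorized_powershell(SAMPLE_EVENTS):
        print(f"ALERT pid={f['pid']} user={f['user']} parent={f['parent']} "
              f"priv={f['privilege']} chain={f['chain']}")
```

The first finding is the one that corresponds to the case study: PowerShell running at high privilege under alice, launched by an unsigned tool rather than an authorized launcher, with the chain explorer.exe -> unauth_tool.exe -> powershell.exe ready for the analyst. The orphaned pwsh.exe (parent not present in the feed) is also surfaced rather than silently skipped, since a missing parent is itself worth a look in deep-monitoring mode.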
Had Alice’s activity gone unnoticed, the attacker would have gained unwarranted access to and control of the platform, which might have led to serious damage: data exfiltration, stolen information, financial loss and more.
ReaQta monitors SWIFT networks in real-time, protecting its users from such use-cases by detecting user behaviour that goes against predefined parameters.
Examples of such events include changes of account privileges, user access outside normal working hours, brute-force events, new user creation and many more.
With ReaQta, financial institutions are able to extend Zero Trust to their SWIFT environments through the flexibility of creating customized detection scenarios with its proprietary DeStra technology.
IBM Security ReaQta covers both external and insider threats attempting to execute actions on a highly sensitive network, leaving nothing to chance.
Financial institutions that are connected to the SWIFT network now have the weapons in hand to defend their networks from both external and insider threats.
To learn more about how IBM Security ReaQta can help organizations protect access to the SWIFT network so that their network is safe, read more here.