Stemming the Tide: How to Identify and Mitigate Pandemic-Era Cyber Threats

COVID-19 has set structural and technological changes in motion, creating new cyber risk and security challenges that will likely endure even after the pandemic ends. There is no shortage of cyber-threat actors attempting to take advantage of this situation, and the majority of cyberattacks continue to be financially motivated.

What's more, there is no end in sight, with damages from cybercrime projected to reach $6 trillion globally in 2021. Unsurprisingly, the banking industry has remained a particular target, with recent research showing that two-thirds of financial services firms suffered cyberattacks last year. What are the most prevalent threats they are facing, and what steps can they take to mitigate these risks?

The COVID-19 Cyber Threat Landscape “New Reality”

While the financial services industry has seen strong progress over the last decade in terms of threat information sharing and cyber resilience measures, the fact of the matter is that it is still easier to attack than defend in cyberspace. Every year, cybercrime becomes cheaper, easier and faster, making a variety of companies - including banks - more vulnerable to attacks than ever before.

2020, of course, was no exception. Most financial institutions' risk frameworks and security architectures were built for a pre-COVID-19 cyber threat landscape. As firms seek to reassess these threats and eventually adapt to meet post-pandemic cyber challenges, they must take stock of the complex and varying type of cyberattacks they faced in 2020.

Last year, massive downtime costs and large troves of highly sensitive data made the financial services sector particularly vulnerable to ransomware, supply chain compromise, distributed-denial-of-service (DDoS) and data breach attacks. As cybercriminals devised new ways to profit, such attacks grew in volume, sophistication and impact.

“DDoS extortions,” where attackers extort companies by threatening DDoS attacks, made a resurgence in 2020, with MoneyGram, PayPal and the New Zealand stock exchange (NZX) among financial institutions targeted. The potential impact from DDoS attacks has grown immensely: Amazon Web Services, for instance, suffered a record-setting attack last February that peaked at 2.3 TB per second.

While previous DDoS extortionists targeted victim's public websites, attacks this year targeted operational infrastructure, API endpoints and DNS servers. These new tactics are more complex and much harder to mitigate, and can result in severe and prolonged outages; the NZX website, for example, remained offline for almost a whole week.

However, while DDoS attacks have caused significant problems, ransomware dominated the headlines last year. In fact, compared to 2019, we saw seven times the number of ransomware attacks in 2020. It's far from just a volume issue, though, with ransomware operators regularly thinking of new and innovative attack strategies - driven by profit.

Attackers now almost always steal sensitive data before its protected with encryption, and either extort victims by threatening to publish data online - so-called “double-extortion” ransomware - or auction off victim's data on the dark web. Among companies that experienced double-extortion ransomware attacks last year were Banco de Costa Rica and a trio of and financial technology providers: Cognizant, Finastra and Pitney Bowes. We have, moreover, seen a staggering growth in the ransomware-as-a-service (RaaS) market, with Intel 471 tracking 18 new RaaS groups this year.

The U.S. Securities and Exchange Commission (SEC) has issued multiple alerts warning of increasingly advanced ransomware attacks on financial institutions, as well as their third-party service providers. However, as the massive SolarWinds breach starkly highlighted, even entities with relatively robust cyber defenses are still vulnerable to attacks through third-party suppliers.

Sophisticated attackers recognize this, and are increasingly devoting attention and resources to target supply-chain companies that allow them to compromise many networks at once. Indeed, companies everywhere need to pay more attention to supply-chain vulnerabilities as potential attack vectors for data breaches, ransomware and other cyberattacks.

Ransomware presents a particular threat to financial institutions in terms of business disruption and system availability, especially if malware infects backup and restoration platforms. A financial institution's worth depends on its ability to deliver key transactional services - e.g., deposits, loans, investments and trades - reliably and securely. Successful ransomware attacks not only incur huge downtime costs to financial institutions but also have an adverse effect on business reputations, regulatory implications and contractual relationships.

Ransomware threats also present a unique defense challenge because, once malware is running on a user's system, the ransomware effectively is the user - at least, from an operating system standpoint. User accounts, moreover, can be compromised in a variety of ways, including business e-mail compromise (BEC), phishing, spoofing and more.

The SEC has warned of an increase in credential compromises and the FS-ISAC has reported that average monthly fraud cases increased by 82% in 2020. A company's defenses against ransomware attacks are therefore critically reliant on good cyber awareness and hygiene from employees. But, with the new normal of a distributed workforce, proper cyber awareness and hygiene training presents an even bigger challenge.

Obstacles to Securing a Distributed Workforce

The shift to remote work has been a particular challenge for the banking industry, which has strong in-office norms. Employees working from home are using more devices and more applications (e.g. Zoom, Slack), connecting to company infrastructure over home networks that are often poorly secured. This situation creates multiple challenges to securing enterprise networks .

Increases in endpoints, operating systems and applications have caused the cyberattack surface - i.e., the number of possible ways an attacker can get into a network - to expand significantly. Each of these new endpoints and tools also result in new security data streams that operations teams must process and track to look for threats. Security teams are facing an incredible volume of complex data streams - data that are often in vendor-specific formats that reduce effectiveness of security tools.

Cyber defenses today are much more distributed, and most companies have not implemented new controls to fill gaps. Moreover, compared to on-site operations, security teams now have much less oversight and visibility into employee actions on home networks.

Moreover, many employees working from home are forced to juggle the demands of work, childcare and general stress over pandemic uncertainty. Distracted employees paying less attention to security are much more susceptible to clicking on malicious links and social engineering attacks. The threat of this is exacerbated by spikes in such attacks, with global phishing attacks growing by 600 percent in the first quarter of 2020.

These factors create a situation where attackers can gain footholds in networks through negligence, careless mistakes and poor personal cyber hygiene. Subsequently, attackers can move laterally through enterprise networks to perform a variety of cyberattacks, from data breaches to ransomware.

Improving Cyber Defenses: Quantifying and Mitigating Exposure

While there is no one-size-fits-all solution, there are specific defensive investments that financial institutions can implement to mitigate risk from costly cyberattacks.

The first step in improving cyber defenses is to know what needs protection by quantifying cyber risk exposure. Boards, senior business executives and CISOs require a comprehensive understanding of their cyber exposure and ability to recover.

This analysis sets the foundation for making strategic investments in defensive measures. When undergoing a cyber risk analysis, companies must conduct a 360-degree review across the enterprise that includes external exposures, such as service providers.

Indeed, managing supply-chain risk from service providers has become an essential part of corporate risk management. Since supply-chain attacks leverage an existing trust relationship between vendors and customers, they can be incredibly difficult to prevent and detect - but companies must at least include the possibility of such attacks in their risk assessments and threat models. Today, unfortunately, many companies remain underinvested in this area.

Of course, companies should ideally try to evaluate the cyber risk exposure of prospective service providers before engaging them as trusted third-party partners, and one way to achieve this is through security ratings. These ratings, from vendors like SecurityScorecard, provide a standardized snapshot and ongoing monitoring of companies' cybersecurity capabilities, helping them make strategic risk decisions.

Advanced companies can also use security ratings alongside strategic risk metrics to (1) align cyber scenarios with material business exposure; (2) rollup cyber risks with financial exposure to inform risk management decisions (transfer, manage, accept); and (3) measure improvement of cyber risk reduction over time.

Companies must also ensure sound technology hygiene. A large part of this is implementing proactive vulnerability, secure coding and patch-management programs. But it also includes managing supply-chain exposure, integrating enterprise-wide security, performing regular risk assessment evaluations and implementing incident response exercises.

Operational Resilience, Training and Cyber Culture

Given how ensuring business service continuity is mission critical for financial institutions, organizations must also build operationally resilient platforms - to guarantee that core business transactions can still take place in the event of a cyberattack. This can involve not only network segmentation measures but also physical separation of back-up and primary data environments.

What's more, companies must relentlessly develop, test and train for incident and crisis management plans, so that employees know what initial response steps need to be taken to contain the “blast radius,” if an attack were to occur. Part of this includes knowing who to engage in the broader cyber ecosystem for intelligence gathering and containment strategies to mitigate the effects of an attack.

Lastly, with employees continuing to work from home for the foreseeable future, companies should take steps to improve cyber awareness and to implement a good cyber culture across the company. One component of this is implementing cyber training programs, like phishing exercises and cyber awareness courses, to educate employees on the different types of cyberattack threats and the key initial response actions.

Christopher Hetner currently serves as both a special advisor of cyber risk to the National Association of Corporate Directors (NACD) and an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury). Previously, he served as the senior cybersecurity advisor to the chair of the SEC. He can be reached at chetner10@gmail.com.