bobsguide spoke to Neil Haskins, Director of IOActive’s advisory services in EMEA and Middle East. With over 27 years worth of industry experience, Neil was delighted to talk reporter Dave Beach, through a simulation of a hack on a model Tier One Bank.
Imagine you are a bad actor. Give us a step by step account of how you would hack and breach a tier one bank.
The first thing I’d do is perform reconnaissance on the target. I can do that physically by visiting a branch or headquarters, or remotely, I can look into Open Source Intelligence (OSINT) i.e. what is already known about this particular bank. I could also look on social media as well as the About page to identify key employees and their access level.
I would also use the deep, dark web to determine if any other hacker had already succeeded in breaching the outer defences and if any credentials or information are for sale. It’s almost like a hostile takeover, with external due diligence as well as reconnaissance of the internal banking environment of the target.
Once I have all of this information, I’d look at how to get in.
If I’m in the same location, I might perform a USB drop. Quite simply, I would leave a USB stick preloaded with malware in the bank’s carpark or near a teller’s desk with the hopes someone will pick it up and plug it into an internal computer, banking that the bank does not have restrictions. You would be surprised how many organisations allow this to happen. A friend of mine was contracted by the US Marines to combat this very problem; the only way to stop personnel using USBs was to physically glue the ports. Once I’ve successfully spoofed a bank employee to insert the USB, my malware is now in the banking environment.
If this doesn’t work, I might use the intel I gathered on employees. If I see an Instagram post of an employee at the latest Cisco conference I can be pretty sure you’re a network engineer and that your credentials are worth stealing. One way to approach you may be to connect with that employee on LinkedIn and send them a message about a bogus Cisco report with a malware attachment.
A bad actor won’t just resort to online tactics either. Another tactic is voice phishing; the actor spoofs a bank phone operator into resetting a password from within the bank’s environment, again by using social media to find the customers who readily use Twitter to complain about account problems.
Finally, if none of these methods work, I’d target third party suppliers. One of these might be an HR company which won’t have as robust defences. I’d be able to infiltrate into their environment, patiently learn their interactions with the bank and slip in a malware attachment to a non-descript spreadsheet coming from the HR company; you trust this company so why would you not open it?
Once I’ve gained access to the internal network environment I’d lie low, traversing the bank’s network to find the crown jewels, be it funds, a list of customers or credit cards; it’s not necessarily a smash and grab to drain the vault, but to patiently siphon data and sell on the dark web. Once I’ve found what I’m looking for, I’d move laterally and quietly whilst tentatively probing at the internal countermeasure system to learn about the environment.
Quite often the bad actors know more about a bank’s network than its own network engineers do. By feeling my way around the network, I can build a bigger picture - if the bank uses Symantec or RSA, I can build or buy malware to bypass these systems based on known vulnerabilities. In this way, I’d be able to map the network layout, almost signposting your crown jewels as well as devising carefully considered exit strategies.
Once I’m firmly entrenched and confident I know the bank’s network like the back of my hand, I can start to monetise operations. Initially, and depending on my window of opportunity, this might be jackpotting the ATM network - where the machine empties its content for an awaiting accompolice.
Realistically though, this will draw attention and it would be much more profitable to wait. I may look at ways to draw money into my own accounts or to attack the cryptocurrency environment; I can do this either by stealing or piggybacking your computer power to mine cryptocurrency for me. I might also look to steal customer data to be sold on the black market; I can hide regular extraction of data by masking it in an outgoing email with the data hidden in an image within an attachment. Similarly, I can mask my own activity by deleting my digital footprint using the admin credentials I acquired during reconnaissance.
Even after covering up my tracks I’d still maintain remote access so that I can revisit the same ‘hole in the fence’ at a later date. If the bank still doesn’t notice my presence, I can do it all over again; this is where it gets lucrative.
Another thing that we’re beginning to see is a concerted effort to use ransomware on financial services. Everyone is all too aware of this type of attack but, in essence, this is where the initial infiltration spreads a virus that encrypts sensitive files and a ransom is demanded to release them. The C-board dilemma becomes a question of paying the ransom which, in the eyes of some law enforcement, constitutes a crime in itself as you would be supporting organised crime. At this point you may be on the phone to your cyber insurer if you have one, or, if you do decide to pay the ransom, how can you be sure I won’t come back in three months time and do it all again?
I call this dynamic multi-vector attacks, and it’s a real nightmare for banks; I keep my attack moving all the time and in different places, constantly probing and assessing your internal alert system. In this way, I’d keep a low profile and regularly withdraw small amounts of data and money. This is what current bad actors are doing.
What are the most effective countermeasures?
a) You need a dedicated security programme. Often there’ll be a blurring of job titles between the network team and the security team; your security team should be separate and able to think like the bad actors - a world apart from the network engineers.
b) Get rid of low hanging fruit. Think like bad actors and reduce the number of entry points. If only three employees need to use USBs, consider banning them.
c) Don’t just tick the audit boxes. It’s tempting just to pass the auditor’s report, but realistically this won’t grant you a very robust defence and it’ll make you an easier target for hackers. There’s also a trade-off between the regulatory fines being cheaper than investing in security. The more you hold off investment in security, the bigger target you become and eventually you’ll lose more money in spectacular hacking fashion.
d) Changes need to come from the top. The people from the very top have to believe that security is important and worth investing time and resources.
e) Culture change. You also have to initiate a culture change from the top-down whereby you educate your workforce to be more aware of phishing and other techniques; do a hacking fire drill to test your employees by sending around a phishing email. I’ve also seen some companies promote that change in their employees’ personal lives as well with complimentary endpoint protection for their home computers.
f) The CISO needs to be listened to. It immensely frustrates me when I see the chief marketing or product officer placed higher on the ‘About’ of a company’s website. Without the CISO you have no product to sell. The CISO should be right up there with the CIO and have a voice on the board.
g) Controls need to be in place. Assess your own defences, what you’d like them to be and, from there, implement a full defence in stages, in a controlled way. You just have to be better than the average because the bad guys will always opt for the easier target. Don’t leap in at the deep end with all the fancy software; take a measured approach and build up the defensive layers.
h) IT and CIO is accountable and responsible. After the security team tests and identifies the weak points, the CIO is accountable and responsible for embedding the technology to strengthen the defence; you cannot have a disjoint between security and the C-board.
i) Crisis management. A good crisis management team will hit the ground running with a predetermined response that will free up other departments to limit the breach.
j) Test constantly. This is where you need ethical hackers who take swings at your defences. We can simulate various scenarios or go in cold as if ‘in the wild’ to test your company’s response.
Could a certain immutable ‘ledger’ help?
Blockchain in theory gives you assurance that the transaction is valid. In order to engage in a decentralised blockchain platform, I need to validate who I am and you need to validate who you are before the system executes. There’s still a degree of trust that you have genuinely validated yourself and are who you say you are behind the screen. Anyone who works in cybersecurity will have seed-addresses and accounts, so it’s not unimaginable that they could spoof a blockchain verification process; not fake, but falsify.
In short, you may be paying a validated Joe Bloggs account, but there’s no guarantee or way of proving that it is Joe Bloggs behind the screen. The processes within blockchain and Bitcoin in particular, have already been compromised by fraud - not the transactions per se, but components of the blockchain transaction supply chain. If I hack your computer, steal your Bitcoin credentials, I can make perfectly valid transactions (in the eyes of the blockchain) to whomsoever I please.
Cyber criminals always go for the weakest point in the chain so they won’t try and hack blockchain transactions in process. They’ll more likely compromise the security behind the crypto wallets or, as we saw recently, gunmen can physically enter a crypto exchange and demand the access keys. For criminals, crypto is an attractive target as it is effectively lawless (i.e. no institutional response) and the anonymity covers the bad guys’ tracks; they might as well be riding into a wild west town in a bandana taking off before the Sheriff arrives from civilisation.
Whilst many think that blockchain is better than SWIFT, you’re simply moving the hacking task to a different technology. There’s still a lot of work that needs to be done on blockchain but it’s a step in the right direction.
It’ll be interesting to see how banks approach the adoption of blockchain. Evidently, they’ll want control over it and take away the decentralised nature. Likewise, as the Bitcoin blockchain becomes harder to mine (programmed to be 88.8% harder each time) mining factories set up shop and need incremental resources to continue to mine. Eventually these massive companies will have de facto control over the blockchain - will the investment behind them be the banks?
When banks and governments get on board, that’s when blockchain will truly become the immutable and governed secure platform that it promises to be.