The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via "hidden tunnels" to conceal their theft, according to a new report published by Vectra.
Ironically, financial firms have the biggest non-government security budgets in the world, Vectra says. Bank of America invests more than $600 million in cybersecurity each year, while JPMorgan Chase spends $500 million. Equifax, while smaller than both, spends an annual $85 million on security.
Yet, in Equifax's case – despite budget, staff, and a security operations center – in 2017 it took 78 days for it to detect a massive breach of its network, in which attackers accessed 145.5 million Social Security numbers, 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses.
The question of how attackers were able to exfiltrate so much data, and whether the same thing could happen at another financial firm, prompted Vectra researchers to take a closer look at exactly what happened.
A Review of the Equifacts
Equifax's breach started when a Web server was exploited to access the corporate network. The attackers avoided using tools that would alert the company's security team, instead building command-and-control (C&C) tunnels into Equifax. They installed more than 30 Web shells with different addresses to burrow into Equifax and, once inside the network, customized their hacking tools to exploit Equifax software, evade firewalls, and exfiltrate information.
For six months following the Equifax breach, Vectra researchers combed metadata from 246 opt-in customers and more than 4.5 million devices to learn more about attacker behaviors and network trends. They found the same activity that led to the Equifax breach is prevalent throughout the financial services industry.
What stood out most is the use of hidden tunnels in HTTP, HTTPS, and DNS traffic, which threat actors use to get into networks protected with strong access controls. These tunnels have been used for about three to four years, says Chris Morales, head of security analytics at Vectra, where researchers had been looking into this tactic long before Equifax was hit.
"Attackers don't use hidden tunnels unless they have to," he explains. When enterprise security defenses are strong, threat actors have to seek new ways to break through them.
Tunneling Into Financial Services
Financial firms have stronger security than most, securing Web applications with layers upon layers of access controls. Because apps are locked down, data has to be sent through "hidden tunnels" to move across an organization. There are legitimate use cases for this: Specific stock-tickers commercial apps and internal financial services use tunnels to communicate.
The high volume of traffic flowing to and from enterprise Web applications creates an ideal place for attackers to hide, Morales says. Hidden tunnels are tough to detect because communications are hidden within connections that use normal, permitted protocols. Messages can be embedded as text in headers, cookies, and other fields, researchers say.
Morales breaks down how an attack might work: A threat actor might start with an entry point as simple as a phishing campaign. With a foothold in the organization, the attactor can use reconnaissance techniques to learn the network – the number of devices and how he can make his footprint more durable and infect more machines.
"As he does all those things, he'll need to find ways to look like normal traffic," Morales explains. "Maybe he'll find a network scanning machine and perform recon from there because it'll look more normal." Once a tunnel is established, the hacker passes data in small chunks so it isn't picked up by anomaly detection systems.
Attackers could leverage tools purchased on the Dark Web to exfiltrate data and bypass access controls. "The tools are out there, and attackers have a great ecosystem for sharing them," says Mike Banic, vice president of marketing at Vectra. "In some cases, their ecosystem could be better than the defenders."
Compared with the industry average, there are fewer C&C behaviors in financial services, and HTTP C&C communications are lower overall, the report states. However, there are significantly more tunnels per 10,000 devices in financial services than all other industries combined.
Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.