Abstract:
---------
This is the ongoing fairytale of securing financial institutions. So many banks in so little time. We should expect cyber attacks on financial institutions because it's just so much easier to pillage online than to coordinate a get-away car, guns and comfortable ski masks. Over the past year, exploits against banks have seriously upped the game: jackpotting ATMs, DDoS, messing with trusted messengers.

The recent attacks on Polish banks initially went unnoticed. That's a mistake we can't afford to make, but the attackers are banking on it. When source code revealed that a much bigger player was involved, everyone jumped in. But that was days later. What are we missing because we choose to see what we expect, instead of what is really there?

After last year's massive breaches, and some significant financial attacks, financial organizations need to be prepared. The attackers aren't just going after the money. They want the data too.

Outline:
--------
Intro: Understanding the future threat through the past. There are lessons here.

What we keep missing
After the past year, I felt the need to pick up where we left off when talking about the state of security - make that insecurity - in our esteemed financial organizations. Were we wrong to expect change, given that the attempt made on Bangladesh fell short of the 1 billion payout, and given the revelations around the actual security setup for SWIFT, the trusted messaging system used by banks worldwide?

So, let me reprise what I said one year ago. We assume that banks take better care of our money than anyone. Heck, the service fees alone tell us that. We assume that these institutions understand security at a higher level than almost anyone because of all that money. So our expectation is that there are effective security processes in place to safeguard our assets. If anyone should know how to do security well, it's a bank. Right?
Heads in the Sand: Attitude is everything
Like everyone else, financial services has had to respond to the call for innovation and disruption. Couple that with the increasing convergence of information technology and operational technology, and you have the age-old battle of convenience over security, now amplified by the IoT. And while improved operational efficiency may reduce operating costs, we all know that uptime does not mean security.

Online banking heightens risk and exposure through data, yet a recent Capgemini study shows 71% of banks don't have adequate data privacy practices nor a solid security strategy to meet emerging threats. More than other businesses, financial organizations must build and maintain their trust with customers and stakeholders. As well, they need to establish compliance with regulators, and be accountable to stakeholders and boards. Within our increasingly connected world, the expectation to share data in the digital economy heightens the risk of exposure and breaches.

According to Capgemini, one in five bank execs are "highly confident" in their ability to detect a breach, never mind defend themselves against it. Yet "83% of consumers believe their banks are secure from cyber attack". They put their trust, and their money, in these venerable institutions. How about this? One in four banks report they've been attacked, but only 3% of consumers believe their bank has suffered a breach. Never mind the money. How about the data? The numbers are not good. Roughly 40% of banking and insurance companies have automated security intelligence capabilities for proactive threat detection.

The Big Kids on the Block: Carbanak, Dridex, the Lazarus Group and the art of the Pivot
It's like that song says: Everything old is new again. In order to really understand these attackers, we need to know their history to appreciate the pivots. By finding the context in their past pursuits, we can get a sense of where they may be headed now.
This is why we need to stay vigilant. Dridex was declared dead, then came back with a renewed sense of purpose in Switzerland. Shiny new attack methods prompt the question "What should we be looking for?" And yes, Virginia, it really was the Lazarus Group, in North Korea, with a poisoned well. Their name reflects their tendency to act, die down, then "rise from the dead". They are somewhat nebulous. But their ability to pivot and shift shows us why we need to be connecting the dots, and using the context to build from.

SWIFT Redux: It's easy to blame someone else.
That switch was a mirror held up for us to see our reflection. SWIFT told member banks last November that "attacks on its systems have only become more sophisticated in their strategies". "The threat is very persistent, adaptive and sophisticated - and it is here to stay". This is despite the work by regulators globally to toughen bank security measures. And the word is that "a fifth of them are hitting paydirt for the attackers", per Stephen Gilderdale, head of SWIFT's Customer Security Programme. And then there was the recent dump by the ShadowBrokers. What is the legacy of those Equation Group exploits and spooky monitoring?

What is happening now: Fileless malware attacks in Europe.
The numbers tell the story: 140 enterprises in 40 countries were hit. And the thing with fileless malware is this: no malware files were needed to successfully exfiltrate data from the network, and the use of legitimate and open source utilities made attribution almost impossible.

Using the Polish bank attacks as our base, I will show how a few banks in a small country can teach us all very big lessons about security. A series of targeted malware attacks against Polish banks went unnoticed in the initial stages, even though the Polish security researchers were crying "Wolf" as loudly as they could. In this case, the attackers went after the data, not the money.
They left an interesting trail: traffic to exotic locations, encrypted executables nobody knew of, and unauthorized files on key machines in the networks. Not until a group of commercial banks were all declaring infection did people realize there was a problem, and it led back to a poisoned well - the webserver of the Polish financial sector regulatory body.

Let's look at Southeast Asia as a training ground: ATM jackpotting, over and above the Bangladesh bank heists. ATMs were dispensing money on demand for hackers in the Cobalt siege that covered a wide swath including the UK, Spain, Russia, Romania, the Netherlands, Malaysia and much of Eastern Europe. Jackpotting has been dubbed "the new model of organized crime" and the FBI issued warnings to US banks after similar attacks in Taiwan and Thailand. Malware attacks in the third world happen for a reason. DDoS extortion attempts on banks in Taiwan and Lloyd's of London.

What does the future hold? Ola Brazil! Let's look at this epicenter of banking malware. Who's paying attention to this dark horse? I'll show you why we need to. And then let's descend into the "Heart of Darkness" and go on a safari of fraud and corruption in African banking. Forget Nigerian princes. You have no idea ...

Talk Type:
----------
50 min talk

What you expect from attendees?:
--------------------------------
I continued researching this topic area since I gave my talk "How to Rob a Bank" last year. This past year we have seen some interesting pivots and renewed interest by established players like Carbanak, compounded by the release of a cache of older but still highly volatile exploits via the ShadowBrokers. Attendees, not just those in finance, will broaden their frame of reference when looking at potential threats, and understand new pivots and areas of attack.