Using Threat Intelligence to Tackle Cyber Security Challenges in the BFSI sector

By Sanjai Gangadharan

The current scenario
With cyber-attacks growing more sophisticated by the day, cyber security is definitely a challenge to every organisation, including the BFSIs. Recently, a massive cyber attack on one of India’s oldest banks – Cosmos Cooperative Bank Ltd., resulted in a loss of around INR 94 crores. India operations of State Bank of Mauritius (SBM), was also attacked by cybercriminals, potentially causing a loss of $14 million1. This shows that these attacks are not restricted to company size or geographies.

As more and more financial institutions race towards their digital transformation goals, we will inevitably see the proliferation of web applications which adds to complexity and vulnerabilities.
Demonetisation and proliferation of online financial services has made huge volumes of money a target for cyber criminals. Although penetration of online transactions in tier 2 and 3 cities in developing economies like India is not significant, the lack of awareness of cyber security particularly in the BFSI sector, makes the situation challenging. Experts are of the opinion that Indian BFSI organisations are underprepared for the scale of attacks that they face. Most organisations are not proactive in their cyber defense strategy and end up looking for a solution after they have been stricken with a massive attack. As more organisations in the BFSI sector are offering personalised solutions and being almost omnipresent – through mobile apps, ATMs, automated kiosks etc., customers have the liberty to do banking from anywhere, anytime. It is imperative that strong controls are put in place for banking applications as their data is more vulnerable to being hacked. Interestingly, India has faced this challenge before. In 2016, there was an incident where over 30 lakh debit cards issued by multiple public or private banks were exposed to a potential risk of data breach.

Therefore, this is a major threat that has to be addressed by the Indian BFSI sector in a more cognizant manner. Also, with the whole digital shift in the ecosystem, the traditional banking security infrastructure does not always help, and financial institutions must consider a pro-active, multi layered approach when it comes to defense strategies.

Traditional vulnerabilities
One can never overplay the importance of keeping the BFSI IT and network infrastructure safe from cyber attacks. The huge rewards involved with a bank robbery in the cyber space lures hackers and probably even motivates them to improve their attacks, despite the risks involved. The fact that organisations from the financial sector falls prey to cyber attacks 300 times more frequently as compared to any other business, is proof.

Traditionally, for any bad actor with an intention of taking down a BFSI organisation online, the modus operandi would be to launch a malware and infiltrate the bank’s system, inorder to gain access to get consumer data and transaction data initiating unauthorised transactions and similar malpractices.

What is new in the cyber space is the multi-vector attacks that form shape through connected networks. With a network of connected devices of about 1.2 billion devices being enabled by IoT, the vulnerabilities in one’s network are going to have even more exposure to cyber threats.
Cyber attackers also launch DDoS attacks to overwhelm the bank’s servers with huge volumes of illegitimate traffic with the intent of slowing down their services. DDoS attacks are always initiated in a distributed fashion, and the attack tools, infected botnets and vulnerable exposed servers, are repeatedly used in multiple DDoS campaigns. But now, the attackers have become cleverer and more insidious, and have started using a “low and slow” approach, of planting encrypted malware slowly into networks in low volumes so that they go unnoticed by the security checks. Later on, over time when these get decrypted, the server goes down, officially completing a DDoS attack.

Networks also get taken down by malware from individual devices, that could have been infected through USBs. When this happens in devices that handle heavy financial information regularly, hackers could identify a weak spot and launch an attack.

The government’s role
As a country that is making huge leaps in its digital transformation journey, Govt. of India is working on making the security of BFSI sector stronger. The Union Finance Minister had proposed a dedicated wing of the Indian Computer Emergency Response Team (Cert-In)  to cater exclusively to the cyber security needs of the BFSI sector, during the FY2017-18 Union Budget speech. Although this hasn’t gone live yet, it is evident that the government is well aware of the need of being extra cautious with the security of BFSI organisations in the cyber space.

It is also quite encouraging to notice that the RBI is being proactive to protect the BFSI sector, considering they clearly state in their annual report, that the 2018-19 agenda12 will primarily involve effective steps to “further enhance” the level of protection against cyber risks. The central bank is also making corrective measures in this fiscal as a part of its attempts to tackle organised cyber-crimes against organisations operating in the Indian BFSI space. With India’s digital economy expected to cross $1trillion by FY2022, it is imperative that as a nation, we be prepared for all kinds of challenges, and amp up our cyber ammunition with the right weapons.

However, it is only the government’s responsibility but also that of the enterprises’ to keep a nation’s cyber space safe. This is because there is a lot of traffic that passes through servers of enterprises alone, and as much rules and regulations the government can bring about protecting it, organisations also have to be always on the watch as to what is happening through their network. Only a joint-responsibility from enterprises and government will make and maintain the cyber space a safe arena.

Visibility, Threat Recognition and Response Time
For every organisation, it is important for them be aware of the cyber threats that they are exposed to, inorder to be able to prevent them from striking and causing a menace. With old DDoS attacks coming in new formats, organisations need to focus on understanding the objective of the attackers and protect the vulnerabilities. Although DDoS attacks are growing in frequency, intensity and sophistication, what have remained constant over the years are the delivery methods of using infected botnets and vulnerable open servers to create crushing scale attacks against unwitting targets. As Internet of Things (IoT) is enabling connected networks, the attack on one of the devices in the network could trigger malfunction of the rest and will lead to the whole network being knocked down. This way, when connected networks are attacked, the consequences are massive.

According to a Ponemon Institute survey, 41 percent of all cyberattacks are concealed in encrypted traffic yet 64 percent of respondents say they cannot detect malicious SSL traffic. The three key reasons cited for not inspecting SSL traffic were lack of enabling security tools, insufficient resources and concerns about performance degradation. Although encryption has been proven to protect data privacy, as more traffic is encrypted, more threats can also hide under the same guard. Attackers use IP masking and similar covers to infiltrate security solutions and gain access to networks. They also wrap malware and other nefarious files inside encrypted traffic to infect networks and steal data.

Hence, such encrypted malware has to be first detected and then decrypted to be identified as threats. This visibility will then help protect the networks from similar attacks later, thereby mitigating the threat. To be proactive in the face of today’s cyber attacks, security solutions need to have precision, automation and scalability capabilities. A high-precision solution will help in differentiating legitimate users from those that are not. This ensures that services are protected and available for actual users at all times, saving down-time costs. Automation is required for the ability to auto-detect, mitigate and profile incoming traffic, ensuring operations are simplified, and speed response time is amplified. Scalability is another important factor that needs to go with a security solution. Scalability allows the solution to mitigate and defend against attacks of all sizes. A security solution that has these characteristics will help BFSI CIOs to refine the security of their organisation online by keeping bad actors at bay.

Upcoming regulations
Earlier this year, government of India proposed a Data Protection Bill17 that requires any technology and digital services company that does business in India, to store “at least one serving copy” of personal data on a server or data centre located in India. The bill also allows the government to exempt certain categories from this regulation, as well as issue a mandate for certain other categories of data be stored only in India, because of their “critical” nature.

Organisations in India are handling this in multiple ways, as suited to the company and its nature. Certain organisations19 are structuring dedicated departments to handle the security of data the existing framework of their business while certain others are exploring ways to re-align their functions to comply to the new set of regulations. In both cases, the primary need is to keep in utmost safety, the data that the organisation is entrusted with. Because this will serve the objective of the Data Privacy Regulations Bill as envisioned by the government, of keeping law enforcement authorities well-informed at all times with sufficient data, to ensure national security.

What organisations can also do is to add the ability to create a secure decrypt zone in their network, decrypting and inspecting encrypted traffic, to protect against data loss, without any hindrance in gaining visibility into encrypted traffic. This will keep the organisations safe, well within the compliance required to abide by the proposed Data Protection Bill.

Way forward
It goes without saying that cyber attacks of all kinds are a threat to the online security of individuals and organizations who utilize any kind of internet service. One of the most significant challenges that organizations face on the cyber security front is Distributed Denial of Service (DDoS) attacks. A DDoS attack is an attempt intended at making an online service unavailable, by directing massive amounts of traffic to it from multiple sources. Launching DDoS attacks have become simple and low cost, making multi-vector attacks the order of the day. Protecting the applications against such attacks is getting very challenging for enterprises.
Encrypted attacks are no less of a threat, now that it has become a more cunning way of plugging malware into a network. Attacks are launched through encrypted formats, using the need for data privacy as a cover. The fact that enterprises themselves sometimes do not inspect encrypted data carried through their own networks of the fear of a breach reveal gives more confidence to bad actors to utilise encryption as a safety mechanism to go undetected.

To grasp the scale of these threat agents, organizations need threat intelligence solutions that can gather intel and identify the geolocation of millions of IP addresses that are commonly used, or potential attack-agents to help pre-empt future attacks. The threat intelligence is an added benefit that provides organizations with a means to strengthen their existing DDoS defenses based on real-time data. However, Threat Intelligence data is useless unless it is converted into actionable insights. Organizations need to couple threat intelligence with modern DDoS mitigation solutions for a proactive DDoS defense strategy.

While dedicated security devices provide in-depth inspection and analysis of network traffic, they are not designed to decrypt and encrypt traffic at high speeds. In fact, many security products do not have the ability to decrypt traffic at all. A10’s Thunder SSLi eliminates the blind spot introduced by SSL encryption by offloading CPU-intensive SSL decryption and encryption functions from third-party security devices, while ensuring compliance with privacy standards. It also boosts the performance of the security infrastructure by decrypting traffic and forwarding it to one or more third-party security devices, such as a firewall for deep packet inspection (DPI).

Simultaneously, A10’s Threat Intelligence Service provides customers an actionable list of known bad actors on the Internet. A10’s application networking and security solutions benefit from these lists, by blocking traffic from and to these bad destinations without the need to involve validation techniques. This offloads the platform’s CPUs and increases security efficacy.

The author of the article is the Regional Director – SAARC at A10 Networks.