TRANSCRIPT
May 17th, 2017
Swiss Banking Operations Forum Zürich, Switzerland
Cyber Payment Fraud Threat Landscape Cyber Defense Measures for Banking Operations
UBS AG
Carlo Hopstaken
Group Information Security Office
1
Agenda
Cyber Fraud – Setting the scene
Cyber Threat Landscape and Risk Scenarios
Cyber Fraud – Threat Actors and Modus Operandi
Cyber Fraud – APT Defense Measures
Banking Operations – Payment Processing View
Recommendation
Conclusion
Cyber Fraud – Setting the scene
| Announced | Financial Institution | Cyber Fraud case | Loss | Event Date |
|---|---|---|---|---|
| Dec 2014 – Feb 2015 | Russia, United States, Germany, China and Ukraine | Unauthorized access to steal money (online banking, e-payment systems, ATMs, alter databases to pump up balances) | USD 500 mn – USD 1 bn | Undisclosed |
| 10 Mar 2016 | Bank of Bangladesh | Central bank's computer systems compromised and used to submit payment instructions via Swift | USD 81 mn | 4 Feb 2016 |
| 13 May 2016 | Tien Phong Bank (Vietnam) | Similar to the Bank of Bangladesh case, but reconciliation identified the bogus transfers. In the malware used, other banks were identified | USD 1,2 mn (blocked) | Dec 2015 |
| 20 May 2016 | Banco del Austro (Ecuador) | Fraudulent transfers executed by hacker, via Swift, through Wells Fargo | USD 12 mn | Jan 2015 |
| 26 May 2016 | Sonali Bank | Fraudulent transfer requests similar to the Bank of Bangladesh case (keyloggers used) | USD 250 K | 2013 |
| 27 Jun 2016 | Ukrainian Bank | Compromise of the bank's security in a similar way to the Bangladesh central bank hack | USD 10 mn | Undisclosed |
| 02 Dec 2016 | Russian Central Bank | Hackers managed to access the electronic system that gives clients access to third-party correspondent accounts at the bank by faking certain client credentials, and then attempted to steal USD 45 million (USD 26 mn recovered) | USD 19 mn | 2016 (Undisclosed) |
Cyber Threat Landscape and Risk Scenarios
Cyber Threats / Risks
• Cyber Fraud – unauthorized transactions and fraudulent activities using stolen or manipulated data, e.g. e-banking, payment systems or cards
• Data Theft – theft of a large volume of information, e.g. client data, intellectual property, business-related information
• Disruption of Service – disrupting a financial institution's information technology infrastructure through external attacks, malware infection or disgruntled internal employees

Threat Landscape
• Driven by economical, political and governmental interests.
• Threats are continuously evolving at an increasing pace.
• Our employees, clients and third parties are targets for cyber criminals.
• An underground market for cyber tools has emerged.

Threat Actors (ordered by increasing sophistication and means, from opportunistic to targeted)
• Script Kiddies
• Hacktivists
• Organized Crime
• Terrorists
• Intelligence Agencies
• Nation States

Threat Intelligence
• News / Alerts
• Incidents

Cyber Fraud impacting Banking Operations
Enacting fraudulent payments or transfer of assets from a firm or its client accounts by means of direct hacking into the firm's payment infrastructure (e-banking / e-channel fraud excluded).
Cyber Fraud – Threat Actors and Modus Operandi
Cyber Threat Actors: Intelligence Agencies, Nation States, Organized Crime
Motivation: Financial gain (fraudulent payments, ATM cash-out, etc.)
Objective: Compromise internal banking and payment applications
Means: Advanced Persistent Threat (APT), targeting end-users (or 3rd parties) using tailored tools and social engineering techniques. Furthermore, the total time spent from preparation to final heist can take months if not longer.

Modus Operandi (APT Cyber Payment Fraud)

Phishing / Social Engineering
• Select targets (reconnaissance)
• Phish targets (e-mail with malicious content / link)
• In some cases physical devices can be implanted

Persist & Conceal
• Setup external communication channel
• Push customized malware / tools
• Remotely control end-point

Elevate Access & Lateral spread
• Attempt to elevate access rights or obtain credentials with required accesses
• Move within internal banking infrastructure to find target systems

Monitor & Prepare
• Once the required access to targeted systems is obtained, monitor end-users and processes (for example how transactions are inputted, approved and processed)

Heist / Pay-out
• Transfer money out (for example via compromised transaction / ATM systems)
• Use money-mules to process stolen funds
• Hide or delete evidence / tracks
Cyber Fraud – APT Defense Measures
Defense measures are grouped as Technical, Human or Processes and mapped against the attack phases (Phishing / Social Engineering, Persist & Conceal, Elevate Access & Lateral spread, Monitor & Prepare, Heist / Pay-out):

• Internet & Social Media Monitoring
• Network Intrusion Detection
• Traffic Inspection
• Anti-Virus & Advanced Malware Protection
• Strong Password Controls & Authentication
• Secure Network Architecture
• Fraud Incident Handling
• Access Rights Management
• Internet Traffic Filtering / Blocking
• Network Protection
• Application Security / Firewall
• User Behaviour Analytics
• Sinkholing
• Rogue Service Takedown
• Forensic Investigations
• Crisis Response Plan
• Endpoint Protection
• Awareness Training
• Periodic assessment of implemented controls including resilience testing
• Anomaly detection
• Filtering controls / suspension
• Entitlement reviews
• Security logging and Monitoring
• Reconciliation
• 4-eyes principle (maker / checker)
• Payment activity monitoring
• Patch management
• Privileged Access Controls
• Cyber Threat Intelligence (gathering / sharing)
• Counterparty management
• Physical Security
• Sandboxing
• Network Analytics
• Cyber / Computer Fraud insurance
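As an added example (not from the presentation or UBS), the Reconciliation, 4-eyes principle and Payment activity monitoring controls listed above expressed as checks over constructed payment records; the record fields, names and amounts are assumptions made for this illustration.

```python
# Constructed sample records for this example (not from the presentation);
# field names are assumptions.
# Orders as approved in the core payments engine.
ORDERS = [
    {"ref": "P-1001", "amount": 25_000.0, "beneficiary": "ACME-GMBH", "maker": "alice", "checker": "bob"},
    {"ref": "P-1002", "amount": 900_000.0, "beneficiary": "ACME-GMBH", "maker": "carol", "checker": "carol"},
    {"ref": "P-1003", "amount": 4_000.0, "beneficiary": "NEW-VENDOR-LTD", "maker": "dave", "checker": "erin"},
]
# Messages as they leave the messaging gateway towards the correspondent bank.
OUTBOUND = [
    {"ref": "P-1001", "amount": 25_000.0, "beneficiary": "ACME-GMBH"},
    {"ref": "P-1002", "amount": 900_000.0, "beneficiary": "ACME-GMBH"},
    {"ref": "P-1003", "amount": 4_000.0, "beneficiary": "OFFSHORE-HOLDINGS"},  # beneficiary altered
    {"ref": "P-9999", "amount": 500_000.0, "beneficiary": "MULE-ACCOUNT"},     # no internal order
]
# Highest previously approved amount per beneficiary (the monitoring baseline).
HISTORY = {"ACME-GMBH": 30_000.0}

def reconcile(orders, outbound):
    """Reconciliation: every outbound message must match an approved order in
    reference, amount and beneficiary (the kind of check that caught the bogus
    transfers in the Tien Phong Bank case)."""
    by_ref = {o["ref"]: o for o in orders}
    findings = []
    for m in outbound:
        o = by_ref.get(m["ref"])
        if o is None:
            findings.append((m["ref"], "no approved internal order"))
        elif (o["amount"], o["beneficiary"]) != (m["amount"], m["beneficiary"]):
            findings.append((m["ref"], "outbound message differs from approved order"))
    return findings

def four_eyes_violations(orders):
    """4-eyes principle (maker / checker): one user must not both enter and approve."""
    return [o["ref"] for o in orders if o["maker"] == o["checker"]]

def payment_anomalies(orders, history, factor=3.0):
    """Payment activity monitoring: flag first-time beneficiaries and amounts far
    above the beneficiary's historical maximum."""
    out = []
    for o in orders:
        prior = history.get(o["beneficiary"])
        if prior is None:
            out.append((o["ref"], "first payment to this beneficiary"))
        elif o["amount"] > factor * prior:
            out.append((o["ref"], f"amount exceeds {factor:g}x historical maximum"))
    return out
```

Each function returns the references it flags so the three controls can feed one fraud incident handling queue; in practice the baseline would be derived from the payments engine's own history rather than a constant.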
Banking Operations – Payment Processing View

Payment processing chain: Market Channels → Input Channels → Core Processing → Messaging & Screening → Markets

• Input Channels: Paper client channels, Electronic client channels, Market input channels, Internal Systems
• Core Processing: Payments Engine, Static data, Manual interventions, Accounting & Reporting, Interaction systems
• Messaging & Screening: Message Routing, Message Monitoring, Halt of Business Messages, AML controls, Compliance Filtering
• Markets: Clearing, Correspondent Bank

Scope
• End-user devices
• Infrastructure
• Payment applications
• Payment gateways
• Middleware messaging
• HSM (PKI)
• Third parties
• Employees
Recommendations
Periodically perform the following actions:
• Threats / Risks – Assess your threats and define your risk scenarios.
• Attack methods – Understand the attack methods being applied, using reliable threat intelligence.
• Defence measures – Dissect the attack path and determine the required measures (technical, processes, behavior, testing and practice).
• Critical applications – Determine your critical asset-moving applications, their users and the underlying supporting infrastructure.
• Gap analysis – Assess potential gaps or areas for improvement.
• Remediate & Test – Fix the gaps and test the defense measures, e.g. with red team testing.
Conclusion
• The resources and knowledge of cyber criminals will continue to grow, and cyber fraud related attacks will become more sophisticated.
• Reliable cyber threat intelligence is crucial to understand threats and to determine effective measures.
• Don't assume that cyber threats can be defended against by technical measures only; measures need to be in place at different layers of control.
• It is not a question of "if", but "when", so ensure you have incident response plans in place and practice them regularly.
• The best way to test your defense is to use red team testers, who will simulate cyber threat actors.
Q&A