Threat Intelligence for Financial Services

Four Challenges and Four Solutions to Improve Resilience

It’s no secret that cyber threat actors are hungry for customer data. According to IBM, data theft and leak was the most common impact for organizations that suffered an attack. In addition, a report from Delinea found that data exfiltration was the most prominent motivation for ransomware attacks today.

There are few industries that handle more valuable customer data than the financial services industry. Thus there are few targets more attractive to a threat actor.

Many financial services organizations have substantial amounts of money and assets, which can make them attractive to ransomware attackers keen on going after “big game” targets. And the interconnected nature of the financial sector means that compromising one institution or commonly used product can lead to broader impacts across the entire industry.

In Recorded Future’s recent fireside chat webinar, Navigating Risk: How Threat Intelligence Is Transforming Financial Services, Citizens Bank Cyber Threat Intelligence Manager Lea Cure summed up the complex nature of financial services cybersecurity:

“As a financial institution, we have money, we have people’s information. Thinking about how we protect that information is very different from other organizations. The technologies we use and the technologies we use to move money are critical. If those go down, what will we do? What are our playbooks?”

In this blog we’ll cover the challenges financial services organizations face, and how — for each challenge — threat intelligence provides critical context to help defenders be faster, more efficient, and more effective at preventing nefarious actors from stealing their customer data and impacting business operations.

Challenge #1: Supply Chain Attacks

On numerous occasions, prospects and clients across industries have told us that supply chain attacks are a top concern. In our fireside chat, both our client panelists said they felt the same way.

Their concern is certainly warranted, as there’s often little that can be done to prevent a supply chain attack. A Gartner survey found that 45% of organizations experienced third-party-related business interruptions over the past couple years.

“Outside of the financial industry there’s a lot less regulation, especially in the technology service providers area,” said Christopher Martinkus, a Threat Intelligence Manager for a North American commercial bank. “That’s where you see a lot of these breaches occurring. I know for us, we’ve seen way more attacks on our third-party service providers than we’ve seen targeting us specifically.”

As an example, threat actors like the ransomware group CL0P focus on exploiting vulnerabilities in file transfer software from Accellion, SolarWinds, and MOVEit. By gaining unauthorized access to files being transferred, CL0P has been able to steal sensitive information, encrypt files for ransom, and use the compromised files for other malicious activities.

It’s becoming even more challenging to reduce risk across the supply chain in the “as-a-service” era. Zachary Smith, Senior Principal of Research at Gartner, said, “Cybersecurity teams struggle to build resilience against third-party-related disruptions and to influence third-party-related business decisions.”

Solution: Mitigate Supply Chain Risk

Can threat intelligence help organizations be more proactive in identifying risks that stem from their partners and vendors? Recorded Future client Christopher Martinkus thinks it’s possible to mitigate supply chain risk.

“We've actually had it where an alert came through that a third party of ours was listed on a ransomware extortion site,” he said, “and we were notifying that vendor before they even knew that they were listed there.”

Recorded Future’s ransomware victim metadata analysis identifies a number of companies and organizations that are most likely to be victims (direct or indirect) of a ransomware incident based on patterns found in the file metadata.

Another financial services company was able to identify malicious network activity during the procurement process for a new vendor. In this instance, the company was able to flag the vendor as high risk and make sure to take a deeper look before onboarding.

With supply chain attacks, minutes and hours really matter. Decisions need to be made and steps need to be taken to keep the business secure. Threat intelligence can provide real-time threat monitoring and assessment to help you overcome current challenges and ensure that your organization has the context needed to stay ahead of supply chain threats.

Challenge #2: Ransomware

While law enforcement’s disruption of the infamous ransomware group LockBit was a win in the short term, in all likelihood ransomware will continue to be a major concern for financial services organizations. We’ve already seen other disrupted ransomware groups bounce back.

“I don’t think ransomware is going to stop,” said Lea Cure. “I think that it’s going to continue and continue to be a problem.”

Christopher Martinkus added, “They’re going to stand up other variants that are similar to LockBit, and it’s kind of like the hydra theory — you cut off one head, you end up with two.”

2023 was a banner year for ransomware groups. Ransomware payments doubled to more than $1.1 billion (The Record), and high-profile attacks received extensive media attention. Of organizations that suffered an attack, 62% lost revenue, 48% experienced reputation damage, and 48% lost customers (Delinea’s State of Ransomware 2024).

Despite a dip in the number of victims posted to ransomware extortion sites in the new year (The Record - Ransomware Tracker), it’s likely that numbers will increase. Financial services organizations should use the respite to enhance their defenses.

Solution: Proactive Ransomware Mitigation

To mitigate ransomware attacks, your financial institution needs proactive insights. One way to shift left is to focus on attackers that have a high intent to target the industry.

What are the tools, tactics, and procedures (TTPs) associated with these groups? What are their motivations? Are there hunting packages available to preemptively detect malicious infrastructure in your environment?

We’ve seen numerous cases where financial services clients have bolstered their defenses with helpful insights from Recorded Future.

One client has used the T-codes from the Ransomware MITRE Map in Recorded Future’s Ransomware Dashboard to stay informed of potential ransomware TTPs. As a result, the client has saved time and enhanced their threat profiling.

Other clients have set up alerts to monitor for threat actors targeting their industry peers, helping them to prioritize the most pertinent threats to their business.

The Recorded Future Ransomware Dashboard displaying key information pertaining to financial institutions. Users can also access a Ransomware MITRE Map to identify attack patterns and tactics based on the MITRE ATT&CK Framework.

Challenge #3: Digital Risks

In 2023, the top three initial access vectors in the MITRE ATT&CK Matrix, according to the IBM X-Force Threat Intelligence Index, were Valid Accounts (T1078), Phishing (T1566), and Exploit Public-Facing Application (T1190). They were the top vectors by a wide margin.

In fact, according to the report there was a 71% increase year over year in the volume of attacks using legitimate credentials, which can likely be attributed to the 266% upsurge in use of infostealers. According to Recorded Future’s 2023 Adversary Infrastructure Report, RedLine Stealer and Raccoon Stealer were the most popular infostealers, based on the number of unique C2 servers observed.

Why are infostealer malware and compromised credentials so valuable to threat actors? Recorded Future Product Manager Director Dmitry Smilyanets writes in his blog post Session Hijacking and MFA Bypass, “Cybercriminals can use stolen sessions to authenticate to web applications and services, allowing them to bypass multi-factor authentication (MFA) checkpoints.”

Despite no longer being the top initial access vector, phishing is still prevalent. According to a brand protection report from Mimecast, brand impersonations have risen by more than 360% since 2020. This is likely due to cybercriminals using domains, corporate names, slogans, logos, and executive impersonation to create communications that look like they’re coming from legitimate financial services organizations.

As organizations continue to grow their digital channels and embrace the advantages of cloud-based resources, their external attack surfaces are in a constant state of change and growth. An explosion of new internet-facing assets, numerous cloud environments, and more entry points for a remote workforce all lead to visibility challenges that can increase the risk of exploitation. According to an Enterprise Strategy Group report, 76% of organizations have suffered a cyberattack that started with the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.

Solution: Digital Risk Protection and Exposure Management

Preventing digital risks requires improving visibility into digital blind spots. Whether you’re concerned with compromised credentials, typosquat domains, or vulnerable assets, visibility is essential to monitoring, prioritizing, and remediating risks to your enterprise.

Considering the popularity of valid credentials and infostealer malware among cybercriminals, it’s critical to find and remediate compromised credentials before they can be used. When one employee’s personal computer was infected with infostealer malware, Toyota Motors North America used Recorded Future to gain advanced warning about the compromised credentials and proactively secure the employee’s account before threat actors made a large number of attempts to use the stolen credentials.

The homepage for Recorded Future’s Identity Intelligence module helps financial institutions identify where credentials are being stolen, what technologies are exposed, and the infostealer malware used.

Monitoring for typosquat domains and fake login pages can help reduce the chances your employees, customers, or partners fall for a phishing campaign. Depending on the name of your organization, there may be dozens or hundreds of domains that could count as typo- or cyber squatting. One way to cut through the noise is by using image optical character recognition (OCR) to scan a web page as it’s being created or updated, looking for your company’s logo and/or a login page. For example, a UK bank received a domain abuse alert to help uncover a potential phishing site with a fake login screen, enabling the security team to take down the site before it could sow confusion.

The best way to defend your external attack surface is to understand the exposures you’re susceptible to, and which ones are being actively exploited by threat actors. By understanding what CVEs, misconfigurations, and additional risks are active for your company, you can be more proactive versus reactive. In an interview with Recorded Future, Matt Bittick of Cummins said that a successful attack surface risk management program requires visibility, asset inventory, and mapping. “To be successful,” he said, “you need to not only know what your problems are, but also how to deal with them.”

Challenge #4: Payment Fraud

Credit card fraud is a significant threat to financial institutions. According to Recorded Future’s Annual Payment Fraud Intelligence Report: 2023, fraudsters posted more than 119 million payment cards for free or for sale on the dark web and other sources. 2022 saw a dip in stolen cards being sold on the dark web, likely due to a cybercrime crackdown and the invasion of Ukraine, but 2023 has seen a significant rebound.

In addition, the main methods for stealing payment cards shifted during the Covid-19 pandemic from card-present (CP) transactions that were made at ATMs, gas stations, merchants, and more to card-not-present (CNP) transactions made online. In 2021, 65% of stolen payment cards were compromised during CNP transactions, and that percentage has now risen to around 75%.

According to research from Recorded Future, 2023 was a year when threat actors continued to refine their tactics for stealing cards from unsuspecting online shoppers. New tactics include:

• Multiple logical paths within e-skimmer code to complicate reverse engineering
• Loader scripts receiving e-skimmer from relay URLs
• Trojanized Google Tag Manager containers in a chain-loading structure
• Obfuscated object-based e-skimmer infrastructure
• Abuse of Telegram bots to relay e-skimmers and stolen data

Solution: Proactive Payment Fraud Prevention

“One of the big things we're focused on is working in the fraud space,” said Christopher Martinkus. “We're actually moving forward with the Payment Fraud module in Recorded Future. That's one of the big wins that I was able to get into our budget, and we’re working towards getting more partial PANs (primary account numbers), full PAN data, and then working with our fraud team on risk-rating those cards and that leaked data to either reissue or do a risk scoring.”

By partnering to take a holistic approach to looking at the compromised payment card lifecycle, fraud and cyber threat intelligence teams can proactively block fraudulent transactions and reduce false positives.

From diagnosing when a merchant has become compromised, to determining that stolen card data is being posted and sold on the dark web, to identifying that fraudsters are testing the validity of a card through tester merchants, threat intelligence can help financial institutions gain greater visibility into fraud risks.

Threat intelligence can also be used to thwart additional types of payment fraud. For example, checks being stolen to commit payment fraud have been on the rise, as noted in a recent FinCen post. Recorded Future sources these stolen check images from the cybercrime ecosystem before they are used to commit fraud. Using optical character recognition (OCR), Recorded Future is able to produce a high quality feed of fraudulent checks.

You can use this intelligence to identify customer accounts whose checks have been stolen as well as deposits that have been made using stolen checks. This enables you to prevent the funds from leaving the victimized customer’s account, and stop fraudsters from stealing funds made available before the deposited stolen check is eventually flagged as fraudulent. For example, a North American financial institution was able to proactively identify a fraudulent check on a Telegram channel, before it could be used.

A CTI director at a large North American financial institution has said, “Recorded Future has truly helped us to mitigate fraud, and many different stakeholders who have different missions and don’t always communicate very frequently, they can all come to an agreement that the intelligence provided has been really worthwhile for us.”

Recorded Future Payment Fraud Intelligence helps fraud and cyber threat intelligence teams take proactive action to reduce financial losses from compromised payments cards.

Protecting Financial Institutions with Threat Intelligence

“I think threat intelligence is the same across industries,” Christopher Martinkus said. “The thing that varies is the actors that are targeting you and the motives behind it. We all have vulnerabilities. We all have technologies and our own brand and reputation to maintain. I think at the end of the day we all have the same threat focus. It’s just what threats we’re focused on might change.”

For financial services organizations, threat intelligence can help security teams anticipate threats, respond to attacks faster, and make better decisions to reduce risk. By exposing unknown threats, informing better decisions, and driving a shared understanding to accelerate risk reduction across the organization, you can be resilient in the face of supply chain attacks, ransomware, digital risks, and payment fraud.

For more information on how Recorded Future can elevate your security defenses, request a demo. Already a Recorded Future client and want to learn more about the latest product updates, request a free consultation.