How a Breach and Attack Simulation (BAS) Platform Can Help Financial Organizations to Be Better Protected
Financial institutions are attractive targets for cybercriminals. To illustrate, UniCredit SpA, Italy’s largest bank, was hacked last year, and biographical and loan data from 400,000 client accounts was stolen. In June 2017, 80 Ukrainian lenders were compromised during a global ransomware attack. In February this year, hackers stole 339.5 million rubles ($6 million, €4.8 million) from a Russian bank using a flaw in the global payment network SWIFT.
Depending on the sort of attack, the consequences include distributed denial of service (DDoS) that prevents customers from banking online, stolen money that cannot be recovered, harvested customer information that is sold or abused later on, and brand damage that can also result in customer churn.
Cybercriminals have a whole arsenal of crime tools at their disposal for carrying out their attacks, ranging from spreading malware (e.g. ransomware, worms and Trojans) to Business Email Compromise (BEC) using e.g. phishing, spear phishing and whaling. Other favorites for spreading malware are drive-by and watering hole attacks, which infect legitimate websites that people in general, or a specific targeted group, visit.
To check their security posture, financial institutions conduct a penetration test (pentest). This simple method tests the vulnerability of the organization without replicating threat behavior. Research firm Gartner predicts that the “vanilla pentest” will soon become obsolete. Another popular method is Red Teaming, which replicates the approach and methods of real threats.
Both of these methods take a defender perspective, as do the security solutions (e.g. AV) in place. Paraphrasing an old saying, “it takes a thief to catch a thief”, a better option is an attacker approach. This allows an organization to see itself as a target through the eyes of a cybercriminal who exploits weaknesses to attack. That is where the BAS platform comes in.
A BAS platform runs real attacks against an organization’s network, attempting to steal data and phish employees in order to find the weak spots, and delivers real-time results together with suggestions for mitigation. Cymulate’s BAS platform offers six attack vectors to test the organization’s security posture:
(1) email attack testing, to check whether emails with a malicious link or attachment would slip through the mail filters, and whether employees would click on them (phishing);
(2) web browser testing, to find out whether malware, exploits, malicious scripts, etc. could expose the organization through legitimate browsing of mainstream websites;
(3) WAF testing, to check whether the organization’s Web Application Firewall stands up against web payloads and whether the web apps are protected;
(4) hopper testing, to check how easily the hopper can make its way from computer to computer using different lateral-movement methods and extract data;
(5) data exfiltration (DLP) testing, to validate that the organization’s outbound flows do not include information assets that should remain inside the organization at all costs;
(6) endpoint testing, to check whether the organization is protected against the latest attack vectors.
To recap, financial organizations are prime targets – now and in the future. That’s why they are allocating substantial resources in time and money for cybersecurity.
Investments exceeded $80 billion at the end of 2016, and Gartner expects the highest growth in the next few years to come from security testing, including investments in new services that help organizations assess the effectiveness of their security procedures, infrastructure, vulnerabilities and techniques by using breach and attack simulation platforms.
Such a Software-as-a-Service (SaaS) BAS platform simulates multi-vector, internal or external attacks by targeting the latest vulnerabilities, including those being exploited in the wild. These simulated attacks expose vulnerability gaps, which allows the organization to determine whether its security architecture provides the right protection and whether its configurations are properly implemented.
Overall, a BAS platform is a powerful tool in the arsenal of the financial organization’s security team.