Today’s Vectra 2018 Spotlight Report on financial services finds that cyber attackers are using hidden “tunnels” to break into networks and exfiltrate PII from financial institutions, while remaining largely undetected. Among key findings:
- More than 2x command and control tunnels for data exfiltration were found per 10,000 devices in financial services than in all other industries combined;
- For every 10,000 devices across all industries, 11 hidden exfiltration tunnels disguised as encrypted web traffic were detected on average, but in financial services, that number more than doubled to 23.
In response, experts with OneSpan, Prevoty and NuData Security, a Mastercard company, offer perspective.
Robert Capps at NuData Security:
“Bad actors continue to dig tunnels to access private data, but the real concern is: What are they doing with that data? Account takeover is the main outcome of stealing personal data, so being able to protect users beyond their credentials is key to block post-breach damage.
“Financial institutions are increasingly joining retailers, eCommerce organizations and merchants of all kinds using multi-layered solutions with passive biometrics and behavioral analytics to ensure that previously-stolen data cannot be used to either log into someone else’s account or to be incorporated into a synthetic identity for conducting fraudulent transactions.
“Many global merchants have successfully incorporated passive and active biometrics and behavioral analytics to verify customer identities through the real-time analysis of hundreds of indicators derived from the user’s online behavior. This approach isn’t solely reliant on static data such as passwords and challenge questions, and it obfuscates much of what would attract bad actors seeking to steal and sell or reuse consumer data.”
Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:
“Hidden tunnels should be protected at all times. Many app developers put holes through firewalls to make services easier to access from their apps, but these same holes can be exploited by hackers. Using the proper development tools, app developers can properly encrypt and shape the data being passed through these holes.
“Sometimes developers are at a rush to implement a new feature to maintain customers or to increase business, and this often leads to situations where a hidden tunnel is created and not secured. By leveraging development tools that create an end to end secure communications whenever a hidden tunnel is needed, developers can start with a solid foundation of security before hackers attack. Secure communication API’s allow for a developer to encrypt their data within their application before the network layer is applied, which often protects apps from the injection of a malicious backdoor. Applying further Application Shielding techniques can often harden the application from attack even further.
“Taking a layered security approach to applications can not only stop current attacks, such as the malicious hidden tunnel, but can often prevent new ones from being attempted against a protected app.”
Chris Prevost, Vice President, Solutions at Prevoty:
How do these systems “hidden tunnels” become viable in the first place? The attacker must be able to get a toehold (malware, shell) in the target’s environment. That may be accomplished via social engineering or more technical attack vectors such Remote Command Injection. Last year, we saw some very interesting RCI exploit payloads targeting web applications / web services that relied on old, vulnerable versions of the Struts 2 framework to execute unwanted commands on the victims’ web servers. Preventing attacks on web applications / web services often boils down to the basics – make sure the code that you deploy is free from security bugs. Unfortunately, that’s a much more difficult proposition than it sounds – today’s web site is extremely complex and comprised of layers upon layers of software that was written by someone else.
So in addition to doing the right things while developing the web site through tasks such as code review and security testing, additional security controls such as Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP) technologies that provide protection and visibility while the site is running must be employed. A multi-layered, defense-in-depth strategy targeting attacker reconnaissance, ingress, lateral movement and exfiltration is the best practice and really the only way to lower the risk of a serious breach.