What we learned from the Cyber Financial Crime Summit: Hacker attack data should inform AML risk
Thursday, October 15, 2015
Posted by: Brian Monroe
Criminal hacking groups are attacking a wider universe of institutions more aggressively, from banks, to data aggregators, to third-party outsourcers such as human resources and legal services, and are actively sharing information on which tools work and which vulnerabilities remain unpatched.
According to public and private experts at the ACFCS 2015 Cyber Summit, companies, government organizations and academia desperately need to follow suit, and be equally forthright in sharing information. This includes sharing between financial crime departments – such as cybersecurity and anti-money laundering – and with law enforcement and quasi-government groups to aid in blocking future attacks, uncovering current intrusions and capturing the groups responsible.
The ACFCS 2015 Cyber Financial Crime Summit, a unique event coinciding with National Cybersecurity Awareness month, was a rare chance to unite financial crime professionals with experts and top leaders in the cyber realm to define common challenges and mount a more effective response.
Summit speakers and keynotes surfaced a number of key themes and surprising insights, from emerging attack patterns to heightened regulatory expectations. Below is our effort to capture just a few of the Summit’s highlights. To read part one of our coverage of last week’s summit, please click here.
Cybercrime moves up the financial institution examiner’s agenda
“From the regulatory perspective, Comptroller [Thomas] Curry has established cybersecurity as a key priority for the OCC,” said Patrick Kelly, critical infrastructure policy analyst in the operational risk division of the OCC, during a panel at the summit in National Harbor, MD.
The regulator has done this by establishing a critical infrastructure working group, he said. The group coordinates with domestic and international law enforcement to identify and analyze the cybersecurity issues examiners are seeing, and communicates possible solutions to the financial sector through reports, updated guidance, outreach programs and other alerts.
The agency has also strengthened cybersecurity training for staff and examiners, Kelly said. From internal and external analyses, the regulator has seen a rise in hackers using ransomware, to the point that some groups sell such software to novices: anyone who can send an email can engage in such an attack.
As well, “existing vulnerabilities continue to be exploited,” he said, adding that some 90 percent of cyber attacks exploit a known vulnerability that has been public for three months to a year or more and has had appropriate mitigations or patches available, but “nonetheless are still being exploited.”
Cyber ‘maturity’ of firms to be graded
The decisions around, and resources devoted to, thwarting cyber thieves have taken on increased importance as these groups in the last two years have infiltrated some of the largest banks and retailers in the United States, including JPMorgan, Home Depot and Target, and have also breached key government data repositories, such as the Office of Personnel Management.
As a result, regulators, including the US Treasury’s Office of the Comptroller of the Currency, have stated they are making cybersecurity, resilience and cyber “maturity” more of a focus. Other regulatory bodies, including the Federal Trade Commission, have already taken formal legal action against companies that told customers they employed stout cyber protections, but didn’t.
There are also new platforms that have created opportunities for cyber criminals, including in mobile devices, cloud computing and alliances between cyber criminals, hackers and nation state cyber espionage, Kelly said, making it more difficult for authorities to determine “who was behind the attack.” Business email compromise attacks are also surging.
Last year, the OCC also engaged in an exercise to grade the cybersecurity programs of some 500 institutions, and earlier this year it created and released a voluntary cybersecurity assessment tool that will help banks better understand their cyber risks, awareness and general “maturity level” in critical areas, he said.
As for the assessment tool, by the end of the year “we will incorporate it into our examination process,” Kelly said. “The tool itself is voluntary, but if you filled it out, we may ask for it. There is no expectation that you filled it out. We would ask you for it as we would any risk management document that you would do for an examination.”
To better prepare for the eventuality of an assault, experts urge banks and other firms to create a “Cyber Incident Preparedness Checklist,” which would include actions to be undertaken before, during and after an attack:
Before a Cyber Attack or Intrusion:
- Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
- Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
- Create an actionable incident response plan. Test the plan with exercises and keep it up-to-date to reflect changes in personnel and structure.
- Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
- Have procedures in place that will permit lawful network monitoring.
- Have legal counsel that is familiar with legal issues associated with cyber incidents.
- Align other policies (e.g., human resources and personnel policies) with your incident
- Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.
During a Cyber Attack or Intrusion:
- Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
- Minimize continuing damage consistent with your cyber incident response plan.
- Collect and preserve data related to the incident. This would include: “image” the network, and keep all logs, notes, and other records of any ongoing attacks.
- Consistent with your incident response plan, notify: law enforcement, other possible victims and the Department of Homeland Security.
- Do not: Use compromised systems to communicate or attempt to “hack back” or intrude upon another network.
After Recovering from a Cyber Attack or Intrusion:
- Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
- Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.
Begin with the end, recovery, in mind
Even before attacks occur, however, institutions should be thinking about how they can safeguard certain data in a way that would more quickly foster recovery, said Brian Peretti, director of the Office of Critical Infrastructure Protection and Compliance Policy at the US Treasury.
“We know bad things are going to happen,” he said. “We know intrusions are going to occur. We know things are going to break. The challenge then is how do we bounce back from that. These companies focus so much on prevention, they don’t know how to respond when things break. You must figure out how you are going to recover from these instances to bounce back from things in a much quicker manner.”
In addition, while companies may be loath to do it, or feel it would be embarrassing or used against them by a competitor, sharing information with law enforcement and industry watchdog groups, like FSISAC, is vital, Peretti said, adding that this can help law enforcement determine the “fingerprint” of an attacker and see if it’s being used by the same individual or group in other attacks.
At the same time, by sharing these attack patterns with multiple banks, they can determine the severity of the threat, in some cases quickly elevating what was thought to be a low level alert to a high level alert, and even get it pushed out by federal law enforcement in a broader bulletin to get banks to shore up against a certain exploit or identify illicit groups currently probing multiple systems, he said.
Cyber and AML powers combined
Sharing should also be going on across bank departments, including AML and cybersecurity, said Vincent D’Agostino, associate managing director in the cyber investigations and incident response division of K2 Intelligence and formerly one of the most senior special agents within the Cyber Branch of the Federal Bureau of Investigation's (FBI) New York Office.
“When cyberattacks happen, there will be anonymous transactions occurring in those accounts,” he said. “There will be accounts opened using those people’s stolen information and there will be activities in those accounts noticeably different than their normal activities,” which are key red flag and risk indicators for AML transaction analysts.
But in recent years, during the occurrences “there was no communication between those two groups and I think that’s a mistake,” D’Agostino said. “And I think that is something that is going to change very quickly in financial institutions going forward.”
“We always have to be partnering with our AML partners in looking at behavioral activities of an institution, organization, account or entity that doesn’t fit the entity,” said John Walsh, Chief Executive Officer of Sightspan, a consultancy, adding that future bank financial crime teams may have cyber experts “embedded” with fraud and AML teams to improve outcomes.
That’s because, currently, there is no answer to the launderers and hackers attacking banks right now.
“That is why everyone needs to share information at a financial crimes level, at an illicit money transmission level,” Walsh said.
“So if you have an AML department, a corporate security department, a fraud department, all of these various silos, which still exist by the way, even though we have been asking them to be broken down for the past 15 years,” they can find aberrant activity, potentially hacked accounts and more quickly act in a unified way across the bank to prevent further intrusions and freeze potentially tainted accounts.
Cyber SARs a key component
Getting the information about a criminal hacking group to law enforcement, though, could be challenging because few banks, if any, know how to craft a finely tuned, cyber-related suspicious activity report, Walsh said.
Here are some things that should be analyzed or included when capturing data on a potential cyber attack to share within the bank or in the creation of a suspicious activity report:
- Business email compromise – victims provide a copy of the phishing email
- Malware compromise – IP address, device ID, geolocation data
- ATM skimming rings – video capture/photos of suspect
- Terrorist financing – IP address, device ID, geolocation data
- Wire transfers – IP address, device ID, geolocation data
- Tax refund fraud/account takeover – IP address, device ID, geolocation data
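The cyber-to-AML hand-off D’Agostino describes, and the data fields listed above, can be turned into a simple correlation: match account activity against the indicators captured from an intrusion, flag activity that departs from the account’s own baseline, and collect the IP, device ID and geolocation fields a cyber-related SAR would need. This is example code written for this article, not from any firm or speaker quoted here; the indicators, accounts and transactions are constructed sample data and all field names are assumptions.

```python
"""Correlate cyber-incident indicators with account activity and gather
the SAR data fields (IP, device ID, geolocation) for flagged accounts."""
from collections import defaultdict
from statistics import mean

# Constructed indicators from a (hypothetical) malware/account-takeover case.
# 203.0.113.0/24 is a documentation range, not a real IoC.
INCIDENT_INDICATORS = {"ip": {"203.0.113.7"}, "device_id": {"dev-9f3a"}}

# Constructed transactions: (account, amount, source IP, device ID, geolocation)
TRANSACTIONS = [
    ("acct-001", 120.0, "198.51.100.4", "dev-1111", "US-NY"),
    ("acct-001", 95.0, "198.51.100.4", "dev-1111", "US-NY"),
    ("acct-001", 4900.0, "203.0.113.7", "dev-9f3a", "RO-B"),  # matches IoCs
    ("acct-002", 50.0, "198.51.100.9", "dev-2222", "US-CA"),
    ("acct-002", 55.0, "198.51.100.9", "dev-2222", "US-CA"),
    ("acct-003", 20.0, "192.0.2.10", "dev-3333", "US-TX"),
    ("acct-003", 2500.0, "192.0.2.99", "dev-3333", "DE-BE"),  # spike only
]


def flag_accounts(transactions, indicators, spike_factor=5.0):
    """Return {account: {"reasons", "ip", "device_id", "geolocation"}} for
    accounts whose transactions either touch an incident indicator or exceed
    spike_factor times the mean of that account's other transactions."""
    by_acct = defaultdict(list)
    for acct, amt, ip, dev, geo in transactions:
        by_acct[acct].append((amt, ip, dev, geo))
    flagged = {}
    for acct, rows in by_acct.items():
        for i, (amt, ip, dev, geo) in enumerate(rows):
            reasons = []
            if ip in indicators["ip"] or dev in indicators["device_id"]:
                reasons.append("incident_indicator_match")
            others = [r[0] for j, r in enumerate(rows) if j != i]
            if others and amt > spike_factor * mean(others):
                reasons.append("amount_spike")
            if reasons:  # only suspicious rows feed the SAR data fields
                rec = flagged.setdefault(acct, {k: set() for k in
                      ("reasons", "ip", "device_id", "geolocation")})
                rec["reasons"].update(reasons)
                rec["ip"].add(ip)
                rec["device_id"].add(dev)
                rec["geolocation"].add(geo)
    return flagged


if __name__ == "__main__":
    for acct, rec in sorted(flag_accounts(TRANSACTIONS, INCIDENT_INDICATORS).items()):
        print(acct, {k: sorted(v) for k, v in rec.items()})
```

Only the flagged rows contribute to the SAR fields, so an account’s ordinary transactions do not pollute the record that is handed to the AML team or to law enforcement.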
But in order for banks to pay attention to this, they have to see cybersecurity as less a technical cost issue, and more as a large scale operational risk, Peretti said.
“We are trying to raise the issue of [cybersecurity as an] operational risk to get more attention to this issue and understanding that this is a risk like every other risk you have to deal with,” he said. “Banks are talking about reputational risk, interest rate risk and capital risk. But [cyber risk] is not on the front line. It’s very complicated. It’s not a value generator. But if a system crashes, it may put a company out of business and it may never recover.”