
Page 1: KEY LESSONS LEARNED FROM RECENT CYBER-ATTACKS ON … · A Brief Overview of Cyber-Heists targeting SWIFT Banks In 2016, a large-scale cyber-attack on the Central Bank of Bangladesh

Rakesh Asthana
[email protected]
www.worldinformatixcs.com

KEY LESSONS LEARNED FROM RECENT CYBER-ATTACKS ON GLOBAL BANKS
Central Bank of Bangladesh Heist Case Study

World Informatix Cyber Security explains the ongoing threat faced by the financial sector and global banks from continuing Cyber-Attacks, along with a detailed guide on best practices to protect your company, based on its firsthand experience in responding to the crisis.

August 2018


1 | Page   World Informatix Cyber Security - Confidential

WHITEPAPER

Abstract

World Informatix Cyber Security presents a compelling case that banks and financial institutions around the world are under persistent threat from anonymous cyber hackers who specifically target users of the SWIFT financial messaging systems. In the past few years there has been a succession of large-scale cyber heists on banks around the world, stealing millions in assets and compromising the integrity of financial institutions and often the countries they represent.

Within the paper, we present a brief history of SWIFT-based cyber-attacks on the banking sector, along with our 10 Key Findings from the lessons learned in responding to the largest and most damaging of those attacks. These findings should be considered a list of best management practices for banks looking to strengthen their cyber security posture against potential cyber-attacks.

World Informatix Cyber Security (WICS) is a leading provider of cyber security services and a trusted partner of global financial institutions and banks. Our clients include the United Nations and central banks around the world. WICS was engaged by the Central Bank of Bangladesh in 2016 for emergency incident response and remediation of what has become the largest cyber heist in history. This is our story.

World Informatix Cyber Security offers its flagship service, SWIFT Payment Systems Assurance. WICS is an official SWIFT partner listed in the directory of third-party cyber security providers. Our service can be used to provide annual attestation to SWIFT's mandatory security guidelines. Our comprehensive review combines technical penetration testing with a controls review, leveraging our proprietary checklist of 272+ detailed controls to ensure organizations using SWIFT systems have minimized vulnerabilities and strengthened their cyber security posture.


Contents

Abstract ........................................................ 1
A Brief Overview of Cyber-Heists targeting SWIFT Banks ........... 3
Cyber Heist 101: Profile of the Largest Cyber Heist to Date ...... 4
Attack Pattern Assessment ........................................ 5
10 Key Lessons Learned ........................................... 6
Why Select World Informatix Cyber Security? ..................... 15


A Brief Overview of Cyber-Heists targeting SWIFT Banks

In 2016, a large-scale cyber-attack on the Central Bank of Bangladesh rocked the financial sector and the entire world with its staggering scale. While this was not the first cyber-attack of its kind to target banks, and in particular users of the SWIFT systems, this example received worldwide media attention and seemed to mark the start of a new era of cyber heists. Since then the rate of cyber-attacks on global banks has increased, sparking a flurry of protective action from SWIFT and banks around the world, as many of the recent attacks have used similar tactics and malware.

According to information that has been made available to the media, there have been at least 10 reported cyber heists starting in 2015. SWIFT officials have unofficially reported that even more institutions have been compromised, yet no information has been made public regarding these attacks.

The sophistication and intensity of cyber-attacks have increased since 2015. Hackers are using increasingly complex methods to bypass a network's security measures while taking advantage of weaknesses in the users' network security. Constantly evolving (often zero-day) malware has been used to acquire credentials, and often administrator privileges, on the network in carefully orchestrated attacks that are sometimes planned for years. Having gained access to sensitive credentials and authentication material, hackers have initiated fraudulent transfer requests into foreign bank accounts, followed by complex money laundering schemes.


Cyber Heist 101: Profile of the Largest Cyber Heist to Date

1. Sophisticated malware was deployed by the attacker that specifically targets servers running SWIFT Alliance Access (SAA) applications. The attack was designed to process SWIFT transactions with harvested, legitimate credentials.

2. Complex malware has been identified with advanced features for harvesting credentials and for securely erasing all traces of activity after accomplishing its task. Complementary malware was used to sustain the attack, such as keyloggers and attacker utilities for post-attack cleanup. World Informatix Cyber Security is the only company in possession of binary strings from the malware used in this heist.

3. Defeats normal cyber security measures – The attacker was capable of penetrating normal cyber security defenses. All the tools employed by the attacker were custom-made and bypassed the deployed anti-virus solutions and 2-factor authentication.

4. Sends fraudulent transfer requests at opportunistic times – Hackers were able to send authentic transfer requests from the host bank, thereby initiating a transfer of funds into foreign accounts. Hackers timed this transfer to happen at the end of the work week and prior to a public holiday, ensuring that any possible response would be muted.

5. Covering up the evidence – Attackers were able to use customized tools to erase any record or evidence of their activity, including by modifying registry files.


Attack Pattern Assessment:

Attacker Activity | Details

Gain entry / Reconnaissance | Attackers use automated scanners and exploit vulnerabilities to gain entry to the network. Once inside, the attacker looks to pivot into other hosts using a variety of reconnaissance techniques.

Lateral movement | The attacker harvests users' credentials using a keystroke logger or other utilities. With the harvested credentials, the attacker logs into SWIFT and other business systems in the environment with legitimate but compromised credentials.

Process unauthorized business transactions or data theft | Once the attacker has legitimate credentials and access to business systems, they are set to either process unauthorized transactions or steal confidential data.

Reverse shells / Persistent backdoors | The attacker places persistent backdoors on systems to maintain access to the compromised environment.

Cleanup and delay detection | Attackers with good knowledge of the systems will usually clean up by deleting log files or tampering with databases and systems to delay discovery, allowing them more time to process stolen information or funds.


10 Key Lessons Learned

#1- Establish a Cyber Security Governance and Culture

Cyber security governance and culture is a shared responsibility across several stakeholders at any institution. A clear chain of command and decision-making authority quickly highlights cyber risks and the actions required to mitigate or accept the risk. The following stakeholders have a responsibility in a best practice approach:

Board level visibility of cyber security risks and periodic review of risk profiles is essential to maintaining a strong cyber security posture and protecting the institution. Management is responsible for ensuring proper risk reviews and for presenting cyber security risks to the Board with plans for mitigation or acceptance of the risks. The Board is responsible for ensuring that sufficient resources are allocated towards mitigating risks in line with its risk tolerance levels, and for monitoring progress of remediation plans related to cyber security.

Management should establish an independent CISO organization that is responsible for enterprise-wide security risks and has the authority to act as a 'gatekeeper' for the introduction of new technology and to shut down vulnerable or compromised IT assets. The CISO is also responsible for fostering an enterprise-wide security awareness program that complements technology controls. To ensure an independent view and authority, the CISO organization's reporting lines should be independent of IT management, possibly reporting to a separate risk management function with a dotted-line reporting relationship to the Board.

Internal and external auditors must conduct periodic cyber security audits and provide an independent view of cyber risks to management and the Board. Auditors have a responsibility to assess and report on emerging risks and to conduct specific audits, especially when new technology is being introduced.

#2- Strengthen Financial System Controls

• Review and align account privileges to the principle of 'least privilege', or entitlement to business functions.
• Ensure segregation of duties (i.e. maker-checker-approver) is enforced.
• Ensure processing limits based on the threshold value of transactions, such as maximum value per transaction, maximum limit per operator, or per-day limits.
• Ensure account deletion on termination or transfer of an employee.
• Use multi-factor authentication for remote access at the network perimeter and for sensitive and high-value transactions.
• Ensure privileged account access is controlled and its use is logged, monitored and reviewed regularly.
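The three technical controls in this list (least-privilege role entitlements, maker-checker-approver segregation of duties, and per-transaction, per-operator and per-day limits) are easiest to reason about as one authorization path that a payment must pass before release. The following is an added illustration written for this section, not the paper's or SWIFT's code; the user names, role assignments and limit values are constructed assumptions.

```python
"""Maker-checker-approver authorization with transaction, per-operator and
per-day limits. Added illustration; roles, users and limits are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy values (assumptions, not any bank's real limits).
MAX_PER_TRANSACTION = 1_000_000
MAX_PER_OPERATOR_PER_DAY = 2_500_000
MAX_PER_DAY = 5_000_000

# Constructed entitlements: each user holds only the roles their job needs.
ROLES = {
    "alice": {"maker"},
    "bob": {"checker"},
    "carol": {"approver"},
    "dave": {"maker", "checker"},  # both roles allowed, never on the same payment
}


class AuthorizationError(Exception):
    """A control rejected the action; the payment must not be released."""


@dataclass
class Payment:
    ref: str
    amount: int
    value_date: date
    maker: str
    checker: Optional[str] = None
    approver: Optional[str] = None


@dataclass
class Ledger:
    """Released payments, used to enforce the daily limits."""
    released: list = field(default_factory=list)

    def day_total(self, day: date, operator: Optional[str] = None) -> int:
        return sum(p.amount for p in self.released
                   if p.value_date == day and (operator is None or p.maker == operator))


def require_role(user: str, role: str) -> None:
    if role not in ROLES.get(user, set()):
        raise AuthorizationError(f"{user} lacks the {role} role")


def check(payment: Payment, checker: str) -> None:
    """Second pair of eyes: must hold the checker role and differ from the maker."""
    require_role(checker, "checker")
    if checker == payment.maker:
        raise AuthorizationError("maker cannot check own payment")
    payment.checker = checker


def approve(payment: Payment, approver: str) -> None:
    """Final sign-off by a third person, only after the check has happened."""
    require_role(approver, "approver")
    if payment.checker is None:
        raise AuthorizationError("payment has not been checked")
    if approver in (payment.maker, payment.checker):
        raise AuthorizationError("approver must differ from maker and checker")
    payment.approver = approver


def release(payment: Payment, ledger: Ledger) -> bool:
    """Release only if segregation of duties and every limit hold."""
    require_role(payment.maker, "maker")
    if payment.approver is None:
        raise AuthorizationError("payment has not been approved")
    if payment.amount > MAX_PER_TRANSACTION:
        raise AuthorizationError("exceeds per-transaction limit")
    if ledger.day_total(payment.value_date, payment.maker) + payment.amount > MAX_PER_OPERATOR_PER_DAY:
        raise AuthorizationError("exceeds operator daily limit")
    if ledger.day_total(payment.value_date) + payment.amount > MAX_PER_DAY:
        raise AuthorizationError("exceeds institution daily limit")
    ledger.released.append(payment)
    return True


def try_release(payment: Payment, ledger: Ledger, checker: str, approver: str) -> str:
    """Run the whole workflow; report 'released' or the control that rejected it."""
    try:
        check(payment, checker)
        approve(payment, approver)
        release(payment, ledger)
        return "released"
    except AuthorizationError as err:
        return str(err)


def run_demo() -> dict:
    """Exercise each control on constructed payments; return the outcome per case."""
    day = date(2018, 8, 9)  # constructed value date
    ledger = Ledger()
    return {
        "normal": try_release(Payment("PAY-001", 900_000, day, "alice"), ledger, "bob", "carol"),
        "self_check": try_release(Payment("PAY-002", 100, day, "dave"), ledger, "dave", "carol"),
        "per_txn": try_release(Payment("PAY-003", 1_500_000, day, "alice"), ledger, "bob", "carol"),
        "second_ok": try_release(Payment("PAY-004", 900_000, day, "alice"), ledger, "bob", "carol"),
        "operator_day": try_release(Payment("PAY-005", 900_000, day, "alice"), ledger, "bob", "carol"),
        "no_role": try_release(Payment("PAY-006", 100, day, "alice"), ledger, "carol", "carol"),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:>13}: {outcome}")
```

The order of checks matters: role and segregation checks run before any limit arithmetic, so a compromised operator account holding only the maker role cannot complete a payment alone regardless of amount, and the limit check against the ledger of already released payments is what stops a burst of individually small transfers from one operator.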

#3- Enhance System Logging and Monitoring

Enhanced system logging of device activity improves the security team's ability to detect malicious activity. Logs are indispensable in determining how the attacker gained access and moved laterally within the IT environment.


The following devices and servers are in scope of system monitoring:

1. Firewall logs – acceptances and denials
2. Domain Name System (DNS) server logs
3. Dynamic Host Configuration Protocol (DHCP) logs – map dynamic IP addresses to hosts
4. Microsoft Windows or other server event audit logs
5. External webmail access logs
6. Internal web proxy logs
7. Virtual private network (VPN) logs
8. Network flow metadata
9. Servers running critical applications

#4- Maintain an Effective Vulnerability Management Program

A vulnerability management program is an important aspect of continuously monitoring IT assets for vulnerabilities. Many companies conduct an annual vulnerability assessment but fail to conduct periodic checks, and so miss emerging vulnerabilities and threats during the year. Vulnerabilities are introduced throughout the year through the implementation of new applications or changes to infrastructure components, or simply because new vulnerabilities in existing products are discovered that require immediate system patches. Management should institute an ongoing vulnerability management program that looks for vulnerabilities, assigns severities and ensures remediation of these vulnerabilities in a timely manner. The following are focus areas:

a. External-facing websites are known to be a prime attack vector and are prone to constant probing by malicious actors. Many companies have an uncontrolled proliferation of websites; these websites may not adhere to safe coding standards and may contain vulnerabilities that could be exploited. It takes only one open door for a determined attacker to gain access to your network and IT assets.

b. Email attachments are a prime source of malware deployed on workstations. Luring victims to click on email attachments is the hackers' preferred method to deliver malicious payloads, because hackers can send out a large number of broadcast emails with various subject lines or inducements to a victim organization. Organizations must deploy spam filters and be able to scan and quarantine infected attachments.

c. Website downloads carrying malware are another favorite of hackers to deploy a payload. Victims are lured into visiting the website through innocent or legitimate-looking fake websites. All downloads must go through a web filter to identify malware.

d. Vulnerability assessment of servers and end-points is a must, since they are the first line of defense in intrusion detection and prevention. It is important to follow good practices of configuration and patch management and automated synchronization of the anti-virus database. An efficient program to assess new patch releases and ensure compliance with a baseline standard for servers and end-points is essential for good protection.

#5- Establish a Robust Network Security Plan

Network security has several aspects which must be incorporated into a cyber security risk plan.

1. Ensure you have full host and network visibility so that you have a complete picture of everything that is in your environment, specifically endpoints and network assets. This gives insight into what needs to be monitored as well as into the broader implications of any security incident.

2. Ensure that the network is segmented into logical segments with different risk profiles. Financial systems with a higher risk profile may be clustered into one secure network segment that requires multi-factor authentication and has strict firewall rules and application whitelists. Ensure that websites that are not critical to core business functions or that carry publicly available data are cordoned off or even hosted in a separate external environment.

3. While deploying IPS and IDS systems it is important to remember that many signature-based IPS/IDS and anti-virus products cannot identify zero-day and APT malware. You may need to deploy additional technology that is specially designed for such zero-day and APT detection and eradication.

4. Ensure 24x7 monitoring of alerts from all your security technology (IPS, IDS, anti-virus, DLP, SIEM) so that someone is always watching your network alerts even while the rest of the organization sleeps. Remember that most cyber-attacks are carefully planned for night hours and weekends to escape or delay detection.
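Point 4 here, the logging scope in lesson #3, and the heist profile earlier (transfers timed for the end of the work week before a public holiday, followed by log cleanup) describe three things a monitoring rule set should catch from the logs of a payment gateway: activity outside business hours, logins with legitimate credentials from a workstation that operator has never used, and clearing of the audit log. The following is an added example written for this paper's lessons, not a vendor's or the authors' tooling; the log line format, hostname, user names, addresses, business calendar and holiday are all constructed assumptions.

```python
"""Detection rules over constructed SWIFT gateway log lines: off-hours activity,
logins from unknown sources, and audit-log clearing. Added example; the log
format, hosts, users, addresses and calendar are constructed assumptions."""
from collections import Counter
from datetime import date, datetime, time

# Constructed business calendar: Monday-Friday, 08:00-18:00, plus declared holidays.
BUSINESS_DAYS = {0, 1, 2, 3, 4}          # datetime.weekday(): Monday == 0
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
HOLIDAYS = {date(2018, 8, 10)}           # constructed public holiday (a Friday)

# Constructed baseline: workstations each operator has historically logged in from.
KNOWN_SOURCES = {"op1": {"10.10.5.23"}, "op2": {"10.10.5.40"}}

# Constructed log excerpt in a simple "timestamp host EVENT key=value ..." form.
SAMPLE_LOG = """\
2018-08-09T10:15:00 saa01 LOGIN user=op2 src=10.10.5.40 result=success
2018-08-09T10:20:00 saa01 MT103 user=op2 ref=PAY-0088 amount=150000
2018-08-09T23:41:07 saa01 LOGIN user=op1 src=10.10.9.77 result=success
2018-08-09T23:52:11 saa01 MT103 user=op1 ref=PAY-0091 amount=20000000
2018-08-10T01:05:33 saa01 AUDITLOG user=op1 action=cleared
2018-08-10T09:00:00 saa01 LOGIN user=op2 src=10.10.5.40 result=success
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict: ts, host, event and the key=value fields."""
    ts, host, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def outside_business_hours(ts: datetime) -> bool:
    """True at night, at the weekend, or on a declared holiday."""
    day, clock = ts.date(), ts.time()
    return (day.weekday() not in BUSINESS_DAYS or day in HOLIDAYS
            or not (BUSINESS_START <= clock < BUSINESS_END))


def detect(log_text: str) -> list:
    """Return (rule, timestamp, detail) tuples for every line that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: login or payment message outside business hours.
        if ev["event"] in ("LOGIN", "MT103") and outside_business_hours(ev["ts"]):
            alerts.append(("OFF_HOURS_ACTIVITY", ev["ts"], f"{ev['event']} by {ev['user']}"))
        # Rule 2: successful login from a source never seen for this operator,
        # which is how compromised-but-legitimate credentials show up in logs.
        if (ev["event"] == "LOGIN" and ev.get("result") == "success"
                and ev.get("src") not in KNOWN_SOURCES.get(ev["user"], set())):
            alerts.append(("UNKNOWN_SOURCE_LOGIN", ev["ts"], f"{ev['user']} from {ev['src']}"))
        # Rule 3: audit log cleared, the cleanup stage of the attack pattern table.
        if ev["event"] == "AUDITLOG" and ev.get("action") == "cleared":
            alerts.append(("AUDIT_LOG_CLEARED", ev["ts"], f"cleared by {ev['user']}"))
    return alerts


def count_by_rule(alerts: list) -> dict:
    """Summarize alerts per rule for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<21} {detail}")
```

Rule 3 is only useful if the log line that records the clearing has already left the host: forward gateway and server event logs to a write-once collector as they are produced, so that deleting local files (the "Cleanup and delay detection" stage) leaves the record intact. The calendar and known-source baseline should be maintained per operator group rather than globally, otherwise the off-hours rule is either noisy or silent for teams that legitimately work shifts.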


#6 – Develop an Incident Response Plan

Prepare for an incident by clearly defining roles and responsibilities during the incident response, to avoid chaos and confusion during the early stages of a security incident. Having clearly defined roles and responsibilities for those involved in incident response minimizes confusion, prevents duplication of work, and avoids critical gaps in the response. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. Key elements of an Incident Response Plan include:

Preparation – Incident response methodologies typically emphasize preparation in establishing an incident response capability. This includes incident communication and facilities (contact lists, on-call lists, escalation procedures, issue tracking systems, digital forensic workstations), network analysis resources (port lists, network diagrams, asset lists, cryptographic hashes of critical files, etc.) and incident mitigation resources (clean OS and golden copies for restoring OS, server images, etc.). Lack of preparation and of an active Incident Response Plan will hamper your efforts to manage the incident and the fallout of the security incident.
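One preparation item above, cryptographic hashes of critical files, is only useful if the hashes are taken before the incident and compared during it. The following added example (written for this section, not the paper's tooling) builds a SHA-256 baseline of a directory tree, stores it as JSON, and later reports files that were modified, deleted or added; the directory layout, file contents and the changes simulated in run_demo() are all constructed.

```python
"""Hash baseline of critical files and a later integrity check. Added example;
the tree under gateway/, its contents and the simulated changes are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries and logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline: modified, missing and unexpected files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def run_demo() -> dict:
    """Baseline a constructed tree, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "gateway"
        for rel, content in {
            "bin/gateway": b"\x7fELF constructed placeholder binary",
            "etc/gateway.conf": b"max_per_txn=1000000\n",
            "log/audit.log": b"2018-08-09T10:15:00 LOGIN op2 success\n",
        }.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        baseline_file = Path(tmp) / "baseline.json"   # in practice kept off-host
        save_baseline(build_baseline(root), baseline_file)

        # Constructed changes of the kinds the attack pattern table describes:
        # a tampered configuration, a deleted log, and an unexpected new file.
        (root / "etc" / "gateway.conf").write_bytes(b"max_per_txn=999999999\n")
        (root / "log" / "audit.log").unlink()
        (root / "bin" / "cleanup").write_bytes(b"constructed unexpected file")

        return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the baseline file and a copy of the verifier on the forensic workstation or another host the gateway cannot write to; an attacker with write access to the server can rewrite a baseline stored beside the files it protects. During response, run verify() from that workstation against a mounted image of the suspect system rather than on the live host.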

Detection & Analysis – Detection includes identification of common attack vectors (web, email, impersonation, phishing, removable media, brute force attacks, social engineering attacks and loss of equipment). For many organizations, the most challenging part of the incident response process is accurately detecting and assessing possible incidents: determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem. Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now. Detection typically comes from alerts (IDS, IPS, SIEMs, anti-virus, third-party monitoring services), from logs (OS, server logs, network device logs, network flows), or from anomalies noticed by people (users noticing abnormal transactions or access, system administrators noticing unusual logins, and reports from external sources). Analysis is often complicated because indicators may be false positives and need to be reviewed carefully against normal behavior. Typical analysis is aided by profiling of network activity for expected behaviors, retention of extended log data, event correlation and external source data.


Incident Notification – When an incident is analyzed and prioritized, the incident response team needs to notify the appropriate individuals so that all who need to be involved will play their roles. Incident response policies should include provisions concerning incident reporting: at a minimum, what must be reported to whom and at what times (e.g., initial notification, regular status updates). The exact reporting requirements vary among organizations, but parties that are typically notified include:

1. CIO, head of information security / management (i.e. CISO) and the Board
2. Other incident response teams within the organization, and external incident response teams (if appropriate)
3. Business owners and Human Resources (for cases involving insider threats)
4. Public affairs (for incidents that may generate publicity)
5. Legal department (for incidents with potential legal ramifications)
6. Country-level reporting requirements for security incidents, and law enforcement (if appropriate)


Containment, Eradication and Recovery – Containment is important before an incident overwhelms resources or increases damage. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.

#7 – Maintain Adequate Levels of Cyber Insurance

Cyber insurance is a means of protecting against the effects of catastrophic cyber-crimes or liability due to a major attack, by transferring some risk to an insurance company. Companies should conduct a periodic analysis of the adequacy of the cyber insurance coverage provided, in connection with the firm's risk assessment process, to determine whether the policy and its coverage align with the firm's risk acceptance and ability to bear losses.

#8 – Establish a Vendor Risk Management Program

Vendor risk management is a process that supports firms in managing the cyber security risk that can arise across the lifecycle of vendor relationships, using a risk-based approach. Effective practices to manage vendor risk include:

• performing due diligence on existing external outsourced service providers, and pre-contract due diligence on new ones;
• establishing contractual terms appropriate to the sensitivity of the information and systems to which the vendor may have access, which govern both the ongoing relationship with the vendor and the vendor's obligations after the relationship ends; and
• ongoing monitoring of the vendor to ensure compliance with contractual terms.


#9- Implement a Security Awareness Program

Implement security awareness training that is mandatory for all staff. Effective practices for cybersecurity training include:

• Defining cybersecurity training needs
• Identifying appropriate cybersecurity training update cycles
• A mandatory security awareness training program using a standard computer-based training module with progress monitoring
• Information security training for IT staff, including safe coding standards
• Information security training for business staff to ensure any information system acquired or modified is reviewed through the prism of information security
• Occasional security 'tips & tricks' communications
• Periodic social engineering tests through phishing and physical security tests


#10 – Maintain Strong SWIFT Security Controls

SWIFT security is an integral part of a secure payment system. If you use SWIFT Alliance Access (SAA) for your payment system then it is your responsibility to ensure that the SWIFT servers, workstations and network access meet SWIFT security guidelines and are protected from sophisticated and targeted attacks. It is noted that recent attacks at a central bank bore the signatures of a similar attack at other banks. These hackers have figured out the weakness in the model and are able to attack poorly protected SWIFT environments, many of them in developing countries, where cyber security has not been a priority.

SWIFT builds on security practices established by the customer itself, and therefore it is imperative that, in the wake of the central bank attack, customers using SWIFT Alliance Access (SAA) strengthen their cyber security posture and conduct an independent health check of payment systems to prevent similar attacks. The SWIFT organization provides security guidelines, but essentially you are on your own to ensure the security of these critical systems.

For more information and to download the SWIFT CSP framework, please visit the following:

SWIFT CSP Website
https://www.swift.com/myswift/customer-security-programme-csp


Why Select World Informatix Cyber Security?

✓ Official SWIFT partner (#2162549) and certified provider of SWIFT security reviews and CSP attestation.
✓ Special focus on SWIFT/Payment System health check service.
✓ Provider of cyber security services for Cloud & Mobile applications.
✓ Unique vantage point – leading incident response & remediation for the largest cyber-crime in history.
✓ Full understanding of attack pattern and malware seen in multiple large-scale global heists.

See Next Page for Contact Information


US Company Founded in 2012
A Trusted Global Company

Key Clients include:

❖ Central Bank of Bangladesh
❖ Central Bank of Yemen
❖ Central Bank of Trinidad & Tobago
❖ Central Bank of Nigeria
❖ United Nations:
   o International Fund for Agricultural Development (IFAD)
   o Food and Agriculture Organization (FAO)
   o World Food Programme (WFP)
❖ Mass Mutual Fund, USA

Rakesh Asthana (Ash)
Managing Director & CEO, World Informatix Cyber Security
(Former Director IT, Office of Information Security, World Bank)

World Informatix Cyber Security
1552 SE Ballantrae Ct., Port St. Lucie, FL, 34952, USA
Email: [email protected]
Website: www.worldinformatixCS.com
Office: +1-703-635-2794
Mobile: +1-703-501-1199