Cyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.
Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the deep web and darknet. Analyzing it can surface signs of a breach already under way, data that has already leaked or attacks still being planned.
The darknet is the part of the internet that is not reachable with a conventional browser and requires specific software or configuration to access; the deep web is the part that search engines do not index. Nation states, cybercriminal gangs and other threat actors run an underground economy there built on illegal activity, including the sale of personal information, stolen financial goods and illicit services. For a bank's CTI program, the deep web and darknet are a treasure trove of breached data and threat indicators.
Many of these sources trade heavily in goods and data stolen from the financial services industry and its customers. The prospect of financial gain keeps a marketplace for illicit items going, including debit and credit card numbers, identity theft services and banking malware.
While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank's cybersecurity program can make the bank a harder target and lower the likelihood of a breach. To get value from CTI, a bank can:
- Identify the threat actors that are exploiting vulnerabilities in systems used by the financial sector;
- Understand whether a particular organization or client is being targeted directly;
- Detect active malware campaigns that could target the bank;
- Learn where its customer and employee information may exist;
- Find breached credit or debit cards on deep web or darknet marketplaces; and
- Understand emerging trends regarding data theft.
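As an added example (not code from the original article), the Python script below shows the triage step behind the card-dump item above: it works through a listing pulled from a marketplace, keeps only cards that fall in the bank's own BIN ranges, drops entries that fail the Luhn check (sellers pad listings with junk and mistyped numbers), and masks each PAN so that only the BIN and last four digits go into the ticket for the fraud team. The BIN table, the dump layout and every card number in it are constructed for this example; a real BIN table comes from the bank's own card issuing records.

```python
"""Triage a card-number dump against a bank's own BINs before fraud hand-off.

Added example; not code from the original article. The BIN table, the dump
lines and every card number below are fabricated for illustration.
"""
import re

# Hypothetical BIN prefixes "our" bank issues (assumed values).
OUR_BINS = {"453201": "consumer debit", "530923": "business credit"}

# Constructed dump in a common marketplace export layout: pan|mm/yy|cvv|name|country.
# Lines 1-3 are our BINs and Luhn-valid, line 4 is another issuer's test number,
# line 5 is our BIN but fails Luhn, line 6 is not a card record at all.
SAMPLE_DUMP = """\
4532011234567895|12/26|123|J DOE|US
4532015555555553|03/27|555|A SMITH|US
5309230000000000|07/25|111|B JONES|US
4111111111111111|01/28|999|C BROWN|US
4532019999999999|09/26|222|D LEE|US
not a card record at all
"""

PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check: weeds out filler and typos before anyone acts on a line."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four only; the full PAN never leaves the triage step."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(dump_text: str, bins: dict) -> list:
    """Return our-bank cards found in the dump, masked and tagged with product."""
    hits = []
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        m = PAN_RE.search(line)
        if not m:
            continue                        # no card-shaped token on this line
        pan = m.group(0)
        product = bins.get(pan[:6])
        if product is None or not luhn_ok(pan):
            continue                        # other issuer, or junk that fails Luhn
        fields = line.split("|")
        expiry = fields[1] if len(fields) > 1 else ""
        hits.append({"line": lineno, "masked": mask(pan),
                     "product": product, "expiry": expiry})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_DUMP, OUR_BINS):
        print(f"line {hit['line']}: {hit['masked']} exp {hit['expiry']} ({hit['product']})")
```

The fraud team only needs the masked number, expiry and product to block the card, so the script never writes the full PAN anywhere; if the dump itself has to be retained as evidence for law enforcement, that is a separate, access-controlled store.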
There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:
- Incorporating technical indicators of compromise into the company’s security information and event management system;
- Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
- Providing intelligence briefings to security operations centers (SOCs), increasing their situational awareness of active campaigns and the actors behind them;
- Developing incident response scenarios;
- Passing breached card numbers to fraud teams quickly enough that the stolen credit or debit cards can be deactivated before they are used;
- Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
- Segregating and limiting an individual's access to internal systems when that person's credentials have been exposed;
- Communicating with social media and marketing teams about exposed data; and
- Patching known vulnerabilities found on external-facing systems and applications.
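As an added example (not from the original article or any vendor product), the Python script below does the first item on the list in miniature: it loads a defanged IOC feed of the kind a vendor or an ISAC portal exports, refangs the values, and matches them against proxy, firewall and endpoint log lines the way a SIEM lookup would, with a confidence threshold so that low-confidence indicators do not page the SOC. The feed, the log lines and the hash values are constructed; the IP address is from the 203.0.113.0/24 documentation range and the domains use the reserved .example TLD.

```python
"""Match a defanged IOC feed against log events, SIEM-lookup style.

Added example; not code from the original article or any vendor product.
Feed, log lines and hash values are constructed for illustration.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed IOC feed in the CSV layout a vendor or ISAC portal might export.
# Values are defanged ("hxxp", "[.]") as intel feeds commonly are.
SAMPLE_FEED = f"""\
type,value,confidence,note
domain,evil-bank-login[.]example,90,phishing kit impersonating the bank
ipv4,203.0.113.45,80,banking trojan C2
sha256,{'a' * 64},95,trojan dropper
url,hxxp://update[.]example/payload.bin,70,malware download URL
"""

# Constructed log events (proxy, firewall, endpoint) in flat key=value form.
SAMPLE_LOGS = f"""\
2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=EVIL-BANK-LOGIN.example status=200
2024-05-01T10:00:02Z proxy src=10.0.0.6 dst=www.example.org status=200
2024-05-01T10:00:03Z fw src=10.0.0.7 dst=203.0.113.45 dport=443 action=allow
2024-05-01T10:00:04Z edr host=wks-12 sha256={'A' * 64}
2024-05-01T10:00:05Z edr host=wks-13 sha256={'b' * 64}
2024-05-01T10:00:06Z proxy src=10.0.0.8 dst=update.example url=http://update.example/payload.bin
"""

# Token extractors; a real SIEM would read parsed fields instead of regexing raw text.
TOKEN_RES = (
    ("url", re.compile(r"\bhttps?://\S+")),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")),
)


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to live log data."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


def load_feed(text: str) -> dict:
    """Index IOCs as {type: {value: record}}. A URL IOC is also indexed by its
    host so a DNS or proxy hit on the host alerts even if the path differs."""
    index = {kind: {} for kind, _ in TOKEN_RES}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        value = refang(row["value"])
        record = {"confidence": int(row["confidence"]), "note": row["note"]}
        if kind == "url":
            index["url"][value] = record
            host = urlsplit(value).hostname
            if host:
                index["domain"].setdefault(host, record)
        elif kind in index:
            index[kind][value] = record
    return index


def match_event(line: str, index: dict) -> list:
    """Return one (type, value, confidence, note) tuple per IOC seen in a log line."""
    text = line.lower()
    hits = []
    for kind, regex in TOKEN_RES:
        for token in sorted(set(regex.findall(text))):
            record = index[kind].get(token)
            if record:
                hits.append((kind, token, record["confidence"], record["note"]))
    return hits


def scan(log_text: str, index: dict, min_confidence: int = 50) -> list:
    """Run every log line through the IOC index; drop hits below the threshold."""
    alerts = []
    for line in log_text.splitlines():
        for kind, value, conf, note in match_event(line, index):
            if conf >= min_confidence:
                alerts.append({"event": line, "type": kind, "ioc": value,
                               "confidence": conf, "note": note})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS, load_feed(SAMPLE_FEED), min_confidence=75):
        print(f"[{a['confidence']}] {a['type']}={a['ioc']} ({a['note']}) <- {a['event']}")
```

Two details matter in practice: feeds arrive defanged and mixed-case while logs do not, so normalization has to happen on both sides before a lookup can hit; and a URL indicator is worth indexing by host as well, because the proxy or DNS log often records only the destination, not the full path the feed listed.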
What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually beyond the internal resources of a small- to medium-sized financial institution's existing security team, so it is often outsourced to a vendor or other third party. An outsourced provider can add value by:
- Identifying breached credit and debit cards or other financial information;
- Monitoring chatter about C-suite executives;
- Helping prevent fraud that stems from stolen credentials;
- Helping thwart planned attacks that use new financial theft malware, ransomware or Trojans;
- Examining reputational damage or brand-related chatter for an organization;
- Identifying large credential data dumps or breaches;
- Identifying stolen or fraudulent goods such as blueprints, skimmers and other physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.
CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.