Simon Mullis, Chief Technology Officer at Venari Security
The past few years have seen a marked increase in geo-political tensions and emerging cyberattacks, keeping security teams on their toes. One of the most significant security threats, however, is already hiding in plain sight – remaining undetected within encrypted traffic. A major target for these attacks is the UK’s Critical National Infrastructure (CNI), and defending against them should be an urgent priority for the finance industry.
The National Cyber Security Centre defines the UK’s CNI as comprising 13 sectors – the essential systems, processes, people and information needed for the country’s infrastructure. Importantly, the loss or compromise of any of these could result in damaging and extensive impacts on the economy or on society. Although the first ‘essential systems’ that come to mind may be power grids or water supplies, the finance sector also includes many organisations which provide essential services. Whether it be cash withdrawals and deposits, digital wire transfers, loan applications or investments, these services are all relied on daily and must be treated in the same way. This places a real responsibility on banks and financial institutions to ensure their systems are secure, with equally real consequences for failing to do so.
If attacks on CNI are only increasing, what does this mean for financial institutions, and more importantly, how can they ensure they are guarding against them? Let’s consider the risks cyberattacks pose to CNI, as well as the actions the finance sector can take to protect its customers, their data, and financial assets.
The cybersecurity risks to CNI
One of the most recent high-profile CNI attacks that the finance industry must analyse, and guard against, is the Colonial Pipeline ransomware incident, which took place in May 2021. The pipeline operator reported that a cyberattack had forced the company to temporarily shut down all business functions.
What is particularly significant about this attack is that it was simply an exposed username/password that allowed the attackers to gain access. Once in, their activity was end-to-end encrypted – just like all the other traffic. Vast swathes of the US were affected – with 45% of the East Coast’s fuel operations halted as a result.
In this case, despite the organisation protecting its data with strong encryption standards, attackers were able to enter the network through a legitimate, encrypted path, thereby rendering many of the countermeasures ineffective. With the operators unaware of any anomalous activity on their networks, the intruders had all the time they needed to assess the system and get organised.
This presents a dilemma for CNI sectors, especially finance, where interactions and operations have to be encrypted.
Encryption is no longer enough
As happened in the Colonial Pipeline incident, the use of end-to-end encryption enabled attackers to conceal themselves in legitimate traffic. While critical to support data privacy and security in the event of breaches, end-to-end encryption renders many established means of detection ineffective.
Most defence methods still rely heavily on decryption and relatively rudimentary analysis to detect when traffic might be “known-bad” or deviating from expected patterns. The volume and speed of encrypted data now passing across networks means that it is impossible to detect everything with processes and techniques requiring this type of inspection.
Nor is this a cutting-edge approach for cybercriminals. In the first three quarters of 2021 alone, threats over encrypted channels increased by 314% on the previous year. If organisations continue to use the same inadequate detection techniques to uncover malicious activity on their networks, the rate of attacks using encrypted traffic will continue to grow at this rate or higher.
The security industry has long understood that breaches are “not if, but when” scenarios. And the current global climate, sparking a rise in nation-state attacks, undoubtedly increases the threat level further for CNI – and especially for sensitive sectors such as finance.
Going beyond decryption to gain visibility
Financial institutions must strike a careful balance when it comes to security. On the one hand, it is vital that they regain the visibility of their networks that end-to-end encryption risks concealing; on the other, they must maintain that encryption in the first place.
Decryption is too cumbersome and time-consuming an approach now that our entire networks are encrypted – both data at rest and data in motion – and organisations can only hope to keep up if they monitor for aberrant behaviour and malicious activity in their traffic without having to rely on decryption.
The solution? Security teams need to look towards using behavioural analytics to detect what is happening within encrypted traffic flows. Combining machine learning and artificial intelligence, behavioural analytics can analyse encrypted traffic in near real-time without decryption. By accurately distinguishing normal from anomalous behaviour, it significantly increases the rate and speed at which malicious activity concealed in encrypted traffic can be detected, whilst ensuring data remains private.
Security teams can then react immediately to contain the threats it identifies – rather than responding after the fact, when banks might only realise that an attack has taken place after a customer has experienced a breach.
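As an added illustration of the flow-level approach described above (not Venari's code or method, and a simplified robust-statistics stand-in for the machine learning the text refers to), the following scores TLS flows against a per-host baseline using only metadata visible without decryption; all hosts, flows and thresholds are constructed:

```python
"""Behavioural scoring of encrypted-flow metadata, no decryption needed.
Hosts, flows and thresholds below are constructed sample values."""
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    bytes_out: int  # client -> server payload, still encrypted
    bytes_in: int   # server -> client payload, still encrypted
    seconds: float  # flow duration

def upload_ratio(f):
    """Outbound share of the flow; unusually high values resemble exfil."""
    return f.bytes_out / max(f.bytes_out + f.bytes_in, 1)

def mad_score(x, sample):
    """Robust z-score: distance from the median in scaled-MAD units."""
    med = median(sample)
    mad = median(abs(v - med) for v in sample)
    if mad == 0:  # degenerate baseline: identical history, avoid div by zero
        return 0.0 if x == med else float("inf")
    return (x - med) / (1.4826 * mad)

def build_baseline(flows):
    """Per-host lists of upload ratio and duration from known-good history."""
    base = {}
    for f in flows:
        ratios, durs = base.setdefault(f.src, ([], []))
        ratios.append(upload_ratio(f))
        durs.append(f.seconds)
    return base

def score_flow(f, baseline, threshold=3.5, min_history=5):
    """Features exceeding the host's baseline (one-sided: only unusually
    high upload share or unusually long sessions are flagged)."""
    ratios, durs = baseline.get(f.src, ([], []))
    if len(ratios) < min_history:
        return ["no-baseline"]  # unknown host: route to a separate queue
    hits = []
    if mad_score(upload_ratio(f), ratios) > threshold:
        hits.append("upload-ratio")
    if mad_score(f.seconds, durs) > threshold:
        hits.append("duration")
    return hits

HISTORY = [Flow("ws-17", o, i, s) for o, i, s in [  # constructed browsing history
    (1200, 40000, 3.0), (1500, 60000, 4.5), (900, 35000, 2.5), (2000, 80000, 6.0),
    (1100, 45000, 3.5), (1800, 70000, 5.0), (1300, 50000, 4.0), (1000, 38000, 3.0)]]
BASELINE = build_baseline(HISTORY)
```

A flow from the same host that pushes 180 MB outbound over half an hour scores far outside the baseline on both features, while the encrypted payload itself is never inspected.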
Not a threat, but a reality
As the geo-political landscape becomes more treacherous and society even more interconnected, critical infrastructure attacks will only increase, with financial services a major target.
Security teams can no longer bury their heads in the sand, as these attacks may not be a looming threat but an existing issue, hidden by the very encryption they’ve relied on. Acting now is key; otherwise the risks posed by an attacker will only increase.