Rakesh Asthana
www.worldinformatixcs.com
KEY LESSONS LEARNED FROM RECENT CYBER-ATTACKS ON GLOBAL BANKS
Central Bank of Bangladesh Heist
Case Study
World Informatix Cyber Security explains the ongoing threat faced by the
financial sector and global banks from continuing Cyber-Attacks along with a
detailed guide on best practices to protect your company, based on its firsthand
experience in responding to the crisis.
August 2018
1 | P a g e W o r l d I n f o r m a t i x C y b e r S e c u r i t y - C o n f i d e n t i a l
WHITEPAPER
Abstract
World Informatix Cyber Security presents a compelling case that Banks and Financial
Institutions around the world are under persistent threat from anonymous cyber hackers who
specifically target users of the SWIFT financial messaging systems. In the past few years there has
been a continuum of large-scale cyber heists on banks around the world, stealing millions in assets
and compromising the integrity of financial institutions and often the countries they represent.
Within the paper, we present a brief history of SWIFT-based cyber-attacks on the banking
sector, along with our 10 Key Findings from the lessons learned in responding to the largest and most
damaging of those attacks. These findings should be considered a list of Best Management Practices
for banks looking to strengthen their cyber security posture against potential cyber-attacks.
World Informatix Cyber Security (WICS) is a leading provider of cyber security services and a
trusted partner of global financial institutions and banks. Our clients include The United Nations and
Central Banks around the world. WICS was engaged by the Central Bank of Bangladesh in 2016 for
emergency incident response and remediation to what has become the largest cyber heist in history.
This is our story.
World Informatix Cyber Security offers its flagship service: SWIFT Payment Systems
Assurance. WICS is an official SWIFT partner listed in the directory of 3rd-party cyber security
providers. Our service can be used to provide annual attestation to SWIFT's mandatory security
guidelines. Our comprehensive review utilizes a combination of technical penetration testing with a
controls review, leveraging our proprietary checklist with 272+ detailed controls to ensure
organizations using SWIFT systems have minimized vulnerabilities and strengthened their cyber
security posture.
Contents
Abstract, page 1
A Brief Overview of Cyber-Heists targeting SWIFT Banks, page 3
Cyber Heist 101: Profile of the Largest Cyber Heist to Date, page 4
Attack Pattern Assessment, page 5
10 Key Lessons Learned, page 6
Why Select World Informatix Cyber Security?, page 15
A Brief Overview of Cyber-Heists targeting SWIFT Banks
In 2016, a large-scale cyber-attack on the Central Bank of Bangladesh rocked the financial
sector and the entire world with its staggering scale. While this was not the first cyber-attack of its
kind to target banks and in particular users of the SWIFT systems, this example received worldwide
media attention and seemed to be the start of a new era of cyber heists. Since then the rate of cyber-
attacks on global banks has increased, sparking a flurry of protective action from SWIFT and banks
around the world, as many of the recent attacks have used similar tactics and malware.
According to information that has been available to the media, there have been at least 10
reported cyber heists starting in 2015. SWIFT officials have unofficially reported that even more
institutions have been compromised, yet no information has been made public regarding these
attacks.
The sophistication and intensity of cyber attacks have increased since 2015. Hackers are
using increasingly complex methods to bypass a network's security measures while taking advantage
of weaknesses in the users' network security. Constantly evolving malware (including zero-day malware)
has been used to acquire credentials, and often administrator privileges, on the network in carefully
orchestrated attacks that are sometimes planned for years. After gaining access to sensitive
credentials and authentication details, hackers have initiated fraudulent transfer requests into foreign bank
accounts, followed by complex money laundering schemes.
Cyber Heist 101: Profile of the Largest Cyber Heist to Date
1. Sophisticated malware was deployed by the attacker that specifically targets servers running
SWIFT Alliance Access (SAA) applications. The attack was designed to process SWIFT
transactions with legitimate, harvested credentials.
2. Complex malware has been identified with advanced features for harvesting credentials
and for securely erasing all traces of activity after accomplishing its task. Complementary malware
was used to sustain the attack, such as keystroke loggers and attacker utilities for post-attack
cleanup. World Informatix Cyber Security is the only company in possession of binary strings
from malware used in this heist.
3. Defeats Normal Cyber Security Measures – The attacker was capable of penetrating normal cyber
security defenses. All the tools employed by the attacker were custom-made and bypassed the
deployed anti-virus solutions, including 2-factor authentication.
4. Sends Fraudulent Transfer Requests at Opportunistic Times – Hackers were able to send
authentic transfer requests from the host bank, thereby initiating a transfer of funds into
foreign accounts. Hackers timed this transfer to happen at the end of the work week and prior
to a public holiday, ensuring that any possible response would be muted.
5. Covering up the Evidence – Attackers were able to use customized tools to erase any record
or evidence of their activity by modifying registry files.
Attack Pattern Assessment:
Attacker Activity – Details
Gain entry/Reconnaissance – Attackers use automated scanners and exploit vulnerabilities to gain entry
to the network. Once inside, the attacker looks to pivot into other hosts using a variety of
reconnaissance techniques.
Lateral movement – The attacker harvests users' credentials using a keystroke logger or other utilities.
With harvested credentials, the attacker logs into SWIFT and other business systems in the environment
with legitimate but compromised credentials.
Process unauthorized business transactions or Data theft – Once the attacker has legitimate credentials
and access to business systems, they are set to either process unauthorized transactions or steal
confidential data.
Reverse shells/Persistent backdoors – The attacker places persistent backdoors on systems to maintain
access to the compromised environment.
Cleanup and Delay detection – Attackers with good knowledge of systems usually clean up by deleting
log files or tampering with databases and systems to delay discovery, allowing them more time to
process stolen information or funds.
10 Key Lessons Learned
#1- Establish a Cyber Security Governance and
Culture
Cyber security governance and culture is a shared
responsibility across several stakeholders at any
institution. A clear chain of command and decision-
making authority quickly highlights cyber risks and
actions required to mitigate or accept the risk.
The following stakeholders have a responsibility in a best-practice
approach:
Board level visibility of cyber security risks and
periodic review of risk profiles is essential to
maintaining a strong cyber security posture and
protecting the institution. Management is responsible
for ensuring proper risk reviews and presenting to the
Board cyber security risks with plans for mitigation or
acceptance of the risks. The Board is responsible for
ensuring that sufficient resources are allocated towards
mitigating risks as desired by their risk tolerance levels
and monitoring progress of remediation plans related to
cyber security.
Management should establish an independent CISO
organization that is responsible for enterprise-wide
security risks and has the authority to act as a
‘gatekeeper’ for the introduction of new technology and to
shut down vulnerable or compromised IT assets. The
CISO is also responsible for fostering an enterprise-
wide security awareness program that
complements technology controls. To ensure an
independent view and authority, the CISO organization's
reporting lines should be independent of IT
management, possibly to a separate risk management function with a dotted-line reporting relationship
to the Board.
Internal and External auditors must conduct periodic cyber security audits and provide an
independent view of cyber risks to management and the Board. Auditors have a responsibility to assess
and report on emerging risks and to conduct specific audits especially when new technology is being
introduced.
#2- Strengthen Financial System Controls
• Review and align account privileges to the
principle of ‘least privilege’, or entitlement to
business functions.
• Ensure segregation of duties (i.e. maker-
checker-approver) is enforced.
• Ensure processing limits based on the threshold
value of transactions, such as maximum value
per transaction, maximum limit per operator
or per-day limits.
• Ensure account deletion on termination or
transfer of an employee.
• Use multi-factor authentication for remote
access at the network perimeter and for
sensitive and high-value transactions within the
organization.
• Ensure privileged account access is
controlled and its use is logged, monitored
and reviewed regularly.
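The controls listed above can be expressed as a single release check in code. The following is an added example written for this paper, not a SWIFT or bank API: the role names, user names, limit values and the `PaymentControls` class are constructed assumptions. It enforces least privilege (one action per role), maker-checker-approver segregation, per-transaction, per-operator and per-day thresholds, rejects deactivated accounts, and records every decision for review.

```python
from dataclasses import dataclass

# Added example: a payment-release check enforcing the lesson #2 controls.
# Roles, users and limit values are constructed assumptions for illustration.

ROLE_PERMISSIONS = {          # least privilege: exactly one action per role (assumed)
    "maker": {"create"},
    "checker": {"verify"},
    "approver": {"release"},
}

LIMITS = {                    # assumed threshold values in account currency units
    "max_per_transaction": 1_000_000,
    "max_per_operator_per_day": 2_500_000,
    "max_per_day": 10_000_000,
}


@dataclass
class Payment:
    ref: str
    amount: int
    maker: str
    checker: str
    approver: str


class PaymentControls:
    """Evaluate a payment against the controls; totals are committed only when it passes."""

    def __init__(self, users, limits=LIMITS):
        self.users = users            # username -> (role, is_active)
        self.limits = limits
        self.operator_totals = {}     # (day, maker) -> value released that day
        self.day_totals = {}          # day -> value released that day
        self.audit_log = []           # every decision, for monitoring and periodic review

    def _role_violation(self, user, action):
        role, active = self.users.get(user, (None, False))
        if not active:
            return f"{user}: account inactive or unknown (terminated staff must be removed)"
        if action not in ROLE_PERMISSIONS.get(role, set()):
            return f"{user} holds role '{role}' and may not {action}"
        return None

    def evaluate(self, p, day):
        """Return the list of control violations for payment p on ISO date `day`.

        An empty list means the payment is released and counted against the limits.
        """
        violations = []
        for user, action in ((p.maker, "create"), (p.checker, "verify"), (p.approver, "release")):
            v = self._role_violation(user, action)
            if v:
                violations.append(v)
        # Segregation of duties: three distinct people on every payment.
        if len({p.maker, p.checker, p.approver}) != 3:
            violations.append("maker, checker and approver must be three different users")
        # Threshold checks: per transaction, per operator per day, per day.
        if p.amount > self.limits["max_per_transaction"]:
            violations.append(f"{p.ref}: amount {p.amount} exceeds the per-transaction limit")
        op_total = self.operator_totals.get((day, p.maker), 0) + p.amount
        if op_total > self.limits["max_per_operator_per_day"]:
            violations.append(f"{p.ref}: {p.maker} would exceed the per-operator daily limit")
        day_total = self.day_totals.get(day, 0) + p.amount
        if day_total > self.limits["max_per_day"]:
            violations.append(f"{p.ref}: would exceed the institution's daily limit")
        if not violations:
            self.operator_totals[(day, p.maker)] = op_total
            self.day_totals[day] = day_total
        outcome = "released" if not violations else "blocked"
        self.audit_log.append((day, p.ref, p.approver, outcome, list(violations)))
        return violations


if __name__ == "__main__":
    users = {"alice": ("maker", True), "bob": ("checker", True),
             "carol": ("approver", True), "dave": ("maker", False)}
    controls = PaymentControls(users)
    print(controls.evaluate(Payment("TX-1", 500_000, "alice", "bob", "carol"), "2016-02-04"))
    print(controls.evaluate(Payment("TX-2", 500_000, "alice", "alice", "carol"), "2016-02-04"))
```

The per-operator limit is counted against the maker, since that is the operator who initiates the transaction; a bank may prefer to count it against the approver as well. The point of returning a list rather than raising on the first failure is that the audit log then records every control that fired, which is what a reviewer needs when reconstructing how a fraudulent request was attempted.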
#3- Enhance System Logging and Monitoring
Enhanced system logging of device activity improves the security team's ability to detect malicious
activity. Logs are indispensable in determining how the attacker gained access and moved laterally
within the IT environment.
The following devices and servers are in scope of system monitoring:
1. Firewall logs – acceptances and denials
2. Domain Name System (DNS) server logs
3. Dynamic Host Configuration Protocol (DHCP) logs – map dynamic IP address assignments to hosts
4. Microsoft Windows or other server event audit logs
5. External webmail access logs
6. Internal web proxy logs
7. Virtual private network (VPN) logs
8. Network flow metadata
9. Servers running critical applications
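Collected logs only pay off when someone writes detection logic against them. The following is an added example, not taken from the paper or from any SWIFT product: it runs a few rules over constructed log lines from a payment host, tying together the stages in the Attack Pattern Assessment (a valid logon from a workstation the user never used before, which is how lateral movement with harvested credentials tends to look; the audit log being cleared, which is the cleanup stage) and the timing observed in the heist profile (a high-value request queued outside working hours on the eve of a non-business day). The line format, host and user names, baseline workstation list, business hours, holiday calendar and the high-value threshold are all assumptions; the one real identifier is Windows Security event ID 1102, which Windows records when the audit log is cleared.

```python
import shlex
from datetime import datetime, date, timedelta

# Added example: detection rules over constructed payment-host log lines.
# The "timestamp host event key=value ..." format is invented for this example;
# it is not a real SWIFT Alliance Access or Windows log format.
SAMPLE_LOGS = """\
2016-02-03T10:15:00 swift-saa-01 logon user=ops_maker src=10.20.5.44 result=success
2016-02-03T10:20:00 swift-saa-01 payment_request user=ops_maker amount=15000 ref=TX-0002
2016-02-05T18:35:10 swift-saa-01 logon user=ops_maker src=10.20.9.7 result=success
2016-02-05T18:36:02 swift-saa-01 payment_request user=ops_maker amount=20000000 ref=TX-0001
2016-02-06T01:12:44 swift-saa-01 audit_log_cleared event_id=1102 user=svc_backup msg="The audit log was cleared"
"""

PAYMENT_HOSTS = {"swift-saa-01"}                  # assumed: hosts in the high-risk payment segment
BASELINE_SOURCES = {"ops_maker": {"10.20.5.44"}}  # assumed: workstations each operator normally uses
BUSINESS_HOURS = (8, 18)                          # assumed local working hours, Monday to Friday
HOLIDAYS = {date(2016, 2, 8)}                     # constructed holiday calendar
HIGH_VALUE = 10_000_000                           # assumed high-value threshold


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, host, event, *rest = shlex.split(line)    # shlex keeps the quoted msg= value as one token
    fields = dict(item.split("=", 1) for item in rest)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def is_business_day(d):
    return d.weekday() < 5 and d not in HOLIDAYS


def in_business_hours(ts):
    return is_business_day(ts.date()) and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def analyse(log_text):
    """Return a list of alerts, each a (rule, timestamp, detail) tuple."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["host"] not in PAYMENT_HOSTS:
            continue
        stamp = e["ts"].isoformat()
        # Operator activity outside working hours (lesson #5 item 4, heist profile item 4).
        if e["event"] in ("logon", "payment_request") and not in_business_hours(e["ts"]):
            alerts.append(("off_hours_activity", stamp, f"{e['event']} by {e['user']}"))
        # Lateral movement with harvested credentials: a valid logon from an unfamiliar source.
        if e["event"] == "logon" and e["src"] not in BASELINE_SOURCES.get(e["user"], set()):
            alerts.append(("unknown_logon_source", stamp, f"{e['user']} from {e['src']}"))
        # A large transfer queued on the eve of a weekend or holiday.
        if e["event"] == "payment_request":
            next_day = e["ts"].date() + timedelta(days=1)
            if int(e["amount"]) >= HIGH_VALUE and not is_business_day(next_day):
                alerts.append(("high_value_before_nonbusiness_day", stamp, e["ref"]))
        # Cleanup stage: clearing the audit log on a payment host is never routine.
        if e["event"] == "audit_log_cleared":
            alerts.append(("audit_log_cleared", stamp, f"cleared by {e['user']}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

On the sample above the Wednesday activity produces nothing, the Friday-evening logon from a new workstation and the 20,000,000 request each raise two alerts, and the cleared audit log raises one. The baseline of expected sources per user is what makes the second rule work, which is why the paper's point about retaining extended log data and profiling normal behaviour matters: without history there is no baseline to compare against.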
#4- Maintain an Effective Vulnerability Management Program
A vulnerability management program is an important aspect of continuously monitoring IT assets
for vulnerabilities. Many companies conduct an annual vulnerability assessment but fail to conduct
periodic checks and miss emerging vulnerabilities and threats during the year. Vulnerabilities are
introduced throughout the year due to implementation of new applications or changes to
infrastructure components or simply new vulnerabilities in existing products are discovered requiring
immediate system patches. Management should institute an ongoing vulnerability management
program that looks for vulnerabilities, assigns severities and ensures remediation of these
vulnerabilities in a timely manner. The following are focus areas:
a. External facing websites are known to be a prime attack vector and prone to constant probing
by malicious actors. Many companies have an uncontrolled proliferation of websites and these
websites may not adhere to safe coding standards and may contain vulnerabilities that could
be exploited. It takes only one door to open for a determined attacker to gain access to your
network and IT assets.
b. Email attachments are a prime source of malware deployed on workstations. Luring victims to
click on email attachments is hackers' preferred method of delivering malicious payloads, because
hackers can send out a large number of broadcast emails with various subject lines or inducements
to a victim organization. Organizations must deploy spam filters and be able to scan and quarantine
infected attachments.
c. Website downloads carrying malware are another favorite method of hackers for deploying a
payload. Victims are lured into visiting the website through innocent or legitimate-looking fake
websites. All downloads must go through a web filter to identify malware.
d. Vulnerability assessment of servers and endpoints is a must, since they are the first line of
defense in intrusion detection and prevention. It is important to follow good practices of
configuration and patch management and automated synchronization of the anti-virus database.
An efficient program to assess new patch releases and ensure compliance with a baseline
standard for servers and endpoints is essential for good protection.
#5- Establish a Robust Network Security Plan
Network Security has several aspects which must be incorporated into a cyber security risk plan.
1. Ensure you have full host and network visibility so that you have a complete picture of
everything that is in your environment: specifically, endpoints and network assets. This gives
insight into what needs to be monitored as well as insight into the broader implications of any
security incident.
2. Ensure that the network is segmented into logical segments with different risk profiles. Financial
systems with a higher risk profile may be clustered into one secure network segment that
requires multi-factor authentication and has strict firewall rules and application whitelists.
Ensure that websites that are not critical to core business functions or carry publicly available
data are cordoned off or even hosted in a separate external environment.
3. While deploying IPS and IDS systems it is important to remember that many signature-based
IPS/IDS and anti-virus products cannot identify zero-day and APT malware. You may need to deploy
additional technology that is specially designed for such zero-day and APT detection and
eradication.
4. Ensure 24x7 monitoring of alerts from all your security technology (IPS, IDS, anti-virus, DLP,
SIEM) so that someone is always watching your network alerts even while the rest of the
organization sleeps. Remember that most cyber-attacks are carefully planned for night hours
and weekends to escape or delay detection.
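Segmentation of the kind item 2 describes is easy to state and easy to erode as firewall rules accumulate, so it is worth auditing the rule set against the written policy. The following is an added example written for this paper, not tooling from any vendor: the segment names, risk tiers, ingress policy and the firewall rules are constructed assumptions. The policy says that the payment segment may only be reached from hardened jump hosts with multi-factor authentication, that public websites in the DMZ are cordoned off from the core, and that wildcard rules are never acceptable; the `audit` function reports every rule that breaks it.

```python
# Added example: audit of a constructed firewall rule set against a segmentation
# policy. Segment names, tiers, policy and rules are assumptions for illustration.

# Risk tier per segment: higher means more sensitive; "internet" is untrusted.
SEGMENTS = {
    "internet": 0,
    "web_dmz": 1,   # public websites, cordoned off from core business systems
    "users": 2,     # staff workstations
    "servers": 3,   # general business systems
    "jump": 3,      # hardened jump hosts, the only path into the payment segment
    "payment": 4,   # SWIFT servers and operator workstations
}

# Ingress policy for each segment that can be reached from a lower tier:
# which source segments may initiate connections, and whether MFA is required.
INGRESS_POLICY = {
    "web_dmz": {"allowed_from": {"internet", "users"}, "mfa": False},
    "servers": {"allowed_from": {"users", "jump"}, "mfa": False},
    "jump":    {"allowed_from": {"users"}, "mfa": True},
    "payment": {"allowed_from": {"jump"}, "mfa": True},
}

# Constructed rule set; "mfa" records whether the path enforces multi-factor authentication.
RULES = [
    {"id": 1, "src": "internet", "dst": "web_dmz", "port": 443,   "mfa": False},
    {"id": 2, "src": "users",    "dst": "servers", "port": 445,   "mfa": False},
    {"id": 3, "src": "jump",     "dst": "payment", "port": 3389,  "mfa": True},
    {"id": 4, "src": "users",    "dst": "payment", "port": 3389,  "mfa": False},  # bypasses the jump hosts
    {"id": 5, "src": "web_dmz",  "dst": "servers", "port": 1433,  "mfa": False},  # DMZ reaching the core
    {"id": 6, "src": "internet", "dst": "any",     "port": "any", "mfa": False},  # wildcard
    {"id": 7, "src": "users",    "dst": "jump",    "port": 22,    "mfa": True},
]


def audit(rules, segments=SEGMENTS, policy=INGRESS_POLICY):
    """Return a list of findings, one per policy check that a rule fails."""
    findings = []
    for r in rules:
        tag = f"rule {r['id']} ({r['src']} -> {r['dst']}:{r['port']})"
        if "any" in (r["src"], r["dst"]):
            findings.append(f"{tag}: wildcard source or destination defeats segmentation")
            continue
        if r["src"] not in segments or r["dst"] not in segments:
            findings.append(f"{tag}: references a segment that is not in the inventory")
            continue
        # Only traffic climbing to a more sensitive tier is governed by the ingress policy.
        if segments[r["dst"]] <= segments[r["src"]]:
            continue
        rule_policy = policy.get(r["dst"])
        if rule_policy is None:
            findings.append(f"{tag}: no ingress policy is defined for segment {r['dst']}")
            continue
        if r["src"] not in rule_policy["allowed_from"]:
            allowed = ", ".join(sorted(rule_policy["allowed_from"]))
            findings.append(f"{tag}: {r['src']} may not reach {r['dst']} (allowed: {allowed})")
        if rule_policy["mfa"] and not r["mfa"]:
            findings.append(f"{tag}: multi-factor authentication is required to enter {r['dst']}")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Run against the constructed rule set, the audit reports rule 4 twice (wrong source segment and missing MFA), rule 5 once and rule 6 once, while rules 1, 2, 3 and 7 pass. The first step in practice is item 1 of this lesson: the segment inventory has to be complete, because a host that is not mapped to a segment cannot be checked at all, which is why the example treats an unknown segment as a finding rather than skipping it.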
#6 – Develop an Incident Response Plan
Prepare for an incident by clearly defining roles and responsibilities during the incident response to
avoid chaos and confusion during the early stages of a security incident. Having clearly defined roles
and responsibilities for those involved in incident response minimizes confusion, prevents duplication
of work, and avoids critical gaps in the response. Preventive activities based on the results of risk
assessments can lower the number of incidents, but not all incidents can be prevented. An incident
response capability is therefore necessary for rapidly detecting incidents, minimizing loss and
destruction, mitigating the weaknesses that were exploited, and restoring IT services. Key elements of
an Incident Response Plan include:
Preparation – Incident response methodologies typically emphasize preparation in establishing an
incident response capability. This includes incident communication and facilities (contact lists, on-
call lists, escalation procedures, issue tracking systems), digital forensic workstations, network analysis
resources (port lists, network diagrams, asset lists, cryptographic hashes of critical files etc.) and incident
mitigation resources (clean OS and golden copies for restoring OS, server images etc.). Lack of
preparation and an active Incident Response Plan will hamper your efforts to manage the incident and the fallout of the
security incident.
Detection & Analysis – Detection includes identification of common attack vectors (web,
email, impersonation, phishing, removable media, brute force attacks, social engineering attacks and
loss of equipment). For many organizations, the most challenging part of the incident response
process is accurately detecting and assessing possible incidents—determining whether an incident
has occurred and, if so, the type, extent, and magnitude of the problem. Signs of an incident fall into
one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in
the future. An indicator is a sign that an incident may have occurred or may be occurring now.
Detection is typically from alerts (IDS, IPS, SIEMs, anti-virus, 3rd-party monitoring service), logs
(OS, server logs, network device logs, network flows) or anomalies noticed by people (users noticing
abnormal transactions or access, system administrators noticing logins, and reports from external sources).
Analysis is often complicated because indicators may be false positives and need to be reviewed
carefully against normal behavior. Analysis is typically aided by profiling of expected network activity,
retention of extended log data, event correlation and external source data.
Incident Notification - When an incident is analyzed and prioritized, the incident response team
needs to notify the appropriate individuals so that all who need to be involved will play their roles.
Incident response policies should include provisions concerning incident reporting—at a minimum,
what must be reported to whom and at what times (e.g., initial notification, regular status updates).
The exact reporting requirements vary among organizations, but parties that are typically notified
include:
1. CIO, Head of information security, management (i.e. CISO) and the Board
2. Other incident response teams within the organization, external incident response teams
(if appropriate)
3. Business owners and Human resources (for cases involving insider threats)
4. Public affairs (for incidents that may generate publicity)
5. Legal department (for incidents with potential legal ramifications)
6. Country level reporting requirement for security incident and law enforcement (if
appropriate)
Containment, Eradication and Recovery - Containment is important before an incident
overwhelms resources or increases damage. Containment provides time for developing a tailored
remediation strategy. An essential part of containment is decision-making (e.g., shut down a system,
disconnect it from a network, disable certain functions). Such decisions are much easier to make if
there are predetermined strategies and procedures for containing the incident. Organizations should
define acceptable risks in dealing with incidents and develop strategies accordingly.
#7 – Maintain Adequate Levels of Cyber Insurance
Cyber insurance is a means of protecting against the effect of catastrophic cyber-crimes or liability due
to a major attack and transferring some risk to an insurance company. Companies should conduct a
periodic analysis of the adequacy of the cyber insurance coverage provided in connection with the
firm’s risk assessment process to determine if the policy and its coverage align with the firm’s risk
acceptance and ability to bear losses.
#8 – Establish a Vendor Risk Management Program
Vendor risk management is a process to support
firms in managing cyber security risk that can arise
across the lifecycle of vendor relationships, using a
risk-based approach. Effective practices to manage
vendor risk include:
• performing due diligence on existing and
prospective external outsourced service providers;
• establishing contractual terms appropriate to
the sensitivity of information and systems to which
the vendor may have access, and which govern both
the ongoing relationship with the vendor and the
vendor's obligations after the relationship ends; and
• ongoing monitoring of the vendor to ensure
compliance with contractual terms.
#9- Implement a Security Awareness Program
Implement a security awareness training that is mandatory for all staff. Effective practices for
cybersecurity training include:
• Defining cybersecurity training needs
• Identifying appropriate cybersecurity training update cycles
• Mandatory security awareness training program using a standard computer-based training
module with progress monitoring
• Information security training for IT staff including safe coding standards
• Information security training for business staff to ensure any information system acquired
or modified is reviewed through the prism of information security
• Occasional security ‘tips & tricks’ communications
• Periodic social engineering tests through phishing and physical security tests
#10 – Maintain Strong SWIFT Security Controls
SWIFT security is an integral part of a secure payment system. If you use SWIFT Alliance Access
(SAA) for your payment system then it is your responsibility to ensure that the SWIFT servers,
workstations and network access meet SWIFT security guidelines and are protected from
sophisticated and targeted attacks. It is noted that recent attacks at a Central Bank bore the signatures
of similar attacks at other banks. These hackers have figured out the weakness in the model and are
able to attack poorly protected SWIFT environments, many of them in developing countries, where
cyber security has not been a priority.
SWIFT builds on security practices established by the customer itself and therefore it is imperative
that, in the wake of the central bank attack, customers using SWIFT Alliance Access (SAA)
strengthen their cyber security posture and conduct an independent health check of payment
systems to prevent similar attacks. The SWIFT organization provides security guidelines, but essentially
you are on your own to ensure the security of these critical systems.
For more information and to download the SWIFT CSP framework, please visit the following:
SWIFT CSP Website
https://www.swift.com/myswift/customer-security-programme-csp
Why Select World Informatix Cyber Security?
✓ Official SWIFT partner (#2162549) and certified provider of SWIFT security
reviews and CSP attestation.
✓ Special focus on SWIFT/Payment System health check service.
✓ Provider of cyber security services for Cloud & Mobile applications.
✓ Unique vantage point - leading incident response & remediation for the largest
cyber-crime in history.
✓ Full understanding of attack pattern and malware seen in multiple large scale
global heists.
US Company Founded in 2012
A Trusted Global Company
Key Clients include:
❖ Central Bank of Bangladesh
❖ Central Bank of Yemen
❖ Central Bank of Trinidad & Tobago
❖ Central Bank of Nigeria.
❖ United Nations:
o International Fund for Agricultural Development (IFAD)
o Food and Agriculture Organization (FAO)
o World Food Programme (WFP)
❖ Mass Mutual Fund, USA
Rakesh Asthana (Ash)
Managing Director & CEO, World Informatix Cyber Security
(Former Director IT, Office of Information Security, World Bank)
World Informatix Cyber Security
1552 SE Ballantrae Ct., Port St. Lucie, FL, 34952, USA
Email: [email protected]
Website: www.worldinformatixCS.com
Office: +1-703-635-2794
Mobile: +1-703-501-1199