FFIEC Issues Extortion Attack AlertExperts Asssess Regulators' Call for Risk Mitigation
The Federal Financial Institutions Examination Council has issued an alert calling on financial institutions to take specific risk mitigation steps in light of an increase in the frequency and severity of cyberattacks involving extortion.
Fraud experts say the FFIEC statement, issued Nov. 3, likely was prompted by recent news reports of distributed denial-of-service attacks tied to extortion, such as those by the group known as DD4BC (see DDoS for Extortion: How to Fight Back). They also note that ransomware attacks have been on the rise. And they urge banks to take heed of the risk mitigation recommendations contained in the statement.
"One can only assume that there must have been a sufficient or worrisome number of unpublished incidents that FFIEC felt compelled them to notify financial institutions of the risk," says a risk management expert at a large East Coast bank, who asked not to be identified. "This message is aimed at the board, not the security professionals who are well aware of this risk."
Valerie Abend, senior critical infrastructure officer at the Office of the Comptroller of the Currency, an FFIEC member agency, tells Information Security Media Group: "The FFIEC member agencies issued the joint statement to increase awareness among its institutions on the trend of cyberattacks involving extortion. The FFIEC member agencies update guidance and examination processes to address evolving cybersecurity risks and threats, and statements are issued to provide industry with the most current risk management and control expectations."
Abend declined to say if any specific incidents prompted the statement or whether the FFIEC plans to issue more formal guidance on mitigating the risk of these cyberattacks.
"Financial institutions should develop programs to ensure the institutions are able to identify, protect, detect, respond to and recover from these types of attacks," the FFIEC statement notes. "Cyber criminals and activists use a variety of tactics, such as ransomware, denial-of-service [attacks] and theft of sensitive business and customer information to extort payment or other concessions from victims. In some cases, these attacks have caused significant impacts on businesses' access to data and ability to provide services. Other businesses have incurred serious damage through the release of sensitive information."
The FFIEC recommends that banks take the following steps:
- Conduct ongoing information security risk assessments;
- Securely configure systems and services;
- Protect against unauthorized access;
- Perform security monitoring, prevention and risk mitigation;
- Update information security awareness and training programs, as necessary, to include cyberattacks involving extortion;
- Implement and regularly test controls around critical systems;
- Review, update and test incident response and business continuity plans periodically;
- Participate in industry information-sharing forums.
Roland Dobbins of Arbor Networks' security engineering and response team says the FFIEC's statement could cause confusion because it calls attention to DDOS attacks tied to extortion, as well as the growing use of ransomware, such as Cryptolocker. "This may be confusing to some, as these are quite different scenarios," he says.
Earlier this year, Avivah Litan, a financial fraud expert who's an analyst at the consultancy Gartner, predicted that extortion would be the biggest cybersecurity trend facing banks in 2015 (see Gartner's Litan: Top New Threats to Banks). Commenting on FFIEC's alert, she notes: "It's really not news to financial institutions, but it's news to the public and a sign of how bad things have gotten."
But Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says the timing of the announcement makes sense, given the Angler and Nuclear zero-day malware exploit kits now in widespread use. "I was at the [Oct. 25-28] FS-ISAC Fall Summit, and I think the presentations woke up regulators," he says.
Cause for Concern
Banks need to be worried about the rise in extortion-related attacks because cyber criminals typically install malware throughout a network before making it operational, fraud experts say. These exploits often hang around and are difficult to get rid of because they are so hard to pinpoint, Litan notes.
And the damage can go well beyond the initial incursion, Kellermann says. Paying a ransom is foolish, he argues, because it does not guarantee that the hackers who perpetrated the crime have left a bank's network or will quit doing damage.
"Secondary infections are the biggest problem," he says. "Hackers can get into your website and use your Web pages as 'watering holes' to distribute cryptoware that can infect others who use and trust your website."
The FFIEC's latest statement illustrates its shift from a reactive to a proactive stance on fighting cybercrime, Litan argues.
"They're moving forward in the right direction," she says. "FFIEC is providing a framework that helps banks assess the maturity and efficacy of their risk mitigation plans."
In addition to the steps the FFIEC recommends, Litan urges financial institutions to leverage technologies based on machine learning to improve detection of attacks.
"Although it's hard to turn those big ships around, you want to make sure your organization stays agile enough to act proactively. Don't be a sitting duck," she says. "And of course, it's important to educate your employees and customers. People are your best first line of defense because social engineering almost always is used to initially penetrate the network and get malware in."
Kellerman recommends updating endpoint security solutions with the latest capabilities that halt lateral movement of malware that could infect other parts of a network.
Most banks will now be looking at their desktop hygiene, file server security and anti-phishing awareness campaigns "to make sure they are doing all they can," the risk management expert at the East Coast bank says. The expert recommends that banks monitor actions of third-party vendors and consider new contract clauses related to liability for the impact of malware.
"Ransomware leverages systems that aren't patched and other vulnerabilities," says Richard Stiennon, principal at TrueBit CyberPartners and author of There Will Be Cyberwar. "Storage backup and disaster recovery is a tried and true technology, and these latest exploits should be a wake-up call to do exactly that."
The risk management expert at the East Coast bank echoes Stiennon's recommendations. "Planning for a potential incident should also prompt [banks] to reconsider backup/restore capabilities, with offline storage, especially for critical file shares."