Banking Compliance, Risk, and Regulatory Requirements: Playbook for the Attacker

Mike Morris, CTO, root9B

The multitude of compliance, risk, and regulatory requirements for financial institutions continues to increase – leading to additional costs and complexities. Because of these costs, complexities, and often times organizational structure, it is extremely difficult to satisfy business operations, new security initiatives, and regulatory requirements. As a result, financial institutions, and organizations maintaining financial information, often limit their focus to satisfying regulatory compliance. Recent events would suggest that the corporate structure is turning to security through legally driven cybersecurity adherence, e.g. PCI Compliance.

While any security process that can be used as a baseline for industries to harden networks against attackers would provide value, we must be honest with ourselves and realize that using regulatory compliance as the sole approach to cybersecurity is not working. This has been made abundantly clear by the numerous media reports of recent cyber events and breaches. The damage caused by these events affects not just the banking and financial industry but every business sector.

Meanwhile, at the time of the breach these victims have adhered to the regulatory requirements and implemented industry accepted best standards. These efforts have had no impact on the adversary’s ability to successfully breach targeted networks. As a result, many organizations remain compromised in excess of 140 days before recognizing the network breach. This sobering metric is a testament to the challenges passive security technologies face against a human adversary.

​  Organizations need to understand that cybersecurity risks have to be considered, evaluated and addressed at the earliest stages of the process  

Don’t misunderstand this position as slander against the victims. Given the current landscape of targeted network breaches, cyber victims are not necessarily negligent or unsophisticated. In most cases, victims adhere to all compliance, regulatory, and industry standard practices. While these security measures are important, they are inadequate, especially when pitted against a patient, well-resourced Advanced Persistent Threat (APT) whose sophisticated techniques far outpace standard automated solutions. The issue is less about the organization’s cyber investment, capability, or security infrastructure than it is about the current practices used for their cyber defense. Security is being implemented as an after-thought to business strategies, whereas companies should recognize that cybersecurity is a governance and risk issue, not just an IT issue. Implementation of a comprehensive cybersecurity program at the C-Suite and board level is a necessity and must be integrated across the entire business.

To date, organizations have positioned security teams to rely on traditional passive technologies and automation. The current state of today’s cybersecurity programs reflects the learned best practices developed through dealing with antiquated attack tools and techniques. Those responsible for cybersecurity have developed these best practices to try to deal with the ever-changing panoply of network worms, viruses, and malicious code. These solutions are necessary to deal with some of these attack tools and techniques, but are not sufficient when facing an actively engaged adversary targeting a network with motive and purpose.

The current cybersecurity play-book is an inherently passive model. It is passive in that it relies on static hardening of the organizations’ infrastructure and deployment of monitoring sensors around its network boundary to detect malicious activity and intent. These security sensors are configured to identify known artifacts or other predefined adversary indicators. Guidance on how to implement this cybersecurity structure abounds. Current cybersecurity best practices guide cybersecurity professionals on how to harden their infrastructure and what their passive technologies should monitor. A broad assortment of organizations, industry forums, and even security vendors publish supplemental cybersecurity standards and best practices. However, all of the best practices contain essentially the same three elements: reducing the organization’s attack surface, identification and neutralization of malicious code, and the detection of anomalous behavior.

The reality is that defensive postures have been predominantly focused on the newest security hardware and software that best satisfies the regulatory compliance. Unfortunately, these published standards and practices also provide the adversary with a play-book of what they can expect from their target network. Through experience, the adversary also has a reasonable expectation that it will not face an active human defender in a network filled with automated technologies, published standards, antiquated best practices, and compliance requirements. They know that if they breach the network’s boundary, they will most likely have freedom of movement within the victim’s uncontested network interior.

A static security posture will always lag behind an active attacker in processing situational information. It is inevitable. As the cyber attacker adapts in real- or near real-time to the tools, techniques, and procedures employed by static security measures, the attacker will always prevail. The only effective counter to a skilled, thinking, active attacker is a well-informed, thinking active cyber defender who stands in opposition to the adversary’s malicious activities. A defensive strategy that incorporates an active cyber defender to proactively hunt for, and preemptively engage the adversary within the organization’s proprietary network is needed to counter the evolving cyber threat. This trained and equipped defender must serve as the centerpiece of the organization’s cyber defense strategy. This approach – Manned Information Security or HUNT – pits an active, thinking defender against an active, thinking attacker.

This requires a significant shift in current cybersecurity requirements, protocols, and approach. Having regulatory requirements that are focused on ensuring a minimum-level of security is not a sufficient mechanism to deter an active adversary. While it holds organizations accountable to a minimum-level of applied security, it does not ensure a secure network. It also does not achieve the desired effect of deterrence. Our Nation and its regulatory leadership must recognize that both current and new cyber policy will not protect companies, shareholders, depositories, or critical infrastructure. We must change our approach. There must be a defense-in-depth strategy that integrates passive security applications and automated technologies, with active cyber defense, focused threat intelligence, and adversary pursuit (HUNT). This approach brings the human defender back to the center of cyber defense while leveraging advanced technology to meet and defeat the human adversary.

In summary, relying on passive assessments, compliance, regulation and industry best practice as an implementation for security and safety of the network is not sufficient. The adversary understands these same requirements and will use them as a playbook to compromise the network. The adversary understands that organizations are more focused on execution of business strategies and therefore will only meet the minimum regulatory standards to secure their network. Organizations need to understand that cybersecurity risks have to be considered, evaluated and addressed at the earliest stages of the process. This model must ensure it takes into account business-context driven threats, active adversary pursuit and the vulnerabilities or weaknesses that currently exist.