Banking Compliance, Risk, and Regulatory Requirements: Playbook for the Attacker
The multitude of compliance, risk, and regulatory requirements for financial institutions continues to increase, leading to additional costs and complexities. Because of these costs, complexities, and often the organizational structure itself, it is extremely difficult to satisfy business operations, new security initiatives, and regulatory requirements at the same time. As a result, financial institutions, and organizations maintaining financial information, often limit their focus to satisfying regulatory compliance. Recent events suggest that corporate structures are turning to security through legally driven cybersecurity adherence, e.g. PCI compliance.
While any security process that can be used as a baseline for industries to harden networks against attackers provides value, we must be honest with ourselves and recognize that using regulatory compliance as the sole approach to cybersecurity is not working. This has been made abundantly clear by the numerous media reports of recent cyber events and breaches. The damage caused by these events affects not just the banking and financial industry but every business sector.
Meanwhile, at the time of the breach these victims had adhered to the regulatory requirements and implemented industry-accepted best standards. These efforts had no impact on the adversary's ability to successfully breach targeted networks. As a result, many organizations remain compromised for more than 140 days before recognizing the network breach. This sobering metric is a testament to the challenges passive security technologies face against a human adversary.
Don't misunderstand this position as slander against the victims. Given the current landscape of targeted network breaches, cyber victims are not necessarily negligent or unsophisticated. In most cases, victims adhere to all compliance, regulatory, and industry standard practices. While these security measures are important, they are inadequate, especially when pitted against a patient, well-resourced Advanced Persistent Threat (APT) whose sophisticated techniques far outpace standard automated solutions. The issue is less about the organization's cyber investment, capability, or security infrastructure than it is about the current practices used for its cyber defense. Security is being implemented as an afterthought to business strategies, whereas companies should recognize that cybersecurity is a governance and risk issue, not just an IT issue. Implementation of a comprehensive cybersecurity program at the C-suite and board level is a necessity and must be integrated across the entire business.
To date, organizations have positioned security teams to rely on traditional passive technologies and automation. The current state of today's cybersecurity programs reflects the learned best practices developed through dealing with antiquated attack tools and techniques. Those responsible for cybersecurity have developed these best practices to try to deal with the ever-changing panoply of network worms, viruses, and malicious code. These solutions are necessary to deal with some of these attack tools and techniques, but are not sufficient when facing an actively engaged adversary targeting a network with motive and purpose.
The current cybersecurity playbook is an inherently passive model. It is passive in that it relies on static hardening of the organization's infrastructure and deployment of monitoring sensors around its network boundary to detect malicious activity and intent. These security sensors are configured to identify known artifacts or other predefined adversary indicators. Guidance on how to implement this cybersecurity structure abounds. Current cybersecurity best practices guide cybersecurity professionals on how to harden their infrastructure and what their passive technologies should monitor. A broad assortment of organizations, industry forums, and even security vendors publish supplemental cybersecurity standards and best practices. However, all of the best practices contain essentially the same three elements: reducing the organization's attack surface, identification and neutralization of malicious code, and the detection of anomalous behavior.
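To make the second and third of those elements concrete, here is an added example, written for this page and not code from the article or from any product it refers to, that runs both over constructed log lines: matching known artifacts or predefined indicators, and flagging anomalous behavior against a baseline of who normally logs on where. Every hash, domain, host and account name in it is a constructed placeholder. The renamed tool on ws-02 carries a hash that appears on no indicator list and so passes the indicator check untouched, which is exactly why a published indicator set reads as a playbook to the adversary; the baseline comparison, the kind of question a hunt analyst asks of the network interior, still surfaces the account that suddenly logs on to hosts it has never used.

```python
"""Added example (not from the article): indicator matching versus a
baseline-driven behavioral check over constructed key=value log lines."""
import re
from collections import defaultdict

# Hypothetical indicator set. The values are constructed placeholders, not real IoCs.
KNOWN_BAD_HASHES = {"bad0000000000001"}
KNOWN_BAD_DOMAINS = {"c2.invalid"}

# Constructed log lines. Day 1 establishes the baseline of which accounts
# log on to which hosts; day 2 is the activity under review.
BASELINE_LOGS = [
    "ts=2024-01-01T08:01 host=ws-01 user=alice event=logon",
    "ts=2024-01-01T08:02 host=ws-02 user=bob event=logon",
    "ts=2024-01-01T08:05 host=fs-01 user=alice event=logon",
    "ts=2024-01-01T09:00 host=fs-01 user=svc_backup event=logon",
]
REVIEW_LOGS = [
    "ts=2024-01-02T08:00 host=ws-01 user=alice event=logon",
    "ts=2024-01-02T08:03 host=ws-01 user=alice event=process hash=0f1e2d3c4b5a6978 name=outlook.exe",
    "ts=2024-01-02T10:15 host=ws-02 user=bob event=dns domain=c2.invalid",
    "ts=2024-01-02T10:16 host=ws-02 user=bob event=process hash=bad0000000000001 name=dropper.exe",
    # A renamed tool with a fresh hash: no predefined indicator matches it.
    "ts=2024-01-02T11:00 host=ws-02 user=svc_backup event=process hash=feedfacecafe0001 name=svchost.exe",
    "ts=2024-01-02T11:02 host=ws-03 user=svc_backup event=logon",
    "ts=2024-01-02T11:04 host=ws-04 user=svc_backup event=logon",
    "ts=2024-01-02T11:06 host=db-01 user=svc_backup event=logon",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(KV.findall(line))


def match_indicators(lines):
    """Passive element: flag events that carry a known artifact (hash or domain)."""
    hits = []
    for ev in map(parse, lines):
        if ev.get("hash") in KNOWN_BAD_HASHES or ev.get("domain") in KNOWN_BAD_DOMAINS:
            hits.append(ev)
    return hits


def build_baseline(lines):
    """Record which hosts each account has historically logged on to."""
    seen = defaultdict(set)
    for ev in map(parse, lines):
        if ev.get("event") == "logon":
            seen[ev["user"]].add(ev["host"])
    return seen


def find_anomalous_logons(lines, baseline, new_host_threshold=2):
    """Behavioral element: accounts that log on to at least `new_host_threshold`
    hosts absent from their baseline. Returns {user: sorted list of new hosts}."""
    new_hosts = defaultdict(set)
    for ev in map(parse, lines):
        if ev.get("event") == "logon" and ev["host"] not in baseline.get(ev["user"], set()):
            new_hosts[ev["user"]].add(ev["host"])
    return {u: sorted(h) for u, h in new_hosts.items() if len(h) >= new_host_threshold}


if __name__ == "__main__":
    for hit in match_indicators(REVIEW_LOGS):
        print("indicator hit:", hit)
    baseline = build_baseline(BASELINE_LOGS)
    for user, hosts in find_anomalous_logons(REVIEW_LOGS, baseline).items():
        print("anomalous logons:", user, hosts)
```

Run as a script, the indicator pass reports only the two events whose hash or domain is already on the list, and stays silent on the renamed tool; the baseline pass reports svc_backup reaching ws-03, ws-04 and db-01, none of which it touched on day 1. The threshold is the knob a defender tunes: set too high, lateral movement across a couple of hosts goes unremarked; set to one, every first logon to a new host becomes a lead for a human to triage.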
The reality is that defensive postures have been predominantly focused on the newest security hardware and software that best satisfies regulatory compliance. Unfortunately, these published standards and practices also provide the adversary with a playbook of what to expect from the target network. Through experience, the adversary also has a reasonable expectation that it will not face an active human defender in a network filled with automated technologies, published standards, antiquated best practices, and compliance requirements. They know that if they breach the network's boundary, they will most likely have freedom of movement within the victim's uncontested network interior.
A static security posture will always lag behind an active attacker in processing situational information. It is inevitable. As the cyber attacker adapts in real- or near real-time to the tools, techniques, and procedures employed by static security measures, the attacker will always prevail. The only effective counter to a skilled, thinking, active attacker is a well-informed, thinking, active cyber defender who stands in opposition to the adversary's malicious activities. A defensive strategy that incorporates an active cyber defender to proactively hunt for, and preemptively engage, the adversary within the organization's proprietary network is needed to counter the evolving cyber threat. This trained and equipped defender must serve as the centerpiece of the organization's cyber defense strategy. This approach, Manned Information Security or HUNT, pits an active, thinking defender against an active, thinking attacker.
This requires a significant shift in current cybersecurity requirements, protocols, and approach. Having regulatory requirements that are focused on ensuring a minimum level of security is not a sufficient mechanism to deter an active adversary. While it holds organizations accountable to a minimum level of applied security, it does not ensure a secure network. It also does not achieve the desired effect of deterrence. Our Nation and its regulatory leadership must recognize that both current and new cyber policy will not protect companies, shareholders, depositories, or critical infrastructure. We must change our approach. There must be a defense-in-depth strategy that integrates passive security applications and automated technologies with active cyber defense, focused threat intelligence, and adversary pursuit (HUNT). This approach brings the human defender back to the center of cyber defense while leveraging advanced technology to meet and defeat the human adversary.
In summary, relying on passive assessments, compliance, regulation and industry best practice as an implementation for security and safety of the network is not sufficient. The adversary understands these same requirements and will use them as a playbook to compromise the network. The adversary understands that organizations are more focused on execution of business strategies and therefore will only meet the minimum regulatory standards to secure their network. Organizations need to understand that cybersecurity risks have to be considered, evaluated and addressed at the earliest stages of the process. This model must ensure it takes into account business-context-driven threats, active adversary pursuit and the vulnerabilities or weaknesses that currently exist.