Vectra finds increase in hidden tunnel cyberattacks against financial services firms

A new report from Vectra finds financial services organizations worldwide are facing more and more cyberattacks by sophisticated hackers who use hidden tunnels to burrow into corporate networks and remotely siphon off valuable data. Vectra’s 2018 Spotlight Report “Could an Equifax-sized data breach happen again?” charts a rise in security breaches across industries, including financial services, despite the fact that firms are spending heavily on cybersecurity.

For six months, Vectra’s Cognito cyberattack-detection platform collected metadata covering millions of individual devices in addition to cloud workloads from data center and enterprise environments. The Vectra study found hackers are continuing to pursue weaknesses that led to the Equifax data breach last year.

Financial services firms were at a significantly higher risk of facing hidden command-and-control tunnels than all other industries combined, with more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services as other industries. For every 10,000 devices in a financial services firm, Vectra found 23 tunnels masquerading as encrypted web traffic.

Upon the release of the report, SmartBrief caught up with Chris Morales, head of security analytics at Vectra, to learn more about what the findings mean for financial services firms:

Why are there so many more hidden tunnels at financial services firms than in other industries?

Tunnels are used to create a network link between an internal system and an external host when network connectivity is restricted due to the use of firewalls, network address translation and strict access control. These are all technologies highly adopted inside financial institutions who enforce strict control on the movement of data applications inside and outside of the organization. Tunnels provide a method for which applications can communicate and by which data can be transferred unhindered in these controlled environments.

Tunneling can also allow communication using a protocol that normally wouldn’t be supported on the restricted network. Hidden tunnels are difficult to detect because communications are concealed within multiple connections that use normal, commonly allowed protocols. For example, communications can be embedded as text in HTTP-GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among messages within the allowed protocol.

Why are there fewer suspicious HTTP command-and-control communications in financial services?

Suspicious HTTP occurs when software on an internal host is initiating one or more unapproved web requests to a malicious web domain, which form a pattern typically observed in command and control communications to a bad actor.

Financial services companies generally have strong security access controls and network perimeter monitoring capabilities able to detect suspicious HTTP communication, such as firewalls with IP reputation lists of known bad websites and perimeter sandbox technology looking for malicious communication in and out of the organization based on previously seen malware. Most of this suspicious communication is blocked at the perimeter. These technologies will not catch every suspicious connection, but they do significantly reduce the total volume of malicious connections.

From a lessons-learned perspective, the Equifax breach seems to be the gift that keeps on giving for cybersecurity professionals. What do you think was the biggest lesson-learned?

The biggest lesson is that despite best efforts to prevent attacks, attackers are still able to successfully infiltrate networks. It is important to detect and respond to attacks when they do happen, before they cause damage. Detecting attacks as they occur requires the ability to monitor the entire attack lifecycle after the initial infection, including command and control, reconnaissance, lateral movement, and data exfiltration attacker behaviors.

Hidden tunnels are present across all financial industry customers we sampled as these hidden tunnels are used by legitimate applications in day to day business. These applications need to be well understood and mapped out by the organization. If legitimate applications are able to bypass enterprise firewalls, then it is very easy for an attacker to do the same and to hide that attack in normal traffic to avoid detection. Financial institutions should map out the use of applications and how those work. Organizations should also monitor their encrypted traffic (as well as unencrypted traffic) to identify the misuse of traffic by malicious actors and the presence of hidden tunnels.