2022 is shaping up to be a tough year for Chief Information Security Officers (CISOs) at UK financial services firms.  User and device sprawl brought on by changing working practices during the pandemic is still very much an issue for security teams, and the return to office working has made it more challenging still.  Many firms are yet to establish exactly what their long-term hybrid working culture will look like, and CISOs face the herculean task of mitigating cybersecurity risks in an increasingly complex IT environment.  As if that were not challenging enough for CISOs leading the charge in financial services, the prospect of what can only be described as a ‘cyberwar’ over Ukraine is significantly elevating threat levels in the industry.

Indeed, a joint advisory published by cybersecurity authorities in the United States, United Kingdom and Australia, recently warned of an ‘increase in sophisticated high-impact ransomware incidents’, and encouraged business leadership teams to take steps to increase resilience to attacks.  The joint advisory states that the UK’s National Cyber Security Centre (NCSC) recognises ransomware as the biggest cyber threat facing the United Kingdom.  

The UK’s financial regulator has also officially warned large banks and other financial services organisations with operations in the UK over the heightened risk of Russian-sponsored cyber-attacks.  The Financial Conduct Authority (FCA) warned that financial services firms were a potential target for retaliatory attacks, should an invasion of Ukraine lead to sanctions being placed on Russian organisations.  The European Central Bank issued a similar warning in the face of ‘the potential worsening of global tensions’.

Assessing the Ransomware Threat to UK Financial Services

The ‘technical details’ section of the joint US, UK and Australian advisory – “2021 Trends Show Increased Globalised Threat of Ransomware” – describes specific behaviours and trends the combined cybersecurity authorities observed among cyber criminals in 2021. Any CISO operating in the financial services sector should consider these observations carefully, to identify how mature their organisation is in mitigating these threats and where there may be gaps in its security posture.

Top of the list – and likely of no surprise to any CISO – are the most frequently observed initial access vectors for ransomware incidents: phishing emails, stolen Remote Desktop Protocol (RDP) credentials, brute-force attacks and exploitation of vulnerabilities. The statement also points out that continued hybrid working practices and an expanded attack surface mean these vectors are likely to remain popular with threat actors.  With location still a fluid notion in many organisations, CISOs should focus on compiling an in-depth and continuously maintained view of their IT estate.  For security controls to be applied effectively across an organisation, assets must first be identified and located; an internet-exposed RDP service that nobody knew about is precisely the kind of asset such an inventory exists to find.  At the same time, employee awareness and education are critical.  The threat of cyber-attack should be front of mind for every employee across the organisation.
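Stolen RDP credentials and brute-force attacks, two of the vectors named above, leave a recognisable trace in the Windows Security log: a burst of failed RemoteInteractive logons (EventID 4625, LogonType 10) from one source, often across several accounts, followed by a success (EventID 4624) when a credential finally works. The detection below is an added example written for this article, not code from the original page or from the advisory. It takes events as plain dictionaries with the fields a SIEM would normally extract; the sample events, the five-failures-in-five-minutes threshold and the three-account spray heuristic are constructed assumptions to be tuned per estate.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security events.

Added example for this article, not code from the original page or the advisory.
Events are plain dicts carrying the fields a SIEM normally extracts from the
Windows Security log: EventID 4625 (failed logon) or 4624 (successful logon),
LogonType 10 (RemoteInteractive, i.e. RDP), source IP, target account and time.
The sample events and the thresholds are constructed assumptions to tune per estate.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5             # failures from one source inside WINDOW (assumption)
WINDOW = timedelta(minutes=5)
SPRAY_USERS = 3                # distinct accounts tried => password spray (assumption)


def ev(time, event_id, ip, user, logon_type=RDP_LOGON_TYPE):
    """Build one constructed Security-log event."""
    return {"time": time, "event_id": event_id, "ip": ip,
            "user": user, "logon_type": logon_type}


# Constructed sample: one attacker spraying four accounts then succeeding,
# one legitimate user mistyping twice, one slow source below the rate threshold,
# and network (type 3) failures that are out of scope for an RDP rule.
SAMPLE_EVENTS = [
    ev("2022-03-01T02:00:10", 4625, "203.0.113.45", "administrator"),
    ev("2022-03-01T02:00:25", 4625, "203.0.113.45", "administrator"),
    ev("2022-03-01T02:00:41", 4625, "203.0.113.45", "backup"),
    ev("2022-03-01T02:01:03", 4625, "203.0.113.45", "test"),
    ev("2022-03-01T02:01:20", 4625, "203.0.113.45", "svc_backup"),
    ev("2022-03-01T02:01:44", 4625, "203.0.113.45", "svc_backup"),
    ev("2022-03-01T02:02:30", 4624, "203.0.113.45", "svc_backup"),
    ev("2022-03-01T08:15:00", 4625, "10.0.0.5", "jsmith"),
    ev("2022-03-01T08:15:20", 4625, "10.0.0.5", "jsmith"),
    ev("2022-03-01T08:15:40", 4624, "10.0.0.5", "jsmith"),
    ev("2022-03-01T03:00:00", 4625, "198.51.100.7", "admin"),
    ev("2022-03-01T03:00:30", 4625, "198.51.100.7", "admin"),
    ev("2022-03-01T03:01:00", 4625, "198.51.100.7", "admin"),
    ev("2022-03-01T04:00:00", 4625, "198.51.100.7", "admin"),
    ev("2022-03-01T04:00:30", 4625, "198.51.100.7", "admin"),
    ev("2022-03-01T04:01:00", 4625, "198.51.100.7", "admin"),
] + [ev(f"2022-03-01T05:00:{s:02d}", 4625, "10.0.0.9", "svc_sql", logon_type=3)
     for s in range(0, 60, 10)]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that exceeds `threshold` RDP failures
    inside `window`. The alert is upgraded to critical if the same source later
    logs on successfully over RDP, the signature of a brute-forced credential."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(deque)   # ip -> (time, user) failures inside the window
    total = Counter()             # ip -> all RDP failures seen from that source
    alerts = {}
    for e in ordered:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, t = e["ip"], datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            total[ip] += 1
            q = recent[ip]
            q.append((t, e["user"]))
            while q and t - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"source": ip, "first_seen": q[0][0].isoformat(),
                              "users": {u for _, u in q}, "success_after": None}
            if ip in alerts:
                alerts[ip]["failures"] = total[ip]
                alerts[ip]["users"].add(e["user"])
        elif e["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = f'{e["user"]}@{e["time"]}'
    out = []
    for a in alerts.values():
        a["users"] = sorted(a["users"])
        a["password_spray"] = len(a["users"]) >= SPRAY_USERS
        a["severity"] = "critical" if a["success_after"] else "high"
        out.append(a)
    return out


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed sample, the rule raises a single critical alert for 203.0.113.45 (six failures across four accounts, then a successful logon as svc_backup) and stays silent for the user who mistyped twice and for the source whose failures are spread an hour apart. Lowering the threshold to three also catches the slow source, which is the trade-off to weigh against helpdesk noise when tuning.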

This statement also highlights the now well-established ‘as a service’ nature of cybercrime.  Ransomware as a service (RaaS) is a revenue-share business model in which developers recruit affiliates to distribute their ransomware variants.  With RaaS providers offering end-to-end support to those affiliates, criminals with minimal technical ability can launch sophisticated attacks of their own.  The NCSC points out that it has observed some ransomware threat actors offering a “24/7 help centre to expedite ransom payment”. While RaaS lowers the barrier to entry for would-be ransomware operators, the complexity and severity of the resulting attacks is undiminished. When foreign exchange provider Travelex fell victim to the REvil RaaS group in late 2019, for example, it paid a $2.3 million ransom, yet the ultimate result was still corporate fatality: the company cited the attack as a key factor when it entered administration the following year.

Preparations for Big Game Hunting

Authorities in all three countries cited Big Game Hunting as a key factor in the ransomware threat landscape. Big Game Hunting refers to attackers targeting organisations with sophisticated, bespoke attacks designed for maximum impact. Attackers choose their victim carefully, often targeting larger organisations, where the potential for financial return is much greater. Attackers spend time selecting and studying their target, before conducting any form of attack.  

The United States, which has experienced some of the most high-profile Big Game attacks in recent years, such as the Colonial Pipeline attack, reported that threat actors were increasingly redirecting their efforts towards mid-sized companies. The NCSC, by contrast, observed attacks targeting organisations of every size, Big Game victims included.

CISOs in financial services need to prepare their organisations for these sophisticated attacks, which are likely to increase significantly in the event of escalating geopolitical tension. Leaders must review the tools and processes their organisation has in place, ensuring they have a comprehensive security strategy from the ground up. The organisation’s cyber defence strategy should encompass the assets and data that need to be protected, the specific threats to those assets, and the security tools and processes needed to deal with these threats.  

The tactics, techniques, and procedures (TTPs) employed in Big Game attacks are those typically associated with attacks on complex environments – from reconnaissance and initial access, through privilege escalation and lateral movement, to deployment of the payload.  Attackers may be present in an organisation’s network for months before deploying that payload.  By then the attacker will likely have visibility into the victim’s backup and disaster recovery capabilities, and will look to disable or encrypt them first, which is what makes this form of attack so difficult to defend against unless backups are held offline or in immutable storage and restoration has been rehearsed.

Start With the Basics

Getting the basics right might seem obvious, but it is often both the most effective and the most overlooked aspect of an organisation’s defence strategy. In the days following the Colonial Pipeline attack, it emerged that the company had not implemented organisation-wide multi-factor authentication (MFA). Access was gained with a single compromised VPN password, one that had appeared in a list of leaked credentials published on the dark web.  Had the organisation taken the basic step of ensuring MFA was in place on that account, the attackers would likely have been unsuccessful.

MFA is an additional layer of defence, not a substitute for credential hygiene: it remains crucial that passwords known to have been exposed are changed promptly. A recent study found that less than half of users change their passwords after a breach, and for organisations that haven’t yet found themselves in the crosshairs of cyber criminals, the figures will undoubtedly paint a more worrying picture still.
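The Colonial Pipeline password was usable because it sat in a published list of leaked credentials and nobody had checked. That check can be automated without ever sending the password anywhere, using the k-anonymity range lookup that Have I Been Pwned’s Pwned Passwords API implements: only the first five hex characters of the password’s SHA-1 hash leave the machine, the server returns every hash suffix sharing that prefix, and the comparison is done locally. The code below is an added example for this article, not code from the original page or from Have I Been Pwned. The range response it uses is constructed so that it runs offline (a real response contains hundreds of lines with different counts); the live call is shown but not exercised.

```python
"""Check whether a password appears in a leaked-credential corpus without
revealing it, using the k-anonymity range lookup of Have I Been Pwned's
Pwned Passwords API.

Added example for this article, not code from the original page. Only the first
five hex characters of the password's SHA-1 are sent; the server returns every
hash suffix sharing that prefix and the comparison happens locally. The range
response below is constructed for an offline run (a real one holds hundreds of
lines and different counts); fetch_range() performs the live call and is not
used by the offline check.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the response to GET /range/5BAA6. The third line's
# suffix is the real SHA-1 tail of "password"; the counts and other lines are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of `password` into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_response):
    """Parse 'SUFFIX:COUNT' lines and return how often `suffix` was seen (0 if absent)."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count(password, range_lookup):
    """Number of times `password` appears in the corpus behind `range_lookup(prefix)`.
    0 means the suffix was not in the returned range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_lookup(prefix))


def offline_lookup(prefix):
    """Offline stand-in for the API using the constructed table above. Unknown
    prefixes yield an empty range, which a production caller should treat as
    an error rather than a clean result."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range(prefix):
    """Live k-anonymity lookup (network access required; not used offline)."""
    req = urllib.request.Request(API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_lookup)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in constructed range'}")
```

Wired into a password-change flow (or run periodically against NTDS hashes via the equivalent NTLM range endpoint), a non-zero count is the trigger to force a reset rather than wait for a breached password to be tried against the VPN. Note that an empty range response in the offline stand-in only means the constructed table has no entry for that prefix; the live service returns a populated range for every prefix, so an empty body there signals a failed request, not a clean password.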

The ability of cyber criminals to monetise attacks means it is virtually certain that ransomware will be the attack method of choice if retaliatory cyber-attacks increase in the coming months. Ransomware attacks have generated almost $1.3 billion in cryptocurrency payments over the last two years, with average payment sizes increasing significantly as a result of Big Game Hunting. Ransom payments, however, represent only a small proportion of the wider financial, reputational and technological damage a successful attack can cause. The message for the industry is clear – and is being shouted from the rooftops at the highest levels of Government. Prepare and protect before it’s too late.