Let’s Get Physical – Why It Isn’t Always Just About The Online Threats
The bank heist has evolved. While the days of balaclavas and sawn-off shot guns have mostly been consigned to the past, many would be forgiven for thinking that it is now all a virtual threat.
Sure, there will be cyber criminals testing out the digital defences of financial institutions’ IT operations, probing to see where any potential weaknesses lie without any human interaction. However, to improve their chances of success, many threat actors also exploit real-world vulnerabilities, including employees and physical infrastructure, such as ATMs.
The human factor
The average bank has thousands of people working for it, anyone of whom could be a weak link that a threat actor could use to break into the corporate network. Using sophisticated phishing scams, threat actors try to force employees into mistakenly revealing their credentials. This enables them to gain a foothold in the network, from where they can then carry out lateral movement and privilege escalation.
Such tactics are now considered more effective thanks to the isolation brought about by the remote working requirements of COVID-19 lockdowns. Staff working by themselves can no longer quickly check with their colleagues that an email is genuine as they could when in the office.
More audacious cyber criminals will target a bank’s physical assets to infiltrate its IT systems. ATMs are a prime target as they are often remote and accessible 24/7. Unlike the heavily defended cash boxes within them, ATMs generally have poorly protected components that threat actors can easily access to set up their attacks. One of our penetration test experts discovered that one bank was using 4G routers in its ATMs to enable them to communicate. It would not take much for a threat actor to physically remove this and use it to access the ATM network.
Branches and offices are just as vulnerable. Although well defended against armed robbery, few are prepared for more subtle infiltrations in which threat actors lay the groundwork for future attacks. For instance, using just a cover story and fake ID our red teams are often able to get into restricted areas of bank buildings. This has even stretched to security guards buzzing us through despite having a faulty RFID card, and another time being allowed to stay in the office once all staff had left, giving us free run.
Once inside a restricted area, threat actors can leave behind a hidden drop box that will enable them to get onto the corporate network whenever and wherever they like.
Combatting virtual and physical threats
Aside from more advanced physical pen test tactics, cyber criminals of course hone what they do best and are always upping their game when it comes to their digital tactics and techniques. For instance, they are increasingly using automation to detect zero day vulnerabilities and are creating and repurposing sophisticated malware and ransomware strains to circumvent banks’ defences.
In response to a vast attack surface covering both physical and virtual threats, banks need to deploy a combination of IT and human defences. Automated defences will be able to detect and mitigate standard risks, but to defend against more sophisticated attacks requires human intervention. Ethical hackers will be able to think like the attackers and consider more physical tactics such as those mentioned.
These defences need to be fully tested by no-holds-barred red teaming exercises to ensure that whatever the cyber criminals think of, the banks’ security team thought of it first.
Want to put your organisation through its paces and make sure its secure? Drop us a line to discover how A&O can help enhance your cyber security