SOCRadar® Cyber Intelligence Inc. | Top Threat Intelligence Use Cases for the Finance Sector-I


Sep 28, 2020

Top Threat Intelligence Use Cases for the Finance Sector-I

Security departments in the financial industry face a daunting mission. They have to defend the company from an immense volume of indiscriminate attacks, which is the price of simply being an online enterprise, while also ensuring that planned business activities are as robust as possible. Security experts in the industry are redoubling their efforts to collect threat intelligence so that they can detect and prevent threats more efficiently than ever before while defending the integrity of the company and its corporate life. However, it can be a struggle to decide which solution to choose. A comparison of threat intelligence products can help these professionals find the most reliable and productive way to spend their time and money.

What are the biggest cyber challenges for the financial industry?

The financial services market is one of the most heavily targeted by organized crime, which tries to pillage confidential details that can be monetized rapidly.

One of the biggest cyber challenges in the financial services industry is the theft of personally identifiable information (PII), mostly by organized crime groups who infiltrate networks to rapidly monetize the data they steal. They threaten not only business networks but also individuals, going after their identities, usernames, and passwords for account takeovers.

What are the cyber threat intelligence use-cases for the finance industry?

Dark web monitoring

The dark web is where fraud and crime organizations are found, and it is the latest hotbed of business risk. Regular search engines such as Google or Bing do not index it. Financial data such as stolen payment cards (credit and debit cards) or account credentials can be found all over the dark web. Sometimes massive lists of usernames and passwords, called combo lists, are on sale or given away for free there.

At the beginning of 2020, the records of nearly half a million payment cards from Indian banks were found on sale on the dark web. The records included card numbers, expiry dates, CVV/CVC codes, and some additional details such as full cardholder names and email addresses; their estimated value was more than $4.2 million. Data protection can be strengthened by leveraging knowledge gathered from hacker communities in places such as the dark web. Such information on risks should be made accessible to a wide range of organizations to facilitate protection measures and secure their facilities more efficiently. The path to future advancement in this field is ongoing innovation and automation. CTI can find breached credit or debit cards on deep web or darknet marketplaces immediately and warn the affected financial institutions right away so that they can limit the damage.

Compromised account detection

Credential stuffing is the automated injection of compromised username/password pairs in order to obtain fraudulent access to user accounts. It is a subset of brute-force attacks: a large number of compromised credentials are tried against login pages using automation to find a combination that works.

In one case, a major Canadian bank, whose annual revenue exceeds $20 million, suffered a credential stuffing attack that lasted for months against its website and smartphone apps. Malicious hackers targeted every imaginable outlet for credential stuffing: Canadian and American websites, smartphone applications, and even OFX API endpoints. The attacks not only resulted in account takeovers but also greatly hampered the bank’s networks through their sheer volume.

To gather information such as leaked documents, sensitive data, vulnerabilities, and misconfigurations related to the business in real time, CTI continuously monitors the internet, deep web, and obscure sites.
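The defining trait of credential stuffing described above is one source trying many different accounts, as opposed to a brute-force attack hammering a single account. The following added example (not from the article or SOCRadar) shows how a SOC could surface that pattern from login-audit lines; the log format, the field names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical login-audit format (not taken from the article).
SAMPLE_LOG = """\
2020-09-28T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-09-28T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2020-09-28T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2020-09-28T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2020-09-28T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2020-09-28T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2020-09-28T10:00:10Z ip=198.51.100.9 user=alice result=FAIL
2020-09-28T10:00:20Z ip=198.51.100.9 user=alice result=FAIL
2020-09-28T10:00:30Z ip=198.51.100.9 user=alice result=SUCCESS
2020-09-28T10:05:00Z ip=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_stuffing(log, window=timedelta(minutes=5), min_attempts=5, min_users=4):
    """Flag source IPs that try many *distinct* usernames inside one time window.
    Many attempts on one account is classic brute force; many accounts from one source
    is the stuffing signature. Returns {ip: {"attempts", "distinct_users", "successes"}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # slide the window over each start
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(in_win) >= min_attempts and len(users) >= min_users:
                flagged[ip] = {"attempts": len(in_win), "distinct_users": len(users),
                               "successes": sum(r == "SUCCESS" for _, _, r in in_win)}
                break
    return flagged
```

The successful login inside a flagged window is the account that needs a forced password reset and a fraud review, which is where the CTI feed of known combo lists adds context.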

Threat actor tracking

Financial services are the most targeted business. Threat actors in this industry have different capabilities, TTPs, and goals. They focus on data theft, ATM burglary, transfers using Fast mechanisms, and intranet penetration by banking malware.

The Lazarus Group, a North Korea-based APT known for targeting financial organizations, allegedly robbed Banco del Austro in Ecuador of 12 million US dollars and Tien Phong Bank in Vietnam of 1 million US dollars in 2015. They also attacked Polish and Mexican banks, and in 2016 they stole $81 million from the Bangladesh Bank.

CTI provides information on malicious actors, their tools, and their infrastructure so that the risks from such threats can be prevented or minimized. Knowledge of the threat actors’ tactics, techniques, and procedures helps in detecting their presence in a network. Furthermore, by providing an understanding of the threat actors’ purposes and capacity, CTI analysts improve incident response, including minimizing the damage in case of a compromise.

Social media risks

Social networking has become an influential way for corporations to connect with their clients. The integration of these innovations has profoundly changed the complexity of customer interactions, marketing, and organizational communications in many industries. Executives who are concerned about security-related threats resulting from social media use in an organization should consider how their companies handle cases of data exposure and malware infection, which may be due to human error, phishing attacks, or sophisticated attackers. Identity exposure and the infection of organizational networks and applications with viruses and malware carry the danger of unauthorized disclosure, misuse, or theft of information.

For example, a cybercriminal took over the Twitter account of the Bank of Melbourne to disseminate phishing links to its followers. Bank customers were first told of the damage when a tweet was sent shortly after the attack. Some of the bank customers unknowingly clicked the malicious links posted during the attack and gave away their credentials.

Gathering actionable cyber threat intelligence from large-scale channels such as social networks is complicated and practically impossible to do manually. CTI gives organizations an in-depth understanding of their threat landscape by analyzing information about cyber threats collected from social media, and lets businesses know who may be targeting their systems.

Code repository leakage

Every day, thousands of new API keys or encryption keys leak via GitHub. Since this sort of leakage has become so common, and it is difficult for organizations to train every developer involved, CTI plays an important role in detecting such leaks.

Scotiabank source code and credentials were found exposed on GitHub. According to the Scotiabank report, the GitHub repositories were compromised and left accessible to the public. Passwords and connection details for certain bank back-end systems and utilities around the globe were among hundreds of documents and code files, allegedly created by developers working on variants of Scotiabank’s smartphone applications for Central and South America.

Cyber threat intelligence solutions not only use the GitHub Search API but also dig through the GitHub dataset snapshots in Google BigQuery for sensitive data, and they raise alerts when a GitHub leak is found.
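Whatever the source of the commit (the Search API or a BigQuery snapshot), the core of a leak alert is scanning the added lines of a diff for secret-shaped values while suppressing obvious placeholders. This added example (not SOCRadar's code or the article's) does that over a constructed unified diff; the AWS key in it is the well-known documentation example value, and the file and variable names are invented.

```python
import math
import re

# Constructed unified diff standing in for a commit fetched via the GitHub API (not from the article).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,5 @@
 DEBUG = False
-API_KEY = ""
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "x9Q2mLpZ4vWq8sRt1nKb"
+TOKEN_SECRET = "aaaaaaaaaaaaaaaaaaaa"
 ALLOWED_HOSTS = ["example.com"]
"""

# (rule, pattern with the secret in group 1, minimum Shannon entropy of that group). Structured
# formats need no entropy gate; the generic "name = value" rule is gated to skip placeholders.
SIGNATURES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)"), 0.0),
    ("generic_secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+_-]{16,})"), 3.5),
]

def shannon_entropy(s):  # bits per character: ~0 for "aaaa", above 4 for random-looking tokens
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff):
    """Return [(file, new_line_no, rule, secret)] for added lines that look like secrets."""
    findings, path, lineno = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])      # new-side file name
        elif raw.startswith("@@"):
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1)) - 1
        elif raw.startswith("-") or path is None:
            continue                                # removed line or file header
        elif raw.startswith("+"):
            lineno += 1
            for rule, rx, min_entropy in SIGNATURES:
                m = rx.search(raw[1:])
                if m and shannon_entropy(m.group(1)) >= min_entropy:
                    findings.append((path, lineno, rule, m.group(1)))
                    break                           # one alert per line is enough
        else:
            lineno += 1                             # unchanged context line
    return findings
```

Each finding carries the file and new-side line number, which is what an analyst needs to confirm the leak and get the key rotated before the alert is closed.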

VIP protection

Company executives are more likely to be the target of cyberattacks since they have more privileges within the organization.

In 2013, Anonymous launched its Project Last Resort, hacking a government website and releasing the credentials and private information of more than 4000 American bank executives. Many executives cannot defend themselves without protection and assistance, since they have too many other things to pay attention to. CTI defends VIP accounts against account takeovers, spear-phishing, ransomware, abuse, and misrepresentation by monitoring the surface, deep, and dark web.

How can threat intelligence help the finance industry?

CTI (cyber threat intelligence) should give the finance industry a better view of its market challenges. It offers actionable intelligence that helps executives make well-grounded strategic decisions, and it monitors the public internet, deep web, and dark web for sensitive data exposure and imminent cyber-attacks.

In a nutshell, cyber threat intelligence can help the finance sector as follows:

  • CTI lets organizations rapidly identify digital risks and concentrate their resources and energy where they are most needed, discarding what is unimportant. Alert fatigue in the SOC is the worst possible outcome for the financial sector. Rapidly dismissing false-positive alerts, which may otherwise waste thousands of analyst hours in a year, is one of the main roles of threat intelligence for SOC analysts.
  • CTI improves vulnerability management by allowing SOC teams to prioritize tasks.
  • Threat intelligence assists security leaders in determining whom they need to recruit, what security technology to procure, and where to spend their resources to reduce cyber risk.

SOCRadar helps financial services by providing unified threat intelligence solutions

SOCRadar provides the actionable and timely intelligence context you need to support financial services, with external attack surface management, digital risk protection, and threat intelligence modules.

SOCRadar’s Threat Fusion provides actionable insights into future cybersecurity threats with a big data-powered threat investigation module to assist in searching deeper context, real-time threat investigation, and analysis.

SOCRadar’s RiskPrime builds on industry-leading instant phishing domain identification, credit card monitoring, customer PII protection, and compromised credential detection technologies by aggregating and correlating massive numbers of data points into actionable intelligence alerts.

SOCRadar’s AttackMapper provides insight and visibility into your internet-facing assets, discovering and monitoring everything related to your organization on the Internet to bring the enormous scale of your attack surface into focus.

Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses are tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.