Indian bank looks to protect from cyber attacks using deception

You are reading it here first: A bank in India is looking to acquire a ‘deception’ infrastructure that will act as a fail-safe in case hackers try to access its valuable information. Telecommunication Consultants of India (TCIL) has floated the tender for an unnamed bank, and the solution will be installed in the bank’s data centre. TCIL, in the tender, said that the deception solution should be able to provide decoy firewalls, decoy web application firewalls (WAF), a decoy demilitarised zone (DMZ), and so on. According to SearchSecurity, in computer networks a DMZ, or demilitarised zone, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks.

The tender said that the deception solution should support 4 stages of an attack:

  • Before the attack: Pre-emption. The deception solution should have the ability to monitor an organisation’s attack surface.
  • During the attack: Detection. The solution should be able to create and deploy authentic deceptions across all endpoints.
  • After the attack: Response. The solution should collect forensic intelligence and the context needed to understand and act on an incident.
  • Stop the attacker movement: Mitigation. For this stage, the tender said that the solution should be able to integrate into the existing security ecosystem and that it should provide in-depth logs to help the Security Operations Center mitigate cyber security risks.

How would it work?

The decoys should be scientifically placed in multiple subnets, so the hackers will encounter them in the process of trying to find valuable information. When the hackers try to access the decoys, a silent alert should be raised, and full forensics related to the attack should be collected. Decoy should be able to capture details such as attack vector used, attack methodology, tools used for attack, source of the attack, etc — TCIL tender (emphasis ours)

There has been an increase in bank-specific cyber attacks recently. According to a Financial Express report, Kaspersky discovered that the growth of online payments has been paralleled by a rise in banking Trojans in the Asia Pacific region. Recently, the National Bank of Pakistan reported a cyber security-related incident but said that no financial loss or data breach had been observed.

A look into what the Deception solution should be able to do

TCIL has given a wide range of requirements that the bidder has to comply with. The solution should create software that acts as a decoy for various banking components such as —

  • Servers
  • Desktops
  • Files
  • User accounts
  • Internet banking
  • Mobile banking
  • Loan
  • ATM switch
  • Browsers
  • Share drives
  • Emails
  • Windows credentials
  • Cloud
  • Network devices
  • IoT devices

When cyber attackers target the above-mentioned components of the banking infrastructure, the solution should be able to identify —

  • Attack signature
  • IP info like geolocation, reputation
  • Behaviour patterns
  • Network scanning attempts
  • Web application vulnerability exploitation
  • Operating system scan

Apart from that, the solution should also create “file decoys” which, when accessed, would trigger alerts silently. “The solution should have ability to trigger alarm if unknown/suspicious/malicious type of files are created/dropped/loaded on the decoys by the attacker,” it said. All these activities have to take place in a sandboxed environment set up virtually so that the real infrastructure does not get affected.
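The two requirements above, identifying the attack vector behind a decoy interaction and raising a silent alert when files are dropped on or read from a decoy, are illustrated by the following added example; it is not code from the tender or from any vendor, and the decoy names, event records and signature strings are constructed sample data. It turns a batch of decoy interaction records into alert records with the forensic fields the tender asks for (source, decoy, port, vector, evidence), classifies web exploitation attempts and file activity, and derives port-scanning behaviour per source.

```python
from collections import defaultdict

# Constructed sample of decoy interactions (not data from the tender).
# Fields: (timestamp, source_ip, decoy_host, decoy_port, event, detail)
DECOY_EVENTS = [
    ("2021-11-01T10:00:01", "10.20.30.40", "decoy-dmz-web", 80, "http", "GET /static/../../etc/passwd"),
    ("2021-11-01T10:00:02", "10.20.30.40", "decoy-dmz-web", 22, "connect", ""),
    ("2021-11-01T10:00:02", "10.20.30.40", "decoy-dmz-web", 445, "connect", ""),
    ("2021-11-01T10:00:03", "10.20.30.40", "decoy-dmz-web", 3389, "connect", ""),
    ("2021-11-01T10:05:00", "10.20.30.41", "decoy-share-01", 445, "file_drop", "invoice.exe"),
    ("2021-11-01T10:06:00", "10.20.30.42", "decoy-share-01", 445, "file_read", "Q3_loan_book.xlsx"),
]

# Illustrative web-attack signatures a decoy web server or decoy WAF might match.
WEB_SIGNATURES = {
    "path_traversal": ("../", "..\\"),
    "sql_injection": ("' or '", "union select"),
}
SCAN_PORT_THRESHOLD = 4  # distinct decoy ports touched by one source = scanning


def match_signature(detail):
    """Return the name of the first matching web-attack signature, or None."""
    text = detail.lower()
    for name, needles in WEB_SIGNATURES.items():
        if any(n in text for n in needles):
            return name
    return None


def build_alerts(events):
    """Silent alerts with forensic context: nothing legitimate ever touches a decoy."""
    alerts, ports_by_source = [], defaultdict(set)
    for ts, src, decoy, port, event, detail in events:
        ports_by_source[src].add(port)
        sig = match_signature(detail) if event == "http" else None
        category = {"file_drop": "unknown_file_dropped",
                    "file_read": "decoy_file_accessed"}.get(event, "decoy_touch")
        if sig:
            category = "web_exploitation:" + sig
        alerts.append({"time": ts, "source": src, "decoy": decoy, "port": port,
                       "vector": event, "evidence": detail, "category": category})
    # Port scanning is a per-source pattern, so it is derived after the pass above.
    for src, ports in ports_by_source.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append({"time": None, "source": src, "decoy": None, "port": None,
                           "vector": "connect", "evidence": sorted(ports),
                           "category": "network_scan"})
    return alerts
```

Because decoys carry no production traffic, every record is high-signal: the categories add context for the SOC rather than deciding whether to alert at all.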

Required solution should cover the entire MITRE ATT&CK framework

The solution should cover and identify the entire Cyber kill chain stages / MITRE ATTACK framework mapping from recon – lateral movement – exfiltration. Also it should replay attacks as they happen to check what is working and what is not (sic) — TCIL tender

MITRE ATT&CK is a set of techniques used by adversaries to accomplish a specific objective, according to a blog by McAfee. Those objectives are categorised as tactics in the ATT&CK Matrix, the blog read. The objectives are presented linearly from the point of reconnaissance to the final goal of exfiltration or “impact”, it added.


Additionally, the tender made mention of specific cybersecurity threats that target the banking sector, which include —

  • CobaltStrike: Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”.
  • Empire: Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub.
  • SilentTrinity: Another open source cyber attack framework available on GitHub, SilentTrinity is described as a “modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR”.

System should not be open source: Tender

TCIL said that the bank which has floated the requirement for the tender has said that the base operating system of the solution should not be free open-source software. “But should be hardened enterprise edition (be it Windows or Unix). The bidder has to ensure patches/updates are timely installed and no end of support is there,” it said.

Apart from that, the bidder is required to —

  • Provide centralised management and real-time monitoring console with dashboard and role-based admin/read-only access
  • Impart training to bank personnel or security operations center on the product architecture, functionality, and solution design
  • Ensure hardware sizing such that CPU and memory utilisation does not exceed 70% and storage space utilisation does not exceed 80%.

RBI’s Cybersecurity Framework 2016 highlights need for ‘deception’

Deception solutions, also known as honeypot services, find a mention in the Reserve Bank of India’s Cyber Security Framework in Banks. RBI said that a honeypot is among the many features that banks need to put in place as part of the Cyber Security Operations Center. Others include —

  • Methods to identify the root cause of attacks, classify them into identified categories, and come out with solutions to contain further attacks of similar types
  • Incident investigation, forensics, and deep packet analysis
  • Dynamic behaviour analysis
  • Analytics with a good dashboard

Cyber Security Operations Center | Source ReBIT
