Combating threats with UEBA: Money matters

Log360 | October 18, 2019 | 4 min read

In this four-part series, we explore hypothetical cyberattacks inspired by real-life events in four different industries: healthcare, finance, manufacturing, and education. We’ll take a look at unforeseen security attack scenarios, and discover how user and entity behavior analytics (UEBA) can be leveraged to safeguard organizations.

In this second post of the series, we’ll examine cyberattacks that threaten the financial sector.

With rapid development in networking technologies, the world has become an increasingly connected place. While enabling instant access to almost everything with the swipe of a finger has undoubtedly been convenient for most, technologies that offer convenience may also expose organizations and individuals to both generic and targeted cyberattacks. Money is one of the primary driving forces behind most cybercrimes, so what better target than an organization in the financial services industry?

Equipped with advanced technologies, criminals are shifting their focus from low-risk, low-profit individual bank customers to the banking service providers themselves; the risks involved with high-profile targets like these are far greater, but so is the reward.

So what can IT admins in the financial industry do to combat security threats? Let’s take a look at how UEBA can help IT admins in this industry make some crucial security decisions.

The non-existent borrowers

It was just another day at work for Margaret Harper, marketing manager at Alpha Financial Inc. She was expecting a quote for a proposed television campaign from an advertising agency. As anticipated, an email notification popped up on her screen, and she quickly skimmed through the content and downloaded the attachment. She didn’t realize that she had fallen prey to a spear phishing attempt.

With a From address that closely resembled the ad agency’s and relevant mail content, Margaret can’t really be blamed. Once she opened the Word document, the macro in the document began running multiple commands in PowerShell to exfiltrate the customer database by copying it and mailing it to the hackers. The stolen data could then be used to perform synthetic identity fraud.

Since the customer database is a rich repository of personally identifiable information (PII), attackers can utilize it to open a credit card using any of these customers’ details, and max it out before vanishing without a trace. Synthetic identity fraud has the most direct impact on banks, as they’re left to bear the brunt of the financial loss. The below figure describes how a synthetic identity is generated by combining PII of various legitimate users.

Making of a synthetic identity

Fortunately, in this case, the attack was thwarted. Before the data could be sent to the hacker via email, Alpha Financial’s UEBA solution flagged the execution of multiple PowerShell cmdlets and the accessing and copying of numerous folders in a short span of time as atypical behaviors. Once Margaret’s risk score shot up, the IT administrator noticed and promptly isolated the system from the internet and the company’s network to prevent lateral movement inside the bank’s network and outward data transmission.

Denial doesn’t help

In today’s world, even 99 percent availability won’t suffice, as customers expect banking services to remain available around the clock and across the globe. Thanks to the proliferation of social media, public reaction to service unavailability is instantaneous. The response from dissatisfied customers can go viral in a matter of seconds, tarnishing the reputation of the bank. For the financial services industry where customer trust is the key to success, a service outage due to a distributed denial of service (DDoS) attack can contribute to massive customer churn and prove to be costly.

A hacker could gain access to the organization’s network through a well-planned account compromise. They could gain a foothold by remaining undetected for some time to observe the characteristics of devices connected to the network; by doing this, attackers can assess any existing device vulnerabilities and initiate attacks on these network devices to convert them into a botnet. The interconnected devices, which are now controlled by the threat actor, can then be used to launch a full-fledged DDoS attack on critical bank servers at crucial hours to do the most damage. So how does UEBA come into the picture?

UEBA can identify and expose anomalous behavior not just in user profiles, but also in the various entities like routers, printers, servers, networking devices, storage components, mobile devices, etc. that are connected to the bank’s IT infrastructure. UEBA creates a baseline profile for each entity and constantly compares it with present behavior to diagnose anomalies in real time. This is how UEBA helps protect the components of the network from being hacked and converted into bots. UEBA can also detect an unusually high volume of traffic or requests made to the bank’s servers and alert IT admins so they can take immediate corrective action.

Spotting the insider smurf

Andrew Chase is a highly sought-after financial adviser employed in the private wealth management division of Goldguard Holdings. Goldguard Holdings uses a relational database management system, Oracle Database, to consolidate client information. Fueled by greed, Andrew decides to launder money.

Andrew’s money laundering plan:

  • Identify bank accounts that have been dormant for a while

  • Disable notifications to owners of these accounts, so they remain unaware of their account transactions

  • Deposit the illegally obtained money in small amounts into the victims’ accounts

  • Redirect the money back to the originating account

  • Delete transaction traces

  • Repeat the process at safe intervals that won’t arouse suspicion

Money laundering is a major threat for financial institutions

His plan looks impressive, but unfortunately for him it quickly flopped, landing him behind bars. Andrew didn’t know that Goldguard Holdings had a UEBA solution in place to monitor its IT infrastructure.

Andrew had permission to access the database of all the customers of the bank. However, he generally accessed only the details of his own clientele. Once he started performing several queries on the customer database to identify accounts that had been idle for one year, the UEBA solution detected a count anomaly. Following this, when he shortlisted scapegoats and began altering account notification permissions, it detected a pattern anomaly.

In response, Andrew’s risk score shot up, alerting the system administrator of a potential breach. The administrator was able to investigate and uncover Andrew’s illicit activity. Had its UEBA solution not reported Andrew’s malicious activities, Goldguard Holdings would have been on the hook for an anti-money laundering (AML) compliance violation and subject to legal and financial repercussions.
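The two detections in this story (a count anomaly on the customer database queries, then a pattern anomaly on the notification changes) and the risk score that ties them together can be illustrated with a small baseline-and-compare detector. The following is an added example written for this post, not Log360's or any vendor's detection logic: it parses constructed audit-log lines of the form `timestamp user action target` (a format assumed for the example), builds a per-user, per-action daily baseline from a learning period, then scores a later day. A count anomaly is a day whose count sits more than three standard deviations above the baseline mean for an action the user normally performs; a pattern anomaly is an action the user has never performed during the baseline. Each anomaly adds to the user's risk score, and the score crossing a threshold is what an administrator would be alerted on. The same generic logic covers the PowerShell scenario earlier in the post, since "powershell.cmdlet" or "file.copy" are just further action names. The user names, actions, weights and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed learning-period audit log (not real data). One line per event:
# ISO timestamp, user, action, target. Andrew normally runs 2-3 queries a day
# against his own client view and nothing else.
BASELINE_LOG = """\
2019-10-01T09:02:11 achase db.query clients_achase
2019-10-01T11:40:03 achase db.query clients_achase
2019-10-01T15:12:57 achase db.query clients_achase
2019-10-02T09:05:21 achase db.query clients_achase
2019-10-02T13:22:48 achase db.query clients_achase
2019-10-03T09:14:10 achase db.query clients_achase
2019-10-03T10:48:36 achase db.query clients_achase
2019-10-03T16:01:02 achase db.query clients_achase
2019-10-04T09:09:55 achase db.query clients_achase
2019-10-04T14:30:19 achase db.query clients_achase
2019-10-04T17:21:07 achase db.query clients_achase
"""

# Constructed log for the day under test: a burst of queries against the
# whole customer table, then an action never seen in the baseline.
TEST_LOG = """\
2019-10-07T09:01:12 achase db.query customers_all
2019-10-07T09:01:19 achase db.query customers_all
2019-10-07T09:01:27 achase db.query customers_all
2019-10-07T09:01:34 achase db.query customers_all
2019-10-07T09:01:41 achase db.query customers_all
2019-10-07T09:01:50 achase db.query customers_all
2019-10-07T09:02:03 achase db.query customers_all
2019-10-07T09:02:15 achase db.query customers_all
2019-10-07T09:02:28 achase db.query customers_all
2019-10-07T09:02:40 achase db.query customers_all
2019-10-07T09:31:05 achase account.notify_disable acct-7781
2019-10-07T09:32:47 achase account.notify_disable acct-2204
"""

COUNT_WEIGHT = 30      # assumed risk points for one count anomaly
PATTERN_WEIGHT = 25    # assumed risk points for one never-seen action
ALERT_THRESHOLD = 50   # assumed score at which the admin is paged


def parse_log(text):
    """Parse 'timestamp user action target' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, target = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target})
    return events


def build_baseline(events):
    """Per (user, action): mean and stdev of daily counts; per user: actions ever seen."""
    daily = defaultdict(Counter)        # (user, action) -> Counter(day -> count)
    seen_actions = defaultdict(set)     # user -> {action, ...}
    for e in events:
        daily[(e["user"], e["action"])][e["ts"].date()] += 1
        seen_actions[e["user"]].add(e["action"])
    profile = {}
    for key, per_day in daily.items():
        counts = list(per_day.values())
        # Floor the stdev at 1.0 so a perfectly flat baseline cannot produce an infinite z-score.
        profile[key] = (statistics.mean(counts), max(statistics.pstdev(counts), 1.0))
    return profile, seen_actions


def detect(profile, seen_actions, events, z_threshold=3.0):
    """Compare new events against the baseline; return (anomalies, risk score per user)."""
    anomalies, risk = [], Counter()
    counts = defaultdict(Counter)       # (user, action) -> Counter(day -> count)
    for e in events:
        counts[(e["user"], e["action"])][e["ts"].date()] += 1
    for (user, action), per_day in counts.items():
        for day, n in per_day.items():
            if action not in seen_actions.get(user, set()):
                # Pattern anomaly: this user has never performed this action before.
                anomalies.append(("pattern", user, action, day, n))
                risk[user] += PATTERN_WEIGHT
                continue
            mean, sd = profile[(user, action)]
            z = (n - mean) / sd
            if z >= z_threshold:
                # Count anomaly: a familiar action, but far above the usual daily volume.
                anomalies.append(("count", user, action, day, round(z, 1)))
                risk[user] += COUNT_WEIGHT
    return anomalies, dict(risk)


def alerts(risk, threshold=ALERT_THRESHOLD):
    """Users whose accumulated risk score warrants an administrator alert."""
    return sorted(u for u, score in risk.items() if score >= threshold)


if __name__ == "__main__":
    profile, seen = build_baseline(parse_log(BASELINE_LOG))
    found, risk = detect(profile, seen, parse_log(TEST_LOG))
    for a in found:
        print(a)
    print("risk:", risk, "alert:", alerts(risk))
```

Run as written, the detector reports one count anomaly for `db.query` on the test day (ten queries against a baseline of roughly three per day) and one pattern anomaly for `account.notify_disable`, which together push the user's score to 55 and trigger the alert. In a real deployment the baseline would be learned continuously over weeks rather than four days, the target column would feed a second pattern check (a familiar action against an unfamiliar object, such as the whole customer table instead of one adviser's client view), and the weights would be tuned per action rather than fixed constants.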

The silver lining

On the brighter side, the financial services industry emerges as a top performer in overall cybersecurity according to SecurityScorecard’s rankings. This implies that many organizations in the financial sector realize how important cybersecurity is, which is a positive sign. However, with the increasing number of attacks targeting organizations in this sector, organizations need to remain vigilant, and UEBA can help.

Stay tuned as we probe into the cyberthreats that lurk in the manufacturing industry in the next blog in our Combating threats with UEBA series. Until then, be vigilant and stay secure. We don’t want you to become inspiration for our next post.