Dr Gareth Owenson, Co-Founder and CTO, Searchlight Cyber
The financial sector has a deserved reputation for taking cyber security seriously, but that hasn’t stopped cyber criminals keeping the industry in their cross hairs. In fact, with highly sensitive data and huge sums of money as the potential reward – the average cost of a data breach in the financial sector is $5.9 million – threat actors are constantly evolving their methods of attack. With so much at stake, it is vital organisations equip themselves with the intelligence and capability to defend themselves against impending attacks.
Many of these cyberattacks originate on the dark web – this secretive corner of the internet where company data is sought and sold to the highest bidder. This is where the foundations are laid by criminals to create the next generation of cyberattacks. Targets are named, malware is bought and sold, and weak spots to attack are identified.
Shining a light on the dark web
To combat cybercriminals operating on the dark web, it is important to understand how it works. The dark web cannot be accessed by conventional browsers and does not show up in typical search engine searches. The dark web requires specialist software to gain access to, and provides a high level of anonymity to users. Combined with the anonymity of cryptocurrency, cybercriminals use the dark web to buy and sell sensitive information, exploits, and cybercriminal tools in the belief they can act with impunity.
However, it is possible for security teams to monitor activity across the dark web’s ecosystem of forums, marketplaces, and websites. This turns it from a shadowy world of unknowns into a source of intelligence for early warning of imminent cyberattacks and, ultimately, can help organisations to prevent their network being breached.
So, how are cybercriminals on the dark web targeting the financial sector? And how can knowledge of this activity be used to an organisation’s advantage?
The rise of the Initial Access Broker
The majority of dark web activity against financial institutions involves posts from what are called ‘Initial Access Brokers’. These are people who use hacking forums like Exploit, XSS, and BreachForums to sell access to company infrastructure via exploits like remote network access or SQL injections. Other criminals, like ransomware groups, then use this access as the starting point for their attacks. Below is an example of an Initial Access Broker post, and the type of information cybercriminals provide:
Monitoring for this activity can provide invaluable pre-attack intelligence and alert organisations to when cybercriminals are targeting them. If they match the profile of the Initial Access Broker advert, they can launch an investigation to see if their internal technology – which the cybercriminal lists – is compromised.
Recruiting employees
Dark web messaging forums are also where cyber criminals look to recruit people from within an organisation to commit malicious activity. Often, when posting, they will relinquish information about the target organisation and type of data or access they are looking for.
This information can be used to identify insider threat activity within your own organisation and keeping track of all aliases associated with a specific poster can also help determine their capabilities and any potential risk.
Infrastructure reconnaissance
Infrastructure reconnaissance is when attackers gather information on a potential victim organisation – for instance, on the network topology, operating systems and applications, and user accounts. It is their way of trying to pinpoint a potential weak spot and way in.
The discussion of this reconnaissance is another dark web activity that, if spotted at an early stage, can help security teams stop a breach before it happens. Organisations can take the data shared by cybercriminals in the planning stage, and use it to their advantage: for example, to patch systems that have been called out as vulnerabilities.
Supply chains
It is all well and good having a robust cyber security policy in-house. But if your suppliers and partners have not invested the same time and money – and are identified on the dark web because of these vulnerabilities – it leaves you open to attack. 62% of system intrusions in 2022 involved the supply chain. And, recent research shows that only 28% of CISOs in the finance industry currently collecting dark web data are using it to monitor for their suppliers being targeted on the dark web.
This lack of visibility can leave organisation exposed, especially given the complex supply chain ecosystem within the financial sector. Monitoring when details of key suppliers appear on the dark web can identity when a supplier (and, as a result, you) are under threat. This allows to inform the supplier to take action and, ultimately, close off a potential avenue for attack in your supply chain.
Leveraging dark web intelligence
Given the type of activity taking place there, incorporating dark web threat intelligence into threat modelling allows businesses to be better protected and crack down on cyber threats when they’re still in their preliminary stages. Greater insights into dark web activity can quantify potential threats and determine where to allocate time, money, and attention.
Threat models leveraging dark web insights can help financial sector organisations:
- Identify assets that could be targeted.
- Analyse weaknesses and countermeasures against threat actors.
- Understand trigger events that may lead to an attack.
- Create a comprehensive view of their threat landscape.
Turning the unknown into the known
The dark web has become the go-to place for cyber criminals and malicious insiders to lay the groundwork for cyber attacks against organisations in the financial industry.
But it can be turned from a challenge into an opportunity. Organisations can harness its power to stay one step ahead. Monitoring dark web forums, marketplaces and sites can shine a light on Initial Access Brokers, cybercriminals targeting employees, and infrastructure reconnaissance to help organisations take a proactive approach to securing their assets and data.
The financial sector has long pursued top-class cyber security measures but to ensure defences are capable of withstanding the evolving threat landscape, organisations must remain vigilant and innovate.