Hacking is typically a very roundabout endeavor. First, cybercriminals need to find a way to orchestrate a data breach, a process that tends to involve a lot of research and strategy. Next, they have to go through the motions to execute the attack. Once on the network, they need to find the data they're looking for as quickly as possible. If it's encrypted, they'll likely have to brute force it to get anything meaningful from it. After all of this hard work, they might be left with a list of credit cards, Social Security numbers and contact information. They typically then have to sell this information on the dark Web. Finally, they get paid.
Alternatively, they can just break into a bank's network, snoop around for the loot and quietly siphon a bunch of money into a foreign account somewhere. This is how legendary bank robber John Dillinger would do it if he were a hacker, and it's how an increasing number of cybercriminals are doing it in the 21st century.
A waiting game
Robbing a bank digitally is significantly safer for the bandit than armed robbery. As illustrated in several recent cyber heists, it's also far more effective.
Last month, an unknown hacking organization attempted to steal nearly $1 billion from Bangladesh Bank. According to the BBC, they fell well short of their target, managing to escape with about $80 million. This amount is nothing to thumb your nose at. In fact, it's one of the largest bank robberies in history.
More frightening is the fact that the thieves probably would have made off with the full amount if they hadn't misspelled the word "foundation" in one of their transfers. Once a routing bank noticed the typo, the jig was up.
This isn't the first time that hackers have robbed a bank, nor is it necessarily a complete mystery to officials how they might have pulled it off. In 2013, The New York Times wrote a piece about how a multi-national group of hackers had managed to steal a confirmed value of $300 million from banks all over the world, and a possible unconfirmed total of over $900 million.
It's believed that the hackers responsible were able to achieve this by first finding a way into the network, most likely through a phishing scam, and then using surveillance malware to track activity. This allowed them to figure out how they'd transfer the money they were after, and how they could do it inconspicuously.
In other words, the hackers basically lived in the network, unnoticed, for a prolonged period of time. As a result of their patience, many of them are probably millionaires. Or maybe, it has nothing to do with their patience, and everything to do with a severe lack of vigilance from the banks.
What can the financial sector learn from these hackers?
The lesson here appears to be that the best hackers are not launching missiles at firewalls, so to speak. They're silently infiltrating the network, and sneaking around – sometimes for months or even years – opening and closing the virtual file cabinets when they think no one is looking in search of the data, or money, they're after. This is how they rob banks, and it's also how they steal personally identifiable data. They simply stake out the network until the moment is right.
"Sometimes the only way to fight hackers is by beating them at their own game."
The problem is, with each new data breach, organizations tend to look at how the bad guys got in. Sometimes, it was through a code exploit or a flaw in their perimeter defense. But more often than not, the hackers used a combination of social engineering tactics such as phishing and other forms of trickery that prey upon insiders. A firewall can't address this problem, and it certainly can't do anything once the cybercriminals manage to get inside the network.
But a security operation center can. Sort of like video surveillance in a private compound, a SOC perpetually scouts the entire network for unusual or suspicious activity during all hours of the day and night. For instance, if there is activity in the middle of the night from an IP address traced to a foreign nation, and there are no business stakeholders in that country, it could be a sign of infiltration. With SOC-as-a-Service, a security engineer logs this activity for the organization, immediately notifies them of the incident and discusses response strategies.
Sometimes the only way to fight hackers is by beating them at their own game. If you want a defense that spies on the spies, a cyber-SOC is the solution for you.