Info@NationalCyberSecurity

Inside the secret Accenture team trying to hack the banks


The police officer made a few checks and ended the call. Ford was off the hook. And his testing of banking staff continues across the sector.

Offensive security

Ford could lay claim to having one of the edgiest jobs in financial services. He leads a team of 11 “white hat” hackers at Accenture, also known in the cyber scene as “red teams”. Avoiding colour-related monikers, Ford prefers to describe his work as “offensive security”.

“When I’m asked what I do, I say I break things for a living,” he says. “Banks hire people like me to find the weaknesses before the bad guys do.”

Accenture has been accredited by the Council of Financial Regulators – the peak finance sector regulatory group comprising the Reserve Bank, the Australian Prudential Regulation Authority, the Australian Securities and Investments Commission and Treasury – to hack banks as part of CORIE. This stands for Cyber Operational Resilience Intelligence-led Exercises.

Jason Ford: “When I’m asked at a party what I do, I say I break things for a living.” Louie Douvis

The program, which operates in the shadows, was initiated in 2019 to improve the cyber resilience of the financial services sector. So far, 15 financial institutions have participated. This is the first time details of the CORIE project have been publicly disclosed.

At its core, the project simulates what a real-life cyberattack may entail, using the latest tricks by real criminal groups. The tests have been forcing banks, insurance companies and superannuation funds to think beyond creating shields around their IT systems – and to consider that staff members could be their weakest link in the global war against cyber crime.

Ford provided insight into how his secret team operates. It starts by gathering “threat intelligence” on the latest criminal tactics, garnered from various web forums used by nefarious actors.

The malware-infected thumb drive that emulated a keyboard, sent to the Australian bank (which he refuses to name, citing client confidentiality), was a technique previously deployed by FIN7. Wired magazine has described this group, which includes Russians and Ukrainians, as “one of the most sophisticated, and aggressive, financially motivated hacking organisations in the world”.

Between 2015 and 2018, FIN7 stole data for more than 16 million payment cards in the United States; many were sold on the dark web. To get inside some insurers, FIN7 has mailed packages containing malware-infected USB sticks, with the packages purporting to come from Amazon and from officials of the US Department of Health and Human Services.

This let FIN7 infiltrate systems to remotely send commands, receive data, and move laterally through networks, according to the Justice Department. It has surveilled employees and secretly stolen credentials and other network information.

Outside banking, infected USB drives were used to deliver the infamous Stuxnet worm, which penetrated a nuclear facility in Iran in 2010 by targeting contractors. The malware – built by the US and Israeli intelligence services (although both countries deny it was them) – infected the computers controlling the motors of centrifuges that separated nuclear material; the program spun them so fast that they were physically destroyed. It was the first known example of the use of an offensive cyber weapon.

Ford uses similar techniques to gain access to bank systems. Once inside, he conducts reconnaissance on the internal IT environment and seeks to exploit weaknesses. Service accounts can be created; administration access can be gained. He stops before wreaking havoc.

But the lessons from the early rounds of CORIE exercises point to cybersecurity not only being about the latest malware, or the trouble a computer geek can cause inside a network. Cybersecurity is also about psychology. Successful hackers target human foibles, often by trying to pump up the dopamine of unaware workers.

Targeting ego

“We are always looking at ways we can bring a human element in, to make people not think,” Ford says. “Defences can be like Swiss cheese: they might be firm on the outside, but inside, they are full of holes.”

Given bank cyber training, many staff members are sceptical of mysterious USB drives arriving in the mail. That makes a well-researched accompanying message, one that entices the recipient to actually plug in the device, important; the Workhuman letter was such an example.

Ford’s note to Justin was deliberately designed to appeal to his ego. Ford’s research suggested the banker was likely to be a high achiever, judging by the active, boosterish posts on his LinkedIn profile. The idea was that he would feel he deserved the gifts when he received them.

Ford’s team uses many additional techniques. One has involved sending emails purporting to come from the HR department, deliberately getting the recipient’s name wrong and attaching another staff member’s payslip. This is more likely to result in a click on the malware file because colleagues are typically keen to sneak a peek at someone else’s pay packet.

Executives’ families have also been targeted. One project (outside the banking sector) involved researching a C-suite executive’s family members through public social media feeds, which revealed that one of their teenage children liked a particular computer game. A package was sent containing an update for the game, which the executive brought home. This infiltrated the executive’s smart TV, and the red team then attempted to reach a work device when it connected to the same home Wi-Fi network used by the TV.

Hackers can also appeal to simple human desires to be helpful to a person in need. Ford has gained access to various companies and professional services firms by tailgating staff into buildings.

Once, he arrived wearing a high-vis vest and carrying a scanning device, with computer equipment on a trolley. A guard signed him in. Another time, he made a fake swipe card and a copy of the company’s lanyard after a trip to Officeworks. He appeared in the foyer dressed in work gear, holding banana bread and balancing a coffee, and pretended the card wasn’t working. A member of staff swiped him in.

When not trying to trick staff into inserting malicious thumb drives, he has tried to do it himself. Ford says he once appeared at a check-in desk announcing he was a new consultant working with an actual banker he knew was on leave. He was taken to a meeting room, and was left unattended for two minutes.

This would have been enough time to plug a Raspberry Pi box into the TV on the wall. But the port had been covered up by the IT department. The concierge soon returned and denied him further entry when the banker couldn’t be found. After Ford was escorted out, he said, the room was swept for bugs.

“The general level of maturity at the big banks is quite high,” Ford says. “But for smaller organisations, and in other verticals like superannuation, they are less well resourced.”

Australia’s CORIE exercises are on the radar of global cybersecurity law enforcers, who say they will protect institutions from rising threats, and help boards to get ready for inevitable attacks.

“These simulated exercises are crucial,” says Craig Jones, director of cybercrime at Interpol. “If you are a company with shareholders and customers, you are responsible for keeping the data safe. When a vulnerability is brought in front of the board, and demonstrated very clearly in a safe space, that is preferable to being presented with a data breach on a Friday night and being totally unprepared for it.”

Another member of Accenture’s CORIE team is Jacqui Kernot, who spent 25 years in Australian intelligence and four years as head of cyber at Telstra. “CORIE is a necessary evolution from regulatory frameworks to testing frameworks. We need to move from a compliance checkbox to a living process,” she says.

“The old ways of doing things are not workable going forward. We need to use threat-led intelligence models, and test from the outside to look for ways that the bad guys might find things.

“Banks can’t just look at compliance inside the network. They must look from outside, for warnings they aren’t as secure as they think. And the more we see other industries move towards CORIE, the better off we will be.”
