Protecting SWIFT® Financial Networks with DeceptionGrid - White Paper

Jun 04, 2020

Page 1: Protecting SWIFT Financial Networks with DeceptionGrid … This white paper provides an overview of targeted attacks on the SWIFT network and the increasing risk for financial

WHITE PAPER : SWIFT Networks | 1

©2016 TrapX Security. All Rights Reserved.

Protecting SWIFT® Financial Networks with DeceptionGrid™

WHITE PAPER


Contents

Notice .......... 4
Disclaimer .......... 5
Executive Summary .......... 6
State of the Union - Escalating Attacks .......... 7
    January 2015 - Ecuador Banco del Austro .......... 8
    February 2016 - Bangladesh Central Bank .......... 8
    May 2016 - Philippines Bank .......... 8
    May 2016 - Tien Phong Bank, Vietnam .......... 8
    June 2016 - Ukrainian Bank .......... 9
SWIFT Financial Networks .......... 9
    SWIFT Message Formats .......... 9
    Figure 1 - SWIFT Financial Network Access Architecture .......... 9
    SWIFT Alliance Gateway (SAG) .......... 10
    SWIFT Alliance Access (SAA) .......... 10
    SWIFT Alliance Web Platform .......... 10
    SWIFT Security .......... 10
SWIFT - Recreating The Attack .......... 11
    Figure 2 - Typical Attack Vector Against SWIFT Assets .......... 11
A Deception Architecture to Protect your SWIFT Assets .......... 13
    Figure 3 - DeceptionGrid™ Surrounds SWIFT Assets in a Virtual Blanket of Protection .......... 13
    DeceptionGrid Deceives and Detects SWIFT Attackers .......... 14
    Full Automated Forensics .......... 14
    Integrated Event Management and Threat Intelligence .......... 14
    Deploy In The Cloud or On-Premise .......... 14
    Deception Technology Brings High Accuracy .......... 15
    Broad Protection For All Critical Financial Applications .......... 15
Deception Brings Strong Benefits to SWIFT Users .......... 16
    Table 1 - Financial Institution Challenges and SWIFT Deception Architecture Benefits .......... 17
Deception Technology - Industry Analyst Support .......... 18
    Deception - Expanding Market to Meet Escalating Cyber Threats .......... 18
Conclusions and Recommendations .......... 19


Notice

TrapX Security reports, white papers, and legal updates are made available for educational purposes only. It is our intent to provide general information only. Although the information in our reports, white papers, and updates is intended to be current and accurate, the information presented herein may not reflect the most current developments or research.

Please note that these materials may be changed, improved, or updated without notice. TrapX Security is not responsible for any errors or omissions in the content of this report or for damages arising from the use of this report under any circumstances.


Disclaimer

The identification of the SWIFT® network and its products mentioned within the report is a testimony to its popularity and good reputation within the financial community.

The weaknesses that have allowed attackers to abuse SWIFT lie in the financial networks that host the SWIFT application components, not in the SWIFT software or systems themselves. Nothing in this report indicates a vulnerability in SWIFT's own software or infrastructure.

We have worked in strict confidence with financial institutions to better understand the SWIFT attack vector and build our strategy for meeting and defeating attacks. Minimal information is released solely to illustrate the attack vector along with the new technology and recommended best practices to mitigate this attack successfully.

Advanced-threat-detection techniques such as deception technology are relatively new to financial institutions, and the emulations needed to protect specialized systems such as the SWIFT financial network have only recently become available for commercial deployment to bolster the security of these systems.

TrapX Labs personnel involved with the cyber security initiatives described herein have specific hands-on experience using SWIFT network applications and infrastructure.


Executive Summary

In the past year, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network has come under focused and persistent cyber-attacks, resulting in the theft of more than $100 million from banks worldwide. The banks that were identified are located in Ecuador, Ukraine, the Philippines, Vietnam, and Bangladesh. It appears that dozens of additional financial institutions in Ukraine and Russia may also have been impacted, with potential losses in the hundreds of millions of dollars. This information was attributed to the ISACA1 branch in Ukraine that was investigating the breach.2

These examples are just the beginning. Attacks on financial networks will continue to escalate, and SWIFT will remain a high-value target for cyber attackers.3 This latest round of attacks against SWIFT highlights the need for better security within financial institutions’ SWIFT infrastructures.

SWIFT has now begun conducting security audits and reporting the results to regulators and SWIFT members. Member financial institutions that do not pass the audit risk disruption to their access to the SWIFT financial network. Hence, this is now a business risk to ongoing operations as well as a security risk.

This white paper provides an overview of targeted attacks on the SWIFT network and the increasing risk for financial institutions. We will share data on the evolution of the attackers and the sophisticated attacks they use to compromise financial networks and SWIFT. We will introduce new, innovative solutions that use deception technology to detect cyber thieves' activities and shut down their attacks decisively so that banking institutions can resume normal operations. Finally, we will share our recommendations for financial institutions to prevent SWIFT attacks and better protect other critical financial infrastructure systems.

1 http://www.isaca.org/about-isaca/Pages/default.aspx

2 http://thehackernews.com/2016/06/ukrainian-bank-swift-hack.html

3 http://www.computerweekly.com/news/4500272926/Financial-institutions-on-high-alert-for-major-cyber-attack


State of the Union - Escalating Attacks

Visibility into the escalating attacks on the SWIFT financial network has grown over the past twelve months. The cyber attackers demonstrate broad knowledge of bank operations and are combining it with sophisticated attacker tools and techniques to penetrate target bank networks. The attackers have been able to operate unnoticed for months prior to detection, often after the damage is already done. Attackers may include malicious insiders and/or well-funded organized crime networks.

Sophisticated attacks on financial networks are happening worldwide, and the distances across the Internet work to the attackers' advantage. They can attack banks on the other side of the globe, knowing that intervention by local authorities is unlikely. It is a perfect storm of opportunity for the attackers and a significant challenge for financial institutions.


January 2015 - Ecuador Banco del Austro

Banco del Austro of Ecuador lost $9 million in an attack that was documented in a lawsuit filed in 2016. The anatomy of this attack is similar to the February 2016 attempt to steal $951 million from the central bank of Bangladesh: in both cases the attackers penetrated the bank's network and obtained the bank's credentials for the SWIFT financial network.4 According to the lawsuit filings, the bank recovered approximately $2.8 million. The bank documented activity in Hong Kong as part of its efforts to recover additional funds. Other portions of the stolen funds were transferred to bank accounts in Los Angeles and Dubai.

February 2016 - Bangladesh Central Bank

In early 2016, $951 million5 in fraudulent transactions from Bangladesh Bank, the central bank of Bangladesh, were issued over the SWIFT network. The Federal Reserve Bank of New York processed five transactions, worth approximately $101 million, of which the bulk, about $81 million, was transferred to the Philippines, where most of it disappeared; $20 million was traced to Sri Lanka and subsequently recovered. Fortunately, the Federal Reserve Bank halted the other transactions and prevented the fraudulent transfer of nearly $1 billion.

May 2016 - Philippines Bank

In May 2016, Symantec announced that it had discovered malware in a Philippines bank, the same malware that had been used in other attacks in Asia.6 Symantec noted evidence that the bank network had been compromised; however, it was unclear whether any funds were successfully appropriated by the cyber attackers.7

May 2016 - Tien Phong Bank, Vietnam

Tien Phong Bank in Vietnam announced that it had interrupted the attempted cyber theft of approximately $1 million. The bank8 said that it had discovered and halted transactions that used fraudulent SWIFT financial network messages. The fraudulent requests were discovered in Q4 of 2015 by bank personnel and denied per the bank's operational procedures.

4 http://www.wsj.com/articles/lawsuit-claims-another-global-banking-hack-1463695820

5 https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

6 http://www.reuters.com/article/cyber-heist-swift-symantec-idUSL2N18N1U9

7 http://money.cnn.com/2016/05/26/technology/swift-bank-hack-philippines-lazarus/

8 http://www.cnbc.com/2016/05/15/vietnams-tien-phong-bank-says-it-was-second-bank-hit-by-swift-cyber-attack.html


June 2016 - Ukrainian Bank

Cyber attackers appear to have withdrawn approximately $10 million from a bank in Ukraine. The Kyiv office of ISACA, the Information Systems Audit and Control Association, noted that the fraud was perpetrated using the SWIFT network. Members of ISACA Kyiv were hired to audit, investigate, and document the attack. The investigators noted that dozens of banks in Ukraine and Russia appear to have been similarly compromised, with estimated losses exceeding hundreds of millions of dollars.9

SWIFT Financial Networks

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides its customers with a secure global network for exchanging financial-transaction information among member organizations, along with a variety of software and support services. Messages carried over SWIFT instruct transfers worth many billions of dollars annually, making it one of the largest, most visible targets in the financial world.

SWIFT Message Formats

Using the SWIFT network, the organization's 10,000-plus members share millions of messages daily. SWIFT-supported message formats are well documented, including SWIFT MT, ISO 15022 MT, and ISO 20022 (which is replacing ISO 15022). SWIFT MT messages follow a standard format of five blocks: three headers (basic, application, and user), a text block carrying the message content, and a trailer. The message formats and application program interfaces (APIs) used by SWIFT integrators are well documented and publicly accessible.
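To make the five-block structure concrete, here is an added example (written for this edit; it is not TrapX or SWIFT code) that parses a constructed MT103 single customer credit transfer into its blocks and fields. The BICs, reference, account numbers and amount are invented; the block layout, the ':tag:value' field syntax of block 4 and the date/currency/amount encoding of field 32A follow the public MT format. Note what the parser needs: no key and no secret, just the documented layout, which is exactly why an attacker who can read the middleware or MQ traffic between business applications and the SWIFT interface can read, and craft, these messages.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed MT103 (single customer credit transfer): BICs, reference, accounts and
# amount are invented; the block layout and field syntax are the public MT format.
SAMPLE_MT103 = (
    "{1:F01BANKBDDHAXXX0001000001}"   # block 1, basic header: sender LT address
    "{2:I103BANKUS33AXXXN}"           # block 2, application header: MT type, receiver
    "{3:{108:OPS2016020400017}}"      # block 3, user header
    "{4:\r\n"                         # block 4, text: one ':tag:value' per field
    ":20:TT16020400017\r\n:23B:CRED\r\n:32A:160204USD81000000,\r\n"
    ":50K:/0013100001\r\nCENTRAL BANK TREASURY\r\n"
    ":59:/5010068505\r\nBENEFICIARY CORP\r\nMANILA PH\r\n:71A:SHA\r\n-}"
    "{5:{CHK:0A1B2C3D4E5F}}"          # block 5, trailer
)


def split_blocks(raw):
    """Top-level {n:...} blocks as {n: content}. Braces nest inside blocks 3 and 5,
    so cut on brace depth rather than with a regex."""
    blocks, i = {}, 0
    while i < len(raw):
        if raw[i] != "{":
            raise ValueError(f"expected '{{' at offset {i}")
        depth, j = 0, i
        for j in range(i, len(raw)):
            depth += {"{": 1, "}": -1}.get(raw[j], 0)
            if depth == 0:
                break
        if depth:
            raise ValueError("unbalanced braces")
        ident, _, content = raw[i + 1:j].partition(":")
        blocks[ident] = content
        i = j + 1
    return blocks


def lt_to_bic(lt):
    """A 12-char logical terminal address is BIC8 + terminal code + branch; drop the terminal code."""
    return lt[:8] + lt[9:12]


def parse_text_block(b4):
    """[(tag, value), ...] in order; lines without a leading ':' continue the previous field."""
    text = b4.strip("\r\n")
    if text.endswith("-"):                      # end-of-text marker
        text = text[:-1].rstrip("\r\n")
    fields = []
    for line in re.split(r"\r?\n", text):
        if line.startswith(":"):
            tag, _, value = line[1:].partition(":")
            fields.append([tag, value])
        elif fields:
            fields[-1][1] += "\n" + line
        else:
            raise ValueError("text block must start with a field tag")
    return [tuple(f) for f in fields]


def parse_32a(value):
    """32A = YYMMDD value date + ISO currency + amount with a comma as decimal separator."""
    m = re.fullmatch(r"(\d{6})([A-Z]{3})(\d+,\d*)", value)
    if not m:
        raise ValueError(f"malformed 32A: {value!r}")
    return (datetime.strptime(m.group(1), "%y%m%d").date(), m.group(2),
            Decimal(m.group(3).replace(",", ".")))


def parse_mt(raw):
    """Headers, fields and trailers of an input (application-to-SWIFT) FIN message."""
    b = split_blocks(raw)
    b1, b2 = b["1"], b["2"]
    if len(b1) != 25 or b2[0] != "I" or len(b2) < 17:
        raise ValueError("unsupported header layout (only input messages handled here)")
    return {
        "message_type": b2[1:4],
        "sender_bic": lt_to_bic(b1[3:15]),        # after the 'F01' application/service ids
        "receiver_bic": lt_to_bic(b2[4:16]),
        "priority": b2[16],
        "user_header": split_blocks(b["3"]) if "3" in b else {},
        "fields": parse_text_block(b["4"]),
        "trailers": split_blocks(b["5"]) if "5" in b else {},
    }


def field(msg, tag):
    """First value of a tag; fields stay a list because some message types repeat tags."""
    return next(v for t, v in msg["fields"] if t == tag)


if __name__ == "__main__":
    msg = parse_mt(SAMPLE_MT103)
    value_date, currency, amount = parse_32a(field(msg, "32A"))
    print(f"MT{msg['message_type']} {msg['sender_bic']} -> {msg['receiver_bic']}: "
          f"{currency} {amount} value {value_date}; beneficiary {field(msg, '59')!r}")
```

The parser handles only the input form of block 2 (the form an application hands to the interface); messages delivered by SWIFT carry an output header with timestamps and a MIR instead, and a production parser also needs the per-type field rules that the standard publishes. The CHK trailer is a checksum computed by the interface software, not a signature, so it tells a receiver nothing about who composed the text block.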

9 https://www.kyivpost.com/article/content/ukraine-politics/hackers-steal-10-million-from-a-ukrainian-bank-through-swift-loophole-417202.html

Figure 1 - SWIFT Financial Network Access Architecture


SWIFT Alliance Gateway (SAG)

The SWIFT Alliance Gateway (SAG) receives messages from other applications and transmits them through the SWIFT network. These messages flow through host adapters. The WebSphere MQ host adapter lets business applications send messages over the SWIFT network; it acts as a message concentrator, presenting a single interface to the SWIFT network while passing and managing messages from multiple sources.

SWIFT Alliance Access (SAA)

SWIFT Alliance Access (SAA) is the messaging interface software that creates and processes FIN messages and also supports routing and monitoring for both FIN and MX messages. Its main interfaces include automated file transfer (FTA)10 and MQSA, a WebSphere MQ interface.

SWIFT Alliance Web Platform

The SWIFT Alliance Web Platform is a thin, browser-based client that provides access to the SWIFT system. The SWIFT Alliance Web Platform SE gives users browser-based access to Alliance Gateway, Alliance Access, Alliance Entry, and the Alliance Integration Platform (IPLA).

SWIFT Security

The messaging infrastructure appears secure and has received substantial attention from SWIFT engineering teams. Encrypted data flows are used when practical, along with two-factor authentication. Use of two-factor authentication will continue to expand, and we expect this to happen rapidly. SWIFT will also provide audit frameworks, standards, and related certification, and will create a baseline against which bank compliance levels can be compared. The SWIFT network will also likely implement increased control over payment patterns. Finally, SWIFT is evaluating new tools to enable faster recall of fraudulent payment messages so that fraudulent transactions can be halted quickly and easily.11

There is a common theme regarding security that this white paper will highlight repeatedly. If an attacker can penetrate a financial network, establish a "backdoor," and observe and map network assets undetected for long periods of time, they will learn operating procedures and, ultimately, compromise the targeted systems. Over time, attackers will be able to access and capture authentication traffic and, ultimately, escalate their permissions, often to the administrator level.

There are interface points where the SWIFT system interfaces with other application systems, often implemented by third parties or in-house application developers. Depending on how the interface points are implemented and secured, they may provide opportunities for attackers to penetrate networks and intercept and/or modify messages. This does not indicate weaknesses in the SWIFT infrastructure; rather, it speaks to overall network cyber security issues within the member financial institution.

10 Note these file transfers are not file transfer protocol (FTP).

11 http://www.theregister.co.uk/2016/05/28/swift_finally_pushes_twofactor_auth/


SWIFT Security Audits

SWIFT has introduced mandatory security requirements. Beginning in January 2018, SWIFT will begin to determine its customers' compliance and confirm it through assurance procedures that may require an audit. Member financial institutions that do not pass the audit risk disruptions to their access to the SWIFT network. Therefore, potential SWIFT network vulnerabilities are now a business risk to ongoing operations as well as a security risk.

SWIFT - Recreating The Attack

SWIFT network attacks follow a common theme. First, cyber attackers use advanced techniques to penetrate a financial institution's local networks. Then the attackers establish command and control and route communications through a "backdoor" to their hidden locations. Once inside the financial institution's networks, the attackers move laterally to identify key financial applications such as the SWIFT messaging network applications.

Once they have identified the SWIFT applications, attackers analyze the communication flow and gather authentications. They look for the SWIFT Alliance Gateway (SAG), SWIFT Alliance Access (SAA), and SWIFT Alliance Web Platform, searching for assets with the requisite SWIFT attributes, including ports, Internet protocol addresses, certificates, Web pages, and files.

Once reconnaissance is complete, the attack plan is created, using information gained about the financial institution's process flow, authentications, server distribution, and location of SWIFT application components.

Figure 2 - Typical Attack Vector Against SWIFT Assets


At this point, the attackers can initiate fraudulent messages or modify existing messages to authorize cash transfers to accounts that they control. Once the money is in these accounts, it is transferred almost immediately, essentially disappearing. Ultimately, the deposits are converted to cash and withdrawn or converted to bitcoin, at which point the evidence trail usually ends. These transactions are typically executed at night and around holidays, to minimize the potential for scrutiny.

At a deeper level, there are several areas to exploit in the SWIFT transaction flow. The middleware links between the business applications and the SAA may provide opportunities for access to passwords, message injection, or other tampering. Such compromises have more to do with the fact that the cyber attacker has penetrated the network and is in a position to observe and access just about everything with escalated permissions, and less to do with any specific weakness in the SWIFT network. Once a determined and sophisticated attacker has penetrated the host financial network undetected, it is only a matter of time before they can compromise nearly any system within that network.
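The pattern the two paragraphs above describe (instructions released at night or around holidays, to accounts the institution has never paid before, in amounts and bursts that do not match its normal flow) is something the institution's own payment pipeline can screen for before an instruction reaches the SWIFT interface. The example below is added here and is not TrapX or SWIFT code. The Payment records, the baseline of known beneficiaries and every threshold are constructed for the example, and sent_at and amount are assumed to have been normalised to local time and one reporting currency by whatever feeds the screen.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from decimal import Decimal

# Screening policy. Every value here is an assumption made for the example.
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # window in which payments are normally released
WEEKEND_DAYS = {4, 5}                       # Friday and Saturday (assumed local weekend)
HOLIDAYS = {date(2016, 2, 8)}               # constructed local holiday
LARGE_AMOUNT = Decimal("10000000")          # per-message threshold in the reporting currency
BURST_WINDOW = timedelta(hours=2)           # this many messages inside this window is a burst
BURST_COUNT = 3


@dataclass(frozen=True)
class Payment:
    ref: str            # field 20 transaction reference
    sent_at: datetime   # local time at which the instruction was released
    amount: Decimal     # assumed already converted to the reporting currency upstream
    beneficiary: str    # "account@BIC" as taken from field 59


# Constructed history and sample batch: two ordinary daytime payments to regular
# counterparties, then a night-time run to accounts never paid before.
KNOWN_BENEFICIARIES = {"/0012345678@BANKGB2LXXX", "/0087654321@BANKDEFFXXX"}
SAMPLE_PAYMENTS = [
    Payment("TT001", datetime(2016, 2, 3, 10, 15), Decimal("2500000"), "/0012345678@BANKGB2LXXX"),
    Payment("TT002", datetime(2016, 2, 3, 15, 40), Decimal("900000"), "/0087654321@BANKDEFFXXX"),
    Payment("TT003", datetime(2016, 2, 4, 23, 55), Decimal("81000000"), "/5010068505@BANKPHMMXXX"),
    Payment("TT004", datetime(2016, 2, 5, 0, 20), Decimal("20000000"), "/7788991100@BANKLKLXXXX"),
    Payment("TT006", datetime(2016, 2, 5, 0, 45), Decimal("30000000"), "/3344556677@BANKAEADXXX"),
    Payment("TT005", datetime(2016, 2, 5, 9, 30), Decimal("400000"), "/0012345678@BANKGB2LXXX"),
]


def screen(payments, known_beneficiaries):
    """Return {ref: [reasons]} for every payment that trips at least one rule."""
    ordered = sorted(payments, key=lambda p: p.sent_at)
    findings = {}
    for p in ordered:
        reasons = []
        if not BUSINESS_HOURS[0] <= p.sent_at.time() < BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if p.sent_at.weekday() in WEEKEND_DAYS or p.sent_at.date() in HOLIDAYS:
            reasons.append("holiday/weekend")
        if p.beneficiary not in known_beneficiaries:
            reasons.append("beneficiary not in baseline")
        if p.amount >= LARGE_AMOUNT:
            reasons.append("amount above threshold")
        in_window = [q for q in ordered if p.sent_at - BURST_WINDOW <= q.sent_at <= p.sent_at]
        if len(in_window) >= BURST_COUNT:
            reasons.append(f"burst: {len(in_window)} messages within {BURST_WINDOW}")
        if reasons:
            findings[p.ref] = reasons
    return findings


def holds(findings, minimum=2):
    """Refs to hold for manual release: two or more independent signals on one message."""
    return {ref for ref, reasons in findings.items() if len(reasons) >= minimum}


if __name__ == "__main__":
    found = screen(SAMPLE_PAYMENTS, KNOWN_BENEFICIARIES)
    for ref, reasons in found.items():
        print(f"{ref}: {'; '.join(reasons)}")
    print("hold for review:", sorted(holds(found)))
```

A screen like this is a compensating control, not a substitute for finding the intruder: an attacker who already holds administrator rights on the payment hosts can switch it off, which is the paper's own point about application security becoming irrelevant once the network is owned. Run it on hosts outside the SWIFT operators' administrative domain, and alert on its silence as well as on its findings.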

SWIFT is similar in many ways to ATM networks and the financial applications that support them, or any other major financial application. The application itself may be secure, but if an attacker has penetrated the network and can observe traffic and capture authentication data, application securi-ty is irrelevant. Once an attacker is within the network and can observe network traffic undetected, all applications on that network become vulnerable.

Next, we will describe the new deception-technology-based cyber defense architecture, which can anticipate and detect cyber attacks and help security operations center (SOC) teams defeat them decisively.


A Deception Architecture to Protect your SWIFT Assets

DeceptionGrid™ automates deployment of a network of camouflaged Traps (decoys) and Tokens (lures). Traps consist of emulated systems, camouflaged to look like a variety of actual SWIFT information technology assets, including SWIFT Alliance SAG, SWIFT Alliance SAA, and SWIFT Alliance Web Platforms, for both Linux and Windows. The Traps are deployed throughout a customer's network, surrounding actual SWIFT assets, thereby confusing would-be attackers.

When attackers successfully compromise real endpoints, they are presented with deception Tokens, such as fake Remote Desktop Protocol (RDP) administration sessions, browser history and bookmarks pointing to the Alliance Web Platform, SWIFT messages, and SWIFT credentials, all of which lead attackers to Traps that appear real while diverting them away from the actual assets.

By surrounding real SWIFT assets with a blanket of deception, attackers will find attractive SWIFT assets and authentications that look relatively undefended anywhere they go. Providing both Traps and Tokens ensures comprehensive protection for your SWIFT network assets.

Figure 3 - DeceptionGrid™ Surrounds SWIFT Assets in a Virtual Blanket of Protection


DeceptionGrid Deceives and Detects SWIFT Attackers

Any communication with a Trap, from a simple ping to full interaction, sets off a high-confidence ALERT. Real-time automation isolates the source of the attacker and captures their software tools and techniques. This comprehensive intelligence is sent directly to your security-operations center (SOC) for immediate remediation. Human attacker activity is analyzed and presented in a graphical kill-chain, allowing unique insights into cyber adversaries' techniques, tactics, and procedures (TTPs). Artifacts from infected endpoints are collected automatically and analyzed, providing a clear path to remediating the threat.

Our multi-layered approach to deception is designed to expose, divert, and confuse SWIFT cyber adversaries at various phases of the attack. This powerful combination reduces time to breach detection, authoritatively identifies SWIFT attackers within networks, and enables SOC teams to defend the enterprise aggressively.
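What "any communication with a Trap sets off an alert" looks like in code, as an added example that is not DeceptionGrid code: a minimal decoy that answers like a login prompt, records every visitor, classifies the visit as a bare scan or an interaction, and, when the visitor presents one of the fake credentials planted on real endpoints, names the endpoint the token was taken from. The banner text, the planted tokens and the endpoint names are constructed for the example; the product's emulations are far fuller than this, and a real deployment would ship the alert to the SOC rather than keep it in a list.

```python
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional

# Deception tokens: fake credentials planted on real endpoints, mapped to the endpoint
# each was planted on. Constructed for this example; the values mean nothing anywhere.
PLANTED_TOKENS = {
    b"swiftops:Alli4nce#2016": "ws-treasury-07",
    b"sagadmin:Gatew4y!Ops": "ws-treasury-12",
}


@dataclass
class TrapAlert:
    src_ip: str
    src_port: int
    trap_port: int
    kind: str                  # "scan" (connect only) or "interaction" (sent data)
    payload: bytes             # whatever the visitor sent, kept as evidence
    planted_on: Optional[str]  # endpoint the presented token was planted on, if any
    confidence: str = "high"   # nobody legitimate talks to a decoy, so there is no scoring


def match_token(payload: bytes) -> Optional[str]:
    """If the visitor presented a planted credential, say where it was planted."""
    for token, host in PLANTED_TOKENS.items():
        if token in payload:
            return host
    return None


class DecoyService:
    """Low-interaction decoy: shows a login banner, records every visit, never logs anyone in."""

    def __init__(self, banner: bytes = b"Alliance Web Platform SE\r\nlogin: "):
        self.banner = banner
        self.alerts: List[TrapAlert] = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # port 0: let the OS choose a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def serve_one(self) -> TrapAlert:
        """Handle one visitor. Any connection is an alert; data sent makes it an interaction."""
        conn, (src_ip, src_port) = self.sock.accept()
        payload = b""
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)
                payload = conn.recv(4096)
            except (socket.timeout, OSError):
                pass                            # a scanner that drops the link is still a visit
        alert = TrapAlert(src_ip, src_port, self.port,
                          "interaction" if payload else "scan",
                          payload, match_token(payload))
        self.alerts.append(alert)
        return alert

    def close(self):
        self.sock.close()


def probe(trap: DecoyService, data: bytes = b"") -> TrapAlert:
    """Act as one visitor from this process: connect, optionally answer the prompt, hang up."""
    worker = threading.Thread(target=trap.serve_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", trap.port), timeout=2.0) as client:
        if data:
            client.recv(1024)                   # read the banner, as a real client would
            client.sendall(data)
    worker.join(5.0)
    return trap.alerts[-1]


if __name__ == "__main__":
    trap = DecoyService()
    for alert in (probe(trap), probe(trap, b"swiftops:Alli4nce#2016\r\n")):
        where = f", token planted on {alert.planted_on}" if alert.planted_on else ""
        print(f"{alert.kind} from {alert.src_ip}:{alert.src_port} -> decoy :{alert.trap_port}{where}")
    trap.close()
```

The value of the token match is the pivot it gives the SOC: the decoy cannot say which real host the attacker came from if they are using a hop, but a planted credential only exists on one endpoint, so its appearance at the decoy says where the attacker has already been. The one source of false positives the paper names, a misconfigured endpoint that legitimately touches the decoy, shows up here as repeated "scan" alerts from a fixed internal address and should be resolved by fixing that endpoint, not by tuning the trap.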

Full Automated Forensics

Real-time automation isolates malware used by attackers and can forward it to advanced malware-analysis systems. Malware analysis can be performed with your existing sandbox platform (through our existing ecosystem integrations), or TrapX can provide a cloud-based analysis option. The additional threat intelligence gained from this analysis is combined with the Trap activity, and a comprehensive assessment is delivered to your SOC team. An additional Network Intelligence Sensor (NIS) capability, included with DeceptionGrid, analyzes outgoing communications; combined with the intelligence gathered from Trap activity, this builds a complete picture of the compromised assets and the attacker's external activity.

Detailed forensic analysis of suspect endpoints is also performed by an Automated Incident Response (AIR) module that is part of the DeceptionGrid platform. Memory and other components of suspect endpoints are loaded and analyzed, the results are summarized, and all of this data is delivered to the SOC team in a comprehensive report.

Integrated Event Management and Threat Intelligence

Event-management and threat-intelligence information from the automated analysis is pulled into the management system, tagged with a unique ID, and then stored within the integrated event-management database. The business-intelligence engine combines this information with threat-intelligence data to prevent future attacks. The Network Intelligence Center monitors outbound activity on real hosts, based on information on malicious activity spotted within decoy systems.

Deploy In The Cloud or On-Premise

DeceptionGrid is designed to deploy rapidly to support the requirements of the largest enterprise. Our automation enables your IT team to complete deployment rapidly. No changes to your network topology are required to support this rapid deployment.


Deception Technology Brings High Accuracy

Traditional cyber-defense technologies, such as firewalls and endpoint security, generate numerous alerts. In a large enterprise, the alert volume can reach thousands, hundreds of thousands or, in some cases, even millions of alerts per day, thereby inundating security operations personnel. Unfortunately, it only takes one successful penetration to compromise an entire SWIFT network.

DeceptionGrid ALERTS are the end product of a binary process, not probabilistic. Probability is all but reduced to two values: 0% and 100%. Any party that seeks to identify, ping, enter, or view any of our SWIFT emulated Traps or utilize the endpoint Tokens is immediately identified as an attacker. Any activity on a SWIFT trap is by definition a violation, as our Traps are designed to be decoys. There is either a misconfigured endpoint or someone exploring the assets, which is typically the beginning phase of an attack. Therefore, Traps are a significant advantage over heuristics and probability-based approaches and their many thousands of extraneous alerts.

Broad Protection For All Critical Financial Applications

DeceptionGrid emulates other key financial network assets and can appear as financial workstations, servers, databases, Web servers, switches, routers, and VoIP equipment, along with specialized equipment such as automated teller machines (ATMs), point-of-sale (POS) devices, and more.

Your investment in deception technology can help you meet your security and compliance goals, for SWIFT and other important financial-application systems, and, more importantly, identify attackers before any damage can be done.


Deception Brings Strong Benefits to SWIFT Users

The value proposition for a SWIFT deception architecture is powerful. Challenges that financial firms face in defending their SWIFT networks, and the benefits that a deception architecture brings to these challenges, are as follows:

Table 1 - Financial Institution Challenges and SWIFT Deception Architecture Benefits (columns: Financial Institution Challenge | DeceptionGrid for SWIFT Benefits)

Challenge: TARGET AND STOP SWIFT ATTACKERS. Many cyber defenses do not address the unpredictable actions of a cyber attacker seeking to compromise your SWIFT network.

Benefit: Our Traps look exactly like instances of the SWIFT Alliance Gateway (SAG), SWIFT Alliance Access (SAA), and SWIFT Alliance Web Platform software components. We present the attackers with tempting Traps for the assets they seek and scatter them throughout your network. Attackers are eager to exploit these Traps and lures, enabling you to detect them quickly and then distract them so that your security operations team can end the attack.

Challenge: NEED A COMPREHENSIVE PLAN TO SPECIFICALLY ADDRESS SWIFT FINANCIAL NETWORK AUDITS. SWIFT has now begun conducting security audits and reporting the results to regulators and other SWIFT members. Member financial institutions that do not pass the audit risk being denied access to the SWIFT financial network. This is now a business risk to ongoing operations as well as a security risk.

Benefit: TrapX DeceptionGrid offers new capabilities to deceive, detect, and defeat attackers targeting your SWIFT financial network assets. Security teams gain valuable insights when SWIFT audits are active and can track many of the audit tests against resources.

Challenge: POOR VISIBILITY INTO INTERNAL VLANS. The current defense-in-depth strategy for financial networks does not provide sufficient visibility into the internal networks, including VLANs. Attackers penetrate the perimeter and then move within the VLANs.

Benefit: Deception technology provides exceptional situational awareness of activity within the internal networks and VLANs. Deception technology is designed to catch sophisticated attackers that have already penetrated the perimeter defenses, by attracting them to assets that appear valuable but are in fact Traps.

Challenge: LONG TIME TO BREACH DETECTION. Time to breach detection is too long. Attackers can gain access to financial networks, monitor SWIFT operations, gather credentials, and plan their attacks for many months with little-to-no risk of detection.

Benefit: Deception technology reduces the time to breach detection to days or even hours. This reduces the time the attacker has available to monitor operations in the network, thereby reducing or completely eliminating potential organizational losses. As soon as an attacker starts their reconnaissance or interrogates SWIFT systems, DeceptionGrid will alert your security team with detailed intelligence, including the source of the attack.

Page 17: Protecting SWIFT Financial Networks with DeceptionGrid€¦ · This white paper provides an overview of targeted attacks on the SWIFT network and the in-creasing risk for financial

WHITE PAPER : SWIFT Networks | 17

©2016 TrapX Security. All Rights Reserved.

Financial Institution Challenge DeceptionGrid for SWIFT Benefits

ALERTS FATIGUE. Existing heuristics, analytics, and behavior-intru-sion-detection systems rely on probability. Typically, the requirements for triggering an alert are too broad, resulting in thousands of “false alarms” and critical alerts being missed. Or, the requirements may be too restrictive, and a single attacker can get past the safeguards. It only takes one successful attack to compromise the SWIFT network.

Deception is binary: 0% or 100%. No one should be touching the Traps or Tokens . Hence, false positives are rare-to-nonexistent. This saves security operations teams time and eliminates potential losses due to missed alerts or, worse, failure to alert. They work in concert with your existing cyber-defense solutions to build a comprehensive set of defenses.

TOO MANY MANUAL PROCESSES. Sifting through thousands of alerts and follow-up manual processes burns up critical time for your security operations team. This costs time and money, and it distracts them from the high-probability alerts that they need to focus on.

Deception technology automates the analysis of captured attacker tools, performing the complete static and dynamic analysis of attacker binaries that are caught in the Traps. Moreover, suspect endpoints that have shown indications of compromise (IOCs) are also analyzed automatically by the AIR module in DeceptionGrid. This automation shortens the time to deliver valid, actionable data to security operations so they can move rapidly to contain the threat and return to normal operations.

DIFFICULT DEPLOYMENT. Many cyber defense tools, with less efficacy, require complex, time-consuming deployment. Also, many re-quire network topology changes across the enterprise.

Deception technology brings automation that gets installation done quickly. Moreover, deception archi-tectures fit into your existing network topology with no changes.

VULNERABLE IoT DEVICES. Attackers’ early toolsets seek hidden locations, such as Internet of things (IoT) devices, where they can open a “backdoor” from which to download additional attack-er tools and exploit the surrounding networks.

Deception architectures for SWIFT financial networks can detect and alert upon attacker movement to and from IoT devices or embedded processors. We can emulate any IoT device, furthering the deception and eliminating safe harbors from which they can compro-mise your SWIFT network.

NO INTEGRATED THREAT INTELLIGENCE. Many products do not contribute to integrating the overall threat intelligence being developed by the products within your enterprise. Data is disparate and disconnected. All of this slows down your security operations center. It takes time to connect key informa-tion assets, which delays discovery of attacker activity.

Deception technology is complementary to your existing cyber defense. Our actionable intelligence (NIS) integrates with other vendors, such as Cisco and Intel (McAfee), to best leverage the benefits of threat intelligence across the financial enterprise.

Table 1 - Financial Institution Challenges and SWIFT Deception Architecture Benefits


Deception Technology - Industry Analyst Support

A CSO Online12 article published in August 2016 quotes Gartner analyst Lawrence Pingree: “In a deception system, the alerts you get are very minimal, and any alert you get says that something is awry. It’s an almost zero false positive solution. That’s a huge win for security professionals.”

Pingree goes on to say that, “Those kind of algorithms tend to have a lot more false positives than other approaches. I’ve sat in front of a SIEM with 5,000 alerts an hour, and I’ve had to triage that. That’s an overwhelming data set.”

Gartner also predicts that, by 2018, 10 percent of enterprises will use “deception tools and tactics, and actively participate in deception operations against attackers.”13 Gartner notes that, “More forward-thinking organizations should leverage deception in-depth as a new strategy for comprehensive threat defense against the onslaught of advanced attackers and attack techniques. This is especially true of larger organizations under constant threat—for example, those in the financial services, healthcare, government, and software verticals.”

Deception - Expanding Market to Meet Escalating Cyber Threats

Gartner analyst Lawrence Pingree estimated that today’s deception vendors are seeing between $25 million and $50 million in annual revenues and that this amount is growing by the double digits. “It will be between $80 million and $100 million globally in the next year or two,” according to Pingree.

Other sources estimate a $1.33 billion to $1.7 billion market by 2020 to 2021. According to a report released in August by research firm Technavio,14 the deception technology market is growing at a compound annual rate of 9 percent and is predicted to reach $1.33 billion by 2020. The technology includes not only the traditional honeypots, but also a new class of multi-layered, distributed endpoint decoys, according to Technavio analyst Amrita Choudhury.

Another research firm, TechSci Research,15 predicts a market size of $1.7 billion by 2021, with a CAGR of over 10 percent.

12 http://www.csoonline.com/article/3113055/security/deception-technology-grows-and-evolves.html

13 http://www.gartner.com/smarterwithgartner/deception-wave/

14 http://www.technavio.com/pressrelease/rising-adoption-byod-policy-fuel-demand-deception-technology

15 https://www.techsciresearch.com/report/global-deception-technology-market-by-deception-stack-endpoint-application-data-network-by-end-user-bfsi-it-telecom-energy-power-retail-others-by-region-americas-europe-asia-pacific-middle-east-opportunities-and-forecast-2011-2021/656.html


Conclusions and Recommendations

It is important to understand that successful SWIFT cyber attacks are enabled by the same vulnerabilities that exist in all financial networks. These vulnerabilities create opportunities for a wide variety of attacks targeting ATM networks, point-of-sale systems, card processor networks, and more.

Conventional defenses are no longer enough to stop sophisticated, persistent cyber attackers. These attackers are well funded by organized crime networks, and they are very persistent. Relying too heavily on perimeter defenses to keep attackers out will ultimately fail, as will probability-based defenses. Recent history tells us conclusively that these technologies alone do not work well against sophisticated and persistent attackers.

Deception technology is a rapidly growing segment of cyber defense and is now being used to meet the SWIFT cyber threat. Deception is one of the few technologies that can identify a sophisticated and persistent cyber attacker hidden within your networks quickly and effectively. DeceptionGrid Traps and Tokens are designed to entice and lure attackers. Presented with Traps for the precise assets they seek, scattered throughout your network, attackers end up “running in circles,” eager to exploit the Traps and Tokens. DeceptionGrid introduces large numbers of Traps, and even a single probe (one ping) of a Trap’s IP address reveals the presence of an attacker immediately. Anticipating the actions of SWIFT attackers enables fast detection and effective distraction, enabling your security operations team to end the attacks. Moreover, DeceptionGrid is complementary to your existing cyber defense and supports rapid, low-cost deployment.
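The detection principle stated in Table 1 (the ALERTS FATIGUE and LONG TIME TO BREACH DETECTION rows) and restated in the paragraph above, that no legitimate user ever touches a Trap or Token so a single contact is an alert, can be shown with a small detection routine. The following is an added example written for this page, not TrapX's or DeceptionGrid's own code: it runs over constructed connection and authentication log records, treats any contact with a decoy host (Trap) or any use of a planted credential (Token) as an alert with no scoring threshold, and reports the source and the moment it was first seen. The decoy addresses and names, the planted account, and the key=value log format are assumptions made for the illustration.

```python
"""Decoy-touch detection over constructed log lines (added example, not TrapX code).

Any contact with a Trap (decoy host) or any use of a Token (planted credential)
is an alert: legitimate users never touch them, so no probability threshold is
needed. The decoy inventory and log format below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical decoy inventory; a real deployment would load this from the
# deception platform's asset list rather than hard-coding it.
TRAPS: Dict[str, str] = {
    "10.20.30.40": "decoy-sag-01",   # emulates a SWIFT Alliance Gateway host
    "10.20.30.41": "decoy-saa-01",   # emulates a SWIFT Alliance Access host
    "10.20.31.9": "decoy-iot-cam",   # emulates an IoT device
}
TOKENS: Dict[str, str] = {
    "svc_swift_backup": "token-cred-01",  # planted account, never used legitimately
}


@dataclass
class Alert:
    ts: str        # ISO-8601 UTC timestamp taken from the log record
    source: str    # address that touched the decoy
    decoy: str     # decoy name from TRAPS or TOKENS
    kind: str      # "trap_touch" or "token_use"
    detail: str    # protocol/port, or the account that was used


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a 'k=v k=v ...' record into a dict, ignoring tokens without '='."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one alert per decoy contact; traffic to real assets yields nothing."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_kv(line)
        ts, src = rec.get("ts", "?"), rec.get("src", "?")
        dst = rec.get("dst")
        if dst in TRAPS:
            # Even a bare ICMP echo (no port) against a Trap is a full alert.
            proto = rec.get("proto", "?")
            detail = f"{proto}/{rec['dport']}" if "dport" in rec else proto
            alerts.append(Alert(ts, src, TRAPS[dst], "trap_touch", detail))
        user = rec.get("user")
        if user in TOKENS:
            # A planted credential shows up in an auth log: its only possible
            # origin is someone who harvested it from the decoy.
            alerts.append(Alert(ts, src, TOKENS[user], "token_use", f"login as {user}"))
    return alerts


def first_seen(alerts: Iterable[Alert]) -> Dict[str, str]:
    """Earliest alert timestamp per source: the moment each intruder was detected."""
    seen: Dict[str, str] = {}
    for a in alerts:
        if a.source not in seen or a.ts < seen[a.source]:
            seen[a.source] = a.ts
    return seen


# Constructed sample records: 10.1.5.23 does normal traffic to the real gateway
# (10.20.30.1, assumed), while 10.1.7.88 pings a Trap, probes two Traps and then
# replays the planted credential against the real gateway.
SAMPLE_LOGS = [
    "ts=2016-08-01T09:58:12Z src=10.1.5.23 dst=10.20.30.1 dport=443 proto=tcp",
    "ts=2016-08-01T10:02:40Z src=10.1.7.88 dst=10.20.30.40 proto=icmp",
    "ts=2016-08-01T10:02:41Z src=10.1.7.88 dst=10.20.30.40 dport=22 proto=tcp",
    "ts=2016-08-01T10:03:05Z src=10.1.7.88 dst=10.20.30.41 dport=445 proto=tcp",
    "ts=2016-08-01T10:15:00Z src=10.1.7.88 dst=10.20.30.1 user=svc_swift_backup result=fail",
    "ts=2016-08-01T10:20:00Z src=10.1.5.23 dst=10.20.30.1 user=ops_alice result=ok",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} ALERT {a.kind} src={a.source} decoy={a.decoy} ({a.detail})")
    print("first seen:", first_seen(found))
```

On the constructed records the routine raises four alerts, all attributed to the one source that touched decoys, and none for the host doing ordinary work against the real gateway; the first alert is the lone ICMP echo, which is the "one ping" case the text describes. The design choice worth noting is that there is no score or threshold anywhere: the decoy inventory is the whole rule, which is why the alert volume stays low and why the inventory must never include anything legitimate users actually reach.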

TrapX Security has global experience with financial institutions across a broad spectrum of applications. We will be happy to design and implement a SWIFT emulated deception architecture for you, which we can also use to protect your other financial systems and infrastructure. If you are currently investigating potential compromise, you may be able to identify the attackers rapidly by installing deception technology.

Finally, as noted earlier, the SWIFT financial network has now begun conducting security audits and reporting the results to regulators and other SWIFT financial network members. Member financial institutions that do not pass the audit risk disruption to their access to the SWIFT financial network. Hence, a vulnerable SWIFT network is now a business risk to ongoing operations as well as a security risk. TrapX DeceptionGrid offers powerful capabilities to deceive, detect, and defeat attackers targeting your SWIFT financial network assets.

Let us know how we can support you. Contact us at [email protected].


About TrapX Security

TrapX has created a new generation of deception technology that provides real-time breach detection and prevention. Our field-proven solution deceives would-be attackers with turn-key decoys (traps) that “imitate” your true assets. Hundreds or thousands of traps can be deployed with little effort, creating a virtual mine field for cyberattacks, alerting you to any malicious activity with actionable intelligence immediately. Our solutions enable our customers to rapidly isolate, fingerprint and disable new zero-day attacks and APTs in real time. Uniquely, our automation, innovative protection for your core, and extreme accuracy enable us to provide complete and deep insight into malware and malicious activity unseen by other types of cyber defense. TrapX Security has many thousands of government and Global 2000 users around the world, servicing customers in defense, healthcare, finance, energy, consumer products and other key industries.

Contact Us

TrapX Security, Inc., 1875 S. Grant St. Suite 570, San Mateo, CA 94402, +1–855–249–4453

www.trapx.com
For sales: [email protected]
For partners: [email protected]
For support: [email protected]

Trademarks and Copyright

TrapX Security, DeceptionGrid and CryptoTrap are trademarks or registered trademarks of TrapX Security in the United States and other countries. SWIFT® and S.W.I.F.T.® are trademarks of S.W.I.F.T. SCRL, Avenue Adèle 1, 1310 La Hulpe, Belgium. Other trademarks used in this white paper are the property of their respective owners.