Financial security systems need to be among the most robust in the world. Since most cyberattacks are financially motivated, the industry presents a tantalizing and obvious target for both advanced nation-state attackers and low-level crooks.
What Is Red Teaming for Financial Institutions?
Red teaming goes a step beyond pen testing alone, subjecting the financial firm to a simulated real-world attack and long-term embedded threat actor. This challenges blue teams (defenders) and puts the organization under the kind of pressure it could only face against an actual adversary. The point is to comprehensively ferret out weaknesses across the organization, not simply identify vulnerabilities.
Attack vectors can include everything seen below and more.
The better the red team’s tools, the more varied and sophisticated (or “realistic”) the attack will be. Consequently, the best toolkits can produce the best level of preparedness for financial enterprises. Fortra’s Cobalt Strike has long been the industry standard tool for offensive security and red team engagements, valued for its flexibility and extensibility. And with Fortra’s Outflank Security Tooling (OST), red teams can further enhance engagements, leveraging a broad set of evasive tools for every step of the attacker kill chain.
Why Invest in Offensive Security Tools for Finance Now?
Rapid shifts from brick-and-mortar to entirely digital businesses have moved the needle forward to a digital point of no return. Today’s financial institutions are coping with the consequences, and that means a widely expanded attack surface, an abundance of cloud-hosted data and integrated cloud technologies, and complex internal architecture that’s difficult to secure.
Additionally, financial technology (FinTech) today leverages more cutting-edge technology than ever before, and for good reason. Digital convenience has become paramount in this and nearly every industry, and financial institutions large and small want to be able to offer their customers the ease and convenience of online banking, automated transfers, and integrated finance applications. However, in their complexity, these technologies have also left themselves increasingly open to exploitation.
The abundance of personally identifiable information (PII) and other sensitive information stored within financial institutions makes them perennial targets for crime, and the exponential improvement of AI capabilities heightens the threat even more.
All those factors combine to create a perfect storm of problems which financial security systems are left to face.
What Are the Cybersecurity Challenges Specific to Finance?
With financial institutions losing between $4.64 and $5.11 million per ransomware attack, not having the proper cybersecurity in place quickly becomes more costly than the alternative.
Additional Costs Include:
Reputational damage
Legal fees
Compliance fines (FINRA, PCI DSS, SOX)
Possible loss of licensure
PR costs
Customer reparations like free credit monitoring
Possible paid ransoms
And more, including the loss of high-level (and low-level) jobs in the aftermath of a costly and public financial breach. Dark Reading cites that 37% of organizations reported that cyberattacks resulted in dismissals.
With so much at stake, it is well worth the investment for financial institutions to maximize the potential of their financial security systems by using offensive security in addition to defensive measures. In the fallout of a breach, even cost-motivated decisions to cut security corners will be hard to justify.
Top Cybersecurity Threats in Finance
Attackers will try anything to infiltrate financial institutions — or their affiliates. Here are just a few of the most common attack vectors you’ll find exploited as cybercriminals seek to undermine the financial services sector.
Definition/Relevance:
Phishing is the act of sending malicious emails with the intent of deploying malware, stealing credentials, or otherwise illicitly obtaining sensitive information through social engineering techniques.
Impact/Statistics:
The financial services industry was the third most targeted for phishing attacks according to the most recent research by both Statista and the Anti-Phishing Working Group (APWG).
Specific Details:
Additionally, financial institutions find themselves impersonated in phishing scams more often than most; 62% of domains associated with (at least ‘supposed’) financial institutions were found to be linked to phishing attacks.
Ransomware is one of the heaviest-hitting attack vectors for the financial industry at large.
Impact/Statistics:
In 2024, 65% of financial institutions experienced a ransomware attack, up from 34% in 2021. The IBM 2024 Cost of a Data Breach report puts the cost of the average ransomware attack in 2024 at $5.37 million, and that’s not including ransom payments.
Specific Details:
Financial institutions are being hit by ransomware attacks in various formats as attackers expand their techniques. Ransomware threat actors are resorting to tactics such as double extortion (threatening to publish the data in addition to encrypting it), as well as threats to delete the data if the ransom is not paid. Triple extortion threatens the victims, employees, and customers themselves, and increasingly, threat actors are using compliance regulations to apply additional pressure.
Notes the ABA Banking Journal, “Criminals have been known to [notify] a regulator of the breach before the victim can report the incident themselves. This can force a victim’s hand on regulatory filings and public statements.”
Malware attacks obviously encompass more than just ransomware, although where the financial services industry is concerned (and most others), ransomware is the primary one. Other forms of malware can include:
Trojans
Viruses
Worms
Keyloggers
Botnets
Rootkits
Fileless malware
Cryptojacking
Spyware
Specific Details:
In particular, polymorphic malware has emerged in recent years as a serious concern. This type of malware not only obfuscates its code but can alter it as it winds through a network, evading signature-based detection tools that are still looking for its previous form. Shylock is a type of polymorphic financial malware with the ability to “almost completely avoid detection by antivirus scanners after installation.”
Injection attacks are another common adversary of financial institutions. Research shows that local file inclusion (LFI) attacks have become one of the main attack vectors in the financial services sector, recently growing by 53%.
Impact/Statistics:
A file injection attack occurs when web page inputs such as forms have not been properly sanitized (validated), allowing threat actors to manipulate the output with malicious scripts and gain unauthorized access to files within the company’s database. For instance, a simple “fill out your name” form on a financial advisor’s website could be co-opted to pull out a list of all previous clients and their financial information, if the right vulnerability existed. Often, it does.
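As an added example that is not part of the original article, the following Python script contrasts the concatenated query behind a hypothetical “fill out your name” client lookup form with its parameterized replacement, using constructed client rows in an in-memory SQLite database:

```python
import sqlite3

# Constructed sample data for illustration only; not any real institution's records.
CLIENTS = [
    ("Alice Example", "ACCT-0001", 120000.00),
    ("Bob Sample", "ACCT-0002", 54000.50),
    ("Carol Demo", "ACCT-0003", 980000.00),
]


def build_db():
    """Create an in-memory client table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, account TEXT, balance REAL)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", CLIENTS)
    return conn


def lookup_vulnerable(conn, name):
    """Weak pattern: the form value is spliced into the SQL text, so a quote
    character in the input becomes part of the query's structure."""
    sql = f"SELECT name, account, balance FROM clients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Corrected pattern: a parameterized query. The driver binds the value,
    so the input is only ever compared as data and cannot alter the query."""
    sql = "SELECT name, account, balance FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an honest name and with a constructed value that
    contains a quote and an always-true condition; return the row counts."""
    conn = build_db()
    honest = "Alice Example"
    hostile = "x' OR '1'='1"  # constructed test input, not a real submission
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),    # 1 row
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),  # every client row
        "safe_honest": len(lookup_hardened(conn, honest)),      # 1 row
        "safe_hostile": len(lookup_hardened(conn, hostile)),    # 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the entire client table for the hostile input, which is exactly the “list of all previous clients” outcome described above; the parameterized version returns nothing because no client is literally named that string.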
Specific Details:
Types of injection attacks include:
SQL Injection
Command Injection
Code Injection
LDAP injection
XML injection
And more. The financial services sector can prevent injection attacks by leaning into financial cybersecurity solutions that test for SQL injection (SQLi) attacks.
A distributed denial of service (DDoS) attack occurs when attackers flood an organization’s server with traffic in order to overwhelm its ability to respond, effectively shutting it down and taking it offline. In a financial institution, this looks like downtime, potentially on a global scale.
Impact/Statistics:
Last year, security researchers observed a sharp increase in DDoS attacks on the financial services industry, making it the most frequently targeted sector in 2023. Those same researchers found that FinServ-targeted DDoS attempts rose by 154% year over year, with the industry accounting for 35% of all DDoS attacks overall. Additionally, Cloudflare reported a 49% quarter-over-quarter increase in DDoS attacks on finance for Q3 of 2024, supporting the trend.
Financial services is widely believed to have one of the highest rates of insider threats of any industry. It may be no surprise, given that financial gain remains the highest motivating factor behind such attacks, and who is more familiar with the digital architecture that guards institutions’ finances than the employees who interact with it every day?
Impact/Statistics:
Industry research reveals that insider threats have increased by 47% since 2018, and a surprising 83% of organizations experienced at least one insider attack in the past year, according to Cybersecurity Insiders’ 2024 Insider Threat Report.
Specific Details:
The threat of insider attacks is real for the financial services sector, and it takes many forms, including:
Digital sabotage
Financial fraud
Embezzlement through elevated privileges
And of course, data theft leading to public and damaging data breaches.
Nation-state actors favor advanced persistent threats (APTs) when targeting the underpinnings of a society or economy. Inevitably, those underpinnings include the financial sector.
Impact/Statistics:
These “low and slow” attacks infiltrate a network unnoticed, usually via sophisticated malware or social engineering scams, and remain undetected for weeks, even months, as they silently siphon out data, create backdoors, and wreak more havoc. In some cases, the APTs are so complex that whole teams are required to maintain the access they have gained to the compromised network.
As FinTech grows, the financial sector widens its attack surface and becomes ever-more vulnerable to stealthy APT attacks. Advanced offensive security solutions and red teaming toolkits that mimic the methods of advanced persistent threat actors are one of the best ways financial firms can prepare.
Man-in-the-middle (MitM) attacks have accounted for up to 19% of successful breaches a year and are especially dangerous for digital financial communication.
Impact/Statistics:
These attacks, which consist of a threat actor secretly intercepting online communication between two parties, can be detrimental if the data is not encrypted. For years, financial institutions have leaned on platforms like SWIFT (Society for Worldwide Interbank Financial Telecommunications) to enable secure sending, but as the digital landscape has evolved, more of those security responsibilities are up to the sender (financial organizations).
Social engineering is one of the top risks to any industry today, finance included. Thanks to advancements in AI, these attacks can take the shape of perfectly crafted phishing messages in any language, or Business Email Compromise (BEC) scams that convincingly appear to come from your ‘boss’.
Impact/Statistics:
AI models can scrape social networking sites for personal information to make malicious emails even more convincing, and a good social engineering email can slip past traditional email defenses because it carries no malware signature; its bite is in getting victims to take the bait and click a (safe) URL redirect to an (unsafe) phishing link, or any number of other creative tactics.
Just under a third (27%) of phishing attacks worldwide targeted financial services in 2023, and BEC attacks against the financial sector increased by 21%. To top that off, a 2024 Agari Global Insights Report noted that US banks were the primary target of choice for wire scammers in the month of September.
The Solution: Cobalt Strike
Cobalt Strike provides the red team tools that empower your team to get out in front of the situation by engaging SOCs in simulated real-world attacks.
In a red teaming engagement, the gloves come off and financial organizations are exposed to the full force of real-world exploits like:
Polymorphic malware
Sophisticated social engineering
Above-and-beyond reconnaissance
AI-driven attacks
Obfuscated code
Robust red team engagements, which can use both Cobalt Strike and Outflank Security Tooling, can give more than fair warning of latent vulnerabilities and critical weaknesses before they’re exploited, allowing financial security systems to fill defensive security gaps and squash small cracks before they become massive security issues, potentially in the very near future.