Cb Connect 2018 | Power of You | Register Now

Excerpts from Modern Bank Heists – Threat Hunting Teams & CIR

Rick McElroy
June 21, 2018 / Tom Kellermann , Rick McElroy

Carbon Black recently published a report on the newest threats facing the financial world, and how to counteract them. For more information about how Cb Defense, Carbon Black’s NGAV + EDR solution, helps enterprises address their endpoint security challenges, check out our weekly Cb Defense Live Demo, every Wednesday at 2PM EST, 11AM PST.

Modern Bank Heists

Cyberattacks & Lateral Movements in the Financial Sector

Threat Hunting Teams & Critical Incident Response

Only 37% of financial organizations have established threat hunting teams. Active threat hunting is an important step for organizations with mature security programs. It puts defenders “on the offensive” rather than simply reacting to the deluge of daily alerts.

Threat hunting aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn’t new, for many organizations the very idea of threat hunting is.

The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that an organization will be waiting an average of 220 days between the intrusion and the first time they hear about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling you.

With threat hunting, defenders are deployed to go out and “find the bad” versus waiting for technology to alert you. Successful threat hunting teams proactively chase down signs that intruders are present or were present in the recent past. They look for anomalies – things that don’t usually happen.

1 in 4 financial institution CISOs reported experiencing counter incident response. This figure is concerning. It means cybercriminals are increasingly reacting and adapting to defenders’ response efforts. Cybercriminals realize there are humans on the other end actively countering their techniques. They realize that teams are, in some cases, instrumented to detect and respond to their activities. They also realize that teams have specific IR playbooks for these types of scenarios.



Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks. These playbooks are generally based off simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker, but with counter incident response, attackers maintain the upper hand. This problem is compounded with secondary command and control (C2) present in several victims (1 in 10, according to our survey). We forecast this will become a more prevalent tactical shift in the coming months.

As SOC and IR teams begin to react, attackers are doing a number of things to counter the defenders.

  • Changing code to evade new technology
  • Targeting security analysts and engineers in separate but coordinated attacks
  • Deleting logs from endpoints to hide nefarious behavior
  • Executing DDoS attacks on applications and systems critical for defenders and/or the business

Cyber defense is evolving into a high-stakes game of digital chess where opponents are responding to every move made on the board. Teams should be prepared to throw out the IR playbook when necessary.

Nearly half (44%) of financial institution CISOs said they are concerned with the security posture of their Technology Service Providers (TSPs). These TSPs are regularly targeted by cybercriminals. As evidenced by the FDIC’s own inspector general: “The FDIC’s oversight process used for identifying, monitoring, and prioritizing TSPs for examination coverage needs improvement.” Island hopping via information supply chains is growing. Our recommendation is for threat hunt teams and defenders to closely assess TSP security posture.

Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs. Cyberspace is fluid and exposure may become systemic.



Listen to our security experts at Carbon Black and Network Security Engineer Christopher St. Amand at PeoplesBank during a recent webinar where we discussed the benefits of cloud-based security platforms and how they apply to your specific needs.

Watch Now

Thanks for joining us as we explored “Modern Bank Heists,” our report on the changing landscape of cybercrime in the financial sector and how to arm your institution against a breach. You can click here to get a copy of the full report. Join us next week as we continue to profile this report.

TAGS: Cb Defense / Excerpts / threat hunting / threat research