How bank CISOs can respond to a digital hostage scenario

An image of CISO Hostages, Fintech, How bank CISOs can respond to a digital hostage scenario

Drawing from VMware’s annual Modern Bank Heist report, Tom Kellermann, Head of Cybersecurity Strategy at VMware, shares his best practices to defend against modern bank heists.

Trust has always been the cornerstone of the banking industry. Without customer confidence that their assets are secure, banks cannot function. A reputation for having the strongest vaults with the thickest walls and unpickable locks is fundamental. But, as the means of protecting financial assets has moved from the physical to the digital realm, the role of custodian of customer trust has shifted inexorably onto the shoulders of CISOs. Now, cybersecurity is not just essential to preventing criminals from theft, it has become a brand protection imperative.

VMware’s annual Modern Bank Heist report has identified critical escalations in the sophistication and coordination of attacks against the financial services sector. Cybercriminals and nation-state actors are capitalising on the dual disruptions of the global pandemic and banks’ ongoing digital transformation programmes to broaden and deepen their attack techniques. They are no longer focused simply on direct monetary gain through wire transfer fraud but on hijacking, the digital transformation of a financial institution through island hopping and holding them hostage to the threat of destructive attacks.

Island hopping escalates as attackers hijack banks

38 percent of the financial institutions surveyed in the study said they had encountered island hopping, representing a 13 percent increase over 2020 (respondents were asked to exclude the SolarWinds campaign from their response).

Island hopping has become the attack vector of choice because, as banks have digitised and their supplier ecosystem has grown, the attack surface has expanded correspondingly; there is quite simply more opportunity now than ever before. And to capitalise on it, cybercrime cartels have taken the guesswork out of the game by studying the interdependencies of financial institutions. They have identified entities such as the Managed Service Providers and outside Counsels used by their target companies. These businesses have become the prime target for infiltration as a stepping stone into the target network. What might previously have constituted a “lucky hit” for a cybercriminal campaign is now a well-researched route to a valuable payoff.

Another commonly reported form of island hopping is watering hole attacks. Here, adversaries hijack websites or mobile apps used by customers for digital banking. This has a direct brand impact where customer’s trust in the visual assets they associate with the bank is hijacked to steal credentials or money. The reputational damage caused by these attacks is immense.

CISOs’ respond to increased attacks

Faced with these escalating and stealth-focused tactics, what should CISOs be doing in response? The financial institutions we surveyed are committing budget to the battle, with eight in ten planning to ramp up spending by between 10-20%.

In terms of where spending will be focused, investment priorities include: Extended detection and response (XDR); threat intelligence; workload security and container security. These priorities paint a picture both of how attacks have evolved and the new cloud-based infrastructure that has become the target.

Particularly encouraging is the frequency and impact of threat hunting. 48% of surveyed institutions conduct weekly threat hunts and, as programmes become more mature and hunters gain more understanding of their environment, they are driving change at a process and technology level. We are seeing more use of data science, machine learning and artificial intelligence to determine what normal looks like and spot anomalies. This is driving a true partnership between human-led hunting and automation.

Best practices to defend against modern bank heists

Adversaries are focusing on gaining undetected access to networks and this means that incident response must be conducted under the assumption that the network has been compromised. The following best practices are advised for defence teams:

  1. Deploy honey tokens or deception grids, especially on attack paths that cannot be hardened.
  2. Apply just-in-time administration.
  3. Integrate your network detection and response with your endpoint detection platform.
  4. Deploy workload security.
  5. Conduct weekly threat hunting.
  6. Stand up a secondary line of secure communications to discuss ongoing incidents without risk of interception and compromise. This channel should allow for talk, text and file transfer.
  7. When responding to an incident- Assume the adversary has multiple means of gaining access to the environment and avoid alerting them that you know they’re there. Watch and wait before taking action – don’t start blocking malware or terminating C2 systems until you are sure you understand all possible avenues of re-entry.
  8. Deploy agents in monitor-only mode. If you begin blocking or impeding their activities, they will change tactics, potentially leaving you blind to their additional means of re-entry. Rename agents to something innocuous.

On top of these tactical activities, we need to see a strategic shift. Three quarters of CISOs at financial institutions still report to CIOs, yet the landscape has changed dramatically over the past year. The switch to work from anywhere has put cybersecurity and CISOs at the centre of business continuity and resilience. CISOs should be promoted to a true C-level to ensure they have the strategic influence they need to discharge their role effectively. As custodians of a financial institution’s greatest asset – customer trust – their position should be elevated accordingly.


Financial institutions are unquestionably facing new and more pernicious threats but, by leveraging advanced tools and intelligence, they can successfully hunt out and suppress cyber cartels preying on the extended ecosystem. Trust and confidence will depend on vigilant digital transformation.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

An image of CISO Hostages, Fintech, How bank CISOs can respond to a digital hostage scenario

Luke Conrad

Technology & Marketing Enthusiast

Hacking Cyber Security’s battle for workers

Andrew Marsh • 30th September 2022

Cyber attacks are increasing exponentially, cyber professionals are quitting, and ultimately, no one is replacing them. Worldwide, the cyber workforce shortfall is approximately 3.5 million people. We have a mountain to climb. While there are rising numbers of people with security degrees and qualifications, this falls way short of industry demand.

Getac becomes British Touring Car Championship official technology partner

Chris Gibbs • 29th September 2022

In competitive motorsports, the smallest detail can be the difference between winning and losing. Getac is the official technology partner to the British Touring Car Championships (BTCC) helping it achieve its digital transformation goals, putting a wealth of information at the fingertips of both race officials and teams alike, and helping deliver incredibly exciting racing.

The Time is Now for Digital Transformation

Paul Waddilove • 29th September 2022

According to a McKinsey research report, 70% of enterprises that had taken on digital transformation reported in 2020 that their momentum had stalled. It is worth understanding the reasons–culture or scale for example–causing the slowdown as the payoffs from digital transformation can be impressive. It can lead to more efficient operations, with enterprises enjoying autonomy...

Addressing the environmental impact of the data centre

David Watkins • 29th September 2022

David Watkins, solutions director at VIRTUS Data Centres , share how you may have seen the recent news that Thames Water has launched a probe into the impact of data centres on water supplies in and around London, as it imposed a hosepipe ban on its 15 million customers in a drought-hit area. Ensuring that...

How Can Businesses Ensure Efficient Management of COSU Devices

Nadav Avni • 29th September 2022

Nadav Avni, Chief Marketing Officer at Radix Technologies, shares how when it comes to speeding up queues and providing instant information, nothing beats corporate-owned, single-use (COSU) devices. When put in kiosk mode, these devices become efficient digital assistants that collect and share information.

The Cloud – Debunking the Myth

Guy Parry Williams • 26th September 2022

Mid-sized businesses are head down, wrestling with constantly evolving operational challenges, from skills shortages to supply chain delays and raging inflation. Management teams lack the time and often confidence to explore technology innovation and, as a result, too many companies are missing vital opportunities to cut costs, boost efficiency and reach new customers.