Financial security systems need to be among the most robust in the world. Since most cyberattacks are financially motivated, the industry presents a tantalizing and obvious target for both advanced nation-state attackers and low-level crooks.

One of the best ways to increase the strength of financial cybersecurity systems is to put their security defenses to the test; that means participating in offensive security red team engagements.

What Is Red Teaming for Financial Institutions?

Red teaming goes a step beyond pen testing alone, subjecting the financial firm to a simulated real-world attack and long-term embedded threat actor. This challenges blue teams (defenders) and puts the organization under the kind of pressure it could only face against an actual adversary. The point is to comprehensively ferret out weaknesses across the organization, not simply identify vulnerabilities. Attack vectors can include social engineering, zero-day threats, advanced persistent threats (APTs), phishing, polymorphic malware, and more.

The better the red team’s tools, the more varied and sophisticated (or “realistic”) the attack will be. Consequently, the best toolkits can result in the best level of preparedness for financial enterprises. Fortra’s Cobalt Strike has long been the industry standard tool for offensive security and red team engagements, thanks to its flexibility and extensibility. And with Fortra’s Outflank Security Tooling (OST), red teams can further enhance engagements, leveraging a broad set of evasive tools for every step of the attacker kill chain.

Why Invest in Offensive Security Tools for Finance Now?

Rapid shifts from brick-and-mortar to entirely digital businesses have moved the needle forward to a digital point of no return. Today’s financial institutions are coping with the consequences, and that means a widely expanded attack surface, an abundance of cloud-hosted data and integrated cloud technologies, and complex internal architecture that’s difficult to secure.

Additionally, financial technology (FinTech) today leverages more cutting-edge technology than ever before, and for good reason. Digital convenience has become paramount in this and nearly every industry, and financial institutions large and small want to be able to offer their customers the ease and convenience of online banking, automated transfers, and integrated finance applications. However, in their complexity, these technologies have also left themselves increasingly open to exploitation.

The abundance of personally identifiable information (PII) and other sensitive information stored within financial institutions makes them perennial targets for crime, and the exponential improvement of AI capabilities heightens the threat even more.

All those factors combine to create a perfect storm of problems that financial security systems are left to face.

What Are the Cybersecurity Challenges Specific to Finance?

Every year for the past four years, at least a third of the global financial services industry has been hit by a ransomware attack, with the number rising to over two-thirds in 2024, according to Statista. The number of cybersecurity attacks on financial institutions in the US has been rising as well, experiencing a 430% increase between 2020 and 2023 alone.

With financial institutions losing between $4.64 and $5.11 million per ransomware attack, not having the proper cybersecurity in place quickly becomes more costly than the alternative. Not to mention the additional costs incurred due to:

  • Reputational damage
  • Legal fees
  • Compliance fines (FINRA, PCI DSS, SOX)
  • Possible loss of licensure
  • PR costs
  • Customer reparations like free credit monitoring
  • Possible paid ransoms

And more, including the loss of high-level (and low-level) jobs in the aftermath of a costly and public financial breach. Dark Reading cites that 37% of organizations reported that cyberattacks resulted in dismissals.

With so much at stake, it is well worth the investment for financial institutions to maximize the potential of their financial security systems by using offensive security in addition to defensive measures. In the fallout of a breach, even cost-motivated decisions to cut security corners will be hard to justify.

Top Cybersecurity Threats in Finance

Attackers will try anything to infiltrate financial institutions — or their affiliates. Here are just a few of the most common attack vectors you’ll find exploited as cybercriminals seek to undermine the financial services sector.

Phishing Attacks

Phishing is the act of sending malicious emails with the intent of deploying malware, stealing credentials, or otherwise illicitly obtaining sensitive information through social engineering techniques.

The financial services industry was the third most targeted for phishing attacks according to the most recent research by both Statista and the Anti-Phishing Working Group (APWG). Additionally, financial institutions find themselves impersonated in phishing scams more often than most; 62% of domains associated with (at least ‘supposed’) financial institutions were found to be linked to phishing attacks.

Ransomware

Ransomware is one of the heaviest-hitting attack vectors for the financial industry at large. In 2024, 65% of financial institutions experienced a ransomware attack, up from 34% in 2021. The IBM 2024 Cost of a Data Breach report puts the cost of the average ransomware attack in 2024 at $5.37 million, and that’s not including ransom payments.

Financial institutions are being hit by ransomware attacks in various formats as attackers expand their techniques. Ransomware threat actors are resorting to tactics such as double extortion (threatening to publish the data in addition to encrypting it), as well as threats to delete the data if the ransom is not paid. Triple extortion threatens the victims, employees, and customers themselves, and in a growing number of cases, threat actors are using compliance regulations to apply additional pressure.

As the ABA Banking Journal notes, “Criminals have been known to [notify] a regulator of the breach before the victim can report the incident themselves. This can force a victim’s hand on regulatory filings and public statements.”

Malware

Malware attacks obviously encompass more than just ransomware, although where the financial services industry is concerned (and most others), ransomware is the primary one. Other forms of malware can include:

  • Trojans
  • Viruses
  • Worms
  • Keyloggers
  • Botnets
  • Rootkits
  • Fileless malware
  • Cryptojacking
  • Spyware

In particular, polymorphic malware has emerged in recent years as a serious concern. This type of malware not only obfuscates its code but can alter it as it winds through a network, evading signature-based detection tools that are still looking for its previous form. Shylock is a type of polymorphic financial malware with the ability to “almost completely avoid detection by antivirus scanners after installation.”

Injections

Injection attacks are another common adversary of financial institutions. Research shows that local file injection (LFI) attacks have become one of the main attack vectors in the financial services sector, recently growing by 53%.

A file injection attack occurs when web page inputs such as forms have not been properly sanitized, allowing threat actors to manipulate the output with malicious input and gain unauthorized access to files within the company’s database. For instance, a simple “fill out your name” form on a financial advisor’s website could be co-opted to pull out a list of all previous clients and their financial information, if the right vulnerability existed. Often, it does.

Types of injection attacks include:

  • SQL Injection
  • Command Injection
  • Code Injection
  • LDAP injection
  • XML injection

And more. The financial services sector can prevent injection attacks by leaning into financial cybersecurity solutions that test for SQL injection (SQLi) attacks.
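To make the “fill out your name” scenario above concrete, here is an added example (not from the original post, and not Fortra’s code): a constructed SQLite client table is queried first by splicing the form value into the SQL text, then with a bound parameter, alongside a simple input check of the kind a form handler or WAF rule could alert on. The table, the names in it and the function names are all assumed for illustration.

```python
import sqlite3

# Constructed sample data: a hypothetical advisor's client table (not real data).
CLIENTS = [
    ("Alice Example", "ACCT-0001", 125000.00),
    ("Bob Example", "ACCT-0002", 98000.50),
    ("Carol Example", "ACCT-0003", 410000.00),
]


def make_db():
    """Build an in-memory SQLite database holding the sample client list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, account TEXT, balance REAL)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", CLIENTS)
    return conn


def lookup_vulnerable(conn, name):
    """'Before': the form value is spliced into the SQL text, so a quote in
    the input changes the query's structure instead of staying data."""
    query = f"SELECT name, account, balance FROM clients WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """'After': the value is passed as a bound parameter; the driver never
    parses it as SQL, so the same hostile input simply matches no row."""
    query = "SELECT name, account, balance FROM clients WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def looks_like_injection(name):
    """Cheap validation/logging check a form handler or WAF rule might apply:
    a customer name should not contain quotes, comment markers or semicolons.
    Useful for alerting; it is not a substitute for parameterised queries."""
    return any(token in name for token in ("'", '"', "--", ";", "/*"))


if __name__ == "__main__":
    conn = make_db()
    normal = "Alice Example"
    # The textbook tautology turns a single-name lookup into "return all rows".
    hostile = "' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(conn, normal))
    print("vulnerable, hostile input:", lookup_vulnerable(conn, hostile))
    print("hardened, hostile input  :", lookup_hardened(conn, hostile))
    print("input flagged for review :", looks_like_injection(hostile))
```

Run against the vulnerable lookup, the hostile input dumps the whole client table; against the hardened lookup it returns nothing, which is exactly the behaviour an injection test in a red team engagement is checking for.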

Distributed Denial of Service (DDoS) Attacks

A distributed denial of service (DDoS) attack occurs when attackers flood an organization’s server with traffic in order to overwhelm its ability to respond, effectively shutting it down and taking it offline. In a financial institution, this looks like downtime, potentially on a global scale.

Last year, security researchers observed a sharp increase in DDoS attacks on the financial services industry, making it the most frequently targeted sector in 2023. Those same researchers found that FinServ-targeted DDoS attempts rose by 154% year over year, with the industry accounting for 35% of all DDoS attacks overall. Additionally, Cloudflare reported a 49% quarter-over-quarter increase in DDoS attacks on finance for Q3 of 2024, supporting the trend.

Insider Threats

Financial services is widely believed to have one of the highest rates of insider threats of any industry. It may be no surprise, given that financial gain remains the highest motivating factor behind such attacks, and who is more familiar with the digital architecture that guards institutions’ finances than the employees who interact with it every day?

Industry research reveals that insider threats have increased by 47% since 2018, and a surprising 83% of organizations experienced at least one insider attack in the past year, according to Cybersecurity Insiders’ 2024 Insider Threat Report.

The threat of insider attacks is real for the financial services sector, with varieties including:

  • Digital sabotage
  • Financial fraud
  • Embezzlement through elevated privileges

And of course, data theft leading to public and damaging data breaches.

Advanced Persistent Threats (APTs)

Nation-state actors favor advanced persistent threats (APTs) when targeting the underpinnings of a society or economy. Inevitably, those underpinnings include the financial sector.

These “low and slow” attacks infiltrate a network unnoticed, usually via sophisticated malware or social engineering scams, and remain undetected for weeks, even months, as they silently siphon out data, create backdoors, and wreak more havoc. In some cases, the APTs are so complex that whole teams are required to maintain their foothold in the compromised network.

As FinTech grows, the financial sector widens its attack surface and becomes ever more vulnerable to stealthy APT attacks. Advanced offensive security solutions and red teaming toolkits that mimic the methods of advanced persistent threat actors are one of the best ways financial firms can prepare.

MitM Attacks

Man-in-the-middle (MitM) attacks have accounted for up to 19% of successful breaches a year and are especially dangerous for digital financial communication.

These attacks, in which a threat actor secretly intercepts online communication between two parties, can be detrimental if the data is not encrypted. For years, financial institutions have leaned on platforms like SWIFT (Society for Worldwide Interbank Financial Telecommunication) to enable secure messaging, but as the digital landscape has evolved, more of those security responsibilities are up to the sender (financial organizations).

Social Engineering

Social engineering is one of the top risks to any industry today, finance included. Thanks to advancements in AI, these attacks can take the shape of perfectly crafted phishing messages in any language or Business Email Compromise (BEC) scams that are convincingly from your ‘boss’.

AI models can scrape social networking sites for personal information to make malicious emails even more convincing, and a good social engineering email can slip past traditional email defenses because it carries no malicious attachment or signature to match; its bite is in getting victims to take the bait and click a (benign-looking) URL that redirects to an (unsafe) phishing link, or any number of other creative tactics.

Just under a third (27%) of phishing attacks worldwide targeted financial services in 2023, and BEC attacks against the financial sector increased by 21%. To top that off, a 2024 Agari Global Insights Report noted that US banks were the primary target of choice for wire scammers in the month of September.

The Solution: Cobalt Strike

Red team tools like Cobalt Strike empower your red team to get out in front of the situation by engaging SOCs in an anything-goes, all-out war against an unknown adversary with non-street-legal capabilities, just like in a real-world attack. In a red teaming engagement, the gloves come off and financial organizations are exposed to the full force of real-world exploits like:

  • Polymorphic malware
  • Sophisticated social engineering
  • Above-and-beyond reconnaissance
  • AI-driven attacks
  • Obfuscated code

Robust red team engagements, which can use both Cobalt Strike and Outflank Security Tooling, can give more than fair warning of latent vulnerabilities and critical weaknesses before they’re exploited, allowing financial security systems to fill defensive security gaps and squash small cracks before they become massive security issues, potentially in the very near future.

To continue the discussion, check out pricing options for Cobalt Strike or request a trial of Cobalt Strike today.
