Thinking Like the Enemy: Banks Conduct “Self-Hacks” to Strengthen Defense Against Cyberattacks

Sometimes you have to think like the enemy in order to stay one step ahead of them, at least according to the American Bankers Association. As cybersecurity experts strengthen their defense against increasing security breaches, cybercriminals continue to improve their own capabilities. The solution? “Self-hack” their own systems to determine key vulnerabilities in order to find a way to eliminate them. 

“I could compare it to an arms race,” says Nicholas Antill, Senior Vice President and Senior Security Manager at PNC Bank. Antill draws this comparison based on the constant skill and technology improvement on both ends, which results in a continuous power struggle between hacker groups and cybersecurity teams. Many of the 300 banks hacked in December of 2019 by the Russia-based hacker group Evil Corp are conducting their own hacks to prevent future breaches. Many are relying on in-house teams and contracting third-party vendors to act like hackers and test their systems for weak points. Some, however, are taking more extreme measures an enlisting real, non-criminal hacker groups called “white hat hackers” for a more realistic simulation. Regardless of the approach, each self-hack method aims to achieve the same thing: to get inside the mind of a cybercriminal.

Another factor to consider, in addition to who will be conducting the test, is which kind of test will be conducted. There are several types of testing, each with different factors used to produce different results.

Penetration Testing

Penetration testing, otherwise known as “pentesting” is the most common type of self-hack. Pentesting involves hacking an individual network or application to detect any vulnerabilities not covered by other security measures. Caroline Wong, chief strategy officer at the security testing firm Cobalt.io recommends starting with this method to find where weaknesses lie, such as in mobile apps or cloud infrastructure. 

Under the umbrella of penetration testing, there are three different types to consider.

Black-Box Testing

In a black-box test, the hacker has no knowledge of the system it is attacking. This approach more realistically simulates an actual attack, as the average malicious hacker would not have inside knowledge of the system’s operations.

White-Box Testing

White-box testing is conducted by someone with a comprehensive understanding of the system. White-box testing is very thorough because the tester is familiar with the nuances of the system’s security, and therefore knows where to look for vulnerabilities.

Gray-Box Testing

Gray-box testing is conducted by someone who has some understanding of the system’s inner workings, but not extensive knowledge. This method combines the benefits of black-box and white-box testing and may emulate a hacker who may have been able to obtain some knowledge of the system prior to the attack.

Red Team Testing

Red team testing is a more formal, experiment-like, test in which the “red team” acts like actual hackers and launches an attack on the company’s “blue team”. Red-team tests are conducted on a wider scale and often use specific tactics used by known security threats. The target and objective of a red team test are specific and narrowly focused compared to those of a penetrative test. Wong recommends starting with pentesting for a more broad overview of the security system and a general understanding of where vulnerabilities lie. Red team testing is typically conducted by companies with a higher security level that are looking to fine-tune specific weaknesses. Red team testing aims to accurately simulate a real attack, so they typically last two to six months. The tests target both software and human-related weaknesses and threats. 

The benefit of carrying out a “self-hack” rather than simply using scanning software to detect vulnerabilities is the human element involved. “If we were bad guys, you know, what would we use to get in?”, says Aaron Shilts, president, and COO of vulnerability assessment firm NetSPI. Once weaknesses are detected, it’s up to leadership to reevaluate security across all channels and personnel. 

As more and more companies around the world are hiring hackers to test their defenses, questions of standardization are raised. The European Central Bank has released the European Framework for Threat Intelligence-based Ethical Teaming, or TIBER-EU, which lays out standardized practices for institutions that execute self-hacks. Tyler Leet, Director of Risk, Information Security, and Compliance Services at core banking and cybersecurity provider CSI, warns to only use these tests to “actively look to learn from the results” and to avoid pointing blame at employees. 

When done right, self-hacks prove to be very helpful for banks and financial institutions looking to find gaps in their network security. The best way to beat hackers and their rapidly improving capabilities is to stay one step ahead of them, which means thinking like them and constantly hunting for weaknesses they could exploit. 

Cybersecurity Innovation Starts Here

Digital Transformation involves ongoing exploration by today’s leaders, and our best advice is to not trek the journey alone. Our Transformational CISO West Assembly coming this August in Las Vegas is set to be an inspiring event featuring some of cybersecurity’s top C-Suite executives.

We know what you’re thinking…

This isn’t Your Run-of-the-Mill Conference or Summit.

Our Founders, like many C-Suite executives today, became disillusioned by the slew of retail conferences, summits and events on the market today that promised “world class networking” opportunities with leading industry decision-makers. In reality, they found that these events had antiquated discussion topics presented in an impersonal format, and quite frankly, it seemed like just about anyone could attend the event.

What Makes a Millennium Assembly Different? 

We’re dedicated to creating the greatest think tank of today’s executives from some of the most prominent companies today. Our invite-only events consist of 55 carefully selected leaders holding C-Suite, EVP, and SVP positions from Fortune 500 companies.

These attendees are provided the opportunity to intimately connect in workshops & roundtables with fewer than 25 people, with interactive networking opportunities at our cocktail hour and Gala Keynote Dinner and personalized 1:1 meetings. This is an experience like no other, all taking place at some of the most beautiful hotel and resort venues in the country.

We’re serious about executive education. Our Assembly Agendas are data-driven and curated from our industry-expert Advisory Board, a group of 26 industry movers and shakers with a proven record of digitally transforming organizations from the ground-up. The prevailing topics and trends discussed at this assembly will cover the most poignant challenges affecting leaders today.

The Millennium Alliance’s goal is to change the way leaders look at executive education, and you won’t find this level of content, discussion, and networking anywhere else. We’re on the journey to digitally transform the marketing industry with you.

Join the Assembly

Want to find out if you qualify? Millennium Membership >>

Are you a Solution Provider interested in Sponsorship Opportunities? Learn More >>