Thinking Like the Enemy: Banks Conduct “Self-Hacks” to Strengthen Defense Against Cyberattacks

  • By Elizabeth Radziul
  • in
  • on March 19, 2020

Sometimes you have to think like the enemy in order to stay one step ahead of them, at least according to the American Bankers Association. As cybersecurity experts strengthen their defense against increasing security breaches, cybercriminals continue to improve their own capabilities. The solution? “Self-hack” their own systems to determine key vulnerabilities in order to find a way to eliminate them. 

“I could compare it to an arms race,” says Nicholas Antill, Senior Vice President and Senior Security Manager at PNC Bank. Antill draws this comparison based on the constant skill and technology improvement on both ends, which results in a continuous power struggle between hacker groups and cybersecurity teams. Many of the 300 banks hacked in December of 2019 by the Russia-based hacker group Evil Corp are conducting their own hacks to prevent future breaches. Many are relying on in-house teams and contracting third-party vendors to act like hackers and test their systems for weak points. Some, however, are taking more extreme measures an enlisting real, non-criminal hacker groups called “white hat hackers” for a more realistic simulation. Regardless of the approach, each self-hack method aims to achieve the same thing: to get inside the mind of a cybercriminal.

Another factor to consider, in addition to who will be conducting the test, is which kind of test will be conducted. There are several types of testing, each with different factors used to produce different results.

Penetration Testing

Penetration testing, otherwise known as “pentesting” is the most common type of self-hack. Pentesting involves hacking an individual network or application to detect any vulnerabilities not covered by other security measures. Caroline Wong, chief strategy officer at the security testing firm Cobalt.io recommends starting with this method to find where weaknesses lie, such as in mobile apps or cloud infrastructure. 

Under the umbrella of penetration testing, there are three different types to consider.

Black-Box Testing

In a black-box test, the hacker has no knowledge of the system it is attacking. This approach more realistically simulates an actual attack, as the average malicious hacker would not have inside knowledge of the system’s operations.

White-Box Testing

White-box testing is conducted by someone with a comprehensive understanding of the system. White-box testing is very thorough because the tester is familiar with the nuances of the system’s security, and therefore knows where to look for vulnerabilities.

Gray-Box Testing

Gray-box testing is conducted by someone who has some understanding of the system’s inner workings, but not extensive knowledge. This method combines the benefits of black-box and white-box testing and may emulate a hacker who may have been able to obtain some knowledge of the system prior to the attack.

Red Team Testing

Red team testing is a more formal, experiment-like, test in which the “red team” acts like actual hackers and launches an attack on the company’s “blue team”. Red-team tests are conducted on a wider scale and often use specific tactics used by known security threats. The target and objective of a red team test are specific and narrowly focused compared to those of a penetrative test. Wong recommends starting with pentesting for a more broad overview of the security system and a general understanding of where vulnerabilities lie. Red team testing is typically conducted by companies with a higher security level that are looking to fine-tune specific weaknesses. Red team testing aims to accurately simulate a real attack, so they typically last two to six months. The tests target both software and human-related weaknesses and threats. 

The benefit of carrying out a “self-hack” rather than simply using scanning software to detect vulnerabilities is the human element involved. “If we were bad guys, you know, what would we use to get in?”, says Aaron Shilts, president, and COO of vulnerability assessment firm NetSPI. Once weaknesses are detected, it’s up to leadership to reevaluate security across all channels and personnel. 

As more and more companies around the world are hiring hackers to test their defenses, questions of standardization are raised. The European Central Bank has released the European Framework for Threat Intelligence-based Ethical Teaming, or TIBER-EU, which lays out standardized practices for institutions that execute self-hacks. Tyler Leet, Director of Risk, Information Security, and Compliance Services at core banking and cybersecurity provider CSI, warns to only use these tests to “actively look to learn from the results” and to avoid pointing blame at employees. 

When done right, self-hacks prove to be very helpful for banks and financial institutions looking to find gaps in their network security. The best way to beat hackers and their rapidly improving capabilities is to stay one step ahead of them, which means thinking like them and constantly hunting for weaknesses they could exploit. 

Cybersecurity Innovation Starts HereCISO WEST AUGUST

Digital Transformation involves ongoing exploration by today’s leaders, and our best advice is to not trek the journey alone. Our Transformational CISO West Assembly coming this August in Las Vegas is set to be an inspiring event featuring some of cybersecurity’s top C-Suite executives.

We know what you’re thinking…

This isn’t Your Run-of-the-Mill Conference or Summit.

Our Founders, like many C-Suite executives today, became disillusioned by the slew of retail conferences, summits and events on the market today that promised “world class networking” opportunities with leading industry decision-makers. In reality, they found that these events had antiquated discussion topics presented in an impersonal format, and quite frankly, it seemed like just about anyone could attend the event.

What Makes a Millennium Assembly Different? 

We’re dedicated to creating the greatest think tank of today’s executives from some of the most prominent companies today. Our invite-only events consist of 55 carefully selected leaders holding C-Suite, EVP, and SVP positions from Fortune 500 companies.

These attendees are provided the opportunity to intimately connect in workshops & roundtables with fewer than 25 people, with interactive networking opportunities at our cocktail hour and Gala Keynote Dinner and personalized 1:1 meetings. This is an experience like no other, all taking place at some of the most beautiful hotel and resort venues in the country.

We’re serious about executive education. Our Assembly Agendas are data-driven and curated from our industry-expert Advisory Board, a group of 26 industry movers and shakers with a proven record of digitally transforming organizations from the ground-up. The prevailing topics and trends discussed at this assembly will cover the most poignant challenges affecting leaders today.

The Millennium Alliance’s goal is to change the way leaders look at executive education, and you won’t find this level of content, discussion, and networking anywhere else. We’re on the journey to digitally transform the marketing industry with you.

Join the Assembly

Want to find out if you qualify? Millennium Membership >>

Are you a Solution Provider interested in Sponsorship Opportunities? Learn More >>

Leave a Reply

PUBLISHED BY Elizabeth Radziul

View all posts by Elizabeth Radziul

Related Posts

DarkTrace Cyber AI Analyst: Augmenting Your Security Team with AI-Driven Investigations

The myriad of security tools used by businesses today creates massive quantities of data and surfaces too many alerts for analysts to effectively manage. As threats become increasingly sophisticated and the cyber security industry continues to face a skills shortage, over-worked and under-resourced teams urgently need augmentation. Cyber AI Analyst, the product of a research initiative […]

News

The Pivot Project: Crowdsourcing Solutions to COVID-19 Problems 

The overwhelming implications of COVID-19 have defined a generation, but despite the hardships Americans are facing today, it’s shown us that social media is a momentous tool for building awareness & delivering aid to those in need. The Pivot Project, co-founded by our Advisory Board member, Cynthia Johnson, is set to do just that: utilize […]

#MillenniumLive Keynote Series: John Carlin, Author of “Dawn of the Code War”

The Millennium Alliance was honored to have John Carlin as the virtual Transformational CISO Assembly’s opening keynote speaker. He is the former Assistant Attorney General for the DOJ’s National Security Division. John currently chairs the Global Risk & Crisis Management Practice Group and the National Security Practice Group at Morrison & Foerster & hosts the […]

Technology

Bill Murphy Keynotes Upcoming Data and Technology Virtual Assembly!

It’s almost time for our Digital Enterprise CIO and Data Transformation Virtual Assembly, and we have some very exciting news to share. Bill Murphy, Former Senior Managing Director and CTO at Blackstone, is set to kick off the event as our Featured Keynote Speaker! Bill Murphy is a true technology expert who led Blackstone’s Innovations […]

Lovin’ Digital Diary?

Premium content to our readers interested in all things business.

Check Us Out!

Millennium Membership offers Fortune 1000 C-Level executives, leading public sector/government officials, and thought leaders across a variety of disciplines unique and exclusive opportunities to meet their peers, understand industry developments, and receive introductions to new technology and service advancements to help grow their career and overall company value.

About Millenium Alliance Next

About Digital Diary

Created to provide premium content to our readers interested in all things business.

Launched in 2017, Digital Diary was created to provide premium content to our readers interested in all things business. With our blogs catered to deliver the top news stories, trends, and interviews from across all industries.

Read all story Next

Interested in Millennium Membership?
Find out if you qualify here.

arrow