Thinking Like the Enemy: Banks Conduct “Self-Hacks” to Strengthen Defense Against Cyberattacks

By Elizabeth Radziul, March 19, 2020

Sometimes you have to think like the enemy in order to stay one step ahead of them, at least according to the American Bankers Association. As cybersecurity experts strengthen their defenses against increasingly frequent security breaches, cybercriminals continue to improve their own capabilities. The solution? “Self-hack” their own systems to identify key vulnerabilities so they can be eliminated before a real attacker finds them.

“I could compare it to an arms race,” says Nicholas Antill, Senior Vice President and Senior Security Manager at PNC Bank. Antill draws this comparison from the constant improvement in skill and technology on both sides, which results in a continuous power struggle between hacker groups and cybersecurity teams. Many of the 300 banks hacked in December of 2019 by the Russia-based hacker group Evil Corp are conducting their own hacks to prevent future breaches. Most rely on in-house teams or contract third-party vendors to act like hackers and test their systems for weak points. Some, however, are taking more extreme measures and enlisting real, non-criminal hacker groups, so-called “white hat hackers,” for a more realistic simulation. Regardless of the approach, each self-hack method aims to achieve the same thing: to get inside the mind of a cybercriminal.

Another factor to consider, in addition to who will conduct the test, is which kind of test will be conducted. There are several types of testing, each with different parameters that produce different results.

Penetration Testing

Penetration testing, otherwise known as “pentesting,” is the most common type of self-hack. Pentesting involves attacking an individual network or application to detect any vulnerabilities not covered by other security measures. Caroline Wong, chief strategy officer at the security testing firm Cobalt.io, recommends starting with this method to find where weaknesses lie, such as in mobile apps or cloud infrastructure.

Under the umbrella of penetration testing, there are three different types to consider.

Black-Box Testing

In a black-box test, the tester has no prior knowledge of the system they are attacking. This approach more realistically simulates an actual attack, since the average malicious hacker would not have inside knowledge of the system’s operations.

White-Box Testing

White-box testing is conducted by someone with a comprehensive understanding of the system. White-box testing is very thorough because the tester is familiar with the nuances of the system’s security, and therefore knows where to look for vulnerabilities.

Gray-Box Testing

Gray-box testing is conducted by someone who has some understanding of the system’s inner workings, but not extensive knowledge. This method combines the benefits of black-box and white-box testing and emulates a hacker who may have obtained some knowledge of the system prior to the attack.

Red Team Testing

Red team testing is a more formal, experiment-like test in which the “red team” acts like actual hackers and launches an attack against the company’s defenders, the “blue team.” Red-team tests are conducted on a wider scale and often use specific tactics employed by known threat actors. The target and objective of a red team test are specific and narrowly focused compared to those of a penetration test. Wong recommends starting with pentesting for a broader overview of the security posture and a general understanding of where vulnerabilities lie. Red team testing is typically conducted by companies with a more mature security program that are looking to fine-tune specific weaknesses. Because red team testing aims to accurately simulate a real attack, engagements typically last two to six months. The tests target both software and human-related weaknesses and threats.

The benefit of carrying out a “self-hack” rather than simply using scanning software to detect vulnerabilities is the human element involved. “If we were bad guys, you know, what would we use to get in?” says Aaron Shilts, president and COO of vulnerability assessment firm NetSPI. Once weaknesses are detected, it’s up to leadership to reevaluate security across all channels and personnel.

As more and more companies around the world hire hackers to test their defenses, questions of standardization are raised. The European Central Bank has released the European Framework for Threat Intelligence-based Ethical Red Teaming, or TIBER-EU, which lays out standardized practices for institutions that execute self-hacks. Tyler Leet, Director of Risk, Information Security, and Compliance Services at core banking and cybersecurity provider CSI, warns institutions to use these tests only to “actively look to learn from the results” and to avoid pointing blame at employees.

When done right, self-hacks prove to be very helpful for banks and financial institutions looking to find gaps in their network security. The best way to beat hackers and their rapidly improving capabilities is to stay one step ahead of them, which means thinking like them and constantly hunting for weaknesses they could exploit. 
