How lessons from the FBI email hack can stop businesses banking on the wrong strategy
Last year, we saw a rise in new, innovative cyber-attacks on a global scale – criminals hit everywhere from T-Mobile and JBS to Facebook and the Colonial Pipeline.
The occurrence of attacks such as ransomware has exploded alongside the continued wave of digital transformation in recent months.
The Federal Bureau of Investigation (FBI) also experienced a cyber-attack late last year. During the FBI email cyber-attack, someone managed to commandeer a legitimate FBI email account, associated with the Law Enforcement Enterprise Portal (LEEP), to send a hoax message to over 100,000 recipients.
In the message, they warned that an attacker had infiltrated their system and stolen data.
The FBI said at the time a “software misconfiguration” had “temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails”.
It added: “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.
“Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
The scariest part of the attack on the FBI, though, concerns the organisation’s reputation for security, technology and privacy. In this attack, it is clear that the criminals wanted to weaponise that reputation and use it to cause harm. The attack is a poignant reminder to all organisations, no matter their size, of the need to up their preparedness for cyber invasions.
Despite the FBI hacker not using the email to distribute malware, it certainly sent a clear message. Much like the FBI, banks are highly regulated and trustworthy organisations, thus also making them an attractive target to hackers. Therefore, banks have much to learn from this attack for the future, and we will be running through three of the most important lessons they can take from this.
Carefully select partners
The FBI has numerous departments they work with that help them achieve their goals, and with that, it only takes one partner with misaligned objectives to put a spanner in their investigation.
For banks, bringing on partners is inevitable – at least for those wanting to transact and interact on an international scale. However, the more partners a bank brings in, the more risk it invites. The nature of banks as secure financial institutions means that they are of course highly regulated, so it is crucial that they only partner with organisations that have the same trust model as they do.
As such, partnerships need to be smart and purposeful, and potential partners need to be approached with a great deal of due diligence. This would ideally involve some level of evaluation to make sure they are compatible.
These partnerships are an essential puzzle piece in bolstering banks’ cybersecurity strategies. Ensuring that banks have a multifaceted approach in place is going to be a balancing act between these partnerships and regulatory considerations.
Pay attention to outbound comms, not just inbound
Across all movie genres, most audiences are aware that the classic jump scares always come when the main character is focused on the wrong place – sometimes they are so focused on protecting themselves from potential attacks at the front door that they forget about the open window in the upstairs bedroom. Banks need to think the same way about protecting themselves from all sides.
In order to survive, banks need to be more wary about how their outbound messages are being communicated and perceived, not just their inbound ones. It has become more commonplace to monitor systems for traces of harmful inbound activity, but such vigilance is rarely applied to messages going out.
This kind of diligence also needs to extend to communications that aren’t being created by banks. For instance, they should be thinking about what is being said about the brand on social media feeds as well. With this dual approach to their protection, they can help ensure that their comms don’t become a successful vessel for future attacks.
There are countless ways hackers could monetise your brand
Cyber-attackers won’t wait for institutions to catch up with their methods and every month they continue to evolve. These days, banks don’t even need to be the direct target of an attack for their customers to be put at risk.
Often, organisations don’t focus enough on the potential variety of these invasions – they could involve malware, phishing, man-in-the-middle, denial-of-service, SQL injection, rootkits and more. With this in mind, it doesn’t make sense to focus on just one type of fraud – they need to be ready to think outside the box to stay ahead of bad actors, so that they can continue to focus on providing their customers with great service.
There are countless ways hackers could monetise your brand. It’s not always something as obvious as ransomware or data theft. What if the hacker is looking to impact the financial markets and profit off of a drop in share value? Or to pump some stocks by hijacking the pedestal (email, social media, website etc.) of a reputable authority?
Preparing for the unexpected is hard, but regular brainstorming with non-security teams like marketing or finance can help provide some interesting scenarios that can then be mitigated against.