Kevin Townsend wrote an interesting post, "New Product Uses Deception to Protect SWIFT-connected Banks", that I would like to share.
“Following a series of high profile high value attacks against a number of banks using the SWIFT interbank financial messaging system, Illusive Networks has announced SWIFT Guard, described by the company as cyber deception technology designed to protect SWIFT-connected banks from cyber criminals.
Deception as a technique for locating hidden threats is already widely used by enterprises. The concept is very simple: false locations are established on the networks with exactly the same characteristics as the genuine locations. Any activity in or against these false locations is automatic evidence of an intruder trying to locate genuine credentials or genuine data – and remediation can be commenced against an unsuspecting culprit.
Its weakness is twofold: it depends upon the attacker being fooled by the deception, and it requires a degree of skilled resources to establish and maintain it. There is no guarantee that it will work; and where it doesn’t work, there is no indication that it has failed.
One of the weaknesses for the SWIFT system is that many of its smaller banks in smaller countries simply do not have the cyber resources of the primary western reserve banks. It is these smaller banks, such as Bangladesh and Ecuador, that have so far been hacked. They have been compromised to allow the hacker to deliver apparently genuine instructions to the major reserve banks via the SWIFT network in order to syphon off large amounts of cash.
The purpose of Illusive Networks’ SWIFT Guard is to allow these smaller banks to install deception security ready-made.
SWIFT itself is going through a program of hardening security, primarily aimed at improving the security of its member banks. Two examples include trying to increase threat intelligence sharing between the different banks and the more recent announcement of its own Daily Validation Reports. One problem it has is that the member banks ‘own’ SWIFT — it is not the other way round. It is difficult, therefore, to arbitrarily impose security solutions upon the members.
It is also questionable how much the smaller banks are willing or able to spend on third-party security solutions. The hyperbolic description of Illusive Networks’ CEO Shlomo Touboul doesn’t help: “Deception based technology is the last chance to detect and mitigate sophisticated attacks aimed at the SWIFT system.” SWIFT Guard, like any other security solution, needs to be a part of multi-layered security.
Nevertheless, it could prove a valuable part of the security armory. It works by deploying agent-less deceptions on every endpoint of the network. Since there are far more deceptions than genuine credentials, it is statistically likely that attackers will attack a decoy — and in doing so they will be detected.
One strong advantage of deception technology is that there should be no false positives. If a decoy is accessed, it is either an attacker or an over-inquisitive insider. This should appeal to smaller organizations that don’t have the skilled resources necessary to detect anomalies in log data or to distinguish false positives from genuine threats in the alerts generated by threat detection systems.
The reality is that SWIFT Guard could help SWIFT-connected banks, just as tailored deception security can help any organization. It could prove difficult, however, to persuade smaller banks to invest in this technology over and above traditional detect and prevent solutions.
Illusive Networks’ own product announcement suggests, “Many SWIFT installations use older SWIFT versions that do not meet current SWIFT security standards, and are costly and difficult to update.” If this is true, the priority must surely be to update existing versions to current standards before purchasing additional third-party security.”
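As an added illustration of the two mechanisms the quoted article describes (it is not Illusive Networks' code or product), the block below alerts on any touch of a planted decoy in authentication logs, and works out why having far more decoys than genuine credentials makes it likely an attacker trips one. The account names, hosts and log lines are constructed.

```python
import math
import re
from dataclasses import dataclass

# Constructed decoy accounts and hosts planted on endpoints (hypothetical names).
# Only decoys are listed; genuine accounts never appear here.
DECOY_ACCOUNTS = {"swift-ops-backup", "svc_alliance_admin", "msg-archive-ro"}
DECOY_HOSTS = {"10.10.7.44", "10.10.7.45"}

# Constructed auth-log lines in a simple "ts user=... src=... dst=... result=..." form.
SAMPLE_LOG = """\
2016-11-02T09:12:01Z user=jsmith src=10.10.1.20 dst=10.10.2.5 result=success
2016-11-02T09:13:44Z user=svc_alliance_admin src=10.10.1.20 dst=10.10.2.5 result=failure
2016-11-02T09:14:02Z user=jsmith src=10.10.1.20 dst=10.10.7.44 result=success
2016-11-02T09:15:30Z user=ops2 src=10.10.1.31 dst=10.10.2.9 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str

def detect_decoy_use(log_text):
    """Return an Alert for every line that uses a decoy account or reaches a decoy host.
    Any touch, successful or not, is reported: no legitimate process should know the decoy exists."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(f["ts"], f["src"], f"decoy account {f['user']} used"))
        elif f["dst"] in DECOY_HOSTS:
            alerts.append(Alert(f["ts"], f["src"], f"decoy host {f['dst']} contacted"))
    return alerts

def p_hits_decoy(genuine, decoys, touched):
    """Probability that an attacker who tries `touched` distinct credentials chosen at random
    from the genuine+decoy pool touches at least one decoy (hypergeometric complement)."""
    total = genuine + decoys
    if touched > genuine:
        return 1.0
    return 1.0 - math.comb(genuine, touched) / math.comb(total, touched)
```

An alert from `detect_decoy_use` still needs triage, since the article notes it may be an over-inquisitive insider rather than an intruder.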