How would you hack a bank? In this talk, we discuss how to improve the protection our nation’s critical private-sector cyber infrastructure, using financial services institutions as a case study, and highlight potential exploit chains and vulnerabilities in people, process, and technology. We begin with a thought experiment: if cyberwar were to break out tomorrow, how would we know? We continue by providing operational definitions for cyber warfare and critical infrastructure, and define a threat modelling framework for the different types of adversaries to banks – both now, and into the future. We then study how (and why) the “crown jewels” of your organization may be defined differently depending on who you ask – your attackers, your SOC analysts, or your board of directors – and how the approaches to capturing these assets change under different threat models. Through first-hand experience in protecting hundreds of billions of dollars in assets, we will demonstrate how to identify what and why the real crown jewels are to an attacker, how these critical components can be exploited, and how to define a meaningful end-to-end security strategy to protect them. Then, we will highlight how both traditional and emerging threat vectors – such as vulnerabilities in third-party processing systems, inadequate patch management, insecure cloud deployments, vulnerabilities in cryptographic architectures, adversarial attacks on analytics systems, and piecemeal security strategy for customer-facing digital products – could be leveraged to construct takeovers of these critical components. To conclude, we will highlight a number of recommendations to inspire our industry to think bigger – in terms of attacker resources, metrics, exploit-chain modelling, and defensive strategy.
