Banks set to do battle in mock cyberwar

The U.S. financial services industry's largest cybersecurity consortium is set to host a tournament that will pit banks' cybersecurity teams against each other — and bring them together — in responding to simulated cyber attacks based on real-world exploits.

The tournament comes after the Financial Services Information Sharing and Analysis Center recently said cyber threats were accelerating with nation-states and criminal groups converging and collaborating, and after the center led the financial sector scenario in recent exercises organized by the North Atlantic Treaty Organization. Russia's war on Ukraine has many security experts on high alert for attacks on critical U.S. infrastructure, including its financial system.

This October, which is Cybersecurity Awareness Month, FS-ISAC and tech partner Cyberbit will host a different kind of cyber exercise — a tournament they are calling the International Cyber League Financial Cup.

How it will work

In contrast with many other cybersecurity tournaments, the Financial Cup will not be organized as a capture-the-flag tournament, which can involve teams of hackers competing to exfiltrate as many flags as possible — like stealing sensitive information or passwords from synthetic computer systems.

Rather, the Financial Cup will focus strictly on defensive skills, meaning teams will be challenged to respond to attacks rather than launch them.

When a team enters a challenge during either round of the tournament, it will see a virtual network facing a simulated cyberattack based on a real exploit — perhaps a phishing campaign, botnet attack or ransomware infection. Competitors will not know what the attack is until they enter and begin the simulation.

"Our system has automatic scoring capabilities that will check if they've achieved their exact goals — if they've investigated the problem correctly, if they've mitigated the attack and remediated it correctly — and based on the scoring, we will determine the top teams," said Sharon Rosenman, chief marketing officer for Cyberbit. "It'll be a combination of both individual skills and team skills."

The team skills will be particularly important to the exercises, Rosenman said. The final round will involve new exploits the top performers might not have seen in the first round, and this time each of the finalists will join as one team to respond to the challenges.

Achieving realism

One of the key tenets of the exercises that FS-ISAC and Cyberbit provide is that they are "hyper-realistic," as Rosenman put it. Far from asking teams to solve contrived problem sets, the exercises in the Financial Cup, like the regularly scheduled exercises, involve reverse-engineered malware running in secured environments.

Rosenman said Cyberbit is an originally Israeli (now international) company that hires cybersecurity researchers to help build its platform, which the company calls a cyber range — akin to a shooting range. Israel is famously (and infamously) a cybersecurity powerhouse, and many of the cybersecurity researchers on the Cyberbit team have military backgrounds.

NATO Ministers of Defence Summit

The annual event, while not specifically tied to the war in Ukraine, could prove to be opportune for financial institutions.

April 20

Rosenman used Log4J as an example of how realistic Cyberbit's simulations are.

"Once that attack came out, our malware researchers immediately found it and were able to reverse-engineer it and add it as an exercise in our platform," Rosenman said. "Our customers — literally within a day of the Log4j attack being out — already had the option to train and prepare for it in the cyber range."

Cyberbit also has a team of training specialists who work with the cyber researchers to turn their knowledge about exploits into educational material — specifically, lessons and simulations. The combination of training specialists and cybersecurity experts, Rosenman said, ensures that the lessons and exercises Cyberbit provides are both realistic and educational.

Ongoing tests

The tournament is part of a tradition of FS-ISAC to host regular cyber exercises. The center organizes the exercises into series, including one focused on the security of payments systems (with one such exercise ongoing) and others on broader cyber threats to banks and other financial services companies.

"Exercises take a wide variety of forms, from tabletop to live-fire, and have varying levels of sophistication and focus, from the purely technical to the business impact," said Teresa Walsh, global head of intelligence for FS-ISAC.

Past participants in these exercises cite the importance of hands-on experience for their teams in responding to cyber attacks, something Cyberbit — a company that runs some exercises on FS-ISAC's behalf — prides itself on making as realistic as possible.

"As financial institutions look to operate with sound cyber resiliency to enable secure and stable operations, the FS-ISAC cyber exercises allow our teams to remain current on cyber trends to identify learnings and test our responses, while keeping our customers and colleagues safe," said Glenn Foster, chief information security officer for TD Bank Group.

These ongoing exercises can prove to be "prescient," according to Walsh, who said that a 2007 exercise following avian flu outbreaks in Asia led to the development of the financial sector's All Hazards Playbook.

This playbook was activated in January 2020 and formed the backbone of the sector's early COVID-19 pandemic response, Walsh said.

According to Walsh, the power of these exercises is also in addressing the gaps they expose, which is part of the function the Financial Cup will serve next month.

Innovative organizations […] understand that it's a lot about the people, and not just about the tools.
Sharon Rosenman, chief marketing officer for Cyberbit

Muscle memory

The tournament, regular exercises and NATO collaboration all stem from a belief FS-ISAC and Cyberbit hold about the importance of developing financial institutions' toolkits and talent to face rapidly evolving cyber threats — and that people are the most important element.

"Innovative organizations are adopting new ways to upskill their teams," Rosenman said. "They're looking at these next-generation means of skill development because they understand that it's a lot about the people, and not just about the tools."

Just as software companies constantly release security patches for software, so too must financial institutions constantly train their teams on novel security threats, according to FS-ISAC's Walsh.

"Cyber threat actor tools, techniques, and procedures constantly evolve; so too must we constantly evolve our cyber defenses," Walsh said. "It makes much more sense to figure out any vulnerabilities in cyber defenses in a simulated scenario than to have to address them in the midst of an actual incident. Sports teams practice running plays against a wide variety of potential moves by their opponents; they do not leave honing their defenses to game day."

The opening ceremonies of the International Cyber League Financial Cup are Oct. 6, and the first round of the tournament will begin five days later. The tournament is organized into two rounds, with the final round ending Oct. 25. Member banks of FS-ISAC have until Sunday, Oct. 2 ,to register their team for the tournament.

For reprint and licensing requests for this article, click here.
Cyber security Technology
MORE FROM AMERICAN BANKER