Archived News

Existence of fileless malware confirmed: What can be done?

Anne Benigsen, CISSP, Bankers’ Bank of the West (posted February 17, 2017)

There is always something looming on the horizon when it comes to information and cybersecurity. This could be the year of a highly advanced threat known as fileless malware, which was used recently to steal more than $1 billion through banks. Many industry experts believe two hacker groups, Carbanak and GCMAN, were responsible for those thefts.

The buzz began with the 2015 discovery by Kaspersky, the cybersecurity developer, of an infection of its network that was caused by a new type of malware derived from Stuxnet, a nation-state-sponsored worm. What made the malware remarkable was that it created no permanent files and left no traces on any hard drive. Instead, it resided solely in the memory (RAM) of the computer. So after the computer was shut off, there was no evidence.

Now hackers are starting to use variants of fileless malware to get a foothold into a system, and then use regular Windows tools for financial gain—by, among other things, installing legitimate products that can be used for nefarious purposes.

Kaspersky Lab discovered this variant recently and, after doing an international study, found it on 140 enterprise networks, including financial institutions in the United States. It’s reasonable to assume many more financial institutions are compromised because most are outside of the enterprise tests performed by Kaspersky.

These protective measures are recommended for financial institutions:

  • Change passwords. That means all passwords—not just into user accounts, but into firewalls, routers, switches, and other appliances.
  • Utilize two-factor authentication (2FA) or multifactor authentication for more services and in-house programs or portals.
  • Maintain a high level of proficiency within your in-house or third-party experts.
  • Ensure you have detection and prevention tools that are regularly upgraded and sourced through industry leaders.
  • Make sure your in-house or third-party information and cybersecurity team understands the “indicators of compromise” for this threat.

The threat landscape has gotten more sophisticated, and we must be able to understand, detect and remediate new threats, even when we cannot prevent them.

What’s InTREx?

Posted September 13, 2016

On July 1, the FDIC released the Information Technology Risk Examination program (InTREx), which replaced its IT risk management program.

Since the release, several states have adopted InTREx, and more states are likely to follow suit. One reason: InTREx is considerably smaller than most IT risk questionnaires, and it has a quantifiable ability to determine scope and resources needed for exams. Many states have modified the program to fit their needs; they also have the option of building sections to further define each exam.

At least 90 days prior to an IT exam, the bank will receive an Information Technology Profile from FDIConnect. The profile is made up of 26 questions, under the categories of: Core Processing (4); Network (6); Online Banking (4); Development and Programming (1); Software and Services (2); and Other (9).

For the examination, banks will be assessed using four core analysis modules: Audit; Management; Development and Acquisition; and Support and Delivery. Two workpapers contained within InTREx—one covering information security standards and one applicable to cybersecurity—are referenced in the core analysis modules.

Also built into the document are two expanded analysis sections—one specific to management, the other pertaining to support and delivery. Examiners may opt to complete either or both expanded sections if certain procedures are not specifically addressed in the core modules, or if an examiner determines the bank needs additional analysis.

All questions and referenced materials (modules, expanded sections, workpapers) are incorporated in the downloadable InTREx document, which is posted to the FDIC website via this link:

InTREx will markedly change how a bank prepares for and conducts IT examinations and audits. The new InTREx process can help banks wanting to adopt a more proactive stance to risk while devising their IT strategy. Overall, a bank that completes the initial questions and reviews the modules and workpapers will be better prepared for an exam by the FDIC or by a state that has adopted InTREx.

InTREx is also a publicly available, examiner-approved and organized way to internally audit a bank’s IT functions with a heavy emphasis on cybersecurity.