An increasing number of banks are thinking like the people trying to breach their defenses by simulating attacks on their systems and are working with hacking communities to do the work for them, according to a risk and compliance report by the American Bankers Association (ABA).
"I could compare it to an arms race," Nicholas Antill, senior vice president and senior security manager at PNC Bank, told the ABA. "We are constantly improving what we do. And as banks become better at security, cyber criminals must improve their skill set to attack banks. It is constant on both sides."
Black, gray and white testing
One of the main forms of simulations banks are running is called penetration testing, or pentesting.
This type of testing involves attacking an application or network to hunt for weaknesses other security checks miss.
"I recommend banks perform penetration testing first, to get a baseline understanding of the types of security vulnerabilities that exist in banking applications, mobile apps, APIs, networks and cloud infrastructure," Caroline Wong, chief strategy officer at security testing firm Cobalt.io, said in the ABA report.
One type of pentesting takes diffetent forms, based on how much hackers know about the system. In a black-box test, they know nothing about it. In a gray-box test, they know some things about it, and in a white-box test, they're intimately familiar with it.
The next level of self-hack is conducted at a more enterprise level, called red team testing.
There are a few variations of the approach. In one, red-team testers adopt the tactics of a specific, known threat actor and try to achieve a specific objective against a chosen target.
Red teaming is typically done by banks that are at a higher level of security maturity overall, said Wong.
The value of penetration testing over simply using scanning software is that you're adding humans to the mix, said Aaron Shilts, president and COO of vulnerability assessment firm NetSPI.
"If we were bad guys, you know, what would we use to get in?" Shilts told ABA. "How could we get in? What do their defenses really look like? With limited information, it's kind of a good way to simulate how accessible the crown jewels are from the outside."
Common vulnerabilities include outdated code on a machine to untrained employees who are susceptible to phishing emails.
Not all banks have the resources to hire talent to do these types of testing exercises in-house, but there are crowdsourcing solutions available to them.
Some banks use a system operated by Bugcrowd, a cybersecurity firm, that lets members of ethical hacking communities attempt to compromise organizations' systems.
The ABA report points to an exercise by NWB Bank, based in the Netherlands, that tried it.
"If you happen to identify a weak spot in one of NWB Bank's ICT systems, we would like to hear from you so that any necessary measures can be taken swiftly," the bank said in its invitation.
These hacking invitations don't have to involve money. Many in the ethical hacking community are motivated by other types of rewards, including career connections, social recognition and the opportunity to learn about new systems.
It's those kinds of motivations that NWB bank counted on when it invited hackers to try to breach its systems. "This program rewards with kudos only," it said in its invitation. "No monetary disbursements for findings will be provided."