ReliaQuest is proud to announce the publication of our Finance & Insurance Sector Threat Landscape report, which provides a detailed overview of the rapidly evolving threat landscape facing these organizations. This sector is targeted by cybercriminals because of its vast sensitive data stores, its perceived ability to pay ransoms, and its susceptibility to the market-crippling or trust-eroding impact of breaches.
In this blog, we’ll summarize the key themes of the report, including analysis of the most pressing threats, common MITRE ATT&CK techniques used against this sector, ransomware trends, and dark web insights.
Top MITRE ATT&CK Techniques Targeting the Sector
The most common MITRE ATT&CK techniques observed in the last year include:
T1059.003 – Command and Scripting Interpreter: Windows Command Shell (29.18%)
T1087.002 – Account Discovery: Domain Account (19.56%)
T1059.001 – Command and Scripting Interpreter: PowerShell (17.26%)
T1207 – Rogue Domain Controller (17.25%)
T1046 – Network Service Discovery (16.76%)
Initial Access Vectors
Threat actors frequently use “exploit public-facing applications” (T1190) and “phishing via spearphishing attachments” (T1566.001) to infiltrate networks in this sector and execute malicious activities. These techniques commonly bypass initial security barriers by exploiting technical vulnerabilities and human factors.
Post-Ingress Techniques
Following ingress, attackers use tools like Windows Command Shell and PowerShell for command and scripting, and Domain Accounts for account discovery. These methods enable command execution, task automation, and privileged access, facilitating lateral movement across networks. ReliaQuest research found that PowerShell and Windows Command Shell accounted for almost 50% of observed execution techniques in true-positive customer incidents in 2023.
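As an added example that is not ReliaQuest's code or tooling, the script below shows how a detection team might tag Windows process-creation events with the technique IDs listed above (T1059.001, T1059.003, T1087.002, T1046) and tally them into the kind of per-technique share the report presents. The five log lines are constructed in a Sysmon/4688-style key=value layout; the matching rules are deliberately narrow and are assumptions, not a vendor rule set.

```python
"""Map constructed Windows process-creation events to ATT&CK technique IDs.

Added example (not ReliaQuest's code). Sample events are constructed; the rules
cover only the techniques named in the post and are intentionally simple.
"""
import re
from collections import Counter

# Constructed sample events (not real telemetry), Sysmon/4688-style key=value.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\net.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="net user /domain"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="powershell -nop -w hidden -enc SQBFAFgA"',
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="cmd.exe /c whoami"',
    'EventID=1 Image=C:\\Tools\\nmap.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="nmap -sS 10.0.0.0/24"',
]

# key=value pairs; values may be double-quoted because command lines contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return one log line as a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the sorted list of ATT&CK technique IDs the event matches."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = set()
    if image in ("powershell.exe", "pwsh.exe"):
        hits.add("T1059.001")       # Command and Scripting Interpreter: PowerShell
        if "get-aduser" in cmd or "get-adgroupmember" in cmd:
            hits.add("T1087.002")   # Account Discovery: Domain Account via AD cmdlets
    if image == "cmd.exe":
        hits.add("T1059.003")       # Command and Scripting Interpreter: Windows Command Shell
    if image == "net.exe" and "/domain" in cmd and any(w in cmd for w in (" user", " group")):
        hits.add("T1087.002")       # Account Discovery: Domain Account via net.exe
    if image in ("nmap.exe", "masscan.exe"):
        hits.add("T1046")           # Network Service Discovery
    return sorted(hits)


def encoded_powershell(event):
    """True when a PowerShell launch uses an encoded command switch (-e, -enc, -encodedcommand)."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    return image in ("powershell.exe", "pwsh.exe") and re.search(r"\s-e(nc(odedcommand)?)?\s", cmd) is not None


def technique_shares(lines):
    """Count technique hits and express each as a percentage of all events, as the report does."""
    counter = Counter()
    for line in lines:
        counter.update(classify(parse_event(line)))
    total = len(lines)
    return {tid: (n, round(100.0 * n / total, 2)) for tid, n in counter.items()}


if __name__ == "__main__":
    for tid, (n, pct) in sorted(technique_shares(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1][0]):
        print(f"{tid:10} {n:3d} ({pct}%)")
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        if encoded_powershell(ev):
            print("encoded PowerShell launch:", ev["CommandLine"])
```

The encoded-command check is kept separate from the technique mapping on purpose: T1059.001 fires on every PowerShell launch and is mostly benign on its own, so the share it contributes says little about severity, whereas a hidden-window encoded launch is the kind of attribute a triage rule should surface.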
GreyMatter and Dark Web Insights
Below, we share key metrics that show the average SecOps performance of organizations in this sector, including mean time to resolve (MTTR) and mean time to contain (MTTC).
MTTR refers to the average time taken from the detection of an incident until its full resolution, measuring the efficiency of an organization’s incident response process in restoring normal operations, with a lower MTTR indicating faster recovery.
MTTC is the average time taken to stop a threat and prevent further damage once an incident is detected, focusing on how quickly an organization can contain and mitigate the impact of a security breach, with a lower MTTC demonstrating a faster, more effective incident containment process.
Our analysis found that:
The MTTR for Finance and Insurance customers is 3.78 days, which represents a 56.9% improvement over last year. However, this number can be further reduced with additional enhancements in AI and automation.
The finance and insurance sector’s average mean time to contain an incident is about 4 hours for organizations using manual response strategies, compared to 4 minutes for those using ReliaQuest automated response plays (ARPs).
Many CISOs hesitate to adopt automation due to concerns about false positives and regulatory compliance, contributing to longer resolution times.
MTTC often proves to be a more valuable metric than MTTR because it measures the time taken to stop a threat and prevent further damage, directly reducing the impact of an incident.
The finance and insurance sector’s average MTTC is 4 hours with manual response; this drops to 4 minutes with ReliaQuest ARPs enabled.
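To make the two metrics concrete, here is an added example (not ReliaQuest's code) that computes MTTC and MTTR exactly as defined above from a handful of constructed incident records, split by response mode. The records, the `response_mode` labels ("manual" / "automated") and the ISO 8601 timestamp layout are assumptions about how a SOC might tag its tickets; the numbers are illustrative and do not reproduce the report's figures.

```python
"""MTTC and MTTR from incident timestamps.

Added example (not ReliaQuest's code). Incident records are constructed;
MTTC = mean(detected -> contained), MTTR = mean(detected -> resolved).
"""
from datetime import datetime, timezone
from statistics import mean

# Constructed incident records (UTC). response_mode is an assumed ticket label.
INCIDENTS = [
    {"id": "INC-001", "detected": "2024-03-01T09:00:00Z", "contained": "2024-03-01T12:00:00Z",
     "resolved": "2024-03-04T09:00:00Z", "response_mode": "manual"},
    {"id": "INC-002", "detected": "2024-03-02T10:00:00Z", "contained": "2024-03-02T15:00:00Z",
     "resolved": "2024-03-06T22:00:00Z", "response_mode": "manual"},
    {"id": "INC-003", "detected": "2024-03-03T08:00:00Z", "contained": "2024-03-03T08:03:00Z",
     "resolved": "2024-03-05T08:00:00Z", "response_mode": "automated"},
    {"id": "INC-004", "detected": "2024-03-04T11:00:00Z", "contained": "2024-03-04T11:05:00Z",
     "resolved": "2024-03-07T23:00:00Z", "response_mode": "automated"},
]


def _ts(s):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(incident):
    """Reject records whose timestamps are out of order; they would silently skew both means."""
    d, c, r = _ts(incident["detected"]), _ts(incident["contained"]), _ts(incident["resolved"])
    if not (d <= c <= r):
        raise ValueError(f"{incident['id']}: timestamps must satisfy detected <= contained <= resolved")
    return incident


def minutes_between(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 60.0


def _select(incidents, mode):
    rows = [validate(i) for i in incidents if mode is None or i["response_mode"] == mode]
    if not rows:
        raise ValueError(f"no incidents for response_mode={mode!r}")
    return rows


def mttc_minutes(incidents, mode=None):
    """Mean time to contain in minutes: detection to containment, optionally per response mode."""
    return mean(minutes_between(i["detected"], i["contained"]) for i in _select(incidents, mode))


def mttr_days(incidents, mode=None):
    """Mean time to resolve in days: detection to full resolution, optionally per response mode."""
    return mean(minutes_between(i["detected"], i["resolved"]) for i in _select(incidents, mode)) / (60.0 * 24.0)


def improvement_pct(previous, current):
    """Percentage reduction of a metric against the previous period (positive means faster)."""
    return 100.0 * (previous - current) / previous


if __name__ == "__main__":
    print(f"MTTC manual:    {mttc_minutes(INCIDENTS, 'manual'):.1f} min")
    print(f"MTTC automated: {mttc_minutes(INCIDENTS, 'automated'):.1f} min")
    print(f"MTTR overall:   {mttr_days(INCIDENTS):.2f} days")
```

Note that MTTC only depends on the containment timestamp, so an automated play that isolates a host within minutes moves MTTC dramatically even when the full investigation and cleanup (MTTR) still take days; that is the distinction the post draws between the two metrics.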
Signals from the Shadows: What We Are Seeing on the Dark Web
Posts targeting the finance and insurance sector are common on dark web forums. For instance, a user on the XSS forum claimed to have used AI to create a sophisticated banking trojan coded in C# that targets the Windows operating system, focusing on accessing online banking accounts and stealing user credentials.
Another XSS user revealed that they now focus on targeting banks rather than carding because “bank work” is much more successful. The user disclosed compromising bank accounts via “calls and working live panels,” indicating the use of vishing and phishing pages to obtain initial access.
Cyber Threat Forecast for Sector
In the short to medium term, all industries will likely suffer from the automation, scale, and accessibility that AI brings to cyber attacks. However, the finance and insurance sector should pay particular attention to cryptojacking, hacktivism, and advanced persistent threat (APT) groups.
Cryptojacking attacks: Malware infiltrates networks to mine cryptocurrency, often spread through malicious websites, phishing emails, and exploiting vulnerabilities. With a 659% rise in global cryptojacking, both cybercriminals and nation-state-backed APT groups will pose significant threats, given the sector’s vast computational resources.
Hacktivism: Financial institutions will continue to be prime targets for hacktivist groups conducting DDoS attacks to advance political or social agendas. Worsening geopolitical conflicts in Europe and the Middle East will further heighten these risks.
APT groups: State-sponsored actors, particularly from North Korea and Iran, will aim for prolonged, undetected network persistence to circumvent sanctions, and steal money. APT groups will continue to use sophisticated tactics, including Living-off-the-Land (LotL) techniques, to remain undetected. Securing sensitive digital assets and enhancing transaction security are critical for the sector.
Key Takeaways
The finance and insurance sector faces a multifaceted threat landscape. Despite the sector’s robust security measures, its reliance on widely used consumer applications and complex interconnected systems makes it a prime target for attacks leveraging both technical vulnerabilities and human factors. The sector must prioritize strengthening defenses against these threats by leveraging advanced detection rules and adopting automation for quicker incident response.
ReliaQuest research is dedicated to equipping organizations with the critical knowledge and strategies needed to anticipate and combat cyber risks and make security possible. This commitment aligns with our mission to increase visibility, reduce complexity, and manage risk, thereby significantly mitigating the impact of cyber threats on global security.
The information provided here is just an overview of the threats facing the finance and insurance sector. To gain a comprehensive understanding and explore the full extent of the cyber threats this industry is facing, read our full report.