FS-ISAC makes collaboration, information-sharing easier for members

Source: FS-ISAC. Hansen.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to safeguarding the global financial system by reducing cyber-risk, has accelerated its development of an information exchange platform for members against the backdrop of the COVID-19 pandemic.

As employees work from home all over the world and organisations are driven to use digital services and tools for the first time, the financial services cyberthreat landscape is being altered beyond the immediate crisis, said FS-ISAC. The need for the financial industry to stay alert, apprised and connected has escalated accordingly.

The Intelligence Exchange platform aims to enhance sector resilience among FS-ISAC's nearly 7,000 members and other industry partners in a time of reduced physical contact at events, exercises, and member meetings, and aims to:

• Facilitate the sharing and consumption of actionable cyberthreat intelligence across the financial sector

• Enable more strategic and in-depth sector analysis from FS-ISAC

• Build strength and trust of peer-to-peer networks

• Enhance the effectiveness of collective efforts to reduce cyber-risk across the global financial system

Amanda Cody, Chief Information Security Officer, FS-ISAC, said the new platform would encourage and enable collaboration and sharing of cyberthreat intelligence across the financial sector. She noted that the Intelligence Exchange would cut how long it takes to share information with the FS-ISAC and also the time taken to share the information back out to members.

“Being strong and resilient is important. Having a number of financial institutions being strong and resilient makes the industry even stronger,” she said.

Intelligence Exchange offers single signon with multifactor authentication and currently has two core digital products: Connect and Share. Connect offers members a secure chat capability so that peers and groups can request or share intelligence under a 'traffic light' system* that specifies how widely that information may be shared. The tool enables industry collaboration with dedicated discussion threads based on topics and communities of interest.

Share is expected to enable faster decision making, and will replace an existing solution called Portal. Available mid-May, Share is an information hub for disseminating threat intelligence that members can customise and embed in their institutional processes and environments. The actionable information is tagged using a taxonomy based on the MITRE Framework for easy organisation. Tag categories can include geography, attack pattern and vendor, enabling members to focus on what is most relevant to them.

“(Members can) give us indicators of compromise that we can take in to do analysis on and put back into the industry so they can consume it,” Cody said. The goal is to allow members to get quality information both from their peers and from the FS-ISAC for business decisions that will allow them to protect their organisations.

While members have always been able to share and request information, Brian Hansen, Executive Director, Asia Pacific highlighted that the Intelligence Exchange platform allows members to connect with each other and do so more quickly, with enriched data, while being able to take advantage of mobile alerts.

“Members have the ability to virtually gather intelligence about threats that are happening in other parts of the world,” he said.

“What they do share with us is shared within the traffic light protocol,” he added. “If they say it's ok to share with everybody we also honour that.”

The first group of FS-ISAC members onboarded to the Intelligence Exchange in early April was the COVID-19 group, which is using Connect for communications specific to COVID-19 related intelligence, cyberthreats and industry developments.

FS-ISAC has also shared that smaller financial institutions and credit unions are at greater risk for cyberthreats as they tend to be less well-defended compared to larger financial institutions. In Q120, member submissions of phishing campaigns to FS-ISAC’s intelligence sharing portal increased by 33%. This indicates a broader trend visible across the threat landscape as cybercriminals look to leverage the uncertainty and panic around COVID-19 to their advantage in phishing campaigns and other tactics.

FS-ISAC also analysed DomainTools’ curated list of more than 92,000 high-risk domains, using a COVID-19 theme to determine the risk to the financial sector. It found that fraudsters and cybercriminals are using these domains to take advantage of the COVID-19 crisis for financial fraud, scams, and potentially malicious activity with a financial-themed lure.

• As of early April 2020, 1,500 domains were high-risk, containing both 'COVID-19' and a financial theme

• From these domains, 44% were categorised as loans, including keywords such as 'loan', 'financing', or 'credit'

• Fourteen percent of domains included insurance, and 3% included 'bailout', 'tax relief', or 'stimulus'

• At its peak in mid- to late March, as the magnitude of the global crisis was realised, scammers and

fraudsters set up an average of 66 financially-themed COVID-19 high risk domains per day. Following a crackdown between April 6 and 13 by domain registrars, only about 200 of

these high-risk domains still exist, with an average age of 28 days. This is a total decrease of 87%,

and takedown efforts and legal action are sure to continue

The rise and fall of this tactic show how quickly cybercriminals adopt and switch strategies, which is why intelligence-sharing among firms is more important than ever, the FS-ISAC said.

“Threat actors will take advantage of whatever trend or threat happens to be (current to) conduct financial fraud, and take advantage of people who might not be aware of what those threats are,” Hansen observed, naming natural disasters, and elections as other favourite topics for cybercriminals.

US-headquartered FS-ISAC has nearly 7,000 member institutions in 70 countries. It provides actionable threat intelligence specific to the financial sector through its intelligence sharing, facilitating communities of interest, and organising resiliency exercises and events tailored for various segments of the financial sector. 

FS-ISAC set up an Asia Pacific Regional Analysis Centre in Singapore in 2017. Within the Asia Pacific region, FS-ISAC has more than 500 members in 18 countries. FS-ISAC’s CERES (CEntral Banks, REgulators, and Supervisors) includes Monetary Authority of Singapore (MAS), Bank Negara Malaysia, and Bank Indonesia as members. This forum is independent from the threat intelligence FS-ISAC provides to its members.

*The US Cybersecurity and Infrastructure Security Agency (CISA) explains the different levels under the traffic light protocol.