Why Bank Breach Info Often Conflicts
Deciphering Whether Chase Breach Linked to Other Attacks
In the wake of the massive breach at JPMorgan Chase, various media reports, quoting unnamed sources, have suggested that other leading banking institutions and financial services companies were also targeted by the same hackers (see Beyond Chase: 9 More Banks Breached?).
But as Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corp., points out, it can take several months for institutions to gather enough data to draw a clear picture of the details of a network attack.
This is why, says Clancy, whose firm provides clearing and settlement services to U.S. banks, so many reports surrounding the Chase breach and its alleged links to attacks against other institutions offer conflicting details.
"The challenge that we have is attackers have varying tactics; they use different methods to go after infrastructures," Clancy says in this interview with Information Security Media Group.
Details surrounding network attacks, especially in the beginning, are often conflicting and difficult to decipher, he says. That's why it's critical for banking institutions to continually share information to help each other develop meaningful data about emerging attack trends, he contends.
"One institution sees something and says, 'Hey, this is strange,'" Clancy explains. "And a bunch of other institutions look and give feedback," and if they are seeing similar traffic, it likely will raise a flag, he says.
Breach Detection Challenges
But as banking institutions compare traffic patterns from certain IP addresses known to be linked to malicious activity, it can be challenging for them to know whether they've been breached or even probed, Clancy adds. Not all banking institutions have the same level of visibility into their networks, and not all institutions have technology sophisticated enough to give them a holistic picture of attack traffic, he says.
"The technology infrastructure and technical configurations differ" depending on the institution, Clancy says. "The tools have different capabilities depending on the infrastructure. ... So you have to go through the discovery process," he says. And it could take weeks to months to get a full view of what may have been breached.
Without the constant exchange of information among institutions about suspicious traffic patterns, it's impossible for banks to keep up with emerging threats - some of which could be targeting their networks without their knowledge.
During this interview, Clancy discusses:
- Why attack details from law enforcement and groups such as the Financial Services Information Sharing and Analysis Center don't always jibe;
- How information sharing has evolved, and why new tools such as Soltra, an information sharing application recently released by the FS-ISAC, could improve the process; and
- Why banks need to understand their attackers' motives.
Clancy's department at the DTCC comprises information security and information technology risk management. He has enterprisewide responsibility for developing and implementing global security and business continuity policies, standards, guidelines, procedures and threat assessments. He also is the CEO of Soltra and chairs the DTCC Security Steering Committee, which is composed of senior IT management as well as business-line and other corporate managers. Before joining DTCC, he was executive vice president of information technology risk at Citigroup.