Cyber risk landscape, cyber threat intelligence and fostering inter-agency information sharing

2019/07/04 · RESTRICTED

Sivanathan Subramaniam
Deputy Director, Technology Risk Specialist Unit
Risk Specialist and Technology Supervision Department



Page 2: Technology megatrend and innovation in financial services are increasing the attack surface

• Cyber-attacks are growing in intensity and sophistication.
• Broad range of entry points due to the interconnectedness of financial systems exacerbates the risks.
• There is an increasing need for the agencies in Malaysia to enhance cooperation and improve cyber situational awareness.

[Figure: Financial Services Tech Megatrends 2019 - 2023 (AI/ML, FinTech, Blockchain, Biometric, Cloud, OpenAPI) and Cyber Threats Landscape 2019 - 2020 (DDOS, AI-Driven, Malware, APT, IOT-Based, Data Breaches, Phishing, Organized)]

Page 3: Unique characteristics of cyber risk that keep us up at night

• Highly dynamic and rapidly changing cyber threat landscape
• Persistent nature of a campaign by motivated threat actors
• Broad range of entry points (interconnectedness)
• Sophisticated attack can render risk management and business continuity management ineffective
• Cyber-attacks can be stealthy and propagate rapidly
• Often stems from malicious intent

Page 4: Cloud computing will be a global challenge – a global response may be needed

What could go wrong?

• Contagion risk: Multi-tenancy infrastructure increases the attack surface, leading to increased risk of data leakage if the separation controls fail
• Concentration risk: No entity is 100% safe from disaster. Over-reliance on a few providers raises concentration risks to cyber attacks, system failures or vendor bankruptcies
• Competency risk: Shared responsibility model requires FIs to have the competency and maturity to manage security configurations appropriately
• Cost-savings over-exuberance: Higher cost for FIs to specify better security configurations. Not all perceived benefits of cloud computing may be available in the ‘basic’ packages

Possible mitigation

• Evaluate organizational readiness to adopt cloud. For example, are the right skills available? Do cloud processes conflict with other established processes? How does cloud adoption align with enterprise-wide technology framework? Do cloud plans conflict with enterprise culture?
• Monitor and track industry concentration to cloud provider
• Consider possibility of shared supervision of major cloud providers
• Examine trade-off between cost and better security configuration options
• Ensure adequate cloud provider certification

Page 5: Common advanced persistent threat (APT) modus operandi

[Figure: numbered attack flow]

1. Phishing attack
2. Distribute malware
3. Call back
4. Privilege escalation, steal credential
5. Lateral movement
6. Steal DB credential
7. Login DB
8. Data exfiltration

Weaknesses flagged (!) in the figure:

• Unpatched workstation
• Unmanaged privilege access
• Weak local admin password

Page 6: 10 things you probably didn’t know about the dark web

• It’s way more than just what you can’t google
• Friends in dark places: social networks
• Cyber threat actors profiting from exploits
• The role of cryptocurrency
• It’s probably not speaking your language
• Bad actors use the dark web to recruit corporate insiders
• There’s no honor among dark web thieves
• It’s a useful tool for organized crime and one of many sources of CTI
• Thieves and geeks: Russian and Chinese threat actors
• Data leaks aren’t only on the dark web

Page 7: Financial institutions recognize the seriousness of cyber risks but more needs to be done

2018 / 2019 Emerging Operational Risks Survey of Malaysian CROs

• Ranked 01: CYBER THREAT IS BANKS’ TOP EMERGING RISK
• Ranked 05: SOCIAL ENGINEERING ATTACKS AN EMERGING TREND

2017 IT spend of Malaysian domestic banks

• 15% of total annual expenditure is IT-related, of which 3% is invested in IT and cyber security

Page 8: Regulatory requirements aim to raise the minimum standards

Risk Management in Technology

4 key thrusts of the RMiT – Application on a proportionate basis where additional standards are imposed for large FIs

Strong second line of defence for technology risk management

• Fortifying the independent enterprise-wide technology risk function to implement technology risk management and cyber resilience frameworks.
• Designate a CISO responsible for this function

Greater cyber resilience to emerging risks associated with new technologies

• Establishment of Security Operations Centre capabilities to monitor, identify and respond to potential breaches
• Periodic security assessments to provide independent view of the state of the financial institution’s cyber security.

Effective board oversight on IT and cyber risks

• Reviewing and approving IT and cyber security strategic plans and technology risk appetite through a designated board-level committee.

Building resilient IT infrastructure to ensure continued service availability

• Embedding security considerations in the application systems and network services;
• Time limits on unplanned downtime
• Risk controls for cloud computing

Page 9: Building cybersecurity competency is a new focus

Board

• Board should include at least a member with technology competency
• Board members should undergo regular training to understand and appreciate technology risk

First and second line

• Provide continuous training and certification for staff in technology operations, cyber security and risk management

Third line

• Develop professionally certified internal IT audit competency

All staff

• Ensure regular cyber hygiene training for all staff

Page 10: Inter-agency cooperation and information sharing is one of the key components of BNM’s financial sector cyber resilience roadmap

Financial Sector Cyber Resilience Blueprint (2019 – 2023)

1. Key objective: Foster coherent regulations and reduce information asymmetry

Pillars:
i. Promote and institutionalize cyber hygiene practices
ii. Encourage use of cybersecurity ratings
iii. Standardize cyber incident reporting convention
iv. Establish cybersecurity assurance and assessment scheme
v. Develop deep cyber insurance market

2. Key objective: Enhance identification and assessment of evolving cyber threats and vulnerabilities

Pillars:
i. Develop financial systems cyber contagion map
ii. Enhance sectorial cyber threat situational awareness
iii. Establish cybersecurity maturity assessment framework
iv. Strengthen upstream infrastructure

3. Key objective: Enhance detection, response and recovery strategies

Pillars:
i. Increase emphasis on ex-post liability
ii. Enhance analytical response and forensics tactics
iii. Conduct regular cyber-attack scenario analysis
iv. Strengthen continuity of operations and disaster recovery capabilities
v. Promote adoption of emerging cybersecurity solutions

4. Key objective: Promote and expand international and domestic cross-sectorial cooperation

Pillars:
i. Empower industry associations to establish financial sector cybersecurity advisory council
ii. Institutionalize information sharing
iii. Expand biennial national cyber-drill to more FIs
iv. Promote collaborations and research
v. Shape global regulatory discourse on cyber risks

5. Key objective: Uplift human capability, competency and awareness

Pillars:
i. Promote development of sustainable cybersecurity talent pool
ii. Institutionalize cybersecurity awareness and acculturation programs

This is still work in progress

Page 11: Cyber threat intelligence and information sharing

Challenges

• Establishing trust
• Achieving interoperability and automation
• Safeguarding sensitive information
• Quality of received information
• Legal and organizational requirements
• Enabling information consumption and publication
• Attribution

Benefits

• Shared situational awareness
• Improved security posture
• Knowledge maturation
• Greater defense agility

Major Types of CTI Include

• Indicators
• Tactics, Techniques and Procedures (TTPs)
• Threat Intelligence Reports
• Tool Configurations

Establishing Sharing Relationship

• Define the goals and objectives
• Identify internal sources of threat information
• Define the scope of information sharing activities
• Establish sharing rules
• Join a sharing community
• Plan to provide ongoing support for sharing activities

Page 12: 11 key questions to answer before you invest in a cyber threat intelligence solution

❑ Which categories of CTI are most valuable to you?
❑ Who will be using the CTI?
❑ Will CTI be integrated with your existing security processes and infrastructure?
❑ How are finished CTI reports part of your TI strategy?
❑ How much expertise will you need to get started?
❑ Which sources of threat data do you need?
❑ How will your CTI capability scale?
❑ Do you need your CTI delivered in real time?
❑ Do you need an all-in-one solution or separate software tools?
❑ Where is the best place to deploy the solution?
❑ How will you future-proof your CTI investment?

Page 13: Some final words on how to avoid becoming a victim of cyber-attack

• Ensure a proper cyber mindset
• Do the basics
• Use and share cyber threat intelligence
• If you don’t have cyber insurance, get it
• Accelerate your move to cloud (for non-critical systems)

Page 14: The end