BID® Daily Newsletter
Jul 10, 2024

Key Takeaways from a Wiperware Cyberattack Simulation

Summary: What happens to your institution during a wiperware cyberattack, when all your data files are wiped clean? Recently, financial professionals participated in a tabletop simulation of wiperware scenarios. Global Resilience Federation Chairman Bill Nelson shares surprising results from the exercise and tips to help your institution plan for recovery from wiperware attacks.

Wiperware can literally wipe out all your institution’s systems, including backups — are you resilient enough to withstand such a cyberattack? Wiper malware is malicious software that is designed to delete files or destroy data on any device it attacks.
To test the industry’s resilience, NACHA and the Global Resilience Federation (GRF) — a nonprofit that offers multi-sector cyber and physical security information and education — conducted two exercises in March and April of this year. These exercises were based on the Operational Resilience Framework, developed in conjunction with industry stakeholders and financial regulators.
The goal was to test the operational resilience of financial institutions and help them assess how to reach minimum viable service levels after a wiperware attack that included an outage of ACH payment systems. That way, even if they couldn’t be completely up and running, they could at least deliver direct deposits, online bill payments, and other key services.
We invited Bill Nelson, Chairman of the GRF, to be a guest writer for this article and share information about the tabletop exercises and the insights gained through them. Here’s what he shared:
The Tabletop Exercise Process
The March exercise had 260 registrants and the April exercise had 420 — close to 700 total. Players came from banks, credit unions, and core processors. Players came from professions including IT (29%), operations (38%), risk management, business continuity, & compliance (28%), communications (1.5%), and treasury management (2.5%).
During each four-and-a-half-hour exercise, we conducted three segments:
  1. We started with the scenario that we didn't have a lot of information on what was happening. We played video recordings of fictional news stories with interviews in front of the Federal Reserve after the ACH network was disrupted, in order to get the players into the mindset that it was a real event. Actors portraying consumers made comments like, “I couldn't get my direct deposit today,” or “I couldn't make my bill payments online.”
  2. In the second segment, we introduced reports that indicated this was a destructive malware attack and hundreds of institutions were affected. 
  3. The third segment took place on day five after the attack, and most of the fictional institutions were back up and running, but there were still a few hundred that weren't because they did not have adequate operational resilience policies and procedures.
Later in the scenario, we had some additional attacks, including a distributed denial-of-service (DDoS) attack in which customers couldn't access their online banking. Surprisingly, we found that more than half of the participants don’t employ DDoS remediation services. More than half of our attendees reported that they had never taken part in a destructive attack exercise — and 90% found unintended consequences from this event.
Tips for Recovering After a Wiperware Attack
As a result of the tabletop exercise, we identified a few areas where many institutions could benefit from enhancing their approach. The following are some tips to help financial leaders reinforce both their cybersecurity framework and their recovery plans in the event of an outage or attack on their systems.
  1. Knowing your minimum viable service level requirements. You need to determine the timeframe within which you can be back up and running, or at least when you can provide minimum viable service levels. We found through the exercise that only 41% of participants have service delivery objectives to meet these minimum viable service levels. Figure out how you will reinstall all of your functionality, including ancillary capabilities like risk management systems and new customer files. You also need to determine how you’re making decisions on originating transactions if your risk filter containing customers’ transaction limits is still down. Moreover, most financial institutions encrypt their data, but if everything is wiped, then encryption keys may also be wiped. You’ll need a plan to recover data and protect that data again, right away.
  2. Establishing a cybersecurity risk management plan. We also asked participants if they had a cybersecurity risk management control framework in place, and the good news is that close to 90% said yes. We encourage people to refer to the National Institute of Standards and Technology Cybersecurity Framework for guidance.
  3. Preparing for regulatory compliance during an outage. You should consider hiring a forensic company to work with your legal team to meet the legal requirements for reporting. This also protects your interests in terms of making sure the forensic company finds the source of the problem, so you can remediate it.
  4. Creating immutable and distributed backups. The exercise emphasized the concept of having immutable and distributed backups of data and systems architecture. This is a key component of operational resilience. I think a lot of people were not completely aware of the need to have both distributed and immutable backups in place. We also discussed the concept of air gapping — separating an institution’s core operations and its backup system, so the backup is immutable in that it really can't be wiped or distorted because it's out of the institution’s mainstream processing capabilities.
Based on the data we gathered and the feedback from participants, by the end of both exercises, we realized we should provide exercises like this more often. The experience helped many security leaders in the financial industry gain insight into what a wiperware attack would mean not just for their institution, but for the industry as a whole. We hope that there is greater preparedness for those professionals and their companies as a result of participating in the exercises. Our goal is to get to a point where more financial institutions feel ready for such an attack and can minimize their downtime to ensure the least disruption to financial services across the nation.