Data Driven Futures

BoE uses automated detection to counter hacks

Written by Hannah McGrath

The Bank of England (BoE) has turned to automated technology in order to keep up with the growing threat of cyber attacks from rogue states, its heads of technology and infrastructure have told FStech/NTN.

In an exclusive interview with FStech, Neal Semikin, head of technology infrastructure and security, and David Ferguson, a technology management principal, highlighted the critical role of new technologies and automated threat detection as they warned that the BoE is under regular attack from malicious actors and cyber criminals attempting to hack their systems.

“People will try and attack us regularly” Semikin explained, “It tends to go in peaks and troughs, you see unusual behaviour and scanning going on and it will peak for a month and then drop off again, whether they’ve found another target or whether or not they’ve found there isn’t a weakness; if they can’t breach you they will move on to another target.”

He added that the BoE had invested heavily in cybersecurity platforms and technology products in order to remain one step ahead of attackers, including rogue state actors who are looking to disrupt the bank’s internal functions as a provider of critical national infrastructure.

“The biggest threat to cyber is the people aspect,” said Semikin. “We are a critical national infrastructure provider, so we are always mindful that state actors are probably one of the key areas that are potential threat to us.

“There is that case of run a bit faster than the other guy behind you so that you’re not the target,” he added.

Semikin said one of the principal hacking methods seen by the BoE’s 70-strong cyber security team is email phishing, with attacks attempting to access the systems through malware sent to members of staff.

“We see a lot of phishing,” he said. “Staff play a huge role, and we put a lot of effort into training our staff not just at the bank, but in their home life as well to make sure they are aware of this threat, because they are probably the first point of contact when it comes to phishing.”

As a result, the bank is thinking like the hackers in order to anticipate their next move. “Understanding the mode of operation of an attacker, how they go about their attack, looking at the killchain, how you might detect that through a kill chain,” said Semikin.

The pace at which state-sponsored hackers and increasingly sophisticated cybercriminals are able to adapt their methods is also a growing threat for businesses and the wider economy more generally, he explained.

“That is a big threat though because even those nation state actors’ techniques filter down now to the financial crime groups and hacktivists, so you know it’s keep an eye on both groups because it doesn’t take very long these days for those methods of attacking you to filter down,” Semikin said.

As a result the BoE’s cyber security teams have adopted both a resilience mindset and a hacking mindset with a variety of diverse points of view.

“We don’t want group think at this stage,” Semikin said. “The attackers aren’t doing that, they’re charged with coming up with inventive ways of breaching us, we need that same sort of thought process within the bank.”

Ferguson said the threat landscape is changing at an unprecedented rate, meaning the BoE is now adopting automated processes in order to free up staff time to carry out the more sophisticated tasks and intelligence-led threat detection.

“Historically if you take a look five years ago, the threat landscape wasn’t evolving as quick as it was today, we didn’t have the whole sort of vulnerability to weaponization from 48 hours,” he stated. “Any task that is frequently repetitive, it needs to be automated and that way we free up people to work on things such as reading the threat intelligence data, understanding what are the human threats, what are the business problems.”

However, regardless of the patching, scanning and platforms upgrades businesses undertake on a regular basis, Semikin echoed a warning made by Ciaran Martin, head of GCHQ’s National Cyber Security Centre, that a major cyber attack on the UK’s critical national infrastructure was inevitable in the coming years.

He advised business to ensure their systems are robust enough to recover quickly from potential breaches. “It’s about having an operational resiliency mindset and to plan for when these things happen, not if they happen; to think you will not have a cyberattack at some stage is a little bit dangerous.

“You need to consider that this will happen to you and we are very clear that we are planning for when we are breached not if, so it’s about making sure you have really resiliency response plans, detection capability and a real robust back up approach so that you can recover from these things.”

Both emphasised the pressing demand for a workforce with cybersecurity skills, insisting that having the technology was “pretty worthless” unless it can be used by a new generation of security experts to build an evolving cybersecurity skillset.

They are hoping to encourage a diverse generation of data scientists and mathematicians and students of other disciplines to consider careers in cybersecurity.

“We want to get teenagers involved in hacking. When I went to the event, youngsters feel they could get paid for hacking, but you can get paid for hacking - ethical hacking,” Semikin said.

Darron Gibbard, chief technical security officer at Qualys, which has provided the BoE with a white labelled version of its cybersecurity scanning software platform for the last year, said that state hackers and cyber criminals would have to work very hard to breach BoE defences.

“It’s so well protected because the Bank of England is effectively a closed shop, so network access is restricted, it’s a very shut off environment,” he added, explaining that the BoE manages its own cybersecurity in house using Qualys as an underlying software.

However, Gibbard warned that one of the most significant threats he has seen to organisations remains the risk of a “revenge” type attack from employees or those who have been targeted by criminals using more traditional methods to hold staff to ransom.

“Disgruntled employees or people have been coerced is still one of the biggest threats are still one of the biggest threats to organisation and it’s not changed. People can be influenced whether it’s blackmail, whether it’s extortion, whether it’s spying, the worst case kidnap, ransom, all that kind of horrible stuff, but that’s stuff for higher level organisations.”