close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Netskope
                                      Threat Labs Report:
                                      Banking 2024

                                      This report highlights what the banking industry is doing to combat its top cybersecurity threats, which include social engineering, malicious content delivery, and data security.
                                      Netskope Threat Labs Report
                                      9 min read

                                      In This Report link link

                                      • Adversaries targeting victims in the banking industry are focused on financial fraud, using phishing as one of their main strategies to steal bank account details and banking login credentials.
                                      • The top adversary groups targeting the banking industry in the past year were criminal groups TA577 and Indrik Spider operating out of Russia. The top malware families included the downloader SLoad, the infostealer AgentTesla, and the JavaScript-based malware FakeUpdater and Parrot TDS.
                                      • The banking industry mitigates the risk of users leaking regulated data to genAI apps by deploying more aggressive controls than other industries, including aggressive blocking strategies and real-time DLP policies.
                                      test answer

                                      Introduction link link

                                      This report focuses on three types of threats the banking industry faces:

                                      • Social engineering – Adversaries use tactics including phishing and impersonation to exploit human behavior and bypass security measures.
                                      • Malicious content delivery – Adversaries attempt to trick their victims into accessing malicious content on the web or in the cloud.
                                      • Data security – Data security is at risk from external adversaries in targeted breaches and insiders mishandling data.

                                      Social Engineering link link

                                      Social engineering is among the banking industry’s most significant cybersecurity threats. Social engineering includes phishing, fake software updates, tech support scams, and Trojans. Phishing is one of the most common tactics, with 3 out of every 1000 individuals working in banking clicking on a phishing link each month, which aligns with other industries. The victims click on links in various places, including email, messaging apps, social media, ads, and search engine results. Adversaries targeting the banking industry focus on financial fraud, so their phishing targets align with that objective. Instead of targeting cloud apps–common in other sectors–adversaries create phishing pages that look like the target banking institutions’ websites to steal bank account details and bank portal login credentials and commit financial fraud. The following chart breaks down the most common targets, where more than half of the clicks were on links mimicking banking institutions.

                                       

                                      Malicious Content Delivery link link

                                      Netskope leverages its Advanced Threat Protection engines to prevent 1 out of every 100 individuals working in banking from accessing malicious content on the web or in the cloud monthly. This malicious content takes multiple forms, including malicious JavaScript content that the browser executes and malware downloads that the victim must execute. The top five families that recently used to target the banking industry are listed below.

                                      Downloader.SLoad (a.k.a Starslord) is a downloader often used to deliver Ramnit.

                                      Infostealer.AgentTesla is a .NET-based Remote Access Trojan with many capabilities, including stealing browsers’ passwords, capturing keystrokes, and stealing clipboard content.

                                      Trojan.FakeUpdater (a.k.a. SocGholish) is a JavaScript downloader that delivers various payloads, including Dridex and Azorult.

                                      Trojan.Parrottds is a JavaScript-based traffic direction system that has been used to redirect traffic to various malicious locations since 2019.

                                      Trojan.Valyria (a.k.a. POWERSTATS) is a family of malicious Microsoft Office documents that contain embedded malicious VBScripts, usually to deliver other malicious payloads.

                                      Netskope Threat Labs tracks adversaries actively targeting Netskope customers to understand their motivations, tactics, and techniques, so that we can build better defenses against them. We generally categorize adversary motivations as either criminal or geopolitical. The two top adversary groups targeting the banking industry over the past year were criminal groups based in Russia.

                                      TA577

                                      Location: Russia
                                      Motivation: Criminal
                                      Aliases: Hive0118

                                      TA577 has been targeting multiple industries worldwide, delivering malware payloads, including Qbot, Ursnif, and Cobalt Strike.

                                      Indrik Spider

                                      Location: Russia
                                      Motivation: Criminal
                                      Aliases: Evil Corp, Manatee Tempest, DEV-0243
                                      Mitre ID: G0119

                                      In their early days, Indrik Spider primarily used the banking Trojan Dridex before pivoting to ransomware and using BitPaymer, WastedLocker, and Hades. Indrik Spider frequently uses JavaScript to deliver their payloads and uses the popular red team tool Cobalt Strike to establish persistence in victim environments.

                                      Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear to come from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same tooling or infrastructure. Defining adversary groups can be challenging as groups evolve or members move between groups. Adversary attributions are fuzzy and subject to change and evolve as new information comes to light.

                                       

                                      GenAI Data Security link link

                                      The most urgent security risks for organizations using genAI apps are data-related, and users are the critical actors in causing and preventing those risks. There are two angles to these risks.

                                      • Input: What data do users send into genAI apps?
                                      • Output: How do users leverage the outputs they receive from genAI apps?

                                      For the input, the primary risk is data leakage. For the output, the risks include correctness (genAI apps are very good at providing hallucinations and misinformation) and legal concerns (many companies trained their genAI apps on copyrighted or licensed content). This report focuses on the inputs since protecting sensitive data is typically the highest priority for most organizations.

                                      Conservative adoption

                                      The banking industry has succeeded in slowing GenAI adoption by adopting more aggressive policies to restrict its use. 93% of banking organizations block at least one genAI app, whereas the worldwide average is only 77%. Furthermore, banking organizations blocking genAI apps tend to block more genAI apps than their counterparts in other industries. The following figure shows that the average number of genAI apps that a banking organization blocks has increased from 5 a year ago to almost 9 today, with the top 25% of organizations blocking at least 24 apps. In contrast, the global average is only 2.6 apps, with 12 apps in the top 25% of organizations.

                                       

                                      The apps with the most blocks include apps from multiple categories, including writing assistants, chatbots, image generators, and audio generators, bearing many similarities with global trends.

                                      Threat Labs Report: Banking 2024 - Most blocked AI apps by percentage of organizations enacting a blanket ban on the app

                                      On the other hand, the most popular genAI apps in the banking industry include chatbots, writing assistants, copilots, and note-taking apps, mirroring many global trends.

                                      Organizations in the banking industry control access to allowed genAI apps using a combination of controls, including data loss prevention (DLP) and real-time user coaching. DLP as a genAI control is popular in the banking industry, with more than half of all organizations using it to restrict sensitive information from flowing into genAI apps, compared to a 43% global average. In banking, a highly regulated industry, the most common type of sensitive data uploaded to genAI apps is unsurprisingly regulated data, where DLP controls help prevent such data from being disclosed to third-party genAI vendors.

                                      The genAI controls used in the banking industry have been very effective. The industry sees generally lower genAI adoption than other industries, with 87% of organizations using genAI compared to the global average of 97%. Although adoption continues to increase, it is doing so modestly, rising 7 points in the past year. Similarly, the average number of genAI apps used in each organization, 6, is lower than the global average of 9.6.

                                       

                                      Recommendations link link

                                      Netskope Threat Labs recommends organizations in the banking sector review their security posture to ensure that they are adequately protected against these trends:

                                      • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads from all categories and applies to all file types.
                                      • Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected.
                                      • Configure policies to block downloads from apps and instances that are not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
                                      • Configure policies to block uploads to apps and instances that are not used in your organization to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
                                      • Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
                                      • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.

                                       

                                      Netskope Threat Labs link link

                                      Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DefCon, BlackHat, and RSA.

                                       

                                      About This Report link link

                                      Netskope provides threat protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope One platform relating to a subset of Netskope customers with prior authorization.

                                      This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats in this report are based on the period starting May 1, 2023 through April 30, 2024. Stats are a reflection of attacker tactics, user behavior, and organization policy.

                                      Threat Labs Reports

                                      In the monthly Netskope Threat Labs Report, you will find the top 5 malicious domains, malware, and apps that the Netskope Security Cloud platform blocked plus recent publications and a threat roundup.

                                      Threat labs

                                      Accelerate your security program with the SASE Leader