SWIFT Engages BAE Systems and Fox-IT to Bolster Threat Intelligence Sharing
When news of a series of attacks against member banks using the SWIFT financial messaging network emerged earlier this year, it was clear that something had to be done.
At least two of these attacks were successful, with $81 million stolen from the Bangladesh central bank and $12 million stolen from Ecuador’s Banco del Austro. In each case attackers compromised ‘originating’ banks and were then able to generate ‘authentic’ instructions for reserve banks to transfer funds to accounts held by the attackers.
At no time were the SWIFT network or the reserve banks compromised. Nevertheless, both have been held to blame by the victim banks — and SWIFT is the common factor in all cases.
SWIFT responded quickly with a five-point plan to bolster the security of the system, with ‘improved threat intelligence sharing’ as the headline. How this was to be achieved was not at that stage explained.
However, SWIFT has now announced that it has engaged the services of BAE Systems and Fox-IT to “complement SWIFT’s in-house cyber security expertise and work closely with SWIFT’s newly formed Customer Security Intelligence team to support SWIFT’s customer information sharing initiative and to help strengthen cyber security across the global SWIFT community.”
The two cyber security firms will monitor the customer banks’ systems, merge any threat intelligence they gather with their own existing global threat intelligence, and provide forensic services if and when required. Where necessary, threat data will be shared through SWIFT to the wider SWIFT community. SWIFT itself will remain one step removed from the process.
SWIFT is in a difficult position. It is owned by its members. It cannot easily impose its own security preferences and standards on its owners. But perhaps more importantly, it cannot block any members whose security is deemed wanting. Doing nothing, however, is no longer an option.
If we take the hypothetical case that BAE Systems and/or Fox-IT detect indicators of compromise on a customer bank’s network, all SWIFT is able to do is inform the entire network of that threat. If the customer bank declines to remediate or solve the detected threat, SWIFT cannot — or at least certainly does not intend to — block that bank’s usage of the network.
However, it will share the BAE Systems and Fox-IT intelligence with every other bank on the network. It is then up to those banks to accept or reject any money transfer requests from the suspect bank — and it is likely that all requests will be rejected unless or until the originating bank can satisfactorily prove that the requests are valid and genuine.
This approach allows SWIFT to improve the security stance of the network, without actually getting involved in the security practices of its own members.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
