Lizzie Clark

Threat Intelligence Tools: What Financial Institutions Should Look for

What Banks, Fintechs & Investment Firms Need from Threat Intelligence Tools

In this blog we discuss why financial institutions are prime targets for cybercriminals and what they should look for in their threat intelligence tools.

It’s no secret that organizations in the finance industry are prime targets for cybercriminals, and with the average cost of a data breach in the financial services sector standing at US$6.08m, it’s important these firms have the right threat intelligence tools in their armory to grapple with the threats they’re facing.

Additionally, the introduction of stringent regulations like the European Union’s Digital Operational Resilience Act (DORA) mandates robust cybersecurity measures and continuous resilience testing, so what do financial service organizations need from their threat intelligence tools?

Why financial services are attractive to cybercriminals

Finance organizations handle and manage large amounts of financial data, making them prime targets for cybercriminals. A serious cyber incident could destabilize financial systems, impacting critical infrastructure and the economy.

Cybercrime in the financial sector related to the theft of money and the modification, corruption, or restriction of financial data, including financial algorithms, can cause loss of trust and severe economic disruption. Additionally, the compromise of financial information can be a problem for individuals and corporations, exposing them to social engineering and further cyber attacks.

Money 

Money is the number one motivation for the majority of hackers. The financial sector, which includes insurers, banks, and financial advisors, is a massive target for those primarily motivated by making money.

Hacking financial organizations can potentially allow malicious threat actors to access accounts or personal information that can help a criminal make financial transactions or trick others into revealing more information and sending them money.

Sensitive and personal information

The financial sector uses its wealth of data to provide better client products and services. This data, however, is frequently sensitive or personal data, aka personally identifiable information (PII), attracting the attention of cybercriminals.

Insurance companies, for example, typically collect and process large amounts of personal data to understand the needs of their clients and to provide customized products according to their lifestyles, demographics, risks, and other factors.

This kind of data can be valuable to cybercriminals, who can use it to create more accurate phishing attempts, threaten to destroy or share the data as part of a ransomware attack, or sell the data on the dark web.

Business disruption 

A supply chain attack on the financial services sector can cause massive disruption since it forms a key part of the nation’s critical infrastructure. Other attacks, such as a distributed denial of service (DDoS) attack on a major banking sector organization, can cause severe disruption, impacting logistics, manufacturing, retail, and other daily services.

Denying access to payment methods not only erodes public confidence, which can cause reputational damage, but it also affects private and government organizations by rendering them unable to operate normally.

Digital transformation 

New technologies, such as blockchain and disrupters that modernized payment systems, have led to change in the industry. Rapid change coincides with increases in cybersecurity issues as businesses push forward with technological solutions and may not consider IT security implications until much later.

How financial institutions may be exploited 

Account Takeover 

Account takeover (ATO) is a type of identity fraud where cybercriminals leverage a person’s existing credentials to take control of their financial and credit accounts. This unauthorized access to user accounts can lead to various account takeover attacks. The impacts of a successful ATO can range from a one-time purchase to using the stolen account for other fraudulent activity, usually involving some type of illicit direct or indirect financial gain.  

SWIFT exploitation 

The SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking system is used by banks and other financial institutions to securely exchange information about financial transactions. The platform enables institutions across the world to conduct secure, standardized, and automated messaging for financial transactions and is essential to global commerce.

Dark web carding forums 

Carding is the illegal practice of obtaining, trafficking or using credit card information without authorization, often to purchase prepaid cards. Carding contributes to identity theft, financial losses for individuals and businesses, and a wide range of other cybercrimes, with credit card fraud losses worldwide projected to reach $43 billion by 2026.

Supply chain attacks 

Research from Orange reveals that 58 percent of large UK financial services firms suffered at least one third-party supply chain attack in 2024, with 23 percent being targeted three or more times.

A supply chain attack targets an organization by exploiting vulnerabilities in its supply chain, which includes suppliers, vendors, and other third-party providers. Instead of directly attacking the primary organization, cybercriminals attack the supply chain to gain access to the target’s systems and data. 

Executive threat 

Financial executives should not feel their safety (whether online or offline) is at risk because of their job, and measures should be taken to minimize these threats.  

A 2024 report by GetApp found that 72 percent of senior executives had been targeted at least once by a cyberattack in the previous 18 months. For executives handling sensitive company data, financial transactions, and strategic decision making, being prepared and understanding cyber and physical threats from the dark web is crucial not only to their safety but also to the security of the organization.

Core requirements for financial threat intelligence tools 

So what do financial institutions need to look for in their threat intelligence tools to make their cybersecurity effort more robust? 

Comprehensive data sources 

Due to the multitude of risks financial organizations face from cybercriminals, the threat intelligence tools they choose need a comprehensive data set that covers not only the dark web but also the deep web.

Having access to data that covers not only live information, but deleted posts and threads from forums and marketplaces that contain the likes of BIN lists and SWIFT codes can supercharge the organization’s security efforts. It gives them the power to monitor activity that is happening on the dark web and identify cyberattacks before they happen. 

Contextual intelligence 

While all threat intelligence tools alert security teams to the vulnerabilities they need to review, without context about who the threat actor is, the attack methods they use, and the potential impact on the organization or their customers, how can teams know which vulnerability to prioritize and differentiate between a credible threat and just chatter?

Financial organizations and institutions need tools that can help their security teams prioritize vulnerabilities and give them detailed information on:

  • Urgency. 
  • Security. 
  • Availability of compensating controls. 
  • Tolerance for residual attack surface.  
  • Level of risk posed to the organization. 

Without this context, security teams are at risk of alert fatigue, which may lead to missed or ignored threats.

Real-time alerts 

Financial organizations and institutions need threat intelligence tools that are able to help mitigate exposures faster than the attackers can exploit them. Daily and weekly scanning isn’t enough to protect their payment data, credentials, or infrastructure from being attacked. Hourly scanning closes the gap on detection, giving security professionals real-time visibility into exposures and the opportunity to act faster.

Traffic monitoring 

Financial institutions are now in a race with criminals to increase security and mitigate the risk of an attack. Monitoring the Tor traffic to and from an organization’s network enables identification of the early indicators of cybercriminal reconnaissance, malicious software installation, and data exfiltration.
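
As an added illustration of the traffic monitoring described above (not Searchlight Cyber's code), the sketch below matches network flow records against a list of Tor relay addresses and groups the hits by internal host. The relay list, flow-record fields, internal range, and byte threshold are all constructed assumptions; a real deployment would load relay addresses from a regularly refreshed feed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data using documentation IP ranges (not real relays).
TOR_RELAYS = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal range
EXFIL_BYTES = 50_000_000                             # assumed alert threshold

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_src)
FLOWS = [
    ("10.20.4.15", "203.0.113.10", 9001, 42_000_000),
    ("10.20.4.15", "203.0.113.77", 443, 31_000_000),
    ("10.20.9.2", "192.0.2.44", 443, 120_000),       # ordinary web traffic
    ("198.51.100.5", "10.20.1.80", 443, 2_400),
    ("198.51.100.5", "10.20.1.80", 22, 600),
    ("10.20.7.33", "203.0.113.10", 9001, 18_000),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def analyse(flows, relays=TOR_RELAYS, threshold=EXFIL_BYTES):
    """Return (host, finding, detail) tuples for Tor-related flows."""
    outbound = defaultdict(int)   # internal host -> bytes sent to Tor relays
    inbound = defaultdict(set)    # internal host -> ports reached from Tor
    for src, dst, port, sent in flows:
        if is_internal(src) and dst in relays:
            outbound[src] += sent
        elif src in relays and is_internal(dst):
            inbound[dst].add(port)
    findings = []
    for host, total in sorted(outbound.items()):
        # Large cumulative volume towards Tor suggests exfiltration; any
        # volume means a Tor client (possibly malware) runs on the host.
        kind = "possible-exfiltration" if total >= threshold else "tor-client-activity"
        findings.append((host, kind, total))
    for host, ports in sorted(inbound.items()):
        # Connections arriving from Tor can indicate anonymized reconnaissance.
        findings.append((host, "inbound-from-tor", sorted(ports)))
    return findings

if __name__ == "__main__":
    for finding in analyse(FLOWS):
        print(finding)
```

Summing bytes per host rather than per flow catches transfers that are split across several relays, as with the first two constructed records.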

Case study: Oakwood Bank Prioritizes Proactive Security With Dark Web Monitoring and Investigations 

Oakwood Bank has had to keep pace and its technology department has put a heavy emphasis on cybersecurity throughout. The bank wanted a solution that would enable it to monitor the dark web for threats against its infrastructure and customers.  

Oakwood Bank uses Searchlight Cyber and its threat intelligence tools to proactively monitor the dark web for data relating to both the organization and its customer base to identify security breaches as soon as possible.  

Searchlight’s dark web investigation capabilities allowed the bank to investigate an incident where they believed the debit card details of a customer had been leaked, which they successfully identified based on the Bank Identification Number (BIN) found on a dark web bank site.  

Oakwood Bank now uses Searchlight to proactively monitor the dark web for data relating to both the organization and its customer base to identify security breaches as soon as possible. For example, the bank has used Searchlight to identify employee credentials on the dark web, which had been captured in the data breach of third party sites where employees had used their work email addresses. 

You can read the full Oakwood Bank case study here

Implementing threat intelligence tools 

Implementing threat intelligence tools that meet the core requirements financial institutions need can help them to stay ahead of cybercriminals by identifying vulnerabilities before cybercriminals attack. Receiving real-time alerts that have context, coupled with comprehensive data, is a must if the finance industry wants to counter potentially catastrophic financial crimes that could impact their organization, the general public, and the economy.

Book a demo to learn more about how Searchlight Cyber supports financial institutions in the fight against cybercrime.