Breaking Badness
151. Epic Bail: The Collapse of Silicon Valley Bank and Its Impact on Infosec
- This episode of Breaking Badness focuses on the recent collapse of Silicon Valley Bank and what that means for the InfoSec community. We’ll dive into what we’ve been seeing on our end, predictions on what we may see from bad actors, and practical advice for moving forward.
- Let’s start at the beginning with a crash course on what Silicon Valley Bank is for those who are unfamiliar
- Silicon Valley Bank (SVB) was founded in 1983 by individuals who recognized banking wasn’t serving the needs of startups, which had different expectations about when loans would be repaid
- The prevailing thought was if you started a bookstore or restaurant, the profit would turn fast, whereas if you’re launching a new and unproven technology, turning a profit will take longer and it’s uncertain if it will actually succeed
- SVB formed with the idea of better serving the startup industries in Silicon Valley and they grew as technology grew
- They became a bank that was not just important in Silicon Valley, but nationwide, if not globally
- Why did SVB fail?
- When banks fail it’s because there’s a run. Folks want to pull their money out because they’re afraid it’s not stable
- Word gets around quickly – quicker than ever before so a bank run is a contagion
- There’s been some *limited* contagion, where we saw the collapses of Signature Bank and Silvergate Bank – is there a thing about banks that start with S here? But those two were not just pure contagion from the collapse of SVB—they had their own problems due to the cryptocurrency meltdown. Anyway—by calling the contagion “limited” I’m not downplaying the significance of those two other collapses but what I mean is that fortunately we didn’t see a 1929-style run on large *numbers* of banks
- The economy has been unstable for a while and looking for higher returns
- Going back a few years, SVB moved into long-term Treasury bonds. In 2022 and coming into this year, with interest rates being raised, the value of those bonds decreased by quite a bit. Higher rates also raised borrowing costs, and folks started pulling money out
- Why is SVB’s failure appealing to cybercriminals?
- Bad actors thrive in chaos – when things become unstable it creates an opportunity for crime
- The uncertainty makes people act hastily, and that’s lucrative for bad actors
- If it’s in the news and people are paying attention to it, so will cybercriminals
- If there’s a zeitgeist, people will act
- These big events create grounds for all kinds of potential badness
- The way we’ve studied Domain Blooms, we will likely see activity around this – some harmless but some can be harmful and we’ll go into that
- We’ve been sharing newly-created domains on our Security Snacks accounts on Twitter and Mastodon and will continue to share any additional relevant information we find
- SecOps Engineer Ian Campbell was the first to track the events surrounding SVB – he has a knack for picking out keywords to monitor and we saw a handful of things:
- Objectively speaking, some newly-created domains are geared toward phishing: taking advantage of SVB customers who want to get their money out in order to harvest their credentials
- We also saw domains relating to potential lawsuits (i.e. something happened and I was wronged, so I’m going to try to get my piece of it)
- This is because at the start, it seemed like the federal government might not step in, and people were thinking about suing to recoup their losses
- There have been rumblings of a potential collapse with SVB for a bit, but is there anything defenders can do to possibly prepare for something like this before it occurs?
- Hindsight in this scenario is 20/20 so it’s tricky to say how prepared a SecOps team could be for this specific event
- A playbook/plan to have on hand is generally good to have because it will answer questions of actions to take that you may otherwise forget in the heat of the moment (risk assessments on the spot, what are our exposures, etc.)
- Financial risk is mostly handled by the CFO’s team, but since everything is connected online now, Infosec should have a seat at the table
- Having a plan if your primary bank is compromised and you can’t move funds around was likely not on everyone’s 2023 bingo card, but now that it’s happened, and could happen again, planning for this will likely be what security teams will consider
- We’re thinking that it’s almost certain that phishing and business email compromise (aka BEC) attacks will stem from this event, or perhaps FDIC spoofs, but will we see longer cons like financial impersonation or pig butchering for a while after this?
- From the perspective of BEC, we’ll see spoofs that say “change your banking information because we were with SVB” which is one opportunity
- The other scenario we could see unfold is FDIC spoofs
- We can envision a scenario of someone posing as the FDIC and saying they need account verification. A naive recipient could be tempted or fooled by it
- We’ve been looking at domains with FDIC in them, and there have been some that are quite obviously not registered by the agency, so that’s one term to be on the lookout for in addition to those spoofing SVB itself
- Are there security measures companies can consider when choosing who to bank with?
- It’s tricky because it’s not very cost-effective for a company to have redundant banking
- There are costs associated with maintaining accounts
- But it sure seems that in light of this event, when you might only get $250,000 back, it might be more appealing even if it comes with some overhead
- Do you now need to employ an economist to know your bank won’t go under?
- Maybe? But it’s a very difficult question to answer
- The larger the bank and the longer it’s been around, the more solace there is in that, though there are counterexamples (like Washington Bank)
- What tactical things can defenders do?
- We now know this can happen, and it’s not impossible for it to happen again, so this is the time to work with finance, accounts receivable and accounts payable on security education
- A healthy amount of skepticism surrounding the emails you receive is always good
- Take a step back and if you receive a questionable email, think if you are even the right person to respond to that email
- If you are, you can contact the appropriate people to confirm if what you received is legitimate or not
- If you are a company that takes credit card payment, know how that actually flows and have a plan for events such as these
- Look at your exterior cloud services
- We’re all about outsourcing, but if one of those services goes bust and they can’t pay their employees, you want to understand how to extract yourself so you can pivot because it can affect your business and what you can provide to your customers – sort of a cascading failure
- Prior to this, we don’t know how many security teams thought of this and now’s the time
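The domain-monitoring work described above (keyword-watching newly-created domains for SVB phishing, lawsuit bait and FDIC spoofs) can be reduced to a small triage filter. The following is an added example written for this recap, not DomainTools code and not the monitoring Ian Campbell used. The feed format, the term lists, the digit-for-letter substitution table and the allowlist (`svb.com`, `fdic.gov`) are all assumptions, and the sample feed is constructed using reserved `.example` names.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand terms tied to the event discussed in the episode: SVB itself and FDIC spoofs.
BRAND_TERMS = ("siliconvalleybank", "svb", "fdic")

# Lure words that, combined with a brand term, suggest credential harvesting,
# "update your banking details" BEC, or lawsuit/recovery bait (assumed list).
LURE_TERMS = ("account", "verify", "verification", "login", "secure", "recover",
              "refund", "funds", "claim", "lawsuit", "deposit", "wire", "payment", "update")

# Known-good registrations to suppress (assumed allowlist, not from the episode).
ALLOWLIST = {"svb.com", "fdic.gov"}

# Common digit-for-letter substitutions seen in look-alike domains (heuristic).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample of a newly-created-domain feed (CSV, created date + domain).
SAMPLE_FEED = """created,domain
2023-03-11,svb-account-recovery.example
2023-03-11,fdic-claims-portal.example
2023-03-12,siliconvalleybank-depositor-lawsuit.example
2023-03-12,fd1c-ver1fy.example
2023-03-12,svb.com
2023-03-13,svb-news-tracker.example
2023-03-13,my-bookstore-login.example
"""


@dataclass
class Finding:
    domain: str
    created: str
    brands: Tuple[str, ...]
    lures: Tuple[str, ...]
    severity: str


def normalize(domain: str) -> str:
    """Lowercase, drop the TLD, undo digit substitutions, keep letters only."""
    label = domain.lower().rsplit(".", 1)[0]
    label = label.translate(LEET)
    return re.sub(r"[^a-z]", "", label)


def score(domain: str, created: str) -> Optional[Finding]:
    """Return a Finding for a domain worth a look, or None for noise."""
    if domain.lower() in ALLOWLIST:
        return None
    norm = normalize(domain)
    brands = tuple(t for t in BRAND_TERMS if t in norm)
    if not brands:
        return None  # lure words alone (e.g. "login") are far too noisy to alert on
    lures = tuple(t for t in LURE_TERMS if t in norm)
    # Brand plus a lure word reads like a phishing/BEC/lawsuit-bait page; brand alone
    # may just be news or commentary, so it is queued at lower priority.
    severity = "high" if lures else "medium"
    return Finding(domain, created, brands, lures, severity)


def triage(feed_csv: str) -> List[Finding]:
    """Run the filter over a whole feed; high-severity hits first, then alphabetical."""
    findings = []
    for row in csv.DictReader(io.StringIO(feed_csv)):
        hit = score(row["domain"], row["created"])
        if hit:
            findings.append(hit)
    return sorted(findings, key=lambda f: (f.severity != "high", f.domain))


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        print(f"{f.severity:6} {f.created} {f.domain} brands={f.brands} lures={f.lures}")
```

The substitution table is what lets `fd1c-ver1fy` surface as an FDIC look-alike; without it, a plain substring match on "fdic" misses it. Brand-only hits are kept but ranked lower because, as noted above, some of the domains blooming around an event like this are harmless commentary rather than lures.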
If you have questions around this topic, please contact any of the folks on this team:
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!