The enemy shall not pass: Tinkoff Bank’s “echelon” reinforced by Group-IB TDS Polygon

Group-IB, an international company specializing in the prevention of cyber attacks, and Tinkoff Bank, an innovative online provider of financial services, report the successful implementation of a multi-layered cyber security system built on a set of products for detecting zero-day threats and preventing targeted attacks. A key element of the system is Group-IB’s flagship product, Threat Detection System Polygon (TDS). The pilot project at Tinkoff Bank confirmed the quality of the TDS behavioral reports, which enabled the bank’s specialists to assess the severity of each threat, and showed the system to be highly effective at detecting previously unknown attack vectors.

Tinkoff Bank is Russia’s first and only fully online bank, serving over seven million customers remotely via online channels and a call center. The bank’s unique structure poses strict requirements in terms of the level of information security of both internal IT systems and financial products and services. In this context, the key priorities for Tinkoff Bank are stable, uninterrupted operational processes and proactive protection against a wide range of cyber threats that carry potential risks for day-to-day bank operations.

Despite the widespread use of antivirus software, it is often powerless against targeted attacks by hacker groups, ransomware epidemics, attacks on payment infrastructure that use social engineering, illegitimate use of company resources for cryptomining, and similar threats. Anti-APT (Advanced Persistent Threat) products play a key role in identifying zero-day (i.e. previously unknown) threats: they allow specialists to perform comprehensive analysis of suspicious files in a sandbox, an environment isolated from the bank’s main network, before those files reach a user.

Tinkoff Bank had been using a sandbox solution from one of the leading international vendors. However, experience showed that the capabilities of this single-sandbox configuration were insufficient. The bank decided to improve detection quality by moving to multi-layered protection that uses several sandboxes. Based on the results of long-term testing of various products, Tinkoff Bank decided to add Group-IB Threat Detection System Polygon, a system for proactive detection of cyber attacks, to its stack.

It is important that we learn about the emergence of new types of threats in advance and respond to them quickly, mitigating possible risks. We decided to deploy an “echelon of sandboxes”, focusing primarily on detecting zero-day threats. They, in particular, are the most dangerous and can only be detected using intelligence-driven behavioral analysis systems that allow you to analyse a file before it ends up on a user’s computer. During testing, TDS Polygon proved to be highly effective and demonstrated that we had chosen the right strategy. Now, the product is being successfully used in “combat” mode.

Dmitry Gadar

Head of Network Security, Tinkoff Bank

According to Group-IB, most Russian banks will soon have to adopt multi-layered protection built from the most functional and reliable “construction set” of components, including at least two Anti-APT systems: one able to handle threats crafted in the language and context of their country of origin, and a second focused on detecting a broad range of malicious activity.

Group-IB emphasizes that synthetic, “made-up” cases for testing the quality of sandboxes will not produce meaningful results. For this reason, the pilot testing of Group-IB Threat Detection System Polygon, carried out together with specialists at Tinkoff Bank, was conducted exclusively on real data, taking into account the specifics of the bank, the volumes of information processed, typical work scenarios and other characteristics of the company’s actual IT landscape.

Effective Anti-APT solutions have to not only perform static and dynamic file analysis, but also resist the many techniques that allow attackers to detect OS virtualization and bypass the threat detection technology using other, rather diverse methods. The devil is always in the details: even seemingly simple issues, such as link analysis or support for hundreds of file formats whose link status changes over time, are a serious challenge for vendors who develop products of this class. The completeness of the behavioral reports provided is also important. TDS Polygon proved able to solve these tasks, as demonstrated during successful pilot testing on real cases at Tinkoff Bank.

Nikita Kislitsin

Head of Network Security, Group-IB

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against it in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. The products and services consolidated in Group-IB’s Unified Risk Platform include Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.