Threat Landscape

Financial institutions remain among the most attractive targets for cybercriminals and state-sponsored actors due to the direct access to money, high-value data, and critical role in global economies. Threat actors frequently deploy phishing campaigns and credential theft schemes to infiltrate employee accounts, later escalating to business email compromise (BEC) and fraudulent transactions. Ransomware operators increasingly target banking and payment systems to disrupt operations, while advanced adversaries exploit APIs and fintech integrations to bypass traditional defences. AI-driven fraud and synthetic identity creation are accelerating, enabling attackers to blend into legitimate transaction flows with alarming precision.

Key Risks (linked to MITRE techniques)

Scheduled Task / Job (T1053): Attackers embed malicious routines into system schedulers (for example Windows Task Scheduler, cron, or system timers) so code executes automatically at boot or on a regular cadence. This enables persistent, repeatable activity — such as data collection or re-establishing access — that can run without the attacker’s direct interaction, increasing the risk of prolonged, unnoticed compromise.

Account Manipulation (T1098): Threat actors create, enable, or alter user and service accounts or change group memberships to gain or maintain elevated access. Such account changes can provide attackers with sustained administrative control or backdoor access, potentially exposing sensitive data and critical systems to broad exploitation.

System Services (T1569): Adversaries install or modify operating system services or daemons so malicious code runs with SYSTEM/root privileges at startup or on demand. Because services run with high system rights and often start automatically, they provide attackers with resilient footholds and the ability to perform wide-ranging actions across infrastructure.

Steal or Forge Kerberos Tickets (T1558): By stealing, reusing, or fabricating Kerberos tickets (including Golden or Silver Ticket techniques), attackers can impersonate users or services and authenticate across the environment without needing raw credentials. This approach allows stealthy lateral movement and access to resources that would otherwise require legitimate authentication, creating a vector for extensive, hard-to-detect access.

User Execution (T1204): Many intrusions begin when a user is tricked into running a malicious file, enabling macros, or visiting a malicious link, typically via targeted social engineering or phishing. This human-triggered vector provides attackers an initial foothold from which they can deploy further tooling, move laterally, or exfiltrate data.
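The four persistence and credential-access techniques above (T1053, T1098, T1569, T1558) all leave traces in standard Windows event logs, which is what the monitoring recommendation further down depends on. The following is an added example, not code from the original article or from COMPUTER 2000: a small triage routine that maps constructed, simplified Windows Security/System event records to those technique IDs and flags the cases a defender would want escalated. The event IDs (4698, 7045, 4732, 4720, 4769) are the real Windows IDs; the field names, trusted directories, privileged-group list and sample log lines are assumptions constructed for the example and would need tailoring to a real estate.

```python
"""Map simplified Windows event records to MITRE ATT&CK techniques and flag
suspicious ones. Event IDs are the standard Windows Security/System IDs; the
field names are simplified and the sample records are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: directories a scheduled-task or service binary is expected to live in.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: groups whose membership changes grant broad control.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
# Kerberos ticket encryption type 0x17 is RC4-HMAC; a service ticket requested with
# it on an AES-capable domain is a common Kerberoasting / downgrade indicator.
RC4_HMAC = "0x17"

# key=value records, values optionally double-quoted (constructed format).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    technique: str
    event_id: int
    subject: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'key=value' record into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def _untrusted_path(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_DIRS)


def classify(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert for records that match one of the techniques, else None."""
    eid = int(event["EventID"])
    if eid == 4698:  # scheduled task created (T1053)
        if _untrusted_path(event.get("TaskCommand", "")):
            return Alert("T1053", eid, event["TaskName"],
                         "scheduled task runs a binary outside trusted directories")
    elif eid == 7045:  # new service installed (T1569)
        if _untrusted_path(event.get("ImagePath", "")):
            return Alert("T1569", eid, event["ServiceName"],
                         "service image path outside trusted directories")
    elif eid in (4728, 4732, 4756):  # member added to global/local/universal group (T1098)
        group = event.get("GroupName", "")
        if group.lower() in PRIVILEGED_GROUPS:
            return Alert("T1098", eid, event["MemberName"], f"added to privileged group {group}")
    elif eid == 4720:  # user account created (T1098): always worth reconciling with change records
        return Alert("T1098", eid, event["TargetUser"], "new account created; verify against change tickets")
    elif eid == 4769 and event.get("TicketEncryptionType", "").lower() == RC4_HMAC:  # T1558 heuristic
        return Alert("T1558", eid, event["ServiceName"],
                     "service ticket requested with RC4-HMAC (encryption downgrade indicator)")
    return None


def triage(lines: List[str]) -> List[Alert]:
    """Run classify() over raw log lines and keep only the records that fired."""
    alerts = []
    for line in lines:
        alert = classify(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records: two benign, five that should fire.
SAMPLE_LOG = [
    r'EventID=4698 Host=FIN-WS01 TaskName="\Microsoft\Windows\Update\Sync" TaskCommand="C:\Users\jdoe\AppData\Local\Temp\sync.exe"',
    r'EventID=4698 Host=FIN-WS01 TaskName="\Backup\Nightly" TaskCommand="C:\Program Files\Backup\agent.exe"',
    r'EventID=7045 Host=FIN-SRV02 ServiceName=HelpSvc ImagePath="C:\ProgramData\helper\svc.exe"',
    r'EventID=4732 Host=FIN-DC01 MemberName=svc-reports GroupName=Administrators',
    r'EventID=4732 Host=FIN-DC01 MemberName=jdoe GroupName="Finance Users"',
    r'EventID=4720 Host=FIN-DC01 TargetUser=backup-adm',
    r'EventID=4769 Host=FIN-DC01 ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17',
    r'EventID=4769 Host=FIN-DC01 ServiceName=cifs/fs01 TicketEncryptionType=0x12',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"[{a.technique}] event {a.event_id} on {a.subject}: {a.reason}")
```

Run against the constructed sample it reports five alerts (one each for T1053 and T1569, two for T1098, one for T1558) and stays silent on the two benign records. The path and group allow-lists are the knobs a SOC would tune; the point of the structure is that every alert carries the technique ID, so triage output lines up directly with the risk list above.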

Recommendations (boardroom-level)
  • Strengthen oversight of account and system access: Implement clear policies and monitoring for all high-privilege accounts, with regular audits to prevent unauthorized modifications.
  • Enhance employee awareness: Conduct ongoing training and simulations to reduce the risk of phishing and unintentional execution of malicious files.
  • Improve operational monitoring: Ensure leadership receives visibility into critical scheduled tasks, system service changes, and authentication anomalies that could indicate ongoing attacks.
  • Prioritize proactive detection and response: Maintain programs to detect early signs of persistence and lateral movement, minimizing potential financial and reputational impact.
  • Ensure compliance and risk governance: Embed security checks into business processes to meet regulatory obligations and protect client data.


Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.