Ruslan Rakhmetov, Security Vision
With digitalisation and the widespread transition to cashless payments, cyber security becomes a more urgent problem every year: both the volume and the number of unauthorised payment card transactions grow steadily from year to year.
To combat cyber threats, in 2015 the Bank of Russia established a dedicated structural unit, the Centre for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere (FinCERT). More than 800 organisations currently take part in information exchange with FinCERT.
Within the framework of its activities, FinCERT of the Bank of Russia carries out the following main functions:
- Organises and coordinates the exchange of information in the area of cyber security
- Analyses data on computer attacks, prepares analytical materials and sends them to exchange participants
- Initiates the blocking of websites containing illegal content
- Conducts computer forensic investigations and examinations in co-operation with law enforcement agencies
Subjects of critical information infrastructure (CII) operating in the banking sector or in other areas of the financial market can transmit information on computer incidents to GosSOPKA via the technical infrastructure of the Bank of Russia (FinCERT).
The information exchange between participating organisations and FinCERT proceeds as follows:
- Receiving information about an incident or threat from an information exchange participant
- Analysing the information received
- Preparing an information bulletin with recommendations
- Sending the bulletin to all participants in the information exchange in order to prevent incidents in other organisations
The Bank of Russia's FinCERT automated incident handling system (hereinafter FinCERT AIS) was created to support all of the above processes and to ensure continuous information interaction. FinCERT AIS supports interaction with participants both through personal accounts and through an application programming interface (REST API) that exchanges data in JSON format.
The FinCERT REST API (https://api.fincert.cbr.ru) allows direct data exchange between information systems without a browser and the various user screen forms of a participant's personal account (https://lk.fincert.cbr.ru).
Some SIEM and IRP/SOAR products ship with preconfigured API connectors to the FinCERT AIS personal account, which reduces the time and effort participating organisations spend sending and receiving information. Incidents detected and processed by these solutions can be sent to FinCERT almost immediately, after minor automated transformations and, in some cases, additions by the user. As for the feeds received from bulletins via the API, these products can automatically enrich the signature databases of the participating organisation's various infrastructure protection systems with them.
To register and send information about an IS incident, the FinCERT AIS REST API requires the attack vector to be specified:
- EXT - if the attack is directed at the client of the participating organisation
- INT - if the attack is directed at the participating organisation's infrastructure
Depending on the vector, different incident types can be specified, each with its own list of attributes. The following table gives a general list of IS incident types that can be transmitted to FinCERT AIS.
A participating organisation can also send the following types of requests via the FinCERT AIS REST API:
- Creating a request to change a participant card
- Create a vulnerability request
- Create a request for publication
- Registration of a request to block a correspondent account
- Registering a request for malware analysis
In addition to sending information, the FinCERT AIS REST API allows participants to receive feeds from bulletins. Such bulletins may contain URLs or IP addresses of attackers, information about vulnerabilities, and hash sums (MD5, SHA1, SHA256) of malware samples.
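As an added illustration of the feed-ingestion side of such a connector (example code, not from the original article, from FinCERT or from any SIEM/SOAR vendor), the Python below parses a constructed bulletin whose field names ("indicators", "type", "value") are an assumption rather than the FinCERT AIS schema. It normalises the IP, URL and MD5/SHA1/SHA256 hash indicators, sets aside malformed entries instead of loading them into protection systems, and then matches the result against constructed proxy log lines and observed file hashes, which is the kind of automated enrichment the text describes:

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample bulletin. The field names are an assumption for this
# example, not the FinCERT AIS JSON schema. The hash values are the
# well-known MD5/SHA1/SHA256 digests of an empty input.
SAMPLE_BULLETIN = json.dumps({
    "bulletin_id": "EXAMPLE-BULLETIN-1",
    "indicators": [
        {"type": "url", "value": "http://phish.example.test/login"},
        {"type": "ip", "value": "198.51.100.23"},
        {"type": "ip", "value": "not-an-ip"},
        {"type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e"},
        {"type": "hash", "value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"},
        {"type": "hash", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
        {"type": "hash", "value": "zz"},
    ],
})

# Constructed proxy log lines in a made-up key=value format.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 dst=198.51.100.23 host=phish.example.test
2024-05-01T10:00:02Z client=10.0.0.7 dst=203.0.113.9 host=intranet.example.test
garbage line without the expected fields
"""

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
LOG_RE = re.compile(r"client=(\S+) dst=(\S+) host=(\S+)")


def classify_hash(value):
    """Return (algorithm, lower-case digest) for an MD5/SHA1/SHA256 hex string, else None."""
    digest = value.strip().lower()
    algo = HASH_ALGOS.get(len(digest))
    if algo and HEX_RE.match(digest):
        return algo, digest
    return None


def parse_bulletin(raw_json):
    """Normalise a bulletin into indicator sets; malformed entries are collected
    under 'rejected' rather than pushed into protection systems."""
    doc = json.loads(raw_json)
    ind = {"ips": set(), "hosts": set(), "urls": set(),
           "hashes": {"md5": set(), "sha1": set(), "sha256": set()},
           "rejected": []}
    for item in doc.get("indicators", []):
        kind = item.get("type")
        value = str(item.get("value", "")).strip()
        if kind == "ip":
            try:
                ind["ips"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                ind["rejected"].append(value)
        elif kind == "url":
            host = urlsplit(value).hostname
            if host:
                ind["urls"].add(value)
                ind["hosts"].add(host.lower())
            else:
                ind["rejected"].append(value)
        elif kind == "hash":
            parsed = classify_hash(value)
            if parsed:
                ind["hashes"][parsed[0]].add(parsed[1])
            else:
                ind["rejected"].append(value)
        else:
            ind["rejected"].append(value)
    return ind


def match_proxy_log(log_text, ind):
    """Flag proxy log lines whose destination IP or host appears in the bulletin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, dst, host = m.groups()
        matched = []
        if dst in ind["ips"]:
            matched.append("ip")
        if host.lower() in ind["hosts"]:
            matched.append("host")
        if matched:
            hits.append({"client": client, "dst": dst, "host": host, "matched": matched})
    return hits


def match_file_hashes(observed, ind):
    """observed: iterable of (path, hex digest). The digest length selects which
    hash set to consult, so mixed MD5/SHA1/SHA256 input works; unparseable digests are ignored."""
    hits = []
    for path, digest in observed:
        parsed = classify_hash(digest)
        if parsed and parsed[1] in ind["hashes"][parsed[0]]:
            hits.append(path)
    return hits


if __name__ == "__main__":
    indicators = parse_bulletin(SAMPLE_BULLETIN)
    print("rejected:", indicators["rejected"])
    print("proxy hits:", match_proxy_log(SAMPLE_PROXY_LOG, indicators))
    print("file hits:", match_file_hashes([("/tmp/a.bin", "D41D8CD98F00B204E9800998ECF8427E")], indicators))
```

The rejected list is worth reviewing rather than silently dropping: a malformed entry in a feed is usually a transcription problem on the sending side, and feeding an unparseable value into a firewall or EDR blocklist either fails the whole import or blocks nothing.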
Somewhat later, as part of the implementation of Federal Law No. 167-FZ of 27.06.2018 'On Amendments to Certain Legislative Acts of the Russian Federation in terms of countering the theft of funds', the Fid-Antifrod automated system (AS) was created on the basis of the FinCERT AIS platform.
The Fid-Antifrod AS implements the following main functions:
- collects data from participants of information exchange on transactions made without the customer's consent (unauthorised transfers)
- distributes this information ('feeds') to the other participants, which makes it possible to detect and suppress the activities of fraudsters
The so-called 'feeds' contain the following attributes of recipients of unauthorised transfers: TIN, hashed passport data, SNILS, bank accounts, payment card numbers, telephone numbers, e-wallet numbers, SWIFT accounts, acquirer ID, and SBP numbers. Identifiers of the device from which the attacker gained access to the system or software may also be recorded as feeds during the information exchange: IP address, IMSI, IMEI, AIIC of the acquiring bank, CAT of the ATM/terminal, CAIC of the geographic location of the ATM/terminal.
Upon receipt of these data from FinCERT, the financial institution must search for them in its core banking system (ABS) and verify whether they are present, block the accounts of the recipient of the unauthorised transfer, and report the results of the verification back to FinCERT.
Interaction via the REST API service of the Fid-Antifrod AS is especially relevant for medium-sized and large financial organisations. Direct technical interaction between the participant's software and the Fid-Antifrod AS allows large amounts of data to be received and sent in automated mode, minimising, and in some cases completely eliminating, human participation in such routine operations.
The REST API of the Fid-Antifrod AS supports the following scenarios:
- Sending a report on a transaction incident made without the customer's consent
- Receiving enquiries from FinCERT on transactions made without the customer's consent
- Responding to FinCERT enquiries on transactions made without the customer's consent
- Receiving reports on suspended crediting of funds
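As an added example of the verification step described above (search the core banking system for the feed attributes, block matching accounts, report back) and of the "responding to FinCERT enquiries" scenario, the Python below indexes a constructed Fid-Antifrod-style feed of recipient and device attributes, checks a constructed ABS extract against it, and assembles the summary a participant would return. This is example code, not from the article, FinCERT or the Fid-Antifrod AS: the field names, the SHA-256 hashing of passport data and the shape of the report are assumptions made for illustration.

```python
import hashlib
import json


def hash_passport(series_and_number):
    """Hashing scheme for passport data is an ASSUMPTION for this example
    (SHA-256 over series+number with spaces removed); the real scheme is
    documented on the FinCERT portal and is not reproduced here."""
    return hashlib.sha256(series_and_number.replace(" ", "").encode("utf-8")).hexdigest()


# Constructed feed. Field names are an assumption, not the Fid-Antifrod schema.
SAMPLE_FEED = json.dumps({
    "feed_id": "EXAMPLE-FEED-1",
    "recipients": [
        {"account": "40817810000000000001", "card": "2200000000000001",
         "phone": "+79990000001", "passport_hash": hash_passport("4500 000001")},
        # Partially filled record: blank attributes must never match anything.
        {"account": "40817810000000000099", "card": "", "phone": "", "passport_hash": ""},
    ],
    "devices": [{"ip": "198.51.100.44"}, {"imei": "000000000000001"}],
})

# Constructed extract from the participant's core banking system (ABS).
SAMPLE_ABS_CLIENTS = [
    {"client_id": "C-1", "accounts": ["40817810000000000001"], "cards": ["2200000000000001"],
     "phone": "+79990000001", "passport": "4500 000001"},
    {"client_id": "C-2", "accounts": ["40817810000000000002"], "cards": ["2200000000000002"],
     "phone": "+79990000002", "passport": "4500 000002"},
]
SAMPLE_ABS_SESSIONS = [
    {"client_id": "C-2", "ip": "198.51.100.44", "imei": "000000000000002"},
    {"client_id": "C-1", "ip": "203.0.113.5", "imei": "000000000000001"},
]

RECIPIENT_FIELDS = ("account", "card", "phone", "passport_hash")
DEVICE_FIELDS = ("ip", "imei")


def build_index(feed):
    """Per-attribute sets for constant-time lookup; blank values are skipped so an
    empty phone or card in the feed cannot match every client with an empty field."""
    index = {f: set() for f in RECIPIENT_FIELDS + DEVICE_FIELDS}
    for rec in feed.get("recipients", []):
        for f in RECIPIENT_FIELDS:
            if rec.get(f):
                index[f].add(rec[f].strip().lower())
    for dev in feed.get("devices", []):
        for f in DEVICE_FIELDS:
            if dev.get(f):
                index[f].add(dev[f].strip().lower())
    return index


def mask_card(pan):
    """Keep the first 6 and last 4 digits so reports do not carry full card numbers."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_clients(clients, index):
    """Clients whose account, card, phone or passport is listed as an unauthorised-transfer recipient."""
    hits = []
    for c in clients:
        matched = []
        if any(a.lower() in index["account"] for a in c["accounts"]):
            matched.append("account")
        if any(n.lower() in index["card"] for n in c["cards"]):
            matched.append("card")
        if c["phone"].lower() in index["phone"]:
            matched.append("phone")
        # Hash our own copy of the passport data the same way the feed does and compare digests.
        if hash_passport(c["passport"]) in index["passport_hash"]:
            matched.append("passport_hash")
        if matched:
            hits.append({"client_id": c["client_id"], "matched": matched,
                         "accounts": list(c["accounts"]),
                         "cards": [mask_card(n) for n in c["cards"]]})
    return hits


def check_sessions(sessions, index):
    """Sessions from a device identifier seen in the feed: flagged for review, not auto-blocked."""
    return [{"client_id": s["client_id"], "matched": f}
            for s in sessions for f in DEVICE_FIELDS if s.get(f, "").lower() in index[f]]


def build_verification_report(feed_id, client_hits, session_hits):
    """Summary returned to FinCERT after the check (shape is an assumption)."""
    return {"feed_id": feed_id,
            "found": len(client_hits),
            "blocked_accounts": sorted(a for h in client_hits for a in h["accounts"]),
            "sessions_for_review": len(session_hits)}


if __name__ == "__main__":
    feed = json.loads(SAMPLE_FEED)
    idx = build_index(feed)
    clients = check_clients(SAMPLE_ABS_CLIENTS, idx)
    sessions = check_sessions(SAMPLE_ABS_SESSIONS, idx)
    print(json.dumps(build_verification_report(feed["feed_id"], clients, sessions), indent=2))
```

Two design points carry over to a real integration: hashed passport data can only be matched by hashing the institution's own records with exactly the scheme the feed uses, so the scheme must be taken from the official documentation rather than guessed; and a device-identifier hit (IP, IMEI) identifies a session used by a fraudster, not necessarily a recipient account, so it is routed to an analyst rather than triggering an automatic block.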
For detailed and up-to-date information (manuals, instructions, certificates, data schemas and API descriptions) on connecting to and operating with FinCERT AIS and the Fid-Antifrod AS, see the information portal at https://portal.fincert.cbr.ru *.
*Note: Access to the portal requires an installed cryptographic provider supporting domestic encryption algorithms and the appropriate TLS access certificates.