Banking and financial services companies sit on a goldmine of sensitive customer data, making them a prime target for phishing and ransomware attackers hoping to strike a payout.
Even with defenses like MFA and security training, human error continues to be a critical point of failure for financial institutions — a 2024 report found that 3 out of every 1000 individuals working in banking click on a phishing link each month. This stark reality of risk highlights the industry’s urgent need for more proactive, automated security processes.
Below, we break down the top financial and bank SOC use cases for security Hyperautomation and cover how a major regional bank successfully reinstated Zelle services by automating account lockdowns for fraud alerts.
The Automation Imperative in Finance and Bank Security Operations
Two of the most common — and critical — security operations priorities for CISOs we’ve talked to at banks and financial services companies are to:
- Mitigate risk by quickly responding to, containing, and remediating attacks.
- Maintain materiality by focusing on the most important security issues that could cause the biggest problems and by being able to accurately assess when a cybersecurity incident requires SEC reporting.
Achieving these requires reducing Mean Time to Respond (MTTR), ensuring swift and effective remediation, and gaining visibility across all identities and security assets. However, manual processes, a jungle of spreadsheets, and siloed data compound operational challenges at financial and banking organizations.
To modernize their financial and bank SOCs, forward-thinking CISOs are embracing Hyperautomation as a way to unify their security stack and automate incident response. Integrating solutions like ServiceNow or Snowflake with Torq’s AI-driven Hyperautomation platform can provide a single source of truth and streamline security operations for a stronger security posture and greater visibility across the SOC.
Top 5 Bank SOC Challenges Solved by Hyperautomation
Below are the top use cases being Hyperautomated by Torq’s financial services customer base, along with real-world examples of the workflows they have built.
1. Phishing Alert Analysis
Automate the extraction and aggregation of URLs, file hashes, and message headers from Outlook messages and attachments, providing a comprehensive data set for further security analysis.
Workflow Steps:
- Receive potential phishing alert from Microsoft 365.
- Execute parallel tasks to extract URLs from the email body, retrieve message headers, and process attachments (if present).
- For the email body, extract all unique URLs and collect them.
- Retrieve message headers using Microsoft Graph API and store them.
- If the email has attachments, list them and filter out non-file attachments.
- For each file attachment, retrieve detailed information and extract URLs from the content if available.
- Collect and combine URLs from various sources (e.g. body and attachments). Set default values if no URLs are found.
- Link message headers from the email and attachments, setting default values if none are found.
- Generate a structured output containing URLs, file hashes, and message headers.
- Hand the structured output to the nested Case Management workflow (use case 4 below), which attaches it to an existing case or opens a new one.
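The extraction steps above, written out as an added Python example (not Torq's workflow code): it parses a constructed sample message, pulls unique URLs from the body and from text attachments, hashes each file attachment, and collects the headers of interest into one structured result. Header names and the `.invalid` domains are assumptions chosen for the sample.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (not a real phishing email): the body repeats one
# link, and a text attachment carries a second one.
SAMPLE_EML = b"""From: alerts@example.invalid
To: user@bank.invalid
Subject: Action required
Message-ID: <abc123@example.invalid>
Received: from mail.example.invalid by mx.bank.invalid; Mon, 1 Jan 2024 10:00:00 +0000
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Verify at https://login.example.invalid/verify or https://login.example.invalid/verify
--XX
Content-Type: text/plain; name="notice.txt"
Content-Disposition: attachment; filename="notice.txt"

Details: http://docs.example.invalid/form.html
--XX--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
HEADERS_OF_INTEREST = ("From", "To", "Subject", "Message-ID", "Received")

def analyze_message(raw: bytes) -> dict:
    """Return unique URLs, attachment hashes and selected headers from one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Headers: keep every occurrence (Received appears once per hop).
    headers = {h: [str(v) for v in msg.get_all(h, [])] for h in HEADERS_OF_INTEREST}
    urls, hashes = set(), []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        urls.update(URL_RE.findall(body.get_content()))
    for part in msg.iter_attachments():  # non-file (inline) parts are skipped
        payload = part.get_payload(decode=True) or b""
        hashes.append({"filename": part.get_filename(),
                       "sha256": hashlib.sha256(payload).hexdigest()})
        if part.get_content_maintype() == "text":  # only text attachments are searched
            urls.update(URL_RE.findall(payload.decode("utf-8", "replace")))
    # Empty lists are the default values when nothing was found.
    return {"urls": sorted(urls), "file_hashes": hashes, "headers": headers}
```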
2. Ransomware Case Creation and Categorization
Automate the ingestion and processing of CrowdStrike threat data by creating a comprehensive case in Torq. Once the case is created, notify the security team via email while categorizing the threat and adding relevant observables for further analysis.
Workflow Steps:
- Extract specific fields from the incoming CrowdStrike event data into a sparse JSON object.
- Flatten the JSON object for easier processing and format it for a markdown table.
- Convert the event’s creation date to a specified format.
- Create a markdown table from the formatted data.
- Use a switch-case structure to categorize the threat as malware or ransomware, setting a variable accordingly.
- Create a case in Torq using the extracted and formatted data, including custom fields and tags.
- Add observables to the case, such as file hashes, with specified reputation scores.
- Query historical cases and link any closed cases with matching observables.
- Generate an access token for Microsoft 365 and send an email notification about the new case to the specified recipient list.
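The field extraction, flattening, date conversion, markdown table and malware/ransomware switch from the steps above, as an added Python example that is not Torq's or CrowdStrike's code. The event shape, field names and the "malicious" reputation assigned to the hash are assumptions constructed for the sample.

```python
from datetime import datetime, timezone

# Constructed sample event in the shape of a detection summary (not real CrowdStrike data).
SAMPLE_EVENT = {
    "event": {"DetectName": "Ransomware behavior detected", "Severity": 5,
              "ComputerName": "WS-042", "SHA256String": "a" * 64,
              "Tactic": "Impact", "Technique": "Data Encrypted for Impact"},
    "metadata": {"eventCreationTime": 1704103200000, "customerIDString": "cid-1"},
}

# Dotted source path -> display label: the "sparse JSON" of fields worth keeping.
WANTED = {"event.DetectName": "Detection", "event.Severity": "Severity",
          "event.ComputerName": "Host", "event.SHA256String": "SHA256",
          "event.Technique": "Technique", "metadata.eventCreationTime": "Created"}

def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into dotted keys: {"a": {"b": 1}} -> {"a.b": 1}."""
    out = {}
    for k, v in obj.items():
        key = f"{prefix}.{k}" if prefix else k
        out.update(flatten(v, key) if isinstance(v, dict) else {key: v})
    return out

def categorize(detect_name: str) -> str:
    """Switch-case equivalent: a ransomware keyword selects that category, else malware."""
    return "ransomware" if "ransom" in detect_name.lower() else "malware"

def to_markdown_table(fields: dict) -> str:
    rows = ["| Field | Value |", "| --- | --- |"]
    rows += [f"| {k} | {v} |" for k, v in fields.items()]
    return "\n".join(rows)

def build_case(event: dict) -> dict:
    """Turn one raw event into the case payload: title, category, table, observables."""
    flat = flatten(event)
    fields = {label: flat[path] for path, label in WANTED.items() if path in flat}
    if isinstance(fields.get("Created"), int):  # epoch milliseconds -> ISO 8601 UTC
        ts = datetime.fromtimestamp(fields["Created"] / 1000, tz=timezone.utc)
        fields["Created"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    category = categorize(fields.get("Detection", ""))
    observables = []
    if "SHA256" in fields:  # the hash observable carries the reputation the workflow assigns
        observables.append({"type": "sha256", "value": fields["SHA256"], "reputation": "malicious"})
    return {"title": f"{category.title()} on {fields.get('Host', 'unknown host')}",
            "category": category, "tags": [category, "crowdstrike"],
            "description": to_markdown_table(fields), "observables": observables}
```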
3. Automated Threat Analysis and Enrichment
Automate the process of extracting and analyzing threat intelligence data based on specific commands submitted by the security team — e.g. “Check IP”, “Check Hash”, or “Check Host”. Facilitate communications through Microsoft Teams to trigger the workflow and receive the enriched threat analysis.
Workflow Steps:
- Evaluate incoming event text to determine the command type (!checkip, !checkhash, !checkhost).
- For !checkip: Extract IP addresses using regex and retrieve information for each IP from AbuseIPDB.
- For !checkhash: Extract hash patterns using regex, retrieve analysis reports from AnyRun, and get threats from SentinelOne.
- For !checkhost: Extract patterns using regex and initiate a scan on SentinelOne agents, wait for a specified duration, then retrieve threats from SentinelOne.
- Reply with the information gathered to the thread in the originating Microsoft Teams channel.
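The first step, recognising the command and extracting its indicators, as an added Python example (not Torq's code). It goes a little beyond the text: the IP and hash candidates the regex finds are validated before any lookup, which keeps invalid octets, private ranges and duplicate hashes out of the enrichment calls. The AbuseIPDB, AnyRun and SentinelOne calls themselves are external and not shown; treating every token after !checkhost as an agent hostname is an assumption.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)*$")
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_command(text: str) -> dict:
    """Map one chat message to a command and a list of validated indicators."""
    cmd, _, rest = text.strip().partition(" ")
    cmd = cmd.lower()
    if cmd == "!checkip":
        ips = set()
        for candidate in IPV4_RE.findall(rest):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the pattern but is not an address
            if ip.is_global:  # private, loopback and link-local addresses are not worth a lookup
                ips.add(str(ip))
        return {"command": cmd, "indicators": sorted(ips)}
    if cmd == "!checkhash":
        seen, hashes = set(), []
        for h in HASH_RE.findall(rest):
            if h.lower() not in seen:  # case-insensitive de-duplication
                seen.add(h.lower())
                hashes.append({"value": h.lower(), "algorithm": HASH_ALGO[len(h)]})
        return {"command": cmd, "indicators": hashes}
    if cmd == "!checkhost":
        hosts = {tok.lower() for tok in rest.split() if HOST_RE.match(tok)}
        return {"command": cmd, "indicators": sorted(hosts)}
    return {"command": None, "error": f"unknown command {cmd!r}"}
```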
4. Case Management
Automate the process of checking for existing cases and creating new cases if necessary, ensuring efficient case management and reducing duplicate cases. This workflow is a valuable and repeatable tool for any case management program. Consider using a “nested workflow” attached to other Hyperautomated use cases (for example, see Phishing Alert Analysis above).
Workflow Steps:
- Query existing cases to check if a case already exists with the specified name, event data, or observable submitted.
- If a case exists, attach the new observable to the case and exit the workflow with the existing case ID.
- If no case exists, create a new case with the provided details such as title, SLA, severity, and state.
- After attempting to create a case, check the creation status.
- If the case creation is successful, exit with the new case ID.
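The find-or-create logic above, as an added Python example against an in-memory stand-in for the case API (this is not Torq's code or API). Matching only open cases and treating a missing title as a failed creation are assumptions.

```python
import itertools
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Case:
    case_id: int
    title: str
    severity: str
    sla_hours: int
    state: str = "open"
    observables: set = field(default_factory=set)

class CaseStore:
    """In-memory stand-in (constructed) for the case-management API the workflow calls."""

    def __init__(self):
        self._cases = {}
        self._ids = itertools.count(1)

    def find(self, title: Optional[str] = None, observable: Optional[str] = None) -> Optional[Case]:
        """Step 1: an open case matches on exact title or on a shared observable."""
        for case in self._cases.values():
            if case.state == "closed":
                continue  # closed cases are linked, not reused (assumption)
            if case.title == title or (observable and observable in case.observables):
                return case
        return None

    def find_or_create(self, title: str, observable: str, severity: str = "medium",
                       sla_hours: int = 24) -> Tuple[int, bool]:
        """Return (case_id, created). The observable is attached either way."""
        if not title:
            raise ValueError("case creation failed: title is required")  # Step 4: creation status
        existing = self.find(title=title, observable=observable)
        if existing is not None:
            existing.observables.add(observable)  # Step 2: attach and exit with the existing ID
            return existing.case_id, False
        case = Case(next(self._ids), title, severity, sla_hours, observables={observable})  # Step 3
        self._cases[case.case_id] = case
        return case.case_id, True  # Step 5: exit with the new ID
```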
5. Fraud Detection
Automate the process of locking or unlocking a user account based on suspected fraud event data. Update your CRM with relevant fraud activity and notify the appropriate stakeholders with contextual information about the actions taken.
Workflow Steps:
- Set workflow parameters to include user ID and notification email addresses.
- Check if required fields are present in the event data.
- Verify the user’s status via an API call and determine if the user should be locked or unlocked.
- If lock: Execute an API call to lock the user and set a variable indicating the action taken.
- If unlock: Execute an API call to unlock the user and set a variable indicating the action taken.
- If the lock/unlock action is successful, query Salesforce to retrieve the user’s account information.
- Add a “fraud task” to the user’s account in Salesforce and notify the specified email addresses of the action taken.
- If adding the activity to Salesforce fails, send a failure notification to the specified email addresses.
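The lock/unlock decision and its two notification paths from the steps above, as an added Python example (not Torq's code, and not the real identity or Salesforce APIs): the backends are constructed in-memory stand-ins, and the event field names, the "active"/"locked" statuses and the mailbox are assumptions. The failure branch shows that a CRM outage still produces a notification rather than a silent gap.

```python
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("user_id", "suspected_fraud", "alert_id")

@dataclass
class FakeBackends:
    """Constructed in-memory stand-ins for the identity API, Salesforce and email."""
    user_status: dict                    # user_id -> "active" | "locked"
    crm_fails: bool = False              # simulate a Salesforce outage
    crm_tasks: list = field(default_factory=list)
    emails: list = field(default_factory=list)

    def get_status(self, user_id):
        return self.user_status[user_id]

    def set_status(self, user_id, status):
        self.user_status[user_id] = status

    def add_fraud_task(self, user_id, note):
        if self.crm_fails:
            raise RuntimeError("CRM unavailable")
        self.crm_tasks.append((user_id, note))

    def notify(self, recipients, subject):
        self.emails.append((tuple(recipients), subject))

def handle_fraud_event(event: dict, be: FakeBackends,
                       notify_to=("fraud-team@bank.invalid",)) -> dict:
    """Validate the event, lock or unlock the user, record it in the CRM, notify."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        return {"action": "rejected", "reason": f"missing fields: {missing}"}
    uid, status = event["user_id"], be.get_status(event["user_id"])
    if event["suspected_fraud"] and status == "active":
        be.set_status(uid, "locked")
        action = "locked"
    elif not event["suspected_fraud"] and status == "locked":
        be.set_status(uid, "active")
        action = "unlocked"
    else:  # re-delivered alert: the account is already in the requested state
        return {"action": "noop", "reason": f"user already {status}"}
    note = f"Account {action} for alert {event['alert_id']}"
    try:
        be.add_fraud_task(uid, note)
    except RuntimeError as exc:  # CRM failure path: stakeholders still hear about it
        be.notify(notify_to, f"[fraud] CRM update FAILED for {uid}: {exc}")
        return {"action": action, "crm_updated": False}
    be.notify(notify_to, f"[fraud] {note}")
    return {"action": action, "crm_updated": True}
```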
Case Study: Automating Zelle Fraud Detection and Lockdown from End to End
A major regional U.S. bank with billions in assets faced an urgent, compliance-driven requirement to automate their detection and response to fraud alerts in Zelle, a customer-facing payment service that had been suspended by the SEC due to a surge in fraudulent activity.
With Torq’s Hyperautomation platform, the bank’s SOC quickly automated the end-to-end process of locking down accounts triggered by fraud alerts, enabling them to reinstate Zelle services. Torq also automates CRM updates, giving customer service immediate context when talking to customers about account lockdowns.
And that’s not all they achieved with Torq — read the case study for the full story of how they published over 100 workflows in just 3 months and reduced their Mean Time to Investigate (MTTI) from hours to minutes.