
Network microsegmentation: ultimate control against malware lateral movement
22 January 2026
Global banking is undergoing an accelerated and irreversible digital transformation. What used to be institutions with relatively closed internal processes are now hyperconnected digital ecosystems, interdependent on external providers, third-party systems, open APIs, and fintech platforms. This technological complexity offers opportunities for innovation and efficiency, but it also multiplies the attack surface and exponentially increases exposure to sophisticated cyber threats.
Each remote endpoint, provider integration, or cloud service is a potential attack vector. Massive attacks are no longer limited to compromising an isolated system: they can scale, spread laterally, and affect the operational continuity of the entire bank. Cybercriminals no longer seek isolated technical vulnerabilities; their goal is access to privileged identities, exploitation of legacy systems, and disruption of critical operations.
In this context, banking security must evolve from a reactive mindset to a model of structural resilience. It’s not just about preventing incidents but ensuring that critical services remain operational even under attack, complying with regulations like DORA (Digital Operational Resilience Act, EU Regulation 2022/2554), and protecting both customer trust and the financial integrity of the institution.
1. The risk environment in modern banking
The technological complexity of today’s banks generates multiple risk vectors:
- Remote endpoints and hybrid work: With the rise of remote work and external support, endpoints have become the weakest link. Every laptop, tablet, or phone connected to critical systems can be an entry point for advanced malware or malicious insiders.
- Critical legacy systems: Core systems from decades ago are essential to banking operations but do not support frequent patching or modern security protocols, making them high-risk vectors for sophisticated attacks.
- Integrations and third-party providers: Third-party APIs, cloud platforms, and ICT service providers expand the attack surface. A vulnerability in a provider can become a systemic incident if not properly managed.
- Advanced Persistent Threats (APT): Targeted attacks on banks combine phishing, malware, credential abuse, and legacy system exploitation to move laterally and extract data or disrupt critical operations.
Impact of Massive Attacks:
Massive attacks may have devastating consequences:
- Disruption of critical services like payments, transfers, or account access.
- Exfiltration of financial and personal data of customers and employees.
- Loss of trust and immediate reputational risk.
- Regulatory sanctions if standards like DORA or GDPR are not met.
In many cases, the initial attack is not devastating on its own; lateral movement and privilege escalation turn an isolated incident into a systemic crisis.
2. DORA: Mandatory Operational Resilience
DORA introduces a new paradigm in banking cybersecurity, moving from a “best-effort” approach to a mandatory operational resilience model. It’s not about checking boxes — it’s about ensuring continuity of critical operations in the face of disruptive incidents.
The five pillars of DORA are key:
- ICT Risk Management: Continuous identification, analysis, and mitigation of risks, including internal systems, external providers, cloud, and APIs. Every infrastructure or configuration change must be evaluated for risk.
- Incident Management and Reporting: Strict protocols for classification, response, and immediate notification of major incidents. SOAR solutions are integrated to automate incident containment in milliseconds.
- Digital Operational Resilience Testing: Includes simulations of massive attacks, TLPT (Threat-Led Penetration Testing), and continuity analysis to ensure that core systems and critical environments withstand attacks without disruption.
- Third-party Risk Management: Continuous monitoring of ICT providers and external platforms with controls to prevent a third-party vulnerability from compromising banking operations.
- Sector-wide Information Sharing: Anticipate emerging threats, detect global attack patterns, and strengthen collective sector defense.
DORA requires banks to redesign security architecture by integrating prevention, detection, isolation, and operational continuity in a unified approach.
3. Identity as the new critical perimeter
Abuse of legitimate credentials
Most massive attacks don’t exploit technical vulnerabilities in the financial core; they exploit compromised credentials. Traditional MFA is insufficient against techniques like MFA fatigue, token theft, or advanced spear phishing.
The real risk arises after authentication, when the attacker can explore systems, escalate privileges, and move laterally, compromising critical services. This pattern has been documented in multiple global bank attacks where a single privileged account allowed data exfiltration and attack propagation for days.
Mitigation strategy: Just-in-Time access and ephemeral privileges
The solution is dynamic identity and access management:
- Temporary privileges limited to specific tasks.
- Granular auditing by action, user, and system, meeting DORA requirements.
- Context-based adaptive policies: location, endpoint state, and behavioral history.
In legacy systems, this enables modern controls without changing original code — drastically reducing the attacker’s opportunity window.
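As an added illustration of the Just-in-Time model above (example code written for this article, not Cosmikal's or Endurance's implementation), the following Python broker issues task-scoped privileges with a fixed TTL, gates them on a context policy, and writes one audit record per decision. The trusted-location list, the 15-minute TTL and the reference timestamp T0 are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

# Constructed reference time used by the demonstration (not from the article)
T0 = datetime(2026, 1, 22, 9, 0, tzinfo=timezone.utc)

@dataclass
class Grant:
    user: str
    system: str
    task: str
    expires_at: datetime

@dataclass
class JITBroker:
    """Issues task-scoped privileges with a short TTL and records every decision."""
    ttl: timedelta = timedelta(minutes=15)                        # assumed policy
    trusted_locations: frozenset = frozenset({"HQ", "DR-site"})   # assumed policy
    grants: dict = field(default_factory=dict)                    # token -> Grant
    audit: list = field(default_factory=list)                     # one entry per decision

    def _log(self, action, user, system, **extra):
        # Granular audit record: action, user, system, plus context (task, reason)
        self.audit.append({"action": action, "user": user, "system": system, **extra})

    def request(self, user, system, task, location, endpoint_compliant, now):
        # Context-based adaptive policy: location and endpoint posture gate the grant
        if location not in self.trusted_locations or not endpoint_compliant:
            self._log("deny", user, system, task=task, reason="context")
            return None
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(user, system, task, now + self.ttl)
        self._log("grant", user, system, task=task, expires=(now + self.ttl).isoformat())
        return token

    def authorize(self, token, system, task, now):
        grant = self.grants.get(token)
        if grant is None or now >= grant.expires_at:
            # Ephemeral: an expired or unknown token is purged, so a stolen token
            # is useful only for a bounded window
            self.grants.pop(token, None)
            self._log("deny", grant.user if grant else "unknown", system,
                      task=task, reason="expired-or-unknown")
            return False
        if grant.system != system or grant.task != task:
            # Scope check: the privilege is bound to exactly one system and one task
            self._log("deny", grant.user, system, task=task, reason="out-of-scope")
            return False
        self._log("allow", grant.user, system, task=task)
        return True

    def revoke(self, token):
        grant = self.grants.pop(token, None)
        if grant:
            self._log("revoke", grant.user, grant.system, task=grant.task)
        return grant is not None
```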
4. Endpoints and isolation of critical operations
The EDR fallacy
EDRs and antivirus tools detect malware and anomalies but do not protect against insiders or silent advanced attacks. Endpoints are direct risk vectors to critical systems. Malware that captures keyboard, mouse, or video events can compromise operational continuity undetected.
Advanced protection strategies
- Isolated environments (non-persistent VDI, Remote Browser Isolation): Users interact with critical systems without exposing data to the endpoint.
- Zero Trust Network Access (ZTNA): Each session is continuously validated and limited to specific applications.
- Automated monitoring and response (SOAR): Isolates systems and accounts within milliseconds when anomalous behavior is detected.
This architecture ensures that even if an endpoint is compromised, banking operations remain protected and DORA requirements are met.
5. Mitigating lateral movement and privilege escalation
Lateral movement is the threat that turns an isolated incident into a systemic crisis. In many real-world banking attacks, an attacker gains initial access via a remote endpoint or compromised credential and, without control measures, navigates through the corporate network to compromise critical systems, including Core Banking and customer databases.
This silent propagation has enabled ransomware and APT cases that shut down entire banks for days, causing millions in losses and regulatory sanctions.
Dynamic microsegmentation
A resilient architecture requires granular workload isolation, not just VLAN-level, but down to process and application levels:
- Isolation of critical processes: Each financial application (payments, transfers, reporting, risk management) runs in isolated environments to prevent attack spillover across modules.
- Privileged session monitoring and control (PAM): All interactions with critical systems are monitored and recorded in real-time, allowing immediate anomaly detection and forensic reconstruction.
- Deception Technology and Honeytokens: Fake assets in the network detect early lateral movements. Access attempts to decoy servers or fake tokens trigger immediate alerts without exposing real systems.
Conceptual Formula for Resilience:
Resilience = (Detection + Isolation) / Attack Propagation Time
If the time an attack needs to propagate exceeds the time the architecture needs to detect and isolate it, banking operations remain intact, even during coordinated or massive attacks. This metric becomes a key KPI for CISOs to quantify architectural effectiveness against advanced attacks.
6. Legacy systems and technical debt: protecting the core without replacing it
Legacy Core Banking systems are one of the greatest challenges to banking resilience. These systems, fundamental for payment processing, transactions, and reporting, were designed decades ago without modern security standards and do not support frequent patching or advanced encryption protocols. Rewriting them is costly and risky, but leaving them exposed is unacceptable under DORA.
External shield strategy
To protect these critical systems, an external security layer is implemented, including:
- API proxies and gateways: Filter, authenticate, and encrypt all communications to and from legacy systems, applying modern authentication and encryption controls to systems that originally did not support them.
- Just-in-Time privileged access control: Operators obtain temporary privileges only for specific tasks, reducing the risk window of compromise.
- Traffic isolation: The Core is separated from development environments, providers, and endpoints, preventing attacks in one area from affecting critical systems.
This strategy allows the Legacy Core to remain operational and protected, DORA-compliant, without immediate migrations, while reducing the risk of lateral propagation from older systems.
7. Traceability, auditing, and technical evidence
DORA raises traceability standards: every action must be logged, audited, and reconstructible. In the event of an incident, the bank must demonstrate what happened, how it was detected, who had access, and how it was mitigated. Lack of traceability is not only a technical risk, but a legal and reputational one that can lead to multimillion-euro penalties.
Advanced technical requirements
- Immutable logs (WORM – Write Once Read Many): Ensure evidence integrity, preventing tampering or deletion.
- User and Entity Behavior Analytics (UEBA): Detect behavioral deviations, identifying anomalies even before systems flag incidents.
- SOAR (Security Orchestration, Automation, and Response): Enables immediate automated response, blocking accounts, isolating systems, and activating contingency measures without manual intervention.
With these controls, the bank not only approaches DORA compliance but can respond proactively, limiting incident propagation and keeping critical operations intact.
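The immutable-log requirement above can be approximated in software with a hash chain, shown here as an added example (not Cosmikal's code): each record commits to the digest of its predecessor, so a verifier locates the first altered or missing record, and anchoring the head digest outside the system catches removal of the most recent entries.

```python
import copy
import hashlib
import json

class ImmutableLog:
    """Append-only, hash-chained evidence log (a software approximation of WORM).
    Each entry commits to the digest of the one before it, so editing, deleting
    or reordering a record breaks verification from that point onward."""
    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(prev_hash, seq, record):
        # Canonical JSON so an identical record always produces an identical digest
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(f"{prev_hash}|{seq}|{body}".encode()).hexdigest()

    def append(self, record):
        seq = len(self._entries)
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {"seq": seq, "prev": prev, "record": copy.deepcopy(record),
                 "hash": self._digest(prev, seq, record)}
        self._entries.append(entry)
        return entry["hash"]

    def head(self):
        # Anchor this digest outside the system (WORM storage, external timestamp):
        # the chain alone cannot prove that the most recent entries were not removed
        return self._entries[-1]["hash"] if self._entries else self.GENESIS

    def verify(self, anchored_head=None):
        """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
        prev = self.GENESIS
        for e in self._entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["seq"], e["record"]):
                return False, e["seq"]
            prev = e["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, len(self._entries)   # tail truncated or log replaced
        return True, -1

    def entries(self):
        # Readers get deep copies; the only way to alter history is to corrupt storage
        return copy.deepcopy(self._entries)
```

The tests below simulate storage corruption by editing the private list directly, which is the only path that can alter history.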
8. Cosmikal and banking resilience
Cosmikal’s solutions, especially Endurance, apply an integrated resilient architecture approach aligned with multiple DORA pillars:
- Ephemeral identity and Just-in-Time access: Privileged credentials are granted only for specific tasks and automatically revoked, reducing abuse risk.
- Isolated environments (non-persistent VDI, Remote Browser Isolation): Users interact with critical systems without endpoints being able to capture data, eliminating direct attack vectors.
- Dynamic microsegmentation and session control: Each process and application is isolated, and interactions are recorded and audited in real time, including video recording.
- Legacy system protection: Endurance enables modern controls to be applied to legacy systems without modifying the Core.
- Advanced monitoring and SOAR: Anomalous behavior detected in real time triggers automated response, ensuring attack propagation is stopped immediately.
This architecture guarantees that even during a massive attack, operational continuity, financial asset security, and information integrity remain intact.
9. Anatomy of a neutralized attack: the encapsulated session paradigm
To understand operational resilience in practice, let’s analyze the lifecycle of an attack under a conventional architecture versus a total isolation architecture (Endurance) aligned with DORA. The goal is not only to detect the attacker, but to deprive them of the infrastructure required to progress.
Scenario: Intrusion via endpoint and session compromise
Phase 1: Initial Access and the End of Credential Harvesting
Imagine an attacker compromises a system administrator’s endpoint via session hijacking or highly sophisticated phishing.
- Endurance Architecture: Unlike traditional models where the attacker could access local credential storage or browser session tokens, here they encounter an impenetrable wall. Access to the Core Banking session runs inside an ephemeral, isolated container. The attacker has no access to the execution process; they only receive a pixel stream (video) and send peripheral events (keyboard/mouse). There are no hashes to steal and no memory to dump.
Phase 2: Collapse of reconnaissance and lateral movement
After access, the attacker attempts to map the internal network (lateral movement) to identify transactional databases or SWIFT servers.
- Architectural Mitigation: The attacker is operating inside a “glass cage.” Being inside an encapsulated session, they have no network visibility. Discovery commands (e.g., net view, ARP scans) die inside the isolated container, which has no logical routes to other critical segments. Network “pivoting” does not exist.
Phase 3: Silent detection and deception technology
To test resilience, suppose the attacker attempts to interact with UI elements to escalate privileges.
- Dynamic Response: Thanks to dynamic microsegmentation, the system identifies that the request originates from a compromised session and freezes it.
Phase 4: SOAR Orchestration and Immutable Forensic Evidence (DORA Art. 18)
DORA requires exhaustive traceability for incident management.
- Execution: SOAR (Security Orchestration, Automation, and Response) activates automatic protocols: the identity token is revoked and the compromised session container is destroyed. Crucially, a full session recording and metadata are preserved (video of attacker interaction, clicks, commands). This evidence is native, attacker-external, and ready for regulatory submission.
Phase 5: Core and legacy system immunity
While the attack is contained at the session perimeter, core and legacy systems remain in a “zero trust” zone.
- Legacy Protection: Protected by application gateways that only accept connections from the verified isolation environment, these systems were never exposed to direct communication with the compromised endpoint.
Operational outcome
The attack is contained during the reconnaissance phase, banking operations experience zero downtime, and the financial institution holds irrefutable forensic evidence of the intrusion attempt. This is the technical definition of Digital Operational Resilience.
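To make the segmentation behaviour of sections 5 and 9 concrete, here is an added Python model (not Endurance's code) of a default-deny east-west policy with a decoy segment; the addresses, segment names and ports are constructed for the scenario. It replays the phases above as flow decisions: the encapsulated session reaches the core only through the gateway, the compromised endpoint has no route to the core, and the first touch of a honey asset raises an alert and freezes the session.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed lab addressing for the scenario (not from the original article)
SEGMENTS = {
    "endpoints":         "10.10.0.0/16",   # administrator laptops
    "session-container": "10.30.0.0/24",   # ephemeral, encapsulated sessions
    "core-gateway":      "10.40.0.0/24",   # application gateway in front of the legacy core
    "core-banking":      "10.50.0.0/24",
    "decoy":             "10.60.0.0/24",   # honey assets: nothing legitimate lives here
}
# Default-deny: only these (src, dst, port) flows exist; everything else has no route
ALLOW = {
    ("endpoints", "session-container", 443),      # pixel stream and input events only
    ("session-container", "core-gateway", 8443),
    ("core-gateway", "core-banking", 1521),
}
DECOYS = {"decoy"}

@dataclass
class Segmenter:
    segments: dict
    allow: set
    decoys: set
    alerts: list = field(default_factory=list)
    frozen: set = field(default_factory=set)   # session ids whose traffic is dropped
    def segment_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.segments.items():
            if addr in ip_network(net):
                return name
        return "unknown"
    def evaluate(self, session_id, src_ip, dst_ip, port):
        if session_id in self.frozen:
            return "drop:frozen"
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if dst in self.decoys:
            # Any touch of a decoy is a high-fidelity lateral-movement signal: alert and freeze
            self.alerts.append({"session": session_id, "src": src_ip, "dst": dst_ip, "port": port})
            self.frozen.add(session_id)
            return "drop:decoy-alert"
        return "allow" if (src, dst, port) in self.allow else "drop:no-route"

def run_scenario():
    # Replays the article's attack phases as flow decisions; returns (segmenter, decisions)
    seg = Segmenter(SEGMENTS, ALLOW, DECOYS)
    flows = [
        ("s1", "10.10.5.7", "10.30.0.10", 443),     # admin opens isolated session: allowed
        ("s1", "10.30.0.21", "10.40.0.5", 8443),    # session reaches core via gateway: allowed
        ("s1", "10.10.5.7", "10.50.0.9", 1521),     # compromised endpoint direct to core: no route
        ("s1", "10.30.0.21", "10.50.0.9", 1521),    # session bypassing the gateway: no route
        ("s1", "10.30.0.21", "10.60.0.3", 445),     # reconnaissance hits a decoy: alert + freeze
        ("s1", "10.30.0.21", "10.40.0.5", 8443),    # previously allowed path, now frozen
    ]
    return seg, [seg.evaluate(*f) for f in flows]
```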
10. Strategic benefits for the banking sector
Implementing a resilience architecture like Cosmikal’s delivers multiple advantages:
- Facilitates DORA compliance with technical evidence and full auditing.
- Drastically reduces the risk of critical incidents, even during massive attacks or APTs.
- Protects legacy systems without immediate migration, optimizing technology investment.
- Guarantees operational continuity, ensuring transactions, payments, and essential services remain active.
- Competitive advantage: customers trust banks capable of operating securely even under attack, strengthening reputation and market position.
11. Integration with the digital supply chain
DORA does not focus solely on internal systems; supplier and external API security is equally critical. Cosmikal solutions enable:
- Just-in-Time supplier access control: Temporary, audited credentials.
- Continuous traffic and behavior monitoring: Real-time alerts if a supplier exhibits suspicious activity.
- Isolation of internal from external systems: Microsegmentation and proxies prevent third-party failures from impacting the Core.
This integration ensures resilience extends beyond internal systems to the entire digital value chain, facilitating DORA compliance and reducing systemic risk.
12. Global benchmark and comparison
A banking cybersecurity study published by FS-ISAC and ENISA indicates:
- Over 70% of massive banking incidents involve lateral movement or credential abuse.
- Legacy systems account for 60% of exploited attack vectors.
- Adoption of microsegmentation and advanced PAM reduces the impact of critical incidents by 80%, based on European and North American banking cases.
Applying the Endurance architecture allows a bank to multiply its operational resilience compared to traditional approaches relying solely on EDR or VPNs.
13. Additional strategic benefits
Beyond compliance and protection, banking resilience provides competitive advantages:
- Reduced incident costs: Rapid containment minimizes financial losses and avoids regulatory penalties.
- Customer trust: Guaranteed uninterrupted operations reinforce reputation and loyalty.
- Innovation agility: By isolating and protecting legacy systems, banks can integrate fintechs and modern APIs without compromising security.
- Security team optimization: SOAR and advanced monitoring reduce manual workload and allow focus on strategic analysis.
14. Conclusion: resilience as a competitive advantage
Twenty-first-century banking cannot afford operational failures or massive breaches. DORA defines the standards, but technical execution depends on integrated architecture, identity management, isolation, segmentation, monitoring, and full traceability.
Cosmikal’s solutions enable these practices not only to be implemented, but to become a competitive advantage, delivering:
- Regulatory compliance.
- Operational continuity during massive attacks.
- Protection of legacy systems and critical Core Banking.
- Full visibility and immediate response capability.
In an environment where advanced attacks are the norm, operational resilience is not optional; it is the foundation of survival and leadership in the financial sector.