Carbanak Case Study Part One: The Case For Continuous Endpoint Monitoring – Charles Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 1 in a 3 part series

Carbanak APT Background Particulars

A billion dollar bank raid, targeting more than a hundred banks around the world and carried out by a group of unknown cyber criminals, has been in the news. The attacks on the banks began in early 2014 and have been spreading across the globe. Most of the victims suffered serious breaches over a period of months, across a number of endpoints, before experiencing any financial loss. Most of the victims had security measures in place, including network and endpoint security products, yet these provided little warning of or defense against the attacks.

Several security companies have published technical reports about the incidents, codenamed either Carbanak or Anunak, and these reports list the indicators of compromise that were observed. The companies include:

Fox-IT of Holland
Group-IB of Russia
Kaspersky Laboratory of Russia

This post serves as a case study of the attacks and examines:

1. Why traditional endpoint security and network security were unable to detect and resist the attacks.
2. Why continuous endpoint monitoring (as supplied by the Ziften solution) would have given early warning of the endpoint attacks and triggered a response to prevent data loss.

Traditional Endpoint Security And Network Security Are Inadequate

Traditional endpoint and network security is built on a legacy model that relies too heavily on blocking and prevention, and so does not offer a balanced strategy of blocking, prevention, detection and response. It is not hard for an attacker to pre-test an attack against a small number of standard endpoint and network security products to make sure it will not be detected. Many of the attackers researched the security products in place at the victim organizations and became skilled at getting past them undetected. They also knew that most of these products only react to an event and otherwise do nothing. The result is that normal endpoint operation remains largely opaque to IT security staff, so malicious activity stays masked (and the attackers have already checked that it evades detection). After the initial breach, the intrusion spreads to users with higher privileges and to more sensitive endpoints. This is easily achieved by stealing credentials, which requires no malware, and by driving standard IT tools (already whitelisted by the victim organization) with attacker-written scripts. Since no detectable malware is present on the endpoints, no alarms are raised. Standard endpoint security software is too reliant on looking for malware.

Traditional network security can be circumvented in a similar way. Attackers first test their network activity against widely distributed IDS/IPS rules to avoid detection, and they carefully observe normal endpoint operation (on endpoints they have already compromised) so that they can hide their network activity within normal transaction windows and normal traffic patterns. They build new command and control infrastructure that does not appear on IP or domain blacklists. There is very little here to give the attackers away. Nevertheless, more sophisticated network behavioral analysis, especially when tied to endpoint context (discussed later in this series), can be far more effective.

This is not a time to abandon hope. Would continuous endpoint monitoring (as supplied by Ziften) have given early warning of the endpoint compromise, allowing the attacks to be stopped and data loss avoided? Find out more in part 2.
