Continuous Endpoint Monitoring For Cyber Attacks Carbanak Case Study Part One – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann



Part 1 of a 3-part series


Carbanak APT Background Details

A billion-dollar bank raid, targeting more than a hundred banks across the world and carried out by a group of unknown cyber criminals, has been in the news. The attacks on the banks started in early 2014 and have been spreading around the world. Most of the victims suffered breaches that ran for several months, across a number of endpoints, before they experienced any monetary loss. Most of the victims had implemented security measures, including network and endpoint security software, but these provided little warning of or defense against the attacks.

Several security companies have produced technical reports on the attacks, which have been codenamed either Carbanak or Anunak, and these reports list the indicators of compromise that were observed. The companies are:

Fox-IT of the Netherlands
Group-IB of Russia
Kaspersky Lab of Russia

This post will serve as a case study of the attacks and examine:

1. Why conventional endpoint security and network security were unable to detect and resist the attacks.
2. Why continuous endpoint monitoring (as provided by the Ziften solution) would have given early warning of the endpoint attacks and then triggered a response to prevent data loss.

Conventional Endpoint Security And Network Security Are Inadequate

Built on a legacy security model that relies too heavily on blocking and prevention, conventional endpoint and network security does not provide a balance of blocking, prevention, detection and response. It is not hard for a cyber criminal to pre-test an attack against a handful of conventional endpoint and network security products to confirm that it will not be detected. Several of the attackers researched the security products in place at the victim companies and became skilled at getting through them unnoticed. The criminals knew that most of these products only react to a recognized event and otherwise do nothing. In practice this means that normal endpoint operation remains largely opaque to IT security staff, so malicious activity is masked (the attackers had already tested it to avoid detection). Once an initial foothold exists, the intrusion can extend to users with higher privileges and to more sensitive endpoints. This is easily done through credential theft, which requires no malware: standard IT tools, already whitelisted by the victim company, are driven by scripts the criminals wrote. No detectable malware is present on the endpoints, so no alarms are raised. Conventional endpoint security software is far too dependent on looking for malware.

Conventional network security can be circumvented in a similar way. The attackers test their network activity first to avoid being spotted by widely distributed IDS/IPS rules, and they carefully observe normal endpoint operation (on the endpoints they have already compromised) so that they can hide their network activity within normal transaction windows and normal traffic patterns. A fresh command-and-control infrastructure is set up that appears on no network address blacklist, at either the IP or the domain level. There is little here to give the attackers away. However, more astute network behavioral analysis, especially when tied to endpoint context (discussed later in this series), can be a great deal more effective.
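The two failure modes above, whitelisted IT tools driven by stolen credentials and command-and-control traffic that sits on no blacklist, are both invisible to signature matching but visible to behavioral baselining of the kind continuous endpoint monitoring makes possible. The following Python script is an added illustration of that point; it is not Ziften's product code and is not taken from the Fox-IT, Group-IB or Kaspersky reports. The admin-tool allowlist, the host names and IP address, and the event format are all constructed for the example. It learns, from a baseline period, which allowlisted tools each user normally runs and which destinations each executable normally contacts, then flags departures from that baseline in later telemetry.

```python
"""Behavior-based endpoint monitoring against living-off-the-land activity.

Added example, not code from Ziften or from the Carbanak/Anunak reports.
All events below are constructed; the admin-tool allowlist is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed allowlist of legitimate IT tools that signature-based products ignore.
ADMIN_TOOLS = {"psexec.exe", "powershell.exe", "net.exe", "wmic.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process event reported by an endpoint agent (constructed format)."""
    host: str
    user: str
    image: str                  # executable name
    remote: Optional[str]       # "host:port" if the process opened a connection


# Constructed learning-period telemetry: the normal behavior to baseline.
BASELINE_EVENTS = [
    ProcEvent("ws01", "alice", "outlook.exe", "mail.corp.example:443"),
    ProcEvent("ws01", "alice", "chrome.exe", "intranet.corp.example:443"),
    ProcEvent("srv01", "admin", "psexec.exe", None),
    ProcEvent("srv01", "admin", "powershell.exe", None),
    ProcEvent("srv01", "admin", "net.exe", None),
]

# Constructed detection-period telemetry: mostly normal, with two suspicious events.
NEW_EVENTS = [
    ProcEvent("ws01", "alice", "outlook.exe", "mail.corp.example:443"),
    ProcEvent("srv01", "admin", "psexec.exe", None),
    ProcEvent("ws01", "alice", "net.exe", None),
    ProcEvent("ws01", "alice", "powershell.exe", "203.0.113.7:443"),
    ProcEvent("srv01", "admin", "net.exe", None),
]

Baseline = Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]
Alert = Tuple[str, str, str, str]   # (host, rule, subject, detail)


def build_baseline(events: List[ProcEvent]) -> Baseline:
    """Learn which admin tools each user normally runs and which
    destinations each executable normally contacts."""
    tools_by_user: Dict[str, Set[str]] = defaultdict(set)
    dests_by_image: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.image in ADMIN_TOOLS:
            tools_by_user[e.user].add(e.image)
        if e.remote is not None:
            dests_by_image[e.image].add(e.remote)
    return dict(tools_by_user), dict(dests_by_image)


def detect(events: List[ProcEvent], baseline: Baseline) -> List[Alert]:
    """Flag deviations from the baseline. No malware signature is involved:
    the rules key on who runs an allowlisted tool and where a process
    connects, which is exactly what credential-theft-driven activity changes."""
    tools_by_user, dests_by_image = baseline
    alerts: List[Alert] = []
    for e in events:
        # Rule 1: an allowlisted admin tool run by a user who never ran it before.
        if e.image in ADMIN_TOOLS and e.image not in tools_by_user.get(e.user, set()):
            alerts.append((e.host, "admin-tool-new-for-user", e.user, e.image))
        # Rule 2: a process contacting a destination it has never contacted
        # (endpoint context attached to the network observation).
        if e.remote is not None and e.remote not in dests_by_image.get(e.image, set()):
            alerts.append((e.host, "new-destination-for-process", e.image, e.remote))
    return alerts


def run_example() -> List[Alert]:
    """Baseline on the learning period, then score the detection period."""
    return detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for host, rule, subject, detail in run_example():
        print(f"{host}: {rule}: {subject} -> {detail}")
```

Run against the constructed data, the script raises no alert for the administrator's routine use of the same tools, but it does flag the workstation user suddenly running net.exe and powershell.exe, and the latter contacting an address no process had contacted before. None of those three alerts depends on recognizing a malicious file, which is the gap the paragraphs above describe; in practice the baseline window would be far longer and the rules would also carry timing and parent-process context.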

It is not time to give up hope. Would continuous endpoint monitoring (as provided by Ziften) have given early warning of the endpoint compromise, starting the process of stopping the attacks and preventing data loss? Find out more in part 2.
