Chuck Leaver – Carbanak Case Study Part One And The Case For Continuous Endpoint Monitoring

Presented By Chuck Leaver And Written By Dr Al Hartmann



Part 1 in a 3 part series

Carbanak APT Background Particulars

A billion-dollar bank raid targeting more than a hundred banks around the world, carried out by an unidentified group of cyber criminals, has remained in the news. The attacks on the banks began in early 2014 and have been spreading across the globe ever since. Most victims suffered deep intrusions, spanning numerous endpoints and lasting for months, before any monetary loss occurred. Most victims had also deployed security measures, including network and endpoint security products, yet these provided little warning of, or defense against, the attacks.

Several security companies have published technical reports on the incidents, codenamed either Carbanak or Anunak, listing the indicators of compromise they observed. The companies include:

Fox-IT from Holland
Group-IB of Russia
Kaspersky Lab from Russia

This post serves as a case study of the attacks and examines:

1. Why the traditional endpoint security and network security in place were unable to detect and resist the attacks.
2. Why continuous endpoint monitoring (as provided by the Ziften solution) would have given early warning of the endpoint attacks and triggered a response that prevented data loss.

Traditional Endpoint Security And Network Security Are Ineffective

Traditional endpoint and network security is built on a legacy design that relies too heavily on blocking and prevention, without balancing them against detection and response. It is not difficult for an attacker to pre-test an attack against the small number of standard endpoint and network security products in common use, and so be confident that the attack will not be detected. Several of the attackers researched the security products in place at the victim organizations and became proficient at getting past them unnoticed. The criminals knew that most of these products react only to an event they already recognize and otherwise do nothing. In practice this means that normal endpoint operation remains largely opaque to IT security staff, and malicious activity (already tested by the attackers to evade detection) is masked within it.

Once the initial breach has occurred, the intrusion can expand to reach users with higher privileges and more sensitive endpoints. This is easily achieved through credential theft, which requires no malware at all: standard IT tools, already whitelisted by the victim organization, are driven by the criminals' own scripts. No detectable malware is present on the endpoints, so no red flags are raised. Traditional endpoint security software is simply too reliant on looking for malware.

Conventional network security can be manipulated in the same way. Attackers first test their network activity to avoid being flagged by widely distributed IDS/IPS rules, and they closely observe normal operation on the endpoints they have compromised so that their own network activity stays hidden within regular transaction periods and normal traffic patterns. They build new command-and-control infrastructure that appears on no network blacklist, at either the IP or the domain level. There is very little here to give the criminals away. Nevertheless, more sophisticated network behavioral analysis, particularly when tied to endpoint context (covered later in this series of posts), can be far more effective.
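The two paragraphs above make one point from the endpoint side and from the network side: when the attacker uses whitelisted tools and unlisted infrastructure, blacklists and signatures have nothing to match, so detection has to come from behavior that deviates from the organization's own baseline. The following is an added example, not code from Ziften, the post's author, or any of the cited reports. It assumes a hypothetical continuous endpoint monitor that records every process launch as a line of the form `<timestamp> <host> <user> <image>`; the log lines, host names, user names and the list of "admin tools" are all constructed for the example. It builds a per-principal baseline of which whitelisted administrative tools are normally run, then flags an account running such a tool where it never has before, and an account running admin tools across several hosts in a short window, which is the kind of post-breach expansion the text describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of whitelisted administrative tools. They are legitimate, signed
# and used daily by IT staff, so a blocking-based product has no reason to stop
# them; detection has to come from who runs them, where, and how often.
ADMIN_TOOLS = {"psexec.exe", "net.exe", "wmic.exe", "powershell.exe", "sc.exe"}

# Constructed sample telemetry (not taken from any Carbanak/Anunak report),
# one process launch per line: "<timestamp> <host> <user> <image>".
BASELINE_LOG = """\
2014-03-03T09:12:00 WS-ACCT-07 alice excel.exe
2014-03-03T09:30:00 WS-ACCT-07 alice outlook.exe
2014-03-03T10:05:00 WS-IT-01 bob psexec.exe
2014-03-03T10:06:00 WS-IT-01 bob net.exe
2014-03-03T11:00:00 WS-ACCT-08 carol winword.exe
"""

MONITORED_LOG = """\
2014-03-10T09:15:00 WS-ACCT-07 alice outlook.exe
2014-03-10T09:40:00 WS-ACCT-07 alice powershell.exe
2014-03-10T10:20:00 WS-IT-01 bob psexec.exe
2014-03-10T22:10:00 WS-ACCT-07 alice net.exe
2014-03-10T22:12:00 WS-ACCT-08 alice net.exe
2014-03-10T22:15:00 SRV-FIN-02 alice wmic.exe
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image.lower()})
    return events


def build_baseline(events):
    """Map (host, user) -> set of admin tools that principal normally runs.

    The baseline window is assumed to be clean; in practice it is built from
    weeks of telemetry and refreshed continuously as the monitor runs.
    """
    baseline = defaultdict(set)
    for e in events:
        if e["image"] in ADMIN_TOOLS:
            baseline[(e["host"], e["user"])].add(e["image"])
    return baseline


def detect(events, baseline, spread_hosts=3, window=timedelta(hours=24)):
    """Return a list of (rule, detail) alerts for admin-tool use that deviates
    from the baseline. Two rules:
      new-admin-tool: a principal runs a whitelisted admin tool it has never
                      run on that host before (credential misuse, or a user
                      acting outside their normal role);
      admin-spread:   one account runs admin tools on `spread_hosts` or more
                      distinct hosts inside `window` (expansion across the
                      estate toward more sensitive systems).
    """
    alerts = []
    admin_runs = defaultdict(list)   # user -> [(ts, host)] of admin-tool launches
    spread_flagged = set()           # fire admin-spread once per account
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["image"] not in ADMIN_TOOLS:
            continue                 # ordinary business applications are ignored
        key = (e["host"], e["user"])
        if e["image"] not in baseline.get(key, set()):
            alerts.append(("new-admin-tool",
                           f"{e['user']}@{e['host']} ran {e['image']}"))
        admin_runs[e["user"]].append((e["ts"], e["host"]))
        recent = {h for t, h in admin_runs[e["user"]] if e["ts"] - t <= window}
        if len(recent) >= spread_hosts and e["user"] not in spread_flagged:
            spread_flagged.add(e["user"])
            alerts.append(("admin-spread",
                           f"{e['user']} ran admin tools on {sorted(recent)}"))
    return alerts


def run_demo():
    """Build the baseline from the clean window and score the monitored window."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(MONITORED_LOG), baseline)


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(f"[{rule}] {detail}")
```

In the constructed data, bob's psexec use on WS-IT-01 matches his baseline and produces nothing, while alice's first powershell launch on an accounting workstation is flagged immediately, hours before her account is seen running admin tools on a third host. Neither alert depends on a malware signature or a blacklisted address; both come from the endpoint context (which account, which host, which tool) that the text argues conventional products leave opaque.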

It is not time to give up hope. Would continuous endpoint monitoring (as offered by Ziften) have provided an early warning of the endpoint intrusion, starting the process of stopping the attacks and preventing data loss? Find out in part 2.