Chuck Leaver – Part One Of The Carbanak Case Study For Indicators Of Compromise With Continuous Endpoint Monitoring

Presented By Chuck Leaver And Written By Dr Al Hartmann

Part 1 of a 3-part series

Carbanak APT Background Details

A billion dollar bank raid targeting more than a hundred banks across the world, carried out by a group of still-unidentified criminals, has remained in the news. The attacks on the banks began in early 2014 and have since spread across the globe. Most of the victims suffered intrusions lasting several months and spanning numerous endpoints before any financial loss occurred. Most of them had security measures in place, including network and endpoint security software, yet these provided little warning of or defense against the attacks.

Several security companies have published technical reports on the attacks, which have been codenamed either Carbanak or Anunak, and these reports list the indicators of compromise that were observed. The companies include:

Fox-IT of Holland
Group-IB from Russia
Kaspersky Lab of Russia

This post serves as a case study of the attacks and examines:

1. Why were standard network security and endpoint security unable to detect and defend against the attacks?
2. Why would continuous endpoint monitoring (as provided by the Ziften solution) have given early warning of the endpoint attacks and triggered a response in time to prevent data loss?

Standard Endpoint Security And Network Security Are Ineffective

Built on a legacy security design that relies too heavily on blocking and prevention, conventional endpoint and network security does not offer a balance of blocking, prevention, detection and response. It is not difficult for a criminal group to pre-test its attack against a small number of standard endpoint and network security products and so be confident the attack will go undetected. Several of the attackers in this case did research the security products in place at the victim organizations and became skilled at getting past them unnoticed. They also knew that most of these products react only after an event and otherwise do nothing. As a result, normal endpoint operation remains largely opaque to IT security staff, and malicious activity is masked within it (activity the attackers had already tested against the products to avoid detection).

Once an initial breach has occurred, the intrusion can be extended to users with higher privileges and to more sensitive endpoints. This is readily achieved through credential theft, which requires no malware at all: conventional IT tools, already whitelisted by the victim organization, are driven by scripts written by the criminals. No detectable malware is present on the endpoints, so no alarms are raised. Traditional endpoint security software is over-reliant on hunting for malware.

Standard network security can be defeated in a similar way. The attackers first test their network activity against widely distributed IDS/IPS rules to avoid detection, and they closely observe normal endpoint operation (on the endpoints they have compromised) so that their own network activity stays within normal transaction periods and regular traffic patterns. They stand up new command and control infrastructure that appears on no network address blacklist, whether at the IP or domain level. Little here gives the criminals away. More astute network behavioral assessment, however, especially when tied to endpoint context (discussed later in this series), can be far more effective.
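The two paragraphs above describe the same blind spot from two sides: whitelisted administrative tools driven by attacker scripts raise no malware alarm on the endpoint, and command and control traffic that is on no blacklist raises no alarm on the network. The following added example (written for this post, not Ziften's product code, and containing no Carbanak indicators) shows how continuous endpoint monitoring closes both gaps without any signature: it builds a baseline of who runs which tool on which host and which destinations each process contacts, then flags whitelisted tools launched from script hosts, used by an unfamiliar user or host, or any process reaching a destination never seen for it. Every host, user, tool name and address is constructed sample data, and the whitelist and script-host sets are assumed policy.

```python
"""Continuous-endpoint-monitoring detection logic run over constructed telemetry.

Added illustration for the post, not Ziften's product code and not a list of
Carbanak indicators. All hosts, users, tool names and addresses are constructed;
the whitelist and script-host sets are assumed organizational policy.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record plus the remote endpoint it contacted, if any."""
    host: str
    user: str
    parent: str                 # parent process image name
    image: str                  # process image name
    dest: Optional[str] = None  # "ip:port" the process connected to, or None


# Assumed policy: administrative tools the organization whitelists, and the
# interpreters under which an attacker-authored script would launch them.
WHITELISTED_ADMIN_TOOLS = {"remote_exec.exe", "net.exe", "sqlcli.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Baseline:
    """What normal operation looked like during the observation window."""
    user_tools: Set[Tuple[str, str]] = field(default_factory=set)  # (user, image)
    host_tools: Set[Tuple[str, str]] = field(default_factory=set)  # (host, image)
    net_pairs: Set[Tuple[str, str]] = field(default_factory=set)   # (image, dest)


def build_baseline(events: List[ProcEvent]) -> Baseline:
    """Learn who runs which tool where, and which destinations each image contacts."""
    b = Baseline()
    for ev in events:
        b.user_tools.add((ev.user, ev.image))
        b.host_tools.add((ev.host, ev.image))
        if ev.dest:
            b.net_pairs.add((ev.image, ev.dest))
    return b


def detect(events: List[ProcEvent], baseline: Baseline) -> List[Tuple[ProcEvent, Tuple[str, ...]]]:
    """Return (event, reason codes) for events that deviate from the baseline.

    None of these rules needs a malware signature: they flag whitelisted tools
    being used in ways the organization's own history never shows, and network
    destinations that are new for the process making the connection.
    """
    alerts = []
    for ev in events:
        reasons = []
        if ev.image in WHITELISTED_ADMIN_TOOLS:
            if ev.parent in SCRIPT_HOSTS:
                reasons.append("SCRIPT_PARENT")       # admin tool driven by a script
            if (ev.user, ev.image) not in baseline.user_tools:
                reasons.append("NEW_USER_FOR_TOOL")   # stolen or newly elevated credential
            if (ev.host, ev.image) not in baseline.host_tools:
                reasons.append("NEW_HOST_FOR_TOOL")   # admin tool on a non-admin endpoint
        if ev.dest and (ev.image, ev.dest) not in baseline.net_pairs:
            reasons.append("NEW_DESTINATION")         # on no blacklist, but new for this process
        if reasons:
            alerts.append((ev, tuple(reasons)))
    return alerts


# Constructed baseline: ordinary user activity, and an admin doing admin work from the admin host.
BASELINE_EVENTS = [
    ProcEvent("WS-01", "alice", "explorer.exe", "outlook.exe", "10.0.5.20:443"),
    ProcEvent("WS-01", "alice", "explorer.exe", "chrome.exe"),
    ProcEvent("WS-02", "carol", "explorer.exe", "outlook.exe", "10.0.5.20:443"),
    ProcEvent("ADM-01", "bob_admin", "explorer.exe", "remote_exec.exe", "10.0.9.7:445"),
    ProcEvent("ADM-01", "bob_admin", "explorer.exe", "net.exe"),
]

# Constructed live telemetry: two clean events and three that match the post's
# description of malware-free misuse (a script driving a whitelisted tool, an admin
# credential used from a workstation, a user process reaching an unseen destination).
LIVE_EVENTS = [
    ProcEvent("WS-01", "alice", "explorer.exe", "outlook.exe", "10.0.5.20:443"),
    ProcEvent("WS-01", "alice", "wscript.exe", "net.exe"),
    ProcEvent("WS-01", "bob_admin", "cmd.exe", "remote_exec.exe", "10.0.9.7:445"),
    ProcEvent("WS-01", "alice", "explorer.exe", "outlook.exe", "203.0.113.45:443"),
    ProcEvent("ADM-01", "bob_admin", "explorer.exe", "remote_exec.exe", "10.0.9.7:445"),
]


def run_example() -> List[Tuple[ProcEvent, Tuple[str, ...]]]:
    """Baseline on the constructed history, then score the constructed live events."""
    return detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for ev, reasons in run_example():
        print(f"{ev.host} {ev.user} {ev.parent} -> {ev.image} {ev.dest or ''}: {', '.join(reasons)}")
```

Three of the five live events are flagged and the two that mirror baseline behaviour are not. The baseline is what makes the network rule useful: a connection that no blacklist would catch still stands out when it is judged against what that particular process on that particular host has contacted before. In production the NEW_DESTINATION rule needs suppression for processes whose destinations are legitimately unbounded (browsers in particular), and the baseline window must be long enough to cover routine but infrequent administrative work, otherwise the alerts drown in false positives.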

This is no reason to abandon hope. Would continuous endpoint monitoring (as offered by Ziften) have provided early warning of the endpoint compromise, allowing the attacks to be stopped before data was lost? Find out more in part 2.
