Charles Leaver – First Part Of Carbanak Case Study And The Benefits Of Continuous Endpoint Monitoring

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 1 in a 3 part series

Carbanak APT Background Particulars

A billion dollar bank raid targeting more than a hundred banks across the world, carried out by a group of unknown cyber criminals, has been in the news. The attacks on the banks began in early 2014 and have been expanding around the world. Most of the victims suffered severe breaches across numerous endpoints for several months before experiencing monetary loss. Most of the victims had implemented security measures, including network and endpoint security software, but these provided little warning of or defense against the attacks.

Several security companies have produced technical reports about the incidents, codenamed either Carbanak or Anunak, listing the indicators of compromise that were observed. The companies include:

Fox-IT from Holland
Group-IB from Russia
Kaspersky Laboratory of Russia

This post will serve as a case study of the attacks and address:

1. Why standard endpoint and network security was unable to detect and resist the attacks.
2. Why continuous endpoint monitoring (as supplied by the Ziften solution) would have given early warning of the endpoint attacks and triggered a response to prevent data loss.

Standard Endpoint Security And Network Security Is Ineffective

Built on a legacy security model that relies too heavily on blocking and prevention, traditional endpoint and network security does not offer a balanced strategy of blocking, prevention, detection and response. It is not difficult for a cyber criminal to pre-test an attack against a limited number of standard endpoint and network security products to be sure it will not be detected. Several of the attackers researched the security products in place at the victim organizations and became skilled at getting through them undetected. The criminals knew that most of these security products only react to a known event and otherwise do nothing. This means that normal endpoint operation remains largely opaque to IT security staff, so malicious activity stays masked (and the attackers had already tested it to avoid detection). After the initial breach, the intrusion can extend to users with higher privileges and to more sensitive endpoints. This is easily achieved through credential theft, where no malware is required: conventional IT tools, which the victim organization has whitelisted, are driven by the attackers' own scripts. Since no identifiable malware is present on the endpoints, no alarms are raised. Conventional endpoint security software is too reliant on looking for malware.
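As an added example, not code from Ziften or from any of the vendor reports, the following Python contrasts an allow-list check with a simple behavioral baseline over constructed endpoint process events; the tool names, hosts, users and timestamps are all made up. It shows why a whitelisted tool run with stolen credentials raises no alarm under the legacy check, while a baseline built from continuous monitoring flags the unusual context.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical allow-list of signed admin tools: a hash/name check passes for all of them.
WHITELISTED_TOOLS = {"psexec.exe", "powershell.exe", "net.exe", "wmic.exe"}

# Constructed endpoint process events: (timestamp, host, user, process, parent process).
BASELINE_EVENTS = [
    ("2014-03-03T09:12:00", "ws-teller-07", "svc_ops", "powershell.exe", "explorer.exe"),
    ("2014-03-04T10:40:00", "ws-teller-07", "svc_ops", "psexec.exe", "cmd.exe"),
    ("2014-03-05T14:05:00", "ws-teller-07", "svc_ops", "net.exe", "cmd.exe"),
]
NEW_EVENTS = [
    ("2014-03-20T11:00:00", "ws-teller-07", "svc_ops", "net.exe", "cmd.exe"),
    ("2014-03-21T02:30:00", "ws-teller-07", "svc_ops", "psexec.exe", "cmd.exe"),
    ("2014-03-21T02:31:00", "ws-teller-07", "jsmith", "powershell.exe", "winword.exe"),
]

def signature_only(events):
    """Legacy check: alert only on processes that are not on the allow-list."""
    return [e for e in events if e[3] not in WHITELISTED_TOOLS]

def build_baseline(events):
    """Record, per tool, every (host, user, parent) combination seen in normal operation."""
    baseline = defaultdict(set)
    for _ts, host, user, proc, parent in events:
        baseline[proc].add((host, user, parent))
    return baseline

def behavioral(events, baseline, work_hours=(7, 19)):
    """Flag allowed tools run by an unseen host/user/parent combination or outside work hours."""
    alerts = []
    for ts, host, user, proc, parent in events:
        reasons = []
        if (host, user, parent) not in baseline.get(proc, set()):
            reasons.append("unseen host/user/parent")
        hour = datetime.fromisoformat(ts).hour
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("off-hours")
        if reasons:
            alerts.append((ts, proc, reasons))
    return alerts

if __name__ == "__main__":
    print("signature-only alerts:", signature_only(NEW_EVENTS))  # []
    for alert in behavioral(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("behavioral alert:", alert)
```

The allow-list check returns nothing for the three new events, whereas the baseline comparison raises two alerts: the off-hours psexec.exe run and the powershell.exe launch by a user and parent never seen before.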

Traditional network security can be defeated in a similar way. Attackers test their network activity first to avoid triggering widely distributed IDS/IPS rules, and they closely observe normal endpoint operation (on endpoints they have already compromised) so they can hide their network activity within regular transaction windows and normal traffic patterns. A new command and control infrastructure is built that is not yet registered on network address blacklists, at either the IP or domain level. There is very little here to give the attackers away. Nevertheless, more astute network behavioral assessment, especially when correlated with endpoint context (discussed later in this series of posts), can be far more effective.

It is not time to give up hope, though. Would continuous endpoint monitoring (as supplied by Ziften) have provided early warning of the endpoint compromise in time to begin stopping the attacks and avoid data loss? Find out more in part 2.
