Charles Leaver – Why Continuous Endpoint Monitoring Is Best – Carbanak Case Study Part One

Presented By Charles Leaver And Written By Dr Al Hartmann


Part 1 in a 3 part series


Carbanak APT Background Particulars

A billion dollar bank raid, which is targeting more than a hundred banks across the world by a group of unidentified cyber wrongdoers, has actually been in the news. The attacks on the banks started in early 2014 and they have actually been broadening around the world. The majority of the victims suffered devastating breaches for a variety of months across a number of endpoints prior to experiencing monetary loss. Most of the victims had executed security measures that included the application of network and endpoint security software, however this did not offer a lot of caution or defense against these cyber attacks.

A variety of security businesses have produced technical reports about the incidents, and they have actually been codenamed either Carbanak or Anunak and these reports noted signs of compromise that were observed. The businesses consist of:

Fox-IT of Holland
Group-IB from Russia
Kaspersky Laboratory of Russia

This post will function as a case study for the cyber attacks and address:

1. The reason that the endpoint security and the traditional network security was unable to identify and prevent the attacks?
2. Why continuous endpoint monitoring (as provided by the Ziften solution) would have warned early about endpoint attacks and then set off a reaction to prevent data loss?

Conventional Endpoint Security And Network Security Is Inefficient

Based upon the legacy security design that relies excessively on obstructing and prevention, conventional endpoint and network security does not offer a balanced of blocking, prevention, detection and response. It would not be difficult for any cyber criminal to pre test their attacks on a limited number of conventional endpoint security and network security services so that they could be sure an attack would not be discovered. A number of the hackers have actually researched the security services that were in place at the victim organizations and then ended up being proficient in breaking through unnoticed. The cyber criminals understood that most of these security products only react after the occasion however otherwise will do nothing. Exactly what this means is that the typical endpoint operation stays primarily opaque to IT security workers, which indicates that malicious activity becomes masked (this has already been examined by the hackers to avoid detection). After an initial breach has actually taken place, the malicious software can extend to reach users with greater privileges and the more sensitive endpoints. This can be quickly accomplished by the theft of credentials, where no malware is required, and standard IT tools (which have been white listed by the victim organization) can be used by cyber criminal created scripts. This means that the presence of malware that can be identified at endpoints is not used and there will be no red flags raised. Standard endpoint security software is too over reliant on looking for malware.

Traditional network security can be manipulated in a comparable method. Hackers test their network activities first to prevent being identified by widely distributed IDS/IPS rules, and they thoroughly monitor typical endpoint operation (on endpoints that have been jeopardized) to hide their activities on a network within normal transaction durations and typical network traffic patterns. A new command and control infrastructure is produced that is not registered on network address blacklists, either at the IP or domain levels. There is not much to give the hackers away here. Nevertheless, more astute network behavioral evaluation, specifically when associated with the endpoint context which will be talked about later in this series of posts, can be a lot more effective.

It is not time to give up hope. Would continuous endpoint monitoring (as provided by Ziften) have offered an early caution of the endpoint hacking to begin the process of stopping the attacks and prevent data loss? Find out more in part two.