The Case For Continuous Endpoint Monitoring Part One Of The Carbanak Case Study – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 1 in a 3 part series


Carbanak APT Background Particulars

A billion dollar bank raid, which is targeting more than a hundred banks throughout the world by a group of unknown cyber wrongdoers, has been in the news. The attacks on the banks began in early 2014 and they have actually been expanding around the world. The majority of the victims suffered devastating infiltrations for a variety of months across a number of endpoints prior to experiencing financial loss. Most of the victims had implemented security steps which included the implementation of network and endpoint security software, but this did not offer a lot of caution or defense against these cyber attacks.

A variety of security companies have actually produced technical reports about the attacks, and they have been codenamed either Carbanak or Anunak and these reports listed indicators of compromise that were observed. The businesses include:

Fox-IT of Holland
Group-IB from Russia
Kaspersky Lab of Russia

This post will act as a case study for the cyber attacks and address:

1. The factor that the endpoint security and the standard network security was unable to detect and defend against the attacks?
2. Why continuous endpoint monitoring (as provided by the Ziften solution) would have warned early about endpoint attacks and then activated a reaction to prevent data loss?

Traditional Endpoint Security And Network Security Is Inadequate

Based on the legacy security design that relies excessively on blocking and prevention, standard endpoint and network security does not provide a well balanced strategy of obstructing, prevention, detection and response. It would not be challenging for any cyber criminal to pre test their attacks on a limited number of traditional endpoint security and network security services so that they could be sure an attack would not be detected. A number of the hackers have actually investigated the security services that were in place at the victim companies and then became experienced in breaking through undetected. The cyber crooks knew that most of these security services only respond after the event however otherwise will do nothing. Exactly what this means is that the typical endpoint operation remains primarily nontransparent to IT security workers, which indicates that malicious activity ends up being masked (this has actually already been checked by the hackers to prevent detection). After a preliminary breach has occurred, the malicious software application can extend to reach users with higher privileges and the more sensitive endpoints. This can be quickly accomplished by the theft of credentials, where no malware is required, and traditional IT tools (which have actually been white listed by the victim organization) can be utilized by cyber criminal created scripts. This means that the existence of malware that can be identified at endpoints is not made use of and there will be no red flags raised. Standard endpoint security software is too over reliant on searching for malware.

Conventional network security can be controlled in a similar way. Hackers test their network activities first to prevent being spotted by widely distributed IDS/IPS guidelines, and they carefully monitor regular endpoint operation (on endpoints that have been compromised) to hide their activities on a network within typical transaction durations and typical network traffic patterns. A new command and control infrastructure is created that is not registered on network address blacklists, either at the IP or domain levels. There is very little to give the hackers away here. However, more astute network behavioral assessment, specifically when related to the endpoint context which will be discussed later in this series of posts, can be a lot more effective.

It is not time to give up hope. Would continuous endpoint monitoring (as offered by Ziften) have supplied an early warning of the endpoint hacking to begin the process of stopping the attacks and avoid data loss? Find out more in part two.

Leave a Reply

Your email address will not be published. Required fields are marked *