Kaspersky Lab have recently made public some details of a cyber criminal gang dubbed “Carbanak”, who have reportedly compromised more than a hundred financial firms across the world and netted millions in stolen funds in the process, writes Dave Hartley, principal security consultant at MWR InfoSecurity.
In December 2014, Fox-IT working with Group-IB published a report on a group named Anunak that had conducted similar compromises of banks in Russia. These groups are reportedly one and the same.
In essence, the attackers used the well-known spear-phishing technique to trick bank employees into unwittingly providing remote control of their computers. The attackers then proceeded to jump from computer to computer and watch banking employees conduct their daily activities. They sat, watched and waited for a very long time until they had learned and observed enough to execute their heist. It all sounds very dramatic and has the appeal of a Hollywood heist movie. Sadly this is not fiction; it is the threat profile that many organisations face every day as they go about their business. However, there is some good news, and something the public should be aware of that may help them sleep a little better at night. There is no need to be swept along with the hyperbole that normally accompanies an event of this scale and magnitude. Whilst this event illustrates an increase in attacker capability and sophistication, the UK security industry is prepared for this ‘levelling-up’ of the cyber criminal fraternity and the cyber threat. Measures are already in place to deal with the problem, and have been for some time.
The UK has one of the most mature cyber security postures in the world, as evidenced by the respect the world has for our professional organisations and schemes (e.g. CPNI, CESG and CREST). Most recently, these schemes have been extended to provide a framework designed specifically for financial firms such as those targeted by Carbanak, although it is also very applicable to non-financial firms. The schemes are known as CBEST and CSTAR.
CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. More details of the schemes can be found on the CREST website – http://www.crest-approved.org/.
The public can have every confidence that those financial institutions engaged in the scheme are doing everything they can to protect themselves and their customers' finances. Under the scheme, UK financial institutions submit themselves to simulated attacks, designed specifically to emulate the activities of real-world hackers, so that they can better defend their systems when the attack comes for real. An organisation undergoing such tests is far better placed to combat advanced threat actors and has increased cyber resilience to such targeted attacks.
It comes as no surprise that the initial foothold was obtained by the attackers, as reported in the Carbanak extracts, via a phishing attack. This technique continues to succeed time and again. When we run controlled phishing assessments against clients for the first time, it isn’t uncommon to see more than 60% of employees clicking links or opening attachments in our suspect emails, with almost all of those users then going on to disclose sensitive credentials such as login details.
Driven by compliance requirements, a large number of organisations run security awareness training, which often gives a false sense of security. Compliance regimes, alongside providers of security awareness training, have promoted the belief that raising awareness of security topics such as phishing and social engineering makes an organisation more secure. Unfortunately, whilst this approach does have its place as part of a wider security programme, raising awareness alone doesn’t change employee behaviour. Many users who fall for phishing emails are aware of what phishing is, so organisations can’t rely purely on raising awareness. We’ve seen greater success when organisations focus their efforts on changing behaviours and use regular simulated assessments, combined with targeted and relevant point-in-time education.
The Carbanak attackers, once they had obtained their initial ‘beach head’, managed to maintain access for a very long time with their activities going unnoticed. Even if the initial attack is missed, there is still a small window of opportunity for the defensive team within the compromised organisation to react, provided they are looking for the right indicators of compromise (IOCs). It is very likely that the compromised finance firms relied on SIEM solutions to defend their environments. The breaches, however, illustrate that reliance on technology alone is not going to get the job done.
A motivated and creative human attacker will almost always beat off-the-shelf, compliance-driven defences. MWR’s cyber defence and incident response teams (one of the select few appointed by GCHQ and CPNI to be part of the UK Cyber Incident Response scheme) have found, when working with clients to defend against and respond to similar attacks, that they are almost impossible to detect if you don’t have the right human intelligence augmenting the deployed defensive technologies. Details of the CIR scheme can be found here – https://www.cpni.gov.uk/advice/cyber/cir.
It may seem odd to some that the attackers waited so long before making away with their bounty. Especially as some breaches have been reported as being initiated back in 2013. Well, this is where perhaps a Hollywood script writer may gloss over some very boring and mundane facts about just how unsexy (for some) hacking can be.
The funds transfer systems employed by financial organisations have many moving parts. Contrary to popular belief, it’s not that easy to siphon out cash, not at the push of a single button at least. There are a number of stacked digital and physical safeguards, countermeasures and processes in place. This is why the attackers observed the bank’s employees for so long. It takes a long time to fully understand the inner workings of a financial institution and its procedural and digital nuances. For example, a transfer of £100,000 to a fraudulent account may go unnoticed in an institution that is used to transfers in excess of £100,000, whereas in another organisation that amount wouldn’t be authorised and would set the alarm bells ringing. These rules are particular to each institution, and the attacker has to learn them before acting.
The tradecraft employed differs from attacker to attacker; however, in principle most apply a similar approach. Once an initial foothold is obtained, the threat actor will perform internal reconnaissance, looking to identify opportunities for lateral and vertical movement within the network. They’ll also begin to locate key systems and escalate their privileges. Once this activity is complete, they will often go very quiet, then wait and watch. A SIEM run by a competent team of security professionals, who are threat-intelligence driven and who understand the threats to the business, can defend the network. A human-augmented, intelligence-driven approach is key.
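The internal reconnaissance and lateral movement phase described above leaves a trace in authentication logs that a well-tuned SIEM rule can pick up, for instance one account reaching an unusual number of distinct hosts in a short window. The following is an added illustration written for this article, not MWR's tooling or any product's rule: it runs a sliding-window correlation over a handful of constructed logon events (the hostnames, accounts and the per-account baseline are all assumptions made up for the example) and flags accounts whose spread of destination hosts exceeds what is normal for them. The per-account baseline matters because, as with transfer limits, what is routine for a backup service account is an alarm for a desk user's account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events for this example (not real logs).
# Format: "timestamp account source_host destination_host logon_type"
SAMPLE_EVENTS = """
2015-02-16T02:00:05 svc_backup BACKUP-01 FS-01 network
2015-02-16T02:00:09 svc_backup BACKUP-01 FS-02 network
2015-02-16T02:00:14 svc_backup BACKUP-01 SQL-01 network
2015-02-16T02:00:20 svc_backup BACKUP-01 MAIL-01 network
2015-02-16T02:00:25 svc_backup BACKUP-01 DC-01 network
2015-02-16T08:01:10 alice WS-ALICE FS-01 network
2015-02-16T08:30:42 alice WS-ALICE MAIL-01 network
2015-02-16T09:00:02 bob WS-BOB FS-01 network
2015-02-16T09:04:31 bob WS-BOB FS-02 network
2015-02-16T09:07:55 bob WS-BOB SQL-01 network
2015-02-16T09:11:08 bob WS-BOB DC-01 network
2015-02-16T09:15:40 bob WS-BOB PAY-APP-01 network
2015-02-16T14:20:00 bob WS-BOB FS-01 network
"""

# Assumed per-account baseline: the number of distinct hosts an account is
# expected to reach inside one window. Service accounts touch many hosts by
# design; an ordinary user account should not.
DEFAULT_MAX_HOSTS = 3
BASELINE_MAX_HOSTS = {"svc_backup": 20}


def parse_events(text):
    """Parse the whitespace-separated event lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst, logon_type = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "type": logon_type,
        })
    return sorted(events, key=lambda e: e["time"])


def lateral_movement_candidates(events, window=timedelta(minutes=30)):
    """Return {account: sorted list of destination hosts} for every account
    that reached more distinct hosts within `window` than its baseline allows.

    A sliding window is kept per account so a slow, spread-out scan stays
    below the threshold while a burst of hops across servers is flagged."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    findings = defaultdict(set)
    for account, evs in by_account.items():
        limit = BASELINE_MAX_HOSTS.get(account, DEFAULT_MAX_HOSTS)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > limit:
                findings[account].update(hosts)

    return {account: sorted(hosts) for account, hosts in findings.items()}


if __name__ == "__main__":
    for account, hosts in lateral_movement_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: reached {len(hosts)} hosts in one window: {', '.join(hosts)}")
```

In the constructed data, `bob` hops from a workstation to five different servers in fifteen minutes and is flagged, while `svc_backup` touches the same servers every night within its agreed baseline and `alice` stays well under the default. In a real deployment the baseline would be derived from the institution's own history rather than hard-coded, and the logon type and source host would feed further rules (for example, interactive logons to a domain controller originating from a user workstation).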