CyberWire Daily - Cyber bank heists. [Research Saturday]

Episode Date: June 16, 2018

Carbon Black's Chief Cybersecurity Officer Tom Kellerman shares the results of their recent report, Modern Bank Heists: Cyberattacks & Lateral Movement in the Financial Sector. For the report, they interviewed CISOs at 40 major financial institutions, revealing attack and mitigation trends.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs
Starting point is 00:02:20 that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:03:04 Learn more at zscaler.com slash security. Well, my passion has always been a greater understanding of the financial sector due to the nature in which they are targeted by the most elite hacker crews in the world and the fact that I used to work at the World Bank Treasury Security Team. That's Tom Kellerman. He's Chief Cybersecurity Officer at Carbon Black. The research we're discussing today is titled Modern Bank Heists, Cyberattacks and Lateral Movement in the Financial Sector. Given the recent geopolitical tensions of late, you see an escalation in cyberspace,
Starting point is 00:03:45 and you also see that some of the greatest hackers in the world are becoming more punitive with their actions. So we decided to reach out to a number of financial institutions, over 40 financial institutions that were customers of Carbon Blacks, to ask them some very tough questions, questions not specific to the vector that was employed to attack them, Questions not specific to the vector that was employed to attack them, but more about the experience they had thereafter for the various stages of the kill chain or the MITRE attack methodology. So why don't we just start off and set the table for us. What are the most popular methods that they're using to get into these systems? So to get into these systems, you know, you're still seeing a tremendous amount of spear phishing, but you're also seeing watering hole attacks where good websites are leveraging fileless malware against people who visit specific pages. You're seeing also quite a bit of island hopping through technical service providers where they're using a compromised network of a technical service provider to target the infrastructure of a financial institution as well. But once they get in, it's really a question of what they're doing
Starting point is 00:04:49 beyond stealing money or manifesting front-running or different types of financial fraud schemes. So take us through what were some of the key findings here. What was reported back to you all? They were very much experiencing a spike in fileless malware, memory resident malware, malware where they're using good tools against the infrastructure, whether it was PowerShell or WMI or.NET or even SSH for that matter. 44% of the respondents had serious concerns about the security posture of the technology service providers, the TSPs, as known in the sector. 23% also experienced counter-incident response this year. And the adversary is literally reacting to them.
Starting point is 00:05:35 And that really highlights the escalation in the environment of hackers becoming more punitive. I mean, essentially, we've moved from the original attacks against the financial sector in 1995 to present day, from burglary to essentially home invasion. And of those, close to 9% were suffering from destructive attacks that were not ransomware, where the adversary is actually destroying the integrity of systems, databases, manipulating time, et cetera, et cetera. Now, what's the rationale behind that? Is it being used as misdirection or why destroy things if what you're after is money?
Starting point is 00:06:10 Well, there's two, there's probably three rationales behind that, I would say, but two specifically that we should highlight. One is the nature in which they understand that you called law enforcement or that you're becoming, you're very effective in conducting incident response. So as they see you attempting to terminate their command and controls, as they see you tendering back and forensically trying to pinpoint their location and their infrastructure, they may choose to destroy the evidence. Sometimes, though, they react viscerally knowing they lie in a country that doesn't have an
Starting point is 00:06:41 extradition treaty with the U.S. And they react viscerally because they got what they came for, which was to steal money or steal identities or to take a position on a portfolio manager's desktop. But after which, you've seen some of the very best hackers in the world who were Russian-speaking, who were targeting financial institutions over time, act as cyber militia members for Russia, and do very nefarious things part-time to show homage to the regime. And that was mainly done to retain their untouchable status, their unimpeachability from law enforcement agencies around the world. Now, another trend that you noted in the research was the prevalence of
Starting point is 00:07:31 ransomware. Yeah, 90% of them were dealing with ransomware attacks, but that wasn't really what was most concerning for them. Again, what was most concerning for them was the fact that they were dealing with counter-incident response, that they felt that their technical service providers were inadequately secured and protected, and that they were seeing more destructive attacks being leveraged that weren't ransomware, where actually, you know, they were never being even asked for ransom for that matter. Things like Mount Petya-style attacks. Also, what I found interesting was, obviously, Russia led the list of most concerning threat actor groups for these folks. But North Korea had really risen in terms of the imports that they were paying attention to them. campaigns of attack by Hidden Cobra, which are two known actor groups in North Korea.
Starting point is 00:08:30 But it's the fact that the North Koreans and Iranians were beginning to utilize the kill chain that was customized and operationalized by the Russians of late. You were seeing such high levels of sophistication from these two typically non-sophisticated threat actor groups that the financial institutions were taking note. And what I found interesting through previous conversations and then post-conversations that I had at the FSISAC, the big financial sector security summit that just took place this week, is they saw noticeably that these countries were using hackers as national assets, but more importantly, they were doing the hacking purposely to offset economic sanctions. I suppose we hear regularly in the news that that's a common tactic of North Korea
Starting point is 00:09:11 in particular. They have a limited ability to bring in funds in other ways, but hacking is still available to them. Correct. And the hackers, the North Korean hacker community has become much more sophisticated. And since they are literally using the very best playbook in the world, which is the Russian dark web kill chain playbook, and since they have access to not only zero-day exploits, but more importantly, they see the utility in using memory resident malware within good use tools like WMI, PowerShell, like SSH, they understand the weaknesses in the architectures. And frankly, the weaknesses in the architectures are simply put that the architectures are outward facing.
Starting point is 00:09:52 They've limited visibility in the lateral movement. There's implicit trust placed on certain protocols, user groups, and subnets. And that's to a folly. And so now I think there needs to be a shift, architectural shift within the sector as a whole. The current security standards in the financial sector are not effective against this escalation of threat. And so what do you think that shift needs to look like? Well, I think recommendations I would make were number one is they need to employ more ironboxing. Ironboxing being a term related to modern whitelisting, which goes beyond
Starting point is 00:10:26 traditional whitelisting. They need to do much more micro-segmentation. They need to deploy adaptive authentication that's based on risk. Can you dynamically know your customer and or user in real time by challenging them to use new forms of authentication and biometrics specific to their entity themselves? Are you using next-gen endpoint protection? Have you stood up a hunt team? And is that hunt team equipped with things like EDR? You know, I found it shocking that 63% of respondents in the financial sector had yet to stand up a hunt team. I mean, if they could just do one thing just to start, they should stand up a hunt team. That'll give them zero false positives that they already have compromises through their
Starting point is 00:11:08 infrastructure. A hunt team is not an incident response team. It's not reacting to telemetry or a warning from law enforcement suggesting that something's already been compromised. You're literally looking for a compromised system in real time from inside out without warning, and you're doing it regularly. Now, looking at the range of the bad guys that are out there, one of the things that the report indicates is which nations these CISOs are most concerned about. Can you give us a rundown on that? Yeah, the majority of them are most concerned with Russian-Russian activity, whether it's state-sponsored Russian activity or the major criminal syndicates of the Russian dark web who are targeting the financial sector as a whole. Followed by the Chinese, who have become much more active due to the tensions in the South China Sea,
Starting point is 00:11:54 and also due to the reality that the Chinese have learned well that in the past they were too loud with their activities, and they need to become much more clandestine and targeted. But the Chinese are a different type of attacker attack or threat vector to these financial institutions. The Chinese don't want to steal money from the financial institutions. The Chinese do want to know what positions these financial institutions are going to be taking vis-a-vis their investment strategies and or merger and acquisition strategies. And then they're very, very concerned about the North Koreans. And then some of them are becoming more concerned about the Iranians because of the manifestation of geopolitical tension that is a direct result of us walking away from the nuclear treaty. Now, is your sense that these CISOs feel as though the problem is getting away from them? Do you feel like they feel like they have sufficient tools?
Starting point is 00:12:43 Are they gaining or are they losing ground? You know, the one positive element of the responses that I've heard both in person at the FSI SEC and through the survey is they have sufficient resources, financial resources. They're suffering from a massive human capital shortage, number one. And number two is they're trying to consolidate tools. They have too many tools right now. They need tools that are fully integrated now, that are more proactive, tools that are focusing on anomalous behavior versus signature or versus perimeter. They need nuanced tools, but the most important aspect in their shift now has been to really get down from the 12 to 15 tools that they're using now to about three to five, and then focus their human resources on those three to five tools to secure their environment. The second priority is really how can they secure their information supply
Starting point is 00:13:39 chain? They are fully aware that they have externalities and systemic weaknesses within the outside general councils that service them and marketing firms. Certainly within the financial world, there's been a lot of consolidation. I'm thinking of, you know, the large banks have bought up a lot of those smaller neighborhood banks. Is that a concern for these folks? Is there, for lack of a better term, you know, genetic diversity? Have they put many of their eggs in one basket, if you will? So the number one concern is when they acquire these smaller institutions is whether or not these smaller institutions still have backdoors, Trojan horses, root kits installed in these systems, which is why establishing a hunt team is so fundamental
Starting point is 00:14:20 in today's world. They need a specific team that's multidisciplinary, that has incident responders, pen testers, and cyber intelligence professionals using EDR tools to go into these environments and ascertain whether or not there's already weaknesses and or footprints of an adversary that's lying in wait. How much of what's driving their activities is driven by policy? Having to meet regulations versus the policy lagging behind their practical needs day to day to protect their systems. The smaller institutions, not all, but most, are very compliance focused for obvious reasons. The larger institutions are compliance oriented, but they are much more strategic because of the nature that they are larger targets and they're being targeted more often. And they've dealt with some very elegant kill chains and lateral movement techniques. Again, the financial sector is the most secure
Starting point is 00:15:16 sector in America and globally for that matter against cyber attacks. But they're also playing against the best hackers in the world. They're fighting against nation states as well. And so regardless of the resources they have at their disposal and the advanced nature of their security posture, that is balanced out and marginalized by the advanced nature of the adversary. The goal now for most systems in the financial sector is to decrease dwell time. Their return on investment on their cybersecurity controls and personnel and those correspondent budgets is truly specific to have they decreased the amount of time that it took them to become situationally aware
Starting point is 00:15:59 of an adversary within their infrastructure information supply chain from this year to last. And as much as that sounds like them giving in, it's not. You know, frankly, the name of the game now has to be intrusion suppression. The adversary is in your environment. How do you suppress that adversary? How do you detect, divert, deceive, contain, and then hunt an adversary unbeknownst to an adversary until law enforcement or your outside general counsel are ready to make a move. Our thanks to Tom Kellerman from Carbon Black for joining us.
Starting point is 00:16:33 The report is titled Modern Bank Heists, Cyberattacks and Lateral Movement in the Financial Sector. You can find it on the Carbon Black website. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:17:21 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson,
Starting point is 00:17:53 Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. Thank you.