Why Continuous Endpoint Monitoring Is Preferred The Carbanak Case Study Part One – Charles Leaver

March 5, 2015

Presented By Charles Leaver And Written By Dr Al Hartmann


Part 1 in a 3 part series


Carbanak APT Background Details

A billion-dollar bank raid targeting more than a hundred banks around the world, carried out by an unidentified group of cyber criminals, has remained in the news. The attacks on the banks began in early 2014 and have been spreading across the globe. Most of the victims suffered deep intrusions lasting several months across multiple endpoints before any financial loss occurred. Most of them had deployed security measures, including network and endpoint security systems, but these provided little warning of or defense against the attacks.

Several security companies have published technical reports on the incidents, codenamed either Carbanak or Anunak, listing the indicators of compromise they observed. These companies include:

Fox-IT from Holland
Group-IB from Russia
Kaspersky Lab from Russia

This post serves as a case study of the attacks and addresses two questions:

1. Why was standard endpoint security and network security unable to detect and defend against the attacks?
2. Why would continuous endpoint monitoring (as provided by the Ziften solution) have given early warning of the endpoint attacks and triggered a response to prevent data loss?

Standard Endpoint Security And Network Security Is Inadequate

Built on a legacy security model that leans too heavily on blocking and prevention, standard endpoint and network security does not provide a balanced strategy of blocking, prevention, detection and response. It is not hard for a cyber criminal to pre-test an attack against a small number of conventional endpoint and network security products to make sure it will go undetected. Several of the attackers researched the security products in place at the victim organizations and learned how to get past them unnoticed. They understood that most of these products react only after an event and otherwise do nothing. As a result, normal endpoint operation remains largely opaque to IT security staff, so malicious activity stays masked (the attackers had already checked that it would evade detection). Once an initial breach has occurred, the malicious software can spread to reach users with higher privileges and the more sensitive endpoints. This is easily achieved through credential theft, where no malware is needed: conventional IT tools (already whitelisted by the victim organization) are driven by scripts the attackers wrote. No detectable malware is present on the endpoints, so no red flags are raised. Traditional endpoint security software relies far too heavily on looking for malware.

Standard network security can be evaded in a similar way. Attackers test their network activity in advance to avoid triggering widely distributed IDS/IPS rules, and they carefully observe normal endpoint operation (on endpoints that have already been compromised) so they can hide their network activity within normal transaction windows and normal traffic patterns. A fresh command and control infrastructure is built that does not yet appear on network address blacklists, at either the IP or domain level. There is little here to give the attackers away. However, more sophisticated network behavioral analysis, particularly when correlated with endpoint context, which will be discussed later in this series, can be far more effective.
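The two paragraphs above make one argument: when attackers reuse whitelisted admin tools with stolen credentials and hide traffic inside normal patterns, a malware signature never fires, but continuously recorded endpoint behaviour (which user runs which tool, at what hour, and what the host connects to) still deviates from its own baseline. The following added example, not Ziften's product or code from any of the vendor reports, builds such a baseline from constructed sample telemetry and flags the deviations; the hostnames, users, tool list and business-hours window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, host, user, process, remote host or None).
# psexec/powershell are legitimate, whitelisted tools, so a malware scanner stays
# silent; only their *context* (who, when, where to) differs between the windows.
BASELINE = [  # learning window of normal activity
    ("2014-03-03 09:12", "ws-ops1", "opsadmin", "psexec.exe", "srv-db1"),
    ("2014-03-04 10:40", "ws-ops1", "opsadmin", "powershell.exe", None),
    ("2014-03-05 14:05", "ws-acct2", "jsmith", "excel.exe", None),
    ("2014-03-06 11:30", "ws-acct2", "jsmith", "outlook.exe", "mail-int"),
]
LIVE = [  # later window containing credential-driven lateral movement
    ("2014-05-12 13:00", "ws-acct2", "jsmith", "excel.exe", None),
    ("2014-05-12 23:47", "ws-acct2", "jsmith", "psexec.exe", "srv-db1"),
    ("2014-05-13 02:10", "ws-ops1", "opsadmin", "powershell.exe", "198.51.100.7"),
]
# Hypothetical whitelist of admin tools that can be misused without any malware.
ADMIN_TOOLS = {"psexec.exe", "powershell.exe", "net.exe", "wmic.exe"}


def build_baseline(events):
    """Learn which processes each user normally runs and where each host connects."""
    user_procs, host_remotes = defaultdict(set), defaultdict(set)
    for _ts, host, user, proc, remote in events:
        user_procs[user].add(proc)
        if remote:
            host_remotes[host].add(remote)
    return user_procs, host_remotes


def flag_anomalies(baseline, events, business_hours=(8, 18)):
    """Return (reason, event) pairs for behaviour that deviates from the baseline."""
    user_procs, host_remotes = baseline
    findings = []
    for ev in events:
        ts, host, user, proc, remote = ev
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
        if proc in ADMIN_TOOLS and proc not in user_procs[user]:
            findings.append(("admin tool never run by this user", ev))
        if proc in ADMIN_TOOLS and not business_hours[0] <= hour < business_hours[1]:
            findings.append(("admin tool run outside business hours", ev))
        if remote and remote not in host_remotes[host]:
            findings.append(("new remote destination for this host", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in flag_anomalies(build_baseline(BASELINE), LIVE):
        print(f"{reason}: {ev}")
```

The routine spreadsheet launch produces nothing, while the off-hours psexec session by an accounting user and the new external destination from the ops workstation each raise findings without any file ever being classified as malware.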

This is no reason to abandon hope. Would continuous endpoint monitoring (as offered by Ziften) have given early warning of the endpoint compromise, starting the process of stopping the attacks and preventing data loss? Find out in part two.


