A Recipe for Disaster: Why Attackers Can Get Away With Using a "Minimal Effort Approach"
Originally Posted February 17, 2015
Interesting choice of words from two incident reports in the last three days: “Attackers always use this minimal effort approach in order to bypass a victim’s defenses.” This statement seems to appear time and again in reports issued by security firms examining larger security breaches.
Why would anyone expend more than minimal effort? There are too many financial institutions, in the United States alone, that run on unpatched software. It’s a fair bet that on any given day, a decent number of the financial institutions in the United States are months behind on installing security updates. These same institutions are running an IT infrastructure almost entirely based on Microsoft Windows. These financial institutions are also letting their employees receive emails and browse approved web sites, with older versions of Internet Explorer, using the same computers utilized to initiate wire transfers (I've witnessed this move firsthand).
Recently we had the opportunity to watch a network security consulting firm, which advertises how they help maintain the security of popular regional Credit Unions and businesses, let overconfidence in their abilities cause multiple problems for one customer. The security consulting firm completely missed adding their management software to multiple computers. This was a small business of five employees that deals with the account numbers and business financials of many businesses. The consulting organization had such faith in the software that they never physically checked their customer’s site to verify the software was working correctly.
After watching the consulting firm’s actions for eighty days we witnessed a number of security holes that were created. The consulting firm only installed Critical Microsoft security patches when they installed patches, and then on only four of the firm’s seven machines. The server the consulting firm used to access the network, the same machine used by employees for file shares and drive backups was only updated after the customer complained each month. The consulting firm never contacted the business about firmware updates required to close holes patched by hardware manufactures after the Heartbleed security bug was announced. We also witnessed the management software, installed by the consulting firm, actively blocking the business’s virus software from receiving updates. The lack of knowledge and overconfidence of the computer consulting firm was a recipe for disaster.
This isn’t intended as a dig at any company. It’s meant to illustrate a problem: Many, if not most, organizations, even financial organizations that we trust with our money, are not setup to defeat skilled attackers. They may believe they are but their network security is built around ease-of-use, compliance, and/or appeasing auditors and regulators. According to the Fox-IT/Group-IB report, the average time from the moment a group breaks into a banks internal networks and the successful theft of cash occurs is a gaping 42 days. The attacks from the Anunak/Carbanak gang showcase once again how important it is for organizations to refocus more of their resources from preventing intrusions toward detecting intrusions as quickly as possible in an effort to stop the bleeding.
This should serve as a wake-up call for small to mid-sized businesses based in the U.S. and banking online. While consumers in the United States are shielded by law against unauthorized online banking transactions, businesses have no such protection.
Russian hacking gangs like this have stolen hundreds of millions of dollars from small- to mid-sized businesses in the U.S. and Europe over the past few years. In most of those cyber-heists, the malware that thieves used to empty business accounts was on the victim organization’s computers — not the bank’s. Now, add to that risk the threat of the business’s bank getting compromised from within and the inability of the institution to detect the breach for months on end and you have a recipe for disaster.
- The Fox-IT/Group-IB report
- Kaspersky report on the Carbanak Gang
- The Great Bank Robbery: the Carbanak APT
- Carbanak APT Full Report in PDF Format
GPL Integrated IT, LLC
172 Carpenter Road
Elmira, NY 14903