Top Threat to Financial Institutions: Advanced Malware
Insights, Strategies from Solutionary's Jeremy Nichols Information Security Media Group • October 7, 2014 15 MinutesHeartbleed, Shellshock, targeted attacks - the security threats to banking institutions are legion. And there are new ways banks can get better at detecting these evolving threats, says Solutionary's Jeremy Nichols.
The first step toward improvement is to acknowledge the current threat detection gaps, Nichols says. Network visibility is one concern. But it's not merely a matter of monitoring for anomalous behavior by external sources.
"It's important to not just rule out internal activity on the network," Nichols says. "Once an attacker gets into the network, they're able to move laterally within. If you disregard that activity as authorized, it's easy for an attacker ... to go completely undetected."
In an interview about how to improve threat detection, Nichols discusses:
- Today's top threats to banking institutions;
- The different levels of threat detection to improve;
- How Solutionary's customers are ramping up detection capabilities.
As an information security analyst turned senior security engineer, Jeremy Nichols continues to focus his career at Solutionary around supporting the operations teams, specifically information security engineers, information security technicians and data research analysts. His nine years of security expertise and specialties include: Incident analysis and threat correlation, IDS/IPS management, incident response and detection techniques.
Top Cyber Threats
TOM FIELD: From Solutionary's latest research, what are today's top cyber threats, especially to banking institutions?
JEREMY NICHOLS: A lot of the threats for different institutions depend on the motivation of the attackers. So for banking institutions or financial organizations, the main motivation for attackers is typically going to be financial gain. A lot of the top threats we see against banking institutions are going to be things that are really hot in the media. Earlier this year we had Heartbleed. Over the past couple of weeks we've had Shellshock. Not necessarily that they are more targeted at banking institutions, but the exploit code typically goes out a lot faster. You see people start to pick up on that, to scan and try to exploit those very quickly. It's important for those banking institutions to stay in front of that.
Another big one is just more advanced, or targeted, malware. If you have the opportunity to make great financial gain by creating a piece of malware targeted at a specific organization -- a bank or credit union -- it's very easy for an attacker to do that and use [it] as a launch point for either further attacks or lateral movement within the client network. In addition to the financial loss as a result of some of those fraud transactions, [there could] also be exfiltration of data, especially for smaller banks or credit unions that could lead to great reputational damage, which is important.
To give you an example, what we've seen in the case of targeted malware is attackers go after the end-user of the bank. They are able to drop that malware on that customer's computer, and then when they login to the banking site, their credentials are stolen. Then the attacker uses that for a fraud transaction. While they're doing that, they'll actually launch a distributed denial-of-service attack. So while the security staff for the bank is working on preventing or mitigating that DDoS attack, there's a fraud transaction going on behind-the-scenes. It's easy for them to miss that because there's the shiny object of the DDoS attack happening.
Threat Detection
FIELD: In response to advanced threats, where can banks most improve their threat detection?
NICHOLS: The biggest step is visibility, whether it's with an in-house product or a managed security service provider. Having insight to some of the trends and risks that are happening are a critical piece. It's also important to overlap different monitoring for additional context, the ability to correlate or just more advanced detection with that.
It's also important not to rule out internal activity happening on the network. Once an attacker gets into the network, they are able to move laterally within. If you disregard that internal activity as authorized, it's easy for an attacker, if they are able to get in, to go completely undetected. It's also important to move toward more purpose-built devices. Don't use a firewall to act as a threat detection technique or intrusion prevention system. Those are critical pieces to the security foundation, but if your main concern is something like malware, then get a device that's purpose-built to detect malware or anomalous behavior.
Also, you can never have too much information. There are IP reputation feeds, different threat intelligence feeds, whether those are just based on activity being observed in the wild or if they are actually validated by a researcher through a forensics engagement or reverse engineering engagement. It's important to have all of those different pieces of information, so that when you take action, you can quickly rule out the false positives or the things that are less concerning and focus on the items that are true threats or higher risk.
Levels of Detection
FIELD: If you were to look at different levels in which detection can be improved in organizations, which levels would you focus on?
NICHOLS: A big piece is moving on with additional supplemental monitoring. So a lot of devices, especially as we get into the next-generation devices, they have add-on features that give a much more robust feature set then just relying on the traditional policy-based or signature-based detection. Those devices have a virtualized environment running within them that can look at executables as they pass on the wire. Some of them can pull in third-party threat sources or have layered detection where you can look at the lifecycle of traffic or the lifecycle of an exploit, rather than just looking at them packet by packet and session by session. It's important to work toward having that more complete picture, because a lot of these threats and attacks that are happening are very advanced. Some organizations may not have the knowledge or the staff locally that can take care of them. So it's important to supplement that by having greater visibility and devices that can assist them, rather than relying on the staff to do all that work themselves.
Specific Solutions
FIELD: What are some of the specific solutions that Solutionary has that will help organizations improve threat detection?
NICHOLS: We have quite a few different service offerings. A big one is our Active Guard Log Monitoring service. Taking feeds from various devices -- whether that's the network devices, the endpoint, all the way down to applications -- we will monitor those for any security incidents [and] tie that information together. We support well over 100 different types of devices, so we can get that whole picture of what's happening and tie that together within that Active Guard platform.
We also have device management. So if you want to offload some of the burden of taking care of device management or needing recommendations on security policies or firewall rules, Solutionary does have a managed device team that could take that on. We also have our security consultant team. We have qualified groups in all the major security, compliance and audit initiatives that can help with penetration testing, web application assessments, and all of your different consulting needs.
We have vulnerability lifecycle management as well, getting that picture of what risk you have on the network, whether that's an internal visibility perspective or an external scan. We do offer that as self-service as well, so clients can run those as frequently as possible so that they have a view into what's happening, or what exposure they have, on the network. Then we also have a critical incident response service offering. If an incident does happen, it's very important to be prepared to handle that. Our security engineering and research team, or CERT group, work with clients to establish a critical incidence response plan and test to make sure that if something does happen, the client is prepared to take that on. They have the response plan in place, the security policy in place and the appropriate resources and staff dedicated to deal with those incidents no matter what it is.
Improving Threat Detection
FIELD: How are Solutionary's customers actually improving threat detection?
NICHOLS: Number one is just with the technology. We're seeing a lot of next-generation devices being added on, especially with those additional features. Looking outside of traditional signature-based detection and looking for behavioral activity. "Is this user authorized to do this all throughout the day or is this anomalous for them to be conducting an activity on a weekend?" If clients have a risk of malware or they're worried about it, we're starting to see a lot more focus around that. All of our clients have the traditional endpoint security in place on their desktops or servers, but we've seen that's only about 50 percent effective, both from our CERT research as well as what some vendors are saying. We're starting to see clients add on to that with things like file integrity monitoring. So rather than focusing on what we know is malware, looking for things outside of the ordinary, [such as] a new application adding itself to the registry to launch when that PC starts up. Looking at more behavioral detection with users, with systems...is what they're conducting or they're doing outside of the ordinary? That's the technology side.
We're also seeing our clients take more of a hands-on approach, becoming more involved in the normalization. It's important to rule out false positives so you can catch that needle in the haystack rather than digging through so much hay. Realigning priorities... if something is classified by a vendor as a high, we may want to drop that to a medium or low depending on their specific environment. There's not that cookie-cutter solution. It's also important to have a feedback loop; clients letting us know when we catch something or if we have a false positive prone signature that we need to tune or adjust. Over the past few years we've even seen teams start to split more and focus on security. Rather than having it at network or server administrator, wearing those multiple hats and being responsible for security as well, we're seeing security teams get built up. We actually have clients that have a dedicated security team, so we're working with them directly and taking action on that together.
As far as Solutionary, we're still evolving our threat detection all the time based on what we're seeing with our clients, some of our research and engagements [and] in the wild through the research that our CERT team is doing. It's important to always stay on top of that because it is ever-evolving. Nothing stays the same in this industry.
Lessons Learned
FIELD: What would you say are some of the top lessons learned from your customers from their experiences during this evolution?
NICHOLS: Number one, it's important to acknowledge that 100 percent security isn't practical. Breaches and infections happen, so organizations need to be prepared. That's not to say everybody is going to have a massive breach, but it's easy for a user to get redirected, click on a phishing email and get redirected to a malicious site. It's important to be prepared and take care of those, and acknowledge that there's no silver bullet. There's not one technology, one product that you're going to be able to implement that's going to protect you from every threat.
It's important to have context when you do get a notification or an alert. Just knowing what IT conducted activity is helpful, but if you actually know what user or machine that is, or when that user logs in, that's incredibly valuable to chasing that down, especially in clients that have very dynamic environments. It's also important to remember that this isn't easy. It's something that needs a lot of attention, and you don't want to skip out on a specific piece just due to cost, resources or knowledge. I know that's easy to say from my perspective, but doing so just results in a security gap that can leave you weak in one area or another. It's important to minimize the impact of those items just by being prepared.
Best Place to Begin
FIELD: Where is the best place for organizations to begin this journey of improving threat detection while they're in the middle of the threats?
NICHOLS: You are spot on; they're not going to stop. They're very advanced. But the nice thing is, if you have that foundational piece, that's really the best place to begin. There are very simple things, like patch management, which can help with moving forward your security policy. If you have a very good patch management program in place, then that can greatly reduce your exposure. It's also very important to make sure you have a user education program. Users like to go with what is easiest for them. Even myself as a person in the security field, I don't want to have to deal with a lot of the security restrictions, but it's important for users to understand why that's in place. There is a lot of targeted phishing that takes place, especially with higher-level executives to get them to click a link. Or there are legitimate websites that a user may visit that redirects them to a malicious website. So it's important for users to understand why that's in place, or why those types of things exist, so that they can be cognizant of that while they're working through the day-to-day job.
Once you've got some of that foundational piece, the planning and fundamentals are really important; making sure you have good asset discovery in place, know what's on the network or what exists within your environment, make sure to have an incident response plan. It sounds like a fairly foundational piece, but if you don't test that then you're not 100 percent confident that it works. Or, you don't know how it responds to all of those different situations. It's important to make sure that an organization has very clear goals of what they're trying to accomplish. Once they have their security policy in place it's important to do a gap analysis. If you are focused on malware, but your security policy is focused on web application security, then you've got a gap that you need to focus on and address. It's very important to stay on top of that and conduct those routinely so that as threats evolve, as the organization evolves, you're constantly in front of that rather than reacting to the situation. You're prepared for it before it happens.