The front-page New York Times story about an organized gang of cyber criminals pulling off “one of the largest bank heists ever" brings us to some important realizations:
1. Hackers always find a way in
Often we find that the attack starts by compromising user credentials. In this case, a spear phishing mail was used to gain access to the internal network. As a defense mechanism, companies have the tendency to increase guidelines, policies and even adopt technologies like multi-factor Authentication in order to prevent a breach. Although these are important practices, one must understand that no matter how well the company's users are trained or how strong the prevention mechanisms are, an organization is never safe and users are always prone to being compromised. Whether penetration happens by mistake, because of insider malicious activity, deception or social engineering, hackers will find a way to break in.
2. Securing servers and databases is not enough!
Because servers and databases are generally seen as being the most valuable to hackers, security teams invest heavily to protect them and oftentimes neglect endpoint security (a supposedly less attractive target). However, the recent bank hack proves that endpoints ARE equally valuable.
In most of the attacks we've seen in the past, endpoints commonly serve as a vehicle to gain access to the network because they are known to be less protected. However, in this case, there was large amount of direct value found on the endpoints themselves: for example, source code copies, customer data dumps or cold hard cash in the case of ATM endpoints. Moreover, hackers were able to deploy a malware across the organization's endpoints in order to record the end-user's every move, giving the hackers a great understanding of the bank's everyday routine and insight as to what their next move should be.
3. Endpoints enable hackers to land AND expand
Because software is never fully patched, it is likely that vulnerabilities will enable attackers to use endpoints not only as a penetration point, but also to expand their footprint once they are in. Once hackers gain control over one endpoint, they can effectively use privilege escalation and laterally move around the organization compromising more and more information. There is good news, however: as hackers work on the endpoints, deploying tools and techniques, they will always leave traces. Although these traces may be very subtle changes in end user behavior, such as a user adopting a server-like role that was previously non-existent, can be detected by continuously monitoring end-user behavior and machine learning capabilities.
The Great Bank Hack came within weeks of the Anthem breach, which came within weeks of Sony, and so on and so on. It’s clear that any organization – no matter how much they spend of security – is likely to be breached (if they haven’t been already); it’s time we changed our methods.
Enough breaches have occurred for us to have an understanding of reoccurring attack methods. In light of this, organizations must start improving their defense, and one way to do this is to start paying closer attention to end user machines. Better visibility to endpoints and continuous monitoring can enable organizations to detect even the slightest variation from normal user activity. This capability is one of the best ways to defend against this type of advanced persistent threat, and stop hackers in their tracks before the damage is done.
