First off, I feel I need to apologize to my friends at Liquid Matrix. I hate using the buzzwords, too, guys…but they’re buzzwords for a reason. They get the attention of those whose attention needs getting.
In my last post, I ended with the question of what else may be going on during a DDoS attack. When an organization like the one supposedly sponsored by Iran is taking US banks offline…what else may they be up to while the banks’ security guys are preoccupied with getting the business functional again? When a so-called “hacktivist” group is taking a financial organization offline, under the guise of social dissent, what else may they be doing?
This morning came the story of a Christmas DDoS attack against San Francisco-based Bank of the West that was the cover for the theft of nearly a million dollars from one of their customers.
Do yourself a favor and read Brian Krebs’ detailed post-mortem. It describes a very sophisticated approach, the tools/methods leveraged to avoid detection, the successful transfer of funds, and the aftermath.
There are many lessons to take away. For one, they compromised the trust model. Compromising a customer's credentials, especially in a username-and-password world, is simple. The toolkits available to the adversary make this so easy anyone can do it. Secondly, they played the process to avoid setting off the alarms. This is the phase of the attack that required the most coordination. Everything from orchestrating money mules, to intelligent use of ACH transfers of safe amounts, to collecting the assets required pinpoint accuracy to avoid detection. Finally, they created a diversion. Taking down the banking website solved two key problems. One, it diverted resources away from monitoring other systems that may have identified the account-level activity; and two, it blocked the customer from identifying the fraudulent transfers.
Risk managers need to look at this as the new model for crime. This attack pattern cannot be blocked by a single solution. Investing security budgets in complicated behavioral monitoring in the transaction platform only solves part of the problem. In this case that was just one aspect of the overall exploit. Adversaries leverage multiple attack vectors, so security practitioners should consider the same when implementing protection. We can't just try to bottleneck the problem in one system; we need to analyze it from any input. As cliché as it may be, we need to cast a wider gaze, looking at the big picture.
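As an added illustration of the "analyze it from any input" point (example code written for this post, not from the original article, from Krebs, or from the bank), here is a simple correlation check that joins two signals normally watched by separate teams: the availability incident window and account-level ACH activity. The outage window, account names, beneficiaries and amounts are all constructed sample data, and the thresholds are assumptions.

```python
"""Correlate a DDoS outage window with ACH activity to surface the pattern
described above: several sub-threshold transfers to never-before-seen
beneficiaries while the banking site is down. All data is constructed."""
from datetime import datetime

# Constructed availability incident: (start, end) of degraded web banking.
DDOS_WINDOWS = [
    (datetime(2020, 12, 24, 9, 0), datetime(2020, 12, 24, 15, 30)),
]

# Constructed ACH transfer log: (account, ISO timestamp, beneficiary, amount).
ACH_LOG = [
    ("acct-1001", "2020-12-24T09:15:00", "ben-aaa", 9800.00),
    ("acct-1001", "2020-12-24T10:40:00", "ben-bbb", 9700.00),
    ("acct-1001", "2020-12-24T12:05:00", "ben-ccc", 9500.00),
    ("acct-1001", "2020-12-24T13:30:00", "ben-ddd", 9900.00),
    ("acct-2002", "2020-12-24T11:00:00", "ben-eee", 1200.00),   # known payee
    ("acct-3003", "2020-12-23T11:00:00", "ben-fff", 9900.00),   # outside outage
]

# Constructed history of beneficiaries each account has paid before.
KNOWN_BENEFICIARIES = {"acct-1001": {"ben-payroll"}, "acct-2002": {"ben-eee"}}


def in_ddos_window(ts, windows=DDOS_WINDOWS):
    """True when the timestamp falls inside any recorded outage window."""
    return any(start <= ts <= end for start, end in windows)


def flag_diversion_fraud(ach_log, known, windows=DDOS_WINDOWS,
                         min_transfers=3, review_threshold=10000.0):
    """Return {account: [(when, beneficiary, amount), ...]} for accounts that
    made at least min_transfers transfers during an outage, each below the
    (assumed) manual-review threshold, to beneficiaries never paid before."""
    per_account = {}
    for acct, ts, beneficiary, amount in ach_log:
        when = datetime.fromisoformat(ts)
        if not in_ddos_window(when, windows):
            continue                      # normal hours: other controls apply
        if beneficiary in known.get(acct, set()):
            continue                      # established payee, not the pattern
        if amount >= review_threshold:
            continue                      # large transfers already get eyes
        per_account.setdefault(acct, []).append((when, beneficiary, amount))
    return {acct: xfers for acct, xfers in per_account.items()
            if len(xfers) >= min_transfers}
```

Run against the constructed log, only acct-1001 is flagged: four transfers just under the threshold, to four new payees, all during the outage, while the known-payee and outside-the-window transfers are ignored.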
Attacks, however technically simple they may or may not be, are becoming more and more complex in their layered approach. While standing at the three-card monte table, not only are you being distracted from where the queen is, but while you're trying to follow her, the dealer's partner is lifting your wallet out of your back pocket.
It turns out, DDA’s COO, Chris Ensey, was writing a post on this topic at the same time I was. This is the resulting collaboration.