Research Saturday 6.16.18
Ep 40 | 6.16.18

Cyber bank heists.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Tom Kellermann: [00:01:42] My passion has always been a greater understanding of the financial sector, due to the nature in which they are targeted by the most elite hackers in the world, and the fact that I used to work at the World Bank Treasury's security team.

Dave Bittner: [00:01:54] That's Tom Kellermann. He's Chief Cybersecurity Officer at Carbon Black. The research we're discussing today is titled "Modern Bank Heists: Cyberattacks & Lateral Movement in the Financial Sector."

Tom Kellermann: [00:02:06] Given the recent geopolitical tensions of late, you see an escalation in cyberspace, and you also see that some of the greatest hackers in the world are becoming more punitive with their actions, so we decided to reach out to a number of financial institutions, over forty financial institutions, that were customers of Carbon Black's, to ask them some very tough questions. Questions not specific to the vector that was employed to attack them, but more about the experience they had thereafter, or the various stages of the kill chain, or the MITRE ATT&CK methodology.

Dave Bittner: [00:02:39] So, why don't we just start off and set the table for us. What are the most popular methods that they're using to get into these systems?

Tom Kellermann: [00:02:47] So, to get into these systems, you know, you're still seeing a tremendous amount of spear phishing, but you're also seeing watering hole attacks, where good websites are leveraging fileless malware against people who visit specific pages. You're seeing also quite a bit of island hopping through technical service providers, where they're using a compromised network of a technical service provider to target the infrastructure of a financial institution as well. But once they get in, it's really a question of what they're doing beyond stealing money, or manifesting, front-running, or different types of financial fraud schemes.

Dave Bittner: [00:03:23] So, take us through what were some of the key findings here. What was reported back to you all?

Tom Kellermann: [00:03:27] They were very much experiencing a spike in fileless malware, memory-resident malware. Malware where they're using good tools against the infrastructure, whether it was PowerShell, or WMI, or .NET, or even SSH for that matter.

Tom Kellermann: [00:03:42] Forty-four percent of the respondents had serious concerns about the security posture of the technology service providers, the TSPs, as known in the sector. Twenty-three percent also experienced counter-incident response this year. The adversary is literally reacting to them, and that really highlights the escalation in the environment of hackers becoming more punitive. I mean, essentially, we've moved from the original attacks against the financial sector in 1995 to present day, from burglary to essentially home invasion. And of those, close to nine percent were suffering from destructive attacks that were not ransomware, where the adversary is actually destroying the integrity of systems, databases, manipulating time, et cetera, et cetera.

Dave Bittner: [00:04:29] Now, what's the rationale behind that? Is it being used as misdirection? Why destroy things if what you're after is money?

Tom Kellermann: [00:04:37] Well, there's two, there's probably three rationales behind it, I would say. But two specifically that we should highlight. One is the nature in which they understand that you've called law enforcement, and that you're becoming, you're very effective in conducting incident response. So, as they see you attempting to terminate their command-and-controls, as they see you tendrilling back and forensically trying to pinpoint their location and their infrastructure, they may choose to destroy the evidence.

Tom Kellermann: [00:05:03] Sometimes, though, they react viscerally knowing they lie in a country that doesn't have an extradition treaty with the US, and they react viscerally because they got what they came for, which was to steal money, or steal identities, or to take a position on a portfolio manager's desktop. But after which, you know, they may choose to become more patriotic in their hacking activities. You see recently, since 2014--that's recent, since this has been going on since 1995--you've seen some of the very best hackers in the world who were Russian-speaking, who were targeting financial institutions over time, act as cyber militia members for Russia, and do very nefarious things part-time to show homage to the regime. And that was mainly done to retain their untouchable status, their unimpeachability from law enforcement agencies around the world.

Dave Bittner: [00:05:54] Now, another trend that you noted in the research was the prevalence of ransomware.

Tom Kellermann: [00:05:59] Yeah, ninety percent of them were dealing with ransomware attacks, but that wasn't really what was most concerning to them. Again, what was most concerning for them was the fact that they were dealing with counter-incident response, that they felt like their technical service providers were inadequately secured and protected, and that they were seeing more destructive attacks being leveraged that weren't ransomware, where actually, you know, they were never being even asked for ransom, for that matter. Things like NotPetya-style attacks.

Tom Kellermann: [00:06:27] Also, what I found interesting was, obviously Russia led the list of most concerning a threat actor groups for these folks, but, you know, North Korea had really risen, in terms of the import that they were paying attention to them. It's not just because of the wire transfer frauds being leveraged by Lazarus Group, or the very elegant campaigns of attack by Hidden Cobra, which are two known hacker groups in North Korea. But it's the fact that the North Koreans and Iranians were beginning to utilize the kill chain that was customized and operationalized by the Russians of late. You were seeing such high levels of sophistication from these two typically non-sophisticated threat actor groups, that the financial officials were taking note.

Tom Kellermann: [00:07:12] Now, what I found interesting through previous conversations and then post conversations that I had at the FS-ISAC, the big financial sector security summit that just took place this week, is they saw noticeably that these countries were using hackers as national assets, but more importantly they were doing the hacking purposely to offset economic sanctions.

Dave Bittner: [00:07:33] I suppose we hear regularly in the news that that's a common tactic of North Korea in particular. They have a limited ability to bring in funds in other ways, but hacking is still available to them.

Tom Kellermann: [00:07:44] Correct. And the hackers, the North Korean hacker community has become much more sophisticated. And, since they are literally using the very best playbook in the world, which is the Russian dark web kill chain playbook, and since they have access to not only zero-day exploits, but more importantly they see the utility in using memory-resident malware within good-use tools like WMI, PowerShell, like SSH, they understand the weaknesses in the architectures.

Tom Kellermann: [00:08:13] And frankly, the weaknesses in the architectures are, simply put, that the architectures are outward-facing. They have limited visibility into lateral movement. There's implicit trust placed on certain protocols, user groups, and subnets, and that's to a folly. And so, now, I think there needs to be a shift, architectural shift within the sector as a whole. The current security standards in the financial sector are not effective against this escalation of threat.

Dave Bittner: [00:08:39] And so, what do you think that shift needs to look like?

Tom Kellermann: [00:08:42] Well, I think recommendations I would make where number one is they need to employ more iron boxing. Iron boxing being a term related to modern whitelisting which goes beyond traditional whitelisting. They need to do much more micro-segmentation. They need to deploy adaptive authentication that's based on risk. Can you dynamically know your customer and/or user in real time, by challenging them to use new forms of authentication and biometrics specific to their entity themselves? Are you using next-gen endpoint protection? Have you stood up a hunt team, and is that hunt team equipped with things like EDR?

Tom Kellermann: [00:09:19] You know, I found it shocking that sixty-three percent of respondents in the financial sector had yet to stand up a hunt team. I mean, if they could just do one thing, just to start, they should stand up a hunt team. That'll give them zero false positives that they already have compromises through their infrastructure. A hunt team is not an incident response team. It's not reacting to telemetry or a warning from law enforcement suggesting that something's already been compromised. You're literally looking for a compromised system, in real time, from inside out, without warning, and you're doing it regularly.

Dave Bittner: [00:09:51] Now, looking at the range of the bad guys that are out there, one of the things that the report indicates is which nations these systems are most concerned about. Can you give us a rundown on that?

Tom Kellermann: [00:10:02] Yeah. The majority of them are most concerned with Russian activity, whether it's state-sponsored Russian activity, or the major criminal syndicates of the Russian dark web who are targeting the financial sector as a whole. Followed by the Chinese, who have become much more active due to the tensions in the South China Sea, and also due to the reality that the Chinese have learned well that, in the past, they were too loud with their activities, and they needed to become much more clandestine and targeted.

Tom Kellermann: [00:10:29] But the Chinese are a different type of attack or a threat to these financial institutions. The Chinese don't want to steal money from the financial institution. The Chinese do want to know what position the financial institutions are going to be taking vis-à-vis their investment strategies and/or merger and acquisition strategies. And then they're very, very concerned about the North Koreans. And then some of them are becoming more concerned about the Iranians, because of the manifestation of geopolitical tensions. It is a direct result of us walking away from the nuclear treaty.

Dave Bittner: [00:11:00] Now, is your sense that these CISOs feel as though the problem is getting away from them? Do you feel like they feel like they have sufficient tools? Are they gaining or are they losing ground?

Tom Kellermann: [00:11:12] You know, the one positive element of the responses that I've heard, both in person at the FS-ISAC and through the survey, is they have sufficient resources, financial resources. They're suffering from massive human capital shortage, number one.

Tom Kellermann: [00:11:27] And number two is they're trying to consolidate tools. They have too many tools right now. They need tools that are fully integrated now, that are more proactive, tools that are focusing on anomalous behavior versus signature, or versus perimeter. They need nuanced tools, but the most important aspect in their shift now has been to really get down from the twelve to fifteen tools that they're using now to about three to five, and then focus their human resources on those three to five tools to secure their environment.

Tom Kellermann: [00:12:00] The second priority is really, how can they secure their information supply team? They are fully aware that they have externalities and systemic weaknesses within the outside general counsels that service them and marketing firms.

Dave Bittner: [00:12:15] Certainly within the financial world there's been a lot of consolidation. I'm thinking of, you know, the large banks have bought up a lot of those smaller neighborhood banks. Is that a concern for these folks is there, for lack of a better term, you know, genetic diversity? Have they put too many of their eggs in one basket, if you will?

Tom Kellermann: [00:12:33] So, the number one concern is when they acquire these smaller institutions is whether or not these smaller institutions still have backdoors, Trojan Horses, rootkits, installed in these systems, which is why establishing a hunt team is so fundamental in today's world. They need a specific team that's multidisciplinary, that has incident responders, pentesters, and cyber intelligence professionals, using EDR tools to go into these environments and ascertain whether or not there's already weaknesses and/or footprints of an adversary that's lying in wait.

Dave Bittner: [00:13:06] How much of what's driving their activities is driven by policy? Having to meet regulations, versus the policy lagging behind their practical needs day-to-day to protect their systems?

Tom Kellermann: [00:13:19] Smaller institutions--not all, but most--are very compliance-focused, for obvious reasons. The larger institutions are compliance-oriented, but they are much more strategic because of the nature that they are larger targets, and they are being targeted more often, and they've dealt with some very elegant kill chains and lateral movement techniques.

Tom Kellermann: [00:13:40] Again, the financial sector is the most secure sector in America, and globally for that matter, against cyber attacks. But they're also playing against the best hackers in the world. They're fighting against nation-states as well. And so, regardless of the resources they have at their disposal and the advanced nature of their security posture, that is balanced out and marginalized by the advanced nature of the adversary.

Tom Kellermann: [00:14:05] The goal now for most CISOs in the financial sector is to decrease dwell time. Their return on investment on their cybersecurity controls and personnel, and those correspondent budgets, is truly specific to have they decreased the amount of time that it took them to become situationally aware of an adversary within their infrastructure information supply chain, from this year to last?

Tom Kellermann: [00:14:31] And, as much as that sounds like them giving in, it's not. Frankly, the name of the game now has to be intrusion suppression. The adversary's in your environment. How do you suppress that adversary? How do you detect, divert, deceive, contain, and then hunt an adversary, unbeknownst to an adversary, until law enforcement or your outside general counsel are ready to make a move.

Dave Bittner: [00:14:56] Our thanks to Tom Kellermann from Carbon Black for joining us. The report is titled "Modern Bank Heists: Cyberattacks & Lateral Movement in the Financial Sector." You can find it on the Carbon Black website.

Dave Bittner: [00:15:09] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show you can learn more about them at

Dave Bittner: [00:15:17] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:15:25] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.