Why Most High Stakes Cyber-Attacks Are Detectable

Cyberattacks are eroding trust in all things connected — from websites to apps to ATMs. But it doesn’t have to be this way. The crooks have gotten smart, so companies and enterprise security providers have got to get smarter. Unfortunately, most are struggling to catch up to the sea change in cyber-crime. All of the increased efficiency, productivity, interconnectedness and innovation of the digital era has been deeply undercut by a rash of security breaches. The worst part: many of the high profile cyber-attacks making headlines in recent months were entirely preventable.

In February, Kaspersky Labs reported that the Carbanak family of malware had robbed banks of as much as $1 billion since 2013. It’s no surprise that the banking industry has typically adopted and deployed the cutting edge of security technology: financial institutions are obvious and perennial targets for thieves, and they have deep enough pockets to invest heavily in cyber-security. What is surprising is that a few spear-phishing emails opened back doors for criminals, who then slipped in and out of bank accounts and ATMs unnoticed for months or even years. How is this possible?

To better understand how the malware used in these attacks evaded detection by traditional security technology for so long, we dissected dozens of Carbanak malware samples using the Lastline Breach Detection Platform. In a matter of minutes, we discovered that the malware was written to bypass traditional signature-based security tools and to use stealthy and evasive maneuvers to avoid detection by first-generation sandboxing technology.

Simple malware is like a bad poker player — it often has “tells” that give away its maliciousness right off the bat: executables that blatantly set out to extract and transfer personal data, keystroke loggers, and so forth. Advanced malware has a better poker face. It hides its intent — looping, stalling or otherwise cloaking itself — while it is being analyzed by security tools at network perimeters. Once these stealthy and evasive programs slip into target systems, they are able to do their dirty work and take home the jackpot without raising suspicion. But, as in poker, there are often subtle and sophisticated signs of bluffing malware that make it detectable. In fact, 93% of the Carbanak family of malware we studied exhibited 10 or more malicious or suspicious behaviors. This malware family was arguably made up of bad poker players that managed to bluff their way into a cool billion dollars.

Unfortunately, the security infrastructure in banks, retailers, even governments, is aging and overly reliant on three things: signatures, deterrents and people. Cyber-criminals know this, and the most sophisticated among them are getting away with an incredible number of attacks that exploit these weaknesses. Signature-based security systems like anti-virus scanners, which aim to blacklist certain code from entering a network or device based on a database of known threats, cannot keep up. The automation of malware distribution, the availability of affordable and highly effective malware for sale and the increasing payouts for criminals who are robbing organizations and individuals mean that simple deterrents are useless. And when your security is reliant on hundreds or thousands of people following protocols, remembering training from years ago or intuitively flagging a phishing email when they see one, you’re in trouble.

One advanced security tool that uses behavior-based, rather than signature-based, approaches to detecting advanced threats is called sandboxing. According to Gartner, sandboxing is the fastest growing category of advanced threat defense. (This is excellent news for my company Lastline, since sandboxing is a cornerstone of our breach detection platform.) The rapid growth of sandboxing is due in part to the fact that signature-based technologies like traditional firewalls and antivirus scanners are missing malware that sandboxes can detect. But as companies wake up to these threats and implement basic sandboxes, malware authors are studying sandboxes and actually targeting them by creating environmentally-aware malware that can sense it is being analyzed.
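The two ideas above, that malware leaks "tells" through its behavior and that evasive samples stall or probe their environment while under analysis, can both be turned into detection logic on the sandbox side. The following is an added example, not Lastline code and not the platform's rule set: it scores a constructed API-call trace (the trace format, the rules, the hypothetical call names and arguments, and the thresholds `STALL_SLEEP_MS`, `LOOP_REPEATS` and `min_behaviors` are all assumptions chosen for illustration) and treats stalling itself as a suspicious behavior rather than as dead time.

```python
"""Behavior-based scoring of a sandbox API trace.

Added example, not Lastline's code. The trace format, the rule set and the
thresholds are assumptions chosen for illustration.
"""
from typing import Callable, Dict, List, Tuple

Call = Tuple[str, Dict[str, object]]                     # (API name, arguments)
Rule = Tuple[str, Callable[[str, Dict[str, object]], bool]]

# Behavior "tells": each rule names one suspicious behavior and the API-call
# pattern that reveals it. Illustrative rules, not a vendor's rule set.
RULES: List[Rule] = [
    ("persistence",
     lambda api, a: api == "RegSetValueEx" and "\\Run" in str(a.get("key", ""))),
    ("keylogging",
     lambda api, a: api == "SetWindowsHookEx" and a.get("hook") == "WH_KEYBOARD_LL"),
    ("document_collection",
     lambda api, a: api == "CreateFile"
     and str(a.get("path", "")).lower().endswith((".xlsx", ".docx", ".pdf"))),
    ("network_beacon",
     lambda api, a: api in {"InternetOpenUrl", "HttpSendRequest"}),
    ("environment_probe",
     lambda api, a: api == "IsDebuggerPresent"),
]

STALL_SLEEP_MS = 60_000   # assumed: over a minute of cumulative Sleep is stalling
LOOP_REPEATS = 20         # assumed: this many identical back-to-back calls is a stall loop


def analyze_trace(trace: List[Call]) -> Dict[str, object]:
    """Return the behaviors observed in a trace plus the cumulative sleep time."""
    behaviors = set()
    total_sleep_ms = 0
    prev_call, run_len = None, 0
    for api, args in trace:
        for name, matches in RULES:
            if matches(api, args):
                behaviors.add(name)
        if api == "Sleep":
            total_sleep_ms += int(args.get("ms", 0))
        # A long run of identical calls burns analysis time without doing
        # anything, which is the looping/stalling pattern described above.
        key = (api, tuple(sorted(args.items())))
        run_len = run_len + 1 if key == prev_call else 1
        prev_call = key
        if run_len >= LOOP_REPEATS:
            behaviors.add("stalling_loop")
    if total_sleep_ms >= STALL_SLEEP_MS:
        behaviors.add("stalling_sleep")
    return {"behaviors": sorted(behaviors), "total_sleep_ms": total_sleep_ms}


def verdict(result: Dict[str, object], min_behaviors: int = 3) -> str:
    """Stalling is itself a tell: an evasive sample is flagged even when it
    shows few other behaviors. The threshold is an assumption."""
    behaviors = result["behaviors"]
    if any(b.startswith("stalling") for b in behaviors) or len(behaviors) >= min_behaviors:
        return "suspicious"
    return "benign"


# Constructed traces for the demo; not real Carbanak output.
EVASIVE_TRACE: List[Call] = (
    [("IsDebuggerPresent", {})]
    + [("Sleep", {"ms": 30_000})] * 3
    + [("GetTickCount", {})] * 25
    + [("RegSetValueEx", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                          "name": "svchost"}),
       ("SetWindowsHookEx", {"hook": "WH_KEYBOARD_LL"}),
       ("CreateFile", {"path": r"C:\Users\teller\Documents\accounts.xlsx"}),
       ("InternetOpenUrl", {"url": "http://203.0.113.10/gate.php"})]
)
BENIGN_TRACE: List[Call] = [
    ("CreateFile", {"path": r"C:\Users\teller\Documents\notes.txt"}),
    ("Sleep", {"ms": 100}),
    ("WriteFile", {"bytes": 42}),
]

if __name__ == "__main__":
    for label, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        result = analyze_trace(trace)
        print(label, verdict(result), result)
```

The point of the stall rules is the one the text makes: a sample that spends its analysis window sleeping or spinning has not "done nothing", it has revealed that it is waiting the sandbox out, and a scorer that only counts overtly malicious calls would miss exactly that signal.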

Thus, in order to coax the “real” behavior out of malware, it is crucial that a sandbox be stealthy itself and act as if it were a target machine. If the banks robbed by the Carbanak family of malware had had a stealth sandbox in place, they more than likely would have detected the malware as it entered their systems and again as it attempted to proliferate. Many of the hacked retailers, Internet services, restaurants and even government agencies can take a page from this.

Cyber-attacks are inevitable, but very, very few are undetectable using available security technology combined with a strong security team and/or managed security service. For financial institutions to go months or even years without detecting these breaches is unacceptable. And I’m afraid these publicly disclosed breaches are just the tip of the iceberg.

The good news is that it’s not too late. If most past high profile cyber-attacks were preventable, most future attacks are as well. The security community has to step up its game because the crooks are all in and playing with a loaded deck.