Carbanak: the common threat with disastrous effects

Published on February 24, 2015

CARBANAC: the common man who changes into a god.

“There are people in the street. I think they are hunting for Carbanac.”

A form raced up beside his own, the mighty body of Carbanac—Carbanac transformed into a monster, and out of whose lungs came bellowings that were like the roarings of a beast.

(The Black Hunter, by James Oliver Curwood, 1925)

The losses are mounting and the number of institutions breached keeps growing, but what hasn’t changed much is attacker’s MO: simple and robust scheme of taking control over the target’s computer systems. Despite of all the phishing awareness efforts, intelligence sharing on sources for phishing emails and malicious websites, better monitoring and control over the execution of downloaded content, tighter management of privileged accounts, and increasing adoption of advanced security and fraud analytics, the good guys are still one step behind, playing catch-up with the attackers.

While it still takes a presidential executive order just to share data on attacks, the level of collaboration between public and private sector has to be at a much deeper level to put even a slight dent in this unrelenting wave of successful cyber-attacks. Security controls, policies, and audits have to be modernized to take full advantage of the technologies available to deal with these types of attacks; behavioral analysis, automated analytics, and kill chain modeling should be a part of an effective cyber-security program just as data encryption and identity management were for over a decade. Insider Threat shouldn’t be frowned upon as a sign of mistrust in employee’s loyalty, but considered in a larger context of Trusted Actor Threat; once the perimeter is breached, activities of an external attacker look just the same as those of a malicious insider. We have to accept that any perimeter will be breached, sooner or later, and seriously re-evaluate our capabilities to detect, stop, and mitigate successful intrusions.

Carbanak attack was neither original nor very sophisticated, but it was well planned and executed, and the organization needs to have an established a security program to defend against it. Large financials have been in this game for many years, with sufficient funding, and they still get breached. Mid and small size businesses are definitely more vulnerable to determined attackers, and once large targets get their act together and become harder to penetrate, thousands of smaller institutions will become the attacker’s next targets. There is no one tool to protect them – it has to be a defense in depth, which requires funds, skills, and time to implement. Government can and should help, not only with information sharing, but also with guidance on best practices, emerging threats, and centralized forensic and offensive capabilities to make the cost of an intrusion very unattractive.

The progress in security intelligence and threat analysis over the past few years is undeniable, and the private sector is taking full advantage of it. The Federal government also has the means, and definitely the incentive, to substantially improve its behavioral and predictive analytics capabilities. But the chain is only as strong as its weakest link, and we need to shore up the security of our state and local governments, who are desperate for funding and guidance to implement new technologies.

Security companies, on the other hand, have high demand for their services and products, as well as know-how and solid technological foundation to deliver effective, innovative solutions. What they lack is timely information on emerging threats and on the anatomy of attacks outside of their customer base. Federally-funded cyber-security organizations, sitting on troves of data on past and ongoing attacks, are citing privacy and sensitivity concerns that prevent them from sharing, but that’s like locking the barn after the horse was stolen: the attackers already have this data, and have no qualms about exposing it. The only ones in the dark are the businesses that are either trying to protect themselves or to develop better tools to prevent such attacks. We’re on the same side here, so let’s act like it, without the need for an executive order to do what’s right.