Surprise Data Harvest: 3 Network Security Stories
Cyber investigators reveal how harvesting the right data can help solve network security issues and provide legal peace of mind.
While much of the world is harvesting crops in preparation for the coming winter, network teams are, as usual, harvesting network data. As anyone who captures packets knows, sometimes these payloads contain surprises. As you enjoy a tasty meal, raise your glass to the IT professionals who occasionally harvest more than they bargained for.
The Three-Hundred-Buck Bandit
By collecting data and understanding traffic patterns, network teams can set baselines and alerts that are triggered when anything outside of normal parameters occurs.
Network professional and Certified eCommerce Fraud Investigator Tim O’Neill recommends that network engineers get to know the geography of their IT assets and their users’ behavior: the IP addresses of approved users and the routine destination addresses found on their enterprise networks.
“A big bank didn’t notice that after midnight there was a lot of unusual traffic on their network because they had never established baselines,” says O’Neill. “Pretty much all through the night there was traffic and because they weren’t monitoring it, they didn’t know what normal was so they let it go, but what had happened is that they had been attacked.”
O’Neill was able to identify the traffic and what he found was shocking.
“A guy was going out and ordering ATMs to dump out $300 every night, at as many as 10 locations, maybe 12 locations,” he says. “And this one guy would just get in his car and drive from one location to the next. As soon as he pulled up, the machine had already spit out $300. He would grab it and disappear. That was going on almost every night for several weeks before someone happened to notice that some money was going out but no one could account for where it was going or what account it was coming from. There’s a perfect example of what’s not normal.”
Hackers ‘Loan’ Themselves $1 Billion
Malicious network activity can take many forms, but the end goal is generally financial. In the case of banks and other institutions, having an awareness of the network can help ensure that if there is a breach, it is found quickly.
“A couple of years ago there was a massive banking attack around the world,” O’Neill says. “It is estimated that the hackers known as the Carbanak team made off with a billion dollars, and it was all about aberrant traffic. They had gotten in and were making their own documents. They had stolen authority. But if someone had looked and said, ‘Who is this IP address?’ they would have known that it wasn’t normal on their network.”
The actual monetary losses were never officially released but more than one hundred banks across 11 countries lost many millions each day for several days. By asking simple questions, the network engineer or the security engineer could have established key facts surrounding the aberrant IP address and traffic.
“It wasn’t another bank,” says O’Neill on the value of recognizing the aberrant IP address and its associated traffic. “That’s not a remote office or anything. Why are they taking out loans? Literally the perpetrator attacked 38 banks. Those are the ones that admitted they had been attacked, and the cost estimate is well over $10 million for the banks that were willing to come clean.”
O’Neill recommends a simple and straightforward process for comparing and reviewing normal facts or baselines, and logging the usual or average traffic and users.
“Just collect all IP addresses for a week and put that in a spreadsheet. Then you can compare down the road, or find out the normal response time between two offices or the amount of traffic flow. For example, you’ll know that an office in California only contacts a specific server between 7am and 6pm, so I shouldn’t see traffic in the evening if I take down my servers at night. You can begin to see and establish baselines.”
Hard Pressed: An Extreme Breach Response
In the case of a breach, the goal of an IT team is to recognize what caused an attack, how the attack was carried out, and to mitigate further damage or loss. Of course, some organizations take things to the extreme.
“One company had an attack and they literally had all the employees bring their computers,” says O’Neill. “This was about 190 to 200 employees, they literally took out the hard drives and handed them to a guy that had a big drill press and he drilled a hole through every hard drive and threw them in a trash can.”
Obviously the larger the enterprise, the more expensive such measures can be.
“They didn’t care what was lost,” says O’Neill. “To mitigate the attack, they got rid of every computer hard drive and reloaded everything; even the servers were mushed. That was costly.”
For Further Reading
In the case of a data breach, an ounce of prevention is worth a pound of cure. Read the full white paper for further information on proactively understanding and using the right source data to protect your own organization in the event of an attack – and what to have ready for your day in court.