The Carbanak breaches may well be the greatest series of cybercrimes committed in history. Netting as much as $1bn from financial groups across 30 countries, the attacks are bound to raise questions from Wall Street to the City of London and beyond about what happened.
Yet, as with all events of its kind, much can be learned from the Carbanak campaign, and those involved in cybersecurity would do well to study how an advanced persistent threat (APT) works – and, more important, how it can be mitigated and responded to.
1. Carbanak is ‘the definition of a modern cyber-attack’
In the earlier days of cybercrime, criminals often used simple techniques to steal easily usable data, using phishing attacks to nick payment card details that could be sold on at high volume for a low price per unit.
Those attacks still happen, but some crooks are becoming much smarter, with campaigns taking place over months rather than minutes. "If you were going to draft the definition of a modern cyber attack, this would be it," said Rob Norris, director of enterprise and cybersecurity, Fujitsu UK&I.
"The potentially huge losses stem from a series of attacks that seem to have been working away for two years," he added. "This is not the ‘quick fire attack’ of old."
2. …yet the old tricks still work
Despite increasing innovation on the part of the hackers, many of the most basic attack tactics are still working just fine. In the case of Carbanak the attackers used plain old spear-phishing, stealing credentials by sending targeted messages to those inside the banks.
"The current information is that access was gained via malicious attachments to emails, which staff will then have opened," said Paul Glass, senior associate at law firm Taylor Wessing, adding that this "human element" of attacks must be accounted for.
"This is another example of the importance of education of staff, both to minimise the risk of opening attachments that contain malicious payloads, and to take immediate action if they realise that they have opened a malicious attachment," he said.
3. IT managers should not panic, but focus on risk
The computing press has been filled with scary stories over the last year, not least from CBR. Yet despite the dangers, some experts are warning that such threats should be seen purely in terms of risk.
"Many organisations can be panicked by industry noise created by issues, which often will not impact them," Norris said. "Instead they need to take a risk-based approach, enabling them to target security capabilities in a way which helps them defend against those threats which actually pose a risk to their business."
Simple things that an organisation can do to protect itself include implementing a strong password policy, using two-factor authentication where possible, and segmenting important data from the trivial stuff.
4. Companies must set benchmarks
The Carbanak hackers were expert at infiltrating banking environments, carefully watching admin behaviour before enacting their own fraud to ensure they would not be detected. It is difficult to counter such behaviour, but one way of doing it is by setting a benchmark.
"Malware leaves a trace when it compromises a system – even custom malware," said Dwayne Melancon, CTO of security vendor Tripwire. "Unfortunately, most of the time, that mark goes unnoticed because enterprises haven’t established a baseline, or known good state, and aren’t continuously monitoring for changes to that baseline."
The recent surge in behavioural analytics is now making it easier to work out when something malign is happening, with much of the technology leveraging machine learning to gain insights into workers’ habits.
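The baseline idea Melancon describes, in its simplest file-integrity form, as an added example (not the article's, Tripwire's or any bank's code): hash every file under a directory to record a known good state, then compare a later snapshot against it to surface added, removed and modified files. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Hash every regular file under root; the result is the 'known good state'."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report drift from the baseline: new files, missing files, changed contents."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "admin-tool").write_bytes(b"legitimate admin tool v1")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)  # the known good state, taken once and stored

        # Drift: an existing tool replaced, a new binary dropped, a config removed.
        (root / "bin" / "admin-tool").write_bytes(b"replaced admin tool")
        (root / "bin" / "extra-tool").write_bytes(b"file not present at baseline time")
        (root / "etc" / "hosts").unlink()
        return diff_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored somewhere the monitored host cannot rewrite and the comparison runs continuously, so a change to an allow-listed administration tool is flagged even though the tool itself is permitted.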
5. An ‘enormous’ cleanup is about to begin
Once an attack has been detected the remediation phase begins, and it can be a real test for firms, both in terms of reputational impact and regulatory pain. For those affected by Carbanak this process is about to start.
"What makes this attack more dangerous than usual is that the attackers used whitelisted software which many of the banks themselves allow for system administration," Glass said.
"Regulators will want detailed explanations from the affected banks as to how access was obtained, the extent of compromise of each bank’s systems, and how such a serious attack went undetected for many months," he added. "The cleanup operation within affected banks will be enormous."