Security Architecture

Reservoir Rogues: Hooked on a’ Stealing

“What’s the cut, Papa?”

“Juicy, Junior. Real juicy.”

Sorry, I couldn’t help myself. Tarantino is too quotable. And that scene is exactly how I imagine a gang of cyber crooks—from the likes of Metel, GCMAN, and Carbanak 2.0—sitting around debating whether some long-term hack of the APT persuasion is worth it.

But with paydays reaching upwards of $1 billion, I’d say, yeah, those cuts are downright succulent. And the means by which to achieve them are much more appetizing than what Mr. White, Pink, Brown, Blonde, Orange, and Blue had to go through.

Stuck in the Middle with You

Banking botnets may be passé, but banking heists are all the rage. What’s changed is the hacking strategy. Today, APTs (and, apparently, ATMs) are where it’s at.

While not stick-’em-up, gunpoint robberies, the Metel attacks were half cyber, half physical. The group used spear-phishing emails to get malware onto a bank’s network, stole credentials, took over a domain controller, and from there reached the systems that process card transactions. Once everything was set up inside the network, they automated the rollback of ATM transactions so that the balances on the cards they held never appeared to drop. Then these guys went around—literally thieves in the night—from ATM to ATM, withdrawing cold hard cash against balances that never went down.

Another group, GCMAN, also used APT-style techniques (spear-phishing emails carrying a malicious RAR archive, then legitimate administration and pen-testing tools like VNC, PuTTY, and Meterpreter for lateral movement) to pull off a different set of bank heists. Patient as spiders spinning their webs, GCMAN sat in one bank’s network for 18 months before the thieving began. But when it did, with a cron script transferring money to multiple e-currency services, the bank bled cash at a rate of $200 a minute.

As NSA chief hacker Rob Joyce indicated during his recent talk at the USENIX Enigma conference, hackers are patient and persistent. They’ll wait and wait and wait for the right moment to attack, especially when the reward is big enough. So it’s really not surprising that more cyber crooks are going in for the long haul. These recent Eastern Bloc robberies are a good reminder that every organization should assume its systems have, in all likelihood, already been compromised, and should refocus on getting more pervasive visibility into its own network.

I Gotcha

Although it’s increasingly common to find that intruders have been living undetected in networks for long periods of time, this doesn’t have to be the case. Companies need to take a different tack, become more proactive, and turn the tables on folks like these banking bandits. They can do so by re-architecting existing security stacks around visibility, which gives them the best chance of surfacing areas of compromise and shutting down theft, while continuing to strengthen and maintain perimeter defenses.

I’ve said it before; I’ll say it again: Security requires visibility. Many security vendors understand this—the need for pervasive visibility to analyze network traffic for threats, anomalies, and lateral malware movement. However, no matter how sophisticated security solutions have become, they’re still only as good as the network traffic they see. And what can help with this? A security delivery platform (SDP).

An SDP is designed to give security tools full access to network traffic and network metadata. In the GCMAN case, the attackers spent part of those 18 months hunting for the computers on the domain that handled financial transactions; an SDP would have delivered that traffic, in full, to the tools watching the network. Behavioral analytics fed with it could have flagged the flurry of internal reconnaissance as anomalous against each host’s baseline and surfaced the infiltration long before the 18 months it actually took. The caveat is that the platform only delivers the packets: detection still depends on tools that have learned what normal looks like for each host, and on the traffic being inspectable (encrypted sessions yield metadata, not content, unless they are decrypted first).
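To make the “anomalous against a baseline” idea concrete, here is an added example that is not code from the original post or from any SDP vendor. It assumes the platform hands an analytics tool flow metadata records (source host, destination host, destination port, observation day); the flow data below is constructed, the host names are hypothetical, and the SDP itself is not modeled. The script learns each host’s normal fan-out (distinct internal hosts contacted per day) and which hosts ever use remote-administration ports, then flags a workstation that suddenly sweeps the subnet and starts using VNC and SSH, the kind of reconnaissance and lateral-movement pattern described for GCMAN.

```python
"""Baseline-vs-window anomaly detection over network flow metadata.

Added example (not from the original post). Input is the kind of flow
metadata a security delivery platform would feed to an analytics tool;
all records and host names below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Ports used by the remote-administration tools the post names (VNC, and
# SSH as used by PuTTY). A workstation that starts using them against
# peers it never talked to before is worth a look.
ADMIN_PORTS = {22, 5900}


@dataclass(frozen=True)
class Flow:
    day: int      # observation day, used to split baseline vs. window
    src: str
    dst: str
    dport: int


def fanout_per_day(flows):
    """Map (src, day) -> set of distinct destinations contacted that day."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.day)].add(f.dst)
    return seen


def baseline(flows, days):
    """Per-host mean/stdev of daily distinct-destination count over the
    baseline days, plus every (src, admin port) pair seen in that period."""
    per_day = fanout_per_day(f for f in flows if f.day in days)
    counts = defaultdict(list)
    for (src, _day), dsts in per_day.items():
        counts[src].append(len(dsts))
    stats = {}
    for src, vals in counts.items():
        # pad days with no traffic as 0 so a quiet host keeps a low baseline
        vals = vals + [0] * (len(days) - len(vals))
        stats[src] = (mean(vals), pstdev(vals))
    admin = {(f.src, f.dport) for f in flows
             if f.day in days and f.dport in ADMIN_PORTS}
    return stats, admin


def detect(flows, baseline_days, window_day, z=3.0, min_fanout=5):
    """Return (src, reason) findings for window_day, judged against the
    baseline learned from baseline_days."""
    flows = list(flows)
    stats, admin = baseline(flows, baseline_days)
    per_day = fanout_per_day(f for f in flows if f.day == window_day)
    findings = []
    for (src, _day), dsts in per_day.items():
        n = len(dsts)
        mu, sd = stats.get(src, (0.0, 0.0))
        # z-score against the host's own history; the stdev floor of 1 and
        # the min_fanout floor stop a host going from 0 to 1 peer tripping it
        if n >= min_fanout and n > mu + z * max(sd, 1.0):
            findings.append((src, f"fanout {n} vs baseline {mu:.1f}+/-{sd:.1f}"))
    window_admin = {(f.src, f.dport) for f in flows
                    if f.day == window_day and f.dport in ADMIN_PORTS}
    for src, port in sorted(window_admin - admin):
        findings.append((src, f"first use of admin port {port}"))
    return findings


def sample_flows():
    """Constructed flow set: 10 quiet days, then one day of reconnaissance."""
    flows = []
    for day in range(1, 11):
        for ws in ("ws-17", "ws-22"):
            flows.append(Flow(day, ws, "fs-01", 445))     # file server
            flows.append(Flow(day, ws, "mail-01", 143))   # mail server
        flows.append(Flow(day, "admin-01", "srv-03", 22))  # legitimate admin SSH
    # day 11: ws-17 sweeps the subnet looking for transaction-handling hosts,
    # then reaches two of them over VNC and SSH
    for i in range(40):
        flows.append(Flow(11, "ws-17", f"host-{i:02d}", 445))
    flows.append(Flow(11, "ws-17", "txn-01", 5900))
    flows.append(Flow(11, "ws-17", "txn-02", 22))
    flows.append(Flow(11, "ws-22", "fs-01", 445))
    flows.append(Flow(11, "admin-01", "srv-03", 22))
    return flows


if __name__ == "__main__":
    for src, reason in detect(sample_flows(), set(range(1, 11)), 11):
        print(f"{src}: {reason}")
```

Run as-is it reports only ws-17: a fan-out of 42 hosts against a baseline of 2, plus first-time use of ports 22 and 5900. The admin host that uses SSH every day is not flagged, which is the point of baselining per host rather than alerting on the port alone.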

And how sweet would it be in these cases to deliver the line (again and again): I gotcha!
