DECEMBER 22, 2015
Every major network intrusion tells us something about both the victim and the intruder. Often the tale centers on the mistakes made by the victim which rendered it vulnerable. Indeed, many studies have shown over the years that a significant percentage of intrusions took advantage of known vulnerabilities that a victim failed to address.
But there is a different lesson to be learned from the recently revealed indictment of several men for an intrusion into one of the nation’s largest banks. Although the information released by prosecutors does not explain the means of the intrusion, a previous public report claimed that the intruders used multiple zero-day vulnerabilities to defeat the bank’s security controls and then installed a considerable quantity of custom malware to begin siphoning data out of the bank. It is also very important to note that what was taken was data, not money. Recall Willie Sutton’s famous reply when asked why he robbed banks: “That’s where the money is.” But the fact that the intruders did not access customer accounts did not make their intrusion worthless.
According to prosecutors, instead of directly stealing money, the defendants stole personal information about bank customers. This enabled the defendants to use the stolen information to target those bank customers with a stock manipulation fraud scheme. The defendants had been working together since 2007 and had stolen information about more than 100 million people from several financial services companies. The defendants operated out of at least two foreign countries, used a server in a third country to store data, and had over $100 million in accounts in a fourth country. They also laundered money for other criminals through approximately 75 shell corporations, and ran illegal internet casinos.
In short, these were professional criminals operating at a level of international sophistication that would make a traditional Mafia Don “green” with envy. Moreover, their technical skills were superb, arguably at a level one would expect only from operatives of a nation-state.
There are several takeaways for every enterprise from this incident:
- The bad guys are increasingly sophisticated both operationally and technically, even when operating without the backing of a national government.
- They only have to succeed once. You have to keep them out every time.
- Every network must have a means of detecting unauthorized activity after an intrusion; never assume you can keep them out.
- Your sense of what is most valuable in your network might not be the same as the intruder’s.
- It does not matter where you are or where the attacker is.
- They will have friends and allies. You should, too. Find some way to share security information with your industry peers; know who your law enforcement contacts and incident response team are.
- The ability of American law enforcement to investigate and prosecute these crimes is indeed impressive, as is the increasing international cooperation it receives. But law enforcement at this level is not like a cop on a beat. It cannot offer preventive protection; it responds after the event. What happens before is totally your responsibility, and an intrusion is a bell that cannot be un-rung.
About the author
KENNETH C. CITARELLA, JD, MBA, CFE, CIPP/US
SENIOR MANAGING DIRECTOR, INVESTIGATIONS AND CYBER FORENSICS
Kenneth C. Citarella is senior managing director for the Investigations and Cyber Forensics practice at Guidepost Solutions LLC. He has more than 30 years of experience investigating and prosecuting white collar crime and computer crime. Kenneth can be reached at email@example.com.