C A S E S T U D Y D E C E M B E R P R E P A R E D B Y : Iftah Bratspiess

Similar documents
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

ForeScout Agentless Visibility and Control

Gujarat Forensic Sciences University

IC32E - Pre-Instructional Survey

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

ENDPOINT SECURITY STORMSHIELD PROTECTION FOR WORKSTATIONS. Protection for workstations, servers, and terminal devices

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Compare Security Analytics Solutions

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

securing your network perimeter with SIEM

THE ACCENTURE CYBER DEFENSE SOLUTION

Verizon Software Defined Perimeter (SDP).

Designing and Building a Cybersecurity Program

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Cybersecurity Auditing in an Unsecure World

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

2013 InterWorks, Page 1

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

CYBERSECURITY RISK LOWERING CHECKLIST

Unlocking the Power of the Cloud

CyberArk Privileged Threat Analytics

CloudSOC and Security.cloud for Microsoft Office 365

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

PROTECTING THE ENTERPRISE FROM BLUEBORNE

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

The Claroty Difference

Chapter 9. Firewalls

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Cyber Security Audit & Roadmap Business Process and

INFINIT Y TOTAL PROTECTION

CipherCloud CASB+ Connector for ServiceNow

Competitive Analysis. Version 1.0. February 2017

Security

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

May the (IBM) X-Force Be With You

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Total Security Management PCI DSS Compliance Guide

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Securing Industrial Control Systems

Exam: : VPN/Security. Ver :

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Securing Your Most Sensitive Data

5. Execute the attack and obtain unauthorized access to the system.

Are we breached? Deloitte's Cyber Threat Hunting

RiskSense Attack Surface Validation for IoT Systems

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Best Practices in Securing a Multicloud World

716 West Ave Austin, TX USA

The Overlooked Costs and Risks of Firewalls

Exposing The Misuse of The Foundation of Online Security

TRUE SECURITY-AS-A-SERVICE

ORACLE MANAGED CLOUD SECURITY SERVICES - SERVICE DESCRIPTIONS. December 1, 2017

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Infrastructure Blind Spots Continue to Fuel Personal Data Breaches. Sanjay Raja Lumeta Corporation Lumeta Corporation

ForeScout CounterACT Pervasive Network Security Platform Network Access Control Mobile Security Endpoint Compliance Threat Management

This Online Gaming Company Didn t Want to Roll the Dice on Security That s Why it Worked with BlackBerry

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

SIEM: Five Requirements that Solve the Bigger Business Issues

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

CNIT 121: Computer Forensics. 9 Network Evidence

Aerohive and IntelliGO End-to-End Security for devices on your network

The Eight Components of a Strong Cyber Security Defense System

Deception: Deceiving the Attackers Step by Step

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Understanding Cisco Cybersecurity Fundamentals

Project 2020: Preparing Your Organization for Future Threats Today

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

DHS Cybersecurity: Services for State and Local Officials. February 2017

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Seceon s Open Threat Management software

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

MEETING ISO STANDARDS

PrecisionAccess Trusted Access Control

FOR FINANCIAL SERVICES ORGANIZATIONS

Reduce Your Network's Attack Surface

Automating the Top 20 CIS Critical Security Controls

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Cyber Security Technologies

A Strategic Approach to Industrial CyberSecurity. Kaspersky Industrial CyberSecurity

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Transcription:

FINANCIAL INSTITUTES PENETRATION INTO A BANK NETWORK USING TRANSPARENT NETWORK DEVICES C A S E S T U D Y P R E P A R E D B Y : Iftah Bratspiess 2018 Sepio Systems www.sepio.systems US: 11810 Grand Park Ave., Rockville, MD 20852 Israel: 63 Rothschild Blvd., Tel-Aviv, 6578510

INVISIBLE NETWORK DEVICES The use of transparent network devices that have no logical footprint, provides cyber-criminals with a constant foothold in enterprise networks for stealing and manipulating sensitive information BACKGROUND A Tier 1 bank audit revealed some irregularities, and it became evident that an external party had continuous access to the internal and secured parts of the network. The first step of the investigation was based on a thorough and rigorous scanning of the computing assets of the bank, such as the servers, the desktop workstations and management s laptops for malware with remote access capabilities. As this phase revealed no findings, the second step focused on deep monitoring of the ingoing and outgoing communications from the network, hoping it will provide a clue. Finding no evidence for the full remote access, the team was clueless and approached the Cybersecurity Investigations Practice of a leading global consulting firm for help. Working together, the teams discovered that an authentic Laptop of the bank was entirely cloned, and was connecting to the network infrastructure via an out-of-band channel in parallel to the existing and legitimate Laptop. It was then clear why none of the existing security and monitoring tools could not detect this, as the network access profile and envelope, as well as the certificate were authentic and valid. The attackers were using a ghost malicious device that was acting in the shadow of the legitimate one. Knowing which valid device was the shadow hiding the criminal activities, the investigating team was able to find an unrecognized and small hardware device that was installed in one of the distribution cabinets and was providing the remote access capabilities while the existing and many security measures were left entirely blind. No one from the IT and Network Teams knew what this device was, what it was doing, who brought it in and when. S E P I O S Y S T E M S - D E T E C T I N G I N V I S I B L E N E T W O R K D E V I C E S P A G E 2

ATTACK STUDY Incident Flow The attackers were using a legitimate off-the-shelf network router sold by a third party. Among its other modes of operation, the device supports a virtual cable mode, in which it is possible to pair two devices and then install each one of them at a different location and use them as if they are interconnected using a standard passive LAN cable. The two devices are able to reroute and tunnel the communication via a simple switchboard application, and then intercept the traffic, easily inject data packets and streams back into the network, or conduct more complex MiTM attacks. When operating in this virtual cable mode, the attack setup becomes invisible to all Intrusion Detection (IDS), Network Access Controller (NAC), and Network Monitoring tools mainly due to the fact that the devices do not have any logical entity or footprint such as an IP or even MAC address. The entire manipulation is conducted only on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2) so all higher-level communications are considered to be authentic and safe. S E P I O S Y S T E M S - D E T E C T I N G I N V I S I B L E N E T W O R K D E V I C E S P A G E 3

DECEMBER 2017 ATTACK STUDY Attack Tools That Were Involved In this specific incident, the attackers have used the PocketPort2 mobile router from Proxicast. The device pair were configured to run in virtual cable mode, and to use a private switchboard server in order that there will not be any traces to the location and origin of the attackers. We have also been able to detect and mitigate similar types of attacks that were conducted using different tools that were acting in a similar manner. Examples of such devices are map lite and AR150 both purchased as legal and legitimate products from reputable vendors. In practice, and hardware platform with an operating system and set of drivers that support promiscuous mode and the ability to directly transmit data packets (raw sockets) can be adapted to act as an invisible/rouge device. Local storage or an out-of-band communication channel, preferably wireless, can be used for leaking the stolen sensitive information without being detected and visible to existing network security tools such as an IDS or a NAC. SEPIO SYSTEMS - DETECTING INVISIBLE NETWORK DEVICES PAGE 4

MITIGATION The Sepio Solution The Sepio System's security suite was selected as the detection tool for manipulated hardware devices operating in the physical layer after a successful Proof-of-Concept phase. During the trial, various types of rogue network elements were added into the network by the IR team, and were successfully detected and located. The Sepio software system is the only available solution in the market that has physical layer detection capabilities. Using physical layer detection technology, it is possible to identify not only the above device types, but all kinds of network-invisible attack tools. Deployment and Architechture The Sepio Security Suite can be deployed 100% on-premises without any external components, or over a public or private cloud infrastructure. For this specific installation, a hybrid on-premises and cloud deployment was chosen, bringing together the best of both worlds. The Docker container based SepioPrime uses read-only access to the existing network switches using the SSH CLI interface. Sepio Prime also uses Telnet for communicating with several older switches that do not support SSH. The AAA interface (Radius and TACACS+) is used for managing the CLI and PRIV access to the switches, and the northbound interface reports to the to the bank s SIEM and SOC systems whenever a rogue device is detected, identified, and located in the network. Syslog and SNMP traps are used for logging of status and detection events, and are later analyzed using Splunk. S E P I O S Y S T E M S - D E T E C T I N G I N V I S I B L E N E T W O R K D E V I C E S P A G E 5

MITIGATION S e p i o C l o u d Optional Cloud Based Analysis and Threat Engine O f f i c e E q u i p m e n t C o m p u t i n g & S e r v e r s * Optional S e p i o P r i m e On-premise or Cloud Centralized Management N e t w o r k I n f r a s t r u c u t r e About Sepio Systems Sepio Systems is a pioneer in securing organizations against attacks via rogue hardware devices. Strategic cyber weapon technology has been leaked. This technology is in the hands of criminal organizations that are using it against civilian commercial targets with no defenses against it. The Sepio security suite detects infected peripherals or altered and malicious device behavior, isolates the attack and triggers alerts stopping the rogue hardware before it can jeopardize normal operations. Founded by cyber security experts from private industry and government agencies, Sepio Systems is the first security solution on the market that identifies and blocks malicious hardware devices before they cause harm. Sepio Systems is headquartered in Maryland, with offices in New York and South Carolina. The Research and Development Center in based Tel-Aviv, Israel. V E R S I O N : 1. 0 1. 0 4 S E P I O S Y S T E M S - D E T E C T I N G I N V I S I B L E N E T W O R K D E V I C E S P A G E 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback