As just reported, a sophisticated ring of hackers has stolen up to $1Bil from more than 100 banks in 30 countries. The Carbanak Ring operated for at least a year, lurking to detect line-of-business patterns and passwords and then orchestrating an array of fraudulent account transfers and carefully-timed ATM cash dispensations via banks around the world.

Free eBook: Modern Retail Security Risk – Get your copy now.

Amichai Shulman, CTO Imperva, Mark Bower, VP Product Management, Voltage Security, Alan Cohen, CCO, Illumio and Branden Spikes, CEO and Founder of Spikes Security (formerly the tech lead for Elon Musk at Zip2, PayPal, Tesla, and SpaceX)  share their thoughts on how this attack worked and what the banks should do now:

 Amichai Shulman, CTO Imperva

 Whatever technologies these banks were using to protect themselves failed. It’s time to look for new technologies. Such an operation resulted in countless acts of internal credential theft and explorations within the bank network. Clearly setting up traps within end stations would have triggered multiple alerts over time. Organizations must deploy this new technology. The operation involved multiple that are “unnatural” or “rare” in normal operations such as “tricking” the balance of accounts. Clearly it is impossible to scrutinize each and every such operation. Thus a technology that looks at the aggregate effect of such operation over time is something required in today’s landscape.

Mark Bower, VP Product Management, Voltage Security

Cybercriminals have got the infection-to-cash cycle down to a fine art, proving crime does pay when the victim’s perimeter can be bypassed and systems manipulated at will. Today, there are few defenses against this level of attack sophistication – but new methods have emerged to fight back, especially data-centric security which works by making stolen data completely useless to the criminal who steal it. If the data driving transactions, ledgers, and balances is encrypted at the data field level with modern Format-Preserving Encryption methods, as opposed to the storage level encryption which does not mitigate these threats, the data can be securely armored so that data tampering without invoking multiple alarms or errors when it is manipulated is practically impossible. This technique is already in place in leading banks, payment processors and Healthcare networks today as a primary defense against advanced threats and the data breach risks they entail.

 Alan Cohen, CCO, Illumio

This seems to be a take over of authorized computers (clients).  As long as they operated within “policy” it is very hard to detect. Enterprises need to increasingly lock down the communications and patterns of their server, lower the attack surface available through open ports and communicatons channels, and reduce the lateral spread of attacks. Modern security teams know hackers will get in. So, they watch them.  When you reduce the real estate that the hackers have the ability to move in, it also reduces the overhead on the security teams who are watching them so they have a higher probability of catching issues just by virtue of having less attack space to monitor. It’s like having a choice to fight a battle with your enemy on an open field where they could outflank you, or pushing them into a narrow canyon where you have the high ground. The probability of winning the battle increases.

Branden Spikes, CEO and Founder of Spikes Security

This is a prime example of risks enterprises take when they allow employees to browse the web, particularly from administrative workstations with access to valuable assets.  With attacks like these easily evading detection, this attack serves as a stark reminder that it’s unwise to shift the focus from prevention onto reactive things like information sharing (as recently bolstered with Obama’s executive order), detection, or faster response.   Policymakers and cyber security chiefs need to put more emphasis on prevention.  Investments in prevention technologies like browser isolation, and blocking the malignant and pervasive browsers from directly reaching websites from sensitive parts of the network will go a long way to stop these attacks in the future.