Norse WP LiveAttackIntelligence


  • 8/20/2019 Norse WP LiveAttackIntelligence

    1/12

    WP052715A

    Live Attack Intelligence

    The Crucial Technology for Cutting Losses on Financial Networks

    Edited by Jeff Harrell | May 2015

    WHITE PAPER


    Contents

    Executive Summary ........ 1
    Introduction ........ 2
    New Actors, New Motives, New Methods ........ 2
    The New Threat Actors ........ 2
    The New Motives ........ 2
    The New Technology Methods ........ 2
    The New Banking Trojans ........ 2
    The New DDoS “Feints” ........ 3
    Why Back-End Security Fails in Financial Institutions ........ 3
    Intelligence-Based Security ........ 4
    Threat Intelligence for the Perimeter Vector ........ 4
    Threat Intelligence for the Website Vector ........ 5
    Threat Intelligence for the User Authentication Vector ........ 5
    Threat Intelligence for the eCommerce Fraud Vector ........ 5
    Improving the Efficacy of Security Controls with Attack Intelligence ........ 5
    Norse Live Intelligence – The Missing Layer of Security ........ 5
    Putting Live Attack Intelligence to Work ........ 6
    Case Study 1: Top 5 Credit Card Company ........ 6
    Case Study 2: International Bank ........ 7
    Case Study 3: Options Exchange ........ 8
    Big Data Threats Require Big Data Intelligence ........ 9
    The Norse Advantage: Products and Services ........ 9
    The Norse Intelligence Network™ ........ 9
    Norse Appliance™ Overview ........ 9
    ThreatList™ Overview ........ 9
    Conclusion ........ 10
    About Norse ........ 10


    333 Hatch Drive, Foster City, CA 94404 | 650.513.2881 | norsecorp.com

    Executive Summary

    This white paper includes three case studies that demonstrate how attack intelligence from Norse dramatically improved the security ROI of a top five credit card company, an international bank, and a major options exchange.

    The electronic threat landscape for financial institutions has changed dramatically. Today’s threat actors have more advanced tools and techniques at their disposal to exploit banks, credit cards and international exchanges. The attackers are winning, and despite multi-billion-dollar investments in security software and hardware, costly penetrations are increasing – and increasingly public.

    What’s missing is real-time intelligence. Virtually all of a bank’s security hardware and software is acting on security information that is days, if not weeks or months, out of date. Yet this would be unthinkable in other departments of the modern financial institution. Think about this: what would happen to a currency trader in your organization if she traded on data from market feeds that were 24 hours old?

    The security “market” has become just the same. Attackers jump from IP address to IP address in seconds, launching attacks from different locations constantly. Even the nature of the attacks is subtly “masked”, making signature-recognition technologies of little help.

    Therefore, modern financial institutions must build their new defensive strategy around live attack intelligence. You need to know who’s being attacked, how, from where – and you need to know that second-by-second, not once a day. That intelligence must be actively channeled into the institution’s existing firewalls, SIEMs and intrusion prevention systems to provide a continuously updated shield that shifts and adapts as attackers move to new launch-sites and change tactics minute-to-minute.

    Only with live attack intelligence can financial institutions achieve:

    » Realtime Situation Awareness in the SOC

    » Truly Adaptive Perimeter Security

    » Multiple of ROI on Existing Security Investments

    » Dramatically Improved Breach Detection, Incident Detection, Forensics and Response


    Introduction

    While the financial sector remains at the forefront of cybersecurity, today’s increasingly complex and globally-coordinated attacks present a major challenge for even the most sophisticated financial IT security organizations.

    The Federal Financial Institutions Examination Council (FFIEC) recently found that the attack surface of financial institutions was actually dramatically increasing, despite billions of dollars of investment in security hardware and software to close those gaps.

    Security controls purchased just a few years ago offer little protection against today’s more advanced attacks, as CSOs are starting to feel more like doctors whose antibiotics increasingly fail against ever-evolving “superbacteria.” On top of that, new security talent is virtually impossible to recruit. As America’s Growth Capital banker Maria Lewis Kussmaul recently said at the SINET meeting in Washington, D.C., “the unemployment rate in cyber security is zero.”

    The situation seems hopeless. But recent advances in real-time threat intelligence show promise.

    When live intelligence on attacks (“live” defined as less than 60 seconds old) can be effectively integrated with more traditional SIEMs, Firewalls, DPS and IDS systems, organizations become much better at responding to and repelling attacks in progress. They can even block attacks before they hit the organizations’ networks.

    New Actors, New Motives, New Methods

    For all this increasing complexity, the three main elements that define a “threat” remain the same: the actor (or attacker), their motives, and their methods.

    The New Threat Actors:

    Until recently, defining cybercrime was relatively straightforward. Hackers were on one side and financial institutions and their customers were on the other. Recently though, hacktivist groups have emerged as serious threats, and state-sponsored attacks have become more frequent (or at least more visible). Sometimes the state actor is a “friendly” nation. These new actors are making appropriate responses more difficult to find.

    The New Motives:

    Historically, hacking was limited to hobbyists, vandals and miscreants. But the motivations behind attacks have shifted in a decidedly more serious direction in recent years, more often focusing on profit, destruction and theft.

    The New Methods:

    Hackers are increasingly leveraging trusted networks to launch attacks that bypass traditional security controls deployed by financial institutions. IP proxies and anonymizers such as the TOR network are being used to mask attackers’ identities and true locations. New mobile malware and new variants of stealthy Trojans have evolved, new man-in-the-browser schemes are being used, and new heist methodologies hidden under Distributed Denial of Service (DDoS) attacks are emerging, too.

    The New Banking Trojans:

    First identified in 2007, the Zeus banking Trojan infected computers in more than 200 countries. Zeus’ adaptability, enabling it to dodge antivirus software, led to the infection of more than 3 million users in the U.S. alone. Part of the reason for its success is that it was designed with one goal in mind - to steal banking credentials. Propagated through phishing emails and web links, the Zeus Trojan is now believed to be responsible for more than half of all online banking attacks in recent years. Zeus is already spawning a “next generation” of banking Trojans with even higher levels of sophistication [2].

    The New DDoS “Feints”

    Another new attack method is the launch of DDoS attacks to divert attention from (simultaneous) fraudulent Automated Clearing House wire transfers. In such a combined “cyberheist-DDoS” attack, fraudsters launch a DDoS attack against a company, and simultaneously take over and move money out of the target company’s accounts (using login credentials stolen with Zeus malware). The “noise” of the DDoS traffic makes it difficult for bank personnel to quickly identify the fraudulent transaction.

    Five Stages of An Attack

    Attackers typically breach and take over machines inside an organization via a phased approach:

    » Reconnaissance: The target is profiled and evaluated by browsing public information about the company and its network.

    » Probing: More invasive techniques are employed, using compromised sites on usually-trusted networks to mask reconnaissance activity that seeks out gullible humans, vulnerable services and potential targets.

    » Launch: The attack is often launched from behind a proxy or anonymizer. Once a user account is accessed, the attacker works to elevate their permissions or hop to other accounts to gain administrator access.

    » Pwning the Network: As admin, the attacker installs a set of backdoors and covers his tracks. This system can now be used as a stepping-stone for further exploration into this target’s networks, or used for the further recruitment of “bot armies”.

    » Game Over: With admin access, the attacker can access everything; even encrypted data on the network is pwnable because as admin he has access to password lists or at the very least can force password resets which he can “watch”.

    Why Back-End Security Fails in Financial Institutions

    The longer it takes to detect an attack, the higher the probability that an attack will succeed. Right now, most attacks are detected only after they have taken place. That’s because, like savvy accountants planning for the IRS, today’s hackers have a deep understanding of the types of activity that back-end security systems at a bank are going to scrutinize. They already know the technologies designed to prevent account compromise and account takeover, technologies like device fingerprinting and anomaly detection.

    Device fingerprinting can identify the client machine and location of a customer. If the customer is using a different computer and/or logging in from an unusual location, the financial institution can request additional authentication. But such systems can be easily flummoxed by hackers using virtualized servers, public cloud infrastructure, and anonymizing proxies to fake their locations and identities. Attackers set up and tear down attack servers within minutes, then move on, making it nearly impossible to trace an attack to its actual source.

    [2] Dark Reading, “New ZeuS Banking Trojan Targets 64-Bit Systems, Leverages Tor”, December 2013


    And since most digital anomaly detection systems are backwards-looking (forensic), that means they can’t sound the alarm until after a transaction actually posts to a customer’s account. By the time the bank sees the problem, the cash is already gone. Even so, these traditional security systems are notorious for high false-positive rates.

    Financial institutions can’t rely on back-end, backwards-looking security. Detecting, stopping and blocking modern attacks requires an intelligence-based approach that allows the financial institution to assess transaction risk in real-time.

    Intelligence-Based Security

    Financial institutions virtually always employ a layered security approach married with sophisticated behavioral pattern recognition systems that attempt to spot anomalies quickly. Financial professionals have been at the forefront, too, of recognizing the value of threat intelligence. But even the most sophisticated financial security operations centers have found it difficult to make raw threat intelligence data “actionable”, or to merge intelligence about outside attacks with their existing “defense in depth” security infrastructure in any really meaningful way.

    Until Norse.

    Superior attack intelligence from Norse can improve your catch-rate, reduce your workload and dramatically increase your ROI on your entire security infrastructure investment. That’s because with Norse, all of your security layers work better. Norse intelligence lets you leverage the security infrastructure you already have to provide better protection with faster response times and fewer false positives. With Norse, you can block inbound or outbound connections to risky IPs before they happen, lightening the loads on your existing SIEMs and Firewalls while reducing your exposure overall.

    Live attack intelligence – when integrated into your existing perimeter devices such as routers, firewalls, load-balancers, and UTM appliances – works on the four attack vectors employed by most hackers:

    Threat Intelligence for the Perimeter Vector

    » Identify incoming high-risk connections, and manage or block them

    » Block zero-day attacks (unknown exploits) at the perimeter, before they enter the enterprise

    » Assess the risk of every inbound or outbound connection before it is completed

    Threat Intelligence for the Website Vector

    » At the web server level, verify the IP address of website visitors and assess their risk to determine the risk/threat factor before granting access

    » Make granular, automated decisions about what to do with website visitors at various risk levels

    » Ask for additional authentication, present a captcha, or simply block outright before they enter the site and can launch an attack

    Threat Intelligence for the User Authentication Vector

    » Measure the risk of every user requesting a login page

    » Use live intelligence to add data points like geolocation and IP history to confidence computations


    » Make granular, automated decisions about what to do with users “at the gate” presenting at various risk levels

    » Ask for additional authentication, present a captcha, or simply block outright

    Threat Intelligence for the eCommerce Fraud Vector

    » Detect transactions originating or terminating at high-risk IP addresses, and drop them or block them.

    Improving the Efficacy of Security Controls with Attack Intelligence

    Today, most financial organizations leverage SIEM (Security Information and Event Management) solutions to prioritize security events. Even so, SIEMs are easily overwhelmed, and generate overwhelming logs that need human examination.

    Adding live attack intelligence to the mix can help organizations distill thousands of SIEM alerts down to those few that actually require immediate attention. They can identify and block malicious activity while it’s still OUTSIDE the network perimeter. SIEMs “fed” with live intelligence can be interfaced directly with existing security infrastructure (like firewalls) to make fast and automated changes to a company’s security posture based on changes in Internet “weather”. Such automated implementation of mitigating controls before the perimeter is compromised greatly reduces the effective attack surface of an organization.

    Norse Live Attack Intelligence – The Missing Layer of Security

    Norse is the market leader in live attack intelligence. Norse solutions leverage the Norse Intelligence Network – Norse’s globally distributed “distant early warning” system comprised of millions of sensors, crawlers, honey pots and agents – to block malicious URLs, botnets, anonymous proxies, bogus IP addresses and infected embedded devices, even those deep within the darknets.

    Norse offerings detect new classes of attacks that current systems miss, such as cloud-vectored virtualization-evading malware, compromised Internet of Things (IoT) devices and anonymous proxies. Norse plugs a critical gap in enterprise security infrastructures. Norse solutions are easy to set up and simple to use, with an advanced artificial intelligence engine that distills second-by-second updates on thousands of risk factors on hundreds of millions of IP addresses, domains, URLs and devices to deliver a single, actionable risk score with detailed context for any address of interest.

    Norse solutions protect financial organizations from new, fast-growing classes of “grey threats,” such as those from cloud vectors and compromised embedded devices, and stop enterprise data from being stolen via Tor and other anonymous proxies. Norse solutions can screen new-account requests by instantly back-checking requestor IPs for past risky behavior, or filter and correlate event data from existing security systems to zero in on truly important security events.

    With Norse, financial enterprises can automatically log activities, generate alerts or block IP addresses based on an up-to-the-minute risk score. Norse solutions can be deployed inline or out-of-band, and dramatically improve enterprise security return-on-investment by improving the catch-rate and effectiveness of existing next-generation firewalls, intrusion prevention systems and security information and event management (SIEM) products. Norse attack visualization consoles provide financial customers detailed, real-time views of threats traversing their network – and those around the world.

    Putting Live Attack Intelligence to Work 

    Case Study 1: Top 5 Credit Card Company 

    This large credit card services customer created their own Splunk app, similar to Splunk Enterprise Security, but more tailored to their organization. Their custom Splunk app automatically imports Norse ThreatList™ to correlate internal security events with external threats and prioritize security events. ThreatList™ provides further context when needed during incident response.

    Outcome:

    » Norse uncovered ongoing malicious connections from AWS systems controlled from Iran

    » Norse uncovered malicious employee/insider activity

    » Norse designed custom analytics

    » Norse reduced threat mitigation time

    » Norse context used to train junior cyber analysts at the CC company

     

    [Figure: Risk Context]


    Case Study 2: International Bank

    Business Challenge:

    This large international bank customer wanted to improve event prioritization and increase the efficiency of its incident response. They were overwhelmed by the speed and quantity of security events on their network, and that also impacted their ability to properly prioritize and investigate real incidents. After integrating Norse ThreatList™ into their SIEM and using Norse risk scores to prioritize security events, they were able to reduce SIEM alerts by 25% and significantly reduce incident response times.

    Outcome:

    » Reduction of overall SOC response times

    » Decreased investigation times

    » Reduction of SIEM alerts by 25%

    » Norse data formed core of daily state-of-the-bank calls

    » Norse intelligence integrated into critical path


    Case Study 3: International Options Exchange

    Within days or even hours, money mules (untraceable and anonymous participants in the fraud) withdraw cash from the accounts and send the funds overseas via Western Union or similar wire transfer services.

    This Norse customer is a U.S. equity derivatives market and the fastest options exchange in the world. The Exchange is a fully automated electronic options exchange for the trading of OCC-issued standardized options on equities and ETFs. The exchange provides a marketplace that caters to the needs of the trading community, and offers competitive pricing based on a low-cost operating structure, superior customer service, and outstanding technology.

    After testing several other solutions, the exchange determined that they did not provide sufficiently comprehensive threat data, and what they did have was quickly out of date. This options exchange chose Norse ThreatList™ to provide improved edge-security and faster incident response. The exchange also chose ThreatList™ to block all IPs scoring 99 or above at the network edge with their McAfee next generation Firewall in IPS mode. They are now blocking 250,000 risky connections weekly that previously had gotten through.

    The exchange’s IBM QRadar implementation automatically retrieves the Norse ThreatList™ regularly to correlate internal security events with external threats and prioritize security events. ThreatList™ provides further context when needed during incident response. Because Norse threat intelligence is both comprehensive and always up to date, the exchange is finally able to be proactive and get ahead of threats before they become real problems.

    Outcome:

     » Norse scored every connection request in real-time

     » Norse blocked >1M malicious connections/month that were previously getting through

     » Correlated risk scores >90 in SIEM

     » Firewall loads reduced by 20%, across the whole organization

     » Identified malware callbacks


    Big Data Threats Require Big Data Intelligence

    Norse is a Tier-1 Telecom Carrier that doesn’t offer telecom services. Our global network exists solely for the purpose of being attacked and delivering that information in seconds to you. A few Norse Global Intelligence Network Facts:

    » Norse has over eight million sensors deployed around the world

    » Norse operates in over 47 countries and more than 200 datacenters across the globe

    » Norse manages 16 routers on the tier-one Internet fiber backbone

    » Norse controls more than 16 million IP addresses

    » Norse has honeypots which emulate more than 6,000 applications and device types including POS systems, ATM networks and ACH systems

    » Norse manages six Border Gateway Protocol AS numbers of our own

    » Norse processes more than 150 terabytes daily against a 7 petabyte threat database

    » Norse weighs more than 1,500 risk factors for every actuarial risk score

    » Norse posts attack data to customers within 5 seconds of detection

    The Norse Advantage: Products and Services

     Norse Appliance™ - The Superior Attack Intelligence Appliance for the Darknet

    Norse Appliance is the first attack intelligence appliance that defends against the latest advanced threats emerging from darknets and the greater Internet. Deployed inline or out-of-band, the Norse Appliance dramatically improves the return on your existing security investments by improving your “catch rate” while simultaneously reducing traffic loads on your firewall and IPS systems.

    The Norse Appliance leverages Norse threat intelligence to detect and prevent malware, botnets, anonymous proxies, and bogus IPs and is available in 1Gbps and 10Gbps versions.

    Norse ThreatList™

    Norse ThreatList is the ultimate combination of threat intelligence portal, APIs, and blacklist. Norse delivers machine-readable threat intelligence via a RESTful API that integrates with your existing security controls, and makes everything smarter. Norse intelligence is live and updated second-by-second. You’re never out of date and you never have to rely on malware signatures that are useless minutes after they’re created.

    Norse computes over 1,500 distinct factors to determine a risk score for every IP and URL.


    Conclusion

    To be effective, live attack intelligence must be integrated into the key decision points within an organization’s infrastructure. This approach gives enterprise networks and financial institutions the ability to detect, respond to and prevent unauthorized access to networks, sensitive data, and customer account information.

    Norse provides superior live attack intelligence that will enhance and improve:

    » SOC situational awareness by letting them know exactly who’s talking to bad guys, and which bad guys are talking to them

    » Perimeter protection to end that bidirectional communication with bad guys – regardless of SSL

    » Security ROI investments in SIEMs, Next Generation Firewalls, IPS/IDS and related controls

    » Breach detection and response times while speeding up investigations by identifying bots communicating out of the network

    » Continuous monitoring efforts by identifying leading indicators of compromise (IOCs)

    » Policy and compliance stature

    » SOC performance improvements, allowing them to operate more efficiently with less load on critical security assets and with fewer logs to review

    ABOUT NORSE

    Norse is the global leader in live attack intelligence. Norse delivers continuously-updated and unique Internet and darknet intel that helps organizations detect and block attacks that other systems miss. The superior Norse DarkMatter™ platform detects new threats and tags nascent hazards long before they’re spotted by traditional “threat intelligence” tools. Norse’s globally distributed “distant early warning” grid of millions of sensors, honeypots, crawlers and agents delivers unique visibility into the Internet – especially the darknets, where bad actors operate. The Norse DarkMatter™ network processes hundreds of terabytes daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products tightly integrate with popular SIEM, IPS and next-generation Firewall products to dramatically improve the performance, catch-rate and security return-on-investment of your existing infrastructure.

    © 2015, Norse Corporation. All rights reserved.

    Silicon Valley
    333 Hatch Drive
    Foster City, CA 94404
    650.513.2881
    norsecorp.com

    WP052715A