Misspelled word thwarts cyber-heist but not before $81 million is siphoned from Bangladesh Central Bank
This past February, hackers were able to steal $81 million from the systems of the Bangladesh Central Bank. Funds were moved from its account at the Federal Reserve Bank of New York to private accounts in the Philippines via wire transfers using the SWIFT payment network. Although this registered as one of the largest cyber heists in history, the damage could have been upwards of $1 billion if not for the attacker’s misspelled word in one of the fraudulent requests. The mistake tipped off an employee at Deutsche Bank and ultimately saved millions of dollars.
This type of tell-tale sign is all too common and is a trait that our analysts typically see when tracking adversaries like this. We are often able to recognize an adversary by something as simple as the same word being misspelled the same way, time and time again. Correlating this type of mistake back to a particular adversary is a key component of campaign profiling.
High profile figures, such as the Governor of Bangladesh Central Bank, were unaware of the attack until after news of the incident was released to the media. Being caught off guard, the Bank's Governor resigned and a shadow of doubt has been cast on the reliability of the security systems that make these types of electronic transfers possible.
This incident, along with many other high profile attacks this year, highlights the ever-growing threat of advanced attacks against private and public financial institutions, governments and global enterprises by adversaries who are adapting to our advanced defenses. These sophisticated attacks are masking themselves within the noise of real transactions and look genuine.
There are three things we can learn from high profile attacks like this.
1. Breaches are inevitable, but you can be prepared
Just because an intruder smashed a window doesn't mean they were able to get in and steal your valuables. Breaches are going to occur but by putting layered defenses at each step of the Cyber Kill Chain® you can prevent an adversary from achieving their objectives.
For instance, your analysts may detect that an adversary has successfully installed malware on an endpoint in your enterprise and that it has begun beaconing out to a command and control server the adversary owns. By putting a mitigation in place to block the C2 channel and also preventing the installation of this type of malware, you have blocked this particular attack at both the Installation and Command and Control phases of the Cyber Kill Chain. If you do further analysis and understand the delivery mechanism, you can prevent the breach earlier in the lifecycle. That way, if this adversary changes just one component of the attack, you are still prepared at the other phases, making it much harder for the adversary to repeat this compromise.
What steps can you take? Build a score card of your organizational defenses aligned to the seven steps of the Cyber Kill Chain to understand where your gaps are, and take a measured approach to filling in the holes in your defenses. To give a feel for a simplified version of the output from this type of exercise, below is a conceptual matrix. Note that this kind of matrix should be accompanied by a more thorough explanation of the capabilities and how they apply. In this example, we specify whether the capability provides “Detection” or “Protection” at each step of the Cyber Kill Chain.
2. Being unprepared will cost you more than just your reputation
As we learned from incidents like this one, a successful attack has implications that ripple across an organization. Unprepared enterprise defenders who lack visibility into their own networks can lose their jobs, cause customers to lose confidence in the company and ruin brand reputation on top of the damage the adversary itself has directly caused.
What steps can you take? By implementing a proactive defense strategy with a robust set of security operations practices that profile the motives of your adversaries, you can avoid being the next cyber-attack headline. Here are a few high-level projects that you should consider:
- Define your organization’s mission and clearly communicate it to your peers
- Get executive support and buy-in at the highest levels
- Strategically plan your enterprise network and endpoint visibility strategy
- Tune up your broad-based security technologies (email, network and perimeter security)
- Define your analysis and incident response processes
- Focus on implementing an intelligence management solution
- Establish metrics for measuring success
3. Your defensive posture is a moving goal post
Adversaries of all types, be they nation-state sponsored advanced persistent threats, rogue insiders or cyber criminals, are becoming more advanced every day.
As we’ve learned from the Bangladesh bank heist, sophisticated adversaries are utilizing new techniques that are becoming harder to detect unless we put layered defenses and enterprise visibility in place that allow us to respond quickly to these types of incidents.
Staying tuned into the latest vendor advances in technology is not enough to keep the adversaries at bay. As defenders we must continue to evolve our security posture, adapt to the new threats we face and pivot our resources based on the motives of the bad actors who target our enterprises.
What steps can you take? Become an advocate for an agile security posture that is willing to make the appropriate investments and drive organizational changes just as our adversaries change their techniques, tactics and procedures.
Here are some tactical next steps you can consider:
- Strive for incident prevention, plan for incident response – breaches will occur, start taking the mindset of an adversary and prepare your team to respond
- Assess your current environment and understand your gaps – knowing where you lack defensive depth will help you prioritize your investments
- Start profiling your adversaries – adversaries leave evidence behind, use it against them and start building campaigns to track them
Never take your security posture for granted. Breaches are inevitable and everything important is on the line. Contact an expert today to discuss ways to leverage your cybersecurity program to outpace your adversaries.
Cyber Kill Chain is a registered trademark of Lockheed Martin.