
Mind of the Attacker
JUNE 25, 2019

Abhijeet Karle
Sr. Information Security Officer
Information Technology Department
International Monetary Fund

INTERNATIONAL MONETARY FUND 1


November 2018: Marriott Data Breach

• Personal and financial information of up to approximately 500 million guests of its Starwood properties compromised (Marriott later revised the figure down to about 383 million).

• Intruders had been inside the company's networks since 2014.

• Intruders encrypted information from the hacked database before exfiltration.

• Financial cost - estimated at $450 million and rising.


There were others...

• May 2018: Banco de Chile, wiper malware crashed about 9,000 workstations and 500 servers as a diversion during a SWIFT heist attempt

• April 2018: SunTrust Bank (US), a former employee is believed to have taken records of about 1.5M customers to pass to a criminal third party

• July 2018: PIR Bank (Russia), about $1M lost after attackers entered through a compromised, outdated router

• August 2018: Cosmos Bank (India), about $13.5M lost through compromise of its ATM switch infrastructure (ATMs reportedly still running Windows XP)

• October 2017: Far Eastern International Bank (Taiwan), about $0.5M of roughly $60M in fraudulent SWIFT transfers never recovered

• December 2017: Globex (Russia), about $0.1M lost

• December 2016: Akbank (Turkey), about $4M lost


Data Breaches by Numbers

[Chart; source: Varonis]


Where do Cyber attacks come from?

[Chart; source: Varonis]


Who is affected by Cyber breaches?

[Chart; source: Varonis]


What is the cost?

[Chart; source: Varonis]



“If you know the enemy and know yourself, you need not fear the result of a
hundred battles. If you know yourself but not the enemy, for every victory
gained you will also suffer a defeat. If you know neither the enemy nor yourself,
you will succumb in every battle.”

― Sun Tzu, The Art of War



Contents of this presentation

• Threat actors and their motives

• Attacker Mindset

• What can we do as financial institutions?


Threat actors and their motives

Nation States
  Actions: Monitor other nations' economies for espionage; conduct cyber-attacks in rare cases.
  Real/Possible Impact: Loss of trust once breach is discovered; disruption to the financial sector.
  Motive: Espionage – common; Destruction – very rare

Advanced Persistent Threats (APT)
  Actions: Steal information for espionage; possibly conduct destructive attacks.
  Real/Possible Impact: Loss of trust once breach is discovered; disruption to the financial sector.
  Motive: Making money – common; Espionage – common; Destruction – very rare

Cyber Crime
  Actions: Steal money from financial sector entities; at times stealing large sums.
  Real/Possible Impact: Affects organizations' profits; loss of trust if the breach is publicized but the organization was silent.
  Motive: Making money – common; Theft – very common

Hacktivist
  Actions: Disrupt financial sector operations; attack the brand of individual institutions; release data on individuals/institutions.
  Real/Possible Impact: Damaged reputation; loss of trust.
  Motive: Disclosure

Insider
  Actions: Steal money; get revenge through destruction or data release.
  Real/Possible Impact: Affects organization's profits; damaged reputation.
  Motive: Revenge


Categorizing Threat Actors based on traits

[Radar charts rating each threat-actor category on four traits: Persistence, Skill, Greed, Stealth]

Source – SANS, Psychology and the Hacker – Psychological Incident Handling
Financial Sector – Targeted Assets

• Central Banks
  ► Money, PII, Information, Brand, Services, Trading Algorithms

• Insurers
  ► Information, Brand, PII

• Asset Managers (Hedge Fund, Private Equity Fund, etc.)
  ► Algorithms, Trading Information, Fund Assets

• Credit Rating Agencies
  ► Information on Banks, Brand, Operations

• Payment Processors
  ► Money, Services, Information, Brand

• Trading and Clearing Platforms
  ► Operations, Brand, Money, Information

• Financial Regulatory Agencies
  ► Money, PII, Brand, Information, Services


The Cyber Kill Chain

The Cyber Kill Chain framework was originally published by Lockheed Martin as part of its Intelligence Driven Defense model for the identification and prevention of cyber intrusion activity.

The model lays out the steps an adversary must complete to achieve the objective: get into the network, maintain persistence in the organization and exfiltrate data. Its seven stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives) correspond to the next seven slides; breaking any one stage breaks the chain.

Source – Lockheed Martin


Identify the Target

The adversaries are in the planning phase of their operation. They conduct research to understand which targets will enable them to meet their objectives.

• Harvest email addresses

• Identify employees on social media networks

• Collect press releases, contract awards, conference attendee lists

• Discover internet-facing servers


Prepare the Operation

The adversaries are in the preparation and staging phase of their operation. They may create a weapon (e.g. malware) which will be delivered to the victim.

• Ransomware

• Spyware

• Adware

• Malicious websites


Launch the Operation

The adversaries convey the malware to the target. They have launched their operation.

• Adversary controlled delivery:
  • Direct against web servers

• Adversary released delivery:
  • Malicious email
  • Malware on USB stick
  • Social media interactions
  • "Watering hole" compromised websites


Gain Access to Victim

The adversaries must exploit a vulnerability to gain access.

• Software, hardware, or human vulnerability

• Adversary triggered exploits for server-based vulnerabilities

• Victim triggered exploits:
  • Opening attachment of malicious email
  • Clicking malicious link


Establish foothold at the victim

Typically, the adversaries install a persistent backdoor or implant in the victim environment to maintain access for an extended period of time.

• Install webshell on web server

• Install backdoor/implant on client victim

• Create point of persistence by adding services, AutoRun keys, etc.

• Some adversaries "time stomp" the file, rewriting its timestamps so the malware appears to be part of the standard operating system install
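The two foothold techniques named on this slide leave artifacts a defender can hunt for: a new autorun or service entry whose binary sits somewhere a vendor installer would not put it, and a file whose $STANDARD_INFORMATION timestamps disagree with its $FILE_NAME timestamps. The script below is an added example written for this page, not material from the presentation or from Lockheed Martin; every record in it is constructed (the registry events copy the shape of Sysmon Event ID 13, the file records imitate an MFT export), and the path markers and thresholds are assumptions to tune per environment.

```python
"""Hunt for the foothold indicators this slide lists: autorun/service
persistence and time-stomped files.

Added example, not part of the original presentation. All records are
CONSTRUCTED: the registry events imitate the shape of Sysmon Event ID 13
(RegistryEvent, value set); the file records imitate an MFT export with
$STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) creation times.
"""
from datetime import datetime

# Constructed registry "value set" events (hypothetical data, Sysmon-13-like).
REGISTRY_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\System\CurrentControlSet\Services\WinDefendSvc\ImagePath",
     "value": r"C:\ProgramData\wd\wd.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Registry paths that start a program at boot or logon (lower-case for matching).
AUTORUN_MARKERS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
    "\\system\\currentcontrolset\\services\\",
)
# Locations a vendor installer rarely uses for a service or autorun binary (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def flag_persistence(events):
    """Return the keys of autorun/service entries whose binary lives in a
    user-writable location or masquerades as svchost.exe outside System32."""
    hits = []
    for ev in events:
        key = ev["key"].lower()
        value = ev["value"].lower()
        if not any(m in key for m in AUTORUN_MARKERS):
            continue
        user_writable = any(m in value for m in USER_WRITABLE_MARKERS)
        masquerade = "svchost.exe" in value and "\\windows\\system32\\" not in value
        if user_writable or masquerade:
            hits.append(ev["key"])
    return hits


# Constructed MFT-style records. $SI timestamps can be rewritten through the
# documented SetFileTime API; $FN timestamps cannot, so an $SI creation time
# earlier than the $FN creation time, or one with an exactly-zero 100 ns
# fraction (many stomping tools only set whole seconds), is a hunting lead.
FILE_RECORDS = [
    {"path": r"C:\Windows\System32\kernel32.dll",
     "si_created": "2019-03-19T04:49:11.1234567",
     "fn_created": "2019-03-19T04:49:11.1234567"},
    {"path": r"C:\Windows\System32\msupdate.dll",
     "si_created": "2009-07-14T01:14:32.0000000",
     "fn_created": "2019-06-02T22:17:45.8811234"},
    {"path": r"C:\Users\alice\Documents\report.docx",
     "si_created": "2019-06-01T09:00:00.5000000",
     "fn_created": "2019-06-01T09:00:00.5000000"},
]


def parse_ts(stamp):
    """Split 'YYYY-MM-DDTHH:MM:SS.fffffff' into (datetime to the second, 100 ns fraction)."""
    whole, frac = stamp.split(".")
    return datetime.fromisoformat(whole), int(frac)


def flag_timestomp(records):
    """Return paths whose $SI creation predates $FN creation or has a zero fraction."""
    hits = []
    for rec in records:
        si, si_frac = parse_ts(rec["si_created"])
        fn, _ = parse_ts(rec["fn_created"])
        if si < fn or si_frac == 0:
            hits.append(rec["path"])
    return hits


if __name__ == "__main__":
    for key in flag_persistence(REGISTRY_EVENTS):
        print("persistence:", key)
    for path in flag_timestomp(FILE_RECORDS):
        print("possible time stomp:", path)
```

Both checks produce leads, not verdicts. Legitimate software (OneDrive, Teams, many updaters) does run from AppData, so the location rule needs an allow-list built from a clean baseline; a file moved within the same volume legitimately shows an $SI creation time older than its $FN entry; and a stomping tool that copies the full 100 ns timestamps from a genuine system file defeats the zero-fraction heuristic, which is why the $SI/$FN comparison is kept alongside it.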


Remotely Control the Operations

The installed malware opens a command channel that lets the adversary remotely manipulate the victim.

• Opens a two-way communications channel to C2 infrastructure

• Most common C2 channels are over web, DNS, and email protocols

• C2 infrastructure may be adversary owned or another victim's network
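Of the three common C2 carriers the slide names, DNS is the one most institutions never inspect, although it leaves a very recognisable trace: a single domain receiving a stream of long, high-entropy, never-repeated subdomains on a fixed interval. The profiler below is an added example for this page, not code from the presentation. Its log lines are constructed in a simplified four-field format, the three-of-five scoring and each threshold are assumptions to tune on real traffic, and the two-label "registered domain" shortcut is a stand-in for a Public Suffix List lookup.

```python
"""Profile resolver logs for DNS-based command and control.

Added example, not part of the original presentation. The log below is
CONSTRUCTED in a simplified '<timestamp> <client> <qtype> <qname>' form;
real BIND query logs, Windows DNS debug logs or Zeek dns.log use other
field orders, so parse_line() is the only part that would change.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

RAW_LOG = """\
2019-06-25T09:00:01 10.1.4.22 A www.imf.org
2019-06-25T09:00:02 10.1.4.22 A cdn.office.net
2019-06-25T09:00:03 10.1.4.57 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.upd.example.net
2019-06-25T09:00:31 10.1.4.57 TXT 0f9e8d7c6b5a49382716a5b4c3d2e1f0.upd.example.net
2019-06-25T09:01:05 10.1.4.57 TXT 7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3.upd.example.net
2019-06-25T09:01:33 10.1.4.57 TXT c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8.upd.example.net
2019-06-25T09:01:40 10.1.4.22 A mail.google.com
2019-06-25T09:02:02 10.1.4.57 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.upd.example.net
2019-06-25T09:02:10 10.1.4.90 A login.microsoftonline.com
"""


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")}


def shannon_entropy(text):
    """Bits per character; random hex tops out at 4.0, English words sit near 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain. Production code
    # should consult the Public Suffix List so names like example.co.uk group correctly.
    return ".".join(qname.split(".")[-2:])


def profile_domains(raw_log, min_queries=4):
    """Return {domain: [reasons]} for domains showing at least three C2 traits."""
    groups = defaultdict(list)
    for line in raw_log.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[registered_domain(rec["qname"])].append(rec)

    findings = {}
    for domain, recs in groups.items():
        if len(recs) < min_queries:
            continue
        # Leftmost label of each query: where tunnelling tools put encoded data.
        labels = [r["qname"].split(".")[0] for r in recs]
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        mean_length = sum(len(l) for l in labels) / len(labels)
        bulky_types = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        unique_ratio = len(set(r["qname"] for r in recs)) / len(recs)
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        # Coefficient of variation of the inter-query gap: near 0 means a fixed beacon.
        cv = (sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)) ** 0.5 / mean_gap if mean_gap else 0.0

        reasons = []
        if mean_entropy > 3.5:
            reasons.append("high-entropy labels")
        if mean_length > 20:
            reasons.append("long labels")
        if bulky_types > 0.5:
            reasons.append("TXT/NULL heavy")
        if unique_ratio > 0.9:
            reasons.append("unique name per query")
        if cv < 0.2:
            reasons.append("regular beacon interval")
        if len(reasons) >= 3:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in profile_domains(RAW_LOG).items():
        print(domain, "->", ", ".join(reasons))
```

Scoring on several weak signals rather than one strong one is deliberate: CDNs and anti-virus reputation services also generate long, unique, hash-like subdomains, but they do not beacon on a fixed interval or lean on TXT records, and an implant that adds jitter to its sleep time still trips the entropy, length and uniqueness tests.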


Achieve Mission's Goal

With hands-on keyboard access, adversaries accomplish the mission's goal. What happens next depends on who is on the keyboard.

• Collect user credentials / Privilege escalation

• Internal reconnaissance

• Lateral movement through environment

• Collect and exfiltrate data

• Destroy systems / Overwrite or corrupt data / Surreptitiously modify data
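Internal reconnaissance and lateral movement are the stages where an intruder is noisiest, because every hop is a new logon recorded by the host being touched. Two patterns stand out in successful-logon events: one account reaching many hosts over network logons within minutes (credential reuse after a dump), and RDP sessions hopping from workstation to workstation. The detector below is an added example for this page, not code from the presentation; the events are constructed in the shape of Windows Security Event ID 4624 reduced to five fields, and the ten-minute window, five-host threshold and "WS-" workstation naming prefix are assumptions.

```python
"""Spot lateral movement in successful-logon events.

Added example, not part of the original presentation. Events are
CONSTRUCTED to resemble Windows Security Event ID 4624 reduced to the
fields used here: time, account, source workstation, target host and
LogonType (3 = network share/WMI/PsExec style, 10 = RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGONS = [
    # (time, account, source host, target host, logon type)
    ("2019-06-25T10:00:00", r"CORP\alice", "WS-ALICE", "FS01", 3),
    ("2019-06-25T10:20:00", r"CORP\alice", "WS-ALICE", "PRINT01", 3),
    ("2019-06-25T10:45:00", r"CORP\svc_backup", "BACKUP01", "FS01", 3),
    ("2019-06-25T10:46:00", r"CORP\svc_backup", "BACKUP01", "FS02", 3),
    ("2019-06-25T11:02:00", r"CORP\alice", "WS-ALICE", "FS01", 3),
    ("2019-06-25T11:02:05", r"CORP\alice", "WS-ALICE", "FS02", 3),
    ("2019-06-25T11:02:10", r"CORP\alice", "WS-ALICE", "DB01", 3),
    ("2019-06-25T11:02:15", r"CORP\alice", "WS-ALICE", "PAY-GW01", 3),
    ("2019-06-25T11:02:20", r"CORP\alice", "WS-ALICE", "DC01", 3),
    ("2019-06-25T11:30:00", r"CORP\bob", "WS-BOB", "WS-ALICE", 10),
    ("2019-06-25T11:31:00", r"CORP\bob", "WS-ALICE", "WS-CAROL", 10),
]


def detect_fan_out(logons, min_targets=5, window=timedelta(minutes=10)):
    """Return {account: sorted targets} for accounts that reach min_targets
    distinct hosts over network logons inside one sliding window."""
    by_account = defaultdict(list)
    for ts, account, _src, dst, ltype in logons:
        if ltype == 3:
            by_account[account].append((datetime.fromisoformat(ts), dst))
    findings = {}
    for account, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            targets = {dst for t, dst in items[i:] if t - start <= window}
            if len(targets) >= min_targets:
                findings[account] = sorted(targets)
                break
    return findings


def detect_rdp_hops(logons, workstation_prefix="WS-"):
    """Flag RDP between two workstations (assumed naming prefix), and mark a
    'hop chain' when the session's source was itself an earlier RDP target
    of the same account: the pattern of an attacker pivoting host to host."""
    reached = defaultdict(set)
    findings = []
    for _ts, account, src, dst, ltype in sorted(logons):
        if ltype != 10:
            continue
        if src.startswith(workstation_prefix) and dst.startswith(workstation_prefix):
            kind = "hop chain" if src in reached[account] else "workstation-to-workstation"
            findings.append((account, src, dst, kind))
        reached[account].add(dst)
    return findings


if __name__ == "__main__":
    for account, targets in detect_fan_out(LOGONS).items():
        print(f"fan-out: {account} -> {', '.join(targets)}")
    for account, src, dst, kind in detect_rdp_hops(LOGONS):
        print(f"rdp {kind}: {account} {src} -> {dst}")
```

The fan-out rule is written per account rather than per source host on purpose: once credentials are harvested the attacker keeps moving under the same identity even as the originating machine changes. Service accounts such as backup agents legitimately touch many servers, so in practice the threshold is set per account class from a baseline, and any fan-out that includes a payment gateway or domain controller is escalated regardless of count.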


Mind of the Attacker

Curiosity

Stealth

Persistence

Hiding their tracks

Installing Backdoors

Anonymity

Assuming your identity

False Flags
Source – Risk Factory



Questions we have to ask ourselves

• Is our cybersecurity program appropriate for the size and complexity of the organization?

• Does the cybersecurity program align with the overall business strategy?

• What is our overall cybersecurity risk policy, including risk appetite and tolerance?

• How do we know if the overall cybersecurity program is working effectively?

• Do we have a crisis management and communication plan in case of a breach?


Strategy for Risk Reduction

• Information Security is not a problem that can "be fixed", but a persistent issue requiring a series of dynamic trade-off decisions

• Information Security is not an IT-only issue, but an enterprise-wide issue requiring a risk management approach

• Security response should not be based solely on adherence to standards and compliance, but should also focus on protecting the most critical information assets from the most likely adversaries

• Focus cannot be solely technology-driven, but must be augmented by changes in user behavior driven by an enterprise-wide cyber security culture


Change in focus to address Cyber Threats

From … → To …

▪ Just protect the perimeter → Protect critical information throughout the lifecycle

▪ Risk avoidance approach → Risk management approach

▪ Reactive information security against emerging threats → Proactive defense against emerging threats

▪ Information Security is IT's responsibility → Information Security is a shared responsibility

▪ Information Security is the bottleneck → Information Security is a business enabler

▪ One time strategy → Continuously adapting to business need


NIST Cybersecurity Framework - Reference

[Figure: the NIST Cybersecurity Framework core functions: Identify, Protect, Detect, Respond, Recover]

Source: NIST


Roadmap?

• Integrate cyber risk into overall risk management program
• Become brilliant at the basics (Cyber Hygiene)
• Identify and protect "Crown Jewels" throughout the lifecycle
• Independent assurance to test your effectiveness
• Leverage the wider community - collaborate
• Train your staff and customers
• Control and monitor your third-party providers
• Never become complacent


Thank You
