WHITE PAPER
WP052715A
Contents
Executive Summary
Introduction
Intelligence-Based Security
ThreatList Overview
Conclusion
About Norse
Executive Summary
This white paper includes three case studies that demonstrate how attack intelligence from
Norse dramatically improved the security ROI of a top five credit card company, an international
bank, and a major options exchange.
The electronic threat landscape for financial institutions has changed dramatically. Today's
threat actors have more advanced tools and techniques at their disposal to exploit banks,
credit card companies and international exchanges. The attackers are winning: despite multi-billion-dollar
investments in security software and hardware, costly penetrations are increasing, and increasingly public.
What's missing is real-time intelligence. Virtually all of a bank's security hardware and software
acts on security information that is days, if not weeks or months, out of date. Yet this would be
unthinkable in other departments of a modern financial institution. Consider: what would
happen to a currency trader in your organization if she traded on market-feed data that was
24 hours old?
The security market is now in the same position. Attackers jump from IP address to IP address in
seconds, launching attacks from different locations constantly. Even the nature of the attacks is
subtly masked, making signature-recognition technologies of little help.
Therefore, modern financial institutions must build their defensive strategy around live attack
intelligence. You need to know who is being attacked, how and from where, and you need to know
it second by second, not once a day. That intelligence must be actively channeled into the
institution's existing firewalls, SIEMs and intrusion prevention systems to provide a continuously
updated shield that shifts and adapts as attackers move to new launch sites and change tactics
minute to minute.
Only with live attack intelligence can financial institutions achieve:
Real-time situational awareness in the SOC
Truly adaptive perimeter security
A multiple of the ROI on existing security investments
Dramatically improved breach detection, incident detection, forensics and response
Introduction
While the financial sector remains at the forefront of cybersecurity, today's increasingly complex
and globally coordinated attacks present a major challenge for even the most sophisticated
financial IT security organizations.
The Federal Financial Institutions Examination Council (FFIEC) recently found that the attack
surface of financial institutions was actually increasing dramatically, despite billions of dollars
invested in security hardware and software to close those gaps.
Security controls purchased just a few years ago offer little protection against today's more
advanced attacks, and CSOs are starting to feel like doctors whose antibiotics increasingly
fail against ever-evolving superbugs. On top of that, new security talent is virtually
impossible to recruit. As America's Growth Capital banker Maria Lewis Kussmaul recently said at
the SINET meeting in Washington, D.C., "the unemployment rate in cyber security is zero."
The situation seems hopeless, but recent advances in real-time threat intelligence show promise.
When live intelligence on attacks ("live" meaning less than 60 seconds old) is effectively
integrated with traditional SIEMs, firewalls, IPS and IDS systems, organizations become
much better at responding to and repelling attacks in progress. They can even block attacks
before they reach the organization's networks.
3 million users in the U.S. alone. Part of the reason for its success is that it was designed with
one goal in mind: to steal banking credentials. Propagated through phishing emails and web
links, the Zeus Trojan is now believed to be responsible for more than half of all online banking
attacks in recent years. Zeus is already spawning a next generation of banking Trojans with
even higher levels of sophistication [2].
The New DDoS Feints
Another new attack method is launching a DDoS attack to divert attention from simultaneous
fraudulent Automated Clearing House (ACH) wire transfers. In such a combined cyberheist-DDoS
attack, fraudsters launch a DDoS attack against a company and simultaneously take over and
move money out of the target company's accounts, using login credentials stolen with Zeus
malware. The noise of the DDoS traffic makes it difficult for bank personnel to quickly identify
the fraudulent transaction.
Sidebar: the four attack stages
Probing:
Launch: More invasive techniques are employed, using compromised sites on usually-trusted
networks to mask reconnaissance activity that seeks out gullible humans, vulnerable services
and potential targets.
Pwning the Network: As admin, the attacker installs a set of backdoors and covers his tracks.
This system can now be used as a stepping-stone for further exploration into the target's
networks, or for the further recruitment of bot armies.
Game Over: With admin access, the attacker can access everything; even encrypted data on the
network is pwnable, because as admin he has access to password lists or, at the very least,
can force password resets which he can watch.
[2] Dark Reading, "New ZeuS Banking Trojan Targets 64-Bit Systems, Leverages Tor", December 2013.
And since most digital anomaly detection systems are backwards-looking (forensic), they
can't sound the alarm until after a transaction actually posts to a customer's account. By
the time the bank sees the problem, the cash is already gone. On top of that, these traditional
security systems are notorious for high false-positive rates.
Financial institutions can't rely on back-end, backwards-looking security. Detecting, stopping
and blocking modern attacks requires an intelligence-based approach that allows the financial
institution to assess transaction risk in real time, at the moment the transaction is initiated.
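The DDoS-feint pattern above, and the point that a transfer must be assessed when it is initiated rather than after it posts, can be turned into a simple pre-posting check. The following is an added example written for this page; it is not Norse code and not a description of any Norse product. Everything in it is assumed for illustration: the key=value log format, the constructed log lines, the `ip_risk` field (taken to be a 0-100 score looked up from a live feed at login time), and the thresholds `RISKY_IP` and `LARGE_AMOUNT`. The logic replays DDoS start/stop events from the perimeter alongside ACH transfer initiations from the online-banking tier, and holds a transfer for review when it is initiated from a high-risk address, or when it goes to a new payee or is large while a DDoS against the bank is in progress.

```python
"""Pre-posting check for the DDoS-feint pattern (added example, not Norse code)."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

RISKY_IP = 70            # assumed: hold any transfer initiated from an IP scored this high
LARGE_AMOUNT = 10_000.0  # assumed: amount that warrants a hold during a DDoS window

# Constructed log lines (not real traffic). Format assumed: "<ts> key=value ...".
SAMPLE_LOG = """\
2015-05-27T13:58:02Z event=ach_transfer account=AC-1001 amount=2500.00 payee=known src_ip=192.0.2.10 ip_risk=5
2015-05-27T14:00:00Z event=ddos_start target=www.example-bank.test
2015-05-27T14:01:40Z event=ach_transfer account=AC-2002 amount=48000.00 payee=new src_ip=198.51.100.23 ip_risk=88
2015-05-27T14:02:15Z event=ach_transfer account=AC-3003 amount=900.00 payee=known src_ip=192.0.2.11 ip_risk=12
2015-05-27T14:03:30Z event=ach_transfer account=AC-4004 amount=15000.00 payee=new src_ip=203.0.113.9 ip_risk=40
2015-05-27T14:20:00Z event=ddos_end target=www.example-bank.test
2015-05-27T14:25:00Z event=ach_transfer account=AC-2002 amount=48000.00 payee=new src_ip=198.51.100.23 ip_risk=88
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<ts> key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def to_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_transfer(ev: Dict[str, str], ddos_active: bool) -> Tuple[str, List[str]]:
    """Decide at initiation time: 'hold' for manual review or 'release' to let it post."""
    reasons: List[str] = []
    ip_risk = int(ev.get("ip_risk", "0"))
    amount = float(ev["amount"])
    new_payee = ev.get("payee") == "new"
    if ip_risk >= RISKY_IP:
        reasons.append(f"source IP risk score {ip_risk} >= {RISKY_IP}")
    # The feint: the DDoS is cover for the transfer, so the window itself is a signal,
    # but only for transfers that look like cash-out (new payee or large amount).
    if ddos_active and (new_payee or amount >= LARGE_AMOUNT):
        reasons.append("initiated while a DDoS against the bank was in progress")
    return ("hold" if reasons else "release"), reasons


def run_checks(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Replay events in time order, track DDoS state, and score each transfer."""
    ddos_active = False
    results: List[Tuple[str, str, str, List[str]]] = []
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: to_utc(e["ts"]))  # perimeter and banking logs may arrive out of order
    for ev in events:
        kind = ev.get("event")
        if kind == "ddos_start":
            ddos_active = True
        elif kind == "ddos_end":
            ddos_active = False
        elif kind == "ach_transfer":
            decision, reasons = assess_transfer(ev, ddos_active)
            results.append((ev["ts"], ev["account"], decision, reasons))
    return results


if __name__ == "__main__":
    for ts, account, decision, reasons in run_checks(SAMPLE_LOG):
        print(f"{ts} {account}: {decision}", "; ".join(reasons))
```

On the constructed sample, the two transfers from the high-risk address are held whether or not the DDoS is still running, the large new-payee transfer during the attack window is held on the window alone, and the two routine transfers are released. Because the decision is made before posting, the hold is a control rather than a forensic finding; the thresholds and the choice of which transfers the DDoS window should gate are policy decisions a real deployment would tune.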
Intelligence-Based Security
Financial institutions virtually always employ a layered security approach, married to
sophisticated behavioral pattern-recognition systems that attempt to spot anomalies quickly.
Financial professionals have also been at the forefront of recognizing the value of threat
intelligence. But even the most sophisticated financial security operations centers have found it
difficult to make raw threat intelligence data actionable, or to merge intelligence about outside
attacks with their existing defense-in-depth security infrastructure in any really meaningful way.
Until Norse.
Superior attack intelligence from Norse can improve your catch rate, reduce your workload
and dramatically increase the ROI on your entire security infrastructure investment. That's
because with Norse, all of your security layers work better. Norse intelligence lets you leverage
the security infrastructure you already have to provide better protection with faster response
times and fewer false positives. With Norse, you can block inbound or outbound connections to
risky IPs before they happen, lightening the load on your existing SIEMs and firewalls while
reducing your exposure overall.
Live attack intelligence, when integrated into your existing perimeter devices such as routers,
firewalls, load balancers and UTM appliances, works against the four attack stages employed by
most hackers (probing, launch, pwning the network, game over) and lets you:
Make granular, automated decisions about what to do with users at the gate who present at
various risk levels
Ask for additional authentication, present a captcha, or simply block outright
addresses based on an up-to-the-minute risk score. Norse solutions can be deployed inline or
out-of-band, and dramatically improve enterprise security return on investment by improving the
catch rate and effectiveness of existing next-generation firewalls, intrusion prevention systems
and security information and event management (SIEM) products. Norse attack visualization
consoles give financial customers detailed, real-time views of threats traversing their networks
and those around the world.
Norse ThreatList
Norse ThreatList combines a threat intelligence portal, APIs and a blacklist.
Norse delivers machine-readable threat intelligence via a RESTful API that integrates with your
existing security controls and makes them smarter. Norse intelligence is live and updated
second by second: you're never out of date, and you never have to rely on malware signatures
that are useless minutes after they're created.
Norse computes over 1,500 distinct factors to determine a risk score for every IP and URL.
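The gate decisions described under Intelligence-Based Security (step-up authentication, captcha or outright block, chosen per IP from an up-to-the-minute risk score) and the freshness point made here (intelligence is only "live" for the 60 seconds the Introduction defines) can be combined in one small policy component. The following is an added example for this page, not Norse code, and it does not use or describe the Norse ThreatList API: the feed record layout (`ip`, `score`, `updated`), the 0-100 score, the constructed sample records, the score bands `BLOCK_AT`, `CAPTCHA_AT` and `STEP_UP_AT`, and the rule that a stale score may add friction but never block are all assumptions made for illustration. What it shows is how a consumer of any machine-readable IP risk feed should validate records, carry the update time with each score, and let the age of the intelligence, not just its value, drive the action at the gate.

```python
"""Gate policy driven by a timestamped IP risk feed (added example, not Norse code)."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple, Union

LIVE_WINDOW_SECONDS = 60   # the paper's definition of "live": less than 60 seconds old

# Assumed score bands for illustration; not Norse's 1,500-factor scoring model.
BLOCK_AT = 80
CAPTCHA_AT = 50
STEP_UP_AT = 20

SAMPLE_NOW = 1_432_745_000.0  # fixed clock so the example is deterministic

# Constructed feed records (not real data): ip, 0-100 risk score, Unix time of last update.
SAMPLE_FEED = [
    {"ip": "203.0.113.7",   "score": 95,  "updated": SAMPLE_NOW - 5},     # live, known-bad
    {"ip": "198.51.100.23", "score": 95,  "updated": SAMPLE_NOW - 3600},  # same score, an hour old
    {"ip": "192.0.2.44",    "score": 60,  "updated": SAMPLE_NOW - 10},
    {"ip": "192.0.2.45",    "score": 25,  "updated": SAMPLE_NOW - 10},
    {"ip": "not-an-ip",     "score": 99,  "updated": SAMPLE_NOW},         # malformed, skipped
    {"ip": "192.0.2.46",    "score": 140, "updated": SAMPLE_NOW},         # out of range, skipped
]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class RiskEntry:
    score: int      # 0 = benign, 100 = confirmed attacker
    updated: float  # Unix timestamp of the last feed update


class RiskFeed:
    """In-memory mirror of a machine-readable IP risk feed."""

    def __init__(self) -> None:
        self._entries: Dict[IPAddress, RiskEntry] = {}

    def ingest(self, records: Iterable[dict]) -> int:
        """Load records, skipping malformed ones; returns the number loaded."""
        loaded = 0
        for rec in records:
            try:
                ip = ipaddress.ip_address(rec["ip"])
                score = int(rec["score"])
                updated = float(rec["updated"])
            except (KeyError, TypeError, ValueError):
                continue
            if not 0 <= score <= 100:
                continue
            self._entries[ip] = RiskEntry(score, updated)
            loaded += 1
        return loaded

    def lookup(self, ip_str: str, now: Optional[float] = None) -> Tuple[Optional[RiskEntry], bool]:
        """Return (entry, is_live); is_live is False once the entry is older than the window."""
        now = time.time() if now is None else now
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return None, False
        entry = self._entries.get(ip)
        if entry is None:
            return None, False
        return entry, (now - entry.updated) < LIVE_WINDOW_SECONDS


def gate_decision(feed: RiskFeed, client_ip: str, now: Optional[float] = None) -> str:
    """Map a risk score onto the actions the paper lists: block, captcha, step_up or allow.

    Assumed design choice: an outright block (or captcha) requires live intelligence. A stale
    high score still adds friction via step-up authentication but never blocks, since the
    attacker has probably moved on and the address may by now belong to a customer.
    """
    entry, is_live = feed.lookup(client_ip, now)
    if entry is None:
        return "allow"  # no intelligence on this address (or an unparseable one)
    if entry.score >= BLOCK_AT:
        action = "block"
    elif entry.score >= CAPTCHA_AT:
        action = "captcha"
    elif entry.score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    if not is_live and action in ("block", "captcha"):
        action = "step_up"
    return action


def build_sample_feed() -> RiskFeed:
    feed = RiskFeed()
    feed.ingest(SAMPLE_FEED)
    return feed


if __name__ == "__main__":
    feed = build_sample_feed()
    for ip in ("203.0.113.7", "198.51.100.23", "192.0.2.44", "192.0.2.45", "192.0.2.99"):
        print(ip, "->", gate_decision(feed, ip, SAMPLE_NOW))
```

Run stand-alone it prints the decision for each constructed address; the two addresses that share a score of 95 get different treatment, the live one blocked and the hour-old one merely stepped up, which is the freshness argument in code. Wiring this into a real gate means refreshing the feed on the same cadence as the window and passing the current time explicitly, so the decision is reproducible in an incident review.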
Conclusion
To be effective, live attack intelligence must be integrated into the key decision points within an
organization's infrastructure. This approach gives enterprise networks and financial institutions
the ability to detect, respond to and prevent unauthorized access to networks, sensitive data
and customer account information.
Norse provides superior live attack intelligence that will enhance and improve:
SOC situational awareness, by letting the SOC know exactly who is talking to bad guys, and which
bad guys are talking to them
Perimeter protection, ending that bidirectional communication with bad guys regardless of
SSL
Security ROI on investments in SIEMs, next-generation firewalls, IPS/IDS and related controls
Breach detection and response times, speeding up investigations by identifying bots
communicating out of the network
Continuous monitoring efforts, by identifying leading indicators of compromise (IOCs)
Policy and compliance posture
SOC performance, allowing the SOC to operate more efficiently with less load on
critical security assets and fewer logs to review
Silicon Valley
333 Hatch Drive
Foster City, CA 94404
650.513.2881
norsecorp.com
ABOUT NORSE
Norse is the global leader in live attack intelligence. Norse delivers continuously updated and unique Internet and darknet
intelligence that helps organizations detect and block attacks that other systems miss. The Norse DarkMatter platform
detects new threats and tags nascent hazards long before they're spotted by traditional threat intelligence tools. Norse's
globally distributed "distant early warning" grid of millions of sensors, honeypots, crawlers and agents delivers unique visibility
into the Internet, especially the darknets where bad actors operate. The Norse DarkMatter network processes hundreds
of terabytes daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products
tightly integrate with popular SIEM, IPS and next-generation firewall products to dramatically improve the performance,
catch rate and security return on investment of your existing infrastructure.
© 2015 Norse Corporation. All rights reserved.