
Live Attack Intelligence

The Crucial Technology for Cutting Losses on Financial Networks

Edited by Jeff Harrell | May 2015

WHITE PAPER

WP052715A

Contents

Executive Summary
Introduction
New Actors, New Motives, New Methods
  The New Threat Actors
  The New Motives
  The New Technology Methods
  The New Banking Trojans
  The New DDoS Feints
Why Back-End Security Fails in Financial Institutions
Intelligence-Based Security
  Threat Intelligence for the Perimeter Vector
  Threat Intelligence for the Website Vector
  Threat Intelligence for the User Authentication Vector
  Threat Intelligence for the eCommerce Fraud Vector
Improving the Efficacy of Security Controls with Attack Intelligence
Norse Live Intelligence: The Missing Layer of Security
Putting Live Attack Intelligence to Work
  Case Study 1: Top 5 Credit Card Company
  Case Study 2: International Bank
  Case Study 3: Options Exchange
Big Data Threats Require Big Data Intelligence
The Norse Advantage: Products and Services
  The Norse Intelligence Network
  Norse Appliance Overview
  ThreatList Overview
Conclusion
About Norse

Executive Summary

This white paper includes three case studies that demonstrate how attack intelligence from
Norse dramatically improved the security ROI of a top five credit card company, an international
bank, and a major options exchange.

The electronic threat landscape for financial institutions has changed dramatically. Today's
threat actors have more advanced tools and techniques at their disposal to exploit banks,
credit cards and international exchanges. The attackers are winning, and despite multi-billion-dollar
investments in security software and hardware, costly penetrations are increasing and
increasingly public.

What's missing is real-time intelligence. Virtually all of a bank's security hardware and software is
acting on security information that is days, if not weeks or months, out of date. Yet this would be
unthinkable in other departments of the modern financial institution. Think about this: what would
happen to a currency trader in your organization if she traded on data from market feeds that
were 24 hours old?

Security now moves at the same pace. Attackers jump from IP address to IP address in
seconds, launching attacks from different locations constantly. Even the nature of the attacks is
subtly masked, making signature-recognition technologies of little help.

Therefore, modern financial institutions must build their new defensive strategy around live attack
intelligence. You need to know who's being attacked, how, and from where, and you need to know
that second-by-second, not once a day. That intelligence must be actively channeled into the
institution's existing firewalls, SIEMs and intrusion prevention systems to provide a continuously
updated shield that shifts and adapts as attackers move to new launch sites and change tactics
minute-to-minute.

Only with live attack intelligence can financial institutions achieve:
- Real-time Situation Awareness in the SOC
- Truly Adaptive Perimeter Security
- Multiple of ROI on Existing Security Investments
- Dramatically Improved Breach Detection, Incident Detection, Forensics and Response

333 Hatch Drive, Foster City, CA 94404 | 650.513.2881 | norsecorp.com

Introduction
While the financial sector remains at the forefront of cybersecurity, today's increasingly complex
and globally-coordinated attacks present a major challenge for even the most sophisticated
financial IT security organizations.

The Federal Financial Institutions Examination Council (FFIEC) recently found that the attack
surface of financial institutions was actually dramatically increasing, despite billions of dollars of
investment in security hardware and software to close those gaps.

Security controls purchased just a few years ago offer little protection against today's more
advanced attacks, and CSOs are starting to feel more like doctors whose antibiotics increasingly
fail against ever-evolving superbacteria. On top of that, new security talent is virtually
impossible to recruit. As America's Growth Capital banker Maria Lewis Kussmaul recently said at
the SINET meeting in Washington, D.C., "the unemployment rate in cyber security is zero."

The situation seems hopeless. But recent advances in real-time threat intelligence show promise.
When live intelligence on attacks (live defined as less than 60 seconds old) can be effectively
integrated with more traditional SIEMs, Firewalls, DPS and IDS systems, organizations become
much better at responding to and repelling attacks in progress. They can even block attacks
before they hit the organization's networks.

New Actors, New Motives, New Methods

For all this increasing complexity, the three main elements that define a threat remain the same:
the actor (or attacker), their motives, and their methods.

The New Threat Actors:
Until recently, defining cybercrime was relatively straightforward. Hackers were on one side and
financial institutions and their customers were on the other. Recently though, hacktivist groups
have emerged as serious threats, and state-sponsored attacks have become more frequent (or at
least more visible). Sometimes the state actor is a friendly nation. These new actors are making
appropriate responses more difficult to find.

The New Motives:
Historically, hacking was limited to hobbyists, vandals and miscreants. But the motivations
behind attacks have shifted in a decidedly more serious direction in recent years, more often
focusing on profit, destruction and theft.

The New Methods:
Hackers are increasingly leveraging trusted networks to launch attacks that bypass traditional
security controls deployed by financial institutions. IP proxies and anonymizers such as the TOR
network are being used to mask attackers' identities and true locations. New mobile malware
and new variants of stealthy Trojans have evolved, new man-in-the-browser schemes are being
used, and new heist methodologies hidden under Distributed Denial of Service (DDoS) attacks
are emerging, too.
The New Banking Trojans:
First identified in 2007, the Zeus banking Trojan infected computers in more than 200 countries.
Zeus's adaptability, which enabled it to dodge antivirus software, led to the infection of more than
3 million users in the U.S. alone. Part of the reason for its success is that it was designed with
one goal in mind: to steal banking credentials. Propagated through phishing emails and web
links, the Zeus Trojan is now believed to be responsible for more than half of all online banking
attacks in recent years. Zeus is already spawning a next generation of banking Trojans with
even higher levels of sophistication [2].
The New DDoS Feints:
Another new attack method is the launch of DDoS attacks to divert attention from (simultaneous)
fraudulent Automated Clearing House wire transfers. In such a combined cyberheist-DDoS
attack, fraudsters launch a DDoS attack against a company, and simultaneously take over and
move money out of the target company's accounts (using login credentials stolen with Zeus
malware). The noise of the DDoS traffic makes it difficult for bank personnel to quickly identify
the fraudulent transaction.

Five Stages of an Attack

Attackers typically breach and take over machines inside an organization via a phased approach:

Reconnaissance: The target is profiled and evaluated by browsing public information about the
company and its network.

Probing: More invasive techniques are employed, using compromised sites on usually-trusted
networks to mask reconnaissance activity that seeks out gullible humans, vulnerable services
and potential targets.

Launch: The attack is often launched from behind a proxy or anonymizer. Once a user account
is accessed, the attacker works to elevate their permissions or hop to other accounts to gain
administrator access.

Pwning the Network: As admin, the attacker installs a set of backdoors and covers his tracks.
This system can now be used as a stepping-stone for further exploration into the target's
networks, or used for the further recruitment of bot armies.

Game Over: With admin access, the attacker can access everything; even encrypted data on the
network is pwnable because as admin he has access to password lists or at the very least can
force password resets which he can watch.

Why Back-End Security Fails in Financial Institutions

The longer it takes to detect an attack, the higher the probability that the attack will succeed.
Right now, most attacks are detected only after they have taken place. That's because, like savvy
accountants planning for the IRS, today's hackers have a deep understanding of the types of
activity that back-end security systems at a bank are going to scrutinize. They already know the
technologies designed to prevent account compromise and account takeover, technologies like
device fingerprinting and anomaly detection.

Device fingerprinting can identify the client machine and location of a customer. If the customer
is using a different computer and/or logging in from an unusual location, the financial institution
can request additional authentication. But such systems can be easily flummoxed by hackers
using virtualized servers, public cloud infrastructure, and anonymizing proxies to fake their
locations and identities. Attackers set up and tear down attack servers within minutes, then move
on, making it nearly impossible to trace an attack to its actual source.

[2] Dark Reading: New ZeuS Banking Trojan Targets 64-Bit Systems, Leverages Tor, December 2013

And since most digital anomaly detection systems are backwards-looking (forensic), they
can't sound the alarm until after a transaction actually posts to a customer's account. By
the time the bank sees the problem, the cash is already gone. Even so, these traditional security
systems are notorious for high false-positive rates.

Financial institutions can't rely on back-end, backwards-looking security. Detecting, stopping
and blocking modern attacks requires an intelligence-based approach that allows the financial
institution to assess transaction risk in real time.

Intelligence-Based Security

Financial institutions virtually always employ a layered security approach married with
sophisticated behavioral pattern recognition systems that attempt to spot anomalies quickly.
Financial professionals have been at the forefront, too, of recognizing the value of threat
intelligence. But even the most sophisticated financial security operations centers have found it
difficult to make raw threat intelligence data actionable, or to merge intelligence about outside
attacks with their existing defense-in-depth security infrastructure in any really meaningful way.
Until Norse.

Superior attack intelligence from Norse can improve your catch rate, reduce your workload
and dramatically increase your ROI on your entire security infrastructure investment. That's
because with Norse, all of your security layers work better. Norse intelligence lets you leverage
the security infrastructure you already have to provide better protection with faster response
times and fewer false positives. With Norse, you can block inbound or outbound connections to
risky IPs before they happen, lightening the load on your existing SIEMs and firewalls while
reducing your exposure overall.

Live attack intelligence, when integrated into your existing perimeter devices such as routers,
firewalls, load balancers, and UTM appliances, works on the four attack vectors employed by
most hackers:

Threat Intelligence for the Perimeter Vector

- Identify incoming high-risk connections, and manage or block them
- Block zero-day attacks (unknown exploits) at the perimeter, before they enter the enterprise
- Assess the risk of every inbound or outbound connection before it is completed

Threat Intelligence for the Website Vector

- At the web server level, verify the IP address of website visitors and assess their risk/threat
factor before granting access
- Make granular, automated decisions about what to do with website visitors at various risk
levels
- Ask for additional authentication, present a captcha, or simply block them outright before they
enter the site and can launch an attack

Threat Intelligence for the User Authentication Vector

- Measure the risk of every user requesting a login page
- Use live intelligence to add data points like geolocation and IP history to confidence computations
- Make granular, automated decisions about what to do with users presenting at the gate at
various risk levels
- Ask for additional authentication, present a captcha, or simply block outright

Threat Intelligence for the eCommerce Fraud Vector

- Detect transactions originating or terminating at high-risk IP addresses, and drop them
or block them.
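The four vector lists above all reduce to one decision made at the gate: look up the source address in a live feed, then allow, challenge or block according to its risk tier. The Python below is an added example written for this page; it is not Norse's code or API. It assumes a constructed feed of (score, fetched-at) pairs, constructed thresholds apart from the 99 edge-blocking cut-off that the options-exchange case study later in this paper describes, and a constructed weight for a "new device" signal standing in for the device-fingerprint and geolocation data points the user-authentication vector and the back-end section mention. It also encodes the caveat the paper's own thesis implies: a score older than 60 seconds is treated as unknown and gets a challenge rather than being trusted either way.

```python
"""Risk-tiered gating of website and login requests from a live IP risk feed.

Added example, not Norse's code or API. The feed format, the thresholds other
than 99, the new-device weight and the IP addresses are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# "Live" intelligence per the paper is under 60 seconds old; older scores are not trusted.
MAX_AGE_SECONDS = 60

# Constructed thresholds on a 0-100 risk score. 99 mirrors the edge-blocking cut-off in the
# paper's options-exchange case study; the other two are assumptions to be tuned per site.
BLOCK_AT = 99
STEP_UP_AT = 80
CAPTCHA_AT = 50

# Constructed weight added when a login arrives from a device the account has never used;
# stands in for the extra "data points" (device fingerprint, geolocation) the paper mentions.
NEW_DEVICE_WEIGHT = 25

# Constructed reference clock and sample feed: ip -> (risk score, unix time the score was fetched).
NOW = 1_700_000_000
THREAT_FEED = {
    "203.0.113.7":   (99, NOW - 5),    # known-bad, fresh
    "198.51.100.23": (85, NOW - 12),   # risky, fresh
    "192.0.2.44":    (60, NOW - 30),   # moderate, fresh
    "192.0.2.10":    (5,  NOW - 2),    # clean, fresh
    "203.0.113.99":  (99, NOW - 600),  # known-bad, but the score is ten minutes old
}


@dataclass(frozen=True)
class Verdict:
    action: str            # "allow" | "captcha" | "step_up" | "block"
    score: Optional[int]   # effective score the decision used; None if unknown or stale
    reason: str


def fresh_score(feed, ip: str, now: int):
    """Return (score, age_seconds); score is None when the IP is unknown or its entry is stale."""
    entry = feed.get(ip)
    if entry is None:
        return None, None
    score, fetched_at = entry
    age = now - fetched_at
    if age > MAX_AGE_SECONDS:
        return None, age
    return score, age


def decide(feed, ip: str, now: int, new_device: bool = False) -> Verdict:
    """Map one inbound request to allow / captcha / step_up / block."""
    ip_address(ip)  # reject malformed input loudly instead of silently allowing it
    score, age = fresh_score(feed, ip, now)

    if score is None:
        if age is not None:
            # A stale verdict is not evidence either way: challenge rather than trust a score minutes old.
            return Verdict("captcha", None, f"score is {age}s old; challenging instead of trusting it")
        return Verdict("allow", None, "no intelligence on this address")

    effective = min(100, score + (NEW_DEVICE_WEIGHT if new_device else 0))
    if effective >= BLOCK_AT:
        return Verdict("block", effective, "high-risk source; dropped before it reaches the application")
    if effective >= STEP_UP_AT:
        return Verdict("step_up", effective, "require a second authentication factor")
    if effective >= CAPTCHA_AT:
        return Verdict("captcha", effective, "moderate risk; present a challenge")
    return Verdict("allow", effective, "low risk")


if __name__ == "__main__":
    for ip, dev in [("203.0.113.7", False), ("198.51.100.23", False), ("192.0.2.44", False),
                    ("192.0.2.44", True), ("192.0.2.10", True), ("203.0.113.99", False),
                    ("198.51.100.200", False)]:
        v = decide(THREAT_FEED, ip, NOW, new_device=dev)
        print(f"{ip:16} new_device={dev!s:5} -> {v.action:8} score={v.score} ({v.reason})")
```

The stale branch is the design choice worth noting: a ten-minute-old "99" neither blocks nor allows, because by the paper's own argument the attacker may have moved on and the address may now belong to someone else; the challenge tier is the only response that costs little if the score was right and little if it was wrong.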

Improving the Efficacy of Security Controls with Attack Intelligence

Today, most financial organizations leverage SIEM (Security Information and Event Management)
solutions to prioritize security events. Even so, SIEMs are easily overwhelmed, and generate
overwhelming logs that need human examination.

Adding live attack intelligence to the mix can help organizations distill thousands of SIEM
alerts down to those few that actually require immediate attention. They can identify and block
malicious activity while it's still OUTSIDE the network perimeter. SIEMs fed with live intelligence
can be interfaced directly with existing security infrastructure (like firewalls) to make fast and
automated changes to a company's security posture based on changes in Internet weather.
Such automated implementation of mitigating controls before the perimeter is compromised
greatly reduces the effective attack surface of an organization.
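A concrete form of the distillation described above: enrich each firewall event with the risk score of its external peer and escalate only those at or above the correlation threshold, ranking an allowed outbound session to a high-risk address (a likely callback from a host that is already compromised) above an inbound hit, and leaving denied connections at audit priority since the control already did its job. This is an added example in Python for this page, not Norse's code and not a real SIEM connector. The log format, sample lines, feed contents, internal ranges and the threshold of 90 (borrowed from the bank case study's correlation of scores above 90) are constructed assumptions.

```python
"""Enriching firewall events with an IP risk feed and prioritizing them for the SOC.

Added example, not Norse's code or a real SIEM integration. Log format, sample
events, feed contents, internal ranges and thresholds are constructed assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed feed: external ip -> risk score 0-100 (a real feed is refreshed every few seconds).
RISK_FEED = {
    "203.0.113.7": 99,
    "198.51.100.23": 92,
    "192.0.2.44": 60,
}

# Escalate at or above this score; the paper's bank case study correlated scores above 90.
ESCALATE_AT = 90

# Assumed internal address space (RFC 1918).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed firewall log format: "<timestamp> <host> <allow|deny> src=<ip> dst=<ip> dpt=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample events, including one malformed line the parser must skip.
SAMPLE_LOGS = """\
2015-05-27T10:00:01Z fw01 allow src=203.0.113.7 dst=10.0.0.5 dpt=443
2015-05-27T10:00:02Z fw01 allow src=10.0.0.5 dst=198.51.100.23 dpt=8080
2015-05-27T10:00:03Z fw01 allow src=192.0.2.44 dst=10.0.0.8 dpt=22
2015-05-27T10:00:04Z fw01 allow src=10.0.0.9 dst=192.0.2.200 dpt=443
2015-05-27T10:00:05Z fw01 deny src=203.0.113.7 dst=10.0.0.5 dpt=3389
this line is not a firewall event
"""

PRIORITY_ORDER = {"critical": 0, "high": 1, "low": 2}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(line: str):
    """Parse one line and attach direction, external peer and its risk score; None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    outbound = is_internal(ev["src"]) and not is_internal(ev["dst"])
    external = ev["dst"] if outbound else ev["src"]
    score = RISK_FEED.get(external, 0)  # addresses absent from the feed score 0 here
    ev.update(direction="outbound" if outbound else "inbound", external_ip=external, risk=score)

    if ev["action"] == "deny":
        ev["priority"] = "low"  # already blocked: keep for audit, do not page anyone
    elif score >= ESCALATE_AT:
        # An allowed outbound session to a high-risk address is a leading indicator that the
        # internal host is already compromised (a likely malware callback), so it outranks an inbound hit.
        ev["priority"] = "critical" if outbound else "high"
    else:
        ev["priority"] = "low"
    return ev


def triage(log_text: str) -> dict:
    """Return parsed events, a priority histogram and the escalated events, most urgent first."""
    events = [ev for ev in (enrich(l) for l in log_text.splitlines()) if ev is not None]
    counts = Counter(ev["priority"] for ev in events)
    escalated = sorted((ev for ev in events if ev["priority"] != "low"),
                       key=lambda ev: PRIORITY_ORDER[ev["priority"]])
    suppressed = counts["low"] * 100 // len(events) if events else 0
    return {"events": events, "counts": counts, "escalated": escalated, "suppressed_pct": suppressed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for ev in result["escalated"]:
        print(f"[{ev['priority']:8}] {ev['ts']} {ev['direction']:8} peer={ev['external_ip']:15} "
              f"risk={ev['risk']} dpt={ev['dpt']}")
    print(f"{result['suppressed_pct']}% of {len(result['events'])} events left at low priority")
```

On the constructed sample, three of five events stay at low priority and the analyst sees two: the outbound session to a score-92 address first, then the allowed inbound connection from a score-99 address. The direction asymmetry is the detection point: inbound hits measure exposure, outbound hits measure compromise.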

Norse Live Attack Intelligence: The Missing Layer of Security

Norse is the market leader in live attack intelligence. Norse solutions leverage the Norse
Intelligence Network, Norse's globally distributed distant early warning system, comprised
of millions of sensors, crawlers, honeypots and agents, to block malicious URLs, botnets,
anonymous proxies, bogus IP addresses and infected embedded devices, even those deep
within the darknets.

Norse offerings detect new classes of attacks that current systems miss, such as cloud-vectored
virtualization-evading malware, compromised Internet of Things (IoT) devices and
anonymous proxies. Norse plugs a critical gap in enterprise security infrastructures. Norse
solutions are easy to set up and simple to use, with an advanced artificial intelligence engine
that distills second-by-second updates on thousands of risk factors on hundreds of millions of
IP addresses, domains, URLs and devices to deliver a single, actionable risk score with detailed
context for any address of interest.

Norse solutions protect financial organizations from new, fast-growing classes of grey threats,
such as those from cloud vectors and compromised embedded devices, and stop enterprise
data from being stolen via Tor and other anonymous proxies. Norse solutions can screen new-account
requests by instantly back-checking requestor IPs for past risky behavior, or filter and
correlate event data from existing security systems to zero in on truly important security events.
With Norse, financial enterprises can automatically log activities, generate alerts or block IP
addresses based on an up-to-the-minute risk score. Norse solutions can be deployed inline or
out-of-band, and dramatically improve enterprise security return on investment by improving the
catch rate and effectiveness of existing next-generation firewalls, intrusion prevention systems
and security information and event management (SIEM) products. Norse attack visualization
consoles provide financial customers with detailed, real-time views of threats traversing their network
and those around the world.

(Figure: Risk Context)

Putting Live Attack Intelligence to Work

Case Study 1: Top 5 Credit Card Company

This large credit card services customer created their own Splunk app, similar to Splunk
Enterprise Security, but more tailored to their organization. Their custom Splunk app
automatically imports Norse ThreatList to correlate internal security events with external
threats and prioritize security events. ThreatList provides further context when needed during
incident response.

Outcome:
- Norse uncovered ongoing malicious connections from AWS systems controlled from Iran
- Norse uncovered malicious employee/insider activity
- Norse designed custom analytics
- Norse reduced threat mitigation time
- Norse context used to train junior cyber analysts at the CC company


Case Study 2: International Bank

Business Challenge:
This large international bank customer wanted to improve event prioritization and increase the
efficiency of its incident response. They were overwhelmed by the speed and quantity of security
events on their network, and that also impacted their ability to properly prioritize and investigate
real incidents. After integrating Norse ThreatList into their SIEM and using Norse risk scores to
prioritize security events, they were able to reduce SIEM alerts by 25% and significantly reduce
incident response times.

Outcome:
- Reduction of overall SOC response times
- Decreased investigation times
- Reduction of SIEM alerts by 25%
- Norse data formed core of daily state-of-the-bank calls
- Norse intelligence integrated into critical path


Case Study 3: International Options Exchange

In the combined cyberheist-DDoS attacks described earlier, within days or even hours, money mules
(untraceable and anonymous participants in the fraud) withdraw cash from the accounts and send
the funds overseas via Western Union or similar wire transfer services.

This Norse customer is a U.S. equity derivatives market and the fastest options exchange in the
world. The Exchange is a fully automated electronic options exchange for the trading of OCC
issued standardized options on equities and ETFs. The exchange provides a marketplace that
caters to the needs of the trading community, and offers competitive pricing based on a low-cost
operating structure, superior customer service, and outstanding technology.

After testing several other solutions, the exchange determined that they did not provide
sufficiently comprehensive threat data, and what they did have was quickly out of date. This
options exchange chose Norse ThreatList to provide improved edge security and faster
incident response. The exchange also chose ThreatList to block all IPs scoring 99 or above at
the network edge with their McAfee next-generation firewall in IPS mode. They are now blocking
250,000 risky connections weekly that previously had gotten through.

The exchange's IBM QRadar implementation automatically retrieves the Norse ThreatList
regularly to correlate internal security events with external threats and prioritize security events.
ThreatList provides further context when needed during incident response. Because Norse
threat intelligence is both comprehensive and always up to date, the exchange is finally able to
be proactive and get ahead of threats before they become real problems.

Outcome:
- Norse scored every connection request in real time
- Norse blocked >1M malicious connections/month that were previously getting through
- Correlated risk scores >90 in SIEM
- Firewall loads reduced by 20%, across the whole organization
- Identified malware callbacks


Big Data Threats Require Big Data Intelligence

Norse is a Tier-1 Telecom Carrier that doesn't offer telecom services. Our global network exists
solely for the purpose of being attacked and delivering that information in seconds to you. A few
Norse Global Intelligence Network facts:
- Norse has over eight million sensors deployed around the world
- Norse operates in over 47 countries and more than 200 datacenters across the globe
- Norse manages 16 routers on the tier-one Internet fiber backbone
- Norse controls more than 16 million IP addresses
- Norse has honeypots which emulate more than 6,000 applications and device types including
POS systems, ATM networks and ACH systems
- Norse manages six Border Gateway Protocol AS numbers of our own
- Norse processes more than 150 terabytes daily against a 7 petabyte threat database
- Norse weighs more than 1,500 risk factors for every actuarial risk score
- Norse posts attack data to customers within 5 seconds of detection

The Norse Advantage: Products and Services

Norse Appliance - The Superior Attack Intelligence Appliance for the Darknet
Norse Appliance is the first attack intelligence appliance that defends against the latest
advanced threats emerging from darknets and the greater Internet. Deployed inline or
out-of-band, the Norse Appliance dramatically improves the return on your existing security
investments by improving your catch rate while simultaneously reducing traffic loads on your
firewall and IPS systems.

The Norse Appliance leverages Norse threat intelligence to detect and prevent malware, botnets,
anonymous proxies, and bogus IPs and is available in 1Gbps and 10Gbps versions.

Norse ThreatList
Norse ThreatList is the ultimate combination of threat intelligence portal, APIs, and blacklist.
Norse delivers machine-readable threat intelligence via a RESTful API that integrates with your
existing security controls, and makes everything smarter. Norse intelligence is live and updated
second-by-second. You're never out of date and you never have to rely on malware signatures
that are useless minutes after they're created.

Norse computes over 1,500 distinct factors to determine a risk score for every IP and URL.


Conclusion

To be effective, live attack intelligence must be integrated into the key decision points within an
organization's infrastructure. This approach gives enterprise networks and financial institutions
the ability to detect, respond to and prevent unauthorized access to networks, sensitive data,
and customer account information.

Norse provides superior live attack intelligence that will enhance and improve:
- SOC situational awareness by letting them know exactly who's talking to bad guys, and which
bad guys are talking to them
- Perimeter protection to end that bidirectional communication with bad guys regardless of
SSL
- Security ROI investments in SIEMs, Next Generation Firewalls, IPS/IDS and related controls
- Breach detection and response times while speeding up investigations by identifying bots
communicating out of the network
- Continuous monitoring efforts by identifying leading indicators of compromise (IOCs)
- Policy and compliance stature
- SOC performance improvements, allowing them to operate more efficiently with less load on
critical security assets and with fewer logs to review

Silicon Valley
333 Hatch Drive
Foster City, CA 94404
650.513.2881

norsecorp.com

ABOUT NORSE
Norse is the global leader in live attack intelligence. Norse delivers continuously-updated and unique Internet and darknet
intel that helps organizations detect and block attacks that other systems miss. The superior Norse DarkMatter platform
detects new threats and tags nascent hazards long before they're spotted by traditional threat intelligence tools. Norse's
globally distributed distant early warning grid of millions of sensors, honeypots, crawlers and agents delivers unique visibility
into the Internet, especially the darknets, where bad actors operate. The Norse DarkMatter network processes hundreds
of terabytes daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products
tightly integrate with popular SIEM, IPS and next-generation Firewall products to dramatically improve the performance,
catch rate and security return on investment of your existing infrastructure.
© 2015, Norse Corporation. All rights reserved.

