Incident Response enabled SWIFT Security assessment and CSP Audit Services
In a distraction-based attack, several noisy incidents occur within a short time span with the intention of diverting the blue team's focus. Attackers may knock down workstations and servers to create panic and continuously engage the blue team's attention. While sustaining these hard-to-detect distractions, the attackers execute, in parallel, an attack against a high-value target like SWIFT. Static correlation rules alone cannot detect this pattern; combining them with dynamic cross-correlation rules that chain the triggered correlation rules over a time window assists in early detection of such attacks. As depicted in the diagram, a dynamic cross-correlation rule was able to chain all the triggered correlation rules over a time period, thereby detecting the attack.
Asset Group Tagging and Cloning of attack detection correlation rules for critical payment applications like SWIFT is an effective technique to detect distraction-based attacks such as the massive KillDisk MBR-wipe that occurred in the 2018 Chile Bank attack. The attackers used KillDisk to bring down about 9000 workstations and over 500 servers in a very short time to create panic within the Blue Teams. They were successful in distracting the SOC team and used this opportunity to execute an attack that resulted in the theft of $10M.
Below is a simple illustration that our team at NetSentries developed for increasing the awareness of targeted distraction attacks.
We recommend the following measures to address this issue.
Asset Group Tagging and Cloning of targeted attack detection correlation rules. First, identify the logs from critical payment applications and services and add an asset group tag or custom tag to them. Next, develop new correlation rules and modify existing ones by cloning them and making the necessary changes, such as looking up the asset tag information in events of interest.
Artificial Intelligence (AI) driven risk prediction and criticality mapping can make this process dynamic. With this step, we further enhance the application-specific correlation rules through contextualization, including the use of AI modules for risk prediction and impact probability.
Dedicated dashboards for critical application monitoring can further strengthen monitoring capabilities, allowing SOC analysts to focus on the incidents that need prioritized attention.
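As an added illustration (not code from the NetSentries post), a minimal dynamic cross-correlation rule of the kind described above: static rules have already fired on tagged events, and the dynamic rule chains them by raising one alert when a rule fires on a SWIFT-tagged asset while a burst of noisy rule firings on non-critical assets occurred inside the preceding time window. Host names, asset tags, rule names and events are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, asset_tag, triggered static rule).
# The "SWIFT" tag marks the critical payment application asset group.
SAMPLE_EVENTS = [
    ("2018-05-24T09:00:00", "ws-0101", "workstation", "killdisk_mbr_wipe"),
    ("2018-05-24T09:00:05", "ws-0102", "workstation", "killdisk_mbr_wipe"),
    ("2018-05-24T09:00:09", "srv-017", "fileserver", "host_unreachable"),
    ("2018-05-24T09:00:12", "ws-0103", "workstation", "killdisk_mbr_wipe"),
    ("2018-05-24T09:00:20", "srv-021", "fileserver", "host_unreachable"),
    ("2018-05-24T09:07:40", "swift-gw1", "SWIFT", "swift_privileged_login"),
    ("2018-05-24T09:08:10", "swift-gw1", "SWIFT", "swift_payment_anomaly"),
]

CRITICAL_TAG = "SWIFT"                                   # hypothetical asset tag
NOISE_RULES = {"killdisk_mbr_wipe", "host_unreachable"}  # hypothetical rule names


def parse(events):
    """Parse timestamps and return events in chronological order."""
    return sorted((datetime.fromisoformat(t), h, tag, r) for t, h, tag, r in events)


def chain_alerts(events, window=timedelta(minutes=30), noise_threshold=4):
    """Chain static rule firings: alert when a rule fires on a critical-tagged
    asset and at least `noise_threshold` noisy firings on other assets fall
    inside the preceding `window`. Returns one alert dict per chained match."""
    recent_noise = deque()  # (time, host, rule) still inside the window
    alerts = []
    for ts, host, tag, rule in parse(events):
        while recent_noise and ts - recent_noise[0][0] > window:
            recent_noise.popleft()  # expire noise older than the window
        if tag != CRITICAL_TAG and rule in NOISE_RULES:
            recent_noise.append((ts, host, rule))
        elif tag == CRITICAL_TAG and len(recent_noise) >= noise_threshold:
            alerts.append({
                "time": ts.isoformat(),
                "critical_asset": host,
                "critical_rule": rule,
                "noise_events": len(recent_noise),
                "chained_rules": sorted({r for _, _, r in recent_noise} | {rule}),
            })
    return alerts


if __name__ == "__main__":
    for alert in chain_alerts(SAMPLE_EVENTS):
        print(alert)
```

Narrowing the window (for example to five minutes) with the same sample events produces no alert, which is the knob an analyst tunes against the burst length seen in real distraction campaigns.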
About NetSentries: NetSentries Technologies is a leader in the Cyber Threat Management space. NetSentries provides a portfolio of Security assessment, Control validation, Defensive, and Detective Security advisory to Enterprises. NetSentries is engaged with several business verticals like Banking and Finance, Oil and Gas, Retail, Manufacturing, and Healthcare to assess their current security posture and continuously improve resilience against targeted cyber-attacks.
NetSentries works with several Banks and FinServ companies to improve Enterprise-wide security posture and meet compliance requirements from regulators.