“For several months Carbanak was active on internal systems and also spread laterally to map out the banks' infrastructure,” Segura said.
Labeling the thefts “a significant evolution in approach,” Mike Lloyd, CTO at RedSeal, said in a statement sent to SCMagazine.com, “The time invested by criminals in studying the operations of target banks shows two things: first, that such attacks are lucrative enough for this time commitment to be worthwhile, and second, they would not have bothered if they did not have to.”
Researchers warned that similar attacks are likely on the horizon and organizations must shift their security focus to fend them off.
“These are advanced threat actors and while it may seem like they are laying low, I'm certain they are working on new techniques as their old tools and techniques have been discovered,” TK Keanini, CTO at Lancope, said in a prepared statement to SCMagazine.com. “This is the co-evolution that happens between attackers and defenders.”
And Lloyd said the attacks are a clear lesson that “we need to up our game, understanding how we can be spied upon, and how motivated adversaries can work to hide in plain sight.” He said security teams must “understand normal operations in great detail, including mapping out the environment and understanding how the infrastructure supports the business.”
Calling the practice “fiendishly difficult” because “the rate of change of modern business makes it impossible to keep up without automated mapping and discovery of defensive gaps,” Lloyd noted that “employees will always be prone to being fooled, as they were at the victim banks in this case.”
He urged organizations “to strengthen internal network segmentation, so that the whole chain does not fail whenever one weak link - usually a human - gets caught out.”
Eric Chiu, president and co-founder of Hytrust Security, said in a statement sent to SCMagazine.com that if the security industry is “going to have a chance at reversing this trend,” then “we need to truly make security a top priority and adopt an 'inside-out' model of security where we assume that the attackers are already on the network.”
He added that “banks must lead the charge around these efforts to restore confidence that they can protect our savings accounts from these new criminals.”