An independent member of UHY International© UHY Advisors, Inc. 2016 All Rights Reserved
LESSONS LEARNED FROM BANGLADESH BANK HEIST
ISACA GEEK WEEK 2016
WHAT’S GOING ON?
Victim
WHAT’S GOING ON?
WHAT’S GOING ON?
Criminal
MAIA SANTOS DEGUITO
Rizal Bank Manager with Attorneys
THE BANGLADESH HEIST
$150MM USE CASE
THREAT ACTORS
Insider
Project Managers
Hackers
Social Engineer
Backer
Threat Actors
BANGLADESH HEIST TIMELINE
SWIFT SYSTEMS MALWARE ACTIVITY
THE PLAN
Develop and Maintain Project Plan
• Build use case
• Identify internal resources
• Identify tools
• Define milestones
• Monetize the effort
Exploit People & Processes
• Use Bank of Bangladesh credentials to request transfers
• Use FRB to authorize transfers
• Exploit holiday and weekend schedules
• Withdraw funds with Rizal bank manager approval
Exploit Technologies
• Bank of Bangladesh Systems*
• SWIFT System
• Confirmation message monitoring
• Audit logging
INITIAL VECTORS OF ATTACK
TARGETED SAMPLES
TARGETED SAMPLES (CONT)
COMMON HACKER PLAYBOOK
Acquire Targets
Data Collection
Exploit People
Infiltrate Corporate Systems
Exploit Systems
Permeate
• Locate affiliated groups
• Identify individual targets
  - Colleagues
  - Spouse
  - Children
  - Parents
• Use collected data to deploy malware to targeted individuals
• Use malware-collected data to ‘passively’ authenticate to corporate systems
• Install system exploits and deteriorate logging
• Exfiltrate corporate data
• Place trapdoors throughout environment
Characteristics of cyber threats are no longer "infect as many machines as possible". Today’s attacks only need to compromise one targeted machine to be successful.
NO “HACKERS” REQUIRED!
EBAY
SOPHISTICATED DISCIPLINED
THE HACKER PERSONA
THE REAL “HACKERS”
THE HUMAN FIREWALL
HUMAN FIREWALL FAILURE
THE PARTY IS OVER
MANAGING RISK & COMPLIANCE
COMPLIANCE VS RISK MANAGEMENT
Being ‘Compliant’ does not equate to being ‘Secure’. It is easy to lose sight of the risk management drivers behind the Internal Audit Function.
• Internal Audit Program: COSO, SOX, PCI
• Internal Priorities: self-defined risk matrix
• Customer Expectations: NIST, COSO
• Regulatory Obligations: SOX, PCI
Shouldn’t Compliance be positioned as the byproduct of a mature information security and internal audit program, by ‘doing the right things’ and ‘proving it’?
Compliance Risk Management
QUESTIONS?