by J.Paul Haynes
On Dec. 1, a large US-based cybersecurity firm received extensive international media coverage for a reported cybersecurity incident. The incident focused on a threat actor classified as “FIN4”. Reports describe an active targeted phishing campaign with a focus specifically targeted at “the emails of C-level executives, legal counsel, regulatory risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information”.
The technique uses spear-phishing emails to gather credentials from users and return them back to the “FIN4” Command and Control servers (CnC) where the login credentials are then used to log into the users webmail remotely through TOR to escalate the attack. Again the level of angst was escalated further.
While this news article may be the first mention of “FIN4”, eSentire has been tracking and mitigating this very activity for more than a year. Late in 2013, eSentire issued a service advisory to its client base giving visibility to a .docm file circulating through the hedge fund atmosphere. At the time, eSentire’s Security Operations Center flagged what is now known as “FIN4” activity at its earliest inception. Then, the intent of the attack was the same: to drive a spear-phishing campaign with the explicit intent of accessing sensitive financial data in the hedge fund market through credential harvest.
The story surrounding “FIN4” is an important one, however, a story like this reminds us of the complexity and challenges faced by the Information Security industry. Complicated threats like these don’t pop up overnight. Dedicated forensics is critical in identifying and managing threats of this nature. eSentire clients have not been affected by “FIN4” attacks thanks to our Security Operations Center’s ongoing forensics and layered Active Threat Protection services.
What is it about the eSentire approach to Active Threat Protection that’s so unique? We’re able to see and mitigate threats of this nature through continuous monitoring. eSentire analysts continually monitor ALL our client’s network traffic, looking for signs of atypical behavior by utilizing ‘operationalized forensics’ - a technique pioneered by eSentire - which is the continuous analysis of all traffic flowing into and out of client networks.
As with the attack initially detected by eSentire in 2013, when a compromised word document containing the macro executes and connects to an external server and transfers data - in this case user credentials to an unfamiliar IP destination - we notice those unusual behavioral signals and immediately scrutinize it.
With our DVR-like capabilities, our skilled threat analysts rewind and replay the traffic and critically analyze it. If the traffic looks malicious, we block that specific connection on that customer’s network. Next, the block is propagated to all other eSentire subscriber networks through our Asset Manager Protect service, ensuring all clients are protected from the threat in question. At eSentire, this is standard operating procedure, 24/7/365, whether during business hours on Wednesday or at 2AM on Sunday.
If your first visibility into a major attack network like that publicized this week comes from a best-in-class forensic firm, the horse is likely already out of the barn. At this stage of breach you are also calling lawyers, regulators and law enforcement. Even worse, you have spent at least three to five full years of what Active Threat Protection services from eSentire would have cost. Let’s not rule out impact to reputation and brand which can trigger in a New York minute.
With Active Threat Protection from eSentire, clients benefit from immediate threat isolation, mitigation and real-time reports. Quite literally we are talking about an ounce of prevention versus a pound of cure.
There’s a reason why eSentire is the trusted, award-winning security services provider to more than 450 financial services firms, legal, extractive and healthcare organizations. We can comfortably lay claim to pioneering Continuous Advanced Threat Protection, which leading analyst firm Gartner Research began covering in June 2014 as a best practices framework for defending against cybersecurity attacks.
In our world, managing and mitigating a threat like “FIN4” is simply another day at the office.
J.Paul Haynes is CEO at eSentire (www.esentire.com).