Union Bank Hacking – Security Perspective
While reading through the article the below particular paragraph struck me.
“mails were sent to 15 email IDs. “Three people reported that the email was suspicious to the IT security. The other Union Bank employees were “technically-savvy” persons. They noticed that although the email address said @rbi.org.in, it had an attachment that a zip file. Within the zip file, there was a dot (xer) file and not a dot pdf file, which is why they reported it as suspicious,” Shinde said.”
Couple of key points that came out of this
- The Security team at the Bank has done a pretty good job in educating their employees on “Reporting Suspicious emails”
- There seems not much effort was put in to prevent the hack. Maybe someone with inside information can throw light!!!
Going by the article, the security team should be appreciated for the efforts in propagating awareness among its employees. At the same time they should review their response strategy to such internal “alerts/intelligence”.
This incident has provided very good lessons to our community.
- Continue to put the right efforts on security awareness. Ideal would be to make security pervasive across the Organization, but what we really need is instances like these were “Three people report it to IT Security“. You don’t need 1000’s of alerts to act on a threat. You just need one valid indicator that can help activate the IR
- Don’t spend efforts only on External “Intelligence” Feeds. Build a structured, practical and efficient Triage mechanism for alerts that are reported/identified internally also.
The biggest problem(s) that security professionals report on insider alert is
- The volume of “suspicious” email forwards to the team
- Negligible % of valid actionable alerts
We cannot expect a naive bank employee or manufacturing engineer or a scientist or a R&D Engineer to send us a valid actionable security alert every time. Anything they feel unimportant, suspicious will be sent. The more the number of emails that our Security teams receive the more the success of our awareness program.
My Experience: Email Threat Analysis team (that we built) gets 1000s of “suspicious” emails reported by employees. In the beginning it was difficult, but once we created an efficient triage process (which is constantly reviewed) we are able to effectively analyse, categorize and address every email that is reported by the employees. Around 99% of emails that are reported are junk, but we are looking for that 1% that may give us the lead to prevent a major embarrassment to the organization.
Continue to cultivate a legion of Eyes and Ears in the organization who are vigilant and serve us with these tiny but impactful bits of intelligence.
Taking this opportunity, I would like to layout a response strategy to an event like this. Bear in mind that this is just a sample methodology that I had instituted in my groups, you are free to use your own “Best suited” approach.
1. The IT team gets notice from three people about a suspicious email
2. The standard operating procedure kicks in, wherein the First responder immediately flags the emails as “unknown internal alerts”
3. The Responder carries out two triage tasks in parallel.
Reviews the Email properties to validate if the email was spoof or was received from a valid source domain (in this case RBI). The responder also does an initial analysis of the email content (subject/body)
- Considering the email has an attachment, he/she shall subject the attachment to a malware sandbox like cuckoo to identify if there are any “abnormal characteristics.
- The responder would have by now identified that the email was sent from IP address or domain not related to RBI. With this information, the responder would immediately run a query to identify how many emails were sent from the same domain, subject (if unique), source IP address and consolidate the list.
4. The cuckoo sandbox results indicates suspicious Indicators of Infection (IoIs). This will trigger the responder to re-categorize the alert as “Suspicious Phishing attack” and escalate the criticality of the incident to medium
5. It is important at this point to profile the recipients to see if this was a random list or a well-planned targeted attack. The result of this analysis will help determine the urgency of the response actions to follow
6. The sandbox results along with the list of employees who received similar emails will be consolidated and a report submitted to the Cyber Incident Response team.
7. Formal Incident Response will be kicked in at this point and the team shall start pursing the employees who may have received the email
8. All the “suspicious emails” will be deleted from the employee(s) mailbox (a copy will be retained with the Investigations team)
9. The employees may be interviewed to validate if anyone had opened the attachments. If so, their systems will be immediately isolated for further forensic investigation
10. The IoIs gathered from the analysis will be used as references for validation across the organization security/IT infrastructure ~ predominantly IP/URL Access, port connections, Hash files, registry changes
11. Those that had opened the attachment will be forced to immediately reset their credentials
12. Those who have received the email and that we have no evidence they opened the attachment, will be asked to voluntarily change their passwords at their convenience
13. The complete list of employees (and their associated assets) who were the target will be added as “Watch List” and security rules configured to alert for any suspicious activities from their IDs or corporate assets (untimely access, access from unknown geo, suspicious transaction, continuous login attempts, multiple simultaneous access attempts)
14. Meanwhile, threat hunting team will work to gather more details about the attacker, link the modus-operandi with other similar incidents across the industry and submit a report of their findings
15. All the information about the incident and the action taken shall be presented to the executive management
16. The incident will be on the watch for a predetermined time and would then slowly will be phased out depending on the follow-up actions
More often than not, our employees are the biggest source of Intelligence, let’s have an effective way to intake and respond to those “intel feeds” than be part of the “news”.
What are your thoughts/suggestions around this incident and how have you handled such alerts in your Organization?
Please leave your questions in the comments section and expect quick response from us. CyIntegriti is a cyber security start-up formed by a group of enthusiastic cyber security professionals and specialize in consulting practice for the following streams- Digital Forensics & Incident Response, Threat Hunting, SIEM, IPS, DLP, SOC Implementation, Email: email@example.com