ANZ Bank turns to peers for infosec intelligence

Businesses that rely solely on vendor signature feeds for malware detection are leaving themselves open to targeted attack, according to ANZ Bank's top cyber expert.

Speaking to the Australian Cyber Security Centre conference yesterday, Adam Cartwright warned businesses not to be complacent with the use of signature-based detection to identify threats.

While ANZ Bank uses some vendor-provided signatures to identify things like botnets and commercial banking trojans, the bank now relies a lot more heavily on intelligence for incident response, he said.

Cartwright cited one example of an attacker compromising a machine and throwing exploits at Active Directory in an attempt to steal credentials.

"This turned out to be a targeted attack. They used several watering holes and on those watering holes they filtered for the target IP address ranges. If you were one of the companies they were after, they would identify the IP address range, redirect it and try to exploit it," Cartwright said.

This particular attack was not commodity malware - it was custom code and rarely used, he said.

"These sorts of attackers don't use this code unless they're targeting a company, they're not just going ot leave it dangling and wait for people to come along and grab it," Cartwright said. 

"It's not in the wild in any volume. It wasn't a zero-day - it was nearly a zero-day - but all the devices had up-to-date virus signatures. They had up-to-date patches.

"So the question here is - how old are the signatures? Even though you've updated the day before, how old are they, how relevant are they? Do signatures for this type of attack even exist with these vendors?

Additionally, in the last six weeks, ANZ spotted what the security team initially thought was a drive-by attack on a legitimate website, but what it later suspected originated from a compromise within a user's home network.

The "community crimeware" the bank uncovered uses only PowerShell and avoids writing any DLLs (dynamic link libraries) or executables to disk to attempt to avoid detection from signature-based emails.

"This particular group have a PowerShell script that downloads two other pieces of code that are malicious," Cartwright said.

"It's encrypted within the initial PowerShell script and has some functions that decrypt and decompress the downloaded and malicious code, and they inject it into the running process, which in this case is PowerShell but it could be any other [the attacker] chooses."

"But because it's a PowerShell process, and because it's on most Windows PCs, it avoids whitelisting as well. So not only has he gone around your endpoint detection, he's gone around most of your network protection, and avoided your whitelisting protection."

Given the sheer amount of new pieces of malware uploaded to commercial feeds every day, security vendors have little choice but to prioritise based on volume and occasionally the malevolence of the software, Cartwright said.

"APT attacks or custom attacks tend to go to the bottom of the pile, bcause not many people are reporting them," he said.

"This isn't a banking trojan that millions of people are going to be affected by. So if you're waiting for a vendor to develop a signature for these types of attacks, you could be waiting for a very long time.

"APTs are small volume threats, so if you are basing the security of your company on vendor signatures, you're likely going to be compromised."

The answer, according to the security exec, is intelligence-based security: threat sharing and timely communication within peers and rivals.

"Attackers, whether they are APT or crimeware attackers, generally use similar tools and tactics and reuse them. They invest their effort into creating that methodology and deploying it against multiple targets," Cartwright said.

"And if we as defenders can implement countermeasures against that, then they have to go away and develop more tools and tactics, and it raises the costs of those attacks."

To be able to do that, industries need to come up with a data-sharing process allowing them to act quickly and limit the attackers' ability to perform the same attack multiple times, he said.

"If you knew there was an attacker out there now using PowerShell only, you could do something about that - upgrade PowerShell across the organisation to a version that supports code signing, then only allow code-signed PowerShell script to run. Straight away you've defeated that attack by that attacker," Cartwright said.

"The banks are very aligned on this. We pick up the phone and talk to each other. We have a deliberate policy of sharing indicators of compromise. That doesn't mean when I pick up the phone I have to tell the other bank what's going on, in fact I don't, but I do pick up the phone in an incident and say 'you might like to look at this'.

"Within ANZ, when I think about intelligence and the best source of information, peer community groups are the best by far."