How do you defend the world’s financial system from hackers and thieves? With a web of lies of course
When news hit that hackers had made off with $81 million from Bangladesh Bank (after attempting to transfer $951 million, most of which was blocked) in February by breaking into the Society for Worldwide Interbank Financial Telecommunication platform (SWIFT for short), most people were shocked: These criminals were so audacious in going for broke with this kind of heist.
This feeling was quickly followed up with bewilderment that the structure that essentially connects the global financial system was standing on such shaky ground and could be so easily penetrated.
In hopes of answering the call for better security, Tel Aviv-based illusive networks — one of Israel’s most innovative cyber startups — announced on Monday the launch of SWIFT Guard, a new product aimed at detecting hackers early and preventing theft.
The trademarked motto of illusive is “Deceptions Everywhere.” Unlike traditional honeypots that have been around for a while now, requiring some kind of computer, whether it be a server, router, virtual machine or otherwise, illusive works with a different kind of deception concept that they claim is far more scalable.
They scatter dummy files throughout the network at strategic spots where only an unauthorized attacker would have reason to visit. This could be the cached memory dump, or other locations where the attacker would have to hit as they move through the network, seeking higher permission credentials.
If a breach occurs, the hacker will be forced to choose from dozens if not more options, forcing them to gamble. And like any good casino, the house always wins.
“Our mission is to bring deceptions to every part of your network, so that when an attacker tries to attack the real network, he is actually attacking the illusive network,” CEO Shlomo Touboul explains to Geektime on their approach to security.
Essentially a replication of their basic deception concept, SWIFT Guard works by replicating the SWIFT servers. This server system consists of the SWIFT Alliance Access (SAA: the network proxy), SWIFT Alliance Gateway (SAG: the access point into the network), and the SWIFT Web Protocol (SWP: the massaging apparatus).
When an attacker attempts to move through these systems filled with illusive’s server decoys, they will trip off the alarms as they try to access the fakes, alerting the security team of the breach. Upon detection of an attacker, SWIFT guard starts collecting forensics, and mitigates the attack.
The company claims that they are able to uncover attackers already in a system pre-deployment of their product, which given the state of affairs for many players in this industry is a near certainty.
Touboul says that one of the issues threatening the network is that people are going through the SAA and the more sensitive SAG simultaneously, raising the risk level.
The bigger issue though is that a significant number of SWIFT’s 11,000 customers — banks and other financial institutions— are not in compliance when it comes to being up to date on their software or security practices. In an apparent response to the February attack in a letter issued by SWIFT in August, they told their customers that they had until November 19 to complete the updates and implement better protections, or they would report them to regulators.
Meeting this deadline is going to be a challenge for many of these institutions due to costs and difficulty. Touboul believes that he can provide them with a stop gap measure that will give them the breathing space to make the upgrades, while providing real security to the client. He says that they hope to sell not only to the financial bodies that use the global network, but to SWIFT itself as well.
For those who need a refresher on the SWIFT hack, and this was a fun one, a group of unidentified hackers attempted to steal $951 million from the account belonging to Bangladesh Bank in February through a series of requests to the Federal Reserve Bank of New York. In their first five requests, they routed the funds through a series of banks to reach their fictitious accounts in Asia, converting and hiding the loot. Thankfully in the attempt to send funds to an account in Sri Lanka, a spelling conscious employee at Deutsche Bank noticed that the thieves had misspelled the word “Foundation” as “Fandation” (perhaps letting their greed show through), and a request for verification of the transfer shut down the whole operation.
According to reports, the attack began like most with a phishing mission that allowed them to map out the network. Touboul tells Geektime that if they were in place for the Bangladesh situation, “We would have caught the attackers while they were in their intelligence collection phase.”
While this was not the first successful attempt to steal from the SWIFT system, it was the boldest. There are significant indications that the hackers had help from insiders, which even for a system as seemingly impressive as illusive’s, poses challenges to defenders. If the attackers already have the necessary credentials to approve illicit transfers, or provide their compatriots with them, then effectiveness of the minefield becomes somewhat lessened. However, it is worth remembering that security is all about mitigation. It is unlikely that an attacker will always have all the credentials needed to pull off their heist and will need to dig around for them, increasing their risk of detection.
As a part of Nadav Zafrir’s Team8, illusive networks seems to be rapidly pumping out solutions to some of the most interesting challenges in network security. In July they released their answer to ransomware with a similar product. At this pace, it will be interesting to see what else they succeed in coming out with by the end of the year.
Any guesses? Leave them in the comments.