illusive networks launches their response to the $951 million Bangladesh SWIFT hack

Google Chairman Eric Schmidt with Team8's CEO, Nadav Zafrir, and illusive network's team. Photo Credit: illusive networks PR

How do you defend the world’s financial system from hackers and thieves? With a web of lies of course

When news hit that hackers had made off with $81 million from Bangladesh Bank (after attempting to transfer $951 million, most of which was blocked) in February by breaking into the Society for Worldwide Interbank Financial Telecommunication platform (SWIFT for short), most people were shocked: These criminals were so audacious in going for broke with this kind of heist.

This feeling was quickly followed up with bewilderment that the structure that essentially connects the global financial system was standing on such shaky ground and could be so easily penetrated.

In hopes of answering the call for better security, Tel Aviv-based illusive networks — one of Israel’s most innovative cyber startups — announced on Monday the launch of SWIFT Guard, a new product aimed at detecting hackers early and preventing theft.

The trademarked motto of illusive is “Deceptions Everywhere.” Traditional honeypots, which have been around for a while now, each require some kind of computer, whether a server, router, virtual machine or otherwise. illusive works with a different kind of deception concept that they claim is far more scalable.

They scatter dummy files throughout the network at strategic spots where only an unauthorized attacker would have reason to visit. This could be a cached memory dump, or other locations the attacker has to pass through as they move laterally through the network seeking higher-privilege credentials.

If a breach occurs, the hacker will be forced to choose from dozens if not more options, forcing them to gamble. And like any good casino, the house always wins.

“Our mission is to bring deceptions to every part of your network, so that when an attacker tries to attack the real network, he is actually attacking the illusive network,” CEO Shlomo Touboul explains to Geektime on their approach to security.

SWIFT Guard applies the same basic deception concept to the SWIFT environment by replicating the SWIFT servers. This server system consists of the SWIFT Alliance Access (SAA: the network proxy), SWIFT Alliance Gateway (SAG: the access point into the network), and the SWIFT Web Protocol (SWP: the messaging apparatus).

When an attacker attempts to move through these systems filled with illusive’s server decoys, they will trip the alarms as they try to access the fakes, alerting the security team to the breach. Upon detection of an attacker, SWIFT Guard starts collecting forensics and mitigates the attack.
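To make the decoy idea above concrete, here is an added example (not illusive’s code): a minimal decoy-access alarm that flags any session touching a fake SAA/SAG/SWP host or using a planted credential, keeps that source’s event trail as forensic context, and works out how likely an attacker is to dodge every decoy while gambling on which hosts to touch. All host names, user names and log lines are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed decoy inventory: fake SWIFT hosts and one planted credential
# that no legitimate process ever uses.
DECOY_HOSTS = {"saa-02.corp.example": "SAA",
               "sag-02.corp.example": "SAG",
               "swp-02.corp.example": "SWP"}
DECOY_USERS = {"svc_swift_backup"}

@dataclass
class Alert:
    source: str            # workstation/host the suspicious activity came from
    reason: str            # which decoy tripped the alarm
    timeline: list = field(default_factory=list)  # every event from that source

def parse(line):
    """Parse a constructed 'ts src user dst action' log line into a dict."""
    ts, src, user, dst, action = line.split()
    return {"ts": ts, "src": src, "user": user, "dst": dst, "action": action}

def detect(lines):
    """Return one Alert per source that touched a decoy host or credential,
    carrying the source's full event trail for forensics."""
    events = [parse(l) for l in lines]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for e in events:
        reason = None
        if e["dst"] in DECOY_HOSTS:
            reason = f"touched {DECOY_HOSTS[e['dst']]} decoy {e['dst']}"
        elif e["user"] in DECOY_USERS:
            reason = f"used planted credential {e['user']}"
        if reason and e["src"] not in alerts:
            alerts[e["src"]] = Alert(e["src"], reason, by_src[e["src"]])
    return list(alerts.values())

def p_undetected(real, decoys, moves):
    """Chance that an attacker picking hosts at random, never repeating one,
    makes `moves` lateral moves without hitting any of the `decoys` decoys."""
    p = 1.0
    for i in range(moves):
        p *= (real - i) / (real + decoys - i)
    return p

# Constructed log: alice works normally, bob wanders onto decoys, ws-40 uses
# the planted credential against a real host.
SAMPLE_LOG = [
    "09:00:01 ws-17 alice saa-01.corp.example login",
    "09:00:09 ws-17 alice sag-01.corp.example submit",
    "09:02:44 ws-23 bob saa-01.corp.example login",
    "09:03:10 ws-23 bob saa-02.corp.example login",
    "09:03:31 ws-23 bob sag-02.corp.example login",
    "09:05:00 ws-40 svc_swift_backup saa-01.corp.example login",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.source, a.reason, len(a.timeline), "events")
    print("P(no decoy hit in 3 moves, 10 real + 10 decoys):", p_undetected(10, 10, 3))
```

With as many decoys as real hosts, three blind lateral moves slip past every decoy only about one time in ten, which is the “house always wins” argument in numbers.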

The company claims it can uncover attackers who were already inside a system before its product was deployed, which, given the state of affairs at many players in this industry, is a near certainty.

Touboul says that one of the issues threatening the network is that people are going through the SAA and the more sensitive SAG simultaneously, raising the risk level.

The bigger issue though is that a significant number of SWIFT’s 11,000 customers — banks and other financial institutions — are not in compliance when it comes to being up to date on their software or security practices. In an apparent response to the February attack, SWIFT told its customers in a letter issued in August that they had until November 19 to complete the updates and implement better protections, or it would report them to regulators.

Meeting this deadline is going to be a challenge for many of these institutions due to costs and difficulty. Touboul believes that he can provide them with a stopgap measure that will give them the breathing space to make the upgrades, while providing real security to the client. He says that they hope to sell not only to the financial bodies that use the global network, but to SWIFT itself as well.

GERMANY, BONN - FEBRUARY 03: Symbol photo on the topics computer, computer crime. Photo credit: Ulrich Baumgarten / Getty Images Israel


For those who need a refresher on the SWIFT hack, and this was a fun one, a group of unidentified hackers attempted to steal $951 million from the account belonging to Bangladesh Bank in February through a series of requests to the Federal Reserve Bank of New York. In their first five requests, they routed the funds through a series of banks to reach their fictitious accounts in Asia, converting and hiding the loot. Thankfully, in the attempt to send funds to an account in Sri Lanka, a spelling-conscious employee at Deutsche Bank noticed that the thieves had misspelled the word “Foundation” as “Fandation” (perhaps letting their greed show through), and a request for verification of the transfer shut down the whole operation.

According to reports, the attack began like most with a phishing mission that allowed them to map out the network. Touboul tells Geektime that if they were in place for the Bangladesh situation, “We would have caught the attackers while they were in their intelligence collection phase.”

While this was not the first successful attempt to steal from the SWIFT system, it was the boldest. There are significant indications that the hackers had help from insiders, which, even for a system as seemingly impressive as illusive’s, poses challenges to defenders. If the attackers already have the necessary credentials to approve illicit transfers, or provide their compatriots with them, then the effectiveness of the minefield is somewhat lessened. However, it is worth remembering that security is all about mitigation. It is unlikely that an attacker will always have all the credentials needed to pull off their heist; they will need to dig around for them, increasing their risk of detection.

As a part of Nadav Zafrir’s Team8, illusive networks seems to be rapidly pumping out solutions to some of the most interesting challenges in network security. In July they released their answer to ransomware with a similar product. At this pace, it will be interesting to see what else they succeed in coming out with by the end of the year.

Any guesses? Leave them in the comments.

Gabriel Avner


  • jamie adams

    Using honeypots in enterprises is gaining more and more acceptance. Gartner has recognized this space and calls such solutions distributed deception platforms (DDP). There are several players in this space like TrapX, SmokescreenTech, Acalvio, Thinkst etc. Each has its own spin around deception while having some offerings in common. For example, SmokescreenTech also offers SWIFT decoys and TrapX offers a solution for catching ransomware.