Keith Bromley
Sr. Manager, Product Marketing at Ixia

How To Thwart The ATM Cash-out Security Attack

August 31, 2018 by Keith Bromley

The recent FBI warning to financial institutions about the "ATM Cash-out" security threat is a clear warning to banks to recheck their security protocols. This type of threat can cost a financial institution millions of dollars in a very short amount of time. The good news is that with this specific type of threat, technology is readily available to remediate the problem. A visibility solution that uses a network packet broker (NPB) that supports application intelligence and a Threat Intelligence gateway is the answer.

This type of solution delivers four key capabilities to thwart the ATM Cash-out type of attack by enhancing the following:

  • Ability to block traffic to/from known bad IP addresses and on a country basis
  • Monitoring capability for encrypted traffic (SSL or TLS) traveling over non-standard ports
  • Monitoring capability for network traffic being forwarded to suspicious regions
  • Monitoring capability that reveals the presence of unauthorized or remote network protocols and administrative tools within the bank datacenter

The first thing you will want to do is block as much unwanted traffic as you can. Security is about finding the needle in the haystack. The trick is to make the haystack as small as possible before you start your search. For instance, if the attack is coming from a country your financial entity doesn't do business in, then just shut down any traffic to or from that country. Next, create an access list that blocks traffic to or from known malicious sites within the allowed countries. However, you don't want the creation of this access list to be a manual process. Therefore, you want to deploy a threat intelligence gateway with an access list that is updated automatically every few days, so that this does not become a high-maintenance activity.

Once you start the investigation process for the needle, an NPB will make the task much easier. The basic NPB itself provides data aggregation and filtering capabilities for packet-based data. The addition of application intelligence adds the capability to recognize application type data. This means that the NPB can now tell the difference between web-based applications, voice traffic, file transfer protocols, encrypted traffic, etc. This applies to both packet data and NetFlow data; NetFlow provides a summarized view of activity on the network. Once the NetFlow data is aggregated and filtered, it can be forwarded on to purpose-built analysis tools like Splunk, Plixer, etc. for detailed analysis. Other parameters like geolocation, device type, and browser type can also be included.

Once this NPB with application intelligence is installed in the network, you have a formidable defensive capability. For instance, the solution can recognize whether TLS or SSL is being used to hide malware or confidential information. Data traffic can be captured based upon traffic link, VLAN, or IP address. This data is then replicated by the NPB and forwarded on to a security tool that can analyze in depth whether the traffic is using a standard port or is coming from, or going to, non-standard ports that may have been set up by a bad actor.

Geolocation capabilities also allow bank IT personnel to see whether traffic is coming from, or going to, any non-standard location relative to the financial institution. For instance, if traffic is coming in to, or being sent out from, a North American bank to a destination in Eastern Europe, then there is probably a problem, and this feature can be used as an indicator of compromise for that issue. The geolocation capability can be narrowed within a country, and within the state or territory of the banking entity, as well.

Lastly, application intelligence can also be used to show any unauthorized applications running on the bank network. Signatures are defined for all of the authorized traffic. If traffic is seen that does not correspond to one of these signatures, that data can be flagged. This means that one or more unauthorized applications are running on the network. Some examples might include remote network and desktop control and viewing applications like PowerShell, TeamViewer, and Cobalt Strike. Whatever the unknown application is, IT now has valuable information that can be used to inspect for that type of potential threat.
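As an added example (not code from this article or from any Ixia product), the following Python sketch applies the four checks described above to constructed NetFlow-style records: the blocked and expected country codes, the threat-intel address range, the authorized application signatures and the sample flows are all made-up policy values chosen for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed policy values for this example (hypothetical; not a real threat feed or NPB config).
BLOCKED_COUNTRIES = {"ZZ"}                        # countries the bank does no business with: drop
EXPECTED_COUNTRIES = {"US", "CA"}                 # regions the bank normally exchanges traffic with
KNOWN_BAD_NETS = [ip_network("203.0.113.0/24")]   # TEST-NET-3 stands in for a threat-intel list
AUTHORIZED_APPS = {"https", "dns", "ntp", "core-banking"}  # signatures defined for allowed traffic
STANDARD_TLS_PORTS = {443, 8443}                  # ports where encrypted traffic is expected

# One flow record as an NPB with application intelligence and geolocation would label it.
Flow = namedtuple("Flow", "src_ip dst_ip dst_port app src_country dst_country tls")

def review_flow(flow):
    """Return the findings raised for one flow record, in the order the article lists the checks."""
    findings = []
    # 1. Shrink the haystack: threat-feed hits and blocked countries are dropped at the gateway.
    if any(ip_address(ip) in net for ip in (flow.src_ip, flow.dst_ip) for net in KNOWN_BAD_NETS):
        findings.append("known-bad-ip")
    if {flow.src_country, flow.dst_country} & BLOCKED_COUNTRIES:
        findings.append("blocked-country")
    # 2. Encrypted traffic on a port where TLS is not expected.
    if flow.tls and flow.dst_port not in STANDARD_TLS_PORTS:
        findings.append("tls-nonstandard-port")
    # 3. Traffic to or from a region the bank does not normally deal with (blocked ones already caught).
    if not {flow.src_country, flow.dst_country} <= EXPECTED_COUNTRIES | BLOCKED_COUNTRIES:
        findings.append("unexpected-region")
    # 4. Application signature not on the authorized list.
    if flow.app not in AUTHORIZED_APPS:
        findings.append("unauthorized-app")
    return findings

def triage(flows):
    """Split flows into those dropped at the gateway and those forwarded to the analysis tools."""
    drop, investigate = [], []
    for flow in flows:
        findings = review_flow(flow)
        if "known-bad-ip" in findings or "blocked-country" in findings:
            drop.append((flow, findings))
        elif findings:
            investigate.append((flow, findings))
    return drop, investigate

# Constructed sample records (RFC 5737 documentation addresses; "XE" is a made-up country code).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.20", 443, "https", "US", "US", True),            # clean
    Flow("192.0.2.11", "203.0.113.5", 443, "https", "US", "US", True),              # threat-feed hit
    Flow("192.0.2.12", "198.51.100.30", 4444, "unknown", "US", "XE", True),         # TLS, odd port, region
    Flow("192.0.2.13", "198.51.100.40", 5938, "remote-control", "US", "US", False),  # unauthorized app
]
```

The first two checks mirror what the threat intelligence gateway drops outright; the remaining three produce the flagged flows an NPB would forward to tools such as Splunk or Plixer.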

If you want more information on this topic or network visibility solutions, check out the ebook The Definitive Guide to Network Visibility Use Cases and the following products: VisionONE, SecureStack, and iBypass DUO.