Security Assessment for Financial Institutions
Group-IB history
First 24/7 CERT in Eastern Europe: CERT-GIB is the first private Computer Emergency Response Team in Russia.
Leader on the Russian market: the first and only company in the CIS providing comprehensive services in the investigation of security incidents.
Skolkovo resident: the CyberCop project, an integrated system for counteracting cybercrime.
Various service packages: pre-incident consulting; response; forensics; investigation; legal support; post-incident consulting.
- 2003: Group-IB is founded
- 2010: Acquisition by Leta Group
- 2011: International expansion
- 2011: Creation of CERT-GIB
- 2012: 60+ employees, dedicated certified professionals
Stages of Company Development
Our key Customers
* completed project samples are available per customer request
Security analysis + penetration testing
Offensive security services
Computer Forensics & Investigations
Malware intelligence
Security incident response & Managed security services
Botnet Monitoring (Zeus, SpyEye, Carberp, etc.)
DDOS-attack protection service
Group-IB services for Financial Institutions
As a result of PCI DSS / PA DSS compliance, "classical" web-application vulnerabilities (SQL injection, XSS, local file inclusion) are rarely encountered;
WAF (web application firewall) is widely used; however, it is rarely set up and maintained properly;
Complicated applications, large dynamic changes, the use of third-party and borrowed applications and plugins;
Various attacks on the client, which is initially located in an untrusted environment (ActiveX object vulnerabilities on the client side, other client-side vulnerabilities, inefficient information protection measures).
Banking & E-Commerce vulnerabilities specifics
Penetration testing
Traditional approaches
«Black box» model
«Grey box» model
«White box» model
Informal testing options and qualification
- Developing exploits for vulnerabilities in online-banking software
- Use of «zero-day» vulnerabilities on the client side / server side
- Own software security lab with more than 20 public advisories in bug trackers
- Use of social engineering and individual tactical approaches
- We provide a detailed report and free-of-charge consulting services
HDFC Bank / Blind SQL-Injection; (CVSS Base Score - 9.0)
http://www.hdfcbank.com
«PCI Compliance does not equal security»
HTML5 Canvas capabilities / jQuery and XSS vector vulnerabilities (taking a screenshot and intercepting keystrokes in the context of the session)
XSS exotics – RBS customer is under attack
Analysis of the protection measures
A trusted environment may also contain a vulnerability (ZTIC detachable devices: Zone Trusted Information Channel)
«Dirty» security trick (after shutting off Windows File Protection):
takeown /f <file_name>
icacls <file_name> /grant %username%:F
icacls <file_name> /grant *S-1-1-0:(F)
Checkpoint Abra Multiple Vulnerabilities
http://www.exploit-db.com/exploits/19716/ - Group-IB’s Advisory
Sample built-in ACL list (F:\PWC\data\sandbox-persistence.ref):
<Execute OriginalName="calc.exe" PathName="\calc.exe" AppName="Microsoft Calculator" UIDescription="Microsoft Calculator" id="134"/>
«Zero-day» vulnerabilities applicable to Banks
Network architecture misconfiguration errors
Tixi HSM-HNG Modem for Mitsubishi FX Remote Access
Gathering information from the internal infrastructure of the bank
Line format: <STX><message><ETX><checksum_character>
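As an added example that is not part of the original slides, the following Python code parses the STX/ETX line format quoted above from a monitoring standpoint: frames with bad checksums or missing terminators are reported rather than silently dropped. The slide does not say how the checksum character is computed, so the XOR-of-bytes scheme here is an assumption, not the modem's specification.

```python
# Added example, not from the Group-IB slides: a validating parser for the
# <STX><message><ETX><checksum_character> line format quoted on the slide.
# ASSUMPTION: the slide gives no checksum algorithm; XOR over the message
# bytes plus ETX is used here only as a placeholder scheme.
STX, ETX = 0x02, 0x03  # ASCII start-of-text / end-of-text

def checksum(message: bytes) -> int:
    """Assumed checksum: XOR of every message byte, then XOR with ETX."""
    value = 0
    for byte in message + bytes([ETX]):
        value ^= byte
    return value

def build_frame(message: bytes) -> bytes:
    """Wrap a message in STX/ETX framing and append the checksum byte."""
    if STX in message or ETX in message:
        raise ValueError("message must not contain STX or ETX")
    return bytes([STX]) + message + bytes([ETX, checksum(message)])

def parse_frame(frame: bytes) -> bytes:
    """Return the message from one complete frame, or raise ValueError."""
    if len(frame) < 3 or frame[0] != STX:
        raise ValueError("missing STX")
    end = frame.find(bytes([ETX]), 1)
    if end == -1 or end + 1 >= len(frame):
        raise ValueError("missing ETX or checksum")
    message = frame[1:end]
    if frame[end + 1] != checksum(message):
        raise ValueError("bad checksum")
    return message

def split_stream(stream: bytes) -> list:
    """Split a raw line capture into (message, None) or (None, error) tuples so
    a monitor can log corrupt frames; bytes outside frames count as noise."""
    results = []
    position = 0
    while True:
        start = stream.find(bytes([STX]), position)
        if start == -1:
            break
        end = stream.find(bytes([ETX]), start + 1)
        if end == -1 or end + 1 >= len(stream):
            results.append((None, "truncated frame"))
            break
        try:
            results.append((parse_frame(stream[start:end + 2]), None))
        except ValueError as exc:
            results.append((None, str(exc)))
        position = end + 2
    return results
```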
Security Information and Event Management solutions (SEM, SIM and SIEM)
Implementation of Intrusion Detection and Prevention systems (IDS/IPS)
Implementation of Data Leakage Prevention systems (DLP) and their legal support
SOC’s & Managed security services (MSS)
Information security integration services
Forensic examination:
Restores the chronology of security events
Reveals signs of internal employees' involvement
Discloses details of the committed theft in online banking
Computer Forensics
Typical cases:
Theft involving employees of the affected organizations
Theft with the use of malicious software (Trojans)
Theft involving the substitution of the transaction details sent by e-mail
Investigations
Steps of the RBS incident investigation:
Searching for signs of internal staff involvement and gathering evidence (based on the results of forensic investigations)
Identifying botnet control panels and searching for links to other information security incidents
Identifying individuals providing additional services to the attacker
Obtaining detailed information about the structure of the botnet control panel and evidence of its use in a particular online-banking fraud
Identifying the person controlling the botnet and their actual location
Gathering data in the form of a set of documents to be sent to law enforcement and legal authorities
Investigations
Resources used and sources of information gathering:
Distributed network of HoneyNet traps
Forensic investigation cases database
Malicious software research database
Database of all theft cases collected by Group-IB staff
Details on phishing sources
Previous investigation outcomes
Operational information & OSINT
Links to organizations involved in investigations in 48 countries
Investigations
As part of the investigation you get a detailed progress report, as well as all necessary information and documentation:
The exact location of the botnet’s control center;
Reversing of malicious code samples;
Details on individuals involved in a DDoS attack;
A set of documents to hand the case over to law enforcement.
DDoS attacks investigations
Successful cases and projects
«Grum botnet shutdown, kills 20 percent of worldwide spam»
http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html
Successful cases and projects
Joint operation with Microsoft on the arrest of Leo Kuvaev
http://krebsonsecurity.com/tag/group-ib/
Successful cases and projects
http://www.sbrf.ru/en/presscenter/all/index.php?id114=11018427
«Russian Authorities Arrest 6 More Members of the Carberp Gang»
[Diagram: HTTP Protection Technology (DDoS protection services). Components: Client, Proxifying, Group-IB’s network filtering platform, Internal routing, External routing]
[Diagram: HTTP/HTTPS Protection Technologies (DDoS protection services). Components: Client, Client’s router, Group-IB’s gateway, Group-IB’s network filtering platform, Routing, Visitors]
Security Incident response & MSS
The response to an information security incident is carried out by highly qualified professionals who are confronted daily with a variety of incidents, such as attacks on a web site, an online banking system, or another information asset. Each incident is unique and requires an individualized approach, which is why we have a dedicated forensic team of professionals and a certified CERT to meet the most exacting customer requirements.
Our 24/7 CERT-GIB team responds to all sorts of threats:
• Denial of service attacks (DoS, DDoS);
• Unauthorized use of data processing and storage systems;
• Data compromise;
• Asset compromise;
• Internal/external unauthorized access;
• Creation and distribution of malicious software;
• Breach of information security policies;
• Phishing and unlawful brand use online;
• Fraud in online banking and electronic payment systems.
CERT-GIB Europe - North America - Asia
First 24/7 CERT in Eastern Europe: CERT-GIB is the first Eastern European 24/7 Computer Emergency Response Team, and the first private CERT in Russia
Expanding global presence (Europe, North America, Asia) for smooth and comprehensive incident handling
Immediate response to all types of security threats: phishing, spam, scam, DDoS attacks, malware, etc.
CERT-GIB New York: GMT-5
.RU, .РФ, .SU: unique capabilities. Official ccTLD.ru-assigned expert organization to fight phishing, malware, and botnets, authorized to take action against suspicious activities in the RU, РФ and SU domain zones.
CERT-GIB Moscow: GMT+4
CERT-GIB Vladivostok: GMT+10
CERT-GIB Singapore: GMT+7
Commendations from Law Enforcement officials
References
*translated references and commendations are available per customer request
Media about us