Spokesperson: Lucas Zaichkowsky, Enterprise Defense Architect at AccessData
How an attacker would carry out an attack against a major financial institution such as JPMorgan Chase
Targeted attacks begin by finding an initial point of entry. Chinese APT are well known for preferring spear phishing. Eastern European criminals targeting large victims tend to prefer web application exploits. They’ve both been known to change it up and enter through alternate means if their preference isn’t working out. They important thing to accept is that they will always get onto an initial system, victim zero. From there, they still have to gain administrative level access and map out the internal network to figure out where they are in relation to the data they’re after and map out user accounts to understand who has access. They often have to hack through multiple secured network segments, one at a time, finding or creating holes that let them pivot from one secured environment to the next. All the while, they have to identify what security systems are in place and test their techniques and tools in a lab environment to ensure they’ll evade detection.
Preparations that go into such attacks
The amount of up-front effort that goes into an attack is usually tied to how the attackers break-in. In this case, they broke in through a vulnerable web application which means the attack started the minute they started identifying and probing web applications for weaknesses. The web application they compromised could be completely unrelated to financial data such as the company blog. Once they gain initial entry, that’s when a bulk of reconnaissance efforts kicks in. Attackers breaching relatively secure organizations have to spend significant energy mapping out the internal network, figuring out how to get through several layers of defences undetected.
What vulnerability was exploited
Reports have said that the flaw was on a web site. Eastern European attackers are well known for exploiting web application security flaws to gain initial access to a corporate environment. That’s because web applications tend to be riddled with these types of vulnerabilities unless a Security Development Lifecycle (SDL) is strictly followed and the developers are highly skilled in secure coding practices. If the exploited web application is commercial, JPMorgan Chase most likely already reported the vulnerability to the vendor. If it’s a custom built web application, JPMorgan Chace will need to review their own secure coding practices or scrutinize contracted developers to identify where improvements need to be made.
Expected Impact of the Attack
What’s currently known is that gigabytes of data were stolen, including checking and savings account information. If financial criminals are behind this, they may use that information to commit fraud or identify account holders worth attacking next based on account details. If this is an act of espionage, that data will be used to enhance the foreign government’s collective intelligence, similar to the hypotheses surrounding the motives of the recent Community Health Systems breach. Personally, I suspect financial criminals are behind this breach although there’s not enough information to say for sure. There certainly are financially motivated attackers that show this level of sophistication and attack pattern despite claims to the contrary.
What is the best course of action for organizations that have been attacked
A: In any breach where customer information is affected, transparency and regular communications is very important for re-building trust. It’s very likely JPMorgan Chase doesn’t know the extent of the breach and many important questions can’t be answered until the forensic investigation is complete. I’d encourage them to maintain a communications page with definitive updates as progress is made. They should notify customers of the incident via email and postal mail, directing them to the web page to get up to the minute information. Additionally, they’ll probably have to offer credit monitoring for affected customers to meet the requirements of state laws.