The advanced persistent threat and security of online banking

In this video, U.S. Assistant Attorney Erez Liebermann discusses how law enforcement is addressing the advanced persistent threat within the financial industry, as well as the security of online banking. He talks about the case of TJX and Heartland hacker Albert Gonzalez, and also provides advice on what companies should do after a data security breach, including when to call law enforcement.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.


Mike Mimoso: . . . with me is Erez Liebermann. Thank you for
joining me today, Erez.

Erez Liebermann: Thank you.

Mike Mimoso: My first question to you: are there any recent
cases that the Federal Government has investigated that
you can tell us about?

Erez Liebermann: Certainly I can talk about both what we
have investigated, in terms of a criminal investigation, and
also, what has been in the news, which is Operation Aurora,
with respect to Google and 30 other companies being hit.
What we got there is the advanced persistent threat, where
companies, and perhaps foreign nations, are coming in and
taking, looking to take intellectual property data. Data that is
important both for regular companies and, of course, for the
financial sector, with respect to how the financial sector works,
what they are investing, and that is a very serious threat where
companies, where nation states or perhaps hackers overseas
are doing everything they can, very patiently, to get information
out of companies. With respect to criminal cases that have been
investigated, we just wrapped up the case against Albert Gonzalez
in which he got 20 years, the longest sentence in a criminal
investigation, for hacking, with respect to his hacking of Heartland,
Hannaford, and about a dozen other companies. He and his ring
were all convicted of this and we have been able to put that behind us
now, and as we look forward, we see what other kinds of hacking are
going on, and we have learned from that case how to interact with
companies, and what kind of steps we need to take, and what kind
of steps companies need to take in order to prevent this in the

Mike Mimoso: We are hearing a lot of confusion around APT. Exactly
what is it, who is involved? Can you tell me, share with us, what
kinds of questions you are hearing about APT?

Erez Liebermann: Let me tell you that we hear the same questions,
and the right answer is that there is no right answer. The thing
about advanced persistent threat is that it is persistent. People
are not going in like, let us take even Albert Gonzalez, and they
were very patient, we saw them waiting in the system for months.
When they waited, it was an individual, or two, or three, let us even
say it is ten people. These are not the most sophisticated, highly
funded engineers in the world, which is what we are seeing with
the APT. They are coming in, in every which way they can, and
what they are doing is they are waiting. They are waiting for
that one opportunity where there is something wrong, one glitch
that has gone wrong, and they are able to exploit that and to go
to the next step. Even the best engineers, the best companies in
the world, are not always able to stop that. What you need to do
is consistently monitor your systems to be able to react if
there is such a nation state and such a high level of actors
coming in against you. It is right to be confused, because there
is no one vector and it is not that something like a firewall or
virus is going to be able to stop them just because you think
you have identified it and wiped it out of one system, and you
have taken it completely out. You have reset the whole server,
cleared it out, wiped it and redone the server. There could have
been a fragment of something in another server, or a backdoor
already exists in some other parallel server, and they are able
to re-exploit, go back into the server that you wiped, and keep
working on it, and they stay there, persistent, and they are
quiet, and they wait. They do not do it all at once, it is not a
money grabbing operation, it is an information grabbing
operation about how we can do things.

Mike Mimoso: What is law enforcement doing about this barrage of
attacks against online bank accounts?

Erez Liebermann: Online bank accounts, and we see it a lot with respect
to middle or smaller businesses, are receiving attacks, and in large part it
is thanks to the Zeus Bot. We have been working with the FBI,
the Secret Service, and with overseas law enforcement bodies to
combat the Zeus Bot. Additionally, we have been working with
businesses and talking to businesses about the Zeus bot, and
what could be done to prevent its success. One of the great
things and easiest things that can be done, which in the grand scheme
of things is the cheapest thing that can be done, is to buy a
second computer, so all your online business banking goes from
that computer into the bank. You do not have a computer
connected to the internet, where you are surfing, even
legitimate website surfing of course, but you do not have that.
When you do not have that, you do not have any of the
click frauds or the other scenarios where you can get infected,
even through legitimate website surfing. When you go only to the
bank, you prevent that, and that is the easiest way to maintain
a safe environment when you are going into the banking accounts.

We are pushing for banks to do that a little more, and for
customers to do it more, and it is also, of course, just an
awareness of what you are clicking on. There was a recent
report, just yesterday, about another infestation of the Zeus
Bot going out to hundreds of thousands of millions of users. In
that infestation of the Zeus Bot, we are once again seeing that
individuals are seeing an email that is perhaps interesting,
they are clicking on it, clicking on the material within it,
they are opening the attachments, which they have no reason to
open. They are opening and clicking on website links within it,
and that's causing some more infestations of the Zeus Bot.

Mike Mimoso: What are some key steps that financial institutions can
take after a breach? For example, when should they bring in law
enforcement or call somebody like you?

Erez Liebermann: When we talk about the key steps after a breach, we
talk about the key steps before a breach, as well. Let me answer that
part first.

Mike Mimoso: Sure.

Erez Liebermann: Before a breach, you have got to have an incident response
plan. If you have that in place and you are ready when an incident occurs,
you are not in the panic mode, because everybody is in a panic
mode when you hear that 100,000 or 100 million credit card and
debit card numbers have been stolen. That is natural, you are
going to panic, engineers are going to want to save their jobs
if they think they are at risk, or prove that they did not do
anything wrong, and that is not the right time to come up with
what you want to do. When you have an incident response plan,
then you can act correctly upon an incident. What you have when
you have an incident is going to depend, or what you do when you
have an incident is going to depend on the incident. If there is
an incident in which you have evidence of a tremendous amount
of database stolen, of a tremendous amount of international
presence, and international attacks, it may be a scenario where
you need to call law enforcement sooner than later. I would
always recommend calling law enforcement.

Sometimes there are scenarios where you can use in-house people,
you can use outside forensic consultants, and there is a little
more time to react. When there is an international incident or
there is material, or sensitive material being taken, certainly
when there is classified material being taken, there is a need
to call law enforcement right away. What we recommend is to
freeze data, keep data, make sure that you are preserving all
logs at that time, and make sure that you are working with the
technical people who know exactly how to react, and have reacted
to this in the past. Not just people, and you respect a lot,
certainly, firewall and antivirus companies, but also companies
that have responded to data breaches and know what kind of
stuff is necessary both to protect the company and to check
that, not just the one server, but the other servers are also
clean, also in terms of interacting with law enforcement, and
are able to provide law enforcement with the necessary materials
so that law enforcement can continue the prosecutions.

Mike Mimoso: Great. Thank you for joining me here, Erez.

Erez Liebermann: Thank you very much.
