Organizations tend to involve law enforcement after the hackers have already
been in the system for some time, so there has already been some damage,
Kellermann said. The unknown Nasdaq hackers had penetrated the network multiple
times, and the investigation has been ongoing for at least six months.
Once in the system, the attackers likely had probed and traversed to other
connected systems and set up "colonies" beyond where they entered the
network, he said. The "tendrils do not end here," as the hackers
definitely probed the network to find other systems, he said. Once hackers are
in the system, they create backdoors and additional passwords to ensure they
can get back in the system, he said.
"Hackers don't just stop where they land. Like the conquistadores in South
America, they go deeper to see what they can colonize,"
Criminals often sell these "owned systems" in an underground marketplace
for others to take advantage of, he said. Those individuals may have more
nefarious intentions than the original thieves.
Criminals often target major managed services providers for the same reason
these attackers chose Nasdaq, Kellermann said. It is a "gateway" to
other systems. Instead of attacking one bank, hitting one service provider gets
them access to 300 banks at once, he said. Nasdaq's Director's Desk is
analogous to a managed service provider scenario, since Nasdaq offers its customers
a platform to share documents.
Even though Nasdaq OMX claimed to have
fixed the problem, it's not clear it can keep the attackers out. "Once
these hackers are in the system, it is much like leukemia-it's hard to
extricate them," Kellermann said.
The malware the hackers left behind allowed them to execute code, he said.
Just because attackers left this malware behind didn't mean they hadn't
accessed anything else, he said.
Usually, IT managers have to reimage and rebuild the machines from scratch
to regain control of the compromised machine, he said. The Nasdaq servers are
production machines and probably can't be down for more than 12 hours per week,
he said. These can't be reimaged so there's no way to really ensure that all
traces of the attackers have been removed.
Nasdaq OMX should be focusing on where
the attackers can go next from the breached system and protect those systems, Kellermann
said. "You can't fortify the castle once they are inside. You just have to
build a better keep and dungeon," he said. With penetration testing, IT
managers can figure out all the possible attack paths and prioritize the ones
that should be secured.
It's "glaringly obvious" this application was never properly
tested, he said. Now it's up to the defenders to find out and secure all the
other applications that can be accessed from this system, he said.