My CFO received an email from a director at a financial institution advising that all traffic (inbound and outbound) from certain IP addresses should be blocked at the firewall. The director at the financial institution was advised by his IT department to send this mail. The list of addresses (about 40) was in an attached, password-protected PDF. The password was sent to my CFO by text message.

I initially thought this was a malicious attempt to get our CFO to open an infected PDF, or a phishing/whaling attempt, but it seems legit. We have spoken to the IT department at the FI and they say it's genuine, but they can't (won't) provide any more information. Due to the nature of the relationship between my company and the FI, refusing isn't really an option. From what I can see most of the IP addresses appear to belong to tech companies.

Does this approach strike you as suspicious? Is there some social engineering going on here? What could the nature of the threat be?

upsidedowncreature

  • I think this question is missing sufficient detail to provide a good answer. What I find especially missing are more details on the affected IP addresses, the reasons given for the block and the original source of the recommendations (which is likely not a director of a FI, who usually has not much idea of IT security). It is not uncommon though that some information about potential dangers gets only provided to selected potentially affected companies and not made public, in order to not provide attackers too much information that they are known. This might explain the encrypted PDF. – Steffen Ullrich Sep 10 '18 at 15:11
  • You also do not describe the nature of your relationship with the FI to know if this is a reasonable request (legitimate or not). – schroeder Sep 10 '18 at 15:15
  • It's missing detail because I haven't got any detail, other than a list of IP addresses. The fact that the request came from a director of a financial institution is what I find suspicious. I'm well aware such a person would be unlikely to be well versed in IT security matters. I know it's a vague question, something just doesn't sit right. – upsidedowncreature Sep 10 '18 at 15:25
  • What is the title of the director? What is the size of the FI? Is the director your usual contact? – jcaron Sep 10 '18 at 15:33
  • @jcaron ultimately, those 3 facts do not matter – schroeder Sep 10 '18 at 15:42
  • @schroeder Ultimately, no. But: if the IT department needed to communicate with all "partners" because they were aware of a specific risk (say, Wannacry++), they could have gone to the "director of partnerships" who actually has the list of all partners with the relevant contact info. This may remove one of the elements of uncertainty OP has with the way this was communicated. OP, when you spoke to the IT department at the FI, you used contact information you already had, not a phone number included in the e-mail, of course? – jcaron Sep 10 '18 at 15:50
  • Could this have something to do with compliance, e.g. sanctions, AML, terrorist blacklists? – Sentinel Sep 11 '18 at 04:47
  • It might be worth pointing out that IP addresses can be spoofed, so blocking 40 addresses (assuming they're not IP range bans) seems fairly small and arbitrary. – SE Does Not Like Dissent Sep 11 '18 at 11:56
  • OK I checked and this is most likely a compliance issue. IMPORTANT: Where in the world are you, and where in the world are these firms? – Sentinel Sep 11 '18 at 16:17
  • To find out what the nature of the threat is, you could set up a honeypot / IP logging. – Jules Lamur Sep 11 '18 at 17:16
  • Given recent news and that the list seems to be tech companies, I wonder, since the OP has not said, if the block list is for P2P or STUN services operated by tech companies that theoretically *could* allow connecting to CCTV services which sadly too many techs leave installed with default username/passwords and unneeded services on? In such a case it is easier to properly manage your own network and connected equipment. I cannot comment on the design or operation of such P2P networks but it is conceivable that when enabled on devices they leave a large wide-open opportunity for tech companies. – Willtech Sep 13 '18 at 11:41
  • My guess is that this came from FBI counterintelligence (or a similar source) and was designated [TLP:AMBER](https://www.us-cert.gov/tlp). Distributing the action item to partners under tight controls is about all they can do. Asking what you need to do to get your company on the source's distribution list is a good idea so in the future you'll have more information. – David Schwartz Sep 13 '18 at 18:35
  • Is there any possibility that not being able to access those IP addresses would give an advantage to a competitor? – Eric Duminil Sep 14 '18 at 08:15
  • Are the IPs [Tor Exit Nodes](https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1)? – user1067003 Sep 14 '18 at 10:57

5 Answers

Answer (score 117)

If you spoke to the FI on a separate channel, you actually spoke to the FI, and they know about this, then by definition, it is not a phish.

What strikes me as odd is "but they can't (won't) provide any more information", and "refusing isn't really an option". These 2 facts cannot co-exist if you are a separate entity from the FI.

Your push-back is simple: your firewall policy requires a legitimate reason along with an end-date for the rule to be reviewed/removed. You don't just add firewall rules because someone outside of the organisation told you to. The FI has no idea if blocking those IPs may impact your operations.

  • what effect is this rule supposed to have?
  • how long does the rule need to exist?
  • who (named individual) owns this rule on the FI side?
  • what remedies are expected if the rule has a negative effect on operations?
  • what effect will there be between your companies if the rule is not implemented exactly as requested?

You will not add the firewall rule without knowing what the impact is, either positively or negatively. If they want greater control over your firewalls, then they can supply and manage your firewalls for you.

On the other hand, if they own you and the risks, then they take on the risks of this change, so then just add the rules.

As for a Director sending this request, it's not so strange. When you need someone to do something, you have the person with the most clout make the request. The Director may have no idea what a firewall is, but the request is being made in that person's name. I am also curious why so much clout is needed, though. It seems like they want to pressure you into doing it while not having to explain themselves. Don't let them dictate your policy and how you best protect your company.

schroeder

  • “Don't let them dictate your policy and how you best protect your company.” unless for political reasons refusing is not an option. – DonQuiKong Sep 10 '18 at 18:55
  • @DonQuiKong then if politics beats proper security and risk management, then that's your policy – schroeder Sep 10 '18 at 18:56
  • I mean, I do like your answer in general, but OP is saying *I can't refuse, what problems could this bring?* and you're saying *whatever, just refuse*. That's not really an answer. One could call it a frame challenge, but it sounds more like an utter frame destruction. – DonQuiKong Sep 10 '18 at 19:01
  • Re-read my answer. I did not say "just refuse", I said push back with specific requests for information. – schroeder Sep 10 '18 at 19:02
  • I cannot possibly imagine any scenario where the politics overrides the liabilities that *both* companies are exposed to by the one dictating firewall rules to the other. If the FI wants to push, then they must also take on the liabilities, and that needs to be made clear. – schroeder Sep 10 '18 at 19:06
  • “I won't do this unless...” is kinda a refusal. But you're right too, it's also a conditional yes. My point is, OP's question is *this smells fishy, where could the fish be*. Your answer is *don't do this*. You're right, but you're not answering the question. (But IMHO it's not answerable, so ...) – DonQuiKong Sep 10 '18 at 19:18
  • That's all covered in my first line. The rest will likely uncover the "fish". – schroeder Sep 10 '18 at 19:33
  • You could always pretend to say yes. For example: "Sure, we can add those. Here's the standard form for requesting new firewall rules, please fill it out and send it back by Thursday." The form then asks for whatever information you want. – Kevin Sep 11 '18 at 00:06
  • @Kevin if the company "cannot refuse" then deception only increases the liability of the company. Everyone involved should be professional about the situation and provide mutual respect for each other's agency and responsibilities. – schroeder Sep 11 '18 at 07:51
  • I think @Kevin's point is not so much deception (despite advocating for it at face value), but that you can put a friendly face on the demand. Rather than phrasing the request as a demand for information, emphasize your openness to fulfilling the request as long as reasonable policies are met: "Thanks for this suggestion. Per our policy, we need to record some more information before we can put it in place. We also need to better understand what the intended impact is, so that we can evaluate the rule in light of the rest of our policies/rules and whether we succeeded or not." Or similar. – jpmc26 Sep 11 '18 at 19:11
  • I understand you're not advocating for appearing to be the grumpy, aggressive, "Don't mess with MY network" sort of person, of course, but your answer does read harshly. I think that's completely justified, but pointing out that you can be tactful about the demand isn't a bad thing, either. – jpmc26 Sep 11 '18 at 19:17
  • @jpmc26 It does read harshly, and I am not advocating to be grumpy but to draw very clear lines of responsibility. Any request by an outside party to configure the firewall and not provide information when asked ("but they can't (won't) provide any more information") must be resisted on its face. This is not the time for a "friendly face". And for one of the people involved to need to ask here for help means that person needs the permission to take a hard-nosed stance. – schroeder Sep 11 '18 at 19:19

Answer (score 39)

I would lean away from this being a social engineering attempt and more towards a peer FI being uber-cautious regarding information disclosure - they may have had some kind of incident involving these IPs and are not at the stage where they want to disclose anything further.

Look at it this way: what would an apparent threat actor really have to gain from this?

You mention that many of the IPs are related to technology companies.

  • Do these companies provide any web hosting which could be used as malicious infrastructure?
  • Do these companies provide any proxy services which could be abused?
  • Do these companies provide any security testing software which could be used maliciously?

While the organizations themselves may be legitimate, they could be taken advantage of, however without further information from this FI, I would not take action: the burden of proof rests with the sender of this list.

This is effectively low-quality threat intelligence - it provides no evidence that the indicators are worthwhile actioning.

As an aside, is there any way you can set up monitoring on these IPs in the meantime? Some investigation on your end may yield the information you need to determine why these are allegedly worthy of blocking (some OSINT digging might be fruitful, also).

Doomgoose

  • Could requests from these IP addresses be sent to a separate server (perhaps on a link local network) and quarantined for analysis? – Tracy Cramer Sep 10 '18 at 19:17
  • Two good options in this space: you could forward sinkhole them (such as link local) or you could allow and analyse "on the fly" but drop them further down the line if there was still a concern. – Doomgoose Sep 10 '18 at 19:24
  • "what would an apparent threat actor really have to gain from this?" Some kind of denial of service to one of the blocked parties. The threat doesn't necessarily have to be directly to the OP's company, even though it's in their interest to ensure their customer's needs are met. – jpmc26 Sep 11 '18 at 19:53
  • @jpmc26 - Absolutely correct that this is a possibility, however I feel this would be highly unlikely: it's not a tactic I've ever come across or even heard of used against an organisation. Given that this adversary would need to not only know the correct team to contact and the sender to spoof and that the blocking of these IPs would lead to service degradation for the target, I don't think it's a likely avenue of attack in this case. – Doomgoose Sep 11 '18 at 20:22
  • "what would an apparent threat actor have to gain from this" - they could be building precedent. This time it's block an IP list in your firewall. They'll make a similar request a few more times and it'll become easier and easier to get through the red tape until it becomes almost normal. Then one request will include some whitelist rules and nobody thinks anything of it because they've been trained not to worry – Darren H Sep 12 '18 at 05:51
  • "what would an apparent threat actor really have to gain from this?" Blocking update servers related to your stack would match IPs at tech companies and could just be paranoid (you need to vet updates) from a legitimate actor or malicious from an illegitimate one (we need a few days to get in.) But either way, not knowing if this is what you are doing is negligent. – lossleader Sep 12 '18 at 22:00

Answer (score 13)

My CFO received an email from a director at a financial institution advising that all traffic (inbound and outbound) from certain IP addresses should be blocked at the firewall. The director at the financial institution was advised by his IT department to send this mail. The list of addresses (about 40) was in an attached, password-protected PDF. The password was sent to my CFO by text message.

The only part about this that I find strange is that the CFO is involved at all in this. CTOs (or subordinates) routinely deal with cyberintelligence and information sharing amongst institutions and national intelligence agencies (FBI, CERT, etc.).

I initially thought this was a malicious attempt to get our CFO to open an infected PDF, or a phishing/whaling attempt, but it seems legit. We have spoken to the IT department at the FI and they say it's genuine, but they can't (won't) provide any more information. Due to the nature of the relationship between my company and the FI, refusing isn't really an option. From what I can see most of the IP addresses appear to belong to tech companies.

Your diligence is worth applause; that is a plausible vector.

You don't specify what these "tech companies" are, but if they are things like AWS, DigitalOcean, Linode, Vultr, Choopa, Hetzner, OVH, Velia, et al. then you should know that these tech companies (and many other smaller ones, including torrent seedboxes) are routinely implicated in botnets, malware and financial fraud. Anything offering shared hosting or VPS services is a possible platform for launching attacks. I can tell you from direct experience that many of the HSA, W2, tax return fraud and other scams journalists like Krebs reports on are launched from cheap VPS services like these.

Does this approach strike you as suspicious? Is there some social engineering going on here?

Information about current incidents can get shared formally (through publication to US-CERT mailing lists, amongst institutions on DIBNET, FS-ISAC, etc.) or via weird PDF-sharing schemes between executives that originated from what was supposed to be a non-disclosable, non-attributable FBI tip. It happens.

When the FBI is the originating source, they generally provide little to no detail or context and so shaking the tree and refusing to take action without further information may not be received well by your superiors. Keep holding out and you'll end up like the shmuck at Equifax who delayed patching Struts prior to the breach; he was the first person to get thrown under the bus. You apparently have a business agreement obligating you to implement some IP blocks based on threat intelligence received. Just do it.

Again, the only fishy part to me is that the CFO was the recipient. But that could just be due to the nature of an existing relationship between him and that director.

It is entirely possible someone is trying to cause chaos by having you block IPs of companies you do business with, but that seems far-fetched; it requires a lot of inside knowledge and effort to accomplish a small interruption at worst.

What could the nature of the threat be?

Director at financial institution X was made aware of an incident. They were likely compromised by one or more of those 40 IPs, or made aware of a threat from an external source. They may or may not have observed evidence that your company may also be a potential target, either through credentials they saw attempted, endpoints requested, or data exfiltrated. They saw fit to share this information with your company so you could take proactive measures.

Between you and me, I'm not fazed by this scenario. This is the sort of thing I come in to find in my mailbox every Monday (and especially in the days following national holidays; foreign attackers love waiting until they know nobody's going to be in the office for a few days. Labor Day was last week...).

What I personally do with these lists before implementing blocks is run them through our own logs and see what activity the same actors may have been up to with our own systems. Look for activity by any IPs within the same subnets; the IPs supplied may not have been the same ones that might have targeted you already. Sometimes it uncovers evidence of compromise that wasn't within the scope of the supplied intelligence.

Ivan

  • I would not really advise anyone to block a list of disposable DigitalOcean droplets on a per-IP(v4?) basis without creating a process of maintaining those blacklist records. NB: DO alone has [hundreds of thousands if not millions](https://bgp.he.net/search?search%5Bsearch%5D=digitalocean&commit=Search) IPv4 addresses which an attacker is able to move between in maybe minutes. And, say, AWS deploys much, much more. – ximaera Sep 11 '18 at 01:14
  • Also, AWS is not just a botnet hoster, it's a popular provider of convenient whatever-aaS functions, frequently used by enterprises. What if any of your customers or partners is also using AWS? What if they occasionally migrate to one of those blocked IP addresses once a malicious application is removed from those by the Amazon security team? No, this is just asking for trouble. – ximaera Sep 11 '18 at 01:20
  • The CFO involvement suggests this might be a compliance issue, not a security issue. – Sentinel Sep 11 '18 at 04:49
  • I don't see what's suspicious ... a *financial* institution's contact with your company is most likely the CFO, or someone under his command. If they contacted the CTO, there'd be a longer delay as the CTO tried to confirm the origin of the message. If the CFO contacted you directly, and you report to the CTO or CIO, then yes, get some confirmation from your higher-up, but if something goes wrong, and you just dismiss it because it seemed strange, you're the one that's going to be hung out to dry. It might be worth getting a policy of which CxO is 'confirm later' vs. 'confirm first'. – Joe Sep 11 '18 at 19:04
  • @ximaera Doing nothing in the face of a stated threat (CVE) is what led to the Equifax breach. Under the (former) CEO the prevailing mentality there was one of "waaah we can't do anything that will impact production." Look where that got them. Accidentally blocking a segment of customer/partner infrastructure (*if that's even applicable in this case*) is at worst a technical error, the resolution of which is governed by contracts and SLAs, and the consequences of which are significantly lesser than getting pwned altogether. – Ivan Sep 11 '18 at 19:06
  • @Ivan I wouldn't necessarily think that contacting the CFO has to be suspicious. In addition to the comment from Joe, there are also Fortune 500 companies that do not have a C-Suite leader of the IT department. In some of these situations, the IT Director/VP/Manager will report directly up to the CFO or COO. So the CFO may be the ultimate head of the IT department. – kuhl Sep 13 '18 at 17:59
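Both Ivan's answer ("run them through our own logs ... look for activity by any IPs within the same subnets") and Doomgoose's earlier suggestion to monitor the listed addresses before acting come down to the same check. The following is an added example of that correlation; it is not code from either answer. The log format is a generic syslog-like shape, the indicator list and every address in it are constructed from RFC 5737 and RFC 2544 test ranges, and treating the containing /24 as the "same subnet" is this example's own assumption (widen or narrow it to match how the listed hoster allocates space).

```python
import ipaddress
import re
from collections import Counter

# Constructed indicator list, as it might be extracted from the password-protected PDF.
# Single addresses and CIDR ranges are both accepted.
INDICATORS = ["192.0.2.10", "198.51.100.0/28", "203.0.113.77"]

# Constructed firewall log lines (not a real product's format). 10.0.0.0/8 is the
# internal side; 198.18.0.1 is an unrelated address that should match nothing.
LOG_LINES = """\
Sep 10 03:12:01 fw1 kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=22
Sep 10 03:12:04 fw1 kernel: IN=eth0 SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP DPT=445
Sep 10 03:13:30 fw1 kernel: IN=eth0 SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP DPT=3389
Sep 10 03:15:40 fw1 kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.8 PROTO=TCP DPT=443
Sep 10 03:16:02 fw1 kernel: OUT=eth0 SRC=10.0.0.8 DST=203.0.113.77 PROTO=TCP DPT=443
Sep 10 03:17:00 fw1 kernel: IN=eth0 SRC=198.18.0.1 DST=10.0.0.5 PROTO=UDP DPT=53
"""

# Pull every source and destination address out of a line (IPv4 only in this sample).
ADDR_RE = re.compile(r"\b(?:SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_indicators(items):
    """Parse IPs and CIDRs into network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def neighbourhoods(nets, prefix=24):
    """The /24 that contains each IPv4 indicator (assumed meaning of 'same subnet').

    Indicators already wider than the prefix are kept as they are.
    """
    return {n.supernet(new_prefix=prefix) if n.prefixlen > prefix else n
            for n in nets if n.version == 4}


def correlate(log_text, indicator_items):
    """Return (exact, nearby): counters of addresses seen in the log that fall inside
    an indicator, and of addresses that only share an indicator's /24."""
    nets = load_indicators(indicator_items)
    near = neighbourhoods(nets)
    exact, nearby = Counter(), Counter()
    for line in log_text.splitlines():
        for addr_text in ADDR_RE.findall(line):
            addr = ipaddress.ip_address(addr_text)
            if any(addr in n for n in nets):
                exact[addr_text] += 1
            elif any(addr in n for n in near):
                nearby[addr_text] += 1
    return exact, nearby


if __name__ == "__main__":
    hits, neighbours = correlate(LOG_LINES, INDICATORS)
    print("exact indicator hits:")
    for addr, count in hits.most_common():
        print(f"  {addr:<16} {count}")
    print("same-/24 activity not on the list:")
    for addr, count in neighbours.most_common():
        print(f"  {addr:<16} {count}")
```

On the constructed log this reports three exact hits (one inbound SSH attempt, one inbound HTTPS connection from inside the /28, one outbound connection to a listed address) and two further connections from 192.0.2.200, which is not on the list but sits in the same /24 as a listed address; that second category is what Ivan's answer means by evidence outside the scope of the supplied intelligence. Point it at real exports by replacing `LOG_LINES` with file contents and adjusting `ADDR_RE` to the product's field names.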

Answer (score 7)

The fact that the IT department does not know the reasons for blocking the IPs and the fact that the FI execs are liaising with the CFO, as opposed to CTO, suggests this is a compliance issue.

You may be facing implementation of sanctions, AML, or antiterrorism blacklists. Possibly PCI audit.

I have worked in banks, and compliance procedures can be quite bizarre, and challenging to implement. You could ask Compliance for approval on the measure itself.

Sentinel

Answer (score 6)

Does this approach strike you as suspicious?

You said, "Due to the nature of the relationship between my company and the FI, refusing isn't really an option."

That is a very interesting statement. Ultimately, without being forthcoming on the details of that relationship I don't think anyone can say whether this approach is suspicious or not. It certainly sounds like the contractual arrangements between the two companies covered this scenario. If that's true, then no this is not suspicious.

Is there some social engineering going on here?

Doesn't sound like it. If you have verbally confirmed that the other company's IT department has in fact sent this request/order then no, this is not a social engineering problem.

What could the nature of the threat be?

Maybe the other company has proof that those tech companies have been infiltrated. Maybe the other company is simply concerned that their IP might be stolen by those companies. Without knowing who is involved it is impossible to guess.

NotMe