On June 6th, Forbes reporter Kashmir Hill wrote about an NSF researcher who misused NSF-funded supercomputing resources to mine Bitcoin valued between $8,000 and $10,000. The article points to a student at London Imperial College and a researcher at Harvard University who are also alleged to have used their University’s computers to mine a similar virtual currency called Dogecoin.
As a CISO, your first reaction might be that inappropriate uses of your organization’s resources should be stopped, but this is probably not your highest priority. Someone using your computer(s) and network to mine virtual currency is a bit like someone charging his or her electric car from a power outlet on your home. Yes, they are using your electricity without permission or reimbursing you. However, they aren’t stealing something of high value and threatening your life or livelihood. Still, this is something we probably want to know about and stop if we can.
The typical security products used by organizations aren’t detecting illicit activity like virtual currency mining. Computers mining virtual currencies like Bitcoin or Dogecoin communicate over port 80 which firewalls are configured to allow through. If an organization uses an intrusion prevention system (IPS), those devices can use signature to detect virtual currency mining. However, not every organization uses an IPS and not all signatures are always enabled. Since there are thousands of signatures, security teams manage and prioritize them based on business risk to ensure IPS throughput performance. So, even if you have an IPS in your perimeter defenses, it may not be configured to find and stop virtual currency.
This begs the question whether detecting virtual currency mining is important at all. Before answering, it is important to remember that making significant money from mining virtual currency requires a lot of computing cycles. To get these cycles, the person driving the mining process may go to a bot herder who controls thousands of infected computers through a botnet.
If you find a computer in your organization mining a virtual currency, either the owner of the machine installed the mining software or the software was installed without their knowledge. If it is the former, then you need to worry about what other unsanctioned activity the employee is using the computer to do. If it is the latter, then there could be other infected devices on your organization under a bot herder’s control. These infected computers could be used for virtual currency mining today, but tomorrow, they could be used for a DDoS attack on a popular search engine which could cause your IP address to be blacklisted. In the attacker economy, botnets are the original cloud computing except the bot herder didn’t pay for the computers and the network that he is leasing out.
Our X-series platforms have detected Bitcoin and other virtual currency mining in networks and the thought process above is one we have witnessed customers experience. Customers use our product to augment perimeter defenses like firewall and IPS to identify malware and targeted attacks that have evaded the perimeter, or which were walked through the front door on laptops that are used outside the company firewall.
Getting back to the question of whether it is important to detect Bitcoin mining, not having security that can detect virtual currency mining is an indicator that your defenses may not be ready to detect a targeted attack. It is important to have security systems that detect all malicious behavior and report it in a manner that enables you to find signals amongst the noise, quickly triage and prioritize your finite resources on the highest risks.
To learn more about how Vectra Networks helps customers quickly detect and triage threats and attacks that evade perimeter defenses, watch Sam Kamran, CISO at Riverbed talk about his experience. To learn more about how Vectra works, watch a 2-minute demo.