Intelligent CISO Issue 06 | Page 79

We're actually at the point now where Bitcoin mining centres have become the majority of the network.
decrypting myths

surreptitious cryptomining). Or where an employee inadvertently downloads free software that might not disclose that it performs cryptomining on the back-end. There are video streaming sites and file sharing networks that have allegedly been cryptojacking users' computers (as has a free Wi-Fi provider in an Argentinian Starbucks).
• The rationalising insider: Here, an individual downloads small-scale cryptomining or cryptojacking software they intend to run when their machine is idle. This miner rationalises that it's OK to use their machine to generate money when it's not in use.
• The malicious outsider: Similar to a DDoS attack, which uses a server or service vulnerability, a hacker can hijack an entire connected infrastructure to develop a distributed cryptomining operation. Since not a lot of traffic is generated, and servers in data centres are expected to have a fairly high load, these hijacks may go unnoticed for a long period of time.
Can you share some examples of cryptojacking in action?
After the Florida Department of Citrus (FDC) saw its utility bill skyrocket by over 40%, an FDC employee was arrested in March for allegedly using its computers to mine cryptocurrencies. The employee also allegedly used department funds to purchase 24 graphics processing units (GPUs) totalling nearly US$22,000.
GPUs are often used for cryptomining because they can crunch numbers faster than systems using conventional CPU chips. It happened recently to Tesla too, after a Kubernetes console was left unprotected. The risk here is not of data theft but of IT downtime, hardware burn-out, productivity losses and rising energy bills.
We know that cryptomining can use a tremendous amount of energy. But how much of your organisation's power could cryptominers potentially be using, and how much would it cost?
The answer is difficult because it depends on many variables. Determining how many machines are being utilised is a start. However, not all machines consume the same amount of power, which depends on the type and number of CPUs and whether they are using GPUs. It also depends on how often and how intensively they are being used.
Add in the cooling costs and it's a complicated equation. The best thing organisations can do is look for anomalies in their bills and, if seen, start looking for suspicious activity.
What should you look for?
Cryptomining creates a significant deviation in pattern and velocity. Look for a sudden change in capacity or use, as well as for an abnormal executable. For example, consider the sudden night-time appearance of an odd executable in an environment that usually only runs EXCHANGE.EXE or NTDS.EXE. This should be flagged as abnormal. Or consider a machine, ordinarily only operating during daytime hours, that is suddenly running 24x7.
A few straightforward ways to detect such irregular behaviours are to learn what sort of processes and connections servers create with outbound access (to connect to mining pools etc.) and to model the normal behaviours.
The same goes for server capacity and utilisation. In a production environment, there are certain benchmarks that IT performs to ensure proper service is maintained; deviation from these benchmarks may be an indicator of capacity abuse. An emerging technology called entity analytics can automate detection by baselining normal machine behaviour and highlighting the anomalies.
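The baselining approach described in this answer (learn which executables each server normally runs, the hours it is normally active and where it connects, then flag deviations), as an added example that is not part of the original article or the interviewee's work: a small Python script that builds a per-host baseline from one window of telemetry and raises the three kinds of alert the text names over a later window. The log format, the host names, the process names (including the "winhelper.exe" executable), the remote addresses and the list of ports attributed to stratum mining pools are all constructed assumptions for illustration.

```python
"""Baseline-and-deviation detection for cryptojacking indicators (added example)."""
from collections import defaultdict
from datetime import datetime

# Ports commonly used by stratum mining pools. Assumption for this example; a
# real deployment would add threat-intel lists of known pool hosts as well.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Distinct hours outside the baseline before a host is called "running 24x7".
ROUND_THE_CLOCK_THRESHOLD = 4

# Constructed telemetry, format: "<iso-time> <host> <process> <remote-ip>:<port>".
# Baseline week: mail01 runs EXCHANGE.EXE 08:00-18:00, dc01 runs NTDS.EXE all day.
BASELINE_LINES = (
    [f"2018-03-0{d}T{h:02d}:00:00 mail01 EXCHANGE.EXE 10.0.0.5:443"
     for d in (5, 6) for h in range(8, 19)]
    + [f"2018-03-05T{h:02d}:00:00 dc01 NTDS.EXE 10.0.0.9:389" for h in range(24)]
)
# Later window: mail01 additionally runs an unknown executable overnight that
# talks to an outside host on port 3333; dc01 behaves as before.
RECENT_LINES = (
    [f"2018-03-12T{h:02d}:00:00 mail01 EXCHANGE.EXE 10.0.0.5:443" for h in range(8, 19)]
    + [f"2018-03-12T{h:02d}:00:00 mail01 winhelper.exe 203.0.113.7:3333" for h in range(0, 6)]
    + [f"2018-03-12T{h:02d}:00:00 dc01 NTDS.EXE 10.0.0.9:389" for h in range(24)]
)


def parse(lines):
    """Turn telemetry lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1],
              "process": parts[2].upper(), "remote_port": None}
        if len(parts) >= 4 and ":" in parts[3]:
            ev["remote_port"] = int(parts[3].rsplit(":", 1)[1])
        events.append(ev)
    return events


def build_baseline(events):
    """Per host: the set of executables seen and the hours of day it was active."""
    baseline = defaultdict(lambda: {"processes": set(), "hours": set()})
    for ev in events:
        baseline[ev["host"]]["processes"].add(ev["process"])
        baseline[ev["host"]]["hours"].add(ev["ts"].hour)
    return baseline


def detect(baseline, events):
    """Return alerts as (host, kind, detail) tuples, one per distinct finding."""
    alerts, seen = [], set()
    off_hours = defaultdict(set)
    for ev in events:
        host = ev["host"]
        base = baseline.get(host, {"processes": set(), "hours": set()})
        hour = ev["ts"].hour
        # 1. An executable this host has never run during the baseline window.
        if ev["process"] not in base["processes"]:
            key = (host, "unknown_process", ev["process"])
            if key not in seen:
                seen.add(key)
                when = "off-hours" if hour not in base["hours"] else "business hours"
                alerts.append((host, "unknown_process",
                               f"{ev['process']} first seen at {hour:02d}:00 ({when})"))
        # 2. An outbound connection on a port associated with mining pools.
        if ev["remote_port"] in MINING_POOL_PORTS:
            key = (host, "mining_pool_port", ev["remote_port"])
            if key not in seen:
                seen.add(key)
                alerts.append((host, "mining_pool_port",
                               f"outbound connection to port {ev['remote_port']}"))
        # 3. Activity in hours the host was never active during the baseline.
        if hour not in base["hours"]:
            off_hours[host].add(hour)
    for host, hours in off_hours.items():
        if len(hours) >= ROUND_THE_CLOCK_THRESHOLD:
            alerts.append((host, "round_the_clock",
                           f"active in {len(hours)} hours outside baseline: {sorted(hours)}"))
    return alerts


def run_example():
    """Baseline on the first window, then look for deviations in the second."""
    return detect(build_baseline(parse(BASELINE_LINES)), parse(RECENT_LINES))


if __name__ == "__main__":
    for host, kind, detail in run_example():
        print(f"{host}: {kind}: {detail}")
```

Note that dc01 produces no alert even though it runs around the clock: 24x7 activity is its own normal, which is why the baseline is built per host rather than from one global notion of business hours. The same per-host idea extends to the utilisation benchmarks the answer mentions (CPU or GPU load sampled per hour), which would be compared against the host's own history in exactly the same way.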
With the value of cryptocurrency increasing, and the less power-intensive currencies still nascent, malicious actors appropriating machines for profit will most likely be around for a while.

www.intelligentciso.com | Issue 06 | Page 79