The news of the Anthem breach has hit every major media outlet in record time. The story line is the same as for previous victims: the company claims to have had "state of the art" security controls, and an external threat actor used "extremely sophisticated" technical means to break these seemingly impenetrable systems. Yes, purpose-written malware may have been used in the reconnaissance phase of the "kill chain" to evade the technical controls at the perimeter. But far more likely is that the attackers used a compromised identity to get past the perimeter defenses: first to discover the valuable data, second to install malware that calls home to external servers, and finally to send the data out, encrypted, to the thieves.
Not necessarily a cyber-security breach activity
The problem is that stealing a logon credential is not necessarily a cyber-security breach activity. It can be a phone call, or a password borrowed from a new "friend" who happens to be a contractor. It can also be an insider with a plan to gain access and exfiltrate data, like Edward Snowden. That is what makes breaches involving compromised accounts so difficult: human factors.
To deal with "human factors" as a risk variable, there is an emerging trend among CIOs and CSOs of major corporations: they are wrapping user and machine behavior analytics around identities. Metadata from these identities can be cross-correlated with SIEM, DLP, and other defense-in-depth security data sets to provide a 360° context of who was doing what, when, and where. So even if a user hits a drive-by download or a watering-hole site, or falls for a spear-phishing email, their identity will be tracked, and anomalous or unusual behavior can be spotted even when the user is unaware of it. You can start to predict bad behavior (even if unintentional) and prevent data loss. This is better than a call from your friendly FBI agent, or from a former third-party business supplier, about their data being lost from your IP address ranges.
No matter how sophisticated an outsider's attack is, a compromised identity is likely what is used to do the real damage. User Behavior Analytics (UBA) can provide the insight and predictive analysis to get ahead of these breaches before the real damage is done.
How UBA would have detected and prevented Account Compromise
Having said that, we strongly believe that with Gurucul's technology the outsider attack would have been identified and stopped without significant loss of sensitive data. Our technology would have triggered on the following events:
- An outbound connection to IP infrastructure not seen before, most likely made without a preceding DNS query
- Large outbound uploads from an asset when compared with its own prior history or with its peer group
- Lateral movement of account credentials to other assets on the network that the account most likely had never accessed before
- Access to the database, aggressively querying across schemas to find where the sensitive data is stored
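Each of the four indicators above is a baseline-and-deviation check: learn what an asset or account normally does, then flag the day it does something outside that envelope, and tie every flag back to the identity behind it. The Python below is an added illustration of that pattern written for this article; it is not Gurucul's code and does not describe its product. The asset names, account names, IP addresses (from the RFC 5737 documentation ranges), thresholds and log records are all constructed for the example.

```python
"""Baseline-and-deviation checks for the four indicators listed above.

Added illustration, not vendor code. Every record below is constructed;
a real deployment would read them from a SIEM or log pipeline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- constructed baseline ("normal") period -------------------------------
HIST_CONNECTIONS = [  # (asset, dst_ip, preceded_by_dns_query)
    ("ws-101", "192.0.2.10", True),
    ("ws-101", "203.0.113.5", True),
    ("db-01", "10.0.5.20", True),
]
HIST_UPLOADS = {  # asset -> daily outbound bytes over the baseline period
    "ws-101": [2_000_000, 2_400_000, 1_900_000, 2_100_000, 2_300_000],
    "ws-102": [1_500_000, 1_700_000, 1_600_000, 1_400_000, 1_800_000],
}
PEER_GROUPS = {"ws-101": "claims-team", "ws-102": "claims-team"}
ASSET_OWNER = {"ws-101": "jdoe", "ws-102": "asmith"}  # hypothetical mapping
HIST_LOGONS = [  # (account, asset)
    ("jdoe", "ws-101"), ("jdoe", "fileshare-01"), ("svc_backup", "db-01"),
]

# --- constructed events for the day under review --------------------------
TODAY_CONNECTIONS = [
    ("ws-101", "192.0.2.10", True),
    ("ws-101", "198.51.100.77", False),  # never seen, and no DNS lookup first
]
TODAY_UPLOADS = {"ws-101": 48_000_000, "ws-102": 1_650_000}
TODAY_LOGONS = [("jdoe", "ws-101"), ("jdoe", "db-01"), ("jdoe", "hr-app-02")]
TODAY_DB_QUERIES = [  # (account, schema)
    ("jdoe", "claims"), ("jdoe", "members"), ("jdoe", "billing"),
    ("jdoe", "hr"), ("jdoe", "audit"), ("svc_backup", "claims"),
]


def new_destinations_without_dns(history, today):
    """Indicator 1: a connection to an IP the asset never contacted before,
    made without a preceding DNS query (typical of a hard-coded C2 address)."""
    seen = {(asset, ip) for asset, ip, _ in history}
    return [(a, ip) for a, ip, dns in today if (a, ip) not in seen and not dns]


def upload_anomalies(history, peers, today, z=3.0):
    """Indicator 2: outbound volume above mean + z*stdev of the asset's own
    history, or failing that, of its peer group's history."""
    peer_hist = defaultdict(list)
    for asset, days in history.items():
        peer_hist[peers.get(asset)].extend(days)
    flagged = []
    for asset, volume in today.items():
        own = history.get(asset, [])
        group = peer_hist.get(peers.get(asset), [])
        for basis, sample in (("self", own), ("peer", group)):
            if len(sample) >= 2 and volume > mean(sample) + z * pstdev(sample):
                flagged.append((asset, basis, volume))
                break
    return flagged


def lateral_movement(history, today):
    """Indicator 3: an account logging on to assets it has never used."""
    seen = set(history)
    return sorted({pair for pair in today if pair not in seen})


def schema_scans(queries, max_schemas=3):
    """Indicator 4: one account touching more distinct schemas than a normal
    user or application would (hunting for where the sensitive data lives)."""
    per_account = defaultdict(set)
    for acct, schema in queries:
        per_account[acct].add(schema)
    return sorted((a, len(s)) for a, s in per_account.items() if len(s) > max_schemas)


def indicators_by_identity(owner, conn_hits, upload_hits, move_hits, scan_hits):
    """Wrap the flags around the identity, so the analyst sees one risky
    account rather than four unrelated alerts from four data sources."""
    per_identity = defaultdict(list)
    for asset, _ip in conn_hits:
        per_identity[owner.get(asset, asset)].append("new_destination_no_dns")
    for asset, basis, _vol in upload_hits:
        per_identity[owner.get(asset, asset)].append(f"upload_spike_vs_{basis}")
    for acct, asset in move_hits:
        per_identity[acct].append(f"first_logon_{asset}")
    for acct, n in scan_hits:
        per_identity[acct].append(f"schema_scan_{n}")
    return dict(per_identity)


def run_all():
    """Evaluate the day's events against the baseline and correlate."""
    return indicators_by_identity(
        ASSET_OWNER,
        new_destinations_without_dns(HIST_CONNECTIONS, TODAY_CONNECTIONS),
        upload_anomalies(HIST_UPLOADS, PEER_GROUPS, TODAY_UPLOADS),
        lateral_movement(HIST_LOGONS, TODAY_LOGONS),
        schema_scans(TODAY_DB_QUERIES),
    )


if __name__ == "__main__":
    for identity, flags in run_all().items():
        print(identity, "->", ", ".join(flags))
```

With the constructed data every indicator converges on the single account `jdoe`: its workstation reaches a never-seen address with no DNS lookup and pushes roughly twenty times its usual volume, while the account itself logs on to two new servers and sweeps five database schemas. Any one of those might be dismissed as noise; stacked under one identity they are the exfiltration story told in the opening paragraph. Real baselines would span weeks rather than five days and thresholds would be tuned per peer group, but the shape of the logic is the same.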
It is never too late to deploy the right technology to safeguard your assets and prevent account compromise. But it is always better to do it before an identity is compromised.