New Hack, Same Old Story
The news of the Anthem breach has hit every major media outlet in record time. The story line is the same as for previous victims: the company claims to have “state of the art” security controls, and an external threat actor used “extremely sophisticated” technical means to break these seemingly impenetrable systems. Yes, there could have been purpose-written malware, used in the reconnaissance phase of the “kill chain”, that evaded technical controls at the perimeter. But it is far more likely that the attackers used a compromised identity to get past perimeter defenses, first discovered the valuable data, then installed malware to call home and connect to external servers, and finally sent the data out encrypted to the thieves. The problem is that stealing a logon credential is not necessarily a cyber-security breach activity. It can be a phone call, or a password borrowed from a new “friend” who may be a contractor or an insider and who has had a plan all along to gain access and exfiltrate data, as Edward Snowden did. That is what makes these breaches so difficult: human factors.
To deal with “human factors” as a risk variable, there is an emerging trend among CIOs and CSOs of major corporations to wrap user and machine-behavior analytics around identities. Metadata from these identities can be cross-correlated with SIEM, DLP, and other defense-in-depth security data sets to provide a 360° context of who was doing what, when, and where. So even if you do have users who hit a drive-by download, a watering hole attack, or a spear-phishing email campaign, their identity will be tracked to spot anomalous or unusual behavior that they exhibit without even knowing it. You can start to predict bad behavior (even if unintentional) and prevent data loss, rather than waiting for a call from your friendly FBI agent or from a formerly trusting third-party business partner about their data being lost from your IP address ranges. No matter how complex or sophisticated an attack from an outsider is, at some point an identity is likely invoked to do the real damage. User Behavior Analytics (UBA) can provide the insight and predictive analysis to get ahead of these breaches before the real damage is done.
Having said that, we strongly believe that with Gurucul’s technology the attack would have been identified and stopped without significant loss of sensitive data. Our technology would have triggered on the following events:
- An outbound connection to IP infrastructure not previously seen before, and which most likely was connected to without a preceding DNS query
- Large amounts of software uploaded from an asset when compared with its prior history or its peer groups
- Lateral movement of account credentials to other assets on the network on which those credentials most likely had not been seen before
- Access to a database and aggressive querying across schemas to find where the sensitive data is stored
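To make the four triggers above concrete, here is an added example (not Gurucul's code, and not part of the original post) of how each one can be expressed as a baseline-versus-window comparison on per-identity and per-asset history. All records, hostnames, account names, byte counts and IP addresses (from the reserved TEST-NET documentation ranges) are constructed for illustration, and the thresholds are assumptions chosen for the sample data, not tuned values.

```python
"""Toy identity-centric anomaly checks over constructed log records.

Each function compares a short window of events against a baseline built
from an identity's (or asset's) own history, which is the core idea behind
behavior analytics: the alert is "different from *this* user/asset", not
"matches a known-bad signature".
"""
from collections import defaultdict
from statistics import mean, pstdev

# ---- Constructed baselines (what "normal" looked like before the window) ----
BASELINE_UPLOAD_BYTES = {  # per-asset daily outbound byte totals (constructed)
    "ws-017": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000],
}
BASELINE_HOSTS = {"jdoe": {"ws-017", "mail-01"}}          # hosts an account has used
BASELINE_SCHEMAS = {"svc-report": {"claims"}}             # schemas an account has queried
KNOWN_DESTINATIONS = {"203.0.113.10", "198.51.100.5"}    # external peers seen before

# ---- Constructed events in the window under analysis ----
DNS_EVENTS = [{"ts": 1, "src": "ws-017", "qname": "mail.example.test", "answer": "203.0.113.10"}]
CONN_EVENTS = [
    {"ts": 2, "src": "ws-017", "dst": "203.0.113.10", "bytes_out": 40_000},
    {"ts": 3, "src": "ws-017", "dst": "192.0.2.77", "bytes_out": 70_000_000},  # unseen, no DNS
]
LOGON_EVENTS = [
    {"ts": 4, "account": "jdoe", "host": "ws-017"},
    {"ts": 5, "account": "jdoe", "host": "db-02"},
    {"ts": 6, "account": "jdoe", "host": "fs-09"},
]
QUERY_EVENTS = [
    {"ts": 7, "account": "svc-report", "schema": "claims"},
    {"ts": 8, "account": "svc-report", "schema": "members"},
    {"ts": 9, "account": "svc-report", "schema": "providers"},
    {"ts": 10, "account": "svc-report", "schema": "hr"},
]


def new_destination_without_dns(conn_events, dns_events, known_dsts):
    """Trigger 1: outbound connection to a never-seen IP that no DNS answer produced."""
    resolved = {d["answer"] for d in dns_events}
    return [(c["src"], c["dst"]) for c in conn_events
            if c["dst"] not in known_dsts and c["dst"] not in resolved]


def upload_spike(conn_events, baseline, z_threshold=3.0):
    """Trigger 2: total bytes out per asset far above that asset's own history (z-score)."""
    totals = defaultdict(int)
    for c in conn_events:
        totals[c["src"]] += c["bytes_out"]
    alerts = []
    for src, total in totals.items():
        hist = baseline.get(src)
        if not hist or len(hist) < 2:
            continue  # no baseline yet: cannot say what is unusual for this asset
        mu, sd = mean(hist), pstdev(hist)
        z = (total - mu) / sd if sd else float("inf")
        if z >= z_threshold:
            alerts.append((src, total, round(z, 1)))
    return alerts


def _novel_values(events, key, value, baseline):
    """Group values never seen in the baseline for each key (account)."""
    novel = defaultdict(set)
    for e in events:
        if e[value] not in baseline.get(e[key], set()):
            novel[e[key]].add(e[value])
    return novel


def lateral_movement(logon_events, baseline_hosts, min_new_hosts=2):
    """Trigger 3: one account logging on to several hosts it has never used."""
    novel = _novel_values(logon_events, "account", "host", baseline_hosts)
    return {a: sorted(h) for a, h in novel.items() if len(h) >= min_new_hosts}


def schema_sweep(query_events, baseline_schemas, max_new_schemas=2):
    """Trigger 4: an account querying across many schemas outside its usual ones."""
    novel = _novel_values(query_events, "account", "schema", baseline_schemas)
    return {a: sorted(s) for a, s in novel.items() if len(s) > max_new_schemas}


def run_all():
    """Evaluate all four triggers on the constructed window; returns a findings dict."""
    return {
        "new_dst_no_dns": new_destination_without_dns(CONN_EVENTS, DNS_EVENTS, KNOWN_DESTINATIONS),
        "upload_spike": upload_spike(CONN_EVENTS, BASELINE_UPLOAD_BYTES),
        "lateral_movement": lateral_movement(LOGON_EVENTS, BASELINE_HOSTS),
        "schema_sweep": schema_sweep(QUERY_EVENTS, BASELINE_SCHEMAS),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {finding}")
```

The point worth noticing is that none of these checks needs a signature for the malware or the attacker's infrastructure: each one only needs a history for the identity or asset in question, which is why the window-versus-baseline shape generalizes to other event sources (proxy, VPN, file-share audit) once they are keyed by the same identity.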
It is never too late to deploy the right technology to safeguard your assets for the future. But it is always better to do it before you are breached.