New Year, Same Breaches, Worse Outcomes

2021 has been a boon for cybercrime. In January, T-Mobile reported a breach that compromised customer data, the company's fourth in three years. The breach was initially thought to have affected 200,000 users; it was later determined that 400 customers were actually affected. Full customer personally identifiable information was taken: everything an attacker needs to steal someone's identity outright. The attackers gained access by compromising an employee's account or users' accounts, then used that data to port the victims' phone numbers to a different carrier. Once a number is ported, the attackers receive the victim's messages and calls, including any SMS one-time codes, and can take over the victim's online service accounts.

In February, Kroger reported a breach. Approximately 2% of its customers and an unknown number of employees were affected. This breach was entirely avoidable. An unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion's file transfer product, a third-party service. Accellion had asked its customers late last year to migrate to a newer product because the 20-year-old application Kroger was using was nearing end of life. Kroger did not migrate and was breached through that third-party application.

In March, four zero-day vulnerabilities in Microsoft Exchange Server were actively exploited to deploy backdoors and malware in widespread attacks. Bloomberg estimated that 60,000 organizations had been hacked as of March 8. Any organization running an on-premises Exchange server should assume it was targeted and check for signs of compromise rather than only applying the patch: the attacks were so successful, and so rapid, that the attackers appear to have automated the process.

Also in March, the California State Controller’s Office was hit by a data breach. Intruders used a phishing email to steal Social Security numbers and sensitive files on thousands of state workers.

In April, the personal data of more than half a billion Facebook users worldwide was leaked online for free in a hacker forum. Malicious actors scraped the data by exploiting a vulnerability in a now-defunct feature on Facebook that allowed users to find each other by phone number.

A similar incident hit LinkedIn in April, too. The personal data of 500 million LinkedIn users worldwide was put up for sale. The data had been scraped from users' public profiles and compiled into a single database.

In May, Colonial Pipeline shut down its 5,500 miles of pipeline, carrying 45% of the East Coast's fuel supply, in an effort to contain a breach of its computer networks. The Russia-based DarkSide "ransomware as a service" gang acquired the password to a single VPN account that was no longer in use yet remained active and was not protected by multi-factor authentication. They threatened to leak 100 gigabytes of data if the ransom wasn't paid. It was. Colonial paid $4.4 million in ransom, of which $2.3 million was later recovered by the FBI.

Weeks after the Colonial Pipeline attack, the Russia-based REvil gang used ransomware to extort money from JBS, one of the world's largest meat processors. JBS paid $11 million in ransom to avoid further disruption of its meat processing plants.

Breach Tactics Haven’t Changed

Attackers are using the same breach tactics they’ve been using for years, with the added intensity of automation. Rapidly automating these attacks means they spread incredibly fast with devastating consequences.

First there is ransomware, and it is spreading like wildfire. Ransomware is malware that encrypts a victim's files; the attacker then demands a ransom, paid in Bitcoin or another cryptocurrency, to restore access to the data. The files cannot be decrypted without a mathematical key known only to the attacker. Usually, victims pay. Increasingly, attackers also copy the data out before encrypting it and threaten to publish it if the ransom is not paid, a double whammy known as double extortion, which means a backup alone no longer makes the whole problem go away. Even so, the single best defense against the encryption half of the attack is to BACK UP YOUR DATA, keep at least one copy offline or immutable where the attacker's stolen credentials cannot reach it (ransomware crews routinely delete online backups before they encrypt), and test that you can actually restore from it. Then you can wipe the infected machines and restore. Your data might still get published, but you won't have to pay to get it back.

So how do attackers install ransomware? It runs with whatever rights the user who launched it has, but to spread across an organization and reach file servers and backups the attackers need privileged access. One of the most common delivery mechanisms is phishing. Other, more aggressive strains, like NotPetya, exploit unpatched vulnerabilities to infect computers without needing to trick users at all.

Account and host compromise is another very common breach tactic. Criminals go after privileged accounts first, because those give them access to the hosts holding company IP, personally identifiable information, financial data and the like.

Another common attack vector is third parties. This includes people as well as services and APIs. An organization is only as secure as its weakest link, and as the Kroger breach shows, that link may be a vendor's product rather than anything you built yourself.

Spear phishing and social engineering are traditional attack vectors. They have been especially common during the pandemic, with employees working from home on personal devices and being targeted with COVID-specific lures like "click on this link to see who in your neighborhood has tested positive for COVID-19."

Exploiting server and software vulnerabilities is gaining momentum as attackers automate their exploits. The easiest way to prevent these attacks is to apply security patches and software updates promptly as they are released, starting with internet-facing systems such as mail servers, VPN gateways and file transfer appliances, which is exactly what the Exchange and Accellion attacks went after.

Breach Reach Has Exploded

Here's the concerning part about what's going on. Attackers are building communities where they share best practices, profits, and the data they've exfiltrated. These folks are organized and motivated. They are weaponizing cyberattacks at scale not only to get money from victims but also to disrupt the business. In fact, they are running a business! They advertise, they sell tools, they hire security experts. In a Krebs on Security post on the DarkSide ransomware gang, Brian Krebs shows a job ad they placed for a network penetration tester.

So, what can you do to protect your organization?

The Best Offense

The best offense is proactive, real-time, automated, continuous threat detection that lets you stop an attack while it is in progress. And since cybercriminals need privileged access to install malware across an environment and exfiltrate data, privileged accounts are the most important ones to identify, monitor and secure.

Attackers are using automation at scale to breach corporate networks. If you're not using machine-learning-powered advanced threat detection, you're not going to keep up with them. Automated, iterative machine learning algorithms reveal patterns in large volumes of data, detect anomalies, and surface structures that are new and previously unknown, relationships that would otherwise go undetected. At these data volumes it outperforms both human review and hand-written rules, provided the models are trained on a clean baseline and their alerts are validated by analysts: a model that learns from already-compromised activity will treat the attacker as normal.

Which brings us to big data. In order to detect threats in real time, you need to be able to consume and digest an enormous volume of data from all the various systems, devices, and applications across your network. Attackers themselves do this: in the LinkedIn incident they scraped publicly available data and then linked it to individuals to hand scammers, phishers and spammers tidy profiles on a silver platter. The same ability to aggregate, filter and link data together is a key element in identifying threats in flight.

Context is where data meets insight. Having lots of data is one thing. Adding meaning to data is everything, and is what lets you distinguish merely unusual activity from risky, threat-laden activity.

And then we come to behavior analytics. Behavior is the leading threat indicator. You can steal my identity, but you cannot steal my behavior. You may compromise my credentials, but you don't know what applications I typically run, who I send emails to, what files I access, what hours I work, and the like. Your advanced threat detection platform should include the ability to detect anomalous behavior in real time. When something or somebody's behavior changes, that is a signal worth investigating, even before you know whether the cause is a new project or a stolen credential.

Finally, risk scoring brings everything together. When a person's behavior changes, their risk score goes up. If context and machine learning determine that the unusual behavior is not a threat, the score decays back down. But if the threat is real, the score keeps climbing and becomes a priority for investigation or automated remediation. Risk scores give you the actionable intelligence you need to identify and eliminate true threats instead of chasing every anomaly.
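The behavior-baseline and risk-scoring idea in the two paragraphs above, as an added toy example (this is illustrative code written for this page, not Gurucul's product logic). The events, share names, sensitivity tags and point values are all constructed assumptions; a real deployment would learn the baseline from weeks of logs and tune the weights and threshold to its own false-positive budget.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real logs). Each event: user, hour of day,
# application launched, and the resource touched (mail recipient or file path).
BASELINE_EVENTS = [
    {"user": "alice", "hour": 9,  "app": "outlook.exe", "resource": "mail:bob@corp.example"},
    {"user": "alice", "hour": 10, "app": "excel.exe",   "resource": r"\\fs01\finance\q1.xlsx"},
    {"user": "alice", "hour": 11, "app": "outlook.exe", "resource": "mail:carol@corp.example"},
    {"user": "alice", "hour": 14, "app": "excel.exe",   "resource": r"\\fs01\finance\q2.xlsx"},
    {"user": "alice", "hour": 16, "app": "teams.exe",   "resource": "mail:bob@corp.example"},
    {"user": "alice", "hour": 9,  "app": "outlook.exe", "resource": "mail:dave@corp.example"},
    {"user": "alice", "hour": 15, "app": "excel.exe",   "resource": r"\\fs01\finance\q1.xlsx"},
]

# Events to score. The first looks like alice; the rest look like someone else
# holding her credentials: a remote-execution tool at 2 a.m., an archiver, HR data.
NEW_EVENTS = [
    {"user": "alice", "hour": 10, "app": "excel.exe",  "resource": r"\\fs01\finance\q3.xlsx"},
    {"user": "alice", "hour": 2,  "app": "psexec.exe", "resource": r"\\fs02\hr\payroll.db"},
    {"user": "alice", "hour": 2,  "app": "7z.exe",     "resource": r"\\fs01\finance\q1.xlsx"},
    {"user": "alice", "hour": 3,  "app": "7z.exe",     "resource": r"\\fs02\hr\payroll.db"},
]

# Context (assumed, constructed): which shares hold regulated data, and which
# newly deployed apps IT rolled out, so their first use is expected, not suspicious.
SENSITIVE_PREFIXES = (r"\\fs02\hr",)
APPROVED_ROLLOUTS = {"zoom.exe"}


def build_baseline(events):
    """Per-user profile of what is normal: apps used, resources touched, active hours."""
    profile = defaultdict(lambda: {"apps": Counter(), "resources": Counter(), "hours": Counter()})
    for e in events:
        p = profile[e["user"]]
        p["apps"][e["app"]] += 1
        p["resources"][e["resource"]] += 1
        p["hours"][e["hour"]] += 1
    return profile


def score_event(event, profile):
    """Anomaly points for one event against its user's baseline, adjusted by context."""
    p = profile.get(event["user"])
    if p is None:
        return 5, ["no baseline for user"]   # never-seen account: treat as high risk
    points, reasons = 0, []
    if event["app"] not in p["apps"] and event["app"] not in APPROVED_ROLLOUTS:
        points += 3
        reasons.append(f"new app {event['app']}")
    if event["resource"] not in p["resources"]:
        points += 1
        reasons.append("new resource")
    if event["hour"] not in p["hours"]:
        points += 2
        reasons.append(f"off-hours {event['hour']:02d}:00")
    if event["resource"].startswith(SENSITIVE_PREFIXES):
        points *= 2                          # same anomaly on regulated data: weigh it more
        reasons.append("sensitive data")
    return points, reasons


def risk_scores(events, profile, decay=0.8, threshold=15):
    """Running per-user risk score: decays toward zero between events (benign
    oddities fade) and climbs with each anomaly. Returns the score history and
    the set of users who crossed the investigation threshold."""
    score = defaultdict(float)
    history = []
    for e in events:
        pts, reasons = score_event(e, profile)
        score[e["user"]] = score[e["user"]] * decay + pts
        history.append((e["user"], round(score[e["user"]], 2), reasons))
    alerts = {user for user, s, _ in history if s >= threshold}
    return history, alerts


if __name__ == "__main__":
    hist, alerts = risk_scores(NEW_EVENTS, build_baseline(BASELINE_EVENTS))
    for user, s, reasons in hist:
        print(f"{user}: risk={s:6.2f}  {', '.join(reasons) or 'normal'}")
    print("investigate:", sorted(alerts))
```

Run as-is, the first new event (a new spreadsheet in the usual share, during working hours) barely moves alice's score, while the 2 a.m. remote-execution and archiving activity against the HR share pushes it past the threshold by the third event. The two context hooks are the point: an app on the approved rollout list scores nothing even though it is new to the baseline, and the same anomaly doubles in weight when it touches a sensitive share.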

Criminals Need Privilege

As I mentioned before, cybercriminals need privileged access to install malware and exfiltrate data. You must identify, monitor, and secure these accounts. Gurucul can help.

First, Gurucul helps you detect privileged access risks at the entitlement level. Manually finding and securing every privileged account in a large enterprise is unrealistic. Organizations use privileged access management, or PAM, solutions to try to tackle the problem. However, PAM covers only the standard admin accounts it has been told about; outside its scope are regular accounts that hold privileged entitlements directly, and privileged functions granted without a group association or any legacy tracking method.

Securing privileged access starts with privileged access discovery at the entitlement level, not the account level. Gurucul Identity Analytics facilitates a complete accounting of privileged accounts and entitlements, including where administrative rights were provisioned without accountability. In deployments we typically find 70% of privilege has not been secured. We can also clean up the access plane of dormant and orphan accounts, which are yet another attack vector; the unused but still active VPN account behind the Colonial Pipeline breach is the textbook case.
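To make the entitlement-level discovery in the two paragraphs above concrete, here is an added example written for this page (it is not Gurucul Identity Analytics code). It takes a constructed account inventory, with group memberships, directly granted entitlements, owners and last-login dates, and separates the privilege PAM already sees (admin-group members) from the privilege it does not (ordinary accounts holding admin entitlements), then flags dormant and orphaned accounts so the privileged ones among them can be disabled first. The group names, entitlement patterns, accounts and roster are all assumptions.

```python
from datetime import date
from fnmatch import fnmatch

# Constructed inventory (not real data). In practice this comes from AD/LDAP group
# membership, cloud IAM policies and application role tables, joined to the HR roster.
PRIVILEGED_GROUPS = {"Domain Admins", "SQL-sysadmins"}          # what PAM typically vaults
PRIVILEGED_ENTITLEMENT_PATTERNS = ("local_admin", "db:sysadmin", "iam:*", "vpn:full")

ACCOUNTS = [
    {"name": "jdoe",       "owner": "jdoe",   "groups": {"Domain Admins"},
     "entitlements": set(),                              "last_login": date(2021, 6, 1)},
    {"name": "mlee",       "owner": "mlee",   "groups": {"Staff"},
     "entitlements": {"local_admin"},                    "last_login": date(2021, 6, 3)},
    {"name": "svc_backup", "owner": "",       "groups": {"Staff"},
     "entitlements": {"db:sysadmin"},                    "last_login": date(2021, 5, 30)},
    {"name": "ci_deploy",  "owner": "akim",   "groups": {"Staff"},
     "entitlements": {"s3:GetObject", "iam:PassRole"},   "last_login": date(2021, 6, 4)},
    {"name": "vpn_legacy", "owner": "rsmith", "groups": {"Staff"},
     "entitlements": {"vpn:full"},                       "last_login": date(2020, 11, 2)},
    {"name": "akim",       "owner": "akim",   "groups": {"Staff"},
     "entitlements": set(),                              "last_login": date(2021, 6, 4)},
]
ACTIVE_EMPLOYEES = {"jdoe", "mlee", "akim"}   # rsmith has left the company
AS_OF = date(2021, 6, 5)


def is_privileged_entitlement(ent):
    """Match a granted entitlement against the privileged patterns (wildcards allowed)."""
    return any(fnmatch(ent, pat) for pat in PRIVILEGED_ENTITLEMENT_PATTERNS)


def privileged_via_groups(accounts):
    """Accounts PAM already knows about: members of a recognised admin group."""
    return {a["name"] for a in accounts if a["groups"] & PRIVILEGED_GROUPS}


def privileged_via_entitlements(accounts):
    """Accounts holding a privileged entitlement directly, with no admin-group membership."""
    return {a["name"] for a in accounts
            if not (a["groups"] & PRIVILEGED_GROUPS)
            and any(is_privileged_entitlement(e) for e in a["entitlements"])}


def dormant(accounts, as_of, max_idle_days=90):
    """Accounts nobody has logged into for longer than the idle limit."""
    return {a["name"] for a in accounts if (as_of - a["last_login"]).days > max_idle_days}


def orphaned(accounts, active_employees):
    """No accountable owner: owner blank, or owner no longer on the HR roster."""
    return {a["name"] for a in accounts if not a["owner"] or a["owner"] not in active_employees}


def privileged_access_report(accounts, active_employees, as_of):
    managed = privileged_via_groups(accounts)
    hidden = privileged_via_entitlements(accounts)
    all_priv = managed | hidden
    stale = dormant(accounts, as_of)
    no_owner = orphaned(accounts, active_employees)
    return {
        "group_managed": managed,
        "hidden_privilege": hidden,
        "dormant": stale,
        "orphaned": no_owner,
        # privileged AND dormant-or-orphaned: the Colonial-style accounts to disable first
        "disable_first": all_priv & (stale | no_owner),
        "unmanaged_share": round(len(hidden) / len(all_priv), 2) if all_priv else 0.0,
    }


if __name__ == "__main__":
    for key, value in privileged_access_report(ACCOUNTS, ACTIVE_EMPLOYEES, AS_OF).items():
        print(f"{key:17} {sorted(value) if isinstance(value, set) else value}")
```

On this inventory only one of five privileged identities is in an admin group that PAM would vault; the other four hold their privilege through direct entitlements (a local admin right, a database sysadmin role, a wildcard-matched IAM permission and a full VPN grant), and two of those are also dormant or have no current owner. The `iam:*` pattern is the part worth copying: cloud permissions that can escalate (such as passing roles) rarely show up as group membership at all.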

Second, Gurucul uses behavior analytics powered by machine learning to detect and prevent privileged access abuse, whether the actor is a malicious insider or a cybercriminal who has compromised a valid user's privileged account. Gurucul monitors privileged accounts continuously, with contextual information about who accesses your IP and regulated data. We provide risk-based alerting on anomalous behavior so you can detect and stop a threat before damage is done.

Time is Not on Your Side

Bottom line? Time is not on your side! You need to act now if you haven't already put modern security defenses in place. In response to the Colonial Pipeline attack, IBM CEO Arvind Krishna said, "Cybersecurity will be the issue of this decade in terms of how much worse it is going to get."

And Forrester analyst Allie Mellen says, “What do security pros do right now to lower their risk in the face of future ransomware attacks? Outrun the guy next to you.” You need to try to be slightly less vulnerable to attacks than your competitors.