President Obama’s email got breached – are you sure your data is safe?
As if death and taxes weren’t bad enough, now we can add data breaches to life’s certainties. Following up on the Target breach of 2013, which affected 40 million credit card holders, 2014 brought new highs in the Home Depot (56 million affected) and JP Morgan Chase (76 million affected) breaches. In 2015 we have already had a major incident at the health insurer Anthem, which saw the names, social security numbers, dates of birth and several other pieces of personally identifiable information of its 78.8 million customers being stolen. And just last week hackers even managed to hit the White House’s unclassified network and read President Barack Obama’s emails. If the President of the United States’ emails can be breached, just how sure are you that your data is safe?
Leveraging data for an enhanced and personalized customer experience is one of the core strategies of digital transformation. So companies are gathering more and more data about their customers, their transactions and behaviour, to mine it for insights and improve the customer experience. This goldmine of data is also the target of highly professional, focused hackers who employ extremely stealthy and long-running attacks to get into corporate networks and exfiltrate this data. These types of attacks are classified as Advanced Persistent Threats (APT) and typically can go undetected for months.
These targeted attacks typically have four distinct phases.
External Reconnaissance Phase
In this phase the attackers sometimes survey the enterprise network from the outside through scans or probes to find a vulnerable outward facing service. Modern firewalls and intrusion prevention systems are pretty good at blocking these attempts but certain service or network misconfigurations may still let the attackers map the network. At other times they scour through publicly available information about the company employees to craft customized phishing emails to snare their victims.
Exploit Phase
In the exploit phase the attackers typically exploit a vulnerability in some application running on the enterprise servers or on an employee workstation to install malware on the compromised machine. For example, an employee could receive a phishing email with an infected attachment or a link which, when opened, drops malware via drive-by download onto the victim’s computer using a browser exploit. More frequently now these exploits are zero-day – a previously unknown vulnerability in an application or OS that the developers have had, literally, zero days to fix – and they often escape detection by intrusion detection systems.
Lateral Movement Phase
Once on the first victim machine, the hacker begins internal reconnaissance and lateral movement to find the interesting data. At this point perimeter security measures like firewalls are blind to this movement. At this stage the hacker is looking for open shares, services with unpatched vulnerabilities, systems configured with weak or no passwords, etc. One of the other missions at this stage is to compromise the credentials of an employee or a system user with elevated or admin privileges. This often gives them access to databases containing sensitive or customer information.
Data Exfiltration Phase
Upon finding the sensitive data, such as personally identifiable information, product designs, proprietary source code, etc., the hacker begins exfiltration of this data. This operation, too, is designed to evade detection, and techniques include breaking the data into smaller chunks, encrypted transmission, and using in-country or sometimes even in-enterprise intermediate hops to avoid alarms.
What enterprises need to protect themselves against such highly sophisticated and stealthy operations is a strong security intelligence setup that augments the other protections such as firewalls, IDS/IPS and anti-malware.
A good security intelligence system should…
- Have the ability to monitor network traffic at Gigabit speeds and do deep packet inspection. High-bandwidth processing is especially needed if we are to monitor traffic that is fully internal to the enterprise (lateral movement of the attacker, internal data transfers by attackers).
- Be able to decrypt and see inside encrypted traffic in real-time. This is because most malware today uses encrypted traffic in its communication with the command and control center as well as during data exfiltration.
- Integrate with existing enterprise IDS and IPS systems as well as SIEMs to consume critical alerts and filtered events that can then be analyzed and correlated with the network observations.
- Have real-time analytics capabilities to correlate security events from multiple sources to produce security and threat related insights. This type of correlation is needed both over short and long-running time windows.
- Do behavioral modelling of users and services and then be able to detect seemingly low-key deviations from that behavior that signal a threat. For example, incidents such as a system access at 3:00 am, multiple password failure attempts, or unusually large data transfers to new destinations.
- Integrate with external threat-sharing systems and platforms that provide domain and IP security ratings, malware signatures, binary file hashes, etc. This allows the system to build on the collective intelligence of threats observed across the world and either detect known malware being downloaded or unknown binaries being downloaded from suspicious domains.
- Offer search and discovery mechanisms that help sift through the terabytes of archived metadata from network traffic, alerts and logs. This should also support forensic investigations such as checking for the presence of a newly discovered infection in the last X weeks of data, or which other machines an infected server connected to in the last 7 days.
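To make the behavioral-modelling and forensic-search items above concrete, here is a small added example (not code from the original post or from any product it describes). It learns a per-user baseline from one constructed "quiet week" of logon and transfer records, then flags the three kinds of low-key deviation the list names (a 3 am logon, a burst of password failures, an unusually large transfer to a never-seen destination), and answers the forensic question "which other machines did this server talk to in the last 7 days" over the same archived metadata. All host names, user names, timestamps and byte counts are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

NOW = datetime(2015, 4, 27, 12, 0)  # constructed "current time" for the example


def _ev(ts, user, kind, src, dst, nbytes=0):
    # One archived record: timestamp, user, event kind, source host, destination host, bytes moved.
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind,
            "src": src, "dst": dst, "bytes": nbytes}


# Constructed baseline week: alice logs on during office hours and sends a few MB to file-srv.
BASELINE = [
    _ev("2015-04-20T09:05:00", "alice", "login_ok", "ws-alice", "ad-dc1"),
    _ev("2015-04-20T10:12:00", "alice", "transfer", "ws-alice", "file-srv", 2_000_000),
    _ev("2015-04-21T09:10:00", "alice", "login_ok", "ws-alice", "ad-dc1"),
    _ev("2015-04-21T14:30:00", "alice", "transfer", "ws-alice", "file-srv", 3_000_000),
    _ev("2015-04-22T08:55:00", "alice", "login_ok", "ws-alice", "ad-dc1"),
    _ev("2015-04-22T11:00:00", "alice", "transfer", "ws-alice", "file-srv", 2_500_000),
    _ev("2015-04-23T09:20:00", "alice", "login_ok", "ws-alice", "ad-dc1"),
    _ev("2015-04-23T16:45:00", "alice", "transfer", "ws-alice", "file-srv", 2_200_000),
]

# Constructed monitored window with three planted deviations plus normal activity.
RECENT = [
    _ev("2015-04-15T12:00:00", "svc", "conn", "db-srv", "backup-srv"),      # older than 7 days
    _ev("2015-04-24T12:00:00", "svc", "conn", "db-srv", "backup-srv"),      # inside the 7-day window
    _ev("2015-04-27T03:02:00", "alice", "login_ok", "ws-alice", "ad-dc1"),  # 3 am logon
    _ev("2015-04-27T03:03:10", "alice", "login_fail", "ws-alice", "db-srv"),
    _ev("2015-04-27T03:03:20", "alice", "login_fail", "ws-alice", "db-srv"),
    _ev("2015-04-27T03:03:30", "alice", "login_fail", "ws-alice", "db-srv"),
    _ev("2015-04-27T03:03:40", "alice", "login_fail", "ws-alice", "db-srv"),
    _ev("2015-04-27T03:03:50", "alice", "login_fail", "ws-alice", "db-srv"),
    _ev("2015-04-27T03:20:00", "alice", "conn", "ws-alice", "db-srv"),
    _ev("2015-04-27T03:40:00", "alice", "transfer", "ws-alice", "ext-relay-01", 900_000_000),  # big + new dst
    _ev("2015-04-27T09:00:00", "alice", "login_ok", "ws-alice", "ad-dc1"),  # normal
    _ev("2015-04-27T10:00:00", "alice", "transfer", "ws-alice", "file-srv", 2_100_000),  # normal
]


def build_baseline(events):
    """Per user: hours they normally log on, hosts they normally send to, transfer sizes seen."""
    base = defaultdict(lambda: {"hours": set(), "dsts": set(), "sizes": []})
    for e in events:
        b = base[e["user"]]
        if e["kind"] == "login_ok":
            b["hours"].add(e["ts"].hour)
        elif e["kind"] == "transfer":
            b["dsts"].add(e["dst"])
            b["sizes"].append(e["bytes"])
    return base


def detect_deviations(events, base, fail_threshold=5,
                      fail_window=timedelta(minutes=5), z=3.0):
    """Return (user, rule, detail) findings for events that deviate from the learned baseline."""
    findings = []
    fails = defaultdict(list)  # user -> timestamps of failed logons inside the sliding window
    for e in sorted(events, key=lambda x: x["ts"]):
        b = base.get(e["user"])
        if b is None:
            continue  # no baseline for this user; a real system would track that separately
        if e["kind"] == "login_ok" and e["ts"].hour not in b["hours"]:
            findings.append((e["user"], "off_hours_access", e["ts"].isoformat()))
        elif e["kind"] == "login_fail":
            recent = [t for t in fails[e["user"]] if e["ts"] - t <= fail_window] + [e["ts"]]
            fails[e["user"]] = recent
            if len(recent) == fail_threshold:  # fire once, when the burst reaches the threshold
                findings.append((e["user"], "password_failure_burst", e["dst"]))
        elif e["kind"] == "transfer" and b["sizes"]:
            cutoff = mean(b["sizes"]) + z * pstdev(b["sizes"])  # "unusually large" = z sigma above normal
            if e["bytes"] > cutoff and e["dst"] not in b["dsts"]:
                findings.append((e["user"], "large_transfer_new_destination", e["dst"]))
    return findings


def peers_of(host, events, now=NOW, days=7):
    """Forensic query: every host that `host` connected to or from in the last `days` days."""
    since = now - timedelta(days=days)
    peers = set()
    for e in events:
        if since <= e["ts"] <= now:
            if e["src"] == host:
                peers.add(e["dst"])
            elif e["dst"] == host:
                peers.add(e["src"])
    return peers


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    for finding in detect_deviations(RECENT, base):
        print("ALERT", *finding)
    print("db-srv peers in last 7 days:", sorted(peers_of("db-srv", BASELINE + RECENT)))
```

Run as-is it prints three alerts in time order (off-hours access, password-failure burst against db-srv, large transfer to ext-relay-01) and reports that db-srv spoke to ws-alice and backup-srv in the window, while the older backup-srv connection is correctly excluded. The baseline-learning and threshold logic is deliberately simple (hours seen, destinations seen, mean plus three standard deviations); a production system would use longer histories and per-service models, but the structure of the check is the same.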
In short, a good security intelligence system should provide you a real-time, early warning system combined with the ability to quickly get a holistic view of an attack in progress or a compromise and reduce the time to remediate and recover from it.
There you have it. Death, taxes and security breaches. In the US, folks just filed their taxes. I’m hoping death is a way off for most of us, so let’s not talk about it. But as we’ve seen with companies across the globe, and recently at the White House, a hack or security breach might happen any time. In fact it could be happening while you’re reading this. Are you ready for it?
Let me know your thoughts and also check out my previous post, co-authored with Dr. Siddhartha Chatterjee, on how Security is at the heart of digital transformation.