Sophisticated Attacks Usually Aren't

Level 11

“If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different.” –Bruce Schneier

In my last post I argued that the traditional perimeter security model is dead, and that companies have to start from the assumption that “we’ve already been hacked” and move to a strategy of mitigation and awareness. The temptation is strong to put a set of really big, expensive, name-brand firewalls at the edge of your network, monitor for known vulnerabilities, and then walk away smug in the knowledge that you’ve not only checked a box on your next audit but done all you can to protect your valuable assets. That temptation is shortsighted and wrong.

Since I wrote last, one of the largest security breaches ever, and possibly the most damaging, was reported by the insurance giant Anthem BlueCross BlueShield. Over 80 million accounts were compromised, and what makes this breach worse than most is that the stolen data included names, addresses, Social Security numbers, income data and more: pretty much everything that makes up your identity. In other words, you just got stolen. A credit card can be cancelled and replaced; your whole identity cannot.

Anthem’s wording suggests that the company was the victim of “a very sophisticated external cyber attack”. That is plausible and largely face-saving, but it is almost guaranteed not to be the case. The attack was probably perpetrated by an external entity, but its sophistication was probably not high. In most of these cases it is as simple as getting one employee inside the company to open the wrong file, click the wrong link, or reveal the wrong thing. The days of poking holes in firewalls and perpetrating truly sophisticated attacks from the outside in are largely gone, reserved for movies and nation-state cyber warfare.

The one thing we can take from this attack, absent any further details, is that the company self-reported: it discovered the problem and responded immediately. What isn’t known is how long the attackers had access to the system (the dwell time) before the company’s security team discovered and closed the breach. Hopefully we’ll get more information in the coming days and a better picture of the scope and the attack vector used.

So, what do you think of the Anthem attack? Do you have processes in place today to respond to this sort of breach? Would you even know if you’d been breached?

24 Comments
Level 15
The days of poking holes in firewalls and perpetrating truly sophisticated attacks from the outside in are largely gone, reserved for movies...

HACK THE PLANET!!!

Level 15

Didn't Kevin Mitnick find most of his success using social engineering? I think that our security people (and realistically, aren't all IT people actually security people?) need to remember to be diligent with security both internally and externally. External seems to be the scapegoat, and there is some truth to that, but how did the external people manage to put the malware into the Home Depot terminals? We do not need to be skeptical of our fellow co-workers, but we as IT people need to focus some of our efforts on mere education of our users and teach them not to fall for the modern social engineering tricks.

MVP

I agree that social engineering is a big risk that is hard to mitigate. But when you have a large company with a large number of PCs that can connect to the internet, you are open to malware and other nefarious things that may or may not be caught by anti-virus software.

We have a team that is responsible for such monitoring and responding to such events. 

Level 8

Using multiple-vendor firewall clusters and IPS systems would avoid that.

It all depends on cost and how much you are able to spend for your security environment.

Level 14

I wonder how long they actually waited before it was "immediately" reported. And when we finally do hear a when or how, it probably won't be the whole truth. And this is a loaded question that most people cannot answer. No one knows that they have been breached until they "find" the breach. There is no alert that just triggers telling you "You've been breached!". It takes time just to discover that you have been breached. Most of the time, it is discovered when the hacker decides to start using the information or starts looking for more information. By this time, you may have already been breached for weeks or even months, and it is something that they are doing now that prompts you to look at it. You can have all the teams that you want monitoring, but if you are breached where you aren't looking, it won't do any good. It will look like valid traffic to the monitoring team. This is why internal breaches are so hard to discover rapidly and, when they are discovered, it is too late.

Level 13

Detecting a breach is easy:  Do you have users?  Yes?  Then you've been breached.

Now, the real question is what undesired actions have been taken?

Level 11

With what they charge for insurance and what little they have to pay on the dollar amount of the bill, I would expect nothing less. More suits lining their pockets with the money and identity of the customers.

Level 9

I am working with the network team in a school district. I would like to know if there are any THWACK members who are in a similar field. How do you monitor threats and what do you use to monitor them? We only have a Cisco firewall, IronPort and SolarWinds NPM + NTA. Most of the traffic that we currently focus on is ingress. Once in a while I do see our internal IP talking with 24.143.x.x, but who is this 24.143.x.x? Why is there 2.5 GB of data on ingress and egress on the NTA page? Using nslookup on this IP, I got nothing. Searching on IronPort for this IP, I got no records. BUT someone inside is talking to it!!! Should I shut it down at the firewall? Maybe it is a 3rd-party company for an app that we are using at school. What would be my ideal approach to find it out?
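
One way to answer "who inside is talking to it, in which direction, and did it go through the proxy" from the data the poster already has. This is an added example, not code from the thread and not a feature of NTA or IronPort; it assumes the flow records have been exported from NTA/NetFlow into a CSV with the columns shown, that the internal address space is 10.0.0.0/8, that the proxy log can be reduced to client/destination pairs, and it uses constructed sample traffic in place of real data.

```python
"""Triage of an unknown external destination using exported flow records.

Added example, not code from the original thread and not part of NTA or IronPort.
Assumptions: flow records have been exported to CSV with the columns below,
the internal address space is 10.0.0.0/8, the proxy log has been reduced to
'timestamp client_ip dest_ip' lines, and all data here is constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumption: the school's LAN
SUSPECT_NET = ipaddress.ip_network("24.143.0.0/16")  # the 24.143.x.x from the question

# Constructed NetFlow-style records: timestamp,src,dst,dst_port,proto,bytes
FLOWS_CSV = """ts,src,dst,dport,proto,bytes
2015-02-09T08:01:00,10.20.5.17,24.143.8.9,443,tcp,1800000000
2015-02-09T08:02:00,24.143.8.9,10.20.5.17,51234,tcp,650000000
2015-02-09T08:05:00,10.20.7.40,24.143.8.9,443,tcp,12000000
2015-02-09T08:06:00,10.20.5.17,24.143.8.9,8080,tcp,40000000
2015-02-09T08:07:00,10.20.9.3,93.184.216.34,80,tcp,5000
"""

# Constructed proxy log lines: timestamp client_ip dest_ip
PROXY_LOG = """2015-02-09T08:05:02 10.20.7.40 24.143.8.9
2015-02-09T08:07:01 10.20.9.3 93.184.216.34
"""


def parse_flows(text):
    """Parse the CSV export into dicts with typed IP addresses and byte counts."""
    return [{"ts": r["ts"],
             "src": ipaddress.ip_address(r["src"]),
             "dst": ipaddress.ip_address(r["dst"]),
             "dport": int(r["dport"]),
             "proto": r["proto"],
             "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def parse_proxy(text):
    """Reduce proxy log lines to the set of (client_ip, dest_ip) pairs seen."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            pairs.add((parts[1], parts[2]))
    return pairs


def triage(flows, proxy_pairs, suspect=SUSPECT_NET, internal=INTERNAL_NET):
    """Per internal host talking to the suspect range: bytes sent and received,
    destination ports used, first/last time seen, and whether the proxy ever saw
    that client reach the same address (if not, the traffic bypassed it)."""
    hosts = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "ports": set(),
                                 "via_proxy": False, "first": None, "last": None})
    for f in flows:
        if f["src"] in internal and f["dst"] in suspect:
            host, ext, direction = f["src"], f["dst"], "bytes_out"
        elif f["dst"] in internal and f["src"] in suspect:
            host, ext, direction = f["dst"], f["src"], "bytes_in"
        else:
            continue  # not a conversation with the suspect range
        rec = hosts[str(host)]
        rec[direction] += f["bytes"]
        if direction == "bytes_out":
            rec["ports"].add(f["dport"])  # the server-side port is only meaningful outbound
        rec["first"] = f["ts"] if rec["first"] is None else min(rec["first"], f["ts"])
        rec["last"] = f["ts"] if rec["last"] is None else max(rec["last"], f["ts"])
        if (str(host), str(ext)) in proxy_pairs:
            rec["via_proxy"] = True
    return dict(hosts)


def rank(summary):
    """Hosts ordered by bytes pushed toward the suspect range, biggest uploader first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    summary = triage(parse_flows(FLOWS_CSV), parse_proxy(PROXY_LOG))
    for host, rec in rank(summary):
        flag = "" if rec["via_proxy"] else "  <-- never seen by the proxy"
        print(f"{host}: out={rec['bytes_out']:,} in={rec['bytes_in']:,} "
              f"ports={sorted(rec['ports'])} {rec['first']}..{rec['last']}{flag}")
```

The hosts to look at first are the ones with a large outbound byte count and no proxy record: legitimate web traffic from a school normally passes through IronPort, so a direct, high-volume push to an address with no reverse DNS and no proxy entry is either a non-HTTP application or something bypassing the proxy on purpose. Re-running the summary per day shows whether the 2.5 GB is a one-off or a steady trickle, which is worth knowing before blocking it and before talking to the owner of the host.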

Level 15

I used to work in that field in a former life. I have always been partial to the squeal method in education. I would block it in your firewall and send a note to the faculty regarding the network change. Then, IF it is needed you can unblock it, and IF it is NOT needed you will be saving on the 2.5 GB of useless data. Just my thoughts...

Level 11

flweyand wrote:

Using multiple-vendor firewall clusters and IPS systems would avoid that.

It all depends on cost and how much you are able to spend for your security environment.

It really wouldn't. Having multiple clusters and IPS systems only creates complexity for management, while your real risks are internal. Users are the biggest security risks, and no amount of firewalls or IPS systems is going to stop a user who gets a zero-day on their machine that uploads to a brand-new data theft server. How can you stop a user who gives their password to the 'IT' guy who called asking for it? Certainly not with a firewall or IPS.

A firewall vulnerability is so far down on the list of attack vectors. After all, this is not the movies, where a hacker is typing feverishly into a console trying to 'bring down the firewall'. In reality, if you bring down the firewall, you have just stopped all traffic going in and out of the network... for everyone.

Level 14

I so agree!

Level 8

From the inside you are right: FW and IPS systems are for external access.

Yep, it's not possible to protect your company or network from inside intruders; you can protect your network access with NAC solutions, but you cannot protect your company from stupid employees.

USB ports can be blocked by GRP or LRP, traffic can be filtered with a proxy, access between networks can be prohibited by network design, but if an employee shares his personal data (like passwords) you are powerless.

Level 8

(addition)

But of course there is a way to scan for abnormal events created by users.

Like "why is the finance guy accessing data from the IT storage? He never did this before."

You can log all access (like file access on shares or website access) and find abnormal events (we do this with Splunk).

It gives you a bit of security, but of course it's not 100% perfect and doesn't work in every environment for every kind of data.

You are 100% secure after shutting down your network and ISP connections, but after that nobody is able to work.
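
The "finance guy on the IT storage" check from the comment above, written out as an added example: it is not code from the thread and not a Splunk search. It assumes file-share audit events have been exported as 'timestamp user share' lines and that a user-to-department mapping is available (normally from AD group membership); all events here are constructed. A baseline window records which shares each user, and each department, normally touches; an access outside the user's own history is flagged, and escalated when nobody in the user's department has touched that share either.

```python
"""First-time-access detection over file-share audit logs.

Added example, not code from the thread and not a Splunk search. It assumes the
audit events have been exported as 'timestamp user share' lines and that a
user-to-department mapping is available (from AD or HR); all data is constructed.
"""
from collections import defaultdict

# Constructed baseline window (what each user normally touched, e.g. the last 30 days)
BASELINE_LOG = r"""2015-01-10T09:00 alice \\fs1\finance
2015-01-11T09:30 alice \\fs1\finance
2015-01-12T10:00 bob \\fs1\finance
2015-01-12T11:00 carol \\fs2\it-storage
2015-01-13T11:30 dave \\fs2\it-storage
2015-01-14T12:00 carol \\fs1\public
"""

# Constructed events under review
TODAY_LOG = r"""2015-02-09T08:00 alice \\fs1\finance
2015-02-09T08:10 alice \\fs2\it-storage
2015-02-09T08:20 bob \\fs1\public
2015-02-09T08:30 dave \\fs1\public
2015-02-09T08:40 carol \\fs2\it-storage
"""

# Assumption: department membership, normally pulled from AD group membership
DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "it", "dave": "it"}


def parse(text):
    """Turn 'timestamp user share' lines into (ts, user, share) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            events.append(tuple(parts))
    return events


def build_baseline(events, department):
    """Shares seen per user and per department during the baseline window."""
    by_user, by_dept = defaultdict(set), defaultdict(set)
    for _, user, share in events:
        by_user[user].add(share)
        by_dept[department.get(user, "unknown")].add(share)
    return dict(by_user), dict(by_dept)


def find_anomalies(events, baseline, department):
    """Flag accesses to a share the user has never touched before; escalate when
    nobody in the user's department has touched it either (the 'finance guy on
    the IT storage' case)."""
    by_user, by_dept = baseline
    findings = []
    for ts, user, share in events:
        if share in by_user.get(user, set()):
            continue  # routine for this user
        dept = department.get(user, "unknown")
        if share in by_dept.get(dept, set()):
            findings.append((ts, user, share, "new-for-user"))
        else:
            findings.append((ts, user, share, "new-for-user-and-department"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG), DEPARTMENT)
    for ts, user, share, reason in find_anomalies(parse(TODAY_LOG), baseline, DEPARTMENT):
        print(f"{ts} {user:6} {share:18} {reason}")
```

Two caveats match the comment's own "not 100% perfect": the baseline only describes normal if the attacker was not already inside during the baseline window (an account compromised months ago looks routine), and new hires and job changes generate first-time accesses that are entirely legitimate. A rolling baseline and treating a finding as a prompt to look at the account rather than as proof of compromise keep the noise manageable.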

Level 14

Well written post. Although there are ways to monitor and detect data exfiltration, this doesn't seem to be commonplace. The common mentality is to throw hardware solutions at the boundary and call yourself secure. A check in the checkbox does not a secure network make.

MVP

Sad that we (all tech companies) are fundamentally insecure.

The days of a business desktop PC with access to both the internet and business applications are almost over.

Level 11

Yeah, the last stats I saw were that 76% of all hacks were due to weak or stolen passwords. The inside/outside metrics are a little misleading because most hacks are initiated from outside actors, but originate from inside the system in the sense that inside users were tricked or compromised somehow. Fastest way to "own" a company's network? Drop a USB stick in the parking lot. Someone will stick it in a computer eventually.

Level 11

Hence a twist on the saying in my original article: "There are two kinds of companies: those who have been hacked, and those who don't know they've been hacked."

Level 11

Guess what accounts were compromised in the Anthem hacks? IT administrators with access to the database in question.

Level 11

For what it's worth, that range appears to be owned by an ISP out of Denver named Broadstripe.

Level 11

I think that as more people wake up, micro-segmentation is going to see broader adoption than it has hitherto. That's only another defense mechanism, of course... as someone else mentioned, you have to keep adapting to new threats.

Level 11

In all honesty, past a moment or two of sheer puckering panic, they probably did report the hack immediately after it was discovered. The problem is, the attackers were probably in the system for months before they were discovered. An entire database of 80 million users' personal information can't be sucked out unnoticed in a short period of time. Most likely it was stored and moved slowly out.

Level 21

After having worked with several companies in the health care industry, it's scary to see what their back-end infrastructure looks like and how disorganized they are at managing it. To make it even more difficult, their teams are typically silos that either don't work or don't work well with each other. When you mention things like "centralized monitoring", "single pane of glass", or "centralized log management" they look at you like you fell off another planet.

Even at more tech-savvy companies, what they accept as "security" is a joke. They seem to think that an edge firewall and hit-or-miss desktop patching covers it. Two-factor authentication is only seen in a small handful of companies that I have worked with, certainly not mainstream.

At the end of the day, there is a lot of education and work that needs to be done out there, and until it is done you don't need sophistication to get past the limited security that does exist at these places.

Level 21

On an interesting side note, I recently ran across Illumio, and they make a security product that seems pretty unique, so I thought I would share it here since this was a security thread.

Level 13

Multiple vendor firewalls didn't do Anthem much good.

The CMMS guidelines they are subject to specify that different vendor firewalls must be used between successive application layers (i.e. Web interface, app server, DB server).

About the Author
Life-long and professional Network, VMware, and Unix Geek; Whiskey Taster; Brain Hacker; Student of Everything. Cancer Survivor. Armchair theoretical physicist.