“What I did 50 years ago is 4,000 times easier to do today because of technology,” says Frank Abagnale, 70-year-old FBI security consultant and former con man. His exploits as a check forger and impostor in the 1960s were showcased in the 2002 film Catch Me If You Can. Back then, it took a lot of preparation to complete a mission-based, malicious, and catastrophic attack. Today, while we may be better equipped to defend against attacks such as Abagnale’s that were far ahead of their time, we’re now worse off because of the number of vulnerable points a cybercriminal can exploit.
In the last five years, we’ve seen a curious phenomenon play out in the business world: companies have spent more and more on security, yet data breaches continue. Organisations need to realize that this growing challenge affects the entire business world, and learn from incidents that have plagued other companies.
Some attacks from the last four years
Let’s look at attacks at five different organisations: SingHealth, Google, SunTrust Bank, Cosmos Bank, and JPMorgan Chase.
SingHealth: SingHealth is Singapore’s largest group of healthcare institutions, serving around 3.8 million patients each year. Between June 27 and July 4, 2018, a security breach compromised the personal data of 1.5 million SingHealth patients in what became Singarpore’s biggest cyberattack ever. The attackers accessed patients’ sensitive information, including their name, gender, identity card number, address, race, and date of birth. Furthermore, prescription details of 160,000 patients, including those of prime minister Lee Hsien Loong, were stolen.
The initial breach was due to malware that was inadvertently downloaded by a front-end employee through a malicious website or phishing email. The malware allowed the attackers to obtain this employee’s account credentials, through which the attackers could access all the applications this employee had access to. From there, the attackers could lurk in the network and sniff out particular servers, including domain controllers, that stored all authentication information. Then, they gained privileged access to the patient database.
Google: Anthony Levandowski worked in Google’s autonomous car division until January 2016, when he left to found Otto Motors. Just seven months later, Otto was acquired by the transportation network company Uber. It has been alleged that just before his exit from Google, Levandowski downloaded 9.7GB of confidential files and design trade secrets.
The charge from Google was that, as a user with privileged access, Levandowski had the permissions to carry out the breach; Levandowski also attempted to cover his tracks after the deed was done. Uber finally settled with Google out of court for USD 245 million.
SunTrust Bank: On April 20, 2018, SunTrust Bank, a large, US-based bank holding company, revealed that a former employee tried to steal information—including names, addresses, phone numbers, and, in some cases, even account balances—of 1.5 million clients. It was also alleged that this former employee tried selling the data to a criminal party.
While details on how the former employee gained access have yet to emerge, the breach itself is not suprising. Kamalakannan Subramani, manager of IT services at Zoho Corporation, says, “Even some larger corporations fail to take adequate measures to deprovision accounts of former employees. Proper deprovisioning can occur only if proper provisioning was done in the first place. Otherwise it’s easy to miss.”
Cosmos Bank: Cosmos Bank is a 112-year-old cooperative bank in India, with deposits of more than INR 156 billon (USD 2 billion). Between August 11-13, 2018, the company likely fell victim to an attack carried out by the Lazarus Group of North Korea. Attackers probably gained an initial foothold through spear phishing. From there, the attackers targeted the bank’s ATM infrastructure.
Under normal circumstances, a cash withdrawal request from an ATM would reach the bank’s core banking system for authentication. However, the attackers created a proxy switch which authenticated each of their fraudulent requests. The end result? Close to INR 9.4 billion (USD 13.5 million) was siphoned off through ATMs from 28 different countries.
JPMorgan Chase: The IT security team at the American bank JPMorgan Chase discovered a major data breach in July 2014. The names and email addresses of more than 70 million customers were stolen. The criminals initially waged a phishing attack to obtain employee credentials. At the time, JPMorgan Chase had two-factor authentication deployed in almost all of its servers, except for one server used by a third-party company. All attackers needed was this simple but costly oversight to gain access to JPMorgan Chase’s infrastructure.
So how do you defend against all this?
Companies need to understand the modus operandi of cybercriminals. Once a cybercriminal gets into a company network, they may spend a long time trying to escalate privileges and move laterally before completing their mission. Some of the ways attackers gain an initial foothold are through phishing emails and malicious websites. Once the attacker gets into the network, they may employ tactics such as port scanning, token theft, pass-the-hash, and sometimes even social engineering to move laterally.
It may be months before any overt activity even occurs; in the meantime, the attacker could be just lurking around gaining more and more privileged access and making their presence a normal occurrence. They may even access certain classified files and folders, but at a rate that will not arouse any suspicion. Attackers may also try covering their tracks once they exfiltrate data. Some ways attackers attempt to hide their activities are by clearing event logs, disabling auditing, or sometimes a combination of both.
Therefore, enterprises need to shift their mindset from relying solely on perimeter protection to emphasizing vulnerability detection. A good way to start would be to do an exhaustive risk assessment and plug all holes.
Organisations also need to test their ability to prevent, detect, respond to, and contain an attack. This can only be done if the IT team assumes that an attack will definitely happen, and runs through real simulations. The organisation may also find it worth their while to employ an ethical hacker to help them with this. An ethical hacker who goes by the moniker of Freaky Clown says, “I have legally broken into hundreds of banks, and I have only been caught two times and that too because of the client’s mistake.”
Finally, companies need to invest in the right threat intelligence systems, systems that can correlate different network anomalies. But this alone is not enough. The insight provided by these systems should in turn be correlated with user behavior analytics (UBA). UBA uses sophisticated machine learning technology and an analytical approach to create a baseline of normal activities that are specific to each user, and notifies security personnel when there is a deviation from this norm.
What will happen in a highly-digitised future?
In the future—as technologies such as smart devices, augmented reality, and the Internet of Things become common—the number of vulnerable endpoints in a typical organisation will increase. As if those won’t be difficult enough to contain, cybercriminals may also start exploiting these vulnerable endpoints by employing artificial intelligence. Machines could be taught to infiltrate and perform malicious attacks on their own and bring organisations to their knees.
Imagine a situation in which a self-learning machine turns a driverless automobile into a weapon. Or picture a future in which a combination of holography and brain decoding technology allows people to have meetings between their virtual selves in the office. What if a cybercriminal impersonates a CEO’s virtual self and compromises the business by giving the wrong instructions during a meeting?
In scenarios like this, organisations would need to detect deviations in behavior with highly-sophisticated AI tools of their own. And these AI tools would just be a single, yet important part of a highly-layered and tight defense strategy.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.