Analyst Breach Insights: Dissecting the Trend Micro Insider Breach
In this week’s analyst breach report, we’re taking a look at one particularly interesting breach that happened last week -- at anti-malware cybersecurity company Trend Micro.
Here’s the short version of what happened:
An employee at Trend Micro accessed thousands of customer records, exfiltrated them, and sold them over the Dark Web. Trend Micro only became aware of the breach when they started to get concerned questions from customers, who were wondering why they were getting unsolicited calls from “Trend Micro support personnel.” The third party that the data was sold to had begun using it to conduct a social engineering campaign, reaching out to Trend Micro customers under the guise of being part of the support team.
Trend Micro became aware of the breach in August of 2019 and concluded that it had been a malicious insider in October of 2019. Trend Micro claims that around 68,000 customers were affected.
When we sat down to discuss and examine this case, our analysts were in agreement that there are a few elements of this particular story that make it especially worthy of additional discussion.
First: How does this even happen to an anti-malware company?
This is the first question that’s impossible to ignore: how is it possible that a company that deals entirely and exclusively in cybersecurity software could have a breach on this scale -- and fail to detect it until customers raise the alarm?
More importantly, how can Trend Micro’s anti-malware solutions protect their customers from breaches when they couldn’t protect themselves?
To us, the answer to this question is obvious. Trend Micro is indeed a cybersecurity company, but their products are focused on detection and protection against malware. Even if we presume that they’re internally utilizing the full suite of Trend Micro products, those products still won’t offer the kind of visibility that they’d need to detect or stop this particular breach. This speaks not to the quality of Trend Micro products for their intended purpose, but to the core nature of them.
They weren’t paying attention to the right data.
Sometimes, companies ask us what makes Dtex different from other security products, or why tools like EDR can’t fulfill the same purpose. This is the most damning illustration of the answer: they are two tools designed to address totally different problems. Anti-malware solutions simply do not collect the data required to answer questions around human threats like this one -- including questions that not only would have allowed Trend Micro to catch this breach earlier, but may have given them the warning signs to stop it altogether.
“Anti-malware solutions will not protect you from breaches,” said Steven Spadaccini, Dtex’s VP of Field Engineering. “We see malicious users, negligent users, and / or nation state actors using typical data paths for exfiltration of PII data. They hide in everyday activity using everyday methods as it is extremely difficult to find these users and elevate them for inspection.”
A cybersecurity company may make or utilize the best AV tools in the world, but it wouldn’t have made a difference.
Second: What else doesn’t Trend Micro know?
We’re willing to bet that there’s a lot.
We know that Trend Micro did not detect the data breach themselves, and even after they became aware of the breach, it still took them months to figure out that it had been an insider who had misused the data.
These two facts alone mean that we can safely assume that Trend Micro was not utilizing user visibility across their whole organization, and the fact that the investigation took so long to produce even basic answers means that they likely did not have an audit trail to follow.
This is important, because an insider data breach is never really just one isolated event. There are multiple steps that go into that process, each of them revealing important information. This is what we call the Insider Threat Kill Chain -- five stages that appear in nearly every insider data breach case, and that Trend Micro almost certainly didn’t have any visibility into.
Without this, they can’t answer questions like:
- How did this user manage to access this data if it was outside of their typical or allowed data usage?
- Did any security measures fail during this event? If so, how and when?
- Did the user download all the data at once? In stages? Is it possible that this had happened before?
- Did the user investigate other potential targets?
- How did the user exfiltrate the data? Was it through cloud storage, or a USB drive, or external hard drive -- or some other measure? Did they obfuscate the data before exfiltrating it?
That final question is perhaps the most important. Because the data was sold to a third party, it managed to completely leave the bounds of the organization, which means this user had to research, download, aggregate, and exfiltrate a very large amount of data without triggering any alarms.
This all leads us to believe that there are likely many, many unanswered questions around this event. Trend Micro estimates that 68,000 customers were affected -- but do they really know that? Realistically, 68k is probably the smallest possible number affected… and it is possible that many more were impacted, and Trend Micro simply doesn’t know.
If the scammers had been a little smarter about their social engineering, this might have gone on for much longer without ever being detected.
And third: What should they have been looking for?
This incident is stark proof of the importance of organization-wide visibility. This need, too, goes beyond insider threats specifically. We live in a world in which data is at risk in thousands of different ways at any given moment, and things just slip through the cracks all the time -- for instance, Dtex recently detected a phishing email that slipped past multiple layers of AV defense.
No one can expect any single security solution to be 100% bulletproof. Organizations need to see into the blind spots. This means obtaining full visibility across devices, machines, applications, and people -- enterprise-wide, 24/7, in real time. Detecting these kinds of threats is a matter of collecting the audit trail and then elevating suspicious users for inspection.
If Trend Micro had utilized this kind of visibility, what might they have found?
Without knowing the details of this specific case, key red flags that they may have picked up on might include:
- Earlier stages of the insider threat kill chain. As we mentioned earlier, every insider threat data theft incident tends to include multiple different stages as the user prepares to steal data. Was the user taking measures to disable or evade security measures? Were they aggregating large amounts of information?
- Behavior that is unusual for that specific user. This is a key part of early intervention. We have not been given any information about who this insider was or what their role was, but we have worked on previous cases where data theft was stopped before it happened because Dtex detected that a user was downloading, manipulating, or doing excessive reconnaissance in a folder or server that had nothing to do with their role at the company. Oftentimes, the customers in question didn’t even realize that the user was allowed access to those locations (again, another prime example of how all security measures, including access control, are fallible).
You may notice that all of the above examples involve looking at the user’s behavior in context. The key is not only obtaining the data itself, but contextualizing that data within the greater story of that user’s specific role, their history of activity, and the risk factors of the data involved.
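A small sketch of the "behavior in context" check described above, as an added example (it is not Dtex's product logic and uses no data from the Trend Micro case): each user's daily record-access volume is compared with that user's own history, and access to data stores outside the user's role is flagged. The event format, role map, user names, dates and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed role map (assumption): data stores each role normally needs.
ROLE_RESOURCES = {"support": {"ticket_db"}, "billing": {"customer_db"}}

# Constructed audit events: (day, user, role, resource, records_read).
EVENTS = [
    ("2024-03-01", "alice", "support", "ticket_db", 40),
    ("2024-03-02", "alice", "support", "ticket_db", 55),
    ("2024-03-03", "alice", "support", "ticket_db", 48),
    ("2024-03-04", "alice", "support", "ticket_db", 52),
    ("2024-03-05", "alice", "support", "ticket_db", 50),
    ("2024-03-05", "alice", "support", "customer_db", 900),
    ("2024-03-06", "alice", "support", "customer_db", 1200),
    ("2024-03-01", "bob", "billing", "customer_db", 200),
    ("2024-03-02", "bob", "billing", "customer_db", 220),
    ("2024-03-03", "bob", "billing", "customer_db", 210),
    ("2024-03-04", "bob", "billing", "customer_db", 190),
]

def flag_anomalies(events, z=3.0, min_history=3):
    """Return (day, user, reasons) for days that break the user's own baseline."""
    totals, touched, roles = defaultdict(int), defaultdict(set), {}
    for day, user, role, resource, n in events:
        totals[(day, user)] += n
        touched[(day, user)].add(resource)
        roles[user] = role
    alerts, history = [], defaultdict(list)
    for day, user in sorted(totals):  # chronological: ISO dates sort as text
        reasons = []
        extra = touched[(day, user)] - ROLE_RESOURCES.get(roles[user], set())
        if extra:  # data store outside what the role normally needs
            reasons.append("out_of_role:" + ",".join(sorted(extra)))
        past = history[user]
        if len(past) >= min_history:
            # Floor sigma at 1 so a flat history still tolerates small changes.
            limit = mean(past) + z * max(pstdev(past), 1.0)
            if totals[(day, user)] > limit:
                reasons.append("volume_spike")
        if reasons:
            alerts.append((day, user, reasons))
        else:
            # Only clean days feed the baseline, so staged theft cannot normalise itself.
            history[user].append(totals[(day, user)])
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(EVENTS):
        print(alert)
```

The same volume that is routine for the billing user is an alert for the support user, which is the point of judging activity against role and personal history rather than a global threshold.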
The takeaway: The importance of asking and answering the right questions.
This breach caught our particular interest because it encapsulates a tenet that we frequently see in practice: you don’t know what you don’t know, and you can’t react to what you can’t see. Trend Micro is a perfect example of this. They’re a cybersecurity company, but the fact that they’re a respected leader in AV security only proves the fact that human threats like this one require a different response.
This is a two-part requirement: it means that you need to see the anomalies that ensure you’re asking the right questions, and then you need the data that allows you to answer those questions with speed and certainty.
“An enterprise needs to be able to ask the who, what, why, when, and where questions of their data and get an answer back in minutes to fully understand their risk at any given moment,” Spadaccini said – a conclusion that he, and the rest of our analyst and field teams, have seen demonstrated over and over again in the field.
As this breach has proven, an investment in anti-malware cybersecurity doesn’t necessarily offer protection if organizations are looking at the wrong data.
Do you want to see what Dtex would uncover in your organization? You can find out with an Insider Threat Assessment.