Announcing Weekly Breach Insights from Dtex Analysts:
Week of November 4
Tales of new data breaches and other cybersecurity incidents hit the media every single day — in today’s world, they are a constant, unavoidable reality. The sheer quantity means that many have already begun to tune them out.
But to us? That seems like a huge missed opportunity.
Every time yet another one of these stories hits the news, our analysts and cybersecurity experts almost always find something notable in it, and often something new to learn, even from seemingly run-of-the-mill incidents.
This is why we’re thrilled to kick off the first installment of our weekly Analyst Breach Insights series.
In these posts, we’ll be rounding up a few notable breaches from the past week and discussing them with Dtex’s threat experts, who will provide responses and insights based on their experiences in the field.
This week, we sat down with Dtex’s Manager of Insider Threat and Cybersecurity Investigation, Armaan Mahbod, to discuss what we can learn from this week’s breaches — including phishing attacks, software exploits, ransomware, and more.
On October 16, Web.com (which also owns Network Solutions and Register.com, with Network Solutions now being the world’s 5th largest domain name registrar) discovered that a “third party gained unauthorized access” to their databases and as a result customer data “such as name, address, phone numbers, email address and information about the services that we offer to a given account holder” may have been accessed. Web.com is currently working with authorities and independent investigators to gain more information about the incident. Read more in their official notice.
Our analysts took particular note of the squishy language in the announcement, such as “such as” and “may have”. This, combined with the fact that the intrusion was not detected until months after it happened, makes it fairly obvious that Web.com has very little information about exactly what happened and how. We’re willing to bet that they aren’t sure which data was actually compromised.
So, above all, this story is yet another example of why it is so important to have full visibility over endpoints, data, and people — because it is notoriously difficult to piece together a coherent story from incomplete information.
This story also reminded Armaan of an incident he had seen at one of our customers.
“I look at that ‘third party’ language and it makes me wonder if it was a third party, like a contractor or service provider, that still had access they weren’t supposed to have anymore,” Armaan said. “We see that all the time. It could be a complete outsider, but I think it is much more likely that it was someone who, at some point, did have authorized access and ended up misusing it after the fact.”
In that incident, Dtex had been deployed across the full organization, and shortly afterward the analyst team noted significant spikes in risky activity for a particular account. The account was found to be engaged in torrenting, removable-device use, and other unauthorized activity. It turned out that the account belonged to a contractor, and the third-party administrative account and its associated device had been left active for more than three months after they should have been deleted.
“This type of visibility and control becomes even more critical as organizations have more contractors, remote workers, and offices all over the world, which can become more difficult to monitor without the right solution,” he added.
On October 29, a ransomware attack hit the public-school system in Las Cruces, New Mexico. It appears that the school system detected the attack quickly and immediately shut down all computers and networks. New Mexico State University has alerted its staff not to open any emails from Las Cruces public schools, due to the risk of malware. However, recovering from the attack has proven difficult: as of yesterday, computers and networks were still shut down.
Ransomware is a growing problem among local governments and small healthcare organizations. From the DarkReading article:
According to EmsiSoft, the first nine months of 2019 saw ransomware attacks against 621 government entities; healthcare service providers; and school districts, colleges and universities. That number includes at least 62 education institution incidents involving more than 1,000 individual schools.
As with any malware, full visibility across all laptops, desktops, servers, and virtual machines is essential if an organization is to immediately understand the impact and source of a ransomware attack.
“Although shutting down the devices and network will hopefully stop any further damage,” Armaan said, “the IT team still needs to forensically audit what activities occurred, how the infiltration actually occurred, what documents were touched, what other applications may be associated with the ransomware attack, what devices and accounts were affected, etc.”
But he also pointed out that in cases like these, involving a full network shutdown, the uses of this visibility go beyond the investigation of the malware itself. One Dtex customer, which went through a forced network shutdown because of another company that shared its office space, used this visibility to measure its productivity decrease during that time. Although such shutdowns are often unavoidable, being able to quantify the full impact of an incident is still very important.
A new phishing scam has emerged that emails Office365 users claiming that they have a new voicemail — sometimes even going so far as to include an audio attachment that sounds like the beginning of a voicemail — and then directs them to a fake O365 login page. This login page even pre-populates the user’s email address, making it a very convincing fake.
This new scam comes on the heels of the news that phishing kit lifespans are shortening, signaling that specific phishing scams are short-lived but also evolve more rapidly.
Many people think that only the technologically illiterate can fall for phishing schemes, but this story is a testament to the great lengths some scammers go to in order to create a genuinely convincing experience. We’ve seen an increase in phishing attacks, which Armaan attributes to the nature of the modern enterprise:
“Phishing attacks are only increasing because this is one of the major ways outside attackers are able to gain further access and persist within an organization,” he said. “Companies will never be able to fully get rid of email as it is one of the most utilized forms of communication within an organization. Furthermore, there are always internal and external communications, meaning that at least one individual in an organization can be tricked into clicking on a well-worded email. These infiltrators are hoping to initially gather intelligence through reconnaissance by monitoring network activity, file locations, applications, and much more.”
This is why organizations cannot afford to ignore phishing attacks: they’re increasingly common, and they evolve more quickly than ever, which means relying solely on known indicators of compromise is an insufficient approach — especially when phishing schemes are reaching a point where they can fool even wary users.
For example, we recently saw a highly targeted, very convincing phishing attack install a Java backdoor on the computer of a C-level executive, all without triggering an alert from Proofpoint or from the customer’s other AV solutions. Because those solutions didn’t look at the malware’s behavior in context (that behavior would have been commonplace for, say, an IT admin user), and because the malware didn’t trigger any specific IOCs, they didn’t fire an alert. Dtex, however, recognized that the machine’s behavior was highly abnormal for that specific user and alerted immediately, allowing the situation to be fully resolved within hours.
Ideally, EDR and AV tools are able to catch malware like this, but we frequently see situations where that isn’t the case, or where anti-malware tools are not enough to identify who was affected. What’s more, phishing is very much a human problem too, which means that you need to be able to see how users interact with these emails in order to diagnose the damage if your organization is hit with a similar attack.
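To make the point above concrete, here is an added example (our illustration, not Dtex’s product code) that runs the same activity chain through three detection strategies: an IOC list, an organisation-wide rarity check, and a per-user baseline. The users, actions, and the IOC entry are constructed for the example; only the per-user baseline flags the activity on the executive’s machine while leaving the admin’s identical activity alone.

```python
"""Per-user baseline vs global/IOC check (constructed example, not Dtex code)."""
from collections import Counter, defaultdict

# Constructed historical endpoint events as (user, action); not real telemetry.
HISTORY = [
    ("itadmin", "exec:java"), ("itadmin", "exec:powershell"),
    ("itadmin", "net:outbound_connect"), ("itadmin", "exec:java"),
    ("itadmin", "net:outbound_connect"), ("itadmin", "exec:nmap"),
    ("cfo", "exec:outlook"), ("cfo", "exec:excel"), ("cfo", "exec:word"),
    ("cfo", "exec:outlook"), ("cfo", "exec:excel"), ("cfo", "exec:outlook"),
]

# Constructed new events: the same activity chain appears on both endpoints.
NEW_EVENTS = [
    ("itadmin", "exec:java"), ("itadmin", "net:outbound_connect"),
    ("cfo", "exec:java"), ("cfo", "net:outbound_connect"), ("cfo", "exec:outlook"),
]

# Hypothetical IOC list; it has no entry for this (unknown) backdoor.
KNOWN_BAD_ACTIONS = {"hash:PLACEHOLDER_KNOWN_BAD"}

def build_baselines(history):
    """Per-user action counters plus an organisation-wide counter."""
    per_user = defaultdict(Counter)
    for user, action in history:
        per_user[user][action] += 1
    global_counts = Counter(action for _, action in history)
    return per_user, global_counts

def rarity(counter, action):
    """0.0 = the only thing this entity ever does; 1.0 = never seen before."""
    total = sum(counter.values())
    return 1.0 if total == 0 else 1.0 - counter[action] / total

def triage(history, events, threshold=0.95):
    """Return the alerts each strategy raises for the same event stream."""
    per_user, global_counts = build_baselines(history)
    ioc_hits = [(u, a) for u, a in events if a in KNOWN_BAD_ACTIONS]
    global_hits = [(u, a) for u, a in events
                   if rarity(global_counts, a) >= threshold]
    user_hits = [(u, a) for u, a in events
                 if rarity(per_user.get(u, Counter()), a) >= threshold]
    return {"ioc": ioc_hits, "global": global_hits, "per_user": user_hits}

if __name__ == "__main__":
    for strategy, hits in triage(HISTORY, NEW_EVENTS).items():
        print(f"{strategy:9s} -> {hits}")
```

Running it shows empty alert lists for the IOC and global strategies, and only the CFO’s Java execution and outbound connection under the per-user baseline.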
Coalfire CEO lambasts Dallas County Sheriff over the arrests of two employees during a courthouse penetration test
On September 11, 2019, two employees of cybersecurity firm Coalfire were hired to conduct a penetration test on a Dallas County courthouse. In the middle of the test, however, they were caught inside the courthouse, arrested, and charged with burglary. Though the charges have been reduced to trespassing, they still haven’t been dropped, and the case has called into question whether the state has the authority to “authorize a break-in” to a county building.
While at first glance this story might seem like a fairly extreme outlier, we see much lower-stakes versions of this problem all the time: a lack of communication causing problems for pen testers, or wasting the security team’s time with huge numbers of alerts.
“Pen testers are hired by organizations and governments all of the time,” Armaan said. “And these guys will generate hundreds of alerts in a very short period of time. So, there are two reasons why this is an important topic. Organizations need to make sure everyone is aware of this activity and that they have the ability to disregard the known-bad things that they’re doing. But on the other hand, sec ops teams also need to have enough visibility to be certain that these third-party, highly-skilled users don’t commit unauthorized malicious activity with their access.”
While most organizations won’t find themselves in a situation with stakes quite this high, the story still illustrates the need for monitoring and open communication when working with pen testers.
This week’s breach news highlighted the importance of visibility and the sheer variety and unpredictability of today’s threats. As we continue to analyze current breaches on a regular basis and relate them to our experiences in the field, we expect to see these points arise again and again, though, as always, the ways in which they manifest will likely keep coming from new angles.
Join us again next week for another round of breach insights. Until then, if you’d like to learn more about Dtex’s field experiences, consider reading our recent article in The Sunday Times’ Fighting Fraud Report, in which we discuss the role of visibility in insider fraud.