Mandiant, which is working with Anthem to investigate its massive breach, confirmed to SCMagazine on Wednesday that the attack involved the use of custom backdoors – but how exactly did the cyber-crooks pull off one of the largest health care data heists to date?
Joseph Swedish, president and CEO of Anthem, noted in a message posted on Wednesday that Anthem made efforts to “close the security vulnerability” immediately after the attack was identified.
More details are expected to emerge from Anthem on what that vulnerability is, but security experts have begun weighing in on how criminals could have gained unauthorised access to the managed health care company's IT system.
Jasper Graham, former NSA technical director and SVP of Cyber Technologies and Analytics at Darktrace, told SCMagazineUK.com in a Thursday email correspondence that attackers could have gained access to the information by either exploiting a bug in Anthem's IT system, or obtaining credentials via social engineering.
“I don't believe this was a smash and grab,” Graham said, speculating on how long the attackers were carrying out the attack. “Based on the amount of data stolen, it took the attackers some time to figure out where they were and what they could have access to.”
In a Thursday email correspondence, Ken Westin, senior security analyst with Tripwire, told SCMagazineUK.com that the initial attack vector could have been a successful spear phishing attack that targeted an admin or other individual with high level access to data.
“Another more likely scenario is that this was a SQL injection attack or a direct attack on the database servers,” Westin said.
He took note of two job listings currently posted on Anthem's website: one posted on Wednesday for a Cloud Encryption Security Professional, and another posted on Friday for a Checkpoint Firewall Expert.
“This could be indications of where [their] lapses in security may have been and where they are now trying to bolster their defences,” Westin said.
Part of the problem Anthem might have been facing is that “large organisations cannot visualise and understand their whole attack surface, and inevitably end up leaving some side door unlocked and overlooked,” Mike Lloyd, CTO of RedSeal, told SC on Thursday.
“Attackers only need to automate the process of twisting doorknobs, on a grand scale, to find a toe-hold, and once in, smart attackers can move laterally to find all kinds of data,” Lloyd said. “Defenders have no choice – they have to automate in turn, since only 99 [percent] compliance with a security policy is nowhere near enough.”
According to unconfirmed reports, Anthem first noticed suspicious activity on January 27 and verified two days later that it had been the victim of an attack dating back to December 10. But what exactly tipped off the company to the breach?
Citing Thomas Miller, chief information officer of Anthem, The Wall Street Journal reported on Thursday that “the first sign of the attack came in the middle of last week, when a systems administrator noticed that a database query was being run using his identifier code although he hadn't initiated it.” The report adds that the information was tracked to an outside web-storage service where the data was frozen, although it is unclear if the data had been moved elsewhere.
Graham and Westin both noted that companies may be able to detect large amounts of data leaving the organisation.
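The two signals described above (a query attributed to an administrator who did not run it, and an unusually large volume of data leaving a data store) are both things a database audit trail can surface. The following is an added illustration, not code from the article or from Anthem, Mandiant or any vendor quoted here: it correlates constructed database query audit records against constructed interactive login/logout records, flags any query that runs under an identifier with no active session at that time, and separately flags bulk result sets above a configurable row threshold. The log formats, user names, row counts and threshold are all assumptions made for the example.

```python
"""Added example: correlate DB query audit records with admin login sessions.

Two detections drawn from the reporting above:
  1. a query executed under a user identifier with no active interactive
     session for that user at the time (the admin "hadn't initiated it");
  2. a query returning a bulk result set (large amounts of data leaving).
All log lines below are constructed for this example; the formats are assumed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample records (assumed formats, not a real product's log).
SESSION_LOG = """\
2015-01-20T08:55:00 LOGIN  user=dba_jsmith src=10.20.1.15
2015-01-20T17:05:00 LOGOUT user=dba_jsmith src=10.20.1.15
2015-01-21T09:00:00 LOGIN  user=dba_jsmith src=10.20.1.15
2015-01-21T17:30:00 LOGOUT user=dba_jsmith src=10.20.1.15
"""

QUERY_LOG = """\
2015-01-20T10:12:43 user=dba_jsmith rows=120 sql="SELECT id,name FROM members WHERE plan_id=42"
2015-01-21T02:47:10 user=dba_jsmith rows=18000000 sql="SELECT name,ssn,address FROM members"
2015-01-21T11:03:05 user=dba_jsmith rows=7 sql="SELECT * FROM members WHERE id=1001"
"""

SESSION_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT)\s+user=(\S+)")
QUERY_RE = re.compile(r'^(\S+) user=(\S+) rows=(\d+) sql="(.*)"$')


@dataclass
class Query:
    ts: datetime
    user: str
    rows: int
    sql: str


@dataclass
class Finding:
    ts: datetime
    user: str
    reasons: list = field(default_factory=list)
    sql: str = ""


def parse_sessions(text):
    """Return {user: [(login_ts, logout_ts), ...]}.

    A LOGIN with no matching LOGOUT is treated as still open (ends at
    datetime.max) so that a live session is not reported as missing."""
    sessions, open_logins = {}, {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # ignore lines that are not session events
        ts, event, user = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if event == "LOGIN":
            open_logins[user] = ts
        elif user in open_logins:
            sessions.setdefault(user, []).append((open_logins.pop(user), ts))
    for user, start in open_logins.items():
        sessions.setdefault(user, []).append((start, datetime.max))
    return sessions


def parse_queries(text):
    """Parse the constructed query audit format into Query records."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append(Query(datetime.fromisoformat(m.group(1)), m.group(2),
                             int(m.group(3)), m.group(4)))
    return out


def detect(sessions, queries, bulk_threshold=100_000):
    """Flag queries with no covering session and/or a bulk result set."""
    findings = []
    for q in queries:
        reasons = []
        windows = sessions.get(q.user, [])
        if not any(start <= q.ts <= end for start, end in windows):
            reasons.append("no_active_session")
        if q.rows >= bulk_threshold:
            reasons.append("bulk_export")
        if reasons:
            findings.append(Finding(q.ts, q.user, reasons, q.sql))
    return findings


if __name__ == "__main__":
    for f in detect(parse_sessions(SESSION_LOG), parse_queries(QUERY_LOG)):
        print(f"{f.ts.isoformat()} user={f.user} {','.join(f.reasons)} :: {f.sql}")
```

On the constructed input only the 02:47 query is reported, for both reasons at once: it runs under the administrator's identifier outside any of his sessions and it pulls the whole table. In practice the session source would be the directory or bastion login log rather than the database itself, and the row threshold would be tuned per data store; the point of the correlation is that an identifier being used with no human session behind it is a strong signal even before the volume becomes obvious.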
Westin went on to explain that attackers may have only compromised a single data store – as opposed to a whole network compromise – because the data did not include medical information.
“Given how quickly they reported it, it seems likely that this was a probe from [the] outside that managed to access information, but was detected and blocked as it was happening,” Steve Hultquist, chief evangelist at RedSeal, told SC. “It seems likely that their detection systems triggered and their processes were effective enough to respond quickly to the attack.”
One fact did not sit well with the security experts: the data was reportedly unencrypted.
Graham said he is surprised by the lack of encryption, especially in the wake of recent high profile breaches such as Target, Home Depot, and JPMorgan Chase. He called it inexcusable, contending that all companies must accelerate their efforts to encrypt sensitive information.
The data that was accessed – names, addresses, Social Security numbers, and more – can be used by attackers to open credit cards, conduct phishing campaigns, and make fraudulent phone calls in an attempt to get information, Graham said, adding the data could also be sold on the black market.
“What becomes particularly dangerous with these types of breaches is when we start to apply ‘overlays’ where we overlay one set of breached or public data with other data,” Westin said. “This process can be automated using various big data analytic tools and machine learning utilities to generate rich profiles of individuals.”