Feb 9, 2015 4:00 AM PT

Anthem: How does a breach like this happen?

It's not as difficult as you'd think

REUTERS/Gus Ruelas

Remove all the hype, all the sensationalism, and Anthem's security dilemma is no different from one that any other large organization would face. Was this attack truly sophisticated, or could anyone have pulled it off?

On December 10, 2014, someone compromised a database owned by Anthem Inc., the nation's second largest health insurer.

The compromise wasn't discovered until January 27, 2015, after a database administrator discovered his credentials being used to run a questionable query – a query he didn't initiate. Two days later (January 29), Anthem alerted federal authorities and HITRIUST C3 that their internal investigation determined the incident was in fact a data breach. On February 4, 2015, the company disclosed the breach to the public.

"Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members," Anthem President and CEO, Joseph R. Swedish, said in a statement.

Those responsible for the attack were able to obtain "personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," the statement added.

The scope of the breach isn't fully understood, but there's a good chance that a majority of the 80 million records contained in the compromised database were exposed. According to company metrics, one in nine Americans have medical coverage through one of Anthem's affiliated plans.

Anthem, based on data posted to LinkedIn and job listings, uses TeraData for data warehousing, which is a robust platform that's able to work with a number of enterprise applications.

This technical detail also provides an idea on the level of security Anthem had available, as TeraData has a number of solid security controls available to customers, such as user-level security controls, role-based support, directory integration, traffic encryption, in addition to auditing and monitoring.

In the aftermath of the breach at Anthem, experts have speculated on whether the data in the database was encrypted at the time the attackers compromised it.

The problem is, while HIPAA requires that identifying information be encrypted, that protection goes by the wayside once an attacker compromises an administrator's credentials. So even if the data was encrypted, it didn't matter once the attacker(s) had total control over the database.

As for the attack itself, was it truly sophisticated or will the investigation reveal an attack that's similar to the ones that target organizations the world over day-after-day?

The Associated Press, looking to confirm information first posted by Salted Hash, got Anthem on the record to confirm that not only did the incident start last December, but the company also confirmed that five tech employees had their credentials compromised. It wasn't clear if this number included the employee who raised the alarm after noticing his credentials being abused, but the count is still significant.

Easier is better. So while the attackers could have used Java, Windows, or Adobe vulnerabilities, the fastest way to obtain credentials is to ask for them, which is exactly what Phishing does in most cases.

Between Google, LinkedIn, Facebook, and various posts across the Web, it wouldn't take long to develop an email scheme that would eventually lead someone within Anthem's technology group to reveal their credentials.

But the difference between a passive attack that uses Phishing and what happened at Anthem is persistence.

Based on Anthem's defenses, it's possible that they attacker(s) tried to compromise the database earlier in 2014, but were thwarted. However, they kept at it and eventually succeeded. Generic attacks play the numbers game, hoping to get victims on volume. Focused attacks have a small number of targets, and keep taking shots until they get a hit.

While it's possible that legacy systems are in use on the network, or perhaps Anthem was behind on patches or other maintenance, it doesn’t matter once the credentials have been compromised.

"It will be interesting to discover of what exactly the DBA's credentials consisted. If they were simply a username and a password, shame on Anthem. Even President Obama has figured out that systems containing PII need two-factor authentication, and said so in his Presidential cybersecurity directive," said John Zurawski, Vice President at Authentify.

In that case, two-factor authentication might have prevented, or at least made an attack such as the one at Anthem difficult, he said. But what if the attack was sophisticated enough to capture and maintain a valid authenticated session token in real-time, even with two-factor authentication in place?

"This type of session hijacking attack is post-login - once you login, the network maintains a session token that indicates the user in this active session was authenticated. Malware on your computer or in your browser - the advanced persistent threat or APT - captures that session token and is able to maintain and use it. It's a validated session, so even your two-factor authentication is beaten," Zurawski explained.

Again, technical controls will only go so far. Once the humans are exploited, those controls are next to useless. Behavioral controls and monitoring can help flag a compromised human element, but it isn't an exact science. For example, technology didn't detect the Anthem breach, a human who was paying attention did. Self-awareness among the staff is a serious bonus to any information security program.

In truth, implementing a solution that's robust enough to offer scaled access, monitoring, and identity controls is hard. The technology exists, but putting it to work isn't as simple as installing a box and pushing a configuration file.

So why target Anthem? If Anthem were a bank, the quote attributed to Willie Sutton would be a perfect fit. Allegedly, when asked why he robed banks, Sutton said "because that's where the money is..."

Thus, Anthem was targeted because the attacker(s) wanted information, and Anthem has millions of records at their disposal; they went where the data was. Perhaps there's more to it than that, but if not, the fact the data was there is all the reason the attacker(s) needed.

"Healthcare providers [and insurers] hold verified personal information that can tell thieves almost anything they need to know about a person, including where they live, their phone number and email addresses and also their social security details. All of this data, in the wrong hands, can be sold on for profit, used to conduct Medicare fraud or indeed complete identity theft," said Trent Telford, the CEO of Covata, in a recent statement.

The Anthem breach, based on the information they've disclosed to the public, doesn't look to be as sophisticated as advertised. The root cause was most likely Phishing, which would render many of their technical controls useless once the attacker(s) had root-level access to the network and database.

Often, Phishing doesn't require the use of zero-day vulnerabilities or known exploits – all that's required is a person who's willing to do exactly as they're told.

So who was it that attacked Anthem? At this stage, it doesn't matter. All that matters is fixing the network and getting back to business as soon as possible.

When it comes to data breaches, there is so much focus on "who" that the "how" isn't completely addressed, resulting in repeat attacks. Anthem took steps to address "how" and said that passwords were changed immediately, and the data warehouse was secured. It's a start, but there's a long way to go.

Attribution is often wrong during a breach investigation, and speculation only makes the incident being addressed worse. Soon after Anthem announced the breach, several media outlets reported that China was to blame. The source of those claims were anonymous people familiar with the investigation – allegedly they worked with FireEye (Mandiant).

FireEye denied these claims as soon as possible, but by the time their statement hit the media, the rumors had spread. Many of those reporting the claims have yet retract them and update their stories.

"I would like to change the rhetorical argument then from caring about the who so much and more about the how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this ex-filtration of data in the first place," security expert Scot Terban wrote, in a recent blog on the question of attribution.

"The problems with many corporations stem from a lack of security awareness as well as presence within the org to instill secure practices like patch management and employee awareness on what a phish looks like and how to detect them."