Anthem: How does a breach like this happen?

It's not as difficult as you'd think

Page 2 of 3

The Associated Press, looking to confirm information first posted by Salted Hash, got Anthem on the record to confirm that not only did the incident start last December, but the company also confirmed that five tech employees had their credentials compromised. It wasn't clear if this number included the employee who raised the alarm after noticing his credentials being abused, but the count is still significant.

Easier is better. So while the attackers could have used Java, Windows, or Adobe vulnerabilities, the fastest way to obtain credentials is to ask for them, which is exactly what phishing does in most cases.

Between Google, LinkedIn, Facebook, and various posts across the Web, it wouldn't take long to develop an email scheme that would eventually lead someone within Anthem's technology group to reveal their credentials.

But the difference between a passive attack that uses phishing and what happened at Anthem is persistence.

Based on Anthem's defenses, it's possible that the attacker(s) tried to compromise the database earlier in 2014, but were thwarted. However, they kept at it and eventually succeeded. Generic attacks play the numbers game, hoping to get victims on volume. Focused attacks have a small number of targets, and keep taking shots until they get a hit.

While it's possible that legacy systems are in use on the network, or perhaps Anthem was behind on patches or other maintenance, it doesn’t matter once the credentials have been compromised.

"It will be interesting to discover of what exactly the DBA's credentials consisted. If they were simply a username and a password, shame on Anthem. Even President Obama has figured out that systems containing PII need two-factor authentication, and said so in his Presidential cybersecurity directive," said John Zurawski, Vice President at Authentify.

In that case, two-factor authentication might have prevented an attack such as the one at Anthem, or at least made it more difficult, he said. But what if the attack was sophisticated enough to capture and maintain a valid authenticated session token in real-time, even with two-factor authentication in place?

"This type of session hijacking attack is post-login - once you log in, the network maintains a session token that indicates the user in this active session was authenticated. Malware on your computer or in your browser - the advanced persistent threat or APT - captures that session token and is able to maintain and use it. It's a validated session, so even your two-factor authentication is beaten," Zurawski explained.

Again, technical controls will only go so far. Once the humans are exploited, those controls are next to useless. Behavioral controls and monitoring can help flag a compromised human element, but it isn't an exact science. For example, technology didn't detect the Anthem breach; a human who was paying attention did. Self-awareness among the staff is a serious bonus to any information security program.
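One server-side control against the post-login hijack Zurawski describes, and the kind of monitoring signal the paragraph above has in mind, as an added example that is not from the article or from Authentify: a session store that binds each token to the client that completed login and revokes it when the token is replayed from elsewhere or sits idle. The class and function names, the timeouts, and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _fingerprint(user_agent: str) -> str:
    """Hash of the client attributes the session is bound to at login (assumed: User-Agent only)."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    client_ip: str
    client_fp: str


class SessionStore:
    ABSOLUTE_TTL = 8 * 3600   # force a fresh login, and a fresh second factor, every shift
    IDLE_TTL = 15 * 60        # a captured token must be replayed quickly or it dies on its own

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, client_ip: str, user_agent: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Keep only a hash of the token so a dump of the store does not yield usable sessions.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._sessions[key] = Session(user, now, now, client_ip, _fingerprint(user_agent))
        return token

    def validate(self, token: str, client_ip: str, user_agent: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Any rejection revokes the session server-side."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        sess = self._sessions.get(key)
        if sess is None:
            return False, "unknown_token"
        if now - sess.issued_at > self.ABSOLUTE_TTL:
            del self._sessions[key]
            return False, "absolute_timeout"
        if now - sess.last_seen > self.IDLE_TTL:
            del self._sessions[key]
            return False, "idle_timeout"
        if sess.client_ip != client_ip or sess.client_fp != _fingerprint(user_agent):
            # Token presented from a host other than the one that completed 2FA: treat as a
            # likely replay, revoke it, and surface this reason code to the monitoring team.
            del self._sessions[key]
            return False, "binding_mismatch"
        sess.last_seen = now
        return True, "ok"
```

Binding to the source IP will false-positive for users behind carrier NAT or changing VPN exits, so in practice the mismatch is often alerted on and stepped up to re-authentication rather than silently revoked.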

In truth, implementing a solution that's robust enough to offer scaled access, monitoring, and identity controls is hard. The technology exists, but putting it to work isn't as simple as installing a box and pushing a configuration file.
