Anthem: How does a breach like this happen?

It's not as difficult as you'd think

Page 3 of 3

So why target Anthem? If Anthem were a bank, the quote attributed to Willie Sutton would be a perfect fit. Allegedly, when asked why he robbed banks, Sutton said "because that's where the money is..."

Thus, Anthem was targeted because the attacker(s) wanted information, and Anthem has millions of records at their disposal; they went where the data was. Perhaps there's more to it than that, but if not, the fact the data was there is all the reason the attacker(s) needed.

"Healthcare providers [and insurers] hold verified personal information that can tell thieves almost anything they need to know about a person, including where they live, their phone number and email addresses and also their social security details. All of this data, in the wrong hands, can be sold on for profit, used to conduct Medicare fraud or indeed complete identity theft," said Trent Telford, the CEO of Covata, in a recent statement.

The Anthem breach, based on the information Anthem has disclosed to the public, doesn't look to be as sophisticated as advertised. The root cause was most likely phishing, which would render many of their technical controls useless once the attacker(s) had root-level access to the network and database.

Often, phishing doesn't require the use of zero-day vulnerabilities or known exploits; all that's required is a person who's willing to do exactly as they're told.

So who was it that attacked Anthem? At this stage, it doesn't matter. All that matters is fixing the network and getting back to business as soon as possible.

When it comes to data breaches, there is so much focus on "who" that the "how" isn't completely addressed, resulting in repeat attacks. Anthem took steps to address "how" and said that passwords were changed immediately, and the data warehouse was secured. It's a start, but there's a long way to go.

Attribution is often wrong during a breach investigation, and speculation only makes the incident harder to address. Soon after Anthem announced the breach, several media outlets reported that China was to blame. The source of those claims was anonymous people familiar with the investigation; allegedly they worked with FireEye (Mandiant).

FireEye denied these claims as soon as possible, but by the time their statement hit the media, the rumors had spread. Many of those reporting the claims have yet to retract them and update their stories.

"I would like to change the rhetorical argument then from caring about the who so much and more about the how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this exfiltration of data in the first place," security expert Scot Terban wrote, in a recent blog on the question of attribution.

"The problems with many corporations stem from a lack of security awareness as well as presence within the org to instill secure practices like patch management and employee awareness on what a phish looks like and how to detect them."
