Reading Steve Ragan's write-up on the recent Community Health Systems breach in CSO Online took me back to my May 1, 2014 blog post, Heartbleed from the Inside, which included this cautionary note:
"It's only a matter of time – actually, it's probably already happening – before we see targeted attacks that utilize Heartbleed as one of the weapons in the attackers' arsenal to acquire key account credentials and use those credentials to get to the crown jewels."
From the reports available at this point in time, Heartbleed was exploited against an unpatched Juniper device soon after the vulnerability was widely publicized in the technical community.
It would be easy to lament the woeful underfunding of the OpenSSL open-source effort, the pace at which patches for highly publicized vulnerabilities are created and distributed, or the speed with which such patches are deployed. But the existence of vulnerabilities in software is an unfortunate fact of life that won't go away anytime soon. And most vulnerabilities are not as well publicized as Heartbleed and often don't generate such a concerted effort to patch systems before a cyber attack exploits them.
While the use of Heartbleed in this cyber attack makes for a great story line, the elements of the attack that came after this initial security exploit echo those seen in many of the publicized attacks of the recent past, with the Target breach serving as the archetype. In a blog post on the CHS breach on TrustSec's website, there is a statement to the effect that given internal access to any computer network, there is virtually a 100% success rate in breaking into systems. The implication is that the break-in not only succeeds, but also that it remains undetected.
While I agree that many companies are similarly vulnerable, this is not something we should accept as a necessary status quo. A Heartbleed brute-force attack is quite unusual in terms of the network pattern it represents and can be recognized by the right analytic tools, and beyond that, the attackers of CHS – and Target – had to do more than just get their hands on some privileged account credentials. They still had to perform the reconnaissance needed to find the crown jewels, they had to siphon off information from those crown jewels in ways that would have looked unusual compared to normal access patterns, and they had to send large amounts of information out of the company's network in ways that would have been out of the ordinary.
All of these steps in the cyber attack represented tangible opportunities to detect anomalies that signalled significant network security risk. This was not a hit-and-run incident, but rather a long con. Once all the information about this attack is revealed, we will find that the various steps and missteps by the attackers occurred over several weeks or several months.
We can and must do better to equip ourselves with automated tools that hunt out both specific attack patterns and significant anomalies, and stitch them together into a narrative arc that helps InfoSec teams catch up with and get out ahead of the attacks before a three-letter agency calls to say it found a trove of your data in Kazakhstan.
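As an added illustration of that idea (example code written for this post, not a product or tool mentioned in it), the script below runs two simple detectors over constructed telemetry records and stitches their hits into a time-ordered narrative: one flags a source issuing a burst of TLS heartbeat requests, which no legitimate client needs, and the other flags a host whose daily outbound volume is far above its own history. The record layout, the thresholds (30 heartbeats per minute, a z-score of 3) and all hosts and values are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (day, src, kind, count_or_bytes). Not real telemetry.
# kind "hb" = TLS heartbeat requests from src to the TLS-terminating device in one minute;
# kind "egress" = bytes src sent to external hosts that day.
BASELINE = [(d, "10.0.1.5", "egress", 45_000 + 2_000 * (d % 3)) for d in range(1, 15)]
BASELINE += [(d, "10.0.2.7", "egress", 60_000 + 1_500 * (d % 4)) for d in range(1, 15)]
SAMPLE = BASELINE + [
    (3, "203.0.113.4", "hb", 240),        # one minute of repeated heartbeat requests
    (3, "10.0.1.5", "hb", 1),             # a single heartbeat is an ordinary keepalive
    (15, "10.0.2.7", "egress", 900_000),  # far above that host's 14-day norm
]


def heartbeat_bursts(records, per_minute=30):
    """Flag (day, src) pairs that issue far more TLS heartbeat requests than a client needs."""
    return {(d, s) for d, s, k, n in records if k == "hb" and n >= per_minute}


def egress_anomalies(records, z=3.0, min_days=7):
    """Flag (day, src) whose outbound bytes sit z standard deviations above its own history."""
    history = defaultdict(list)
    flagged = set()
    # Sorted by day so each host is judged only against days that came before it.
    for d, s, k, n in sorted(r for r in records if r[2] == "egress"):
        if len(history[s]) >= min_days:
            mu, sd = mean(history[s]), pstdev(history[s])
            if sd > 0 and (n - mu) / sd > z:
                flagged.add((d, s))
        history[s].append(n)
    return flagged


def narrative(records):
    """Stitch the individual alerts into one sequence an analyst can read end to end."""
    steps = [(d, "heartbeat burst", s) for d, s in heartbeat_bursts(records)]
    steps += [(d, "egress spike", s) for d, s in egress_anomalies(records)]
    return sorted(steps)


if __name__ == "__main__":
    for day, what, host in narrative(SAMPLE):
        print(f"day {day:>2}: {what:<16} {host}")
```

On the constructed data the heartbeat burst on day 3 and the egress spike on day 15 appear as consecutive steps of one story rather than two unrelated alerts.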