The Internet has dramatically increased the speed of commerce across the globe. Today, the interconnectedness of various businesses facilitates just-in-time manufacturing, replenishes store inventories automatically and allows groups of companies to act as if they were a larger, vertically integrated business.
Every business now has a connected ecosystem of partners; even the Department of Defense has a chain of suppliers connected by Internet access. Unfortunately, not all of these businesses are at the same level of sophistication when it comes to their security posture. The Target, Home Depot and Goodwill data breaches are prime examples of what can go wrong when no formal program exists to vet partners and to continuously monitor abnormal access made with legitimate credentials by an attacker looking to steal valuable information.
As has been widely reported, the Target data breach started with VPN access from a service supplier company that had been compromised by an attacker. In this case, the attacker had obtained valid credentials that allowed use of the VPN to reach Target's systems, switch identities, discover access to point of sale (POS) systems and put malware in a position to siphon off millions of credit card records.
It has also been widely reported that there were alerts from security systems that indicated the start of command and control in the Target environment. These were not acted on because they were not seen as part of the attack chain of events at the time.
The Home Depot data breach started in a similar fashion with access via a third-party supplier. It is also believed the Goodwill breach started when its hosted credit card services provider, C&K, was informed by an independent security analyst that its “hosted managed services environment may have experienced unauthorized access.”
Most of the focus of the press has been on the malware that was used to harvest credit card information from the retailers, but little focus has been placed on the fact that at some point the attackers obtained and used valid credentials to gain access to systems, allowing them to execute each phase of an attack chain. Humans are prone to mistakes, and it only takes one employee to fall for a phishing attack to give hackers a foothold on the network.
Once inside, it’s easy for hackers to plant malware that travels across connected systems, departments and businesses, leading them directly to sensitive information. With tens of thousands of malware variants created every day, and attackers able to test their malware against services like VirusTotal before use, counting on antivirus vendors for detection is a futile approach to the problem.
When we view the headlines that a company has experienced a major data breach, it’s easy to understand the massive costs to the company. Eradicating malware, training company employees, hiring additional security staff, changing business processes and any monetary penalties from regulatory agencies all add to the cost of a data breach. What’s not discussed is that we all pay as consumers when companies raise the price of their goods and services. Not only that, but when credit card fraud is perpetrated on businesses and banks, identity theft costs us our credit reputations.
Supply chain and service provider vendors need to consider the expanding attack surface. For example, any third-party access to business systems by persons with credentials, as well as automated access through service accounts, should be monitored and carefully scrutinized. The question of whether this access with legitimate credentials was initiated by a friend or foe begs for an answer.
Just about every service provider, retailer and transportation company, as well as numerous parts of the federal government, rely on the Internet to provide faster and more cost-efficient services to customers and citizens. Monitoring unusual VPN usage and other access from supply chain partners and service providers (and their use of highly privileged access) is a must for businesses. Direct detection of particular kinds of access after a VPN has been established, coupled with credential behavior monitoring, can provide the user behavior intelligence needed to answer the friend or foe question and mitigate the amount of damage. User behavior intelligence is the missing piece of a comprehensive approach to stopping large data breaches that includes user security awareness and better security processes.
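As an added illustration of the partner-credential monitoring described above (this is not code from the original article): a small detector that checks a third-party vendor account's VPN logins, host access and identity switches against a per-account baseline, so that access by a switched-to identity is still judged against the vendor that opened the VPN session. The log format, account names, hostnames and baseline are constructed assumptions; a real deployment would derive the baseline from weeks of observed partner activity.

```python
import re
from datetime import datetime

# Constructed sample events: a vendor account that normally touches only the
# billing portal during business hours opens a VPN session at night, moves to
# a POS host and switches identity to a privileged service account.
SAMPLE_LOG = """\
2014-11-15T09:02:11 vpn_login user=hvac-vendor src=203.0.113.10
2014-11-15T09:05:40 access user=hvac-vendor host=billing-portal
2014-11-16T02:14:03 vpn_login user=hvac-vendor src=198.51.100.7
2014-11-16T02:16:50 access user=hvac-vendor host=pos-server-12
2014-11-16T02:18:20 identity_switch user=hvac-vendor new_user=svc-pos-admin
2014-11-16T02:20:01 access user=svc-pos-admin host=pos-server-12
"""

# Constructed per-account baseline: hosts the partner legitimately needs and
# the local hours (24h clock) during which its staff normally work.
BASELINE = {
    "hvac-vendor": {"hosts": {"billing-portal"}, "hours": (7, 19)},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse_line(line):
    """Return (timestamp, event_type, fields dict) for one log line."""
    ts, kind, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), kind, fields

def detect_anomalies(log_text, baseline):
    """Flag partner-credential activity that deviates from its baseline."""
    alerts = []
    origin = {}  # effective identity -> vendor account that opened the session
    for line in log_text.splitlines():
        ts, kind, f = parse_line(line)
        user = f["user"]
        owner = origin.get(user, user)
        profile = baseline.get(owner)
        if profile is None:
            continue  # not a monitored third-party account
        lo, hi = profile["hours"]
        if kind == "vpn_login" and not lo <= ts.hour < hi:
            alerts.append(f"{ts}: off-hours VPN login by {user} from {f['src']}")
        elif kind == "access" and f["host"] not in profile["hosts"]:
            alerts.append(f"{ts}: {user} (vendor {owner}) reached non-baseline host {f['host']}")
        elif kind == "identity_switch":
            origin[f["new_user"]] = owner  # keep attributing activity to the vendor
            alerts.append(f"{ts}: {user} switched identity to {f['new_user']}")
    return alerts
```

Run against the sample, the detector raises four alerts: the 02:14 VPN login, the two reaches to pos-server-12 (one under the switched identity) and the identity switch itself, which together form the chain the article describes.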