Verizon Data Breach Report

Verizon has released its first Verizon Data Breach Digest (DBD), an inside – and significantly condensed – look at the cyber investigations which comprise the Data Breach Investigations Report (DBIR), published annually by Verizon Enterprise Solutions. The layout of the digest provides a look into cyber investigations, including the casework and how each investigation works. I recommend that you, as a security professional, take the time to read through this enlightening report.

What are the commonalities in the breaches covered in the DBD? What can we learn? BeyondTrust looked at all 18 stories which comprise the DBD and has outlined, in a few cases, how solutions could have mitigated the severity of these breaches, if not avoided them completely. Over the course of the next few days we will look at a few of the most interesting stories. Today we’ll focus on the role of least privilege and application control in combating social engineering.

Social engineering – the Hyper Click (pages 10-14 in the DBD)

What Happened

A chief design engineer was contacted by a “recruiter” via LinkedIn. The recruiter sent employee position listings in an attached document. The document contained a small piece of malware, which deployed onto host systems and established a connection to a command and control (C2) server overseas. This was a targeted, state-sponsored attack that involved social engineering and malware. The actors knew whom to target to get the data they wanted, and even encrypted the data prior to exfiltration to avoid detection by DLP solutions. Normal monitoring would see no real suspicious behavior, as the chief design engineer had legitimate access to all of this content.

Recommendations
  • Training on social engineering
  • Defining how data can be transferred
  • Deploying dedicated systems to perform engineering work without email or web access
Lesson Learned

Security controls can be enhanced with strong, mutual authentication combined with robust identity and access management programs.

Financial Pretexting – the Slick Willie (pages 15-17 in the DBD)

What Happened

An unknown threat actor attempted to initiate wire transfers of $5.3 million from a bank. The bank did not discover the attack itself and was only made aware of it when notified by the Feds after the transfers were denied. During the investigation the bank learned that its finance manager had requested the wire transfers over a 24-hour period. Upon interviewing the finance manager, the bank learned that she was unaware of the transfers; however, she stated that her computer had been acting funny and doing things on its own. Earlier that month she recalled an email from the CIO praising her, which contained a hyperlink. She did not recall working with the CIO, but appreciated the gesture since it came from the bank CIO. The CIO did not send the email. Her computer had been infected the day the email was received with malware that had not only the credential-stealing and data-scraping capabilities of a standard infection, but also full remote access and control of the affected system.

Recommendations
  • Training on social engineering
  • Leveraging multi-factor authentication to control access to financial systems
Lessons Learned

Social engineering attacks put people in a frame of mind in which they do what you are asking.

How BeyondTrust could help mitigate the effects of social engineering

PowerBroker for Windows, a least privilege and application control solution, removes administrative rights from end user accounts and uses policy to dictate which applications can run with higher privileges. Operating under a least privilege model with application control would limit the scope of attacks such as these. Consider the evidence:
  • In 2015, 85% of vulnerabilities on Windows could have been mitigated by removing admin rights. Almost every vulnerability that would have resulted from users surfing the web with Internet Explorer – 99.5% – could be mitigated by not running as an administrator.
  • 12% of attacks are thwarted by not allowing unknown software to run from a user’s profile or anywhere else.
  • The remainder of attacks are thwarted by restricting trusted software – software that has been specifically allowed but has known vulnerabilities – from running.
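As an added illustration (not code from the DBD or from BeyondTrust’s product), the following Python sketch models how the three controls listed above combine into a single per-launch decision; the path prefixes, publishers, products and vulnerable versions are constructed sample policy, and the dropper launch is modelled on the Hyper Click scenario.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy for this example (not a real PowerBroker policy format).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\")      # standard users can write here
TRUSTED_PUBLISHERS = {"Contoso Corp", "Microsoft Corporation"}
ELEVATION_ALLOWED = {"Contoso Admin Console"}               # products policy may elevate
KNOWN_VULNERABLE = {("Contoso Reader", "11.0.0")}           # (product, version) with known CVEs

@dataclass(frozen=True)
class Launch:
    path: str
    product: str
    version: str
    publisher: Optional[str]        # code-signing publisher, None if unsigned
    requests_admin: bool = False

def decide(launch: Launch) -> str:
    """Return one of 'deny', 'restrict', 'elevate' or 'standard' for a launch request."""
    path = launch.path.lower()
    from_user_writable = path.startswith(USER_WRITABLE_PREFIXES)
    trusted = launch.publisher in TRUSTED_PUBLISHERS
    # Application control: unknown (untrusted) software started from a user-writable
    # location, e.g. a dropper written to the profile by a malicious attachment, is blocked.
    if from_user_writable and not trusted:
        return "deny"
    # Vulnerability-aware policy: trusted but known-vulnerable software may run only
    # with reduced privileges (alert or quarantine would be alternative policy actions).
    if (launch.product, launch.version) in KNOWN_VULNERABLE:
        return "restrict"
    # Least privilege: admin rights are granted per application by policy, never to the user.
    if launch.requests_admin and trusted and launch.product in ELEVATION_ALLOWED:
        return "elevate"
    return "standard"

# Constructed launch requests
DROPPER = Launch(r"C:\Users\engineer\AppData\Local\Temp\positions.exe",
                 "positions", "1.0", publisher=None, requests_admin=True)
READER = Launch(r"C:\Program Files\Contoso\reader.exe", "Contoso Reader", "11.0.0",
                publisher="Contoso Corp")
CONSOLE = Launch(r"C:\Program Files\Contoso\admin.exe", "Contoso Admin Console", "2.1",
                 publisher="Contoso Corp", requests_admin=True)

if __name__ == "__main__":
    for app in (DROPPER, READER, CONSOLE):
        print(f"{app.product}: {decide(app)}")
```

Note that the unsigned dropper is denied before its request for admin rights is even considered, and an untrusted program outside the profile that asks for admin simply runs as a standard user.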
BeyondTrust can help not only by enforcing least privilege, but by leveraging patented technology to automatically scan applications for vulnerabilities at run time – triggering alerts, enforcing quarantine, reducing application privileges, or preventing launch altogether based on policy.

Watch for more blogs coming in this series in the next few days. In the meantime, if you’re combatting social engineering and want to know how least privilege can help, contact us today!