A Review of the Nine Worst U.S. Data Breaches Reveals the One Common Element that Led to Disaster
In this blog article, we reviewed nine of the most notorious U.S. data breaches with the details now available. It revealed one common element that led to the extensive damages being as large as they were: the attacks were not detected while active on the internal networks. In this blog, we review each data breach and the circumstances that led to the data devastation and describe how a new approach can improve network visibility, allowing faster incident response and the ability to quickly stop attacks.
Before we get started with the data breach review, let’s take a moment to discuss what we mean by an internal network. It’s easy to think of a network as only what’s inside your premises, what’s onsite, and in your immediate control.
However, in today’s business environment, it’s not that simple. Organizations rely on a mix of different technologies that extend beyond what’s on-premises, like instances within the public cloud and off-site hosted data centers.
In addition, within your internal network, there’s the extra consideration of new intra-VM-to-VM and container connections that create high volumes of lateral east-west flows as well as data flows that travel in and out through firewalls to the Internet. So, getting a handle on all the east-west traffic patterns to understand what’s happening inside a hybrid and expansive internal network has become a difficult, and unfortunately, an often overlooked challenge to solve.
Why is this? Unfortunately, most of the well-used security tools focus on north-south data and perimeter protection, even though only 20% of threats are discovered in this way. That means that many, many more threats successfully get inside the network and often go undetected, thus demonstrating the importance of true internal network visibility.
The Equifax Breach
With that in mind, let’s start with one of the most damaging data breaches. In August of 2017, Equifax suffered a series of website hacks that gave intruders access into the network to ultimately get access to the personal information of more than 143 million Equifax customers.
The company failed to patch an Apache Struts website vulnerability, which the hackers exploited and used as the access point in August 2017. They jumped from the initial web server across the internal network and were eventually able to get access to all of the collected customer data, and then exfiltrate it over several months—all undetected.
The Equifax example highlights an important lesson here: The industry assumption to date is that you will find and fix every vulnerability before any hacker will, and do so flawlessly. Equifax had invested heavily in tools, people, and processes; however, these efforts were not focused on monitoring the internal network to find threats one they got in or identify the resulting data exfiltration. This data breach had a number of significant consequences for Equifax beyond the expected consumers’ loss of confidence and a tarnished reputation: a $700M fine, and even an official downgrade from Moody’s.
Unfortunately, Equifax is not alone as many of the most infamous breaches were the result of missed threats on internal networks, which allowed hackers to access and then exfiltrate massive amounts of data over long periods of time, undetected.
How was this possible? According to Forrester Research, up to 90% of today’s cybersecurity budgets are still spent on perimeter measures—north-south traffic—yet only 20% of network threats are discovered this way. The remaining 80% of threats appear on organizations’ internal networks, missed entirely, or found too late to prevent massive data loss.
Our assertion is that with better internal network visibility—monitoring and an ability to control specific east-west traffic conversations in addition to perimeter activity—breaches like Equifax can be minimized, or even completely avoided.
Additional High-Profile Breaches
Consider these other high-profile data breach events that might have had different outcomes with a better solution.
- Target: The retailer failed to segregate payment card data from the rest of its network, giving hackers unfettered lateral access unseen across the internal network to access extremely sensitive data.
- Anthem: The health insurance giant was the victim of a sophisticated phishing attack that used links to malicious websites disguised as internal services. The malware infiltrated user accounts and used them as a gateway into the internal network to find, access, and then exfiltrate information from the corporate data warehouse.
- Capital One: In the grand scheme of things, the Capital One data breach was small in scope, compromising approximately 150,000 social security numbers and 80,000 bank accounts. But a well-protected cloud could not prevent the insider hacker from accessing a misconfigured firewall and using that as a means to navigate behind it, gain unnoticed access, and then make off with consumer PII completely undetected.
- Marriott: While much remains unknown about the recent data breach, Marriott said that it involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014. The hackers apparently gained access to the internal network and eventually used administrative privileges to get access to the database, encrypt the data and then exfiltrate it over the internal network—all without being detected for nearly four years.
- Home Depot: The world’s largest home improvement retailer announced that it had suffered a data breach that affected up to 56 million customers’ credit and debit cards. All of this was the result of an attack where hackers were able to access rights to Home Depot’s network. From there, they were able to spread and deploy targeted malware that, once it landed on POS systems, was used to collect payment information at checkout lanes. Home Depot later agreed to pay a $27.25M fine and continues to face ongoing lawsuits from the credit card companies and banks.
- JPMorgan Chase: In 2014, JPMorgan Chase was the victim of a cyber attack that compromised data associated with 83 million accounts—a total of 76 million households (approximately two out of every three households in the country). Worse, while this cyber attack was originally discovered in July 2014, it wasn’t fully understood in scope and intent—due in part to being hampered by a lack of internal network visibility. This led to the attack not being completely halted until September 2014, giving hackers an enormous amount of time inside the network to find and exfiltrate valuable data and PII assets.
- Citrix: Cloud computing giant Citrix also felt the pain when it was hit for an estimated six to ten terabytes of confidential internal information, eventually detected by outside sources in March 2019. This was apparently an Iranian state-sponsored attack that gained access to Citrix’s internal network and exfiltrated data for years without being detected. This successful attack is suspected to be the result of “password spraying,” a technique used to exploit weak passwords. This data breach was especially alarming since Citrix provides cloud services to the U.S. military and is one of the Department of Defense’s approved vendors.
- Anthem: A phishing email opened by an Anthem employee in 2014 led to the download of malware that allowed sophistaked hackers to gain control of the specific device. From there, the malware jumped to at least 90 other systems over the internal network, and eventually gained access to a patient data warehouse system where 80 million PHI records were exposed. It took more than one year for the attack to be detected, again in part due to lack of internal network visibility.
Gain missing internal network visibility needed for effective Incident Response
As we’ve shown with just a few examples, to be truly effective at finding, verifying, and stopping cyber attacks requires complete visibility into all your network traffic—north-south and east-west. Yet as we’ve illustrated, this is not an easy feat given the east-west communication paths used by public cloud, datacenter, and on-premises data and application stores.
But given the weighty investment that organizations have already made, any solution to this problem should easily fit with your existing security processes and strategic tools.
Our ARIA Software-defined Security (SDS) was designed to monitor the internal network threat surface, an ever expanding attack surface, allowing quick detection and a means to stop attacks. Our solution also provides a simple means to extend your existing SOC processes while leveraging the tools you have with transparent integrations to SIEMs and IDS/IPS.
The ARIA solution has fully open APIs allowing it to be controlled through scripts or plays within SOARs. This provides organizations with the ability to orchestrate and automate the security and protection of high-value assets across the entire enterprise. With the ARIA enhanced network visibility for east-west and north-south network traffic provides better, more complete insights into your network, allowing you to find and stop threats that are normally missed in minutes before significant harm is done.
With ARIA SDS, organizations gain a clear advantage in cyberattack preparedness. Our solution gives you all you need to:
- Provide complete network visibility (up to 80% greater threat-surface coverage).
- Find and stop missed network born attacks early in the kill chain
- Detect and stop network-borne exfiltrations
- Verify data breaches including exact records exposed
- Stop threats at the conversation level - leaving legitimate communications intact.
- Protect IoT devices transparently from the network
Learn why ARIA SDS has become critical to mitigating potential threats in fluid east-west communication paths.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate data breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.