In late 2014, Sony Pictures Entertainment was hacked in a combined assault against its corporate networks. Apart from harvesting data from databases and company servers containing intellectual property, the attackers successfully disabled the corporate Exchange server and a large portion of the computers in the network. Full-length movies, screenplay drafts, and executive correspondence were all part of a massive dump published by the hackers later that month. Although Sony sustained its fair share of financial and reputational damage, the direct damage caused by the “Wiper” malware unleashed in the network, along with leaks of files containing manual-like descriptions of its entire IT operation, has had a long-lasting effect on Sony.
Late last night, several researchers began confirming that a “dump” containing 10 GB of compressed data does in fact hold the personal records of millions of distinct Ashley Madison users. In later reports, researchers and bloggers have indicated that the dump also contains keys to a Windows domain that could potentially be used to authenticate into internal networks linked with Ashley Madison. This is obviously even more bad news for a company that will likely be struggling to rebuild itself after this dramatic security incident.
A significant part of post-breach remediation is devoted to ensuring that no compromised entities (users and machines alike) remain that could further compromise the network. This requires action on both the human and the technical side, and requires employees’ full commitment and attention. When a company’s data breach includes a potential compromise of IT integrity, this task demands an even larger share of corporate attention and potentially even a mass clean-up operation to ensure no exposed credentials are still in use. All in all, this is only one of several post-breach concerns, but one that, with careful planning and implementation, can be resolved rapidly.
Both hacks mentioned (and more accurately, both hack dumps) demonstrate the true significance of user behavior for threat detection and mitigation. An attacker’s reliance on authorized insider user credentials, and later on elevated network privileges, is both a weakness and a flaw in the attack “Kill Chain.” Where user access isn’t monitored and regulated, unsupervised anomalous user access events will go undetected for months. Using Fortscale User Behavior Analytics, security analysts gain the visibility they need into user activity across their network. From an attacker’s point of view, this means getting in may not be a problem, but staying in, and accessing prized sensitive resources without being detected, is nearly impossible.
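To make the two defensive points above concrete (the credential clean-up in the remediation paragraph and the anomalous-access monitoring in the last one), here is an added example, not Fortscale’s product or code, that builds a per-user baseline of the hosts each account normally logs on to from a training window of constructed authentication log lines, then flags later events that use a new host, fall outside working hours, change group membership, or belong to an account known to appear in a breach dump. The log format, the field names, the `EXPOSED_ACCOUNTS` list and the working-hour window are all assumptions for this example.

```python
"""Toy user-behaviour baseline over authentication events.

Added example (not Fortscale's code). Builds a per-user baseline of hosts
from a training window of constructed log lines, then flags later events
that deviate from it or that use an account known to be in a breach dump.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <host> <event>"
BASELINE_LOG = """\
2015-08-03T09:12:00 alice ws-fin-01 logon
2015-08-04T08:55:00 alice ws-fin-01 logon
2015-08-05T17:40:00 alice ws-fin-01 logon
2015-08-03T10:05:00 bob ws-eng-07 logon
2015-08-04T11:20:00 bob ws-eng-07 logon
2015-08-05T09:30:00 bob build-01 logon
2015-08-05T12:00:00 svc-backup fs-01 logon
"""

# Constructed events from a later window, to be checked against the baseline.
RECENT_LOG = """\
2015-08-18T09:10:00 alice ws-fin-01 logon
2015-08-18T02:47:00 alice dc-01 logon
2015-08-18T02:49:00 alice dc-01 group_add:Domain Admins
2015-08-18T10:15:00 bob ws-eng-07 logon
2015-08-18T10:16:00 bob build-01 logon
2015-08-18T11:00:00 svc-backup fs-01 logon
"""

# Assumed: account names found in a leaked dump and scheduled for reset.
EXPOSED_ACCOUNTS = {"svc-backup"}

# Assumed working-hour window: hour >= 7 and < 20.
WORK_START, WORK_END = 7, 20


def parse(log):
    """Turn log text into (timestamp, user, host, event) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, host, event))
    return events


def build_baseline(events):
    """Per user: the set of hosts that account logged on to during training."""
    hosts = defaultdict(set)
    for _ts, user, host, event in events:
        if event == "logon":
            hosts[user].add(host)
    return hosts


def detect(baseline, events):
    """Return alerts as (timestamp, user, host, event, reasons) tuples."""
    alerts = []
    for ts, user, host, event in events:
        reasons = []
        if host not in baseline.get(user, set()):
            reasons.append("new host")
        if not (WORK_START <= ts.hour < WORK_END):
            reasons.append("off hours")
        if event.startswith("group_add:"):
            reasons.append("privilege change")
        if user in EXPOSED_ACCOUNTS:
            reasons.append("exposed credential")
        if reasons:
            alerts.append((ts.isoformat(), user, host, event, reasons))
    return alerts


def run():
    """Build the baseline from the training window and score the recent window."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(RECENT_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data, alice’s normal daytime logon to her own workstation produces nothing, while her 02:47 logon to a domain controller and the group change two minutes later are both flagged, and the service account’s otherwise ordinary logon is flagged only because it is on the exposed list. A real deployment would replace the host-set baseline with richer per-user features and thresholds, but the shape is the same: learn what is normal per account, then alert on deviation and on known-bad credentials until the clean-up is complete.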