Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser-known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for May 2019 is… the customer account breach at Fast Retailing.
On May 13, Fast Retailing, the owner of several major Japanese clothing retailers including Uniqlo and GU, announced that 460,000 customer accounts for their online stores were accessed through unauthorized logins. The customer information that was potentially accessed includes: names, addresses, phone numbers, email addresses, genders, dates of birth, purchase history, and partial credit card information—only the first and last four digits of each card.
The breach occurred between late April and early May. It was brought to Fast Retailing’s attention when customers reported receiving unsolicited emails. Their security team investigated, confirmed the unauthorized access, identified the origin of the access attempts, and blocked it. They also reported in their public notice that they increased monitoring of other access points, disabled passwords for compromised accounts, and notified affected users.
How Did it Happen?
The breach is thought to have been achieved by credential stuffing, or “list type account hacking”, as it is referred to in Fast Retailing’s public notice. Therefore, the logins that were used had likely been exposed in other data breaches and purchased by the attackers.
Credential stuffing is an extremely common type of cyber attack, because it is one of the cheapest and easiest ways to access private data. The entire process can even be automated by hackers. In 2018, there were more than 100 million credential stuffing attempts per day, with retailers presenting a popular target.
How to Minimize the Risk of this Type of Breach
For users looking to protect themselves against being compromised by credential stuffing, the answers are unlikely to be new to anyone: use strong, unique passwords for all accounts, use multi-factor authentication whenever possible, and check your email addresses against the Have I Been Pwned database of major breaches.
There are also precautions organizations can take to protect their user accounts from credential stuffing, such as using CAPTCHAs, device fingerprinting to prevent suspicious logins, and disallowing the use of email addresses as user names, which reduces the chance that a user’s login information will be the same on multiple sites.
From our perspective at D3, we’re interested in helping organizations make rapid correlations to detect and disrupt ongoing security incidents. Because the pattern of events that marks a credential stuffing attack is relatively subtle—a seemingly innocuous series of user logins—security tools need to be capable of advanced correlation to detect the threat. This is why D3’s ATTACKBOT is so effective. ATTACKBOT places events in the context of a cyber kill chain—the steps that an adversary is likely to take towards their goal—and correlates events and IOCs to find other traces of the attack.
So in the case of a credential stuffing attack, if a single suspicious login was detected by a security tool and ingested into D3, ATTACKBOT could identify the potential use of credential stuffing and test that hypothesis by searching for other indicators of that technique. D3 could then extract the source IP address of the unauthorized login, quickly find all other events that involve that IP, and confirm the scope of the attack. Using D3’s orchestration capabilities, the user could then trigger a command to the firewall to blacklist that IP.
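The pivot described above, as an added sketch that is not D3's or ATTACKBOT's code: starting from one suspicious login, it collects every event from that source IP, checks whether the pattern looks like credential stuffing, and lists the accounts that logged in successfully. The event layout, thresholds and function names are assumptions for illustration, and the log data is constructed.

```python
# Constructed sample login events: (timestamp, source IP, account, outcome).
# IPs come from documentation ranges; accounts are made up.
EVENTS = [
    ("2019-05-01T10:00:%02d" % i, "203.0.113.7", "user%02d@example.com" % i,
     "success" if i in (4, 9) else "fail")
    for i in range(1, 11)
]
EVENTS += [
    # The legitimate owner of user04 mistyping a password once from another IP.
    ("2019-05-01T10:01:00", "198.51.100.20", "user04@example.com", "success"),
    ("2019-05-01T10:02:00", "198.51.100.20", "user04@example.com", "fail"),
    ("2019-05-01T10:02:05", "198.51.100.20", "user04@example.com", "success"),
]


def pivot_on_ip(events, source_ip):
    """Return every login event that shares the suspicious login's source IP."""
    return [e for e in events if e[1] == source_ip]


def assess_scope(events, source_ip, min_accounts=5, min_fail_ratio=0.8):
    """Test the credential stuffing hypothesis for one IP and size the incident.

    Stuffing looks like one source trying many *different* accounts, mostly
    failing; a user retrying a password touches one account. The thresholds
    are assumed starting points and need tuning against real traffic
    (shared NAT or proxy addresses raise the distinct-account count).
    """
    hits = pivot_on_ip(events, source_ip)
    accounts = {e[2] for e in hits}
    failures = sum(1 for e in hits if e[3] == "fail")
    fail_ratio = failures / len(hits) if hits else 0.0
    stuffing = len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio
    successes = sorted({e[2] for e in hits if e[3] == "success"})
    return {
        "source_ip": source_ip,
        "events": len(hits),
        "distinct_accounts": len(accounts),
        "fail_ratio": fail_ratio,
        "likely_stuffing": stuffing,
        # Accounts the source actually got into: candidates for password reset.
        "accounts_to_reset": successes if stuffing else [],
    }


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20"):
        print(assess_scope(EVENTS, ip))
```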
To learn more about D3’s ATTACKBOT, check out our recent whitepaper on the feature.
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.