Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for April, 2019 is… the theft of personal information from FBI National Academy Associates.
In early April, a hacker group breached three websites belonging to chapters of FBI National Academy Associates, a non-profit education and training organization that is independent of the FBI itself. The hacker group, which is known but has not been named in media reports, posted the data for downloading on their website. The leaked data reportedly contains 4000 unique records, including personal information belonging to federal agents and law enforcement personnel, such as names, email addresses, job titles, phone numbers, and mailing addresses.
The FBINAA says that their national database was not affected; however, the hackers claim to have compromised more than 1000 government sites, and plan to sell the data.
How Did it Happen?
The FBINAA put out a press release noting that the same third-party software was used by all three chapters that were hacked, but stopped short of saying the software was definitely the entry point for the hackers. A member of the hacker group spoke to TechCrunch and said that the hacked sites had outdated plug-ins and that the group used public exploits to hack the sites.
How to Minimize the Risk of this Type of Breach
As with many breaches, this attack was successful because an organization did not keep its systems fully up to date. While it is easy to say that diligent patching and basic vulnerability management can protect against this type of attack, it is just as easy to overlook these processes without a strong internal program in place. This is especially true when the vulnerability comes from a third party, as it seems to have in this case.
An article about the FBINAA hack in Data Breach Today speculated that the attackers probably took advantage of a web application vulnerability and then moved laterally within the network to find databases. This suggests that there was a significant amount of time between the attackers gaining access to the network and exfiltrating the data. Organizations can lessen their vulnerability to this type of attack by reducing mean time to detection (MTTD). One way to achieve this is by connecting network security tools and other security systems so that data silos are eliminated and unusual network activity can be correlated against data from other systems in order to identify potential intruders. D3 SOAR serves this function in many SOCs, ingesting alerts from security tools, enriching them with contextual data, and flagging high-risk events.
Another valuable tool in combating multi-stage attacks is to filter security alerts through the framework of a kill chain, such as the MITRE ATT&CK matrix. The ATT&CK framework—like other variations of the cyber kill chain—lays out the steps that adversaries are likely to take on their way to an end goal. Uniquely, ATT&CK includes hundreds of techniques that adversaries use to accomplish those steps. By considering alerts as pieces of larger attacks, security teams can make correlations that would otherwise be missed. For example, a seemingly legitimate event (e.g. access to the FBINAA database) could be correctly flagged as potentially malicious because it fits in the kill chain of another recent alert (e.g. one generated by the initial hack).
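The two ideas above (correlating alerts from separate tools to shorten MTTD, and scoring each alert by where it sits in a kill chain) can be shown in a few dozen lines. The following is an added illustration written for this post; it is not D3 SOAR code or any product's logic. The tactic names are real ATT&CK enterprise tactics, but the alert-type-to-tactic mapping, the host names, the scoring weights and the sample alerts are all constructed for the example.

```python
"""Kill-chain alert correlation across tool silos (illustrative, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# A subset of ATT&CK enterprise tactics in the order they usually appear in an intrusion.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Hypothetical mapping from each tool's alert type to the tactic it evidences.
ALERT_TO_TACTIC = {
    "waf.public_exploit_attempt": "initial-access",
    "edr.webshell_created": "persistence",
    "netflow.internal_scan": "discovery",
    "db.new_client_login": "collection",          # alone, this looks like normal use
    "proxy.large_outbound_transfer": "exfiltration",
}


@dataclass
class Alert:
    ts: datetime
    source: str       # tool that raised it; each tool is its own data silo
    alert_type: str
    host: str         # asset the activity was observed on or originated from
    severity: str     # what the originating tool thinks in isolation

    @property
    def tactic(self):
        return ALERT_TO_TACTIC.get(self.alert_type)


@dataclass
class Finding:
    alert: Alert
    related: list     # earlier alerts on the same host at earlier kill-chain stages
    score: int        # correlated risk, independent of the tool's own severity


def correlate(alerts, window=timedelta(hours=48)):
    """Score each alert by how many earlier kill-chain stages the same host has
    already shown inside the window, and by how many different tools saw them."""
    by_host = {}
    findings = []
    for a in sorted(alerts, key=lambda x: x.ts):
        history = by_host.setdefault(a.host, [])
        history[:] = [h for h in history if a.ts - h.ts <= window]   # drop stale alerts
        prior = [h for h in history
                 if h.tactic and a.tactic and TACTIC_RANK[h.tactic] < TACTIC_RANK[a.tactic]]
        depth = len({h.tactic for h in prior})            # distinct earlier stages seen
        sources = {h.source for h in prior} | {a.source}  # silos joined by this chain
        score = depth * 10 + (len(sources) - 1) * 5
        findings.append(Finding(a, prior, score))
        history.append(a)
    return findings


def high_risk(findings, threshold=20):
    """Alerts worth an analyst's attention regardless of their original severity."""
    return [f for f in findings if f.score >= threshold]


# Constructed sample: one web host shows a full chain; a second host shows only a login.
SAMPLE_ALERTS = [
    Alert(datetime(2019, 4, 1, 2, 10), "waf", "waf.public_exploit_attempt", "web-chapter1", "medium"),
    Alert(datetime(2019, 4, 1, 2, 12), "edr", "edr.webshell_created", "web-chapter1", "high"),
    Alert(datetime(2019, 4, 1, 3, 30), "netflow", "netflow.internal_scan", "web-chapter1", "low"),
    Alert(datetime(2019, 4, 1, 4, 5), "db-audit", "db.new_client_login", "web-chapter1", "info"),
    Alert(datetime(2019, 4, 1, 4, 40), "proxy", "proxy.large_outbound_transfer", "web-chapter1", "low"),
    Alert(datetime(2019, 4, 1, 9, 0), "db-audit", "db.new_client_login", "web-chapter2", "info"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_ALERTS):
        print(f"{f.alert.host:13} {f.alert.alert_type:32} tool={f.alert.severity:6} "
              f"score={f.score:3} chain={[h.tactic for h in f.related]}")
```

Run as a script, the output shows the point of the paragraph above: both "db.new_client_login" events carry the tool's own "info" severity, but the one on web-chapter1 scores 45 because three earlier stages from three other tools precede it on that host, while the isolated login on web-chapter2 scores 0. Raising only the correlated events to an analyst is what trims the time between initial access and detection.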
D3 has embedded the MITRE ATT&CK matrix into its SOAR platform, giving operators the ability to identify the adversary techniques used in any alert, search for traces of other steps in the kill chain, and uncover a complete picture of adversarial intent. To learn more about this process, check out our recent SOAR 2.0 whitepaper.
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.