Ah, another day, another massive breach of millions of consumer records - including names, addresses, social security numbers, and medical history.
Early indications are that the Premera attack is very similar to the attack against Anthem and was likely carried out by the same parties. In the Anthem breach, a technique known as domain spoofing (registering a lookalike domain) was used to bait employees into visiting we11point.com instead of wellpoint.com: the digit "1" stands in for the letter "l", so the misspelled domain "looks" like the real domain, or at least close enough that most people won't notice the difference. Threat analysis firm ThreatConnect reports that another domain, prennera.com, resolved to the same static IP address as we11point.com. In the case of prennera.com, the attackers replaced the "m" in Premera with two n's, which at a glance is hard to tell apart from a single "m". Let's take a closer look at how these types of attacks frequently play out.
- First, the attacker(s) register the spoofed domain, prennera.com. While registering, they use a privacy or proxy registration service that hides the identity of the registrant, so a simple whois lookup is a dead end for uncovering the criminals.
- Spear phishing emails are sent to employees of the organization. These emails are carefully crafted to look legitimate and personal. They may appear to come from a coworker, the HR department, or payroll. In any case, they bait the user into visiting the false domain.
- Once the employee(s) visit the domain, they log in with their Premera credentials.
- Premera credentials are then shipped over to the attacker.
- The employee is then logged into the actual site, none the wiser that they were ever at the spoofed site, which drastically reduces the chances that the attack is detected.
- At this point, the attacker has everything they need to gain access to the Premera network and begins exfiltrating data. This phase requires patience: exfiltrating large quantities of data all at once is far more likely to trip security alarms than dripping small amounts out over time. Since the initial attack was conducted with such stealth, time is a luxury the attackers have in this case.
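The lookalike domains in this story are easy to miss by eye but easy to enumerate by machine, which is how a defender catches step one before step eight. The following is an added example, not code from the original post or from Premera, Anthem or ThreatConnect: it generates confusable variants of the domains you own (the substitution table is illustrative and far from exhaustive) and flags them in DNS resolver log lines. The log lines are constructed for illustration, and `registrable()` assumes a two-label suffix like example.com.

```python
"""Detect lookalike (typosquatted) domains in DNS query logs.

Added example: generates single- and double-substitution confusables of
the domains you own and matches them against resolver log lines.
"""
import re

# Visually confusable substitutions in common sans-serif fonts.
# Assumption: illustrative, not exhaustive (real tables are much larger).
CONFUSABLES = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "m": ["rn", "nn"],
    "rn": ["m"],
    "w": ["vv"],
    "vv": ["w"],
    "e": ["3"],
    "s": ["5"],
}


def _single_substitutions(domain):
    """All domains reachable from `domain` by one confusable swap in the
    leftmost label (the registrable name); the TLD is left alone."""
    label, dot, tld = domain.partition(".")
    out = set()
    for key, subs in CONFUSABLES.items():
        pos = label.find(key)
        while pos != -1:
            for sub in subs:
                out.add(label[:pos] + sub + label[pos + len(key):] + dot + tld)
            pos = label.find(key, pos + 1)
    return out


def lookalike_variants(domain, max_subs=2):
    """Variants of `domain` with up to `max_subs` confusable swaps.
    Two swaps are needed for we11point.com (both l's become 1's)."""
    domain = domain.lower()
    seen = {domain}
    frontier = {domain}
    for _ in range(max_subs):
        new = set()
        for d in frontier:
            new |= _single_substitutions(d)
        new -= seen
        seen |= new
        frontier = new
    return seen - {domain}


# Constructed resolver log lines for illustration (not real Premera data).
LOG_LINES = [
    "2015-03-10T09:12:44Z client=10.20.30.41 query=mail.premera.com type=A",
    "2015-03-10T09:13:02Z client=10.20.30.41 query=prennera.com type=A",
    "2015-03-10T09:13:05Z client=10.20.30.58 query=www.we11point.com type=A",
    "2015-03-10T09:14:17Z client=10.20.30.41 query=premera.com type=A",
]

QUERY_RE = re.compile(r"query=(?P<name>[A-Za-z0-9.-]+)")


def registrable(name):
    """Reduce a hostname to its registrable domain. Assumption: a two-label
    suffix (example.com); use a public-suffix list for co.uk-style TLDs."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_lookalike_queries(log_lines, protected_domains, max_subs=2):
    """Return (queried_lookalike, spoofed_domain, log_line) for every query
    whose registrable domain is a confusable of a protected domain."""
    watch = {}
    for d in protected_domains:
        for v in lookalike_variants(d, max_subs):
            watch[v] = d.lower()
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        name = registrable(m.group("name"))
        if name in watch:
            hits.append((name, watch[name], line))
    return hits


if __name__ == "__main__":
    for lookalike, target, line in find_lookalike_queries(
            LOG_LINES, ["premera.com", "wellpoint.com"]):
        print(f"ALERT {lookalike} (looks like {target}): {line}")
```

The same variant list is worth feeding to a registration-monitoring feed: a lookalike that gets registered weeks before any employee resolves it is the earliest signal you will get, and whois privacy does nothing to hide the registration event itself.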
In this case, it took Premera 269 days from initial breach to discovery. That may sound like a long time, but according to security firm Mandiant the average time from breach to discovery is a staggering 205 days. Premera took longer, but its timeline isn't far outside what might happen in your organization.
Traditional security programs and technologies have focused on preventing attacks and breaches. Today's organizations must recognize that prevention is no longer effective on its own. Breach discovery capabilities, such as watching DNS and proxy logs for lookalike domains and baselining outbound data volumes so slow exfiltration stands out, must be put into place to shrink the window from initial breach to detection, so the organization can limit the damage when (not if) a breach occurs.