Capital One Data Breach – What should we learn from it

A few days ago, Capital One disclosed that an attacker had accessed the personal information of roughly 106 million credit card customers and applicants in the US and Canada, the latest in a series of massive data breaches at large companies.

Capital One Financial Corp., one of the nation’s largest credit card issuers, said that the information obtained by the attacker included hundreds of thousands of Social Security numbers and bank account numbers. The breach is therefore among the largest ever recorded at a major U.S. financial institution. Capital One estimates that responding to the incident will cost $100 million to $150 million in the short term. But, as usual, consumers are the true victims in the end.

Though the exact tactics used in this breach have yet to be fully disclosed, the court filings and the public analysis available in the security community describe the main steps the attacker took:

  • The hacker was a former Amazon Web Services (AWS) employee, and Capital One’s credit card data and related services were hosted on AWS; in other words, this was an attack carried out with insider knowledge of the hosting environment.
  • The hacker exploited a misconfigured web application firewall on a cloud-hosted server, obtained the credentials of a privileged role through it (a privilege escalation), and used those credentials to reach the systems holding the data.
  • The hacker used the Tor browser and a VPN to hide their tracks.
  • The hacker copied roughly 30 GB of data from cloud-hosted storage.
  • The hacker posted the stolen data on GitHub and talked about the intrusion openly on social media platforms.

This massive data breach has many hallmarks of a modern, sophisticated and targeted attack. It unfolded in distinct stages, and each stage left traces that could have been detected or blocked. It will be a classic textbook case for security researchers and policy makers to learn from and to drive policy changes.

Here are some of the areas we can learn from this incident:

Network perimeter defense has become less effective.

Attackers using vulnerability exploitation, phishing and similar tools can readily get past the detection and prevention controls at the network border. In fact, in the MITRE ATT&CK framework, perimeter defenses such as firewalls cover only a small fraction of the attack tactics, mostly in the pre-attack (reconnaissance) and initial access stages. Today’s cyberattacks are more sophisticated, more purpose-driven, more targeted, better concealed and more prolonged while in progress.

Another important aspect is that more and more threats and attacks originate inside the enterprise network, from an “insider”. According to the 2018 Verizon Data Breach Investigations Report (DBIR), twenty percent of cybersecurity incidents and fifteen percent of data breaches originated with people within the organization.

As a result, the defensive paradigm has shifted toward detecting and protecting across the entire attack chain, with more emphasis on post-breach activity. Threat detection inside the network, and protection of critical data and servers, have become more important.

No single security technique alone is sufficient to stop sophisticated, targeted attacks from the inside.

Instead, different security techniques need to be deployed together and coordinated into a layered, closed-loop defense that continuously monitors and detects the attack at each of its stages. That is what makes it possible to break the attack chain and thwart the attacker’s ultimate goal, which is to exfiltrate valuable business information or personal data.

For example, in this incident, had network traffic analysis been deployed near the servers holding the data and traffic behavior closely monitored, the unusually large data transfer would have been flagged and noticed. A second element is proper segmentation and isolation of different business applications and critical data, so that access privileges can be granted granularly per segment.
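The kind of check the paragraph above argues for, written out as an added example that is not part of the original post and not Capital One’s or AWS’s own tooling: each principal (a role or service account) is compared against its own history, so that a day on which it suddenly reads ten times its usual volume, or touches hundreds of objects it never touched before, from a source address it never used before, raises an alert. The record format, the role name `web-app-role`, the thresholds and every address are constructed for illustration.

```python
"""Flag an unusually large bulk download by comparing each principal to its own
baseline. Constructed example: the log layout, names, addresses and thresholds are
assumptions for illustration, not a real product or a real log format."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MIB = 1024 * 1024
ANOMALY_RATIO = 10            # alert when a day exceeds 10x the principal's median
MIN_ALERT_BYTES = 500 * MIB   # ...but never on tiny absolute volumes


def build_sample_records():
    """Constructed access log, one tuple per object read:
    (timestamp, principal, source_ip, object_key, bytes).
    Seven quiet days of three small config reads, then one day on which a single
    new source address pulls 400 large objects (about 30 GB) in a few minutes."""
    records = []
    base = datetime(2019, 3, 12, 8, 0, 0)
    for day in range(7):
        for i in range(3):
            ts = base + timedelta(days=day, hours=i)
            records.append((ts, "web-app-role", "10.0.1.12", f"cfg/app-{i}.json", 2048))
    ts = base + timedelta(days=7, hours=6)
    for i in range(400):
        records.append((ts + timedelta(seconds=i), "web-app-role", "203.0.113.45",
                        f"customer-data/part-{i:04d}.csv", 75 * MIB))
    return records


def daily_profile(records):
    """Aggregate per principal and per calendar day: bytes, distinct objects, sources."""
    profile = defaultdict(lambda: defaultdict(
        lambda: {"bytes": 0, "objects": set(), "sources": set()}))
    for ts, principal, src_ip, key, size in records:
        day = profile[principal][ts.date()]
        day["bytes"] += size
        day["objects"].add(key)
        day["sources"].add(src_ip)
    return profile


def find_bulk_egress(records):
    """Return one alert per principal whose latest day departs from its own baseline.
    The baseline is the median of the earlier days; comparing a principal to itself
    avoids paging on services that legitimately move large volumes every day."""
    alerts = []
    for principal, days in daily_profile(records).items():
        ordered = sorted(days)
        if len(ordered) < 2:          # nothing to compare against yet
            continue
        *history, latest = ordered
        base_bytes = median(days[d]["bytes"] for d in history)
        base_objects = median(len(days[d]["objects"]) for d in history)
        known_sources = set().union(*(days[d]["sources"] for d in history))
        today = days[latest]
        too_much = today["bytes"] > max(MIN_ALERT_BYTES, ANOMALY_RATIO * base_bytes)
        too_wide = len(today["objects"]) > ANOMALY_RATIO * max(base_objects, 1)
        if too_much or too_wide:
            alerts.append({
                "principal": principal,
                "day": latest.isoformat(),
                "bytes": today["bytes"],
                "baseline_bytes": base_bytes,
                "distinct_objects": len(today["objects"]),
                "new_sources": sorted(today["sources"] - known_sources),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_egress(build_sample_records()):
        print(f"{alert['day']} {alert['principal']}: {alert['bytes'] / MIB:.0f} MiB "
              f"(baseline {alert['baseline_bytes']} bytes), "
              f"{alert['distinct_objects']} objects, new sources {alert['new_sources']}")
```

The two signals are deliberately independent: a slow, patient copy can stay under a volume ratio, so the count of distinct objects catches an attacker who enumerates everything, and the list of never-before-seen source addresses is the first pivot an analyst wants when the alert fires.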

Threat intelligence provides the critical traces needed for forensics and threat hunting.

Threat intelligence goes beyond the current alert itself; it extends the view of an attack backward in time and outward across systems. For example, with network traffic analysis (NTA) or user and entity behavior analytics (UEBA), forensic analysis can trace back through days, weeks or months of network traffic and user behavior logs; in addition, threat intelligence can correlate that forensic data with known IP addresses, domain names, URLs, file hashes and other indicators to track down and accurately identify the sources of an attack.
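The retrospective correlation described above, as an added example that is not part of the original post: a constructed indicator set (IP addresses, a domain and a file hash, none of them real indicators) is swept across weeks of constructed event records; each hit is then pivoted on the account involved to rebuild its full timeline, and any public address or domain in that timeline that the feed did not already know is surfaced as a new indicator to hunt with. The event format, the account names and the internal address ranges are assumptions for illustration.

```python
"""Correlate historical events with threat-intelligence indicators, then pivot on
the hits. Constructed example: the indicator feed, the event format and every name
and address are illustrative assumptions, not real intelligence."""
import ipaddress
from datetime import datetime, timedelta

# Constructed indicator feed covering the indicator types the text names.
INDICATORS = {
    "ip": {"203.0.113.45", "203.0.113.46"},     # e.g. anonymising-proxy exit addresses
    "domain": {"sync-tool.example.net"},
    "sha256": {"aa" * 32},                       # placeholder hash of a known tool
}

# Assumed internal ranges; anything else is treated as a public source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                                   "192.168.0.0/16")]

# Constructed events: "timestamp user source_ip domain sha256 action", '-' = none.
# The final bulk-read comes from an address the feed does not know about.
SAMPLE_EVENTS = """
2019-03-01T09:00:00 svc-web 10.0.1.12 - - login
2019-03-12T22:15:00 svc-web 203.0.113.45 - - login
2019-03-12T22:16:30 svc-web 203.0.113.45 sync-tool.example.net - download
2019-03-12T22:20:00 svc-web 203.0.113.45 - aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa execute
2019-03-13T03:00:00 svc-web 198.51.100.7 - - login
2019-03-14T10:00:00 alice 10.0.2.5 intranet.example.net - browse
2019-04-02T14:00:00 svc-web 198.51.100.7 - - bulk-read
"""


def parse_events(text):
    """Parse the constructed whitespace-separated event format into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, domain, sha, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
                       "domain": None if domain == "-" else domain,
                       "sha256": None if sha == "-" else sha, "action": action})
    return events


def match_indicators(events, indicators=INDICATORS):
    """Sweep every historical event against the feed; return (event, matches) pairs."""
    hits = []
    for ev in events:
        matched = [(kind, ev[field]) for kind, field in
                   (("ip", "src_ip"), ("domain", "domain"), ("sha256", "sha256"))
                   if ev[field] in indicators[kind]]
        if matched:
            hits.append((ev, matched))
    return hits


def pivot_timeline(events, hits, window=timedelta(days=30)):
    """For each account that touched an indicator, collect everything that account
    did within `window` of its first and last hit, in time order."""
    bounds = {}
    for ev, _ in hits:
        lo, hi = bounds.get(ev["user"], (ev["ts"], ev["ts"]))
        bounds[ev["user"]] = (min(lo, ev["ts"]), max(hi, ev["ts"]))
    return {user: sorted((e for e in events if e["user"] == user
                          and lo - window <= e["ts"] <= hi + window), key=lambda e: e["ts"])
            for user, (lo, hi) in bounds.items()}


def derive_indicators(timelines, known=INDICATORS):
    """Pivot the other way: public source addresses and domains that appear in the
    timelines but not in the feed are candidates for hunting across the estate."""
    new_ips, new_domains = set(), set()
    for timeline in timelines.values():
        for ev in timeline:
            ip = ipaddress.ip_address(ev["src_ip"])
            if not any(ip in net for net in INTERNAL_NETS) and ev["src_ip"] not in known["ip"]:
                new_ips.add(ev["src_ip"])
            if ev["domain"] and ev["domain"] not in known["domain"]:
                new_domains.add(ev["domain"])
    return {"ip": new_ips, "domain": new_domains}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    hits = match_indicators(events)
    timelines = pivot_timeline(events, hits)
    for user, timeline in timelines.items():
        print(f"== {user}: {len(timeline)} events, first indicator hit {hits[0][0]['ts']}")
        for ev in timeline:
            print(f"  {ev['ts']} {ev['src_ip']:15} {ev['action']}")
    print("new indicators to hunt with:", derive_indicators(timelines))
```

In the constructed data the only alert an analyst would have in hand is the April bulk read, whose source address is in no feed; it is the feed’s hit on the same account three weeks earlier, and the pivot from that hit, that ties the two together and turns the unknown address into an indicator.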

In this incident, the attacker was eventually tracked down through the open-source communities where the stolen data had been posted, together with the social activity tied to the same account.

Finally, security is as much about people and process as it is about technology.

Security problems cannot be solved by technology alone, and people are often the weakest link in the line of defense. A strong defense therefore depends on continually educating people about the security risks present even in routine business activities, and on strengthening security awareness among employees, partners and everyone else who manages or has access to critical business applications and sensitive data.

It is equally important to establish proper procedures and policies around business applications and data. Processes are needed to continuously monitor and audit those applications, and the generation, transport and storage of the data they handle, so that access to sensitive information is properly controlled.