Point of View – Learnings from the Uber Breach

Social engineering attacks are increasingly becoming the most common method to gain a foothold in a target/victim’s environment. Hackers are also getting smarter, and the entry barrier is lower as tools and kits become almost commoditized. The Uber breach has once again proved that the weakest link in an organization’s security defenses is often the human element. Organizations need to employ multi-layered defenses that go beyond preventing attacks to detecting threats on time and remediating them with minimum disruption to business. SISA recommends putting two levels of controls in place – Preventive and Detective – to help improve cyber resilience and security posture.

Preventive controls

1. Conduct employee training and phishing simulation

The essential element in the chain of defense is to train employees on phishing and social engineering attacks. Organizations must ensure the training content is updated with the latest phishing and social engineering attack trends. Secondly, organizations must incorporate the processes followed by the IT team in troubleshooting so that if employees get any requests other than the standard operating ones, they can raise an incident.

SISA has also observed that, in almost 43% of the cases we investigated, phishing is the primary method used to compromise the environment. As the percentage of ingress arising out of social engineering and phishing has increased drastically, organizations are advised to conduct social engineering, and phishing simulation exercises every quarter. This can help improve employee awareness and familiarity with emerging threat vectors and equip them to identify any suspicious alerts/events on time.

2. Deploy data discovery and classification tool

Another growing trend that SISA has observed is that intruders, after establishing persistence in the network, are running scripts for scanning the intranet for sensitive data such as card numbers, user credentials, cloud secret keys, etc., to aid them in deeper penetration of the network. Hence, running a data discovery and classification tool is a recommended prevention control for identifying and scanning the locations where the sensitive data are stored. More importantly, the data scanning tool should locate any files or locations containing sensitive keywords such as ‘pass,’ ‘password,’ passwords,’ or ‘credential,’ etc. Currently, no data scanning solution can identify whether the passwords are stored in clear text. Hence, identifying the potential locations where passwords may be stored in clear text, base 64 encoded value, or encrypted form is a good start for the organization’s security team. Although this method might have a 90% false positive result, it is still better to analyze the false positive than take a chance of leaving something to the intruder to take advantage of.

Detective controls

1. Deploy intelligent monitoring solution

Organizations must consider deploying an ML-based intelligent monitoring solution beyond traditional rules-based and signature-based tools for detecting anomalies and/or suspicious behavior. SISA has observed that most entities that got breached could not detect the breach despite having a log monitoring solution.  As a best practice, organizations must ensure that all remote access logs, such as the VPN logs, are captured, and the monitoring team monitors the following:

• • Enrich the IP address of the remote access logs to capture the Geolocation and Geo city from where the user has logged in.
  • Once enriched, use multi-aggregation for aggregating usernames to the Geo city from where they have logged in. Once aggregated, use the long tail analysis technique to identify a user’s login from a new geo city.
  • If the organization has a UEBA-capable monitoring solution, feed the remote access logs like the VPN logs to the UEBA solution to identify the anomalies.

2. Create an incident response playbook

As per SISA Forensic investigation learnings from other cases, one of the main reasons for inefficient detection is that organizations do not have a well-established incident investigation playbook for analyzing various critical alerts. Organizations must therefore ensure they have a well-documented incident playbook to follow, investigate and analyze if a mapping of user login from a new geo city is identified. The playbook should include a detailed checklist of actions, determine communication channels, set pre-defined roles, and document the end-to-end process flow.

3. Deploy a deception solution

Like the Uber breach, where the intruder scanned the intranet to identify the PowerShell containing the credentials, intruders and malware have been widely seen scanning the internal network to determine their next action. Hence, deploying a deception solution or honeypot trigger is a robust detection control for detecting internal breaches and scanning attempts by intruders. Organizations needn’t implement deception solutions but can consider the following steps to create a deception trigger:

• • Create a deception file, and record the following data in the file –
    • Dummy card number – include at least five dummy card numbers.
    • Dummy credentials – ensure that the keywords like ‘password’ and ‘pass’ are mentioned.
    • Dummy cloud private keys.
  • Ensure that the file format for the deception file is either .txt or .log. It’s better to have two copies of the deception file with a .txt and .log.
  • Identify the various virtual LANs (V-LANs), network segments, and cloud segments within the organization’s architecture.
  • Deploy the deception file for each identified network segment, V-LANs, and cloud segment.
  • Configure logs and alerts to ensure access to these files is alerted as a ‘Critical alert.’
  • Ensure that an incident playbook is in place that can guide on how to investigate these alerts and contain either the malware or intruder.