Spear Phishing Detection Matters: The Anthem Data Breach

By: Kevin O’Brien of GreatHorn


Spear Phishing Detection: Why Machine Learning Is The Answer

A key lesson to take away from the Anthem data breach is that organizations need to recognize that simply throwing a SIEM or log aggregation tool and an IDS into their infrastructure is not sufficient. Consider how the Anthem data breach worked:
Robots are better at catching phish.

  • A group of Chinese Hackers, dubbed “Deep Panda” by Crowdstrike, registered a domain (we11point.com) that was designed to look like Anthem’s corporate domain prior to Q4 2014 (wellpoint.com)
  • A number of subdomains, including myhr.we11point.com and citrix.we11point.com, were also tied to the suspicious we11point.com domain; trojan-horse style malware was installed on these domains.
  • The malware, masquerading as “CITRIX Access Gateway Secure Input”, was digitally signed with a certificate owned by DTOPTOOLZ Co., who are associated with the Deep Panda group
  • Spear phishing attacks sourced from the number-substituted we11point.com were used to propagate the malware throughout Anthem
  • The compromised accounts were used in a classic escalation of privileges and subsequent data exfiltration scheme

The Case for Predictive Analytics

This is a depressingly standard attack — and it works, repeatedly, for three basic reasons:

  1. Users are a weak link: As busy as most people are, the difference between wellpoint.com and we11point.com is apt to go unnoticed, especially if the resulting site looks and operates as expected
  2. Information security analysts are buried in alerts: Even when good monitoring software exists, it’s unlikely that the average infosec team (or worse, IT or DevOps team who have had security thrown onto their already overloaded plates) will see and respond to minor domain name changes
  3. Attacks that take place over long periods of time fly under the radar:
  4. Time to detection for the average attack is measured in weeks and months; attackers can get into an environment in minutes or hours. If they are patient — and most government sponsored or large criminal syndicates can afford to be — they can spread the attack out over a long enough timeline to not be noticed.

Reducing Time to Detection and Response

The measurement of good security (in light of this type of sophisticated attack) should be time to detection and time to response. Based on Verizon’s 2015 Data Breach Investigations Report (well worth reading), however, these two key performance indicators are both trending in exactly the wrong direction:
Time to detection and response matter.
The good news is that even modest staffed information security teams can be given the means to change this trend. Machine learning and predictive analytics tools are capable of seeing threats that human users miss, manage even vast quantities of alert data, and identify trends across long timeframes.
It’s clear that something need to change; intercepting spear phishing attacks, recognizing and interrupting early indicators of intrusion, and protecting your organizations’s critical data is well within reach. Want to see for yourself? Request a free trial of the GreatHorn predictive security platform today, and don’t become the next Anthem.

Upcoming Events


Related Articles