Navigate ’16: The Anatomy of a Hack and How to Prepare

When it comes to compromising user accounts, not much seems to have changed in thirty-three years. That was one big takeaway from the Anatomy of a Hack presentation given today at Navigate 2016 by Darran Rolls, chief technical officer and CISO at SailPoint. The other takeaway: if enterprises had the right processes and tools in place, they could be much better prepared against attacks.

Rolls shared with the audience a video of what is very likely the first live hack ever televised. And the account takeover was achieved through an attack many of us would be familiar with today: a social engineering ploy used to trick the user into divulging their password.

Here’s the background: On October 2, 1983, Micro Live, a BBC2 TV series and part of the BBC Computer Literacy Project, was televising a show. During the show you could see John Coll, the host, make a common mistake as he was trying to demonstrate a new thing called “email.” While Coll’s mistake wasn’t to have a note with his password tucked under his keyboard, he did something almost as bad. He had a great big sign sitting on top of what would now be an antique monitor with his USERNAME in all caps. After Coll logged into his account, the following message displayed:

Computer Security Error. Illegal access.

I hope your Television PROGRAMME runs

as smoothly as my PROGRAM worked out

your passwords! Nothing is secure!

Hackers’ Song.

“Put another password in,

Bomb it out and try again,

Try to get past logging in,

we’re Hacking, Hacking, Hacking.

Try his first wife’s maiden name,

This is more than just a game,

It’s real fun, but just the same,

It’s Hacking, Hacking, Hacking.”

The NutCracker

( Hackers’ UK )


That was the extent of the prank hack. After the hacker message displayed, it vanished, and Coll went on reading his email and continued the demonstration. “It’s easy to think that this happened because of a clever hack involving complex password cracking tools,” explained Rolls. “But it was a basic human error and a method we are all familiar with.”

Here’s how it happened: About an hour before the live broadcast, Coll was in the studio getting ready for his demo and the director was in the control room. The director was talking to Coll on one radio channel and he was talking to a show guest located in the greenroom on a different radio channel. The director made the error of linking the two channels together and he connected both the greenroom and the studio. When the director wasn’t listening, one of the guests in the greenroom asked Coll “Do you know what the password is?”

Coll replied dutifully with the password.

That guest turned out to know a hacker, who he quickly phoned. Within 30 minutes the show system was owned. And when Coll authenticated, the message above was displayed. “This was classic social engineering. This is the textbook example right before the textbook was even written,” explained Rolls. “No zero day malware, no complex cracking, no sophisticated software tricks. Just simple user error and malicious intent.”

That breach is more than 30 years old. But it could have just as easily happened today. And it does, probably every day, despite the high level of maturity many enterprises believe themselves to maintain.

The reality is that many enterprises miss chances to catch identity-based attacks all of the time, Rolls explained.

With that in mind, and highlighting what has changed since 1983 when it comes to both knowledge and established defenses against identity-based attacks, Rolls introduced the IAM Cyber Kill Chain. The IAM Cyber Kill Chain highlights the potential weak points attackers target to exploit enterprises using identity, and it addresses where prevention and detection need to exist to work best. It’s a model to step through the phases of a typical attack as it highlights the points of weakness and defines where required protection and detection should be.

When an enterprise is attacked, there is a lot that an attacker can do when it comes to exploiting weaknesses in identity management. If the right identity management processes and technical controls are in place, the enterprise will have many opportunities to stop an attack. But, as Rolls explained, many have no such visibility and control, and therefore no ability to identify the various places identity-based attacks strike.

Rolls walked the audience through a recent real-world enterprise that was compromised, and identified many areas of the compromise that the enterprise missed that could have made a significant difference in spotting and stopping the attack much sooner.

This compromise started as many do: through reconnaissance and a spear-phished executive. From there, with a compromised system, the attackers used stolen credentials and other exploits to weave their way through the targeted company’s network and applications.

The attack continued, largely made possible because of what was lacking in their identity and access management program. They didn’t inventory their identities, for starters. There were default accounts and passwords available for the taking, Rolls explained. There were accounts that were no longer being used, so-called orphan accounts, that should have been detected and cleaned out. And while the breached enterprise had been conducting access re-certification, the window for that re-certification was spread out too long.

This enterprise didn’t use strong authentication, or analysis of user behavior in the context of their roles. When somebody was authenticating to the systems during unusual hours, or from unusual parts of the network, no one was alerted. They were still given access, Rolls said.
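The gaps described in the two paragraphs above (orphan, default and unused accounts, and logins at unusual hours or from unusual parts of the network that raised no alert) correspond to simple detective checks. The following is an added example, not SailPoint's code or anything shown in the talk; the account inventory, HR identity list, role baselines, the 90-day threshold and every name in it are constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data for illustration; none of it comes from the talk.
DEFAULT_NAMES = {"admin", "guest", "test"}   # assumed vendor-default account names
ACTIVE_IDENTITIES = {"E100", "E101"}         # employee IDs in the HR system of record
ACCOUNTS = [
    {"name": "alice", "owner": "E100", "role": "finance", "last_login": date(2016, 1, 11)},
    {"name": "bob", "owner": "E101", "role": "it-ops", "last_login": date(2015, 6, 2)},
    {"name": "carol", "owner": "E077", "role": "finance", "last_login": date(2016, 1, 9)},
    {"name": "admin", "owner": None, "role": "it-ops", "last_login": date(2016, 1, 12)},
]
ROLE_BASELINE = {  # usual login hours (start, end) and network segments per role
    "finance": {"hours": (7, 19), "segments": {"corp-lan"}},
    "it-ops": {"hours": (0, 24), "segments": {"corp-lan", "mgmt"}},
}
AUTH_EVENTS = [
    {"name": "alice", "time": datetime(2016, 1, 11, 9, 30), "segment": "corp-lan"},
    {"name": "alice", "time": datetime(2016, 1, 12, 3, 12), "segment": "dmz"},
]

def audit_accounts(accounts, active_ids, today, stale_days=90):
    """Return {account: [findings]} covering orphan, default and unused accounts."""
    findings = {}
    for acct in accounts:
        checks = {
            "orphan": acct["owner"] not in active_ids,       # no active identity owns it
            "default": acct["name"].lower() in DEFAULT_NAMES,
            "unused": (today - acct["last_login"]).days > stale_days,
        }
        if any(checks.values()):
            findings[acct["name"]] = [label for label, hit in checks.items() if hit]
    return findings

def flag_logins(events, accounts, baselines):
    """Return [(account, time, [reasons])] for logins outside the role's baseline."""
    roles = {a["name"]: a["role"] for a in accounts}
    alerts = []
    for ev in events:
        base = baselines[roles[ev["name"]]]
        checks = {
            "unusual hour": ev["time"].hour not in range(*base["hours"]),
            "unusual segment": ev["segment"] not in base["segments"],
        }
        if any(checks.values()):
            alerts.append((ev["name"], ev["time"], [r for r, hit in checks.items() if hit]))
    return alerts

if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS, ACTIVE_IDENTITIES, date(2016, 1, 15)), flag_logins(AUTH_EVENTS, ACCOUNTS, ROLE_BASELINE), sep="\n")
```

In practice the inventory and baselines would come from the identity governance system and authentication logs rather than inline literals, and an alert would hold or step up the login instead of granting access silently.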

This enterprise also lacked the most basic password hygiene, such as strong password policies and life cycle enforcement: making sure that at certain points in time, or when certain activities occur, passwords are changed and alerts are raised as a way to put detective controls and policy checks in place. This way, when things change in the infrastructure, the enterprise is able to detect it and take action.

The company in this example was breached from January 2014 to January 2016. That’s quite a long time. Fortunately, for enterprises today, there are ways to ensure good identity and governance activities. There are ways to monitor for anomalies and ways to shut down outdated and bad accounts in ways that simply were not available in 1983.

To get more helpful details on data breaches, read our white paper, “Anatomy of a Data Breach.”