So, this week, I got an email in my inbox with the following text, and I’m pretty certain several of you may also have got the email.
Now, as they’ve stated, this is not a new breach. It resurfaced in the headlines last week when it was discovered that more data from the 2012 breach was now available for sale online (you can read the statement made by LinkedIn’s CISO, Cory Scott, here). It turns out that what was initially thought to be a breach of 6.5 million accounts is actually 167 million accounts -- roughly 38% of LinkedIn’s registered members.
Granted, we do not have the exact details on how the LinkedIn systems were breached, but it’s evident that intruders gained access to these high-value assets and exfiltrated the data. That is the shape of almost every breach.
Keep in mind that a perimeter breach is rarely the end of the attack. The initial foothold is often not where the intruder ultimately wants to be. Once inside, they move laterally within the network from system to system until they reach the data they are after. Attackers also commonly stage the data on an internal host (think of it as a holding place for the haul) before pushing it out through the perimeter.
While most organizations place a lot of importance on monitoring their perimeter, monitoring the internal network is very useful for detecting the acquisition and staging stages of an attack. One simple thing to watch is the volume of data moving between hosts or between segments of the network. Different users accessing files on a file share is normal; the files vary in size depending on the documents accessed, but a single user or host pulling an exceedingly large volume out of a share is uncommon and worth investigating. Corvil auto-detects and provides visibility into the data transferred to and from file shares, by different users and systems, right down to the details of the files accessed. These observations help analysts pinpoint suspicious activity that warrants further investigation.
This type of visibility into data transfers also proves useful in detecting the actual exfiltration of data out through the perimeter, over overt or covert channels. Overt channels are those any ordinary user of the network would use to move data out. Organizations are likely to leave them open, subject to scrutiny, because legitimate business depends on them, and attackers exploit exactly that. Covert channels are used by attackers to avoid detection by network visibility tools by concealing the data being exfiltrated. Let’s take a look at some of these channels.
HTTP/S allows large file transfers, even through a web proxy. The visibility Corvil provides is interesting in a couple of different ways. Firstly, if the site, domain name or IP the data is being sent to is on a blacklist from our threat intelligence partners, we flag any communication made to it. If that is followed by a large data transfer to the same destination, it is definitely cause for concern and investigation. Even over HTTPS, where the payload is encrypted, we can still show the unusual volume of bytes going to a blacklisted or unknown destination.
Similarly, FTP is easy for attackers to use, as Windows and Linux systems typically come with a built-in FTP client. SSH utilities found on Linux servers in the target organization can be abused in the same way. RDP lets a user log into a Windows machine, control it, and transfer files between the two machines. Once again, Corvil tracks the data bytes transferred over such communications, which is valuable for investigation.
Another channel that attackers can exploit is DNS. DNS translates domain names into IP addresses and is in use in every organization. Although DNS is not meant for data transfer, it can be abused for it: the attacker encodes data into queries and responses and tunnels it through a service almost every firewall leaves open. With Corvil's Security Analytics we detect and flag instances of DNS tunneling. We also flag large and suspicious responses (a classic DNS message over UDP is limited to 512 bytes, and larger ones need EDNS(0) or TCP, so they stand out), the percentage of TXT records seen, and so on, all of which can be key to detecting and investigating exfiltration attempts.
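The volume-based checks described above, for the internal file-share stage and for the HTTP/S, FTP, SSH and RDP egress stage, come down to the same thing: sum bytes per user, host or destination, compare each total against its peers, and cross-reference the destination with a threat-intelligence blacklist. The following is an added example written for this page; it is not Corvil's code and makes no claim about how the product implements this. The flow records, the blocklist entries and the 10x-the-median threshold are all constructed assumptions for the demo; the addresses are RFC 1918 and TEST-NET ranges.

```python
from collections import defaultdict
from statistics import median

# Constructed sample session summaries (not from the original post). Each record
# is what a network-visibility tool would give you for one session: endpoints,
# the authenticated user where known, the protocol and the payload bytes moved.
FLOWS = [
    # Ordinary users reading a few files from the file share 10.0.0.5
    {"src": "10.0.1.10", "dst": "10.0.0.5", "user": "alice",   "proto": "smb", "bytes": 2_400_000},
    {"src": "10.0.1.10", "dst": "10.0.0.5", "user": "alice",   "proto": "smb", "bytes": 1_100_000},
    {"src": "10.0.1.11", "dst": "10.0.0.5", "user": "bob",     "proto": "smb", "bytes": 3_000_000},
    {"src": "10.0.1.12", "dst": "10.0.0.5", "user": "carol",   "proto": "smb", "bytes":   800_000},
    # A compromised account pulling the whole share to an internal staging host
    {"src": "10.0.1.50", "dst": "10.0.0.5", "user": "mallory", "proto": "smb", "bytes": 900_000_000},
    # Normal web browsing from user workstations
    {"src": "10.0.1.10", "dst": "198.51.100.20", "user": "alice", "proto": "https", "bytes": 300_000},
    {"src": "10.0.1.11", "dst": "198.51.100.21", "user": "bob",   "proto": "https", "bytes":  80_000},
    # The staging host uploading the haul over HTTPS to a blocklisted address,
    # plus a tiny check-in to a second blocklisted address
    {"src": "10.0.1.50", "dst": "203.0.113.77", "user": None, "proto": "https", "bytes": 850_000_000},
    {"src": "10.0.1.50", "dst": "203.0.113.99", "user": None, "proto": "https", "bytes": 2_000},
]

# Assumed threat-intelligence blocklist (hypothetical entries for the demo).
BLOCKLIST = {"203.0.113.77", "203.0.113.99"}

INTERNAL_PREFIXES = ("10.", "192.168.")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def total_bytes(flows, key):
    """Sum session bytes per key, e.g. per (user, share) or per destination."""
    totals = defaultdict(int)
    for flow in flows:
        totals[key(flow)] += flow["bytes"]
    return dict(totals)


def volume_outliers(totals, factor=10):
    """Keys whose total exceeds `factor` times the median of all keys.

    The median is robust to a single huge transfer, so one exfiltration
    session cannot drag the baseline up and hide itself (a mean would).
    """
    if len(totals) < 2:
        return {}
    baseline = median(totals.values())
    return {k: v for k, v in totals.items() if v > factor * baseline}


def file_share_alerts(flows, share_proto="smb"):
    """Lateral stage: which (user, share) pairs moved far more than their peers?"""
    internal = [f for f in flows
                if f["proto"] == share_proto
                and is_internal(f["src"]) and is_internal(f["dst"])]
    return volume_outliers(total_bytes(internal, lambda f: (f["user"], f["dst"])))


def egress_alerts(flows, blocklist):
    """Exfiltration stage: per external destination, say why it is suspicious.

    Payload content is opaque over HTTPS/SSH, so the only signals are the
    destination's reputation and the volume sent to it. A blocklisted
    destination alerts even on a tiny flow (a beacon); an unknown one alerts
    only when the volume is an outlier.
    """
    egress = [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]
    totals = total_bytes(egress, lambda f: f["dst"])
    big = volume_outliers(totals)
    alerts = {}
    for dst, nbytes in totals.items():
        reasons = []
        if dst in blocklist:
            reasons.append("blocklisted destination")
        if dst in big:
            reasons.append("unusually large upload")
        if reasons:
            alerts[dst] = {"bytes": nbytes, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for (user, share), nbytes in file_share_alerts(FLOWS).items():
        print(f"file share: {user} moved {nbytes:,} bytes with {share}")
    for dst, info in egress_alerts(FLOWS, BLOCKLIST).items():
        print(f"egress: {dst} {info['bytes']:,} bytes -> {', '.join(info['reasons'])}")
```

On the sample data the only file-share outlier is mallory's 900 MB pull from 10.0.0.5, and on the egress side 203.0.113.77 is flagged for both reasons while 203.0.113.99 is flagged on reputation alone. The median baseline is the important design choice: with four users, a mean-based threshold would be dominated by the very transfer you are trying to catch.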
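The DNS indicators listed above (responses larger than the classic 512-byte UDP limit, a high share of TXT queries, and data-like subdomain labels) can be scored from an ordinary query log. Here is an added example for this page, not Corvil's code and not a description of the product's detection logic. The query log is constructed: the tunnel entries under `t.example.org` carry base64-encoded text as their left-most label, and the 3.5-bit entropy threshold, the 50% TXT ratio and the two-indicator rule are assumptions chosen for the demo.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the original post). Each entry is one
# query seen on the wire: the name asked for, the record type, and the size in
# bytes of the response that came back.
DNS_LOG = [
    {"qname": "www.example.com",  "qtype": "A",   "resp_bytes": 60},
    {"qname": "mail.example.com", "qtype": "MX",  "resp_bytes": 90},
    {"qname": "example.com",      "qtype": "TXT", "resp_bytes": 140},  # an SPF lookup
    {"qname": "www.example.com",  "qtype": "A",   "resp_bytes": 60},
    # Tunnel traffic: base64 chunks of a file as the left-most label, with TXT
    # answers carrying data the other way. Domain and payload are made up.
    {"qname": "aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.t.example.org",
     "qtype": "TXT", "resp_bytes": 1400},
    {"qname": "c2Vjb25kIGNodW5rIG9mIHN0b2xlbiBkYXRh.t.example.org",
     "qtype": "TXT", "resp_bytes": 1400},
    {"qname": "dGhpcmQgY2h1bmsgb2YgdGhlIGZpbGUgZ29lcyBoZXJl.t.example.org",
     "qtype": "TXT", "resp_bytes": 1350},
]

# RFC 1035 limit for a DNS message over UDP without EDNS(0).
CLASSIC_UDP_MAX = 512


def shannon_entropy(text):
    """Bits per character. Encoded data scores high; hostnames and words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Crude registrable-domain split (last two labels); fine for the demo,
    a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_dns(log, txt_ratio=0.5, entropy_bits=3.5, min_queries=3):
    """Group queries by base domain and collect tunnelling indicators per domain."""
    groups = defaultdict(list)
    for rec in log:
        groups[base_domain(rec["qname"])].append(rec)

    findings = {}
    for domain, recs in groups.items():
        reasons = []
        # 1. Oversized answers: a tunnel stuffing data into responses blows
        #    through the classic UDP limit.
        oversized = [r for r in recs if r["resp_bytes"] > CLASSIC_UDP_MAX]
        if oversized:
            reasons.append(f"{len(oversized)} responses over {CLASSIC_UDP_MAX} bytes")
        # 2. TXT-heavy: legitimate clients rarely ask for TXT over and over.
        txt = sum(1 for r in recs if r["qtype"] == "TXT")
        if len(recs) >= min_queries and txt / len(recs) >= txt_ratio:
            reasons.append(f"TXT is {txt}/{len(recs)} of queries")
        # 3. Data-like labels: the left-most label is where tunnels put payload.
        first_labels = [r["qname"].split(".")[0] for r in recs]
        mean_entropy = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if mean_entropy > entropy_bits:
            reasons.append(f"mean label entropy {mean_entropy:.2f} bits")
        if reasons:
            findings[domain] = reasons
    return findings


def suspicious_domains(log, min_reasons=2):
    """Require more than one indicator, so a single large DNSSEC or DKIM
    answer on its own does not page anyone."""
    return {d: r for d, r in analyze_dns(log).items() if len(r) >= min_reasons}


if __name__ == "__main__":
    for domain, reasons in suspicious_domains(DNS_LOG).items():
        print(f"{domain}: " + "; ".join(reasons))
```

On the sample log `example.com` trips nothing (one SPF TXT lookup out of four queries, short readable labels, small answers), while `example.org` trips all three indicators. The two-indicator rule is the caveat a practitioner needs: oversized responses alone are common with EDNS(0) and DNSSEC, so size should corroborate other signals rather than alert on its own.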
So, in short: yes, Corvil provides visibility into internal and external data movement, which is essential for detecting and investigating lateral data movement and exfiltration.
Now, that being said, what should you do if your LinkedIn account has been compromised? Change your password! And not just on LinkedIn. LinkedIn may have invalidated passwords set pre-2012 and may have enforced stronger password policies since. However, the real danger of the harvested data stems from the fact that a large percentage of users reuse the same password everywhere. A user’s LinkedIn password may well be the same one protecting their email or online banking account.
You can check whether your credentials have turned up in any of the known data breaches by going here. My advice is to make sure any password you set adheres to strong password policies. As a best practice, use a different password for every site you use. A password manager can help you create strong passwords and securely remember them for you. And yes, now that your email address is publicly available for sale, watch out for phishing emails, and don't click those email links to cute cat videos.
Stay safe on the big bad web and enjoy the long weekend coming up!