Published on September 29th, 2016 | by Raj Wadhwa
Lack of Network Visibility May Have Killed Yahoo
Yahoo Inc. recently confirmed that a copy of user information was stolen from their network sometime in the latter part of 2014. While not a lot of information is available on how exactly the breach may have happened, given its size and the fact that it went undetected for so long, one thing is very obvious: The data was most likely leaked over the network.
Tech giant Yahoo takes data security very seriously. It has a large team of in-house security analysts who work around the clock to protect Yahoo’s digital assets, and one can assume that they would settle for nothing less than the very best breed of network security solutions. Yet, despite all the precautions they took, their network was breached, indicating strongly that this was a very sophisticated attack by a highly motivated hacker or group (though Yahoo suggested the possibility of a state-sponsored actor).
Network Exfiltration a Common Denominator
One can draw parallels to breaches that happened previously at Google and LinkedIn where hackers were able to stealthily exfiltrate data over a long period of time without their network security solutions detecting any anomalous behavior.
However, a data breach that involves over half a billion user records doesn’t just happen over a matter of hours or days – an intrusion on this scale takes months or even years to get the information out from Yahoo’s highly-protected network.
There are a number of scenarios that could explain how the initial compromise might have happened. One could hazard a guess that an advanced persistent infection was launched via a spear-phishing attack, that a Zero-Day vulnerability was exploited, or that admin credentials were compromised and then used to gain access to the systems holding the now-leaked information. Once the infection had established itself within the network, the data would have been leaked in small chunks over time, likely over an encrypted network channel.
Full Intrusion Prevention is Virtually Impossible
In today’s world, it is impossible to stop a highly motivated hacker or organization from getting past all of your security systems. Just look at the news and recent large-scale breaches that have been publicized. But you can still detect instances of the data being leaked over the network.
When it comes to breach detection and response, most enterprises today still use logs from network appliances like firewalls and web gateways, attempting to correlate them with their security information and event management (SIEM) systems to answer the question of how they were breached. However, given how sophisticated attacks like these are, the traditional use of a SIEM is something like having a blind watchman protecting your house.
Many log-based tools provide only Layer 3 and Layer 4 information; they are so verbose, and so lacking in detailed Layer 7 application-level information, that building a pattern of network communications spanning more than 48 hours becomes a mission even the great Ethan Hunt would find impossible. This makes it nearly impossible to detect attacks that span weeks, if not months.
Even User Behavior Analytics (UBA) systems have their drawbacks. UBA solutions attempt to create a baseline of good activity on the network so that bad activity stands out more easily. This sounds good in theory, but the challenge is that such a baseline is almost impossible to build when it is derived from the same verbose log data, which often results in either too many false positives or too many false negatives.
That leaves us with only one real approach, which is to look at the actual data leaving the network, much like a CCTV camera watching burglars trying to escape from a house they have just robbed. When data leaves the network, there are tell-tale signs like:
- SSH connections to servers that the enterprise doesn’t connect to often
- Variances in inter-packet arrival times for protocols like HTTP, DNS, etc.
- HTTPS sessions being larger than they usually are
- Trusted and frequently used enterprise applications (such as Dropbox, Google Drive, etc.) being used to exfiltrate sensitive data
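As an added illustration (not code from the original post), the following Python sketch applies two of the signals above, SSH connections to rarely used servers and HTTPS sessions larger than usual, to a small set of constructed flow records; the records, hostnames and thresholds are assumptions, not real data.

```python
# Added example: a minimal outbound flow-record analyzer for two exfiltration signals.
from statistics import median
from collections import Counter

# Constructed sample flow records (not real data): one entry per outbound session.
FLOWS = [
    {"app": "https", "dst": "mail.example.net", "bytes_out": 4_200},
    {"app": "https", "dst": "mail.example.net", "bytes_out": 5_100},
    {"app": "https", "dst": "mail.example.net", "bytes_out": 3_900},
    {"app": "https", "dst": "mail.example.net", "bytes_out": 4_600},
    {"app": "https", "dst": "mail.example.net", "bytes_out": 98_000_000},  # far above the norm
    {"app": "ssh",   "dst": "build01.corp.example", "bytes_out": 12_000},
    {"app": "ssh",   "dst": "build01.corp.example", "bytes_out": 11_500},
    {"app": "ssh",   "dst": "build01.corp.example", "bytes_out": 13_100},
    {"app": "ssh",   "dst": "203.0.113.77", "bytes_out": 250_000_000},  # never seen before
]

def rare_ssh_destinations(flows, min_sessions=3):
    """SSH destinations the enterprise connects to fewer than min_sessions times."""
    counts = Counter(f["dst"] for f in flows if f["app"] == "ssh")
    return sorted(d for d, n in counts.items() if n < min_sessions)

def oversized_https_sessions(flows, factor=10):
    """HTTPS sessions whose outbound bytes exceed factor x the per-destination median.
    The median is used so that a single huge session does not inflate its own baseline."""
    per_dst = {}
    for f in flows:
        if f["app"] == "https":
            per_dst.setdefault(f["dst"], []).append(f["bytes_out"])
    baseline = {d: median(v) for d, v in per_dst.items()}
    return [f for f in flows
            if f["app"] == "https" and f["bytes_out"] > factor * baseline[f["dst"]]]

if __name__ == "__main__":
    print("rare SSH destinations:", rare_ssh_destinations(FLOWS))
    for f in oversized_https_sessions(FLOWS):
        print("oversized HTTPS session:", f)
```

On real traffic the baseline would be computed over a longer window than the session being judged, which is exactly the multi-day view the log-based tools above struggle to provide.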
There are a variety of ways to detect network intrusions and exfiltration, but the most effective and efficient are those that offer total visibility into a network while using advanced behavioral analysis to detect data exfiltration, both in real time and retrospectively. If a company such as Yahoo had total network visibility, the breach could have been spotted much more quickly, leaving the attacker much less time to capture sensitive information.
Rajdeep Wadhwa heads Product Management for SS8’s Law Enforcement and Enterprise Security business units. Prior to SS8, Rajdeep was the Global Solutions Architect for the Cloud and Content business unit at McAfee, where he was responsible for product strategy and sales execution for the Data Loss Prevention product line.