The attack on Anthem, the second-largest health insurer in the US, which exposed identifiable personal data of tens of millions of people, was probably not a smash-and-grab raid but instead a sustained, low-key siphoning of information over a period of months.
The breach was designed to stay below the radar of the company’s IT and security teams, using a bot infection to smuggle data out of the organisation.
According to statements released by Anthem, the first signs of the attack came in the middle of last week, when an IT administrator noticed a database query was being run using his identifier code when he had not initiated it.
>See also: The 2015 cyber security roadmap
The company determined that an attack had occurred, informed the FBI and hired an external security consultant to investigate.
Investigators reported that customised malware was used to infiltrate Anthem’s networks and steal data. The exact malware type was not disclosed, but is reported to be a variant of a known family of hacking tools.
However, an independent security consultancy reports that the attack may have started up to three months earlier. The consultancy said that it noticed ‘botnet type activity’ at Anthem affiliate companies back in November 2014.
Below the radar
This would not be surprising, as long-term bot activity is commonplace in enterprises. Check Point’s 2014 Security Report, based on monitored events at over 10,000 organisations worldwide, found that at least one bot was detected in 73% of companies, up from 63% the year before. 77% of bots were active for over four weeks, and typically communicated with their ‘command & control’ every three minutes.
Bots are able to avoid detection because their developers use obfuscation tools to enable them to bypass traditional signature-based antimalware solutions, and stay below companies’ security radar.
As such, threat emulation, also known as sandboxing, should be used as an additional layer of defence to stop bots before they can infect networks. Anti-bot solutions should also be deployed to help discover existing bot infections, and prevent further breaches by blocking their communications.
It’s also important that organisations segment their networks, separating each segment with layers of security to prevent bot infections spreading widely across internal IT estates.
Segmentation can contain infections in one area of the network, mitigating the risks of the infection accessing and breaching sensitive data residing in other network segments.
With these preventative approaches, companies can dramatically reduce their exposure to the type of slow, stealthy bot attack that appears to have struck Anthem, and avoid being victims of similar large-scale breaches.
Sourced from Keith Bird, Check Point