What Should You Learn from the Massive Data Breach “Operation Soft Cell”?
Another massive data breach was uncovered last week (30.6.19).
The US-Israeli company Cybereason traced, in a year-long investigation (called “Operation Soft Cell”), an attack that had been underway since 2012.
This time it was the telecommunication sector that was hit.
The most worrisome fact about this breach is not only the methods that were used (which were highly sophisticated) but the purpose of the hacking.
Cybereason believes that, judging by the methods, tools and resources required to run this operation, the hackers are likely in the service of the Chinese government. The attackers specifically targeted 20 people working in government, law enforcement and politics.
“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”
This allowed them to spy on the targets’ lives and learn even the smallest details about their life events, behaviors, connections and more.
According to Amit Serper, head of security research at Cybereason, the attackers pulled gigabytes of data from the target networks, but always in relatively small amounts so as to remain under the radar.
The entry point was a weakness in a web server (IIS) that allowed the attackers to access the network and completely take it over (Cybereason’s full article).
No one is safe. What can be done?
Malicious attacks keep rising each year and will affect every sector. Here are some alarming numbers for 2019 (link to the full article):
- Ransomware is expected to cost businesses and organizations $11.5 billion in 2019.
- The global average cost of a data breach is $3.6 million, and it keeps increasing every year.
- The global cost of cybercrime is expected to exceed $2 trillion in 2019 and will cost the world $6 trillion annually by 2021. (Cybersecurity Ventures, 2018).
- 1.76 billion records were leaked in January 2019 alone.
Cyber attacks are the fastest-growing crime in the U.S. (Cybersecurity Ventures, 2017), while the connection of more and more devices to the internet, the massive usage of cloud computing, and other factors make organizational security demands even greater and more complex.
70% of businesses surveyed believe their security risk increased significantly, according to a survey conducted by the Ponemon Institute in 2017.
Think of it: it’s true that the monetary cost of a data breach is enormous ($3.6 million), but the risk of damage to your brand’s trust level (which is one of the most valuable assets of a company today) is incalculable.
Learn how to enhance your corporate data security with XpoLog automated security log analysis
How to enhance your corporate data security?
You can’t go against the flow; it is obvious that more and more objects, employees, entities and business activities will exist in a digital environment.
You must incorporate tools which allow your IT department to control the digital sphere.
If you want to effectively and efficiently manage vast amounts of data, AI and automation can really come in handy.
1. Gain real-time and historical visibility into your environment
In order to protect and be in control of what is happening in your environment (systems, cloud, databases, applications, servers, devices, etc.), every organization should make sure there is complete and ongoing visibility into IT data.
The IT department should be able to quickly answer questions such as: Which users are active? When? What are they doing? Where do they come from, which pages have they visited, and more.
It should be very easy to extract insights about user and entity activity and to manage complete access control procedures.
How and which data to monitor?
We will show some examples of pre-defined dashboards and reports related to the Soft Cell data breach.
These reports help you track and understand, out of the box, what is going on in your IIS server and in your Active Directory.
Active Directory Insights
Login/ Logouts Dashboard – contains:
- Successful Logins Report
- Successful Logins Per User
- Failed Logins Per User
- Failed Logins Report
- Successful Logouts Report
- Successful Logouts Per User
Users Access Dashboard – contains:
- Locks Per Administrator Report
- Locked Users Report
- Unlocked Users Report
- Enabled Users Report
- Disabled Users Report
- Top Disabled Users Report
- Top Locked Users Report
Password Dashboard – contains the following reports:
- Password Resets per Administrator
- Password Resets Report
- Top Reset Passwords – Users
- Password Changes Report
- Password Changes per Administrator
- Top Changed Passwords – Users
Policies Dashboard – contains:
- Top Changed Policies
- Policy Changes Report
- Top Policy Changes Per Administrator
Security Detection Dashboard – contains:
- Failed Logins Report
- Top Failed Logins Users
- Unique Failed Logins Users – Daily
- Total Failed Logins Times – Daily
- Unique Number of Users – Failed Login Attempt
- Unique Number of Users – Successful Login Attempt
Group Management Dashboard – contains:
- Deleted Groups Members Report
- New Group Members Per Administrator
- New Groups Members Report
- Deleted Group Members Per Administrator
- Top Active Groups
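As an added illustration (not XpoLog’s code and not part of the original post), here is how the failed-login, password-reset and group-membership reports listed above can be derived from Windows Security event records. The sample events are constructed, and the four-column CSV layout is an assumption; the event IDs (4625 failed logon, 4740 lockout, 4724 password reset, 4728/4732/4756 member added to a group) are the standard Windows Security IDs.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on Windows Security log fields (not real data):
# timestamp, event id, target account, subject (acting) account
SAMPLE_EVENTS = """\
2019-06-24T08:01:10,4624,alice,-
2019-06-24T08:02:31,4625,bob,-
2019-06-24T08:02:40,4625,bob,-
2019-06-24T08:02:52,4625,bob,-
2019-06-24T08:03:01,4740,bob,-
2019-06-24T09:15:00,4724,carol,admin1
2019-06-24T09:16:12,4728,svc_backup,admin1
2019-06-25T02:10:05,4625,alice,-
2019-06-25T02:10:09,4625,dave,-
2019-06-25T02:10:13,4625,erin,-
2019-06-25T02:10:17,4625,frank,-
2019-06-25T02:20:00,4724,frank,admin1
2019-06-25T02:21:00,4728,frank,admin1
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, eid, target, actor = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "target": target, "actor": actor})
    return events

def failed_logins_per_user(events):          # "Failed Logins Per User"
    return Counter(e["target"] for e in events if e["id"] == 4625)

def unique_failed_users_daily(events):       # "Unique Failed Logins Users – Daily"
    days = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            days[e["ts"].date().isoformat()].add(e["target"])
    return {d: len(users) for d, users in days.items()}

def password_resets_per_admin(events):       # "Password Resets per Administrator"
    return Counter(e["actor"] for e in events if e["id"] == 4724)

def group_adds_per_admin(events):            # "New Group Members Per Administrator"
    return Counter(e["actor"] for e in events if e["id"] in (4728, 4732, 4756))

def days_with_many_failed_users(events, threshold=3):
    # A day on which failed logons touch many distinct accounts, especially
    # outside working hours, deserves a closer look in the Security Detection view.
    daily = unique_failed_users_daily(events)
    return sorted(d for d, n in daily.items() if n >= threshold)
```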
IIS Server Insights
- Visitors by Geo Data
- Top countries
- Geo Data Stats
- Visitors IP Information
- Hits by Country Over Time
- URL By Geo
Data Trends Dashboard
- Hits by Server Over Time
- Bandwidth (MB) by Server
- Top Resource Requests
- Unique Users by Server Over Time
Pages and URLs Dashboard
- Status Code Per Platform
- Top Content by IP and Total Size (Bytes)
- Top Requested Content by Referrer
- Number of users
- HTTP status code distribution
- Top hits per user
- Number of users over time
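The IIS reports above (status code distribution, bytes per client, hits per client over time) can be computed directly from the W3C extended log IIS writes. The block below is an added example, not XpoLog’s code; the log excerpt is constructed, and it assumes sc-bytes logging is enabled. It also adds one check the post’s description of the breach motivates: a client that never fetches one large response but moves a lot of data spread over several days, the “small amounts to remain under the radar” pattern.

```python
from collections import Counter, defaultdict

# Constructed IIS W3C extended log excerpt (not real data). IIS writes the
# "#Fields:" header itself; URI stems never contain spaces, so split() is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2019-06-24 10:00:01 10.0.0.5 GET /index.html 200 5120
2019-06-24 10:00:02 10.0.0.5 GET /logo.png 200 20480
2019-06-24 10:05:00 203.0.113.7 POST /upload.aspx 200 512
2019-06-24 11:05:00 203.0.113.7 GET /export.aspx 200 900000
2019-06-24 12:05:00 203.0.113.7 GET /export.aspx 200 950000
2019-06-25 10:00:05 10.0.0.9 GET /index.html 404 312
2019-06-25 10:10:00 203.0.113.7 GET /export.aspx 200 880000
2019-06-25 11:10:00 203.0.113.7 GET /export.aspx 200 910000
2019-06-25 12:10:00 203.0.113.7 GET /export.aspx 200 870000
"""

def parse_w3c(text):
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names from the header
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def status_code_distribution(rows):           # "HTTP status code distribution"
    return Counter(r["sc-status"] for r in rows)

def bytes_by_client(rows):                    # "Top Content by IP and Total Size"
    total = Counter()
    for r in rows:
        total[r["c-ip"]] += int(r["sc-bytes"])
    return total

def hits_by_client_per_day(rows):             # "Top hits per user" over time
    out = defaultdict(Counter)
    for r in rows:
        out[r["c-ip"]][r["date"]] += 1
    return out

def low_and_slow(rows, max_per_request=1_000_000, min_total=2_000_000, min_days=2):
    # Clients whose single responses stay below a size threshold but whose
    # cumulative transfer is large and spread across several days.
    biggest, total, days = Counter(), Counter(), defaultdict(set)
    for r in rows:
        ip, b = r["c-ip"], int(r["sc-bytes"])
        biggest[ip] = max(biggest[ip], b)
        total[ip] += b
        days[ip].add(r["date"])
    return sorted(ip for ip in total if biggest[ip] <= max_per_request
                  and total[ip] >= min_total and len(days[ip]) >= min_days)
```

The thresholds are placeholders; in practice they are tuned against a baseline of normal per-client volume for the server in question.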
2. Use a good SIEM tool in combination with an advanced log management tool
SIEM is an important enterprise security technology, with the ability to tie systems together for a comprehensive view of IT security.
To enable a wider and deeper investigation of your environment it is important to complement your SIEM platform with an advanced log management tool.
Pro Tip: remember that not everything is processed by the SIEM tool, and a good log management tool will help you monitor a wider range of events and incidents.
Advanced log management tools collect data from all of your systems, clouds and other sources, and many important insights are produced at that layer. You can then decide which events and incidents should be forwarded directly to your SIEM in real time.
How to choose a log management and log analysis tool?
What to look for in a log management tool?
- End-to-end solution – to make the IT/security department as efficient as possible, look for a tool that offers automated deployment, log collection and parsing, as well as out-of-the-box log analysis.
- AI assistant – tools such as XpoLog offer an AI-powered engine that understands log patterns and detects errors, trends, anomalies and suspicious activities. XpoLog exposes these possible problems, adds severity tags, and allows a simple drill-down to investigate the issue.
- Simple log search and investigation – log search can be tough; searching for problems and root causes can be like searching for a needle in a haystack. Tools like XpoLog make log search simpler through advanced log normalization (even for customized logs) and offer quick filters and other features to facilitate the search when needed.
- Centralized console – to aggregate log data and find correlations between events that occurred in different systems and sources. XpoLog doesn’t limit log sources but charges according to data volume only (unlimited users, retention and alerts; all analysis apps are included).
- Monitoring and alerts – a flexible and simple alerting system that notifies in real time when certain rules fire. XpoLog also offers a proactive approach: while alerting on possible problems, the admin can click through to monitor the specific suspicious activity.
- Real-time filtered forwarding – the tool must be able to forward filtered events to the SIEM in real time, so that only security-related events are picked from all sources and injected into the SIEM’s processing.
Our experts will be happy to advise