What Should You Learn from the Massive Data Breach “Operation Soft Cell”?

Another massive data breach was uncovered last week (30.6.19).

The US-Israeli based company Cybereason traced via a year-long operation (called “Operation Soft Cell”), an attack that had been underway since 2012.

This time it was the telecommunication sector that was hit.

The most worrisome fact about this breach is not only the methods that were used (which were highly sophisticated) but the purpose of the hacking. 

Cybereason believes that according to the method, tools, and resources required to run this operation, the hackers are likely in the service of the Chinese government. The hacking itself included a specific targeting of 20 people working in government, law enforcement and politics.

“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”

This allowed them to espionage after the target’s life and understand even the smallest details about their life events, behaviors, connections and more.

According to Amit Serper, head of security research at Cybereason, attackers pulled gigabytes of data from the target networks, but always in relatively smaller amounts to remain under the radar.

The entry point was a weakness in a web server (IIS) which allowed the attackers to access the network and completely take it over (Cyberreason’s full article).

No one is safe. What can be done?

Malicious attacks keep rising each year and will affect every sector. Here are some alarming numbers for 2019 (link to the full article) :

• Ransomware is expected to cost businesses and organizations $11.5 billion in 2019.
• The global average cost of a data breach is $3.6 million, and it keeps increasing every year.
• The global cost of cybercrime is expected to exceed $2 trillion in 2019 and will cost the world $6 trillion annually by 2021. (Cybersecurity Ventures, 2018).
• 1.76 billion records were leaked in January 2019 alone.

Cyber attacks are the fastest-growing crime in the U.S. (Cybersecurity Ventures, 2017), while the connection of more and more devices to the internet, the massive usage of cloud computing, and other factors, make organizational security demands even greater and more complex.

70% percent of businesses surveyed believe their security risk increased significantly, and that applies to a survey conducted by the Ponemon Institute in 2017.

Think of it: It’s true that the monetary costs of a data breach are enormous ($3.6 million), but the risk of damage to your brand’s trust level (which are one of the most valuable assets of a company today) is incalculable.  

Learn how to enhance your corporate data security with XpoLog automated security log analysis

How to enhance your corporate data security?

You can’t go against the flow; it is obvious that more and more objects, employees and entities, and business activities will occur in a digital environment.

You must incorporate tools which allow your IT department to control the digital sphere.

If you want to effectively and efficiently manage vast amounts of data, AI and automation can really come in handy.

1. Gain real-time and historical visibility into your environment

In order to protect and be in control of what is happening in your environment – systems, cloud, DB, applications, servers, devices, etc.; every organization should make sure there is complete and ongoing visibility into IT data.

The IT department should be able to quickly answer questions such as: Which users are active? When? What are they doing? Source of users, pages they have visited and more. 

It should be very easy to extract insights over users and entities activity and manage complete access control procedures.

How and which data to monitor?

We will show some examples of pre-defined dashboards and reports, related to the Soft Cell data breach.

These reports help you track and understand what is going on in your IIS server and in your Active Directory. Out of the box. 

Other out-of-the-box analysis apps can be found here

Active Directory Insights

Login/ Logouts Dashboard – contains:

• Successful Logins Report
• Successful Logins Per User
• Failed Logins Per User
• Failed Logins Report
• Successful Logouts Report
• Successful Logouts Per User

Users Access Dashboard – contains:

• Locks Per Administrator Report
• Locked Users Report
• Unlocked Users Report
• Enabled Users Report
• Disabled Users Report
• Top Disabled Users Report
• Top Locked Users Report

Password Dashboard – contains the following reports:

• Password Resets per Administrator
• Password Resets Report
• Top Reset Passwords – Users
• Password Changes Report
• Password Changes per Administrator
• Top Changed Passwords – Users

Policies Dashboard- contains:

• Top Changed Policies
• Policy Changes Report
• Top Policy Changes Per Administrator

Security Detection Dashboard – contains:

• Failed Logins Report
• Top Failed Logins Users
• Unique Failed Logins Users – Daily
• Total Failed Logins Times – Daily
• Unique Number of Users – Failed Login Attempt
• Unique Number of Users – Successful Login Attempt

Group Management Dashboard – contains: 

• Deleted Groups Members Report
• New Group Members Per Administrator
• New Groups Members Report
• Deleted Group Members Per Administrator
• Top Active Groups

IIS Server Insights

Geodata Dashboard

• Visitors by Geo Data
• Top countries
• Geo Data Stats
• Visitors IP Information
• Hits by Country Over Time
• URL By Geo

Data Trends Dashboard

• Hits by Server Over Time
• Bandwidth (MB) by Server
• Top Resource Requests
• Unique Users by Server Over Time

Pages and URLs Dashboard

• Status Code Per Platform
• Top Content by IP and Total Size (Bytes)
• Top Requested Content by Referrer

Users statistics

• Number of users
• HTTP status code distribution
• Top hits per user
• Number of users over time

HTTP errors