Last month brought news of another data breach from a blue-chip organization—AT&T—involving the call records of 109 million customers. Once again, we learn that the breach was from an underlying third-party service provider—Snowflake—and so joins the list of breaches from this big data technology—AT&T, Ticketmaster, Advance Auto Parts, Pure Storage, Banco Santander, Neiman Marcus, Los Angeles Unified.
There is much to unwrap here. For us in the defender community, there are lessons and pointers that we would all do well to reflect upon as we strive to execute the security mission for our organizations and wider society.
Before I get to Snowflake, let’s pause to consider the AT&T breach itself, now declared under Form 8-K filing with the SEC and reported to the FBI. I was CSO at BT (British Telecommunications plc), so I appreciate the magnitude of this incident and the necessary response. AT&T seems to have done the right things once this breach was discovered – bringing on board a full investigative team and the support of national agencies and law enforcement and ultimately filing the report. The investigations will no doubt be continuing beyond this initial 8-K filing.
‘Signals Intelligence’ – the call records breached – potential aftermath
The breached data involves the call records (calls and texts) of 109 million mobile customers, both direct AT&T wireline customers and those of associated MVNOs, plus the numbers of other customers the above interacted with. The call records give phone numbers, volumes, aggregate call durations, and, in some cases, cell site identification numbers.
Essentially, we have ‘signals intelligence’ – it shows which numbers interacted when and how (calls and/or texts). For a proficient analyst, this data can be enriched, and any proficient actor group could do so and fully contextualize the data to identify the owners of the numbers involved.
This then gives them ‘patterns of communication,’ potentially physical locations, and movement. For identified ‘high-value individuals,’ this could be married up to wider publicly available information that may reveal their travel itineraries, diary commitments, etc. This all essentially builds a ‘pattern of life,’ which is a foundation of human targeting—which will involve both the target individual and their family.
Imagine if the records show communication between high-value individuals from organizations that may be currently in confidential business talks about joint ventures, mergers, etc. Perhaps important public officials are in these call records. So, the potential for additional risks to these individuals and organizations cannot be ignored. I would guess the period involving the FBI after detecting the breach will have covered this risk in some detail. I can imagine risk assessments have been undertaken, and I guess cell numbers may have been changed.
Apart from high-value individuals, what could it mean for the other customers? Well, if the contextualization of the signals intelligence can identify and filter out calls and texts to ‘private services’ – dating services or ‘vices’ – then there is a platform for extortion. Imagine you receive a text saying, “… we know what you’ve been doing; pay up to this cryptocurrency wallet, or we will tell your family, employer…” etc. More innocently, if the records can be filtered by mainstream organizations, like banks, healthcare, utilities, and retailers, then the opportunity for fraud is enhanced, as the fraudster will already know the target victim is a customer of the entity they are impersonating.
Either way, the breached data has value to those motivated to enrich and mine it. The fact that it does not have direct PII does not diminish its usefulness that much. If it’s out there in the community, it will be sliced, diced, and traded many times over. This is part and parcel of UNC5537’s business beyond direct extortion of the victim organization.
My advice for those whose numbers were involved in this breach is to elevate your awareness, think carefully about communications you receive from your number, and implement means to verify the legitimacy of the communication directly with the organization involved. It’s important to adopt a mantra of “Stop-Think-Protect.” Don’t react immediately; take a breath (Stop) to consider rationally what you’ve received (Think) and don’t click; then make a good conscious step to independently verify or, if malicious, report (Protect).
Are our heads in the Clouds?
On to Snowflake, a cloud-native big data company that has revolutionized the ability of customer organizations to store and, with its inbuilt ML/AI, extract value from their big data. The currency in the cybercriminal fraternity is data, and Snowflake, with its customers, has huge amounts of that.
But what troubles me most about the AT&T breach and the list of others is what I intuit from the advisory issued by Snowflake in the wake of the breaches. In this advisory, Snowflake shares a list of recommendations around: (a) setting up Network Policies to define trusted CIDR sources for login; (b) setting up account restrictions on data access/export; (c) monitoring accounts for privilege changes; (d) MFA for privileged accounts.
This ‘hardening’ of a customer’s service and access is ‘security 101,’ and the fact Snowflake is issuing this makes me wonder what condition the breached accounts were in prior to their breaches. Security by design and execution based on thorough risk assessment is fundamental. No services should be signed off into operation until and unless they have been fully hardened to protect the data and users.
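To make the four points in that advisory concrete, here is an added example (my own illustration, not code from the article or from Snowflake) that runs constructed login and query records through checks mirroring each point: logins outside a trusted-CIDR allow-list, privileged logins without MFA, grants of a privileged role, and unloads to an inline cloud storage URL. The CIDRs, role names, user names and records are all constructed for the example; the record shapes only loosely resemble login-history and query-history rows.

```python
"""Added example, not code from the article or from Snowflake: runs constructed
login and query records through checks that mirror the advisory's four points
(trusted-CIDR login policy, data-export restriction, privilege-change
monitoring, MFA for privileged accounts)."""
import ipaddress
import re

# Constructed allow-list standing in for a network policy's trusted CIDR sources.
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]
# Roles treated as privileged here (assumption for this example).
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}
# Constructed role assignments for the users in the sample records.
USER_ROLES = {"etl_svc": {"TRANSFORMER"}, "dba_alice": {"ACCOUNTADMIN"}}

# Constructed records in the rough shape of login-history and query-history rows.
LOGIN_EVENTS = [
    {"ts": "2024-04-14T02:11:09", "user": "etl_svc", "ip": "203.0.113.40", "mfa": False, "success": True},
    {"ts": "2024-04-14T03:02:51", "user": "dba_alice", "ip": "192.0.2.77", "mfa": False, "success": True},
    {"ts": "2024-04-15T09:30:00", "user": "dba_alice", "ip": "203.0.113.12", "mfa": True, "success": True},
    {"ts": "2024-04-15T09:31:00", "user": "dba_alice", "ip": "198.51.100.250", "mfa": False, "success": False},
]
QUERY_EVENTS = [
    {"ts": "2024-04-14T03:05:12", "user": "dba_alice", "text": "GRANT ROLE ACCOUNTADMIN TO USER etl_svc"},
    {"ts": "2024-04-14T03:20:00", "user": "dba_alice", "text": "COPY INTO 's3://external-bucket/out/' FROM calls"},
    {"ts": "2024-04-15T10:00:00", "user": "dba_alice", "text": "GRANT USAGE ON WAREHOUSE wh1 TO ROLE analyst"},
]

# Statement patterns for points (c) and (b): a role grant, and an unload straight to a cloud URL.
GRANT_ROLE = re.compile(r"^\s*GRANT\s+ROLE\s+(\w+)\s+TO\b", re.IGNORECASE)
INLINE_UNLOAD = re.compile(r"^\s*COPY\s+INTO\s+'(?:s3|azure|gcs)://", re.IGNORECASE)


def ip_is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the allow-listed CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CIDRS)


def is_privileged(user: str) -> bool:
    return bool(USER_ROLES.get(user, set()) & PRIVILEGED_ROLES)


def check_logins(events):
    """Points (a) and (d): successful logins outside the allow-list, and privileged logins without MFA."""
    findings = []
    for e in events:
        if not e["success"]:
            continue  # failed attempts are noise for these two checks
        if not ip_is_trusted(e["ip"]):
            findings.append(("LOGIN_OUTSIDE_POLICY", e["user"], e["ts"]))
        if is_privileged(e["user"]) and not e["mfa"]:
            findings.append(("PRIVILEGED_LOGIN_WITHOUT_MFA", e["user"], e["ts"]))
    return findings


def check_queries(events):
    """Points (b) and (c): unloads to an inline cloud URL, and grants of a privileged role."""
    findings = []
    for e in events:
        m = GRANT_ROLE.match(e["text"])
        if m and m.group(1).upper() in PRIVILEGED_ROLES:
            findings.append(("PRIVILEGED_ROLE_GRANTED", e["user"], e["ts"]))
        if INLINE_UNLOAD.match(e["text"]):
            findings.append(("UNLOAD_TO_INLINE_URL", e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in check_logins(LOGIN_EVENTS) + check_queries(QUERY_EVENTS):
        print(*finding)
```

On a live account the network policy and MFA requirement are enforced by the service at login time; the point of running the same logic over historical records, as above, is the audit question the advisory implies: were these controls in place before the incident, and would the account's own telemetry have shown a login, a grant and an unload of this shape?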
In my view, third parties must step up to their responsibilities – not just in providing means for services to be locked down appropriately, but diligently pressing and advising their customers to do so as part of onboarding and service build.
We know that for AT&T, the actor was in the account between April 14-25 and we must assume that their activity and access remained undetected. What does that say about operational security surrounding this cloud service either from Snowflake or AT&T or indeed both as a partnership? I’ve always said that security is a team game, and teams need to know each other and work together to ensure there is an established set of appropriate overlapping and compensating security controls, especially in production, where there is always a chance of controls drift.
AT&T and their investigative teams will be doubling down over that period of persistence to uncover what else happened or could have been happening off of that access and credential. Post-breach, it is vital to ensure you know (a) how they gained access; (b) everything they did, observed, and extracted with that access; (c) that your remediation has permanently removed the actor from your estate (no new back doors or persistence). It is vital that incident playbooks cover this in detail, and with third parties, that means you need shared playbooks – pre-agreed and, ideally, for your most critical services, rehearsed.
My mind is also drawn to the root of these Snowflake breaches – reportedly via stolen credentials and, in initial stories, that these credentials had been acquired through info stealers on endpoints. We all know that modern EDRs you would find on corporate endpoints would guard against info stealers so what are we to intuit here? Does this indicate that individuals were using non-corporate devices to access their Snowflake accounts? We know that in many organizations, people find that they are ‘always-on’, and that could mean they are away from their corporate device when an ask arrives, or it is simply more convenient to use a personal or family device outside of work.
Organizations need to set policies very clearly on this and enforce controls. If BYOD is to be allowed, then corporate protections must be deployed on these devices so they can be enrolled and monitored appropriately. That said, I would recommend using a dedicated, trusted corporate device for highly privileged roles—separate from the user’s normal work device—for all privileged work.
Privileged accounts should always have unique credentials (IDs and passwords). Access to the services should utilize MFA and trusted enrolled devices—no compromises here!
This segregation of access down to the actual endpoint establishes strong control and auditability. Knowing what normal looks like, and tightening access from trusted endpoint to cloud service, makes anomalies much easier to see. There is too much at stake, and the cost versus the assurance gained is surely worthwhile.
Can the SOC cope?
And lastly, stemming from this point, is the critical need for visibility bonded to relevant threat intelligence.
Many organizations with traditional SIEMs know they have had to compromise on visibility: they lack the means to hold the data needed, and the means to search it for the detections that would uncover the presence and activities of competent threat actors. This is often limited by cost, by the underlying technology, or by both.
But ensuring you also have the very latest threat intelligence for any threat or campaign, instantly bonded with your telemetry without analysts having to write the detections and queries, and with those queries returning in time to make a difference to your response, is a present and increasing challenge.
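As an added illustration of what “bonding” threat intelligence to telemetry means in practice (my own example, not code from the article or from Anomali), the block below matches a constructed indicator list against constructed login and query telemetry, then correlates an indicator-matched login with a bulk read by the same user inside a time window. The indicator IPs, user names, row counts, window and threshold are all constructed or assumed for the example.

```python
"""Added example, not the article's or Anomali's code: bonds a constructed
threat-intel indicator list to constructed telemetry and correlates a hit with
follow-on bulk data access inside a time window."""
from datetime import datetime, timedelta

# Constructed indicator list standing in for a threat-intel feed (illustrative values).
INDICATOR_IPS = {"192.0.2.77", "198.51.100.200"}
# Correlation window and bulk-read threshold are assumptions for this example.
WINDOW = timedelta(hours=2)
BULK_ROWS = 1_000_000

# Constructed telemetry: login and query records as a SIEM might ingest them.
TELEMETRY = [
    {"kind": "login", "ts": "2024-04-14T03:02:51", "user": "dba_alice", "ip": "192.0.2.77"},
    {"kind": "query", "ts": "2024-04-14T03:40:10", "user": "dba_alice", "ip": "192.0.2.77", "rows": 109_000_000},
    {"kind": "login", "ts": "2024-04-14T08:00:00", "user": "etl_svc", "ip": "203.0.113.40"},
    {"kind": "query", "ts": "2024-04-14T08:05:00", "user": "etl_svc", "ip": "203.0.113.40", "rows": 500},
    {"kind": "query", "ts": "2024-04-16T12:00:00", "user": "dba_alice", "ip": "203.0.113.12", "rows": 5_000_000},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def indicator_hits(events):
    """Stage 1: every event whose source IP is on the indicator list."""
    return [e for e in events if e["ip"] in INDICATOR_IPS]


def correlate(events):
    """Stage 2: an indicator-matched login followed, within WINDOW, by a bulk read by the same user.

    A bare indicator match is a lead; the follow-on bulk read is what turns it into
    something the SOC should act on immediately.
    """
    alerts = []
    matched_logins = [e for e in indicator_hits(events) if e["kind"] == "login"]
    for login in matched_logins:
        t0 = parse_ts(login["ts"])
        for q in events:
            if q["kind"] != "query" or q["user"] != login["user"]:
                continue
            elapsed = parse_ts(q["ts"]) - t0
            if timedelta(0) <= elapsed <= WINDOW and q["rows"] >= BULK_ROWS:
                alerts.append({
                    "user": login["user"],
                    "indicator_ip": login["ip"],
                    "login_ts": login["ts"],
                    "query_ts": q["ts"],
                    "rows": q["rows"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(TELEMETRY):
        print(alert)
```

The two stages are deliberately separate: the indicator match is cheap and can run on every event as it arrives, while the correlation only needs to look at the small set of matched logins, which is what keeps the query fast enough to return while the activity is still in progress.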
It puts extraordinary pressure on CISOs and their CTI and SOC teams. Anomali has met this challenge head-on and freed organizations from these restrictions. At Anomali we do security differently. We do it how it needs to be done, to protect the modern digital enterprise and society.