Bupa Data Breach: Another Case of Unknown Threats
Before the news of Bupa's data breach broke, our senses were assaulted by stories about the latest cyberattacks: WannaCry, NotPetya and their offshoots. Yet data loss from the inside, whether from rogue employees or from plain security neglect, wreaks just as much havoc in our information economy.
Think about it. If we have an information economy, then our most fundamental asset is data; everything of value is, in effect, intellectual property. Protecting it is not a side project. It must be guarded like the crown jewels.
The Passive Security Playbook
Passive security cannot deliver what is required to address the unknown threats that continue to menace our crown jewels. We have calibrated models, we have droves of threat intelligence, we have alerts that fire when authentication looks unusual, and we wait for the sirens before leaping into action. Meanwhile, the unknown, unforeseen and unimagined threat flanks us time and again. In the case of Bupa, 108,000 customer records were compromised.
Consider a metaphor for the passive approach to security: a playbook. This playbook has a few directives that need revising. The primary directives of the passive security playbook are: collect a lot of data, store that data in a big database (e.g. a SIEM), fine-tune the detection models as far as you can imagine, and give an analyst access to that database. Presto! You are now secure.
But if the playbook worked, it would have worked. I don't need to rehash the details of Bupa or the other breaches that are now part of our collective knowledge. These breaches did not occur for lack of investment. They occurred because we followed an outdated playbook whose directives have not evolved to keep pace with real-world challenges.
Those investments do not address the evolving landscape or its human players. Legacy security directives and tools that map to the passive security playbook continue to miss the advanced attacks enterprises face and the malicious behavior of rogue insiders.
The passive security paradigm and its playbook do not conform to reality. The real world consists of sophisticated adversaries who camp out in our networks for 200+ days before anyone notices. It consists of sinister employees with far too easy access to the crown jewels. It consists of overwhelmed security teams chasing false positives all day while cybercriminals, external and internal, burglarize our organizations.
There is an old saying: "If nothing changes, then nothing changes." It may sound like a puerile tautology, but it is inescapable. If we want outcomes to change, we have to change what leads to those outcomes. Playing firefighter, waiting for the alarm to sound, is far too late, and worse, it just doesn't work.
Threat Hunting for Everyone
Threat hunting is the answer. Threat hunting is a discipline that brings open-ended search and hypothesis-driven analysis across all of our datasets to uncover the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries, including our own employees.
Why threat hunt? Because absolute prevention is unattainable. Prevention systems and tools help reduce our exposure and shrink the attack surface. But as asset types and their contents keep changing (SDN, hybrid cloud, virtualization and containerization, hyperconvergence, etc.), we must now constantly hunt for the threats that evade our defenses.
Threat hunting is scientific in the broad sense: it seeks explanations of why things happen. From here there are two distinct pathways: the known and the unknown.
For the knowns we have sets of indicators of compromise (IOCs) and use-case libraries. We model and monitor these known variables: blacklists and whitelists, ACLs, threat indicators and so on.
For the unknowns we deploy the threat hunting method, a method anyone can perform. It begins with a hypothesis about what an adversary might do. We then assemble the data needed to see whether those tactics, techniques and procedures are present in our environment.
Again, the method is scientific in the broad sense of seeking explanations for why things happen. In the hunting paradigm, data reigns supreme: what the data says should change our beliefs, biases and best guesses.
Once the data is assembled, we analyze it with the adversary in mind. When we find something, we kick off our standard incident response (IR) process, we debrief to document what we have learned, and we add that new learning to our library. That is how an unknown becomes a known; hunting programs and the hunting platform often feed the SIEM with new material in exactly this way.
That's it. Anyone can hunt, because anyone can follow the method. Bupa is just another instance of an unknown threat: it did not conform to a model, and it did not come with alerts, whistles, sirens or alarms.
The passive security playbook is on its last legs; we have to think differently. We have to start hunting.
#FireMon #Bupa #threathunting