IT Security Guru

Anthem: company says five employees' credentials phished and used

by The Gurus
February 12, 2015
in Editor's News

Hackers who raided health insurance records from Anthem may have been inside the system since December.
According to Associated Press, although the breach was first detected on January 27th when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and steal data, unauthorised data queries with similar hallmarks started as early as December 10th, and continued sporadically until the 27th of January.
Kristin Binns, a spokeswoman for Anthem, said that attempts may also have been made earlier in 2014. She declined to be more specific, saying the matter is still under investigation.
Fred Touchette, senior security analyst of AppRiver, said: “It is very hard to anticipate or predict a custom attack that has been specifically crafted for their targets. In the case of a phishing email, for example, these don’t follow any previously used templates, they’re often typed out by hand as a normal email would and any links used within them contain domains with clean reputations.
“These emails often look just like any other email in the eyes of automation. That is why it is so important for the recipient to be well trained and able to spot these scams if and when they arrive in the inbox (or any other route they may take).”
TK Keanini, CTO of Lancope, told IT Security Guru that this shows that the most advanced threats are in your network with valid credentials, meaning that they are not setting off the normal violation alarms that traditional security products provide.
“It is about turning the network into a sensor and leveraging Netflow/IPFIX, which acts as a general ledger leaving the adversary nowhere to hide,” he said. “Having the operational visibility on network activity that notifies you when abnormalities happen is task one in this battle against advanced threat.”
Although details of the investigation were not fully disclosed, investigators now believe that the hackers compromised the credentials of five different tech workers, possibly through a phishing scheme.
Rohyt Belani, CEO of PhishMe, dismissed the “five employee” theory as speculation, as the attackers likely targeted more employees.
He said: “Phishing is the #1 attack vector. It is important that organisations don’t get distracted in training their users on other theoretical threats that have little to no impact as such an approach can result in employees getting desensitized to security training in general.
“We have found that the most successful security programs take a threat-oriented approach that provides two to three minutes of micro-education if and when employees are found susceptible during the course of immersive phishing exercises.”
Anthem’s security consultants also said that the breach resulted from a “sophisticated” attack by hackers using techniques usually associated with organised financial crime rings or groups working for the government of some country.
Touchette said: “It is not uncommon for more than one person to be a potential target for these phishing attacks. Also, even though one person was ‘accredited’ for being the main ‘in’ in the RSA attacks, it’s still possible that more than one person had been targeted and this one person was the one who fell for it.”
Mike Spykerman, vice president of product marketing at OPSWAT, said: “In the common attack scenario, the more targets – the bigger chance of success. Though in a targeted attack such as this, the number of targets is kept much lower to avoid raising flags.
“It is very hard to anticipate or predict a custom attack that has been specifically crafted for their targets. In the case of a phishing email, for example, these don’t follow any previously used templates, they’re often typed out by hand as a normal email would and any links used within them contain domains with clean reputations.”
Keanini said: “In many cases, a phishing campaign will ‘cast a large net’ across a specific community so those 5 that are being named are from a large set of targets that are in the hundreds, maybe thousands. The other entitlements these five had versus the others that have been compromised during this campaign. These five would likely have had access to something in the attack continuum.”

Tags: attack, data breach, Phishing, UK