In the handwringing post mortem after a hacker breach, the first point of intrusion usually takes the focus: the phishing email that Clinton campaign manager John Podesta's aide accidentally flagged as legit, or the Apache Struts vulnerability that let hackers get access to an Equifax server. But Dmitri Alperovitch, chief technology officer of security firm Crowdstrike, argues that the crucial moment isn't necessarily the initial penetration, but how quickly intruders can move from that beachhead to expand their control. And no one, Alperovitch has found, does it faster than the Russians. In its annual global threat report, released Tuesday, Crowdstrike introduced a new metric of hacker sophistication: what the firm calls "breakout" speed. Analyzing more than 30,000 attempted breaches in 2018 that the company says it detected across its customer base, Crowdstrike measured the time from the hackers' initial moment of intrusion to when they began to expand their access, jumping to other machines or escalating their privileges within a victim network to gain more visibility and control.
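As an added illustration of the "breakout" metric described above (this is example code, not anything from Crowdstrike's report), the following Python sketch computes breakout time per incident from a constructed detection log; the event type names, incident ids and timestamps are assumptions made up for the example.

```python
from datetime import datetime

# Constructed sample detections, not taken from the report.
# Each record: (ISO timestamp, incident id, event type).
# "initial_access" marks the beachhead; "lateral_movement" and
# "privilege_escalation" mark the start of expansion (the "breakout").
SAMPLE_EVENTS = [
    ("2018-03-01T10:00:00", "inc-1", "initial_access"),
    ("2018-03-01T10:11:00", "inc-1", "credential_dump"),      # not yet expansion
    ("2018-03-01T10:18:30", "inc-1", "lateral_movement"),     # breakout after 18.5 min
    ("2018-03-02T08:00:00", "inc-2", "initial_access"),
    ("2018-03-02T12:30:00", "inc-2", "privilege_escalation"), # breakout after 4.5 h
    ("2018-03-03T09:00:00", "inc-3", "initial_access"),       # contained before breakout
]

# Event types that count as expanding control beyond the initial foothold.
EXPANSION_TYPES = {"lateral_movement", "privilege_escalation"}


def breakout_times(events):
    """Return {incident_id: breakout time in seconds} for every incident
    in which expansion was observed after initial access."""
    first_access = {}
    first_expansion = {}
    for ts, inc, etype in events:
        t = datetime.fromisoformat(ts)
        if etype == "initial_access":
            first_access[inc] = min(first_access.get(inc, t), t)
        elif etype in EXPANSION_TYPES:
            first_expansion[inc] = min(first_expansion.get(inc, t), t)
    result = {}
    for inc, t_in in first_access.items():
        t_out = first_expansion.get(inc)
        # Incidents with no expansion (or expansion logged before access,
        # i.e. inconsistent data) are left out of the metric.
        if t_out is not None and t_out >= t_in:
            result[inc] = (t_out - t_in).total_seconds()
    return result


def mean_breakout_minutes(times):
    """Average breakout time in minutes across incidents; None if no breakout seen."""
    if not times:
        return None
    return sum(times.values()) / len(times) / 60.0


if __name__ == "__main__":
    times = breakout_times(SAMPLE_EVENTS)
    for inc, secs in sorted(times.items()):
        print(f"{inc}: breakout after {secs / 60:.1f} min")
    print(f"mean breakout: {mean_breakout_minutes(times):.2f} min")
```

The defender's takeaway is the detection-to-containment budget: responders must act within the observed breakout window, not merely before the initial intrusion is understood.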
In a sophisticated breach of nearly a dozen global cell networks, researchers say hackers with connections to China were able to obtain sensitive call information on at least 20 targets. The hackers -- as detailed by security firm Cybereason and first reported by TechCrunch -- were able to scoop up a wealth of information from their efforts, including 'billing data, call detail records, credentials, email servers, geo-location of users', throughout the past seven years. That gamut of data, despite not containing actual recordings of calls, would prove particularly useful in tracking the activity and agenda of politicians, spies, law enforcement, and foreign agents, according to Cybereason, which discovered the breach last year. The data gathering took place throughout the last seven years and breached at least 10 cell networks across the globe. 'Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement,' reads the report.
The variety of techniques used by the SolarWinds hackers was sophisticated yet in many ways also ordinary and preventable, according to Microsoft. To prevent future attacks of similar levels of sophistication, Microsoft is recommending organizations adopt a "zero trust mentality", which disavows the assumption that everything inside an IT network is safe. That is, organizations should assume breach and explicitly verify the security of user accounts, endpoint devices, the network and other resources. As Microsoft's director of identity security, Alex Weinert, notes in a blog post, the three main attack vectors were compromised user accounts, compromised vendor accounts, and compromised vendor software. Thousands of companies were affected by the SolarWinds breach, disclosed in mid-December.
If one of the biggest names in cybersecurity can be breached, what chance does an average person stand against hackers? That's a likely question after high-profile cybersecurity firm FireEye earlier this week said hackers breached its network and stole the toolkit it uses to probe customers' systems to find weaknesses. The hack was conducted "by a nation with top-tier offensive capabilities," FireEye CEO Kevin Mandia said Tuesday in a blog post. The company is investigating the incident, as are the Federal Bureau of Investigation and companies such as Microsoft. Mandia said there is no sign that the hackers have used the stolen tools, nor is there evidence that customer information was stolen.
It's the breach we can't see that is emerging as the proverbial silent killer. In recent weeks, hundreds of millions of passwords, user names, email addresses and user data have been exposed. Information dumped in the recent MySpace, Tumblr and LinkedIn episodes was stolen many years ago. As big data, the IoT, and social media spread their wings, they bring new challenges to information security and user privacy. Previously, the fact that hackers were in corporate systems for weeks or months without detection was the glaring revelation in post-hack forensic reports.