Illusive Blog July 30, 2019

Capital One & Sephora Breaches Evince Usual Defense Limits

By Daniel Brody

One week after Equifax announced the settlement terms of its recent breach, two new breaches are making headlines. First, various outlets reported this week that Capital One, among the top 10 banks by asset size in the US, was victimized by a hacker who gained access to more than 100 million customer accounts and credit card applications in early 2019. The hack is one of the largest data breaches ever to hit a financial services firm. What got compromised? The stolen data includes 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers and an undisclosed number of names, addresses, credit scores, credit limits, balances and other personally identifiable information.

Unlike many hacking cases, there has already been an arrest: an American tech company software engineer who had previously worked at Amazon Web Services, which provided data services to Capital One. She exploited a misconfigured web application firewall to gain access to the data, which she then promptly shared on GitHub and bragged about on social media. She is in custody, but the damage is done, and if she had been a little more discreet she might not have been caught at all. Capital One itself noted that the hack will end up costing the bank somewhere between US$100 million and US$150 million. In the process, surely dozens of jobs will be lost, and untold lives affected.

This same week, Sephora, a French chain of personal care and beauty stores, revealed its own data breach affecting customers in Southeast Asia, Australia and New Zealand. The breach took place within the past two weeks, and exposed data such as names, birthdays, gender identification, email addresses, encrypted passwords and personal beauty preferences of customers to unauthorized third parties. It is still unclear how many customers may have been affected by this breach.

The Asymmetry between Attackers and Defenders

The cases of Capital One and Sephora are very different, but what unites them is a demonstration of the limits of traditional breach defense in stopping determined hackers. Large organizations are besieged by an array of threats, including malware, malicious insiders, nation-state attackers, cybercriminal gangs looking for a quick buck, and many others. In response, organizations deploy a variety of defensive solutions and technologies to protect themselves. Most of the time, this panoply of cybersecurity platforms keeps out the bad guys. But there is an asymmetry between cyber-attacker offense and large-organization defense. Cybercriminals only need to get lucky once for an attack to be successful; their many unsuccessful attempts may land with a thud but otherwise carry no further negative consequences for them. Large organizations, on the other hand, must stop every attempted cyberattack aimed at them, and if they fail even once the consequences are catastrophic for the brand, its revenue and its customers, as the Capital One and Sephora breaches show.

The one false move that enables a breach can take many forms: an unscrupulous third-party vendor’s employee, human error, an unpatched vulnerability, or a new malware strain taking advantage of a zero-day exploit, just to name a few. Perhaps one of the dozens of defensive security systems aimed at each of these potential vulnerabilities triggered an alert. Even if it did, the alert probably got buried in an avalanche of false positives, and the SOC didn’t know which blinking light meant an attack was really happening. New technology has expanded the number of digital assets, endpoints, and IoT devices that now also need to be protected, which has expanded the attack surface and given adversaries more targets to go after. Protecting it all by playing Whac-a-mole, one threat at a time, has only delayed inevitable breaches; it can’t eliminate them outright.

But what if you could reverse the asymmetric factors that favor cybercriminal odds in eventually achieving a successful breach? What if, instead of the cybercriminal’s victim being at the mercy of one false move before enabling an attack, the cybercriminal bore the burden of one false move ruining each of their attack attempts?

How Deception Reverses Attacker-Defender Asymmetry

Deception is the offensive technology that makes such security script-flipping possible. Through the automated placement of false information and infrastructure throughout an organization’s network, deception technology seeks to scramble a potential cybercriminal’s typical decision-making process if they happen to breach a perimeter. Fake endpoints, servers, data, applications and many other parts of typical network architecture are interspersed with the real thing, so that potential attackers will have no idea what is real and what is fake. Once they interact with any fake element, which they do within three lateral moves of their entry 99% of the time, they set off an alert that will reveal their presence to defenders, who can then throw them off the network, or collect detailed forensics to study attacker behavior.
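The detection side of the approach described above can be made concrete with a small script. This is an added example written for this post, not Illusive Networks’ product code: it assumes a constructed inventory of decoy hosts, decoy accounts and a decoy file (none of which exist on the real network), a constructed single-line log format, and constructed sample log lines. Because no legitimate workflow ever references a decoy, any event that touches one is treated as a high-confidence alert rather than another blinking light, and the script also counts how many distinct real hosts the source had touched before tripping the decoy, which is the “lateral moves” figure the text refers to.

```python
"""Decoy-interaction detector: an added example, not code from the original post."""
import re
from dataclasses import dataclass

# Constructed decoy inventory. These names are deliberately absent from the real
# environment, so any reference to them in telemetry is, by construction, not
# legitimate use. A real deployment would generate and rotate these automatically.
DECOY_HOSTS = {"fs-backup-07.corp.example", "sql-archive-03.corp.example"}
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_dbmaint"}
DECOY_PATHS = {r"\\fs-backup-07\finance\payroll_2019.xlsx"}

# Assumed (constructed) log format:
#   "<ts> <event> src=<host> user=<name> dst=<host> [path=<p>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"dst=(?P<dst>\S+)(?: path=(?P<path>.+))?$"
)


@dataclass
class Alert:
    ts: str
    src: str
    reason: str
    lateral_hops: int  # distinct real destinations src touched before this event


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return one Alert for every event that touches a decoy host, account or file."""
    touched = {}  # src host -> set of distinct real hosts it has reached so far
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the detector
        hops = len(touched.setdefault(ev["src"], set()))
        reasons = []
        if ev["dst"] in DECOY_HOSTS:
            reasons.append(f"connection to decoy host {ev['dst']}")
        if ev["user"] in DECOY_ACCOUNTS:
            reasons.append(f"use of decoy credential {ev['user']}")
        if ev.get("path") and ev["path"] in DECOY_PATHS:
            reasons.append(f"access to decoy file {ev['path']}")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["src"], "; ".join(reasons), hops))
        elif ev["dst"] != ev["src"]:
            # Ordinary activity: record the hop so later decoy hits can report
            # how far the source moved before it touched something fake.
            touched[ev["src"]].add(ev["dst"])
    return alerts


# Constructed sample telemetry: one workstation drifts across two real hosts and
# then touches a decoy credential, host and file; a second workstation stays clean.
SAMPLE_LOGS = [
    "2019-07-29T10:00:01Z logon src=ws-1042 user=jdoe dst=ws-1042",
    "2019-07-29T10:00:05Z smb src=ws-1042 user=jdoe dst=fs-02.corp.example path=\\\\fs-02\\shared\\q2.docx",
    "2019-07-29T10:01:10Z logon src=ws-1042 user=jdoe dst=app-01.corp.example",
    "2019-07-29T10:02:33Z logon src=ws-1042 user=svc_backup_legacy dst=fs-backup-07.corp.example",
    "2019-07-29T10:02:40Z smb src=ws-1042 user=svc_backup_legacy dst=fs-backup-07.corp.example "
    "path=\\\\fs-backup-07\\finance\\payroll_2019.xlsx",
    "2019-07-29T10:03:00Z smb src=ws-2201 user=asmith dst=fs-02.corp.example path=\\\\fs-02\\shared\\notes.txt",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.ts} ALERT src={a.src} after {a.lateral_hops} lateral hop(s): {a.reason}")
```

The design choice worth noting is that the decoy match is binary: the detector does not score or threshold anything, because a decoy has no legitimate consumers, so the usual false-positive tuning that buries SOC alerts does not apply. The hop counter is only context for the responder; it does not gate the alert.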

Clearly, Capital One and Sephora were doing all they could to stop a breach. They most likely used a traditional defensive approach that involved scores if not hundreds of individual cybersecurity solutions to prevent and mitigate breaches. And yet they were still attacked successfully by a determined adversary. It is clear that what many organizations are doing to prevent breaches from a defensive crouch is still leaving them vulnerable. Deception technology paves the way for a different approach that puts cybercriminals on the defensive and lets organizations play offense for a change, so that adversaries’ own greed is used against them to stop attacks.

Learn more about Illusive Networks’ deception technology.