According to the Associated Press, the attackers who targeted and exfiltrated more than 80 million customer records from Anthem Inc, were able to commandeer the credentials of at least five different employees. We know from Anthem themselves that at least one admin account was compromised, as the admin himself noticed his credentials being used to query their data warehouse.
Looking at job postings and employee LinkedIn profiles it appears that the data warehouse in use at Anthem was TeraData. By doing some quick searches on LinkedIn I was able to find more than 100 matches for TeraData in profiles of current employees at Anthem, including, CXOs, system architects and DBAs. Discovering these employees emails is trivial and would be the first step attackers could take to identify who to target for spear-phishing campaigns.
Once they are able to compromise a few high level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial. This would be where the “sophisticated malware” that is being reported would be utilized, if the malware was designed specifically for this attack it would evade most anti-virus products.
What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative level access to the entire data warehouse. Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls. Although it appears the user data was not encrypted, in Anthem’s defense if the attackers had admin level credentials encryption would have been moot anyway.
I should note that TeraData provides quite a few security controls, including encryption, as well as additional data masking features, even specifically called out for protecting Social Security Numbers and related data. So odds are the actual vulnerability here is not in the software, operating system or hardware, but how the system and access controls were configured based on business and operational requirements.
From what we know so far on the prevention side, the access control issue is troubling for many organizations, as it not only increases risk with cases of phishing, but also with regards to insider threats, or simple mistakes by users with high level access. Many organizations have loose access controls, so Anthem is not alone. Using basic frameworks such as the 20 Critical Security Controls, organizations should evaluate #12 “Controlled Use of Administration Privileges”and #15 “Controlled Access Based on the Need to Know”. Attackers will get into the network, if they do what data will they have access to in your organization?
The Anthem case also shows the importance of monitoring database activity, if the admin had not noticed his credentials were being used it may have taken longer for Anthem to respond and additional data could have been compromised. Tools like Tripwire Enterprise provide automated monitoring of popular enterprise databases and when paired with correlation rules with log intelligence tools like Tripwire Log Center administrators can flag suspicious activity such as access at odd hours and other indicators.