Digital transformation is steadily taking over every aspect of business; nowadays, most organizations’ data is created digitally and kept either in the company’s local data centers or at cloud service providers. A great amount of the stored data is sensitive, such as customers’ Personally Identifiable Information (PII), patients’ Personal Health Information (PHI), and customers’ financial information (credit card and banking details), in addition to sensitive business data such as business plans, trade secrets, and other proprietary information. Threat actors are aware of the value of this data and keep developing new means of gaining unauthorized access to it for malicious purposes.
The cost of data breaches has surged over the last several years. This is due to the increased shift to digital transformation, where lax security practices open organizations to a wide array of cyberattacks. According to the IBM report “Cost of a Data Breach 2022”, the global average cost of a single data breach has reached $4.35M, while the average cost of a data breach in the United States has reached $9.44M, the highest worldwide.
The IBM report covers the causes of data breaches as well. For instance, it states that stolen or compromised credentials remain the primary vehicle threat actors use to gain initial access to a target’s corporate IT environment. As Medibank experienced, discovering a data breach is also a daunting task. Threat actors may remain hidden within the target IT environment for a long time, further increasing the cost and exposing more of the target organization’s data. According to the same IBM report, in 2022 it took an average of 277 days to identify and contain a breach.
Falling victim to a data breach is costly, and recovering from it costs even more. The best defense against data breaches is to act proactively: know where your data is, who has access to it and how it is accessed. The most effective control for this purpose is a continuous monitoring and alerting system that watches both the data and access to it. In this post, we will discuss the recent cyberattack against Medibank, a major Australian health insurer, and see how implementing preventative measures could help mitigate similar incidents.
Medibank is among the largest private Australian healthcare insurance providers. The attack was first discovered on October 12, 2022, when the Medibank technical team spotted suspicious activity on their networks.
According to Medibank, at that time, there was no evidence that the threat actors were able to access any customers’ sensitive information. However, things changed when attackers contacted the company on October 19 and threatened to publish exposed data publicly if they refused to pay a ransom.
It has been reported that the threat actor provided a sample of data on 100 of Medibank’s most prominent customers to prove they had access to its data. Based on this and on its own investigation, Medibank later confirmed that the attackers had gained access to all of its customers’ data (about 200 gigabytes belonging to 3.9 million customers). It is noteworthy that this covers a significant share (15%) of Australia’s population.
Medibank also serves international students, as purchasing health insurance is mandatory for international students studying in Australia. It has been reported that the data of international students who hold Medibank accounts was stolen as well.
The exposed customer data can be used for impersonation, fraud and identity theft. It included the following PII:
- First and Last Name
- Mail Address
- Date of birth
- Phone number
- Medicare numbers
- Policy numbers
- The location where the customer received the medical service
- Codes that point to medical procedures prescribed for each customer
Other financial data, such as customers’ credit card and banking information, was not confirmed to have been stolen in the breach.
Technical Analysis of the Medibank Attack
The entry point the threat actors used to access the Medibank environment was a high-privilege employee’s stolen credentials. One attacker stole the credentials of a Medibank employee with high privileges and sold them on a criminal forum that acts as a broker of stolen credentials. Another attacker or criminal group then purchased the credentials and used them to gain unauthorized access to Medibank’s networks and to plant backdoors for exfiltrating data silently.
After gaining initial access, the attackers moved laterally across Medibank’s networks and IT systems and discovered where sensitive data was stored. Lateral movement is a technique advanced threat actors use after gaining initial access to a target network or IT system. They use a variety of tools, including legitimate system and network administration utilities, to discover all endpoint devices on the target network, map the network, find where sensitive data is stored, and harvest users’ credentials. This enables threat actors to escalate privileges, dive deeper into the network and remain undetected for an extended period. After the attackers found where Medibank customers’ data was stored, they began collecting it into a zip archive. This archive was later moved from the Medibank network to the attackers’ external server. This exfiltration was another failure which caught Medibank by surprise.
How Can Incidents Similar to the Medibank Cyberattack Be Prevented?
It is estimated that the Medibank incident will cost the company between $25M and $35M. This estimate is likely to increase once legal fines imposed by regulatory bodies, the replacement of customers’ Medicare cards, and lawsuits that individual customers could bring against the company in the future are taken into account. It is noteworthy that even after all these actions, the exposed customers will remain vulnerable.
To be clear, preventing cyberattacks entirely is impossible; however, by implementing proper security procedures, organizations can reduce the likelihood and impact of advanced cyberattacks:
- By applying data mapping and related security controls; and
- Preventing threat actors from hiding in compromised networks for long periods – by implementing continuous monitoring, anomaly detection & alerting.
Apply Data Mapping
Data mapping has become an essential component of any cybersecurity defense plan. After all, you can only protect your data if you know what you have and where it is stored. Data does not sit in a vault; it moves through the enterprise as it is accessed by customer service representatives, finance analysts, consumers, and third-party service providers. An enterprise must know where its data is and who has access to it. This is done using data mapping.
In data mapping, an organization will have a catalog that answers the following questions for the company regarding its data assets:
- Where is company data stored?
- Who can access this data?
- Who owns each data asset?
- What are the security controls and governance procedures currently deployed to protect these data?
Next, the organization needs to determine the security controls, technical and procedural, that are necessary to protect each type of data. These controls ensure that the confidentiality, integrity, and availability of the data are maintained in line with business priorities.
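The catalog questions above and the per-classification controls this paragraph asks for can be checked mechanically once the catalog exists. The following is an added example, not code from the original post or from DruvStar: it models a small data-mapping catalog with constructed entries and audits it for the gaps a practitioner looks for first (no owner, required controls missing for the classification, overly broad access to sensitive data). The record layout, the classification labels, the control names and the required-control policy are all assumptions, not a standard.

```python
"""Audit a data-mapping catalog for ownership, control and access gaps.

Added example with an assumed record layout; REQUIRED_CONTROLS is an
assumed policy, not a regulatory baseline.
"""

# Assumed policy: controls a data asset must carry, by classification.
REQUIRED_CONTROLS = {
    "PII":       {"encryption_at_rest", "access_logging", "mfa"},
    "PHI":       {"encryption_at_rest", "access_logging", "mfa", "retention_policy"},
    "financial": {"encryption_at_rest", "access_logging", "mfa"},
    "internal":  {"access_logging"},
    "public":    set(),
}
SENSITIVE = {"PII", "PHI", "financial"}
# Assumed principal names that mean "far more people than need this data".
BROAD_PRINCIPALS = {"all_employees", "everyone", "contractors"}

# Constructed catalog entries answering: where is the data, who owns it,
# who can reach it, and which controls protect it.
SAMPLE_CATALOG = [
    {"name": "customer_db", "location": "aws:rds/prod-customers",
     "classification": "PII", "owner": "customer-data-team",
     "accessors": ["customer_service", "billing"],
     "controls": {"encryption_at_rest", "access_logging", "mfa"}},
    {"name": "claims_archive", "location": "onprem:fileshare/claims",
     "classification": "PHI", "owner": None,
     "accessors": ["claims_ops", "all_employees"],
     "controls": {"encryption_at_rest"}},
    {"name": "marketing_site", "location": "aws:s3/public-site",
     "classification": "public", "owner": "marketing",
     "accessors": ["everyone"], "controls": set()},
]


def audit_catalog(catalog):
    """Return (asset, finding, detail) tuples, in catalog order."""
    findings = []
    for asset in catalog:
        name, cls = asset["name"], asset["classification"]
        if cls not in REQUIRED_CONTROLS:
            # An unclassified asset cannot be checked against any policy.
            findings.append((name, "unknown_classification", cls))
            continue
        if not asset.get("owner"):
            findings.append((name, "no_owner", ""))
        missing = REQUIRED_CONTROLS[cls] - asset["controls"]
        if missing:
            findings.append((name, "missing_controls", ",".join(sorted(missing))))
        if cls in SENSITIVE:
            broad = sorted(set(asset["accessors"]) & BROAD_PRINCIPALS)
            if broad:
                findings.append((name, "broad_access", ",".join(broad)))
    return findings


def accessors_of(catalog, classification):
    """Answer 'who can access this class of data?' across the whole catalog."""
    principals = set()
    for asset in catalog:
        if asset["classification"] == classification:
            principals.update(asset["accessors"])
    return sorted(principals)


if __name__ == "__main__":
    for asset, finding, detail in audit_catalog(SAMPLE_CATALOG):
        print(f"{asset}: {finding} {detail}".rstrip())
    print("PHI accessible to:", accessors_of(SAMPLE_CATALOG, "PHI"))
```

Run as a script, the audit reports only the claims archive: it has no owner, lacks access logging, MFA and a retention policy, and is readable by all employees. Feeding a real inventory into the same functions is a matter of exporting it in the assumed record layout.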
Companies are now leveraging advanced technologies, such as Machine Learning (ML) and Artificial Intelligence (AI), to discover sensitive data in structured and unstructured data sets, such as MS Office documents, log files, and SQL databases.
As the Medibank case highlights, with a proper data mapping strategy in place an enterprise is far better placed to meet its commitments to protect consumers’ data.
Apply Continuous Monitoring of Your IT Environment
Continuous monitoring is the practice of using a range of tools and methods to watch networks and IT systems automatically and in real time. It allows abnormal behaviors, vulnerabilities, and non-compliance issues to be discovered early, before they turn into security incidents.
Continuous monitoring needs to cover four areas of the IT environment:
- Application monitoring: monitoring the application software running in your IT environment.
- Infrastructure monitoring: monitoring all physical devices in your IT environment, such as servers, endpoint devices, networks, and storage. Whether they are on premises or in the cloud, all devices should be monitored regularly to discover vulnerabilities or performance issues.
- Network monitoring: monitoring the networking components of your IT infrastructure, such as routers, firewalls, repeaters, Wi-Fi access points, and other networking devices, to detect suspicious traffic or intrusion attempts.
- Data access monitoring: knowing who your data users are and monitoring how the data is used.
When organizations implement continuous security and data monitoring with alerting in their IT environment, they gain better visibility over their IT assets, can detect threats early and can respond to attacks faster, reducing the damage significantly.
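The data access monitoring item above, together with the collection and exfiltration stage described in the technical analysis (a compromised account reading far more records than it normally does, from a host it has never used, before the data is packaged and moved out), is the kind of behavior an alerting rule set can catch. The following is an added example, not code from the original post or from DruvStar: it runs three simple detections over constructed data-access log lines. The log format (timestamp, user, source host, action, record count), the threshold values and the rule names are assumptions chosen for the example.

```python
"""Flag anomalous data access in constructed access-log lines (assumed format).

Three rules, a toy version of the continuous monitoring and anomaly
detection the post recommends:
  1. volume_spike: a user's daily record reads exceed BASELINE_FACTOR times
     the median of that user's earlier days (needs at least two days of history).
  2. bulk_read:    a single read returns more than BULK_THRESHOLD records.
  3. new_host:     an account is used from a source host it has never been
     seen on before.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

BULK_THRESHOLD = 10_000   # records in one query (assumed policy value)
BASELINE_FACTOR = 5       # daily volume vs. the user's own median daily volume

# Constructed sample log: ISO timestamp, user, source host, action, record count.
# "alice" behaves normally for four days, then reads the whole table at night
# from an unfamiliar host; "bob" is a control who never changes.
SAMPLE_LOG = """\
2022-10-03T09:12:01 alice 10.1.4.22 read 120
2022-10-04T10:05:44 alice 10.1.4.22 read 95
2022-10-05T08:59:10 alice 10.1.4.22 read 140
2022-10-06T11:20:33 alice 10.1.4.22 read 110
2022-10-07T22:41:07 alice 10.1.9.77 read 15000
2022-10-07T22:55:12 alice 10.1.9.77 read 200000
2022-10-03T09:30:00 bob 10.1.4.31 read 60
2022-10-04T09:31:00 bob 10.1.4.31 read 70
2022-10-07T09:32:00 bob 10.1.4.31 read 80
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "count": int(count)})
    return events


def detect_anomalies(events):
    """Return (rule, user, detail) alerts; per-event rules first, in time order."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    known_hosts = defaultdict(set)                    # user -> hosts seen so far
    daily = defaultdict(lambda: defaultdict(int))     # user -> day -> records read
    for e in events:
        user, host = e["user"], e["host"]
        # Rule 3: first use of an account from a host not seen before.
        if known_hosts[user] and host not in known_hosts[user]:
            alerts.append(("new_host", user, f"{host} at {e['ts']}"))
        known_hosts[user].add(host)
        # Rule 2: one query pulling an unusually large number of records.
        if e["action"] == "read" and e["count"] > BULK_THRESHOLD:
            alerts.append(("bulk_read", user, f"{e['count']} records at {e['ts']}"))
        daily[user][e["ts"].date()] += e["count"]
    # Rule 1: compare each day's total with the user's own earlier days.
    for user, days in daily.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) >= 2 and total > BASELINE_FACTOR * median(history):
                alerts.append(("volume_spike", user,
                               f"{total} records on {day}, median {median(history):.0f}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule:<13} {user:<6} {detail}")
```

On the sample, only alice trips the rules: one new-host alert, two bulk-read alerts, and a volume spike for October 7. The per-user baseline in rule 1 matters more than the fixed threshold in rule 2: a compromised account used by a billing analyst and one used by a DBA have very different normal volumes, and a single global threshold is either noisy for one or blind for the other.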
Organizations have become heavily reliant on digital solutions to run their business in today’s digital age. To work efficiently, they must process and store sensitive customer and employee data. Failing to protect this data can expose the organization to a range of legal consequences. The recent attack against Medibank is a clear example of this risk.
To face advanced cyberattacks such as APTs and ransomware, you must build a continuous monitoring capability that lets you know your assets and detect abnormal behavior in your network before it becomes a direct threat.
The concepts described in this article have other benefits too. For instance, data mapping also helps isolate important data, mainly regulated data, and allows your organization to destroy historical records that are no longer in use, reducing its operational burden.
DruvStar Threat Insights™ and DataVision™ solutions provide data mapping and continuous threat insights to prevent, detect and respond to IT vulnerabilities using AI/ML technologies. Reach out to us for further information on this topic.