How to Detect a Data Exfiltration Threat in a Custom App

By McAfee Cloud BU on Dec 22, 2016

In 2014, cloud analytics from the McAfee CASB solution (formerly Skyhigh Networks) helped a large financial services customer detect a breach in which malware was exfiltrating sensitive data via Twitter, sending over 100,000 tweets in a single day. As attackers increasingly use cloud services as a threat vector, enterprises are deploying Cloud Access Security Brokers (CASBs) to cover multiple dimensions of cloud security: visibility into cloud services, enforcement of DLP policies, detection of threats from insiders and compromised accounts, and enforcement of encryption and access controls, all of which raise the likelihood of detecting a breach.

A recent incident at a large healthcare customer reaffirmed the value of this comprehensive approach to cloud security in remediating a potential security incident. Credentials for a custom app used by employees had been compromised, creating a high risk of data exfiltration and a compliance breach. The custom app, hosted on AWS, was used by the company to share patient data with its partner network of hospitals and with authorized contractors. Employees had uploaded large amounts of Protected Health Information (PHI) to the app, which if compromised could put the company in violation of several healthcare regulations (e.g., HIPAA and HITECH).

Custom apps on public cloud platforms represent a growing security threat to organizations because they are largely ungoverned by internal IT teams. Because they are built in-house by developers and DevOps teams, they do not always go through the standard security reviews required for third-party apps. If login credentials for such an app are compromised, the company is at high risk of a security breach.

The company in question had identified this security gap and deployed McAfee's CASB solution for custom apps to secure the use of its in-house apps. This meant the solution could enforce granular DLP policies on data uploaded to the app and had visibility into user activity performed within it. Using the activity logs, McAfee applied machine-learning-based threat protection to identify threats associated with insiders and compromised accounts.

While analyzing usage activity within the custom app, McAfee flagged multiple anomalies. Several user accounts showed logins from untrusted locations; these were detected with geolocation analysis, which defines a set of trusted locations for each user from that user's own login history. McAfee also recorded a 'superhuman' anomaly: multiple logins to the same account from different locations within timeframes that implied impossible travel. Finally, for certain accounts, McAfee recorded anomalies consistent with brute-force login attempts.
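The three login anomalies described above can be reproduced with a small amount of logic over the app's authentication log. The following is an added example, not code from the original post or from McAfee's product: it assumes a constructed log format of `timestamp user result city lat lon`, a baseline cutoff date, a trust threshold of two successful baseline logins per city, a 900 km/h travel ceiling and a window of five failures in ten minutes. All of those values and the sample log lines are assumptions chosen for illustration.

```python
"""Untrusted-location, impossible-travel and brute-force checks over custom-app login logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Tunables (assumed for this example, not taken from the original post)
BASELINE_END = datetime(2016, 12, 10)   # logins before this date build per-user trusted locations
MIN_TRUST = 2                           # successful baseline logins needed before a city is trusted
MAX_SPEED_KMH = 900.0                   # faster than a commercial flight => impossible travel
BRUTE_WINDOW = timedelta(minutes=10)
BRUTE_FAILURES = 5

# Constructed sample log (not real customer data): "ISO-time user result city lat lon"
SAMPLE_LOG = """
2016-12-01T08:02:00 alice success Boston 42.36 -71.06
2016-12-02T08:05:00 alice success Boston 42.36 -71.06
2016-12-03T07:58:00 alice success Boston 42.36 -71.06
2016-12-01T09:00:00 bob success Chicago 41.88 -87.63
2016-12-02T09:10:00 bob success Chicago 41.88 -87.63
2016-12-01T08:30:00 carol success NewYork 40.71 -74.01
2016-12-02T08:31:00 carol success NewYork 40.71 -74.01
2016-12-12T02:00:00 bob failure Chicago 41.88 -87.63
2016-12-12T02:00:10 bob failure Chicago 41.88 -87.63
2016-12-12T02:00:20 bob failure Chicago 41.88 -87.63
2016-12-12T02:00:30 bob failure Chicago 41.88 -87.63
2016-12-12T02:00:40 bob failure Chicago 41.88 -87.63
2016-12-12T02:00:50 bob failure Chicago 41.88 -87.63
2016-12-12T02:01:30 bob success Chicago 41.88 -87.63
2016-12-12T08:00:00 alice success Boston 42.36 -71.06
2016-12-12T08:30:00 alice success Kyiv 50.45 30.52
2016-12-12T09:00:00 carol success NewYork 40.71 -74.01
2016-12-12T21:00:00 carol success London 51.51 -0.13
"""


@dataclass
class Login:
    ts: datetime
    user: str
    ok: bool
    city: str
    lat: float
    lon: float


def parse_log(text: str) -> list:
    """Parse the constructed log format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, result, city, lat, lon = line.split()
        events.append(Login(datetime.fromisoformat(ts), user, result == "success",
                            city, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def trusted_locations(events) -> dict:
    """Per-user set of cities seen in >= MIN_TRUST successful logins during the baseline period."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.ok and e.ts < BASELINE_END:
            counts[e.user][e.city] += 1
    return {u: {c for c, n in cities.items() if n >= MIN_TRUST} for u, cities in counts.items()}


def detect_anomalies(events) -> list:
    """Return (user, anomaly_type, detail) tuples for the three checks described in the post."""
    trusted = trusted_locations(events)
    anomalies, last_ok, brute_flagged = [], {}, set()
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for e in events:
        if e.ok:
            if e.ts >= BASELINE_END and e.city not in trusted.get(e.user, set()):
                anomalies.append((e.user, "untrusted_location", f"{e.city} at {e.ts.isoformat()}"))
            prev = last_ok.get(e.user)
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                hours = (e.ts - prev.ts).total_seconds() / 3600.0
                # Same-second logins from far apart are 'impossible' too; avoid dividing by zero.
                if km > 100 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                    anomalies.append((e.user, "impossible_travel",
                                      f"{prev.city}->{e.city}, {km:.0f} km in {hours:.2f} h"))
            last_ok[e.user] = e
        else:
            window = failures[e.user]
            window.append(e.ts)
            while window and e.ts - window[0] > BRUTE_WINDOW:   # slide the window forward
                window.pop(0)
            if len(window) >= BRUTE_FAILURES and e.user not in brute_flagged:
                brute_flagged.add(e.user)   # report each account once, not once per extra failure
                anomalies.append((e.user, "brute_force", f"{len(window)} failures within {BRUTE_WINDOW}"))
    return anomalies


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {kind:20} {detail}")
```

Running it flags alice for both an untrusted location and impossible travel (Boston to Kyiv in 30 minutes), bob for a brute-force burst that ends in a successful login, and carol only for an untrusted location, since New York to London in 12 hours is ordinary travel. In a real deployment the trust threshold, baseline window and speed ceiling would be tuned per tenant, and the geolocation would come from an IP-to-location database rather than from coordinates in the log.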

Once attackers steal credentials, they monetize the theft by selling them on the darknet. Healthcare data has become far more valuable to attackers than banking credentials, which become useless as soon as the passwords are changed. Healthcare data includes patient health information, family history, and identity data, all of which remain valid for much longer. Healthcare systems are also often connected to other entities with access to patient data, which can give attackers access to additional patient information. For these reasons, health records fetch ten times the price of a credit card number on the black market.

For the healthcare customer in question, McAfee found login credentials for a number of its employees for sale on the darknet. These credentials gave malicious third parties access to the company's custom healthcare app, allowing them to exfiltrate patient health data from company systems. The discovery of the credentials on the darknet, combined with the other anomalies in the custom app's usage, elevated the threat level to 'Severe' and the company's IT team was alerted.

When the threat was detected, McAfee's adaptive authentication remediation controls kicked in and the solution automatically imposed multi-factor authentication (MFA) on the suspected accounts. This added a layer of control that helped contain the impact of the compromised accounts. The IT team also instructed all users to change their passwords and enforced mandatory MFA on all accounts as added measures of control. Further investigation of the breach by the IT team uncovered malware active on multiple user systems that was transmitting user data, including login credentials, to the attackers.

A report by McAfee found that a staggering 92% of companies have credentials for sale on the darknet and that, on average, organizations experience 5.1 compromised cloud service account incidents each month. By deploying a CASB that detects threats with machine-learning anomaly analysis and that covers SaaS, PaaS, and IaaS services, enterprises can close these gaps in their security infrastructure while letting employees take advantage of the cloud.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Categories: Cloud Security