The attack on Anthem, the second-largest health insurer in the U.S., which exposed identifiable personal data of tens of millions of people, was probably not a smash-and-grab raid but instead a sustained, low-key siphoning information over a period of months. The breach was designed to stay below the radar of the company’s IT and security teams, using a bot infection to smuggle data out of the organisation.
According to statements released by Anthem, the first signs of the attack came in the middle of last week, when an IT administrator noticed a database query was being run using his identifier code when he had not initiated it. The company determined that an attack had occurred, informed the FBI and hired an external security consultant to investigate.
Investigators reported that customized malware was used to infiltrate Anthem’s networks and steal data. The exact malware type was not disclosed but is reported to be a variant of a known family of hacking tools. However, an independent security consultancy reports that the attack may have been started up to three months earlier. The consultancy said that it noticed ‘botnet type activity’ at Anthem affiliate companies back in November 2014.
This would not be surprising, as long-term bot activity is commonplace in enterprises. Check Point’s 2014 Security Report, based on monitored events at over 10,000 organisations worldwide, found that at least one bot was detected in 73% of companies, up from 63% the year before. 77% of bots were active for over four weeks and typically communicated with their ‘command & control’ every three minutes.
Bots are able to avoid detection because their developers use obfuscation tools to enable them to bypass traditional signature-based antimalware solutions. As such, threat emulation, also known as sandboxing, should be used as an additional layer of defence to stop bots before they can infect networks. Anti-bot solutions should also be deployed to help discover bots, and prevent further breaches by blocking their communications.
It’s also important that organisations segment their networks, separating each segment with layers of security to prevent bot infections spreading widely. Segmentation can contain infections in one area of the network, mitigating the risks of the infection accessing and breaching sensitive data in other network segments.
With these three preventative approaches, companies can dramatically reduce their exposure to the type of slow, stealthy bot attack that appears to have struck Anthem, and avoid being the victim of such a large-scale breach.
About the Author
Article written by the Check Point staff
Edited by Pierluigi Paganini
(Security Affairs – Anthem, Data Breach)