Could Gartner’s hot trend have saved Medibank?

ITDR / Apr 11, 2023

Authored by Adrian Bole.

It’s been a busy six months for security breaches here in Australia. Unfortunately, based on media reports, it appears that insufficient identity and access management controls played a large part in the ease with which attackers gained access to the affected companies’ systems and data.

Today I’d like to zoom in on the Medibank breach and discuss how prescient Gartner was to name a new hot trend in March 2022 – Identity Threat Detection and Response [link].

So how did the bad guys get into Medibank? To save me typing, let’s quote the succinct summary from the Guardian.

“The attack is believed to have begun when a person with high-level access within Medibank’s systems had their credentials stolen by a hacker, who then put them up for sale on a Russian-language cybercrime forum acting as a credential broker, according to the source who was not authorised to speak publicly.

The credentials were then reportedly bought, and another hacker or group of hackers infiltrated Medibank’s network and established two backdoors, including one for redundancy in case it was discovered.” [link]

Now it’s always difficult to tell what actually happened looking from the outside in, but it seems that Medibank’s woes stemmed from a compromised credential, which we assume was privileged given the extent of access across systems.

Identity threat detection and response (ITDR) is a category of technology uniquely suited to this kind of problem: spotting abnormal access regardless of the technology or platform on which that access is used.

ITDR technologies look at user behaviour across applications, clients and destination systems, spot inappropriate access, and can trigger a response action such as an MFA challenge and an alert.

Commonly, ITDR systems plug into enterprise directory services such as Active Directory, which are the heart and soul of many enterprises. Because enterprise systems and applications rely on Active Directory for their authentication plumbing, ITDR systems gain visibility of all authentication requests, including those made over legacy protocols. This makes ITDR particularly effective at applying MFA to heritage applications and all categories of non-web applications.

Take an enterprise in a similar boat to Medibank: a privileged credential has been compromised. When an attacker attempts to use that credential, the ITDR system would flag the attempt as anomalous. Why anomalous? Even a small number of risk indicators is enough to catch the credential being used from another country, or from a system where it has never been used before.

In response to this detection the ITDR system could interrupt authentication and require multi-factor authentication (MFA) before allowing access. Because of these risk indicators, subsequent activity by this user can also be treated more cautiously by the system: alerts can be sent to the SOC to trigger active investigation, and the user can be prompted again for MFA on other interactions they attempt.

ITDR systems can also have policy layers which provide logical segmentation even when networks are flat, requiring MFA to progress deeper into the network and access different kinds of systems. These policies take effect regardless of the type of application the attacker is trying to interact with, as long as those applications rely on a common directory service.
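To make the behaviour described in the last few paragraphs concrete (a baseline of where a credential is normally used, a handful of risk indicators, step-up MFA with a SOC alert, heightened scrutiny of later activity, and a policy layer that demands MFA for a sensitive tier of systems), here is a toy decision engine run over a few constructed directory authentication events. This is an added example, not code from the original post or from any ITDR vendor; the event fields, the host-to-tier inventory, the privileged-account list and the sample events are all assumptions made up for illustration.

```python
"""Toy ITDR decision engine over constructed Active Directory-style auth events.

Added example, not code from the original post or from any ITDR product.
Assumptions: the event fields, the host-to-tier inventory, the privileged
account list and the sample events are constructed for illustration. A real
product learns baselines from live directory authentication traffic; here the
"history" is a hand-written list.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Policy layer: logical segmentation even on a flat network. Any access to a
# tier-0 system requires MFA no matter how normal the login looks.
TIER_OF_HOST = {"DC01": "tier0", "SQL-PROD-01": "tier1",      # assumed inventory
                "FILESRV-02": "tier2", "WS-0457": "tier2"}
MFA_ALWAYS_TIERS = {"tier0"}
PRIVILEGED = {"svc_admin"}                                     # assumed


@dataclass(frozen=True)
class AuthEvent:
    user: str
    src_host: str
    src_country: str
    dst_host: str
    protocol: str   # Kerberos, NTLM, LDAP ... the decision below ignores it on purpose:
                    # every protocol the directory sees gets the same treatment.


@dataclass
class Baseline:
    """Where, and to what, this account has been seen authenticating before."""
    src_hosts: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    dst_hosts: set = field(default_factory=set)

    def learn(self, e: AuthEvent) -> None:
        self.src_hosts.add(e.src_host)
        self.countries.add(e.src_country)
        self.dst_hosts.add(e.dst_host)


class ITDR:
    def __init__(self):
        self.baselines = defaultdict(Baseline)
        self.flagged = set()   # accounts whose later activity gets extra scrutiny

    def learn(self, events) -> None:
        for e in events:
            self.baselines[e.user].learn(e)

    def risk_indicators(self, e: AuthEvent) -> list:
        b = self.baselines[e.user]
        ind = []
        if e.src_country not in b.countries:
            ind.append("new_country")
        if e.src_host not in b.src_hosts:
            ind.append("new_source_host")
        if e.dst_host not in b.dst_hosts:
            ind.append("new_destination")
        if e.user in self.flagged:
            ind.append("previously_flagged")
        return ind

    def decide(self, e: AuthEvent) -> tuple:
        """Return (action, indicators); action is ALLOW, REQUIRE_MFA or REQUIRE_MFA_AND_ALERT."""
        ind = self.risk_indicators(e)
        anomalous = [i for i in ind if i != "previously_flagged"]
        if anomalous and e.user in PRIVILEGED:
            # A privileged credential used from somewhere it never has been:
            # interrupt authentication, demand MFA and wake up the SOC.
            self.flagged.add(e.user)
            return "REQUIRE_MFA_AND_ALERT", ind
        if ind or TIER_OF_HOST.get(e.dst_host, "unknown") in MFA_ALWAYS_TIERS:
            if anomalous:
                self.flagged.add(e.user)   # later interactions get challenged too
            return "REQUIRE_MFA", ind
        return "ALLOW", ind


def run_scenario() -> list:
    """Constructed history followed by a constructed attack; returns the decisions."""
    itdr = ITDR()
    itdr.learn([
        AuthEvent("svc_admin", "WS-0457", "AU", "DC01", "Kerberos"),
        AuthEvent("svc_admin", "WS-0457", "AU", "SQL-PROD-01", "Kerberos"),
        AuthEvent("jsmith", "WS-0457", "AU", "FILESRV-02", "Kerberos"),
        AuthEvent("jsmith", "WS-0457", "AU", "DC01", "LDAP"),
    ])
    live = [
        # 1. stolen privileged credential replayed from a never-seen host abroad, over NTLM
        AuthEvent("svc_admin", "UNKNOWN-PC", "RU", "FILESRV-02", "NTLM"),
        # 2. same account from its usual workstation: still challenged, it is flagged
        AuthEvent("svc_admin", "WS-0457", "AU", "SQL-PROD-01", "Kerberos"),
        # 3. ordinary user, ordinary access
        AuthEvent("jsmith", "WS-0457", "AU", "FILESRV-02", "Kerberos"),
        # 4. ordinary user, usual LDAP query to a tier-0 host: policy layer demands MFA anyway
        AuthEvent("jsmith", "WS-0457", "AU", "DC01", "LDAP"),
    ]
    return [itdr.decide(e) for e in live]


if __name__ == "__main__":
    for action, indicators in run_scenario():
        print(f"{action:22} {indicators}")
```

The first live event trips three indicators at once (new country, new source host, new destination) on a privileged account, which is the Medibank-style case; the second shows why the flag has to persist, since an attacker who has compromised the usual workstation would otherwise look normal again immediately; the fourth shows the policy layer working with no anomaly at all. A real product would add many more indicators (time of day, service-ticket patterns, lateral movement chains), but the shape of the decision is the same.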

Gartner cited ITDR as one of its top security trends for 2022 and, given the types of attacks we are seeing in the media, it’s rather pertinent. We recommend all our larger clients, especially those with a rich heritage application and systems environment, evaluate it.

Overall, we’re fairly product agnostic here at IdentityXP, but if you wanted a few product names to look at, the two major vendors in the space that we are seeing at the moment are CrowdStrike (Falcon Identity Threat Detection) and Silverfort. Full disclosure: we’re a partner of Silverfort.

CrowdStrike makes a lot of sense if you’re already a Falcon customer. The Falcon endpoint and identity capabilities have recently been brought together on a common engine, which gives you both EDR and identity threat protection from the one platform.

Silverfort has a rich Microsoft partnership, with deep insight into Active Directory and AD-specific threats, and is fairly easy to deploy.

Image credit: vectorjuice on Freepik

Links

Medibank hack started with theft of company credentials, investigation suggests  https://www.theguardian.com/technology/2022/oct/24/medibank-hack-started-with-theft-of-staff-members-credentials-investigation-suggests#:~:text=The%20attack%20is,it%20was%20discovered.

Medibank mystery: Was a user credential all that was needed for hack?  https://www.afr.com/technology/medibank-mystery-was-a-user-credential-all-that-was-needed-for-hack-20221021-p5brqv

No cyber insurance as Medibank breach hits four million customers  https://www.arnnet.com.au/article/702737/no-cyber-insurance-medibank-breach-hits-four-million-customers/

Gartner top security and risk management trends 2022 https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022

CrowdStrike Falcon Identity Threat Detection https://www.crowdstrike.com/products/identity-protection/falcon-identity-threat-detection/

Silverfort Unified Identity Protection Platform https://www.silverfort.com/