By George Aquila
On October 2nd, JPMorgan Chase revealed through an SEC filing that it had been the target of a massive cyber intrusion resulting in a significant data breach over the course of the summer months, roughly between June and August.
Although reports on the perpetrators’ identity are inconclusive, sources including the New York Times have suggested the protracted attack was carried out by a Russian cyber criminal ring, possibly with connections to the Russian government.
Rather than money, what was stolen was information on approximately 83 million customers, taken from more than 90 servers hosting the company’s data storage systems, along with some sensitive information about the company’s internal systems.
The infiltrators were reportedly unable to access the data stores that hold the most sensitive customer financial data (such as account numbers, passwords, and SSNs) before the intrusion was detected and mitigated.
How did it Happen?
Although details of how the attack began have not been disclosed, the initial point of access was most likely a spear-phishing email targeting a JPMorgan employee. For Advanced Persistent Threats (APTs) such as organized crime rings or nation states, this is the primary way sophisticated attacks begin, particularly against a large organization with many potential points of entry.
Once inside the bank’s network, the intruders established a “backdoor” for easy re-entry and gained root privileges on the bank’s servers. Root access is unrestricted administrative control; it would have allowed unchecked navigation of databases and exfiltration of vital information to staging servers outside the company. There are multiple privilege escalation techniques the infiltrators could have used at this point, exploiting design flaws in the system architecture or in specific programs installed on network machines. The breach was halted in September, only after system administrators detected anomalous login activity.
What was Compromised?
The personal contact information seized in the breach included email addresses, phone numbers, and postal addresses. Although no financial assets were accessed, the stolen personal information could allow the perpetrators, or anyone buying it on black markets, to run a highly targeted phishing campaign on an enormous scale. One such campaign, executed in August, targeted JPMorgan customers and may have been related to the breach, since it appeared to draw on the stolen information.
In addition to the troves of personal customer data, the infiltrators made off with a file listing every program installed on standard JPMorgan computers, along with its specifications. If a vulnerability is later discovered in any of those programs, the attackers already know exactly where it applies, enabling easy and rapid re-entry into the bank’s network; replacing that standard software stack will be costly and time-consuming.
The Sqrrl Benefit
JPMorgan recently reported that it spends $250 million a year on cybersecurity, and by all accounts it is in full compliance with established best practices and traditional security measures. So, what could have been done differently to help prevent this attack?
Unfortunately, it is unlikely that anything could have completely prevented an attack like this one. A determined, sophisticated adversary will almost always find a way through perimeter defenses, whether via a zero-day vulnerability, social engineering, or user error. The key instead is to limit the consequences of a breach by detecting it as quickly as possible.
Mandiant reports that the median time to detect a breach is 229 days, and Verizon reports that 87% of breaches are detected by third parties rather than by the victimized organization itself. This is further evidence that new approaches are needed to detect and mitigate breaches more quickly once they happen.
Sqrrl Enterprise is designed to enable organizations to securely integrate, explore, and analyze large, disparate cyber datasets. Sqrrl uses a linked data approach and advanced graph analytics to enable investigators to more quickly pivot through extremely large datasets and detect anomalies within them. Sqrrl has built an advanced breach detection demo that walks through how Sqrrl’s platform can be used to detect a scenario very similar to the JPMorgan breach.
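The two detection ideas above, flagging anomalous login activity (the signal that finally stopped the JPMorgan intrusion) and pivoting through a linked-data graph from one hit to everything it touched, can be shown concretely. The following is an added example written for this post; it is not Sqrrl product code and uses no JPMorgan data. The key=value log format, the host and user names, and the timestamps are all constructed, and the two checks (a user reaching a host never seen in their baseline, and a login outside the hours the baseline recorded for that user) are simple stand-ins for the richer analytics a real platform would run.

```python
"""Added example: first-seen login edges plus a time-respecting graph pivot.

Everything here is constructed for illustration: the log format, the hosts,
the users and the timestamps. It is not Sqrrl code and not JPMorgan data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline window (the "normal" period) and detection window.
BASELINE_LOG = """\
2014-06-02T09:12:01Z user=alice src=wks-alice dst=app01 result=ok
2014-06-02T09:40:33Z user=alice src=wks-alice dst=app01 result=ok
2014-06-03T10:05:12Z user=alice src=wks-alice dst=app02 result=ok
2014-06-03T11:22:45Z user=bob src=wks-bob dst=db01 result=ok
2014-06-04T14:02:09Z user=bob src=wks-bob dst=db01 result=ok
2014-06-04T16:30:00Z user=root src=jump01 dst=db01 result=ok
"""

WINDOW_LOG = """\
2014-08-11T09:15:10Z user=alice src=wks-alice dst=app01 result=ok
2014-08-11T02:41:07Z user=alice src=wks-alice dst=app02 result=ok
2014-08-12T03:05:44Z user=alice src=wks-alice dst=jump01 result=ok
2014-08-12T03:09:20Z user=root src=jump01 dst=db01 result=ok
2014-08-12T03:11:02Z user=root src=jump01 dst=db02 result=ok
2014-08-12T03:14:55Z user=root src=db02 dst=db03 result=ok
2014-08-13T10:00:00Z user=bob src=wks-bob dst=db01 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_profile(events):
    """Per-user baseline: which hosts they reached and at which hours of the day."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            hosts[e["user"]].add(e["dst"])
            hours[e["user"]].add(e["ts"].hour)
    return {"hosts": hosts, "hours": hours}


def detect(profile, events, margin=1):
    """Flag successful logins that create a first-seen user->host edge or fall
    outside the user's baseline hour range (widened by `margin` hours)."""
    findings = []
    for e in events:
        if e["result"] != "ok":
            continue
        reasons = []
        user = e["user"]
        if e["dst"] not in profile["hosts"].get(user, set()):
            reasons.append("first-seen user->host edge")
        seen = profile["hours"].get(user)
        if seen and not (min(seen) - margin <= e["ts"].hour <= max(seen) + margin):
            reasons.append("outside baseline hours")
        if reasons:
            findings.append((e["ts"].isoformat(), user, e["src"], e["dst"], reasons))
    return findings


def pivot(events, start_host, since):
    """Hosts reachable from start_host by chained logins at or after `since`.
    Each hop must be later than the hop that reached its source, so a single
    pass over time-sorted events finds every time-respecting path."""
    reached = {start_host: since}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "ok" or e["ts"] < since:
            continue
        if e["src"] in reached and e["ts"] >= reached[e["src"]] and e["dst"] not in reached:
            reached[e["dst"]] = e["ts"]
    return reached


def run():
    profile = build_profile(parse_log(BASELINE_LOG))
    window = parse_log(WINDOW_LOG)
    findings = detect(profile, window)
    # Pivot from the source host of the first first-seen-edge finding.
    first = next(f for f in findings if "first-seen user->host edge" in f[4])
    blast_radius = pivot(window, first[2], datetime.fromisoformat(first[0]))
    return findings, blast_radius


if __name__ == "__main__":
    found, radius = run()
    for f in found:
        print(f)
    print("hosts reachable from the pivot point:", sorted(radius))
```

Two caveats a practitioner would add. First, a first-seen edge is noisy on its own in a large enterprise (new hires, new hosts, on-call rotations), so the value lies in correlating several weak signals and in the pivot, which turns one odd login into the set of hosts an investigator must examine. Second, the baseline has to predate the intrusion: a profile learned over the summer would have absorbed the intruders' logins as normal, which is exactly why the long dwell times cited above are so damaging.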
Let us know if you’d like to see a demo!