BreachExchange mailing list archives

Chase Breach Offers Detection Lessons


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Nov 2014 19:43:16 -0700

http://www.databreachtoday.com/chase-breach-offers-detection-lessons-a-7527

The latest details reported about the JPMorgan Chase breach investigation
illustrate why it's critical for organizations to scrutinize external
sources of information to help detect attacks.

The nation's largest bank discovered its massive network data breach
through an investigation it initiated that revealed a breach of the website
of a charity it supports, according to the Wall Street Journal. The
investigation of the JPMorgan Chase Corporate Challenge charity website
attack was launched when Chase reviewed a collection of compromised
credentials posted in August by a security vendor, the newspaper reports.

Shirley Inscoe, a financial fraud analyst for the consultancy Aite, says
Chase is fortunate that its investigation of the charity site attack helped
it to detect its own network breach. "Otherwise, it could have continued
for much longer, and more secure data may have been affected," she says.

But fraud expert Avivah Litan, an analyst for the consultancy Gartner, says
we may never know when Chase was actually breached - and for how long. "The
post-breach investigation data only comes out in dribs and drabs," she
says. "We may never really know all the details."

And if some of the personally identifiable information compromised in the
Chase breach is used to perpetrate fraud or compromise identities, such as
through other resources or e-commerce sites, "no one will ever be able to
trace it," Litan contends.

In September, Chase confirmed that personal information about 76 million
households and 7 million small businesses had been breached in a
sophisticated cyber-attack. Information compromised in the attack included
customers' contact information, including names, addresses, phone numbers
and e-mail addresses (see: Infographic: Chase Breach: What We Know So Far).

Connecting the Dots

The discovery of the compromise of the Chase Corporate Challenge site sped
the bank's detection of a breach within its own systems, The Journal
reports.

The bank, along with security vendors, found an indication of a possible
breach of the charity website when reviewing a collection of compromised
credentials posted in August by Hold Security, according to The Journal
(see: Security Firm: 1.2 Billion Credentials Hacked).

Hold Security claimed at the time that a Russian cybergang over the past
several months had breached more than 420,000 websites and FTP sites to
pilfer more than 1.2 billion credentials. The security vendor said that the
cybergang had amassed more than 4.5 billion records, 1.2 billion of which
appeared to be unique and tied to more than half a billion e-mail addresses.

During its investigation into the breach of the charity site, Chase linked
that attack to several overseas IP addresses, the newspaper reports. Chase
then queried its own network logs and discovered there had been
communication with the same offshore servers, which led to the discovery of
its massive network breach, according to the news report.

The bank determined that hackers had gained access to Chase's internal
systems in June, The Journal reports. Based on its own review, the
newspaper says several of the IP addresses linked back to Eastern Europe,
including Russia, as well as Egypt and Brazil.

"Sometimes the most interesting artifacts for incident response are
external, not internal," Kirk Soluk, threat intelligence and response
manager at Arbor Networks, tells Information Security Media Group. "In this
case, [it was] identifying some 'bad' external IPs, then checking to see if
any of the internal systems are communicating with them."
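The detection step the article describes, and that Soluk generalizes (take a list of "bad" external IPs from an outside source, then check internal network logs for any host that talked to them), as an added example that is not part of the original article and not anyone's actual tooling. The indicator list and the firewall log lines are constructed for the example and use RFC 5737 documentation address ranges, so none of them are real attacker or Chase infrastructure. The example goes slightly beyond the article's single-IP case by accepting CIDR ranges as indicators and by recording the direction of each match and whether the firewall allowed it.

```python
"""Correlate an external indicator list with internal firewall logs.

Goal: for each internal host, report how often it communicated with a
known-bad external address, in which direction, and whether the traffic
was allowed. Timestamps are assumed to be ISO 8601, which sorts lexically.
"""
import ipaddress
import re

# Constructed indicator list (RFC 5737 documentation ranges, not real IoCs).
BAD_EXTERNAL = ["203.0.113.7", "198.51.100.0/28"]

# Constructed firewall log lines in a key=value style; the last line is
# deliberately malformed to show that unparsable lines are counted, not lost.
SAMPLE_LOG = """\
2014-08-14T02:11:05Z action=allow src=10.20.3.44 dst=203.0.113.7 dport=443 proto=tcp
2014-08-14T02:11:09Z action=allow src=10.20.3.44 dst=203.0.113.7 dport=443 proto=tcp
2014-08-14T02:15:30Z action=allow src=10.20.7.12 dst=198.51.100.9 dport=22 proto=tcp
2014-08-14T03:01:00Z action=allow src=10.20.7.12 dst=192.0.2.5 dport=80 proto=tcp
2014-08-14T03:02:10Z action=deny src=198.51.100.3 dst=10.20.9.1 dport=3389 proto=tcp
2014-08-14T03:05:00Z this line is not a firewall record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def compile_indicators(iocs):
    """Turn plain IPs and CIDR strings into ip_network objects for matching."""
    return [ipaddress.ip_network(i, strict=False) for i in iocs]


def is_bad(ip_str, networks):
    """True if ip_str is inside any indicator network; non-IPs never match."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def correlate(log_text, iocs):
    """Return ({internal_host: summary}, skipped_line_count)."""
    networks = compile_indicators(iocs)
    hits = {}
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        src, dst, ts = m["src"], m["dst"], m["ts"]
        if is_bad(dst, networks):
            host, indicator, direction = src, dst, "outbound"
        elif is_bad(src, networks):
            host, indicator, direction = dst, src, "inbound"
        else:
            continue
        rec = hits.setdefault(host, {
            "count": 0, "allowed": 0, "indicators": set(), "directions": set(),
            "first_seen": ts, "last_seen": ts,
        })
        rec["count"] += 1
        rec["allowed"] += 1 if m["action"] == "allow" else 0
        rec["indicators"].add(indicator)
        rec["directions"].add(direction)
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return hits, skipped


def report(hits, skipped):
    """Human-readable summary, most active host first."""
    lines = []
    for host, rec in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(
            f"{host}: {rec['count']} flow(s), {rec['allowed']} allowed, "
            f"{'/'.join(sorted(rec['directions']))}, "
            f"indicators={sorted(rec['indicators'])}, "
            f"{rec['first_seen']} .. {rec['last_seen']}"
        )
    lines.append(f"{skipped} unparsable line(s) skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*correlate(SAMPLE_LOG, BAD_EXTERNAL)))
```

Two points from the article are worth keeping in mind when running something like this for real. First, an outbound, allowed connection to an indicator (the 10.20.3.44 case above) is the pattern the bank found and deserves a different priority than a denied inbound probe. Second, the article notes the intruders deleted many of the log files that tracked their movements, so this correlation only works on logs that survived; forwarding logs promptly to a store the compromised hosts cannot modify is what makes the external-indicator check reliable after the fact.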

Compromised Credentials

Still, Chase doesn't believe that the corporate challenge website was an
entry point for the breach into its systems.

Chase spokeswoman Patricia Wexler tells Information Security Media Group
that the charity site, as well as the systems run by the third party that
manages the site, are "unconnected to ours." She didn't comment further.

Litan says it's unlikely hackers were able to tunnel their way to Chase's
corporate network through the compromise of a third-party website. "The
banks have done a good job of segmenting their networks," she says, to
prevent this type of attack.

Challenging Investigation

The investigation into the breach at JPMorgan Chase proved difficult
because the hackers deleted many of the log files that tracked their
movements through the network, according to The Journal report.

Two sources told The Journal that the hackers entered JPMorgan Chase's
network by compromising the computer of an employee with special
privileges, a machine that was used both at work and at home.

Aite's Inscoe says organizations need to work toward getting out of a
"perpetual defensive position."

"With hackers continually creating new methods to gain access, the goal has
to be to try and become proactive with better security defenses as well as
improved monitoring that detects hacks prior to allowing time for tunneling
to other systems," she says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
