It’s all over the morning news. Late yesterday, in a filing with the US Securities and Exchange Commission, JPMorgan Chase revealed that more than half of American households were affected by last summer’s data breach at the bank.
We’re talking about 76 million personal and 10 million business accounts from which “user contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised,” according to the New York Times.
It is reportedly the biggest such intrusion ever.
Possible Inside Attack
And while the hackers who broke in and took the data could have been complete outsiders, there may be reason to believe that someone who is, or was, employed at the bank might have participated.
“The vehicle of the attack, once the attacker already infiltrated, was probably a user’s identity,” said Idan Tendler, CEO of Fortscale, a startup that aims to change the cyber security landscape based on an intelligence-driven big data analytics approach.
The hackers had been inside JPMorgan’s network for at least three months before they were discovered, according to Jordan Robertson, a reporter who initially covered the news for Bloomberg TV. There was layer after layer of custom-built malware specifically for the JPMorgan network, he explained.
It’s interesting to note that at least one of the criminals could be either a current or past employee because he knew how to navigate the network and how to avoid triggering alarms while taking lots of data, according to Emilian Papadopoulos, chief of staff at Good Harbor, a cyber-risk consulting firm.
But the intruder could have also been a complete outsider who hijacked a legitimate user’s credentials.
Either way, one of the best ways to catch the bad guy and to mitigate risk may be to look closely at user behavior and identify inconsistencies, said Tendler in an earlier interview. Consider, for example, a user who works in New York but logs in from Iran, Russia or China — there is reason to ask whether the bank employee is actually there. Ditto for someone who works in payroll and is suddenly accessing customer files. There could be a legitimate reason for it, or not.
Was Everyone Sleeping?
Though JPMorgan has more than 1,000 employees looking at network security, they certainly missed a big one.
How could that have been avoided? That's the question we asked Tendler, who spent years working as Head of a Key Intelligence Department in the Elite Intelligence Unit of Israel’s Defense Forces (IDF).
To catch the villain before he breaks in may be the perfect answer — that’s why monitoring patterns of behavior is as important as monitoring a user in real time, because “once an attack bypasses the perimeter security, traditional or advanced, the hacker will make significant efforts to hijack legitimate, low-level user credentials.”
“At this point, it will be very difficult to identify this malicious yet stealthy activity,” said Tendler. “Only user behavior and activity profiling could discover compromised users.”
Fortscale’s software, which didn’t become generally available until Wednesday, might have had a chance to discover it: its user behavior analytics runs against large volumes of historical data to surface suspicious user activity before it is too late.
Michael Pinsker, president of Docuspace, which provides a secure and compliant electronic processing platform for financial institutions and wealth management firms, said the number of households affected by this breach could have been a lot smaller.
“Events like this are absolutely preventable,” he said. “Transaction-based systems that are handling serial transactions should have limitations in the system to prevent large scale downloads or bulk exports.”
Aviv Raff, co-founder and CTO of Seculert, echoes the sentiments of Tendler and Pinsker. He said that what happened at JPMorgan is similar to the recent large-scale breaches we’ve seen over the year — persistent attackers were able to successfully and silently entrench themselves behind the walls of a company. He added that companies are now coming to the conclusion that they are either already compromised or soon will be.
“It’s not a matter of if, it’s a matter of when,” said Raff. He added that, “As JPMorgan basically admits attackers were able to steal details about the company’s internal infrastructure and applications, this shows the necessity of enterprises to start using security tools that are able to detect attacks not just in real time (e.g. IPS, NextGen Firewalls, etc.), but more importantly, over time (e.g. by analyzing historical and ongoing traffic logs).”
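As an added example (not code from the article or from Fortscale, Docuspace or Seculert), here is a minimal version of the detection logic the three interviewees describe: a per-user baseline built from historical log lines, as Raff suggests, with new events flagged for Tendler’s inconsistencies (an unfamiliar login country, an unfamiliar resource category) and for the bulk exports Pinsker says should be limited. The log format, user names, countries and the 10,000-row cap are assumptions, and the log lines are constructed.

```python
# Added example, not code from the article or from any vendor it quotes:
# build a per-user baseline from constructed historical log lines, then
# flag events that deviate from it (new country, new resource, bulk export).
from collections import defaultdict

# Constructed sample logs: user,country_of_login,resource_category,rows_exported
HISTORY = [
    "alice,US,payroll,12", "alice,US,payroll,8", "alice,US,payroll,15",
    "bob,US,customer_files,40", "bob,US,customer_files,55", "bob,US,customer_files,30",
]
NEW_EVENTS = [
    "alice,IR,payroll,10",          # New York user logging in from Iran
    "alice,US,customer_files,5",    # payroll user suddenly reading customer files
    "bob,US,customer_files,50000",  # bulk export far beyond the user's norm
    "bob,US,customer_files,45",     # consistent with baseline: no tags
]

def parse(line):
    user, country, resource, rows = line.split(",")
    return user, country, resource, int(rows)

def build_baseline(lines):
    """Per user: countries seen, resource categories seen, largest export."""
    base = defaultdict(lambda: {"countries": set(), "resources": set(), "max_rows": 0})
    for line in lines:
        user, country, resource, rows = parse(line)
        base[user]["countries"].add(country)
        base[user]["resources"].add(resource)
        base[user]["max_rows"] = max(base[user]["max_rows"], rows)
    return base

def score_event(line, baseline, export_cap=10000):
    """Return anomaly tags for one event; an empty list means consistent.
    export_cap is an assumed hard limit of the kind Pinsker recommends."""
    user, country, resource, rows = parse(line)
    b = baseline[user]  # an unseen user gets an empty baseline and is flagged
    tags = []
    if country not in b["countries"]:
        tags.append("new_country")
    if resource not in b["resources"]:
        tags.append("new_resource")
    if rows > export_cap or rows > 10 * max(b["max_rows"], 1):
        tags.append("bulk_export")
    return tags

def triage(history, events):
    """Map each new event to its anomaly tags, for review by an analyst."""
    baseline = build_baseline(history)
    return {event: score_event(event, baseline) for event in events}
```

Tags are a prompt for a human to ask the question Tendler poses (is the employee actually there?), not a verdict; a legitimate trip or job change produces the same signal.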