Decrypting Cyber Intrusions: Anatomy of an Attack and Strategies for Prevention
From time to time, there's a really good insight or investigation into a cyber attack or a hack that gives us as insurers, or even as clients, some details on how these attacks happen. It can help you prevent them or even see what kind of coverage you might need. So, this is an attack that happened at the beginning of this year, about one year ago, and it was a tech company that provided platforms for clients. They had one of their platforms hacked, and it provided hackers with a lot of information. So, to be very transparent, this company provided details on how this happened, and that's good for business but also good for the outside world, to see how these attacks take place.
In this case, they did a forensic report, and they found that the threat actor, the hacker, controlled a single workstation used by a support engineer with access to their resources. The control lasted for 25 minutes on January 21st, and during that limited window of time, the actor accessed two active customers within the super user application. That's key; super users have very extensive access to systems. But it does go on to say that the threat actor, the hacker, was unable to perform any configuration changes, password resets, or customer support impersonation events. The threat actor was unable to authenticate directly to any Okta accounts, and this is important because they had internal controls within this company that prevented the hacker from getting much farther than they did.
So, the hacker was able to get control of somebody's workstation, but because the company had controls, blocks, and best practices within their company, the hacker couldn't get beyond that workstation. Basically, they poked around a few places but didn't really get into anything sensitive, and this is key. This is crucial. Most companies at some point are going to get a breach; you're going to have somebody, an employee or a vendor, who will accidentally give access to a hacker. The key is what damage they can do, right? So, if you have proper internal controls, even if somebody gets into your system, they can't do a lot of damage. Imagine if this company, Okta, did not have these controls, and the hacker got into all kinds of sensitive information: customer information, vendors, clients; deleted things, damaged things; even went farther than that company and into other platforms. There would be a lot more liability, a lot more damages, and a lot more expense.
So, it's unknown whether these controls were put in place because Okta had cyber liability insurance and the insurance company required them, or they just put them in place because of best practices. Either way, it solves some problems. But they took it a step further. They talked about lessons learned: "We recognize how vital it is to take steps to rebuild trust. Conclusions from the forensic audit do not lessen our determination to take actions committed to third-party risk management." This is what happened: they had a third-party platform that was connected to their system, and the hacker got in through that third party. So, having proper vetting and protection from third parties is important. On access to customer support systems: "Okta will now directly manage all devices of third parties that access our customer support tools." So, this is something that's important. If you just allow anybody to log into your system from the outside, you don't know if their computer is safe. You might have all the protections on your own system, your servers, and your cloud, but if you allow somebody to log in from the outside, it's kind of like not having those protections throughout your network. So, they're going to look at having those kinds of protections for third parties that access their systems.
Look, this company talks in this disclosure in ways that are apologetic, but I think they did a great job. Even though they had a breach, their system was resilient. It didn't allow too much extensive access from the hacker, and they're even using it to learn more lessons to protect their system even more. So, whether or not you have a cyber insurance policy, being aware of how these hacks work is important because it can help prevent catastrophic damage rather than just the minor inconvenience of rebuilding a system.