The Risky Business podcast last week ran a fascinating interview with Stephen Moore, Anthem’s former senior director of information security, discussing what went wrong at Anthem, how the company responded to its major data breach, and what other organizations should be doing to avoid a similar fate.
Moore’s team was tasked with understanding potential adversaries and working within the company’s existing security and information technology (IT) structure to address these threats. However, when the team identified traces of a state-level adversary prodding Anthem’s network, it was met with a high degree of skepticism from business leaders over whether the healthcare giant was a plausible target of cyber espionage. Interestingly, this first indication of state-level interest in the Indianapolis-based healthcare company was a distinct and separate incident from the intrusion that would ultimately lead to the theft of somewhere between 37 and 79 million customer records.
Moore said that his team started seeing interesting behaviors in some of Anthem’s computing environments, including phishing schemes and the use of malware that demonstrated some previously established characteristics of Chinese threat activity. The team began working on that problem, trying to understand the potential motives of the adversary and share its findings with the broader organization. This concept, Moore claimed, was a completely foreign one in healthcare at the time. The team was making progress, he said, but some people in the organization were still skeptical of an espionage actor targeting the organization. They were questioning whether or not Anthem needed to actually make the changes that Moore and his team were recommending.
In the end, it would turn out that this espionage activity, which the security team referred to as “Group B,” was seemingly unrelated to the suspected Chinese threat actors that would eventually perpetrate the breach.
“At the point that you have someone interested in your organization, especially for espionage,” Moore said, “you have to understand that there will very likely be multiple groups involved, and they may not know about one another.” He would go on to explain that “If [organizations] believe they have parties interested for espionage or maybe just for financial gain, it’s likely that there’ll be multiple groups involved.”
We were identifying one group, Moore explained, when a second group carried out the well-publicized data breach.
Moore and his team were in the process of convincing Anthem leadership that they may have an espionage problem when a successful phishing attack compromised the network of a highly connected—albeit unnamed—Anthem acquisition that was in the process of integrating into the larger Anthem network. The attackers used that access to move laterally into Anthem’s core network.
A major part of the problem, Moore explained, was that Anthem’s security apparatus had limited visibility into the subsidiary during the merger process. The subsidiary’s network simply wasn’t being monitored with the same level of rigor as Anthem’s.
“If you’re going through an M&A, even if you do due diligence ahead of time like a breach assessment, that’s fantastic and I highly recommend it,” Moore cautioned, “but still know that if it’s a large organization, it could be a year before everything is fully integrated.”
“Be ruthless in your approach to what you do when you go in and integrate technically. Make it quick. Don’t fall to the sorts of political pressures that can come to you.”
Another contributing factor resulted from a problem that Moore claims is commonplace: organizations—even mature ones with sophisticated tooling in place—frequently have a difficult time recognizing lateral movement within the internal network. Anthem seemed to lack context around credentials and where they might be used, and, as a result, Anthem was not able to reliably identify the malicious use of legitimate credentials.
Moore and his team discovered the data breach after a database administrator contacted them about some anomalous network activity.
“You see strange things in a computing environment,” Moore said. “Sometimes it’s just bad IT and other times it’s a bad day.” This, he went on to say, was a bad day.
Moore also spoke about what, in retrospect, might have been done to better defend Anthem against this adversary.
“I’ll put them in two buckets: there’s the technical/tactical bucket and then there’s the process or what I’ll refer to as team religion and mindset,” Moore explained. “Technical elements: you need visibility. You’ve got to be able to see your network, and you’ve got to then be able to make decisions based on that. So having better centralized logging into areas and being able to see even more information… avoid any type of single factor, username-password. It’s basic fundamental things. You need to be able to see it. You need to limit the usefulness of stolen credentials. And you’ve got to make sense of that once an external adversary is inside, you need to be able to tell where they go.”
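The two gaps described above, missing context around where credentials are normally used and limited visibility into a subsidiary network during integration, are both things a small detection rule over centralized logon telemetry can surface. The following is an added example written for this article; it is not Anthem’s tooling and not code from the podcast. The log format, account names, host IPs and the network ranges standing in for the core network and the acquired subsidiary are all constructed assumptions. It builds a per-account baseline of normal logon sources from a clean window and then flags three departures from it: a credential used from a source never seen for that account, a subsidiary-network source reaching core hosts, and one account fanning out to many hosts in a short window.

```python
"""Added example: spotting misuse of legitimate credentials in centralized
logon events. Written for this article; not Anthem's tooling. Every log
line, host address and network range below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed network layout: 10.10.0.0/16 is the core network, 10.99.0.0/16 is
# the newly acquired subsidiary that is still being integrated.
CORE_NET = ipaddress.ip_network("10.10.0.0/16")
SUBSIDIARY_NET = ipaddress.ip_network("10.99.0.0/16")

# Constructed logon events: (timestamp, account, source IP, destination IP).
# Clean observation window used to learn what "normal" looks like.
BASELINE_EVENTS = [
    ("2015-01-05T08:01:00", "svc_backup", "10.10.5.20", "10.10.20.1"),
    ("2015-01-05T08:02:00", "svc_backup", "10.10.5.20", "10.10.20.2"),
    ("2015-01-06T08:01:00", "svc_backup", "10.10.5.20", "10.10.20.1"),
    ("2015-01-05T09:15:00", "jdoe", "10.10.7.44", "10.10.30.1"),
    ("2015-01-06T09:10:00", "jdoe", "10.10.7.44", "10.10.30.1"),
]

# Later window: jdoe's credential is used from the subsidiary range at 02:00
# and touches five core hosts in four minutes; svc_backup behaves as usual.
NEW_EVENTS = [
    ("2015-01-27T02:10:00", "jdoe", "10.99.3.17", "10.10.30.1"),
    ("2015-01-27T02:11:00", "jdoe", "10.99.3.17", "10.10.20.1"),
    ("2015-01-27T02:12:00", "jdoe", "10.99.3.17", "10.10.20.2"),
    ("2015-01-27T02:13:00", "jdoe", "10.99.3.17", "10.10.20.3"),
    ("2015-01-27T02:14:00", "jdoe", "10.99.3.17", "10.10.40.1"),
    ("2015-01-27T08:00:00", "svc_backup", "10.10.5.20", "10.10.20.1"),
]


def build_baseline(events):
    """Per account: the set of source IPs and destination IPs seen in the
    clean window. This is the 'context around credentials' the article
    says was missing."""
    sources, dests = defaultdict(set), defaultdict(set)
    for _, acct, src, dst in events:
        sources[acct].add(src)
        dests[acct].add(dst)
    return sources, dests


def detect(events, baseline, fanout_threshold=3, window=timedelta(minutes=10)):
    """Flag credential use that departs from the baseline.

    Rules:
      new_source     - account logging on from an IP never seen for it
      cross_boundary - subsidiary-network source reaching a core host
      fanout         - one account reaching >= fanout_threshold distinct
                       hosts inside the sliding window
    Each rule fires once per (rule, account, source) so output stays readable.
    """
    sources, _ = baseline
    alerts, fired = [], set()
    recent = defaultdict(list)  # account -> [(time, dest)] inside the window

    def raise_once(rule, acct, src, detail):
        key = (rule, acct, src)
        if key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "account": acct, "source": src, "detail": detail})

    for ts, acct, src, dst in sorted(events):  # ISO timestamps sort as text
        t = datetime.fromisoformat(ts)
        if src not in sources.get(acct, set()):
            raise_once("new_source", acct, src, dst)
        if (ipaddress.ip_address(src) in SUBSIDIARY_NET
                and ipaddress.ip_address(dst) in CORE_NET):
            raise_once("cross_boundary", acct, src, dst)
        # Slide the window forward and count distinct destinations in it.
        recent[acct] = [(t0, d) for t0, d in recent[acct] if t - t0 <= window]
        recent[acct].append((t, dst))
        distinct = {d for _, d in recent[acct]}
        if len(distinct) >= fanout_threshold:
            raise_once("fanout", acct, src, sorted(distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Run against the constructed data, the baseline window produces no alerts, while the later window raises one alert per rule, all for the jdoe credential: a never-seen source, a subsidiary-to-core logon, and a fan-out across three hosts within ten minutes. In practice the baseline would be learned from weeks of logs and the network ranges from the integration inventory, but the shape of the rule is the same: the credential is legitimate, and it is the source and spread of its use that gives it away.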
From a process perspective Moore advised that organizations “really go through and evaluate what is [their incident response] plan and does it actually make any sense. Most organizations I talk to, after I get digging in a bit, they have an IR plan but it doesn’t represent the scope or the breadth or the amount of pain they are likely to feel if they have a breach. It has to represent reality. You have to train like you fight.”
He went on to explain that there is an incident response gap in almost all organizations, one that needs to be fixed.
“One of the things that the team and I did: we made process a priority before the breach,” Moore said. “So that even a small team of six or seven people, we worked for months and months and months documenting our processes. Not because an auditor told us to. We wanted to be better and faster.”
Moore credited Anthem’s leadership, claiming his team had buy-in from Anthem’s then-CEO Joe Swedish and the other executives. Swedish bought in and let Moore and his team implement their processes. They made communications a priority. While Moore clearly understands that the breach was a terrible outcome, he was proud of the way his team and the rest of the organization responded to it.
“There’s a lot of technical things that I wish were different,” Moore told Risky Business, “but a lot of procedural and the team spirit and process [were] great.”