Dealing with cyber-attacks has become the norm. Sadly, it is no longer a question of if someone’s information will be compromised, but rather just a matter of when the compromise will occur.
It is through this lens that many people observed the Marriott breach, one of the biggest attacks to date, which came to light in late November. The giant hotel chain revealed that it was the victim of a cyber-attack that resulted in the compromise of the personal information of up to 500 million individuals.
While this number didn't reach the sky-high amount of the infamous Yahoo attack, it is still a staggering total, and leads Marriott customers and cyber professionals alike to wonder what made the attack unique and allowed the compromise of so much information. Analysis of the attack identifies key factors, specifically the length of the compromise and data exfiltration techniques, which could enable the theft of such a large amount of information.
In order to understand how so much information was stolen, it is important to evaluate the type of attack that occurred. According to the information that Marriott has made public, the exploitation relied upon a specific type of access to the United States Starwood guest reservation database.
A security tool used by Marriott first identified the suspicious access on September 8th. By September 10th, the access had been evaluated and blocked, and the attack ceased. With it ceased the exfiltration of massive amounts of customer information such as names, addresses, credit card information, and passport information.
An ongoing investigation by Marriott has already revealed additional concerning information, such as the potential compromise of the encryption keys used to protect credit card information, and the fact that the attack took place over the span of four years, a long time in the world of cybersecurity and one of the contributing explanations as to how so much information was stolen.
In the cyber field, time can be an attacker’s best friend and a responder’s worst enemy. The longer that attackers have access to an organization’s system, the more time they have to analyze a network, identify key data points, and steal information of interest.
Conversely, the sooner an incident responder identifies a concerning event, the sooner he or she can mount a response and limit the damage. In the case of the Marriott hack, the attackers had four long years to assess the internals of the Starwood guest reservation database, identify what type of information was worth stealing, and set up malicious infrastructure to enable further exploitation, potentially compromising other systems on the Starwood network.
In fact, it is not uncommon for attackers to set up administrator accounts or back doors, which provide them with easier ways of accessing compromised systems at a later date. Marriott will need to keep an eye out for these back doors to ensure that the attackers are unable to regain access and continue their data exfiltration.
The method through which the attackers exfiltrated data from the Starwood database is also noteworthy. Specifically, the attackers encrypted all of the data before removing it from the database. As a result, the information leaving the network slipped past any data loss prevention tools that might have been in place.
This is noticeably different from previous attacks, such as the 2013 Target attack, in which all of the data was moved across the internet as unencrypted plaintext. Since the encrypted data could not be inspected, it went unnoticed far more easily as it left the network.
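One way a defender can make this gap visible, as an added example that is not part of the original article: a small Python script runs a plaintext DLP pattern and a Shannon-entropy check over a constructed sample export, before and after a stand-in for the attacker's encryption step. The record format, the card-number pattern and the SHA-256 keystream are all assumptions constructed for the demonstration, not anything from Marriott or Starwood.

```python
import hashlib
import math
import re

# Constructed sample: a plaintext export of reservation-style records
# with fabricated values, the kind of content a DLP rule is written for.
PLAINTEXT_RECORDS = b"\n".join(
    b"guest=Sample Name %03d;card=4111111111111111;passport=X1234567" % i
    for i in range(40)
)
CARD_PATTERN = re.compile(rb"\b\d{13,16}\b")  # simple plaintext DLP rule


def simulate_encrypted_exfil(plaintext: bytes, key: bytes) -> bytes:
    # Stand-in for the attacker encrypting data before moving it. Not a
    # real cipher: a SHA-256 keystream XORed with the plaintext merely
    # yields ciphertext-like bytes for this demonstration.
    stream = bytearray()
    block = key
    while len(stream) < len(plaintext):
        block = hashlib.sha256(block).digest()
        stream.extend(block)
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def shannon_entropy(data: bytes) -> float:
    # Bits per byte: close to 8.0 for encrypted or compressed data,
    # roughly 4 to 5 for ASCII records like the sample above.
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_egress(payload: bytes, entropy_threshold: float = 7.0) -> dict:
    # pattern_hit: content inspection, which only works on plaintext.
    # opaque: entropy signal that the content cannot be inspected at all,
    # the gap that encrypting before exfiltration exploits. Compressed
    # archives score high too, so treat "opaque" as a triage signal.
    entropy = shannon_entropy(payload)
    return {
        "bytes": len(payload),
        "entropy": round(entropy, 2),
        "pattern_hit": bool(CARD_PATTERN.search(payload)),
        "opaque": entropy >= entropy_threshold,
    }
```

Running `classify_egress` on `PLAINTEXT_RECORDS` and on `simulate_encrypted_exfil(PLAINTEXT_RECORDS, b"example-key")` shows the pattern rule firing only on the plaintext while the entropy check flags only the encrypted copy, which is why an egress policy needs both content inspection and a signal for content it cannot inspect.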
By leveraging their extended period of access and by encrypting the data they exfiltrated, the Marriott attackers were able to pull off one of the more extensively compromising attacks of the last few years. However, by identifying these tactics and responding quickly once the attack was detected, Marriott took the right steps in stopping the attack and subsequently informing the affected individuals.
Hopefully Marriott and the cybersecurity community can learn from this lesson and understand that it is important to identify an incident as soon as it occurs to limit the amount of time that an attacker has access to organizational resources.