Chase Breach Offers Detection LessonsExternal Sources Can Provide Important Clues
The latest details reported about the JPMorgan Chase breach investigation illustrate why it's critical for organizations to scrutinize external sources of information to help detect attacks.
The nation's largest bank discovered its massive network data breach through an investigation it initiated that revealed a breach of the website of a charity it supports, according to the Wall Street Journal. The investigation of the JPMorgan Chase Corporate Challenge charity website attack was launched when Chase reviewed a collection of compromised credentials posted in August by a security vendor, the newspaper reports.
Shirley Inscoe, a financial fraud analyst for the consultancy Aite, says Chase is fortunate that its investigation of the charity site attack helped it to detect its own network breach. "Otherwise, it could have continued for much longer, and more secure data may have been affected," she says.
But fraud expert Avivah Litan, an analyst for the consultancy Gartner, says we may never know when Chase was actually breached - and for how long. "The post-breach investigation data only comes out in dribs and drabs," she says. "We may never really know all the details."
And if some of the personally identifiable information compromised in the Chase breach is used to perpetrate fraud or compromise identities, such as through other resources or e-commerce sites, "no one will ever be able to trace it," Litan contends.
In September, Chase confirmed that personal information about 76 million households and 7 million small businesses had been breached in a sophisticated cyber-attack. Information compromised in the attack included customers' contact information, including names, addresses, phone numbers and e-mail addresses (see: Infographic: Chase Breach: What We Know So Far).
Connecting the Dots
The discovery of the compromise of the Chase Corporate Challenge site sped the bank's detection of a breach within its own systems, The Journal reports.
The bank, along with security vendors, found an indication of a possible breach of the charity website when reviewing a collection of compromised credentials posted in August by Hold Security, according to The Journal (see: Security Firm: 1.2 Billion Credentials Hacked).
Hold Security claimed at the time that a Russian cybergang over the past several months had breached more than 420,000 websites and FTP sites to pilfer more than 1.2 billion credentials. The security vendor said that the cybergang had amassed more than 4.5 billion records, 1.2 billion of which appeared to be unique and tied to more than half a billion e-mail addresses.
During its investigation into the breach of the charity site, Chase linked that attack to several overseas IP addresses, the newspaper reports. Chase then queried its own network logs and discovered there had been communication with the same offshore servers, which led to the discovery of its massive network breach, according to the news report.
The bank determined that hackers had gained access to Chase's internal systems in June, The Journal reports. Based on its own review, the newspaper says several of the IP addresses linked back to Eastern Europe, including Russia, as well as Egypt and Brazil.
"Sometimes the most interesting artifacts for incident response are external, not internal," Kirk Soluk, threat intelligence and response manager at Arbor Networks, tells Information Security Media Group. "In this case, [it was] identifying some 'bad' external IPs, then checking to see if any of the internal systems are communicating with them."
Still, Chase doesn't believe that the corporate challenge website was an entry point for the breach into its systems.
Chase spokeswoman Patricia Wexler tells Information Security Media Group that the charity site, as well as the systems run by the third party that manages the site, are "unconnected to ours." She didn't comment further.
Litan says it's unlikely hackers were able to tunnel their way to Chase's corporate network through the compromise of a third-party website. "The banks have done a good job of segmenting their networks," she says, to prevent this type of attack.
The investigation into the breach at JPMorgan Chase proved difficult because the hackers deleted many of the log files that tracked their movements through the network, according to The Journal report.
Two sources told The Journal that the hackers entered JPMorgan Chase's network by compromising the computer of an employee with special privileges used at both work and at home.
Aite's Inscoe says organizations need to work toward getting out of a "perpetual defensive position."
"With hackers continually creating new methods to gain access, the goal has to be to try and become proactive with better security defenses as well as improved monitoring that detects hacks prior to allowing time for tunneling to other systems," she says.
Executive Editor Tracy Kitten contributed to this report.