and other types of active adversaries.
Popular cryptocurrency exchange Coinbase has recently become the latest well-known online brand to admit to being breached. Coinbase’s breach report was an interesting mix of partial mea culpa and advice for others. The company used the term ‘sophisticated’ when describing their attackers, a term which can often be interpreted as ‘better than our defences’. In their report, Coinbase confidently stated that their cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. However, they also admitted to a limited amount of data from their corporate directory being exposed. This is a common tactic of cybercriminals, known as lateral movement, which takes advantage of the information and access acquired in one part of a breach to gain wider system access.
The Coinbase attack provides some useful tips for threat defenders and XDR teams. XDR stands for extended detection and response, which is a regular and active search for hints that someone is attempting an attack on your network, rather than waiting for traditional cybersecurity detections in your threat response dashboard. While XDR does not mean turning off existing cybersecurity alerting and blocking tools, it does mean extending the range and nature of your threat hunting to watch for attackers before they attempt an attack.
The reconstructed attack seemed to involve the following stages: (1) an SMS-based phishing attempt, in which staff were urged to log in via a link that directed them to a bogus site, (2) a phone call from someone claiming to be from IT, (3) a request to install a remote-access program, and (4) a request to install a browser plugin. To prevent similar attacks, never log in by clicking on links in messages, never take IT advice from people who call you, never install software on the say-so of an IT staffer, and never reply to a message or call to ask whether it is genuine. Report suspicious contacts to your security team instead.
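The four stages above are individually mundane (a text, a call, two installs) and only look like an attack once they are lined up per user and in time, which is the point of treating staff reports as XDR sensor input alongside endpoint telemetry. The following is an added illustration, not Coinbase's or any vendor's detection logic: it correlates user-reported phishing SMS or suspicious calls with later remote-access or browser-extension installs on the same user's machine. The event schema, the tool name `remote-access-tool-x`, the two-hour window and the sample events are all constructed assumptions for the example.

```python
"""Correlate staff reports with endpoint telemetry into a single alert.

Added example, not Coinbase's or any product's detection logic. The event
fields, tool names, window length and sample events are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample events: alice reports a phishing SMS and an "IT" call,
# then her workstation installs a remote-access tool and a browser extension.
# bob installs the same tool with no report; carol reports an SMS and nothing follows.
SAMPLE_EVENTS = [
    {"ts": "2023-02-05T09:02:00", "user": "alice", "source": "user_report",
     "kind": "phishing_sms", "detail": "SMS asked me to re-login via a short link"},
    {"ts": "2023-02-05T09:20:00", "user": "alice", "source": "user_report",
     "kind": "suspicious_call", "detail": "caller claimed to be corporate IT"},
    {"ts": "2023-02-05T09:31:00", "user": "alice", "source": "edr",
     "kind": "software_install", "detail": "remote-access-tool-x"},
    {"ts": "2023-02-05T09:40:00", "user": "alice", "source": "browser",
     "kind": "extension_install", "detail": "extension-id-placeholder"},
    {"ts": "2023-02-05T10:15:00", "user": "bob", "source": "edr",
     "kind": "software_install", "detail": "remote-access-tool-x"},
    {"ts": "2023-02-05T15:00:00", "user": "carol", "source": "user_report",
     "kind": "phishing_sms", "detail": "odd text, did not click"},
]

# Assumed: the organisation keeps a list of installers it treats as
# remote-access software for alerting purposes (hypothetical name).
REMOTE_ACCESS_TOOLS = {"remote-access-tool-x"}
# Report kinds that count as a human-sensor precursor to the install stages.
PRECURSORS = {"phishing_sms", "suspicious_call"}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _is_suspect_install(ev: dict) -> bool:
    """Stage 3 (remote-access program) or stage 4 (browser plugin)."""
    if ev["kind"] == "software_install":
        return ev["detail"] in REMOTE_ACCESS_TOOLS
    return ev["kind"] == "extension_install"


def correlate(events: list, window_hours: float = 2.0) -> list:
    """Return one alert per user whose machine saw a suspect install.

    'high'   : the install followed, within window_hours, a phishing-SMS or
               suspicious-call report from the same user (stages 1/2 -> 3/4).
    'medium' : a suspect install with no prior report; the human sensor was
               silent, but the telemetry alone still deserves a look.
    A report with no follow-on install produces no alert.
    """
    window = timedelta(hours=window_hours)
    by_user: dict = {}
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        installs = [e for e in evs if _is_suspect_install(e)]
        if not installs:
            continue
        first_install = _parse(installs[0]["ts"])
        # Reports that precede the first install by no more than the window.
        linked = [e for e in evs
                  if e["source"] == "user_report" and e["kind"] in PRECURSORS
                  and timedelta(0) <= first_install - _parse(e["ts"]) <= window]
        alerts.append({
            "user": user,
            "severity": "high" if linked else "medium",
            "chain": [e["kind"] for e in linked + installs],
        })
    # High-severity alerts first, then by user name for stable output.
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["user"]))


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a high-severity alert for alice whose chain reads phishing_sms, suspicious_call, software_install, extension_install, a medium alert for bob, and nothing for carol. Shrinking `window_hours` so the reports fall outside it demotes alice to medium, which is the knob a team would tune against its own report latency.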
Finally, to protect against active adversaries, it is important to be a human part of your company’s XDR sensor network. Giving your active defenders more to go on than just access logs means they will be better equipped to detect and respond to an active attack. It is also important to learn more about active adversaries, XDR and MDR, and social engineering. Doing so can help protect against similar attacks.