The Facebook Hack – The proof we need to embrace Machine Learning Threat Detection Tools for faster detection and response, by Martin Cook, Cyber Solutions Architect, Cyberseer.
Whilst the Wall Street Journal reports that Facebook could face a $1.63 billion fine from the European Union under the new GDPR regulations, I wanted to take a moment to think about the timeline of events and look at some of the current “unknown unknowns”, with a view to reflecting on them and asking: “how would your organisation detect anomalous activity arising from the compromise of credentials or the theft of an identity token?”
The vulnerability exploited during the Facebook hack resulted in 50 million user accounts being affected, with Facebook resetting 90 million user accounts after identifying the malicious activity. The vulnerability arose from a change made to Facebook code in July 2017 for their ‘view as’ feature. Facebook has not yet published the extent of the hack, and therefore it is difficult to say at this juncture what data, if any, was exfiltrated from user accounts, or from associated accounts on Instagram and other connected applications which use Facebook as a centralised authentication platform. The Wall Street Journal also reported that Ireland’s Data Protection Commission is struggling to learn what exactly happened during the attack.
What’s interesting to me here is that there was a large window of time, from July 2017 until September 2018 (circa 390 days), during which the vulnerability existed on Facebook systems. That doesn’t mean it was exploited for this entire duration, just that the potential was there throughout. It’s hard to predict how long the vulnerability was being exploited prior to Facebook spotting it, or what techniques they use to help them identify potential account compromise. The Mandiant M-Trends 2018 report stated that the global median dwell time from initial compromise to discovery increased in 2017 from 99 days to 101.
Taking these statistics into consideration and transposing a similar series of events from the Facebook hack onto your organisation’s enterprise: would your cybersecurity capability detect the anomalous activity swiftly? Sophisticated attacks today focus on obtaining valid credentials for the system as the primary objective. This approach leaves many legacy security devices blind to the attack, because with valid credentials the attacker can hide in plain sight, masquerading as a legitimate user. Using Machine Learning and Behavioural Analytics tooling that underpins an Advanced Threat Detection Service to swiftly identify anomalous and potentially malicious activity is the only way to increase the visibility of activity across your enterprise and subsequently reduce detection time from days to hours and minutes. How would your solution fare in comparison? Get in touch now.
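To make the behavioural-analytics idea above concrete, here is an added Python example (written for this page; it is neither Cyberseer's tooling nor Facebook's detection logic) that learns each user's normal access-token context and flags a token that is suddenly reused from a different country and client. The event records, the learning window and the score weights are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of access-token usage events; not real Facebook telemetry.
# Fields: user, token id, UTC timestamp, source country, client user agent.
EVENTS = [
    ("alice", "tok-A1", "2018-09-20T09:00:00", "GB", "Chrome/69 Windows"),
    ("alice", "tok-A1", "2018-09-20T12:30:00", "GB", "Chrome/69 Windows"),
    ("alice", "tok-A1", "2018-09-21T09:05:00", "GB", "Chrome/69 Windows"),
    ("alice", "tok-A1", "2018-09-21T09:20:00", "RU", "python-requests/2.19"),
    ("bob",   "tok-B7", "2018-09-20T10:00:00", "US", "Safari/12 iOS"),
    ("bob",   "tok-B7", "2018-09-22T10:00:00", "US", "Safari/12 iOS"),
]

LEARN = timedelta(hours=24)   # per-user learning window (assumed tuning value)
REUSE = timedelta(hours=1)    # same token, different context, within this gap


def detect(events):
    """Return (user, token, timestamp, score) for events that depart from the
    user's learned baseline: the set of (country, user agent) contexts seen in
    the user's first LEARN hours. A token seen in two distinct contexts within
    REUSE is weighted heavily as probable token theft."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e[2]))
    first_seen, baseline, last_ctx, alerts = {}, {}, {}, []
    for user, token, ts, country, ua in events:
        t, ctx = datetime.fromisoformat(ts), (country, ua)
        first_seen.setdefault(user, t)
        seen = baseline.setdefault(user, set())
        if t - first_seen[user] <= LEARN:
            seen.add(ctx)          # still learning this user's normal contexts
            last_ctx[token] = (t, ctx)
            continue
        score = 0
        if country not in {c for c, _ in seen}:
            score += 2             # never seen this user from this country
        if ua not in {u for _, u in seen}:
            score += 1             # never seen this user with this client
        prev = last_ctx.get(token)
        if prev and prev[1] != ctx and t - prev[0] <= REUSE:
            score += 3             # token reused from a new context too quickly
        if score:
            alerts.append((user, token, ts, score))
        last_ctx[token] = (t, ctx)
    return alerts
```

Alice's token being used from Russia by a scripted client fifteen minutes after her normal browser session is the only event scored; Bob's routine use produces nothing.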