The SANS Institute is attributing a data breach that exposed roughly 28,000 records containing personally identifiable information to a malicious Office 365 add-on, which caused an employee’s email account to automatically forward emails to an attacker’s address.
The security training authority has confirmed to SC Media that it was the victim of a “consent phishing” scam – an attempt by adversaries to get employees to install a malicious application and/or grant it permissions that will allow it to access sensitive data or perform unwanted functions. And the fact that a trusted source of cyber expertise fell victim to the scheme demonstrates that no organization is immune to security slip-ups – as it takes just one uninformed, distracted or negligent employee to trigger an incident.
Just last month, Microsoft warned of consent phishing scams targeting remote workers and their cloud services, including Office 365 (recently rebranded as Microsoft 365). “…[C]loud platforms are rich in data but in turn have attracted malicious actors seeking to gain unwarranted access to this data,” wrote Agnieszka Girling, group program manager at Microsoft. “One such attack is consent phishing... Instead of trying to steal the user’s password, an attacker is seeking permission for an attacker-controlled app to access valuable data.”
Jim Yacone, chief of mission at the SANS Institute and a former FBI assistant director, told SC Media that the add-on “was the result of a phishing email sent to several [SANS] employees. One employee clicked the link and authorized installation of the malicious add-in, which allowed for the creation of the forwarding rule” that sent 513 emails containing the exposed records to the anonymous attacker. “There were no credentials divulged, nor any active malware on the victim’s system or any other SANS systems,” he continued.
Yacone noted that the phish “was a carefully crafted email that looks like a file share from SharePoint via O365.” After the add-on was installed, the employee was specifically “asked to grant special permissions needed to set up the forwarding rule. We validated it during forensic analysis. This ‘permission-granting’ highlights the need to educate staff and the community on these types of attacks via security awareness.”
To that end, Girling from Microsoft previously advised organizations to understand the data and permissions that applications ask for, and to watch out for key indicators of consent phishing scams such as spelling and grammar mistakes in emails and app consent screens, and spoofed domain names designed to look like legitimate apps and companies.
“We are in a day and age where everyone, even those at security organizations, need to remain alert about the items that come across their inbox, hovering over links from all email sources to make sure they correspond with the sender’s information, and double-checking who the email is actually from,” said Heather Paunet, VP of product management at Untangle.
In an online notification, the SANS Institute said it first discovered the suspicious forwarding rule during an Aug. 6 review of its email configurations and settings.
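The rule was only found during a manual review of email configurations. As an added example (not code from SANS, SC Media or Microsoft), the Python below automates that check: it flags inbox rules and mailbox settings that forward mail to a domain the organization does not own. The audit-record shape, the internal domain list and the sample events are assumptions, loosely modelled on Exchange admin-audit events; the events themselves are constructed.

```python
"""Flag mailbox rules or settings that auto-forward mail outside the organization."""
import json

# Assumed: the organization's own domains; anything else is treated as external.
INTERNAL_DOMAINS = {"example.org"}

# Operations worth inspecting and the parameters that can push mail elsewhere.
# Parameter names follow Exchange cmdlets; the record layout is an assumption.
WATCHED = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress",),
}

# Constructed sample events (not real SANS data), one JSON document.
SAMPLE_EVENTS = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@outside.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.org",
     "Parameters": [{"Name": "RedirectTo", "Value": "helpdesk@example.org"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@example.org",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:dave.home@mail.example"}]},
])


def _domain(address: str) -> str:
    """Lower-cased domain of an SMTP address, with any 'smtp:' prefix removed."""
    return address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]


def external_forwarding(events_json: str, internal=INTERNAL_DOMAINS) -> list[dict]:
    """One finding per rule or setting whose target domain is not in `internal`."""
    findings = []
    for ev in json.loads(events_json):
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        for name in WATCHED.get(ev["Operation"], ()):
            target = params.get(name)
            if target and _domain(target) not in internal:
                findings.append({"user": ev["UserId"], "op": ev["Operation"],
                                 "param": name, "target": target,
                                 # a rule that also deletes hides the theft from the victim
                                 "deletes": params.get("DeleteMessage") == "True"})
    return findings


if __name__ == "__main__":
    for finding in external_forwarding(SAMPLE_EVENTS):
        print(finding)
```

Run against real records, the same function would surface a rule like the one described above as soon as it is created rather than at the next scheduled review.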
“This is a unique disclosure involving access to a mailbox rather than a [breached] database,” said Zack Allen, director of threat intelligence at ZeroFOX. “Malicious forwarding rules are definitely an interesting vector for actors who are performing business email compromise, or worse, espionage. Especially with SANS clientele, who are all security professionals that work at the largest firms in the world, this could be an interesting attack from an information gathering/espionage actor. But the more likely answer is a more persistent BEC actor that is going after financial details.”
The SANS Institute ultimately removed both the add-on and the rule. Nevertheless, Chris Clements, vice president of solutions architecture at Cerberus Sentinel, questions why the organization didn’t catch the issue sooner. “It is surprising that an organization like SANS would suffer such a large breach and that the compromise was not detected until a supposedly unrelated review of email configurations was taken,” he said.
The company also came under criticism for how one email account resulted in the compromise of nearly 30,000 records. “The breach of one single email… should not lead to such a significant exposure of PII data, even if it’s a drop in the ocean of disclosed data breaches from the last 18 months,” said Ilia Kolochenko, founder and CEO of ImmuniWeb.
For the moment, the organizational role of the SANS Institute employee who was phished is not clear.
“We don’t know if the employee… was on the security team or if they were in another function such as sales, marketing or operations…” said Chloé Messdaghi, VP of strategy at fellow infosec training organization Point3 Security. “If the phishing target was someone not on the SANS security team, it begs questions about what kind of training they had… And if the phishing victim at SANS actually is someone on the security team, it’s important to realize that they’re likely not apathetic to security practices but that the organization may not be investing in their own security teams, or team members may be suffering from burnout.”
Should the SANS Institute’s own internal training and security controls have been strong enough to prevent such an event from occurring? Easier said than done.
“I don’t think that we should hold SANS accountable to the same standard of security and data protection as we impose on, let’s say, financial institutions and other highly regulated industries,” said Kolochenko. “Otherwise, their training would become exorbitantly expensive and few organizations will be able to afford them, causing a domino effect of global insecurity and poor awareness. Like many others, SANS seems to fall victim to unforeseen work from home (WFH) measures that have undermined many security mechanisms and controls readily available in the office.”
Salvatore Stolfo, CTO and founder of Allure Security and professor of computer science at Columbia University, said the attack serves as a “wake-up call that many organizations need: The phishers and scammers of today are just plain good. Good enough to trick even the most professional eye.”
In that sense, the incident serves as a reminder that security awareness training is not a panacea for cyberattacks. There are no silver bullets, and organizations may want to supplement their employee training with technologies designed to detect email-based threats. Of course, that’s not necessarily the best marketing message for a company specializing in training.
“Organizations that rely on training and the vigilance of their users should use this as an opportunity to reconsider their anti-phishing strategy… one that takes the responsibility away from the users, and empowers security teams to take control and solve the problem with technology,” said Stolfo, whose company, it should be noted, is among those offering a technology-based approach toward combatting phishing.
Moreover, it’s not a great look when an organization that specializes in cyber training commits a cyber gaffe. “Security organizations generally suffer more brand damage from security incidents than do firms in other verticals,” said Stolfo, although “those impacts are generally temporary, especially if the organization discloses the breach transparently and takes the opportunity to talk openly about the lessons learned that will ensure that the past doesn't repeat itself.”
And that does appear to be the case here. Indeed, experts largely praised the SANS Institute for its timely incident response and resiliency.
“The rapid and transparent reaction of SANS to this incident is laudable and professional. Moreover, this fairly insignificant incident will now likely boost internal security at SANS and provide additional confidence to its clients and partners,” said Kolochenko.
“…Bravo to them because they were fast and forthright in responding. While some personal information was disclosed, it could have been worse – fortunately, no financial information was leaked,” said Messdaghi.
“When a respected security organization such as SANS Institute experiences an event like this, it underscores that for many organizations attempting to prevent each and every attack is a fool’s errand and an expensive one at that,” said Tim Wade, technical director of the CTO Team at Vectra. “The real hallmark of modern security is about resilience to attacks – the capacity to perform timely detection and response before material damage is done even after preventative controls have failed. Additionally, the steps that SANS Institute is taking to both complete a thorough investigation and use the outcome of that activity to further instruct and prepare the rest of the security community should be applauded.”
“It only takes one click, which can happen in the blink of an eye, before you even realize what you’ve done,” said Lisa Plaggemier, chief strategy officer at MediaPro. “Think of how quickly we all move through our email on busy days. Add to that the stress of Covid. Simply put, human beings are fallible… The important thing is that they were quick and clear with their disclosure, and that they take steps to keep it from happening again.”
Yacone supplied SC Media with additional specifics beyond what was detailed in the SANS Institute breach notification, confirming that the compromised PII belonged to two different groups.
“The first group were individuals who had recently registered for our virtual DFIR (Digital Forensics and Incident Response Distribution) Summit and the second group were individuals that were part of SANS general outreach programs. Because the compromised lists were intended for basic communication, the data consisted of information that is largely available in publicly available databases.” Customer and instructor records were not affected and not everyone who registered for the summit was impacted.
Exposed data included name, places of employment, work title, industry, address and country of residence.
The SANS Institute will share additional details in a forthcoming webcast, which will include screenshots of the redacted phishing email, Yacone said.