News is circulating that T-Mobile servers have been breached. An anonymous message to the Full Disclosure mailing list on Saturday was the start of the topic. This message included a claim that T-Mobile has been owned for some time, and that the attackers “have everything” up for sale to the highest bidder. It also included a list of 511 production server details such as their hostname, IP address, OS and applications.
This situation raises two distinct questions. First, how can an organization best anticipate and detect breaches? The second question is how an organization can best respond to a breach, especially with regard to preventing another.
Before answering those questions, a quick look at the spreadsheet of servers raises several other questions. For example, do the 511 servers in the message have anything in common? Are they managed from a particular department or under a specific project? This kind of analysis could help reveal that the "attack" was actually a leaked document rather than a breach of network security. A quick review shows that all of the systems listed are a UNIX flavor. Either the attackers did not want to reveal a more representative sample from their victims, or they may really just have found a UNIX project manager’s USB drive in a parking lot.
Back to the core questions, the best way to anticipate and detect breaches is by analyzing logs. If the attackers were trying to inventory systems on the network, for example, this activity would leave a trail of evidence in those system logs. All 511 servers listed should show the same or a similar footprint left by the attackers. The network devices connecting the servers would also have log information to help identify attacks. This means a robust log archive and analysis system needs to be in place before attacks begin, in order to capture enough information to identify the problem and alert administrators before the breach succeeds or spreads. Log management is no longer just about operating systems and network devices, however. It also needs to incorporate detailed user information from identity systems, especially with regard to shared or system accounts. Identity integration means that if the attackers compromise the “root” account, logs can be correlated to show which user was really using root.
Log management is also critical in responding to a breach. Proving that there was no attack requires an archive of logs that goes back several years. This can be used to counter any claims that the servers have been breached for “some time”; the logs could show that a breach actually did not happen. On the other hand, the ability to identify attack signatures, as mentioned above, also helps with avoiding future breaches. When the attack vector is thoroughly understood, an alert can be programmed into Security Information and Event Management (SIEM) systems. Every time a log or set of logs matches a particular attack, or even just shows similarities to other attacks, the SIEM can send out an instant alert or start a watch list for administrators to investigate.
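As an added illustration of the two points above (attributing root activity to the real user, and turning a known footprint into a SIEM-style alert), here is a small Python script that is not part of the original post and does not reflect any T-Mobile log format. The log lines, hostnames, usernames and timestamps are constructed for the example, and the "inventory command" pattern and the three-hosts-in-ten-minutes threshold are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts and users): a sudo
# escalation on each host, followed by activity that is logged only as "root".
SAMPLE_LOGS = """\
2009-06-06T02:10:01 srv-db01 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
2009-06-06T02:10:05 srv-db01 root: cat /etc/passwd
2009-06-06T02:10:09 srv-db01 root: uname -a
2009-06-06T02:11:20 srv-web07 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
2009-06-06T02:11:24 srv-web07 root: uname -a
2009-06-06T02:12:40 srv-app03 sudo: alice : TTY=pts/1 ; USER=root ; COMMAND=/bin/bash
2009-06-06T02:12:44 srv-app03 root: cat /etc/passwd
2009-06-06T09:30:00 srv-db01 sudo: bob : TTY=pts/2 ; USER=root ; COMMAND=/bin/bash
2009-06-06T09:30:10 srv-db01 root: /etc/init.d/oracle restart
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^:]+): (?P<msg>.*)$")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Assumed signature of "inventorying a box": commands that enumerate the host.
INVENTORY_RE = re.compile(r"(uname|cat /etc/passwd|ifconfig|netstat)")


def parse_line(line):
    """Split one syslog-like line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def attribute_root_activity(log_text):
    """Return (ts, host, real_user, command) for every line logged as root,
    attributed to the last user who escalated to root on that host via sudo."""
    last_escalation = {}  # host -> user who most recently became root there
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["program"] == "sudo":
            m = SUDO_RE.match(rec["msg"])
            if m and m.group("target") == "root":
                last_escalation[rec["host"]] = m.group("user")
        elif rec["program"] == "root":
            real_user = last_escalation.get(rec["host"], "unattributed")
            events.append((rec["ts"], rec["host"], real_user, rec["msg"]))
    return events


def detect_inventory_sweep(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one (attributed) user runs inventory-style commands as root
    on at least min_hosts distinct hosts within a single sliding time window."""
    per_user = defaultdict(list)
    for ts, host, user, cmd in events:
        if INVENTORY_RE.search(cmd):
            per_user[user].append((ts, host))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first_seen": start, "hosts": sorted(hosts)})
                break  # one alert per user is enough to open a watch-list entry
    return alerts


if __name__ == "__main__":
    evs = attribute_root_activity(SAMPLE_LOGS)
    for ev in evs:
        print("root activity:", ev)
    for alert in detect_inventory_sweep(evs):
        print("ALERT:", alert)
```

In the constructed data, `bob`'s service restart is attributed to him but triggers nothing, while `alice`'s enumeration commands on three hosts inside a few minutes produce a single alert. The important design point is the attribution step: without the sudo-to-root correlation, the SIEM would only see "root" touching three servers and could not say which account to investigate.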
Perhaps most important of all is to recognize the potential cost of disruption from this kind of message. Does your organization have a system in place to rapidly assess the validity of an attack claim? Without an effective system for managing logs and security information, an anonymous message to a forum could pose a significant risk even without any validity or proof. The T-Mobile message raises a number of important points that organizations should reflect upon as they review their logs tonight.