Marriott & Starwood Breach

You can check out anytime you like, but you can never leave!

Marriott Breach! Here is your 6am wake-up call.

The Marriott breach woke us all up this morning as news broke of one of the largest compromises of all time: 500 million records stolen, potentially including credit card information and other personally identifiable information (PII). It’s easy to fault Marriott and Starwood, but unfortunately this is not an individual organization’s problem; it’s a challenge for the industry as a whole. Here are three reasons we think so:

#1: Dwell Time is not fine wine

From the Marriott breach press release (emphasis is mine):

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott revealed today that the Starwood network had been compromised since at least 2014, but it seems the first alert – or at least the first alert the security team caught – didn’t come until September 2018. Almost 4 years later! And it took another two and a half months to determine what occurred, only to find out that the attackers were busy encrypting (how secure of them!) and exfiltrating information. With that much time, I’d be surprised if they didn’t have access to pretty much all of the crown jewels!

The reality is that on many networks today it simply takes too long to detect and respond to threats. Overall, organizations have strong and robust malware defenses and perimeters but squishy centers, since an attacker on the inside (whether a malicious insider or an external attacker) looks just like every other regular user. What’s worse is that they behave just like regular users: a little SQL query here, some PowerShell there, and it blends right in. Think about it: even with highly paid “leading security experts” (and you know they were highly paid), it still took almost 90 days to get (some?) answers. What hope does the average security team have?

The challenge is that security teams simply don’t have the tools to identify living-off-the-land and non-malware threats, and the tools they do have provide very little context to jumpstart the response process. In this case, detecting and responding earlier could, perhaps, at the very least have lowered that 500 million record count.

#2: Attackers are like guests who don’t pay their bills – kick ‘em out and keep ‘em out

Here is another interesting fact. Starwood disclosed a breach of their payment card systems in November of 2015 and at that time believed it dated back at least a year (circa November 2014). Wait, didn’t we just say this current breach dates back to 2014? This is pure speculation, but would you bet against these being connected? Were all remnants of attacker footholds in the environment from the November 2014 breach successfully eliminated back then?

Unfortunately, there is often no easy way to know since, again, security tooling and processes force responders into a whack-a-mole process of eliminating the symptoms. Just from talking to our own customers, we find that even the best security teams are often blind to 40-60% of their infrastructure. Think about all those shadow IT instances lying around, and dare I say IoT and BYO devices. This makes it impossible to understand the full depth and breadth of a campaign and how far into your infrastructure the attacker’s tentacles go.

#3: When there is a fly in your soup, it doesn’t matter how it got there!

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

Another part of the press release also caught our eye. In spite of all the efforts and expenses that seem to have gone into responding to this breach over the last few months, it still seems there are a lot of unanswered questions. From my experience, this is often because security teams simply don’t have a way to easily go back in time and reconstruct the attacker’s activity. This becomes a painstaking (and expensive) exercise in pulling threads and hoping for answers.

Knowing what your true business assets are (in this case the encryption keys) and ensuring you have the right security detection and monitoring controls around them (so you can, at a minimum, audit and report on access to them) is critical in this day and age. We simply can’t try to protect everything all the time. This also helps in triage, so that security teams prioritize by true business impact rather than by the “risk” score a security tool reports.

This is also interesting given the context of Marriott purchasing Starwood. From our discussion above, it would appear that the breach of Starwood potentially started years before this transaction, and at least one of the breaches was disclosed after the acquisition closed. Not to beat a dead horse, but it bears repeating that anytime your business changes, you have to look at how your threat model has evolved as a consequence, what new business assets are now in the mix, and how they are being protected.

The worst might be yet to come, and not just for Marriott

Clearly, this is going to have a financial impact on Marriott in the short term. As of this writing the stock is down about 6% and the company has an SEC filing on the topic. In the long term, opinions differ. With that said, there is very little debate that the impact of this mega breach will be felt by every other enterprise now, as the inevitable phishing attacks commence. The attacker will likely target the consumer’s personal email addresses and social media accounts, but as we all know those are an easy backdoor into the enterprise. Unfortunately, almost no enterprise protects those personal accounts; but are they at least equipped to detect and respond to those attacks quickly? What is your strategy to find typosquatting attacks targeting the corporate traveler, or anomalous traffic from their devices? If someone did click, how quickly can you know which users and devices were impacted, what kind of information was divulged, whether other users are browsing related sites, etc.?
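One concrete way to start answering the typosquatting question above, as an added example that is not part of the original post: scan proxy log lines for destinations within a small edit distance of a list of brand domains. The brand list, the single-line log format and the sample lines are all constructed assumptions for this example.

```python
import re
# Constructed list of brand domains a corporate travel programme cares about
# (an assumption for this example; in practice, use your own list).
BRAND_DOMAINS = ["marriott.com", "starwoodhotels.com", "spg.com"]

def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_matches(host, max_distance=2):
    """Brand domains the host is suspiciously close to; brands and their subdomains yield none."""
    host = host.lower().strip(".")
    if any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS):
        return []
    # Keep the last two labels (adequate for the .com-style domains used here).
    base = ".".join(host.split(".")[-2:])
    hits = []
    for brand in BRAND_DOMAINS:
        d = levenshtein(base, brand)
        if 0 < d <= max_distance:
            hits.append((brand, d))
    return hits

# Assumed minimal proxy log shape: "<timestamp> <user> <METHOD> <url>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (?:GET|POST|CONNECT) https?://([^/\s:]+)")

def scan_proxy_log(lines, max_distance=2):
    """One finding per log line whose destination looks like a brand typosquat."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts, user, host = m.groups()
            hits = typosquat_matches(host, max_distance)
            if hits:
                findings.append({"ts": ts, "user": user, "host": host, "near": hits})
    return findings
# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG = [
    "2018-12-01T06:02:11Z alice GET https://www.marriott.com/reservations",
    "2018-12-01T06:03:40Z bob GET https://marriot.com/login",
    "2018-12-01T06:05:02Z carol CONNECT https://spg.com:443",
    "2018-12-01T06:07:55Z dave POST http://starwoodhotel.com/verify",
]
```

Edit distance alone misses hyphenated or homoglyph look-alikes, so treat this as a first filter that feeds the user and device into the response questions above, not as a complete detector.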

Today, when everyone is just as likely to be breached, I believe organizations are judged on how, and how quickly, they respond. So, my 2c of advice: make sure your people, processes and technologies can rapidly answer the questions that inevitably come up after such an event. We can’t keep going on assuming we can prevent these events entirely.

By Rudolph Araujo
Breach Response