The Avid Life Media hack is a striking example of everything that can go wrong when a company is completely breached followed by a total disclosure of the stolen information. This attack resulted in an estimated $200 million in costs, firing of the CEO, and countless lives ruined. This presentation will review the data exposed and what can be learned to prevent this from happening to your organization.

1. Lessons Learned from
Avid Life Media
Rob Davis, CISSP
Founder – Critical Start
CEO – Advanced Threat Analytics
rob.davis@criticalstart.com
214-674-1748

2. 4© 2015 Advanced Threat Analytics LLC
• Attacks are up
• Defense is down
• There’s more vulnerabilities every year than the year before
• We’re still getting breached
• The media loves to talk about
• We’re tired of them talking about it
Things we all know already… but I am gonna say anyways

3. 5© 2015 Advanced Threat Analytics LLC
The normal response to this information…

4. 6© 2015 Advanced Threat Analytics LLC
This slide is intentionally blank
Vendors that provide a bullet-proof solution…

5. No such thing

7. 9© 2015 Advanced Threat Analytics LLC
The Elephant in the Room

8. Corporate Alignment to Strategy to Mitigate Cybersecurity Risk
People
Money
Time
Business
Impact
Risk
Tolerance
Threat
Landscape
SecCon 01
SecCon 02
SecCon 03
SecCon 04
SecCon 05

9. SecCon
05
SecCon
04
SecCon
03
SecCon
02
SecCon
01
Operational
Operational security –
minimal resources and
budget allocated
Industry Average
Use security practices
that are typical for a
given peer group and
industry. Higher risk
tolerance.
Industry Best Practice
Use security practices
that are best practice
for their industry.
Lower risk tolerance.
Advanced
Goal is to detect and
effectively respond to
sophisticated, targeted
cyber attacks
Compliance
Security is an outcome
of compliance

10. • Stored information in clear readable
text
• Easily guessed passwords
• Did not limit access between
networks
• Unable to identify the source of
cybersecurity attack
• Failed to adequately restrict access
of third-party vendors to its network
and servers
• Failed to employ “reasonable
measures to detect and prevent
unauthorized access” to its computer
network or to “conduct security
investigations”
• Did not follow “proper incident
response procedures”

11. • Stored information in clear
readable text
• Easily guessed passwords
• Did not limit access between
networks
• Unable to identify the source of
cybersecurity attack
• Failed to adequately restrict access
of third-party vendors to its
network and servers
• Failed to employ “reasonable
measures to detect and prevent
unauthorized access” to its
computer network or to “conduct
security investigations”
• Did not follow “proper incident
response procedures”
FTC Chairwoman Edith Ramirez said in a statement that
the decision “reaffirms the FTC’s authority to hold
companies accountable for failing to safeguard consumer
data. It is not only appropriate, but critical, that the FTC
has the ability to take action on behalf of consumers
when companies fail to take reasonable steps to secure
sensitive consumer information.”

12. Rob Davis, CISSP
Founder – Critical Start
CEO – ATA
rob.davis@criticalstart.com
214-674-1748

13. 15© 2015 Advanced Threat Analytics LLC
Avid Life Media - Key Metric Summary (All Properties)
Metric 2013 2014 Change
Visits 700,871,661 2,333,210,131 +233%
Unique Visitors 519,543,630 1,878,447,802 +271%
Signups 7,146,172 9,726,537 +36%
Purchasing
Members
1,913,521 2,562,425 +34%
Credits Used 120,284,398 173,226,994 +44%
Metric (US $’000,000) 2013 2014 Change
Revenue (GAAP) $78 $114 +46%
EBITDA (Cash) $34 $55 +61%
$-
$2,000,000
$4,000,000
$6,000,000
$8,000,000
$10,000,000
$12,000,000
6/1/01
4/1/02
2/1/03
12/1/03
10/1/04
8/1/05
6/1/06
4/1/07
2/1/08
12/1/08
10/1/09
8/1/10
6/1/11
4/1/12
2/1/13
12/1/13
10/1/14
Monthly Bookings

14. 16© 2015 Advanced Threat Analytics LLC
• Legal/Compliance
– A programming bug or oversight leading us to lose our regulatory compliance status (storing sensitive authentication
data, storing unencrypted credit card number, divulging PII)
– A data leak resulting in a class action lawsuit against us.
• Data leak/theft issues
– Internal users being infected with malware/viruses allowing hackers access to our user data.
– web app remote code exploit in our codebase resulting in a man-in-the-middle attack where a hacker gains access to
our customer's billing/credit card information.
• System integrity
– web app SQL injection resulting in alteration of user data
– Application code bug exploited to alter code and introduce malicious payload delivered to our customers
• Disclosure
– Bad actor creating accounts on our sites, crawling search results and finding a method of correlating our users to their
private lives (facial recognition, image metadata location coordinates, etc…)
– Internal bad actor stealing customer data and exposing it in social media/blackmailing
– Internal bad actor using a known/shared password to access customer data
– A hacker/bad actor at New Relic gaining access to our customer data.
– Third party billing partner getting hacked, exposing our customer list.
Internal Document Around Areas of Concern
1
2
3

17. Administrative Passwords to Production Domain

18. 20© 2015 Advanced Threat Analytics LLC
Passwords to Production Domain

19. 21© 2015 Advanced Threat Analytics LLC
Passwords to Employee Domain

20. 22© 2015 Advanced Threat Analytics LLC
Passwords to Employee Domain

21. 23© 2015 Advanced Threat Analytics LLC
Beware of QA Systems, Default Passwords

22. Breach Doesn’t Mean Loss of Information
Microsoft has published a
comprehensive whitepaper that
contains mitigations and guidance
called “Mitigating Pass-the-Hash
(PtH) Attacks and Other Credential
Theft Techniques.
NSA has a fantastic document on
Windows Event log collection
including a section on detecting PtH
from log data
LAPS Tool from Microsoft
https://technet.microsoft.com/en-
us/library/security/3062591.aspx

23. Simple Example of Attempting to Trick Users
• Notice that by default,
macros are usually
disabled.
• The document tries to
create a sense of urgency
by falsely claiming that the
file is protected with a RSA
key and requires the user
to “Enable Content”.

24. Simple Example of Attempting to Trick Users
• Notice that by default,
macros are usually
disabled.
• The document tries to
create a sense of urgency
by falsely claiming that the
file is protected with a RSA
key and requires the user
to “Enable Content”.

25. Simple Example of Attempting to Trick Users
After the user enables the
macro, the malicious Word
document will display
different content so the user
believes the documents has
been decrypted.

26. Alert via iPhone App, Email, or SMS Text

27. From Alert to Investigation

28. 30© 2015 Advanced Threat Analytics LLC
Incident Response – Isolate Host Immediately

29. Incident Response – Real Time Investigation
The responder has
a real time window
into the isolated
host – both on and
off the corporate
network.

30. Investigation of Host

31. Secondary Download – Uncategorized Traffice
http://anacornel.com/images/desene/united.exe

32. ATA Alerts – Breach Detection
• ATA Alerts is a custom branded list of queries
to detect activity consistent with malware
infections, malicious credential usage, and
attackers using credentials to move laterally.
• ATA Query Feed examples shown are:
o Attempts to add user to a system from
the command line
o Attempts to add users to a local group
from the command line
o Instances of SVCHOST running in an
incorrect user context
o Use of Sysinternals Tools
o PSEXEC process on endpoints

33. 35© 2015 Advanced Threat Analytics LLC
Tracking All Unsigned Process with NW Connections
• Constant tuning is required for any proactive security system to reduce false positives. ATA Security Analysts
constantly tune queries using custom analytics and processes.
• In this example, whitelisted executables are posted using Threat Analytics Search Extension to analysis process.
• After analysis, this whitelist information is sent to Carbon Black server as a feed and also to analytics system.

34. 36© 2015 Advanced Threat Analytics LLC
• Configuration and good security practices are critical for Active Directory security
– Use proper segmentation and privileged account control
– Don’t mix regular and administrative accounts
– Disable or protect local administrative accounts – log privileged account success/failures
• Initial breach is still overwhelming caused by exploits and malware missed by anti-virus –
AV is dead, so don’t depend on it to protect against malware
• Don’t depend on IDS/IPS/Firewall to detect a breach – use next generation tools that use
machine learning/statistics to detect breaches
• DO NOT USE PASSWORDS FOR REMOTE ACCESS
• From the FTC Lawsuit Against Wyndham, these items increase your liability:
– Easily guessed passwords
– Did not limit access between networks
– Unable to identify the source of cybersecurity attack
– Failure to adequately restrict access of third-party vendors to network and servers
– Failed to employ “reasonable measures to detect and prevent unauthorized access”
– Did not follow “proper incident response procedures”
Lessons Learned from Avid Life Media

35. www.advancedthreatanalytics.com
6860 North Dallas Pkwy, Suite 200 | Plano, TX | 75024
operations@advancedthreatanalytics.com