Skip to main content

The enemy within: Monitoring, machines and mobiles at Three

Last week, a very particular brand of cyber-attack took place at mobile network provider Three. Leaving less damage and infrastructure issues than using traditional brute force, the attack was far harder to detect than your run-of-the-mill forced entry. I’m talking of course about an insider threat and the use of a legitimate employee log-in to gain access to Three’s network. 

This was the turning point in this attack, and why it is worth looking at this in more detail. Attacks like this often happen stealthily and can wreak havoc in a very short space of time. It emerged that hundreds of thousands of customer records were taken from the “upgrade database” at Three which notifies the company when people are due a new phone. This data was seemingly just collateral damage, as the thieves looked to upgrade people early and intercept the expensive handsets before they reached their destination. 

This may well sound like a farfetched idea, but this is often why such gangs succeed – their plans are so audacious, no one actually expects them to carry them out.  The main reason that the Three attack resulted in the loss of so many records was due to this insider threats strategy being implemented by the thieves. Simply put, these kinds of attacks just don’t have the same amount of focus afforded to them by organisations, meaning that education around them is lacking. 

Far too many businesses focus on external threats, which while warranting a focus, simply does not cover all of their bases.

Automation and user monitoring

So how can a company deal with these dangers? There are of course tried and tested technology strategies to be implemented such as two-factor authentication and whitelisting of approved programmes to name but two. But the real advantage that businesses are not utilising fully is that of automation and user monitoring. Fundamentally, user behaviour analytics (UBA) provide a company with an overview of what data is being accessed, where and when this is taking place, and who is within the system at any one time. 

The underlying methodology is not to see the content of people’s communications or system, but instead build a profile of how a user works and flag up a warning if they attempt to take data away from the system or access something that they have no need to use.  

The technology to monitor and combat insider threats – certainly at an industry-leading level – is intrinsically linked to automation. For employees to monitor the goings on within a network at all times of the day would be a huge expense and drain on resources.  Three would have had to station an office block full of people to monitor and check the goings on through each of their employee log-ins on a daily basis, something that no company can afford to pursue. 

An automated system allows users to monitor huge swathes of data through a singular portal, with the software doing the heavy lifting of constantly prowling the network.   

Enter machine learning

Secondly, user behaviour analytics – of the automated variety – has begun to see an even newer trend relating to how effectively it can work: machine learning. In this instance, Three works as a perfect example. If this software was installed, then the user of the log-in used by the cybercriminals would have slowly built up a profile on the software as they went about their daily work without even realising. 

They would look at sales figures, they would authorise new contracts as people were signed up in store, and they would manage HR such as sick days and holiday requests during an average day in the branch. This information would be fed in day-by-day to the software, building up their profile. So, when the log-in details were stolen, or given out freely, or even left logged in on a lost mobile phone, this intelligent software would begin to pick up on when the patterns changed. If stock levels for expensive handsets were printed off. 

If customer upgrades were being authorised by someone that didn’t usually fulfil this role. And especially if the times and addresses for these upgrade deliveries were being changed so the attackers could get their hands on the goods.  We are not sure what it was in the end that led to the attack being discovered; maybe someone tried to upgrade to see that they had magically ordered a phone, but we can be confident that UBA would have flagged the issue up far earlier than this.

Dangers of the silver bullet

The Three attack is an interesting user case for UBA and the kinds of technologies that can be implemented by businesses with sensitive stock or IP. Of course, it’s still dangerous to view this intelligent automation as a silver bullet; as with any technology, it won’t make the blindest bit of difference if it’s not engaged with by an educated and security-aware staff. Training is a vital stepping stone to achieving a useful overview of your businesses online footprint, so companies will need to make sure they invest in their staff if they look to install something along these lines.  

But for any major business – especially one dispersed across an entire country – there needs to be a newfound respect for the threat posed to their network through legitimate means. As previously mentioned, all it takes is log-in details left on a public computer for a far subtler type of attack to occur. It’s not the enemy bashing on the gates you need to worry about – it’s the one that has slipped through an unlocked back door. 

Jamie Graves, CEO, ZoneFox
Image source: Shutterstock/lolloj

Jamie Graves
Jamie is the CEO of ZoneFox, which focuses on detecting insider threats and other fraudulent activities by examining human behaviours using machine-learning. He has PhD from Edinburgh Napier University.