Afew weeks ago, the Spanish Data Protection Agency (AEPD) concluded its investigation into the insurer MAPFRE over the massive cyberattack it suffered last August. As we covered in our blog when we explained the security breaches that affected airlines such as EasyJet or British Airways, regulators like the ICO in the UK or the AEPD in Spain have the power to issue heavy fines against organizations if customers’ personal data are compromised following a cyberattack.
But this hasn’t been the case for MAPFRE. In fact, the AEPD stresses in its findings that the impact on the data volume compromised “was almost zero and any exfiltration attempts were detected and prevented” and it concludes that “swift communication with customers, collaborators, providers and employers enabled an efficient response to the attack.” But how did this incident happen and how did MAPFRE act so diligently?
Event timeline in 10 steps_
In its investigation report, the AEPD details a minute-by-minute breakdown of events, which has been published in Business Insider. We summarize below how the cyberattack was produced and MAPFRE’s response in 10 steps:
- At the end of July, the cybercriminal obtains the credentials of an external collaborator in order to break in through the collaborator’s remote computer. The most likely hypothesis is that it was infected with malware (most probably after a phishing campaign), which got hold of the collaborator’s password when she logged into MAPFRE.
- On August 1, “the first unauthorized access is reported using the credentials of a user to gain access to MAPFRE’s systems”. In the following days “access from a number of different countries and connection attempts to other servers and devices took place, seeking to get hold of the credentials of privileged users,” which is achieved on August 6.
- On August 7, the hacker obtains the credentials of a domain administrator “by using sophisticated tools”. Then, until August 11, the cybercriminal employs a range of techniques “to analyze the network, file servers and shared resources” and carry out “several attempts to extract data blocked by the company’s security network.”
- On August 14, the hacker breaks into the MAPFRE network and distributes a map.exe file that uses a variant of the ransomware known as Ragnar Locker. At 21:04, the ransomware is executed. It takes the company just 7 minutes to detect errors in a number of applications and it activates its response protocols.
- At 21:15 the incident management procedure is officially opened after monitoring from the Data Processing Center. Five minutes later, MAPFRE’s Crisis Committee is activated and at 21:30 the business continuity plans are already implemented. Moreover, a permanent communication channel is opened between the Security and Technology areas.
- At this point, the diagnosis is that it could be a ransomware cyberattack and the initial contention tasks are carried out. Only 26 minutes have elapsed since the ransomware was executed and the company has already switched off all its devices, non-essential services, as well as isolating some of its network segments and obtaining backups. MAPFRE’s communications with third parties are also cut.
- The first members of MAPFRE’s cybersecurity team arrive at the head offices at 22:30 and the Technology personnel head to the company’s Data Processing Center. By 23:00 they had already managed to regain control of email. After midnight, reinforcements arrive at the company’s call centers and at 00:45 remote workers were operational again.
- By 4:18 in the morning, the ransomware has been fully identified, and it’s sent to be assessed by external cybersecurity analysts, who send back the data on the malicious code and MAPFRE starts disinfecting its devices.
- Next day, they contact the Spanish National Cybersecuriy Institute, the CCN-CERT and the Dirección General de Seguros y Fondos de Pensiones to provide details of the cyberattack. MAPFRE issues a statement and reports all the details of the incident to the AEPD.
- On August 17, the company offices reopen and the incident is reported to the Spanish Civil Guard.
Speeding up detection and response_
This much praised and prompt action by MAPFRE demonstrates that, the quicker the threat is detected and acted on, the greater the chances are of containing and mitigating the damage it could cause an organization. For this purpose, SOCs must be equipped with advanced Threat Hunting solutions, which enable them to reduce the time needed to investigate and remedy incidents.
Cytomic Orion provides the response needed via mass data analysis and correlation with threat intelligence. Moreover, it automates suspicious behavior, incident detection, correlation and investigation through pre-created and editable Jupyter Notebooks and its Threat Hunting library. This means it provides many other options so that if you are affected by an incident like the MAPFRE case, damage is minimized, and operations can be restored as soon as possible.