SANS Institute Sees Its Breach as Teachable MomentCybersecurity Training Center Wants Others to Learn From Phishing Attack
The SANS Institute, which is known for its cybersecurity training courses, is now planning to turn its own data breach into a teachable moment for its membership.
On Tuesday, SANS published a notification on its website acknowledging an employee was tricked by a phishing attack in late July, which gave hackers partial access to the worker's Office 365 account.
The hackers then used a malicious add-in that created a rule in the compromised Office 365 account that allowed them to forward members' emails to a suspicious external email address . SANS found that around 500 emails from the employee's account were forwarded, including emails that exposed the data of 28,000 customers. The personal information in those emails contained details such as names, work titles, company names, industry, addresses and country of residence, according to the notification.
The SANS investigation found that access to a single Office 365 account was granted through a malicious add-in, but that no actual credentials were divulged. In addition, no malicious code was deployed to the client system, however, the attack did involve a malicious server-side code in the form of an Office 365 add-in.
The organization first discovered the breach on Aug. 6 and immediately cut off the hackers' access to the network after discovering the forwarding rule within the compromised Office 365 account. In addition to its own investigation, the institute will contact law enforcement about the breach, says Jim Yacone, SANS' chief of mission.
"The compromised personally identifiable information consists of information from individuals who had recently registered for our Digital Forensics and Incident Response Summit," Yacone tells Information Security Media Group. "SANS is a teaching organization, and we want to handle this by the book with the greatest discretionary care and concern for the individuals."
Founded in 1989, the SANS Institute now serves about 165,000 individuals, offering a range of cybersecurity training courses and certifications, including courses on incident response and penetration testing.
After discovering the phishing attack and data breach on Aug. 6, and then conducting its own internal audit, SANS is planning to create a webinar and training material on the lessons learned in this incident, says James Lyne, CTO.
"We want this to be a reminder to everyone of the importance of constant vigilance," Lyne tells ISMG. "Being a teaching organization, we are going to do a webcast looking at our findings and making sure we share that transparently with people, such that others might avoid an incident like this. While the breach doesn't really meet the bar of a regulatory disclosure, I'm proud of the high bar we've set in driving notifications to individuals and the quality work executed by the forensic team here."
Both Lyne and Yacone noted that they would release more details about the phishing attack and data breach when SANS prepares its webinar and training materials.
What Is Known
The phishing attack apparently tricked one employee into giving partial access to their Office 365 account in the form of the malicious add-in, according to SANS.
It does not appear that the worker was spear-phished. Rather, the incident was part of a larger phishing attack that happened to ensnare the one employee, according to Lyne and Yacone.
The attackers tricked the employee into giving them access to their Office 365 account in the form of the malicious add-in, which allowed the hackers to create the rule to forward the emails through the add-in, Yacone noted.
SANS declined to identify the employee or what department the person worked in within the organization, but it noted the worker did not have access to sensitive personal or financial data and was not part of the cybersecurity training staff or instructors.
Lyne and Yacone added there will likely not be any punitive measures, but that SANS would review its training and security methods and then update its educational materials.
"Any time an incident like this occurs, it's an opportunity to pause and reflect and see with hindsight what you should have done better," Lyne says.
"We have regular reviews as you would expect, which involve the leadership. We use any bump in the road as an opportunity to ask ourselves questions in retrospect of what we should have done differently. That's exactly the process that we're in the middle of now, because, clearly, if things had been better, we would not be in this situation. And you can always improve."
Managing Editor Scott Ferguson contributed to this story.