Public companies are required by law to report data breaches. These carefully written data breach notifications are often vague. For example, Blackbaud, a company that handles charitable contributions for educational institutions and nonprofits, including the IEEE Foundation, recently announced (https://www.blackbaud.com/securityincident) that it had a security incident affecting hundreds of clients.
What really happened? The Blackbaud message provides an opportunity to read between the lines. Let’s dissect their notification to gain insight into the occurrence and enumerate their explicit and implicit “confessions.”
Here’s the opening to the data breach notification message.
The Cybercrime Industry represents an over trillion-dollar industry that is ever-changing and growing all the time—a threat to all companies around the world. Like many in our industry, Blackbaud encounters millions of attacks each month, and our expert Cybersecurity team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry. We wanted to notify our customers and other stakeholders about a particular security incident that recently occurred.
Yes, the state of cybercrime is lamentable, but opening with this in an attempt to soften the blow set me on edge immediately. This is like a bank saying: “There sure are a lot of bank robbers out there; so, when we tell you your account was emptied, we hope you’ll understand…”
That “millions of attacks each month” number is enigmatic. What qualifies as an “attack”? Does a network connection attempt that the firewall drops count as an attack? Do brute-force login attempts? Does a phishing email? Maybe yes to all three.
The first confession: if it’s true that Blackbaud is encountering millions of attacks each month, they need to reconsider their security architecture to reduce such a wide attack surface. Later in the notification they make another “confession”, but the first one here is that they probably don’t understand their own IT environment well enough to limit the number of possible attacks.
Next, they tell their story.
Summary of Incident: In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cybersecurity team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
Did you notice some information missing from the story? They didn’t say how long the attack had been going on. I read in a notification from the IEEE Foundation that “Blackbaud notified us of a data security incident that occurred between February and May 2020.” So, Blackbaud’s discovery of the ransomware attempting to encrypt files was in May, but the attack had been happening since February.
This is very typical. When a company like mine (https://www.abacode.com) is hired to perform digital forensics and incident response (DFIR), we often find that the attacker has been in the system, unnoticed, for 180 days on average. Yes, 180 days!
Understanding an adversary’s tactics, techniques, and procedures (TTPs) is essential to containing cyber threats. I recommend checking out MITRE, which has put together a knowledge base of adversary TTPs based on real-world observations called the ATT&CK framework. This is used as a basis for understanding how attacks work, so that kill chain actions can be enacted as early as possible to limit attacks.
Here’s an important takeaway from the MITRE ATT&CK framework: Encrypting files is the LAST thing attackers do, after they have already exploited some vulnerability, gained persistence, moved laterally, established command & control, and exfiltrated data. The fact that Blackbaud caught none of these actions for four months is a real concern.
How bad was it? The next confession is revealed in this part of the message:
Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.
Blackbaud here states that no SSNs or credit cards were compromised, but according to the IEEE Foundation notification, Blackbaud divulged that the attackers were able to access personally identifiable information (PII) such as names, emails, addresses, date of birth, gender, and charitable giving amounts. That PII can be used to create fake identities, apply for credit cards, discover people’s account recovery questions/answers, etc.
Also, Blackbaud paid the ransom to keep from being doxed. But what guarantees do they really have that the data will never show up anywhere? Are these ransomware groups really so stable and reputable that they fear what a negative review could cost them?
I have spoken to some DFIR experts who claim ransomware groups are keen to maintain their reputation and have excellent “customer service”, but I have not personally witnessed this.
I am seeing irregular, inconsistent levels of engagement, although there is definitely a playbook for negotiations.
One must wonder: did Blackbaud run the numbers by their actuary, who told them it would be a better bet to pay the ransom and hope for the best versus notifying all donors with a data breach notification and potentially having to pay for credit monitoring?
The third confession:
This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment. The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.
What I read here is that they had inadequate security in their on-premises systems, and had they migrated these to the cloud, they might not have run into these issues.
The wrap-up: what are they going to do to prevent data breaches in the future?
More about Blackbaud’s Cybersecurity Practices and Next Steps Following this Incident
Over the last five years, we have built a substantial cybersecurity practice with a dedicated team of professionals. Independent reviewers have evaluated our program and determined that it exceeds benchmarks for both the financial and technology sectors. We follow industry-standard best practices, conduct ongoing risk assessments, aggressively test the security of our solutions, and continually assess our infrastructure. We are also a member of various Cybersecurity thought leadership organizations, including: The Cloud Security Alliance and Financial Services Information Sharing and Analysis Center (FS-ISAC), where we team up with other experts to share best practices and tactical threat information for the Cybersecurity community. We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again. You can review more details on our security, risk, compliance and privacy programs here.
My only response to this is that compliant does not equal secure. You can have the best people, policies, training, preventative measures, etc. – but none of this can tell you, right now, whether an attacker is in your system.
My guess is that Blackbaud did not have a Security Information and Event Management (SIEM) system in place with 24/7 eyes-on-glass monitoring. A SIEM aggregates system security audit log information from your firewalls, network infrastructure, servers, cloud, and other systems then runs correlation rules based on continuously updated threat feeds. The result is that it bubbles up security alerts for investigation in near real-time, allowing analysts to contain incidents as early as possible in the MITRE ATT&CK kill chain.
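As an added illustration of the two points above (the ATT&CK ordering, where encryption comes last, and what a SIEM’s correlation rules do with aggregated logs), here is a toy correlation pass written for this post; it is not Abacode’s or Blackbaud’s code. The log format, host names, users and addresses are all constructed, and the rules are deliberately simple thresholds rather than a real SIEM’s rule set.

```python
import re
from datetime import datetime
# Constructed sample log lines in a hypothetical "<time> <source> <event> k=v ..." format
# (test-range addresses, made-up hosts and users; nothing from the actual incident).
SAMPLE_LOGS = """\
2020-02-03T09:12:05 auth FAIL user=svc_backup src=203.0.113.7
2020-02-03T09:12:06 auth FAIL user=svc_backup src=203.0.113.7
2020-02-03T09:12:07 auth FAIL user=svc_backup src=203.0.113.7
2020-02-03T09:12:09 auth OK user=svc_backup src=203.0.113.7
2020-02-04T02:00:13 host TASK_CREATED name=Updater host=db01 user=svc_backup
2020-02-10T03:15:44 auth OK user=svc_backup src=10.0.0.5 dst=fileserver02
2020-03-01T22:40:10 fw ALLOW proto=tcp src=10.0.0.5 dst=198.51.100.9:443 bytes_out=5368709120
2020-05-14T12:00:00 host FILE_RENAME count=120000 host=fileserver02 ext=.locked
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    ts, source, event, rest = line.split(" ", 3)   # '<iso-time> <source> <event> k=v ...'
    return datetime.fromisoformat(ts), source, event, dict(KV.findall(rest))

def correlate(log_text, fail_threshold=3, exfil_bytes=1 << 30):
    """Stateful correlation over the aggregated stream. Returns (time, tactic, detail)
    alerts sorted by time, tactics named in the ATT&CK order the post describes."""
    alerts, fails = [], {}
    for line in log_text.splitlines():
        ts, source, event, f = parse(line)
        if source == "auth":
            key = (f.get("user"), f.get("src"))
            if event == "FAIL":
                fails[key] = fails.get(key, 0) + 1      # guesses per user/source pair
            elif event == "OK" and fails.get(key, 0) >= fail_threshold:
                alerts.append((ts, "initial access", f"guessing succeeded for {key[0]} from {key[1]}"))
                fails[key] = 0
            elif event == "OK" and "dst" in f:           # logon onward to another host
                alerts.append((ts, "lateral movement", f"{f['user']} to {f['dst']} from {f['src']}"))
        elif event == "TASK_CREATED":
            alerts.append((ts, "persistence", f"scheduled task {f['name']} on {f['host']}"))
        elif source == "fw" and event == "ALLOW" and int(f.get("bytes_out", 0)) >= exfil_bytes:
            alerts.append((ts, "exfiltration", f"{f['bytes_out']} bytes out to {f['dst']}"))
        elif event == "FILE_RENAME" and int(f.get("count", 0)) > 10_000:
            alerts.append((ts, "impact", f"mass rename to {f['ext']} on {f['host']}"))
    return sorted(alerts)

def dwell_time_days(alerts):
    """Days from the first actionable alert to the encryption stage (the post's dwell time)."""
    impact = [ts for ts, tactic, _ in alerts if tactic == "impact"]
    return (impact[0] - alerts[0][0]).days if alerts and impact else None
```

On the constructed sample, the first alert fires on the February logon, about 101 days before the mass rename that would finally be noticed without monitoring.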
Without this level of visibility, an organization is flying blind.
Cybercriminals spare no one, and that includes charitable organizations. Charities tend to get hit from both sides – attackers try to scam their donors and try to breach their payment processors. We have seen numerous charities/nonprofits and their support systems attacked like this.
Attackers are stepping up their game. Now is not the time to skimp on cybersecurity. If anything, with increasing telework and a wider potential attack surface, organizations need to ensure they have full visibility with a well-deployed SIEM technology and a hypervigilant Security Operations Center.
Contact us today to learn more about Cyber Lorica™ and how it can help you be more proactive and avoid having to write one of these data breach notifications.