Trustwave Blog

Latest AT&T Data Breach Highlights the Need to Double Down on Cybersecurity Basics

Written by Eric Harmon | Jul 15, 2024

AT&T reported on July 12 that an internal investigation had revealed that the telecommunication provider had been victimized by a third-party breach,resulting in the compromise of records of calls and texts of nearly all of AT&T’s cellular customers. An AT&T spokesperson confirmed to a news source that the breach resulted from of the data stolen from cloud storage firm Snowflake.

AT&T stated in a release it does not believe the attackers took any personally identifiable information, but the breach is limited to “data including files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network.”

Trustwave SpiderLabs has a long track record of incident response in similar data breach cases but is not involved in this specific investigation. In May, it posted a security advisory detailing how the Snowflake data breach impacted many of that firm's clients and making recommendations on mitigative measures related to this particular threat.

As with most breach headlines, this incident does not appear at this time to be the result of a sophisticated nation-state cyberattack. Instead, it follows the same narrative we are seeing all too often.

Cybercriminals generally breach organizations using a combination of relatively low-sophistication tactics which could be disrupted by layered cybersecurity controls and diligent cybersecurity hygiene. There are simple and clear-cut steps that an organization take to reduce the chances of a data breach impacting your organization.

 

Getting Back to the Basics

This breach, along with the unrelated incident AT&T endured in March 2024, highlights the need for a thorough approach to cybersecurity that focuses on ensuring the basics are covered, as damaging breaches frequently hinge on preventable mistakes like weak passwords, unpatched systems, unmanaged supply chain risk and proper identity access management.

These "open doors and windows" are easily exploited, leading to significant disruptions, financial losses, litigation, and reputational harm. In fact, most breaches and their associated headlines result from these preventable errors rather than sophisticated attacks. Advances in AI are making it even easier for attackers to systematically and swiftly identify and exploit vulnerabilities.

To mitigate these risks, it’s crucial to implement offensive and defensive security measures, leverage human expertise alongside AI and automation, institute the basics like multifactor authentication and effectively utilize resources to identify and close the gaps that cybercriminals are eager to exploit.

 

People Plus AI Equals Effective Cybersecurity

Human expertise is crucial in cybersecurity. While security technology is invaluable, especially with the recent hype around Generative AI, it alone is insufficient. Skilled cybersecurity professionals wwho understand attacker tactics and can analyze threat intelligence are essential for comprehensive protection. Enterprises need cyber experts who can match the skills of their adversaries, as the human element, especially when augmented with AI and automation, is indispensable for identifying and closing vulnerabilities before attackers exploit them.

Building an Offensive and Defensive Posture

Hackers thrive on the increasing complexity and the rapidly evolving landscape of the attack surface. The average number of applications organizations use has surged, with typical organizations now using around 130 SaaS apps, up from just 16 five years ago, rapidly expanding the attack surface that threat actors can exploit.

These applications, along with supply chain connections, cloud databases, and other innovations, offer significant business benefits and amplify risk.

To cut through this complexity, organizations need to deploy proactive threat hunters who will actively search for signs of attackers within your network, identifying and eliminating threats before they cause damage and often even before they are identified by sophisticated cyber technologies.

Additionally, a proven managed detection and response (MDR) solution is your safety net. It detects compromises quickly, contains them, and eradicates threats before they escalate.

Support these efforts with offensive security measures, such as penetration testing and Red Team exercises. These will show you how your organization appears through an attacker’s lens and remediate any open vulnerabilities before they are exploited.

The dynamic nature of cyber threats necessitates frequent testing, not just for compliance but for proactive risk reduction through expert assessments. While total risk elimination is impossible, these targeted actions can substantially diminish it.

Also consider implementing a multi-layered email defense. Relying on a single tool means hackers only need one successful email to get through and wreak havoc. Layered security combines techniques like domain blocking, malware detection, and anti-phishing measures to create a formidable barrier and dramatically reduce the number of malicious emails reaching their intended targets.

Beyond email, which remains the most common attack vector, secure your data with identity and rights management and implement a Zero Trust Architecuture (ZTA).

ZTA allows you to monitor user activity, identify suspicious behavior, and contain potential breaches even after credential theft or malware infection. This is accomplished by conducting a thorough vulnerability and configuration assessment, implementing an identity and access management program, and enforcing data access policies.

ZTA will help identify any staffers who are “over permissioned.” Over-permissioned refers to a situation where an individual is granted more access to data than is necessary or appropriate for their role.

Over-permissioned users pose a severe danger because if that person or their credentials are compromised an attacker gains authorized access to the data making any illegal access difficult to spot, often remaining unknown until the breach itself becomes visible.

 

Improving Cyber Resilience by Maximizing Value of Cyber Investments

Investing heavily in cybersecurity doesn't guarantee success. Simply acquiring the latest technology and tools won’t automatically translate to impenetrable defenses.

The key lies in optimizing existing resources – streamlining security processes to reduce redundancies, automating tasks, and freeing up human resources for strategic analysis. Organizations need to fine-tune and test security tools to ensure effectiveness and minimize false positives, delivering actionable insights instead of overwhelming security teams with irrelevant noise. Most importantly, focus on the threats that truly matter.

Conduct regular risk assessments to identify adaptive threats and new vulnerabilities, tailoring defenses accordingly. Prioritize the threats with the highest potential impact rather than trying to defend against every possible attack.

Last but not least, instill cybersecurity into your organization's culture through recurring security awareness training, tabletops, and other means to minimize the opportunity for your employees to be the open door on a potential attack.

This latest AT&T incident might soon be a distant memory, but its lessons shouldn't fade. It serves as a wake-up call to prioritize cyber resilience, invest in human talent, embrace proactive strategies, continuously adapt to the evolving threat landscape, and manage supply chain risk effectively.

Cybersecurity is an ongoing process, not a one-time fix. Leaders can keep their organizations secure in the ever-evolving threat landscape by staying vigilant and adapting strategies.