Connecting the Dots of the Uber Hack

Even a seemingly simple cyberattack unfolds through many steps. With the right technology, security teams can now spot the warning signs.


Last month, Uber dropped a PR bomb: in 2016, the company, then under embattled CEO Travis Kalanick, quietly paid at least one hacker to destroy the personal information of 57 million customers and drivers that the attackers had obtained. The culprit turned out to be a 20-year-old from Florida who spearheaded the cyberattack and was paid off through Uber’s bug-bounty program.

Over the cover-up, Uber fired its CSO Joe Sullivan and his deputy, senior lawyer Craig Clark. Meanwhile, officials in New York, New Mexico, Connecticut, Illinois, and Massachusetts are all investigating the hack. Presumably, the FTC will follow.

Like many cyberattacks, this one could have been caught early had Uber deployed security analytics driven by unsupervised machine learning, or integrated its existing security tools into such a platform. Analytics of this kind ingest and process billions of real-time events from many log sources and scale with a company’s data growth. They build multidimensional behavioral baselines for each entity (users, devices, servers, applications, IP addresses, and so on), then flag deviations from those baselines, both in an entity’s own behavior and in how entities behave together. Security teams, often swamped by false alerts from SIEMs and other rule- or threshold-based tools, instead work from a short, validated list of critical threats.

In the case of Uber’s breach, there were multiple stages at which suspicious behavior could have been spotted early in the attack. (We make two reasonable assumptions: that Uber controlled its own GitHub account, and that the company had appropriate logging turned on across all environments.) Below is a breakdown of what the hackers did at each stage, and how they could have been caught by security analytics that leverage unsupervised machine learning.


Step #1: Hackers Access a GitHub Repository Used by Uber Engineers
Had Uber’s security architecture included analytics with source-code repository monitoring, it could have flagged several anomalies tied to this breach: repository access from a location the account had never used, and access to source-code branches the account did not normally touch.

Step #2: Hackers Find and Use Credentials for Uber’s Amazon Web Services (AWS) Account
With authentication data sources feeding compromised-account detection, Uber’s security team would have been alerted to anomalous access patterns: unusual or unsuccessful login attempts, unusual successful logins, and anomalous time-of-day and day-of-week access. A library of unsupervised models covering each of these behaviors scales compromised-account detection across every principal without hand-written thresholds. The underlying weakness, a long-lived AWS access key sitting in source control, is also worth calling out: a secrets scan of the repository and routine key rotation would have removed the credential before an attacker could use it.

Step #3: Hackers Perform Recon on AWS to Find the Customer and Driver Information Archive
Monitoring lateral movement and authentication sources is essential to catching internal reconnaissance, another pivotal stage in network intrusions. This means spotting intruders wandering from host to host (or folder to folder) as they look for data, and catching them accessing unusual, rare, or inactive shared files. In AWS the same wandering shows up in the API audit trail as enumeration calls (listing buckets, objects, or instances) that the principal has never made before.

Step #4: Data Exfiltration From AWS to a Local Hacker-Owned Machine
Had they monitored for data exfiltration, Uber’s security team would have detected an unusual volume of bytes leaving the AWS environment, as well as unusual download activity, such as a single principal pulling a multi-gigabyte archive it had never touched before.

Lastly, especially in multi-step breaches such as this one, it is important to have a security-analytics solution that can assemble a timeline of suspicious activities across log sources. A security practitioner is spared the arduous task of “connecting the dots” and can instead quickly triage and escalate security incidents as they occur.
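To make the four stages and the timeline concrete, here is an added example (it is not the article’s code, nor any vendor’s product): a small Python detector that learns per-principal baselines from unlabelled, constructed GitHub-audit-style and CloudTrail-style records, scores later events for the anomalies named in steps 1 through 4 (new location, odd hour, failed login, never-before-seen API call, byte volume far beyond baseline), and groups the resulting alerts by source address so that the repository access and the AWS activity appear as one incident. The event format, the principal names, the IP addresses, the timestamps and the byte counts are all constructed for illustration.

```python
"""Added example: per-entity baselines learned from unlabelled logs, anomaly
scoring for the four attack stages, and a cross-source incident timeline.
Every record below is constructed; none is real Uber, GitHub or AWS data."""
from collections import defaultdict
from datetime import datetime
import statistics


def ev(ts, user, event, ip, src, nbytes=0, ok=True):
    """Build one normalised log record (constructed sample data)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "ip": ip, "src": src, "bytes": nbytes, "ok": ok}


OFFICE, ATTACKER = "198.51.100.10", "203.0.113.7"   # RFC 5737 documentation addresses

# Two weeks of routine activity for a developer and a deploy service account.
EVENTS = []
for d in range(1, 15):
    EVENTS += [
        ev(f"2016-10-{d:02d}T10:05:00", "dev-alice", "git.clone", OFFICE, "github"),
        ev(f"2016-10-{d:02d}T15:40:00", "dev-alice", "git.push", OFFICE, "github"),
        ev(f"2016-10-{d:02d}T09:00:00", "svc-deploy", "ConsoleLogin", OFFICE, "cloudtrail"),
        ev(f"2016-10-{d:02d}T11:30:00", "svc-deploy", "PutObject", OFFICE, "cloudtrail"),
    ]
    EVENTS += [ev(f"2016-10-{d:02d}T{h:02d}:15:00", "svc-deploy", "GetObject", OFFICE,
                  "cloudtrail", nbytes=1800 + 50 * d) for h in (9, 13, 17)]

# After the training window: one benign event, then the four attack stages.
EVENTS += [
    ev("2016-10-17T13:15:00", "svc-deploy", "GetObject", OFFICE, "cloudtrail", nbytes=2200),
    # 1. repository cloned from an address never seen for this developer
    ev("2016-10-19T22:40:00", "dev-alice", "git.clone", ATTACKER, "github"),
    # 2. leaked AWS credential tried from the same address at 03:00
    ev("2016-10-20T03:02:10", "svc-deploy", "ConsoleLogin", ATTACKER, "cloudtrail", ok=False),
    ev("2016-10-20T03:02:41", "svc-deploy", "ConsoleLogin", ATTACKER, "cloudtrail"),
    # 3. reconnaissance: API calls this principal has never made
    ev("2016-10-20T03:05:03", "svc-deploy", "ListBuckets", ATTACKER, "cloudtrail"),
    ev("2016-10-20T03:06:18", "svc-deploy", "ListObjects", ATTACKER, "cloudtrail"),
    # 4. exfiltration: one object fetch roughly two million times the usual size
    ev("2016-10-20T03:09:55", "svc-deploy", "GetObject", ATTACKER, "cloudtrail",
       nbytes=4_300_000_000),
]
CUTOFF = datetime(2016, 10, 15)   # events before this date train the baselines


def build_baselines(events, cutoff=CUTOFF):
    """Unsupervised profile per principal: no labels, only what was observed."""
    prof = defaultdict(lambda: {"ips": set(), "hours": set(), "events": set(), "bytes": []})
    for e in events:
        if e["ts"] < cutoff:
            p = prof[e["user"]]
            p["ips"].add(e["ip"])
            p["hours"].add(e["ts"].hour)
            p["events"].add(e["event"])
            if e["bytes"]:
                p["bytes"].append(e["bytes"])
    return prof


def score(events, prof, cutoff=CUTOFF, z=3.0):
    """Return [(event, [reasons])] for post-cutoff events that deviate from baseline."""
    alerts = []
    for e in sorted((x for x in events if x["ts"] >= cutoff), key=lambda x: x["ts"]):
        p = prof.get(e["user"])
        if p is None:
            alerts.append((e, ["unknown_principal"]))
            continue
        reasons = []
        if e["ip"] not in p["ips"]:
            reasons.append("new_ip")         # anomalous location
        if e["ts"].hour not in p["hours"]:
            reasons.append("odd_hour")       # anomalous time-of-day
        if not e["ok"]:
            reasons.append("failed_login")   # unsuccessful login attempt
        if e["event"] not in p["events"]:
            reasons.append("new_api")        # reconnaissance: unseen API call
        if e["bytes"] and len(p["bytes"]) > 1:
            mu, sd = statistics.mean(p["bytes"]), statistics.pstdev(p["bytes"])
            if e["bytes"] > mu + z * max(sd, 1.0):
                reasons.append("large_egress")   # exfiltration: volume beyond baseline
        if reasons:
            alerts.append((e, reasons))
    return alerts


def timeline_by_ip(alerts):
    """Connect the dots: order every alert and group by source address across
    log sources and principals, so a GitHub clone and an AWS login from the
    same address land in one incident."""
    tl = defaultdict(list)
    for e, reasons in alerts:
        tl[e["ip"]].append((e["ts"].isoformat(timespec="minutes"), e["src"],
                            e["user"], e["event"], reasons))
    return {ip: sorted(rows) for ip, rows in tl.items()}


if __name__ == "__main__":
    for ip, rows in timeline_by_ip(score(EVENTS, build_baselines(EVENTS))).items():
        print(f"incident from {ip}:")
        for row in rows:
            print("  ", *row)
```

Running it prints a single incident for 203.0.113.7 containing six alerts spanning both log sources, while the routine GetObject on 17 October from the office address produces none; that is the false-alert reduction the article credits to behavioral baselines rather than static thresholds. The byte check (mean plus three standard deviations of the principal’s own history) stands in for whatever models a product would use; the point is that each baseline is learned per entity rather than configured by hand, and that the timeline is keyed on an attribute shared across sources.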
