Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

SANS Suffers Data Breach After Phishing Attack

August 13, 2020

When a cybersecurity training organization with a great reputation suffers a data breach, people take notice. Let me say at the outset that this appears to be a little breach – and I think that SANS has commendably treated this as a teaching moment.

Bleeping Computer posted on August 11 that the SANS cybersecurity training organization suffered a data breach after one of their employees fell for a phishing attack. The SANS Institute is one of the largest organizations offering information security training and security certification to users worldwide.

SANS posted on its website that one of their employees fell for a phishing attack that permitted an attacker to gain access to one email account. This was discovered on August 6th as part of a review of their organization's email configuration.

"We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised," states the SANS data incident notification.

The attacker configured a rule that forwarded all email received in the affected account to an "unknown external email address" and installed a malicious Office 365 add-on.

Though SANS has not provided much information about this add-on, it may be an Office 365 OAuth app used to maintain persistent access to the email account. The rule forwarded a total of 513 emails, some of which contained, in total, approximately 28,000 records of personally identifiable information (PII) for SANS members.

This information does not include passwords or financial information such as credit cards, but does include email addresses, full names, phone numbers, work titles, company names, and physical addresses.
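
A defender's check for the two persistence mechanisms described above (an external forwarding rule and an application consent), added here as an example and not taken from SANS or the original post. It assumes audit records exported as JSON lines that use Office 365 unified audit log operation names; the sample records, the domains, and `INTERNAL_DOMAINS` are constructed.

```python
import json
import re

INTERNAL_DOMAINS = {"example.org"}  # assumption: the tenant's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}
CONSENT_OPS = {"Consent to application", "Add OAuth2PermissionGrant"}
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample records, reduced to the fields this check reads.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2020-01-01T10:00:00", "UserId": "alice@example.org", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@mail.example.net"}]}
{"CreationTime": "2020-01-01T10:05:00", "UserId": "bob@example.org", "Operation": "New-InboxRule", "Parameters": [{"Name": "ForwardTo", "Value": "team@example.org"}]}
{"CreationTime": "2020-01-01T10:07:00", "UserId": "alice@example.org", "Operation": "Consent to application", "ObjectId": "00000000-0000-0000-0000-000000000000"}
{"CreationTime": "2020-01-01T11:00:00", "UserId": "carol@example.org", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@example.com"}]}
{"CreationTime": "2020-01-01T11:30:00", "UserId": "bob@example.org", "Operation": "MailItemsAccessed"}
"""

def external_addresses(value):
    """Return the addresses in a parameter value whose domain is not internal."""
    return [m.group(0) for m in ADDRESS.finditer(value)
            if m.group(1).lower() not in INTERNAL_DOMAINS]

def find_suspicious(log_text):
    """Flag forwarding to external addresses and application consent events."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        op, user = rec.get("Operation"), rec.get("UserId")
        if op in RULE_OPS:
            for param in rec.get("Parameters", []):
                if param.get("Name") in FORWARD_PARAMS:
                    for addr in external_addresses(param.get("Value", "")):
                        findings.append((user, "external-forward", addr))
        elif op in CONSENT_OPS:
            # Consent is not malicious by itself; it is surfaced for review.
            findings.append((user, "app-consent", rec.get("ObjectId", "unknown")))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_AUDIT_LOG):
        print(finding)
```

An account that shows both an external forward and an application consent close together, as `alice@example.org` does in the sample, matches the pattern reported in this incident and deserves the first look.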

SANS instructors are conducting the investigation, which makes sense given the many credentials of their own personnel. Their forensics instructors will oversee the investigation, work to ensure that no other systems are compromised, and harden their existing systems and security.

This is the part I really like. To make this an educational opportunity, SANS says that it will host a webcast that includes information about the incident that will be useful to the entire security community.

The folks at Sensei have always admired SANS and their instructors. We will certainly attend that webcast!

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson