T-Mobile and BlackBerry: More Lessons Learned the Hard Way

We learned this week that T-Mobile was the victim of a data breach that exposed data from tens of millions of customers, and then we found out that there is a flaw in BlackBerry’s QNX operating system that puts hundreds of millions of devices at risk. These events don’t impact everyone, but there are still lessons to be learned. 

Both these issues have significant cybersecurity implications, but there are headlines of that magnitude pretty much every week. While T-Mobile and BlackBerry need to address those issues, and the customers need to deal with the fallout, what are the lessons learned for the rest of us? The bottom line is that there are no excuses in cybersecurity. 

When I see news about the latest zero-day vulnerability, or a company claiming that their data breach was at the hands of a “sophisticated” nation-state attacker, my response is that none of that should matter. Effective cybersecurity needs to be able to detect and defend against all attacks, period. The source or sophistication level of the attacker is not a justification for it succeeding.

We have to be confident that we can protect our networks and data from all attacks. It is not OK to protect against most cyber attacks but fail just because one attack was more complex or was executed by a more sophisticated adversary. Attacks are either detected and stopped or they succeed. Where they come from is irrelevant—or at least should be.

The problem for most organizations is that their security posture is built on archaic solutions or legacy “next-generation” tools that are not capable of adequately protecting against today’s threats. Antiquated point solutions are like hammers—they can only detect attacks that look like nails. Next-generation solutions are too narrowly focused, and often miss the forest for the proverbial trees. 

Defenders need to have an operation-centric perspective on attacks. They need to be able to view and understand the entire malicious operation—or MalOp™—and have the broad intelligence and context necessary to identify Indicators of Behavior (IoBs) and take quick and decisive action to stop attacks, ideally through automated responses.

At Cybereason, we do what we do to empower our fellow defenders. Attackers may be able to leverage data exposed in the T-Mobile breach to steal user credentials or craft more effective phishing attacks. They might be able to exploit vulnerabilities in the QNX RTOS to compromise IoT devices and embedded systems that rely on the operating system. Attackers will continue to adapt and they will always find new ways to innovate and to infiltrate networks. 

But how the attackers get into your network doesn’t matter as much as how prepared we are to defend. What matters is that we have the right tools in place to identify suspicious or malicious behavior early in the attack sequence and the right tools to stop the attack before damage is done. 

It is important to pay attention to cybersecurity headlines so you can see trends and have awareness of issues that may pose increased risk to your organization. In the end, though, no matter where the attack is from or how the attack works, we have to stop it. There are no excuses in cybersecurity.

Lior Div

About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
