Raul Mendoza
Cyber Intelligence
CSOL 580
Brad Palm
In recent years Yahoo has been the victim of numerous attacks and successful breaches.
In 2013, 1 billion accounts were stolen; in 2014, 500 million accounts were stolen; and in 2015 and 2016,
attackers used forged cookies to access user accounts without a password. Upon reviewing the
details of the incidents, it was discovered that the latest attack involved accounts from the previous
breaches.
In this report I will review the Lockheed Martin Cyber Kill Chain methodology (Cyber Kill
Chain, 2017, p. 1) and the actions the attackers took as they progressed through each phase of the
chain. Understanding and assessing those actions will give our company insight into where
and how the attackers succeeded, whether we are vulnerable in the same way, and, if so, how
best to mitigate those vulnerabilities. The following questions will be addressed:
3. Can you identify where Yahoo should have been able to interdict the attackers?
Organization, Nation-State?
The successful breaches were carried out with a patience and finesse that few
organizations or individuals are capable of. Analysis of the reports indicates that multiple phases of
the kill chain were executed over the three-year period. The attacker's reconnaissance
In 2014, 500 million accounts with user data were collected, which indicates that the
attackers were patient in their efforts to breach Yahoo. But to obtain the data they must have been
YAHOO AND THE CYBER KILL CHAIN 3
delivery, exploitation, and specific actions that led to the successful exfiltration of user
information one year later. Specifically, the attackers obtained Yahoo's proprietary code and used
it to forge their own cookies, which circumvented the password login requirement and gave them
access to 32 million accounts through 2015 and 2016. A forged cookie makes a stolen or reset
password irrelevant, because the server accepts the cookie as proof that the user has already
logged in. The attackers were successful in retrieving information that included names, email
addresses, telephone numbers, dates of birth and hashed passwords (Conger, 2016, p. 1).
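The forged-cookie technique described above is easiest to see with a small model. The following is an added example written for this report; it is not Yahoo's code and is not taken from the cited reports, and the cookie format, key handling and names (StatelessCookies, ServerSideSessions, demo) are hypothetical. It shows why a cookie whose validity depends only on a signing key and a format the attacker has obtained can be minted for any account without a password, and two mitigations: rotating the key, which invalidates every cookie (forged or not) and therefore has to be paired with a forced re-login, and keeping a server-side record of issued sessions, so that a cookie the server never issued, or one that has been revoked, is rejected even when its signature is correct.

```python
# Added example: a forgeable login cookie and two mitigations. The format,
# keys and class names are hypothetical, not Yahoo's actual cookie design.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatelessCookies:
    """cookie = base64(payload) + "." + hex(HMAC-SHA256(key, payload)).
    Validity depends only on the key and the format, so whoever obtains the
    signing code and key can mint a cookie for any account, and the server
    cannot tell it from one it issued itself."""

    def __init__(self, key: bytes):
        self.key = key

    def mint(self, user: str, ttl: int = 3600, now: Optional[int] = None,
             sid: Optional[str] = None) -> str:
        now = int(time.time()) if now is None else now
        sid = sid or secrets.token_hex(8)
        payload = json.dumps({"u": user, "sid": sid, "exp": now + ttl},
                             sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return _b64(payload) + "." + tag

    def verify(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        """Return the user the cookie authenticates, or None if rejected."""
        now = int(time.time()) if now is None else now
        try:
            body, tag = cookie.split(".", 1)
            payload = _unb64(body)
            expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, expected):
                return None
            data = json.loads(payload)
        except (ValueError, TypeError, UnicodeDecodeError):
            return None
        if not isinstance(data, dict) or data.get("exp", 0) < now:
            return None
        return self._accept(data)

    def _accept(self, data: dict) -> Optional[str]:
        return data.get("u")


class ServerSideSessions(StatelessCookies):
    """Same format, but the server records every session id it issued. A
    well-signed cookie it never issued (a forgery) or one that was revoked is
    rejected, so a leaked key alone is not enough and single sessions can be
    killed without rotating the key."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.issued = set()

    def mint(self, user, ttl=3600, now=None, sid=None):
        sid = sid or secrets.token_hex(8)
        self.issued.add(sid)
        return super().mint(user, ttl, now, sid)

    def revoke(self, cookie: str) -> None:
        self.issued.discard(json.loads(_unb64(cookie.split(".", 1)[0])).get("sid"))

    def _accept(self, data: dict) -> Optional[str]:
        return data.get("u") if data.get("sid") in self.issued else None


def demo() -> dict:
    """Walk through the forgery and both mitigations; returns the outcomes."""
    key = secrets.token_bytes(32)
    site = StatelessCookies(key)
    legit = site.mint("alice")
    # Attacker holds the signing code and key: mints a cookie for another
    # user without knowing that user's password (the text's "forged cookies").
    forged = StatelessCookies(key).mint("victim")
    out = {"legit_ok": site.verify(legit) == "alice",
           "forged_accepted": site.verify(forged) == "victim"}
    # Mitigation 1: rotate the key. Forged cookies die, but so do legitimate
    # ones, so rotation has to be paired with a forced re-login for everyone.
    site.key = secrets.token_bytes(32)
    out["forged_after_rotation"] = site.verify(forged)
    out["legit_after_rotation"] = site.verify(legit)
    # Mitigation 2: server-side session registry, same (leaked) key.
    strict = ServerSideSessions(key)
    legit2 = strict.mint("alice")
    forged2 = StatelessCookies(key).mint("victim")
    out["strict_legit"] = strict.verify(legit2)
    out["strict_forged"] = strict.verify(forged2)
    strict.revoke(legit2)
    out["strict_revoked"] = strict.verify(legit2)
    return out
```

Calling demo() shows the stateless design accepting the forged cookie, the rotated key rejecting every cookie, and the registry rejecting the forgery and the revoked session while still accepting the legitimate one. The registry is the property a breached site needs most: it can cut off the attacker's sessions selectively instead of logging out the whole user base.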
Yahoo could have stopped, or at the very least minimized, how much information the
attackers were able to obtain. According to reports, the security team made multiple requests for
funding to strengthen proactive defenses such as intrusion detection systems, and the CEO
repeatedly denied them. In addition, basic maintenance and security practices, such as forcing
password resets after a breach, were rejected; a reset would have rendered the stolen password
hashes useless for logging in (although it would not have blocked the forged cookies) and made
the attackers' job harder. Yahoo admits that certain senior executives also failed to comprehend or
investigate the incidents and therefore failed to act sufficiently despite the company's internal
It is still uncertain what the attackers were after, but efforts were made to sell the user
information on the Dark Web. Typically, when user information is obtained, attackers use the
individuals. Additionally, specific inquiries were made for compromised accounts linked to U.S.
government employees, which led authorities to believe foreign intelligence agencies were
Unofficially, it was also reported that similarities were highlighted between the attack and
previous breaches attributed to the Russian government. Skepticism still exists as to
whether the breaches were performed by state-sponsored actors; some believe Yahoo attributed
the attacks to a state sponsor in order to reduce its embarrassment (Conger, 2017, p. 1).
Although the Chief Information Security Officer made multiple efforts to update Yahoo's
security practices and infrastructure, senior executives did not understand the risk or the impact
that breaches could have on the company. Key takeaways for our company are as follows:
1. Review all policies to ensure they are current, relevant, and understood by executives and
effective
3. Based on the results of the penetration test, create a Plan of Action and Milestones (POA&M) to
mitigate the vulnerabilities found and reduce our company's attack surface and risk of compromise.
References
Conger, K. (2016). Yahoo discloses hack of 1 billion accounts. Retrieved from
https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/
Conger, K. (2017). Yahoo offers new details on breaches to Senate committee. Retrieved from
https://techcrunch.com/2017/02/27/yahoo-offers-new-details-on-breaches-to-senate-committee/
Cyber Kill Chain. (2017). The Cyber Kill Chain. Retrieved from
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html
https://gizmodo.com/how-yahoo-totally-blew-it-on-security-1787177844