Running head: YAHOO AND THE CYBER KILL CHAIN 1

Yahoo and the Cyber Kill Chain

Raul Mendoza

University of San Diego

Cyber Intelligence

CSOL 580

Brad Palm

August 13, 2017

YAHOO AND THE CYBER KILL CHAIN 2

Yahoo and the Cyber Kill Chain

In recent years Yahoo has been the victim of numerous attacks and successful breaches.

In 2013 1 billion accounts were stolen, in 2014 500 million accounts were stolen, and in 2015/16

attackers used forged cookies to access user accounts without a password. Upon reviewing the

details of the incidents, it was discovered that the latest attack involved accounts from previous

breaches.

In this report I will be reviewing the Lockheed Martin kill chain methodology (Cyber Kill

Chain, 2017, p. 1) and the actions taken by the attackers as they progressed through the kill

chain. Understanding and assessing their actions will provide our company insight into where

and how they were successful. In addition, determine if we are vulnerable in the same manner

and how best to mitigate the vulnerabilities if we are. The following questions will be addressed:

1. How long did the attackers spend in each phase?

2. What was the overlap between phases?

3. Can you identify where Yahoo should have been able to interdict the attackers?

4. What were the attackers after?

5. What kind of attackers were these? Hacktivists, Transnational Criminal

Organization, Nation-State?

The successful breaches that occurred were done with a patience and finesse few

organizations or people are capable of. When analyzing the reports, it appears multiple phases of

the kill chain were performed throughout the three-year period. The attacker’s reconnaissance

efforts started with their ability to attain 1 billion user accounts.

In 2014, 500 million accounts with user data was collected which indicated that the

attackers were patient in their efforts to breach Yahoo. But to attain the data they must have been
YAHOO AND THE CYBER KILL CHAIN 3

successful in compromising Yahoo’s servers which would have required weaponization,

delivery, exploitation, and specific actions that led to the successful exfiltration of user

information 1 year later. Specifically, hackers obtained Yahoo's code and created their own

cookies which circumvented password login requirements giving them access 32 million

accounts through 2015 and 2016. The attackers were successful in retrieving information that

included names, email addresses, telephone numbers, dates of birth and hashed passwords.

(Conger, 2016, p. 1)

Yahoo could have stopped, or at the very least, minimized how much information the

attackers were able to attain. According to reports, despite multiple efforts and requests for

financial support to increase proactive security defenses, like Intrusion Detection Systems, the

CEO continuously denied these requests. In addition, basic maintenance and security practices,

like password resets, were ignored and rejected which could have made it more challenging for

the attackers. Yahoo admits that certain senior executives also failed to comprehend or

investigate the incidents, therefore, failed to act sufficiently despite the company’s internal

security team’s knowledge of the breaches. (Turton, 2016, p. 1)

It is still uncertain as to what the attackers were after, but efforts were made to sell user

information on the Dark Web. Typically, when user information is attained, attackers use the

information in an effort to compromise other online accounts linked to the compromised

individuals. Additionally, specific inquiries were made for compromised accounts linked to U.S.

government employees which led authorities to believe foreign intelligence agencies where

involved and attempting to purchase the information.

According to Yahoo, it is believed that state-sponsored actors performed the breaches.

Unofficially, it was also reported that similarities were highlighted between the attack and
YAHOO AND THE CYBER KILL CHAIN 4

previous breaches that were performed by the Russian government. Skepticism still exists as to

whether the breaches were performed by state-sponsored actors. Some believe Yahoo’s claims

would reduce the embarrassment by attributing the attacks to a state-sponsor. (Conger, 2017, p.

1)

Although the Chief Information Security Officer made multiple efforts to update Yahoo’s

security practices and infrastructure, senior executives did not understand the risk or impact

cyber breaches could have on the company. Key takeaways for our company are as follows:

1. Review all policies to ensure they are current, relevant, and understood by executives and

employees; revise and update as necessary

2. Perform a penetration test (Pentest) of our enterprise to determine if vulnerabilities exist

and intelligently manage them

a. Find holes now before somebody else does

b. Report problems to management

c. Verify if our monitoring, reporting, response, and mitigation procedures are

effective

d. Identify any gaps

3. Based on the results from the Pentest, create a Plan of Action and Milestones to mitigate

vulnerabilities and reduce our company’s attack surface and risk of compromise
YAHOO AND THE CYBER KILL CHAIN 5

References

Conger, K. (2016). Yahoo discloses hack of 1 billion accounts. Retrieved from

https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/

Conger, K. (2017). Yahoo offers new details on breaches to Senate committee. Retrieved from

https://techcrunch.com/2017/02/27/yahoo-offers-new-details-on-breaches-to-senate-

committee/

Cyber Kill Chain. (2017). The Cyber Kill Chain. Retrieved from

http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-

chain.html

Turton, W. (2016). How Yahoo Totally Blew It on Security. Retrieved from

https://gizmodo.com/how-yahoo-totally-blew-it-on-security-1787177844