Anatomy of a Data Breach: How Cisco Recovered After a Cyber Incident

Currently one of the largest tech companies with billions of dollars in revenue, Cisco Systems, Inc. (generally known as Cisco) has historically invested in security. After illegally borrowing Stanford University’s Blue Box router and software to start the company, the founders created the Local Access Network (LAN) protocol that connects local devices to one another. Essentially, they pioneered early Wi-Fi capability. 

The trouble with connected devices, however, is that the connectivity that so appeals to customers also makes attacks easier for bad actors. Once inside the network, an attacker can theoretically access any number of other devices. To prevent this and other security issues, Cisco created the Talos Intelligence Group as a way to improve their own security posture and to provide support and insights to the public. 

Unfortunately for Cisco, the connectivity the business was built on led to a problem. In the spring of 2022, Cisco discovered that an attacker was going after its IT infrastructure. If an attacker had gained access to that infrastructure, there would have been substantial risk of that entity gaining superuser privileges — a convenient way to make itself an administrator. 

The Firehouse Caught Fire

A cyber incident at a company this large and security-focused is alarming. Cisco’s clients and investors would have been (rightly) upset when informed, but there was very little chatter on the message boards and even less quibbling over stock prices, which largely continued their upward trend in August.

Perhaps most interestingly, the fallout from this incident has been minimal. There have been no substantial attacks connected to this event on anyone Cisco works with, its customers aren’t reporting unusually high identity theft rates, and overall the company has been able to keep itself out of regulatory trouble. The PR is good, and business has been unaffected.  

Given that Cisco emphasizes the importance of security, it is perhaps surprising that it would experience a data breach. However, it’s important to remember that any company can experience a security incident, especially a large, financially solvent organization. Where there are money and online presence, there are attack opportunities. For most companies, the IT posture should not be what to do if an incident occurs; instead, it must be what to do when it does.

So, the security company’s security was compromised but it’s not as ironic as one might think, especially since the fault turned out to be a combination of voice phishing and an employee’s human error after they fell victim to multi-factor authentication (MFA) fatigue. Word to the wise: If your IT department forces you to do MFA with push notifications or phone calls, they are 1) doing it for love of security, not to be aggravating (though it may feel otherwise); and 2) hoping that you will not approve an authentication request unless you are actively trying to log in.

Cisco’s Response

The employee in question, evidently, was not trying to log in at the time of approving the push notification from the MFA platform. Thus, the attacker was able to access Cisco’s systems and start messing around. The good news is that the group didn’t get very far.

Probably of foremost importance to limiting the scope of the attack, Cisco caught the breach early. Closely attending to system activity and limiting the employees who had permission to access sensitive data likely helped. Early intervention prevented ransomware from being deployed, something that would have made the situation much worse. Since Cisco is such a large company, it is vulnerable to supply-chain attacks, in which the attacker utilizes information or access from one company to attack others. 

Because the breach occurred due to a social engineering attack, in which a single employee’s account was used to infiltrate the company’s servers, the incident would have been much worse had that employee had unmitigated access to all company data (especially consumer data, which was not compromised). By minimizing the amount of information available to any given employee at any given time (think need-to-know basis for access), Cisco was able to keep damage to a minimum.

Following the breach, according to Talos, Cisco required all employees to reset their passwords to prevent the attacker from returning after expulsion. In addition to closing potential attack vectors, Cisco continued monitoring the system to ensure that there was no continued suspicious activity. Although the attacker persistently attempted to regain access, Cisco’s measures appear to have been effective. Going forward, Cisco’s security team recommends (and presumably implemented for themselves) increasing employee training, offline backups (that are regularly checked for functionality), and network segmentation, among other things.  

Show IT Some Love

Cisco’s security measures before the incident contributed to the breach being far less problematic, for both the company and its customers, than it could have been. Thus far, it seems the security measures taken after the incident have also been effective. The average cost of a breach is over $4 million, but Cisco didn’t have to pay ransom, fines, or legal settlements, and given that business was not affected, it likely dodged most financial repercussions. All in all, Cisco has escaped essentially unscathed.  

No organization is perfect. Cisco could have disclosed the breach earlier (before being outed by the group that got them), for example. Additionally, improved employee training might have prevented the employee from storing passwords in the browser or from authenticating MFA requests from the attacker. However, ultimately the company is a good example of a solid approach to data security and incident response. All of the prevention measures contributed to low costs and zero downtime. We would all do well to take the example under advisement.