The March 2022 incident at Apple is not the first one the company has faced. A few months earlier, in September 2021, Apple patched a zero-click iMessage exploit that was being used to deliver commercial spyware (NSO Group's Pegasus) onto iPhones, iPads, Macs, and other Apple devices; until the patch shipped, effectively every unpatched iPhone was exposed. It was an attack not just on users or devices but on the reputation, hard work, and years of innovation Apple had invested in. A couple of years before that, in 2019, Google's Project Zero disclosed a set of iPhone exploit chains, served from compromised websites, that affected an unknown number of users: simply visiting the wrong site was enough to be infected with monitoring spyware, after which the attackers could access pretty much everything on the device. Earlier still, between 2010 and 2015, there were several attacks on Apple devices and data, among them the XcodeGhost campaign (trojanized Xcode builds that injected malware into App Store apps) and the KeyRaider malware (credential theft from jailbroken iPhones), alongside leaks of iCloud and other user data.
In this latest episode, Apple's production services such as the App Store, Apple TV, and Apple Music were also hit: nearly a dozen Apple services were down for thousands of users, 11 separate outages in total. At cPacket we have always paid close attention to service downtime from both the security and the performance angles, and to shrinking the time it takes to bring a service back into production.
First of all, device manufacturers and digital service providers like Apple need to recognize that they are exposed at both ends: the endpoints, such as the mobile devices themselves, and the data center and/or cloud side where digital content and services are hosted. For example, Apple may store iCloud data in its own data centers, in AWS, Azure, or Google Cloud, or in all of the above; the exact mix is not public. But under the shared-responsibility model the cloud providers are accountable only for the infrastructure covered by their service level agreements; responsibility for observing and securing Apple's digital assets and user data ultimately stays with Apple. Applying the appropriate patches and closing known vulnerabilities is essential, but ongoing observability and security practices are also required across a distributed hybrid-cloud environment like this one, leaving no blind spots.
An average breach lasts hundreds of days; it is not a single-day incident, and by the time you find it, it is already late. You can only outperform the attackers and stay a couple of steps ahead by establishing and continuously operating security practices that combine classic segmentation and signature-based techniques with newer network traffic intelligence methods. A signature-based system alone can only match what has already been seen and described; it cannot detect novel or emerging behaviors for which no signature exists yet. On the devices and users side this is referred to as endpoint detection and response (EDR); on the network side, covering data center and cloud traffic, it is network detection and response (NDR).
To make NDR happen, you must first tap and collect the network data in motion from every corner of the environment: user flows, the cloud, and the data centers. That network data then has to be processed and forwarded to your trusted threat detection tools, which analyze it for unusual behaviors, increasingly using AI/ML techniques on top of learned baselines and heuristics. cPacket and its partners (such as Vectra and Corelight) provide a scalable, hybrid-cloud and multi-cloud NDR solution. At cPacket, we have protected many enterprises, including large banks, hospitals, government entities, and big tech companies, from such attacks through robust NDR techniques. I wish, therefore, that cPacket had been deployed in Apple's data centers and virtual private clouds (VPCs).
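As an added illustration of the detection step described above (this is example code written for this article, not cPacket, Vectra or Corelight code), the Python below takes flow records of the kind a network sensor emits, learns a per-host baseline from a known-good window, and then flags three behaviors that no static signature describes in advance: a connection on a port the host has never used, an outbound transfer far larger than the host's norm, and beaconing, that is, a near-constant connection interval to one external host. The flow records, the 10.0.0.0/8 internal range, and the thresholds are constructed assumptions for the example; the record layout loosely follows Zeek conn.log fields.

```python
"""Behavioural, NDR-style checks over flow records (example code for this
article, not cPacket, Vectra or Corelight code). Flow records, address
ranges and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
import ipaddress

# Assumed internal address space; a real sensor takes this from site config.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Flow:
    ts: float        # seconds, like Zeek's ts
    src: str         # id.orig_h
    dst: str         # id.resp_h
    dport: int       # id.resp_p
    orig_bytes: int  # bytes sent by the originator

def parse_flow(line: str) -> Flow:
    """Parse one tab-separated record: ts, src, dst, dport, orig_bytes."""
    ts, src, dst, dport, obytes = line.split("\t")
    return Flow(float(ts), src, dst, int(dport), int(obytes))

def is_external(ip: str) -> bool:
    return ipaddress.ip_address(ip) not in INTERNAL

def build_baseline(flows):
    """Per-source baseline from a known-good window: destination ports used
    towards the Internet and mean/stddev of outbound bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            ports[f.src].add(f.dport)
            sizes[f.src].append(f.orig_bytes)
    stats = {h: (mean(s), pstdev(s)) for h, s in sizes.items()}
    return ports, stats

def detect(flows, baseline, min_beacons=5, max_jitter=0.15, sigma=3.0):
    """Return (kind, src, dst, detail) alerts for behaviour outside the baseline."""
    ports, stats = baseline
    alerts, by_pair = [], defaultdict(list)
    for f in flows:
        if not is_external(f.dst):
            continue  # east-west traffic needs its own baseline; skipped here
        by_pair[(f.src, f.dst)].append(f.ts)
        # A host with no baseline at all gets every port flagged, on purpose.
        if f.dport not in ports.get(f.src, set()):
            alerts.append(("new_port", f.src, f.dst, f.dport))
        if f.src in stats:
            mu, sd = stats[f.src]
            # max(sd, 1.0) keeps a flat baseline from producing a zero threshold
            if f.orig_bytes > mu + sigma * max(sd, 1.0):
                alerts.append(("volume", f.src, f.dst, f.orig_bytes))
    # Beaconing: many connections to one host with a near-constant gap.
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_beacons:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = float(mean(gaps))
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            alerts.append(("beacon", src, dst, round(avg, 1)))
    return alerts

# Constructed known-good window: one workstation doing ordinary web traffic.
BASELINE_LOG = """\
0\t10.0.1.5\t203.0.113.10\t443\t1500
310\t10.0.1.5\t203.0.113.11\t443\t2200
905\t10.0.1.5\t203.0.113.10\t80\t1900
1230\t10.0.1.5\t203.0.113.12\t443\t2600
1770\t10.0.1.5\t203.0.113.11\t443\t1700
2000\t10.0.1.5\t203.0.113.12\t443\t2100
2640\t10.0.1.5\t203.0.113.10\t443\t2300
3300\t10.0.1.5\t203.0.113.11\t80\t1800
"""

# Constructed live window: the same host beacons to 203.0.113.7 over 443
# roughly every 60 s, tries port 4444 once, and finally pushes 52 MB out.
LIVE_LOG = """\
3600\t10.0.1.5\t203.0.113.7\t443\t300
3650\t10.0.1.5\t203.0.113.11\t443\t2000
3660\t10.0.1.5\t203.0.113.7\t443\t310
3700\t10.0.1.5\t198.51.100.9\t4444\t400
3719\t10.0.1.5\t203.0.113.7\t443\t290
3781\t10.0.1.5\t203.0.113.7\t443\t305
3800\t10.0.1.5\t10.0.2.20\t445\t2500
3840\t10.0.1.5\t203.0.113.7\t443\t300
3900\t10.0.1.5\t203.0.113.7\t443\t295
3960\t10.0.1.5\t203.0.113.7\t443\t52000000
"""

def run_example():
    baseline = build_baseline(parse_flow(l) for l in BASELINE_LOG.splitlines())
    return detect([parse_flow(l) for l in LIVE_LOG.splitlines()], baseline)

if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

Note that the beacon runs over port 443 to a host the workstation had never contacted; a port rule or a signature would pass it as ordinary HTTPS, and only the timing gives it away. The internal SMB flow on port 445 is deliberately skipped, since east-west traffic needs its own baseline. In production the baseline would be learned per host over days rather than from eight flows, and the thresholds tuned to the site.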
But there is a chance that a persistent attacker still gets through; then what? That is exactly what happened here. Apple's security operations team would need to assess and contain the damage right away: run the forensic analysis to find out where the holes are, close them, and respond, minimizing and shortening the impact window and the damage surface. At the same time, in parallel, the IT operations and service teams need to watch user experience and service health closely to make sure that the services do not go down, or at least are not degraded in terms of user experience, which in this case did happen. This is where an observability solution is required to narrow down what is wrong, and where, within a brief period. Still, some damage will be done. While those services were down or degraded, Apple was losing money on its subscriptions; its ordering system may have been down and unable to book orders, directly impacting sales and share price. Even after recovery, many customers may be concerned about, or tired of, ongoing data breaches and may have unsubscribed, moved their data, or migrated away from Apple devices altogether. The net result is loss of revenue, customers, and reputation. With cyber threats rising rapidly, companies like Apple must be prepared for a "when, not if" situation and have the required observability, containment, and response strategy in place. When it does happen is not the time to start thinking about it.