January 14, 2025
Research Fellow:
- Bobby Boughton, MacroPraxis Research Institute Fellow
Link To Research Paper
Breach Analysis Visual:
Research Summary
In December 2023, First American Financial Corporation experienced a ransomware and data exfiltration attack that resulted in widespread operational disruption during peak transaction periods. The breach, attributed to sophisticated threat actors potentially linked to ALPHV/BlackCat or LockBit, exploited a vulnerability in a public-facing system and remained undetected for an estimated 14 days. The attackers systematically moved through the environment—establishing persistence, escalating privileges, and staging sensitive data for exfiltration—ultimately causing over $285 million in financial impact through lost revenue, customer remediation, and reputational harm. First American has not confirmed whether a ransom was paid, and recovery efforts appear to have relied on internal measures.
The TBT analysis aligns the attacker’s actions to each stage of the MITRE ATT&CK framework and maps them against traditional security controls that either failed or were missing entirely. Tools such as endpoint detection and response (EDR), SIEM, DLP, PAM, and egress filtering were either insufficiently tuned, poorly enforced, or not deployed in critical parts of the environment. From Initial Access through Impact, the report identifies repeated missed detection opportunities—particularly at the Execution, Persistence, and Lateral Movement stages—where deception technology such as honeytokens, fake RDP sessions, and decoy databases could have provided early warnings and slowed the attacker’s progression.
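As an added illustration (example code, not from the TBT report or First American's environment) of how the honeytoken, fake RDP session and decoy database hits described above turn into early-warning alerts tagged with the ATT&CK stage they signal: the decoy names, log formats and sample log lines below are all constructed for the example, and the tactic labels are one reasonable mapping, not the report's.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Decoy identifiers are constructed for this example (not real First American assets).
# No legitimate workflow ever touches a decoy, so any hit is high-confidence and is
# tagged with the ATT&CK tactic it most directly evidences.
DECOY_RDP_HOSTS = {"ws-finance-07"}       # fake RDP target    -> Lateral Movement
HONEYTOKEN_USERS = {"svc_backup_legacy"}  # planted credential -> Credential Access
DECOY_DB_NAMES = {"title_archive_2019"}   # decoy database     -> Collection

@dataclass(frozen=True)
class Alert:
    tactic: str
    decoy: str
    src: str
    line: str

# Constructed, syslog-style formats for the three log sources the detector reads.
RDP_RE = re.compile(r"rdp-auth user=(?P<user>\S+) dst=(?P<dst>\S+) src=(?P<src>\S+)")
LOGON_RE = re.compile(r"logon type=(?P<type>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")
DB_RE = re.compile(r"db-audit db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")

def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line touches a decoy, otherwise None (normal activity)."""
    if (m := RDP_RE.search(line)) and m["dst"] in DECOY_RDP_HOSTS:
        return Alert("Lateral Movement", m["dst"], m["src"], line)
    if (m := LOGON_RE.search(line)) and m["user"] in HONEYTOKEN_USERS:
        return Alert("Credential Access", m["user"], m["src"], line)
    if (m := DB_RE.search(line)) and m["db"] in DECOY_DB_NAMES:
        return Alert("Collection", m["db"], m["src"], line)
    return None

def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the decoy check over a log stream; legitimate hosts and databases never fire."""
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample: ordinary activity interleaved with three decoy touches from one host.
SAMPLE_LOG = [
    "2023-12-02T03:11:09Z rdp-auth user=jdoe dst=ws-finance-03 src=10.20.4.15",
    "2023-12-02T03:14:27Z logon type=3 user=svc_backup_legacy src=10.20.4.15",
    "2023-12-02T03:15:02Z rdp-auth user=svc_backup_legacy dst=ws-finance-07 src=10.20.4.15",
    "2023-12-02T03:20:44Z db-audit db=escrow_prod user=app_title src=10.20.9.8",
    "2023-12-02T03:22:10Z db-audit db=title_archive_2019 user=svc_backup_legacy src=10.20.4.15",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.tactic}] decoy={a.decoy} src={a.src}")
```

Because every alert carries the source address, the three hits above pivot to a single host within minutes of the first decoy touch, which is the early warning the summary says was missing during the 14-day dwell.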
Ultimately, the analysis suggests that the breach was preventable or at least containable had modern deception techniques been integrated into First American’s security posture. These tools could have disrupted the kill chain during early phases, prompting faster response and reducing financial exposure. The TBT approach illustrates not only how the breach occurred, but also how it could have been intercepted, offering valuable insight for executive teams and security leaders seeking to modernize their defenses against increasingly stealthy and coordinated ransomware operations.