One glance at the headlines and it would be easy to think that we are losing the fight against data breaches.
Over a billion user accounts breached in the Yahoo mega hack, thousands of customers left out of pocket in the Tesco Bank hack and TalkTalk fined a record £400,000 by the ICO following its much-publicised 2015 data breach – big companies keep on being publicly felled by hackers and, let’s be honest, this is just the tip of the iceberg. What about the data breaches not yet disclosed to the public, or the breaches that are yet to be discovered by the companies themselves?
As we await the next mega breach to hit the headlines, is the picture that is being painted by these public disclosures accurate – are companies powerless to stop data breaches?
Looking for some clarity on the matter, CBR’s Ellie Burns spoke to Alex Moyes at LightCyber, discussing the how and why when it comes to hackers and data breaches.
EB: What’s the likelihood that an attacker will get into your network?
AM: If the motivation is sufficient, an attacker will find a way into your network. If the assets available through your network offer enough financial or political incentive, attackers will uncover a gap in your defences. Some attackers are after Personally Identifiable Information (PII) that they can sell on the Dark Web—PII such as identity details, bank account access, or credit card numbers. Some are after intellectual property or business secrets to sell or use themselves, or to leverage for extortion. Others seek to manipulate systems or data to directly get money. Criminals go where the money is located.
The best white hat penetration testers will guarantee that they can gain access to any network within two days, and they are generally limited by some ethical standards that they would not violate. Any trained cyberwarfare expert should be able to get in anywhere they please. Most of the time, gaining a foothold in a network comes from compromising a user’s computer or account. There are so many ways this could occur; it is simply not possible to prevent or protect against them all. If the motivation exists, an attacker will find a way.
Today, large numbers of organisations have no idea that an external attacker or malicious insider is in their network conducting an active attack. Some of these may never know, or won’t find out until years later. A good number of discovered attacks will never be disclosed in public if they don’t involve the compromise of PII. Lloyd’s claims that over 90% of European businesses have suffered a data breach in the past five years. For most, it’s not a question of if, but when.
EB: How do attackers get in?
AM: The most common way to gain a foothold in a network is through compromising an employee’s computer or credentials and using it as a starting point to explore the network and expand the realm of control. The compromise may come through well-researched, highly convincing phishing. It may come as the result of social engineering or breaking passwords. Perhaps a drive-by malware download from visiting a reputable site, created in a way that an attacker could utilise. Maybe it involved custom or zero-day malware. There are hundreds or thousands of possibilities.
EB: How do attackers operate once they get in?
AM: Once an attacker has a foothold in a network, they need to explore and understand the network and expand their area of control. Unless they are lucky enough to land exactly on the asset they want to damage or steal, they must figure out where the assets are located and how they can create a path to get to them. Staying hidden is paramount.
While malware may have played a role in helping compromise a user machine, once inside, an attacker rarely uses malware. The network reconnaissance and lateral movement are systematically accomplished using administrative and networking tools, utilities and procedures. Much of this is done by trial and error, and it is all carefully orchestrated by a human threat actor. Generally, attackers need to compromise other user machines or accounts to build a path to the assets they want to control.
EB: Why is it difficult to detect attacker activities?
AM: Since an active attacker is using tools and procedures that can easily blend in with other traffic on the network, they can be difficult to spot. An attacker tries to look like a user with valid credentials conducting their work on the network. They blend in and are difficult to see.
Almost everything they do happens on the network, so having complete network visibility is a must-have for a starting point to uncover the attack. Often, the security emphasis is on the endpoint or in a reduced set of network activity recorded in a log. Even if the activity is flagged by a security system, there are generally too many anomalies to let real attack activity stand out. One challenge of attack detection is that it requires extensive refinement to separate the merely anomalous from the anomalous that is indicative of an attack.
Another important aspect is to be able to “connect the dots,” and realise that individual events alone may not be suspicious, but taken together they comprise an attack. This is an ability to see the forest for the trees and can result in understanding a timeline of events that are tasks designed to achieve an attacker’s objectives.
Attacker activities are best understood against a baseline of known good or normal activity for each user and device on the network. Anomalies become apparent, and then they must be further reviewed for evidence of attack activity.
Obviously, there is a vast amount of data involved with the ability to accurately detect an active attacker. It requires machine learning to pare down data, establish ongoing user and device profiles, find anomalies and then assess and refine them into meaningful intelligence.
EB: Is the data breach problem over-hyped?
AM: There may seem to be a news glut of headline after headline of a new data breach discovered or disclosed. The problem is far deeper and more dangerous than most people recognise. Theft of intellectual property and business secrets is already extensive, but the full effect may not be felt for years. It will drive some organisations out of business and result in job losses and financial disaster.
In many ways, we are only seeing the tip of the iceberg. There have been indications of data and systems manipulation in the past, but the potential damage caused by a data breach could be staggering, breaking down critical infrastructure and harming the economy or the safety of a geographic region, or even of the entire world.
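The detection approach Moyes outlines above (a baseline of normal activity per user and device, anomalies flagged against it, and individual anomalies "connected" into a timeline) can be sketched in code. The script below is an added illustration written for this page; it is not part of the interview and is not LightCyber's product or method. The log format, host names, users, thresholds and the "peers plus hours-of-day" profile are all constructed assumptions for the example, and the fixed-set baseline stands in for the machine-learning profiling the interview describes.

```python
"""Added example, not from the interview or LightCyber: a toy version of
baseline -> anomaly -> "connect the dots" detection over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp user src_host dst_host dst_port".
# These stand in for a week of flow records used to learn what is normal.
BASELINE_LOGS = """
2023-01-02T09:00:00 alice ws-alice mail-01 443
2023-01-02T09:05:00 alice ws-alice file-01 445
2023-01-02T10:00:00 alice ws-alice intranet 443
2023-01-03T09:01:00 alice ws-alice mail-01 443
2023-01-03T11:00:00 alice ws-alice file-01 445
2023-01-02T09:00:00 bob ws-bob mail-01 443
2023-01-02T09:30:00 bob ws-bob db-01 5432
2023-01-03T09:10:00 bob ws-bob db-01 5432
""".strip().splitlines()

# Constructed "live" traffic: alice's workstation starts reaching hosts and
# ports it never touched during the baseline window, late at night.
LIVE_LOGS = """
2023-01-10T09:00:00 alice ws-alice mail-01 443
2023-01-10T22:10:00 alice ws-alice dc-01 389
2023-01-10T22:12:00 alice ws-alice ws-bob 445
2023-01-10T22:15:00 alice ws-alice db-01 5432
2023-01-10T09:05:00 bob ws-bob db-01 5432
2023-01-11T09:00:00 bob ws-bob hr-01 443
""".strip().splitlines()


def parse(line):
    """Parse one constructed log line into a dict (hypothetical format)."""
    ts, user, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "dst": dst, "port": int(port)}


def build_baseline(lines):
    """Per-user profile: the (dst, port) pairs and hours of day seen as normal."""
    profile = defaultdict(lambda: {"peers": set(), "hours": set()})
    for ev in map(parse, lines):
        profile[ev["user"]]["peers"].add((ev["dst"], ev["port"]))
        profile[ev["user"]]["hours"].add(ev["ts"].hour)
    return profile


def score_event(ev, profile):
    """Return the list of reasons an event deviates from the user's baseline."""
    p = profile.get(ev["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    if (ev["dst"], ev["port"]) not in p["peers"]:
        reasons.append(f"new peer {ev['dst']}:{ev['port']}")
    if ev["ts"].hour not in p["hours"]:
        reasons.append(f"unusual hour {ev['ts'].hour:02d}")
    return reasons


def find_anomalies(lines, profile):
    """Keep only events with at least one deviation, paired with the reasons."""
    out = []
    for ev in map(parse, lines):
        reasons = score_event(ev, profile)
        if reasons:
            out.append((ev, reasons))
    return out


def connect_the_dots(anomalies, window=timedelta(minutes=30), min_events=3):
    """Chain a user's anomalies when consecutive ones fall within `window`;
    a chain of at least `min_events` is reported as one incident timeline."""
    by_user = defaultdict(list)
    for ev, reasons in sorted(anomalies, key=lambda a: a[0]["ts"]):
        by_user[ev["user"]].append((ev, reasons))
    incidents = []
    for user, evs in by_user.items():
        chain = [evs[0]]
        for item in evs[1:]:
            if item[0]["ts"] - chain[-1][0]["ts"] <= window:
                chain.append(item)
            else:
                if len(chain) >= min_events:
                    incidents.append((user, chain))
                chain = [item]
        if len(chain) >= min_events:
            incidents.append((user, chain))
    return incidents


def run():
    """Baseline -> anomalies -> incidents over the constructed logs."""
    profile = build_baseline(BASELINE_LOGS)
    anomalies = find_anomalies(LIVE_LOGS, profile)
    return anomalies, connect_the_dots(anomalies)


if __name__ == "__main__":
    anomalies, incidents = run()
    print(f"{len(anomalies)} anomalous events, {len(incidents)} incident(s)")
    for user, chain in incidents:
        print(f"timeline for {user}:")
        for ev, reasons in chain:
            print(f"  {ev['ts']:%Y-%m-%d %H:%M} {ev['src']} -> "
                  f"{ev['dst']}:{ev['port']}  ({', '.join(reasons)})")
```

Run on its own, the script flags four anomalous events but reports only one incident: alice's three late-night connections to previously unseen hosts, which the chaining step turns into a single timeline. Bob's one new destination during business hours stays a lone anomaly, which is the point of the interview's "too many anomalies" remark: the correlation step, not the anomaly flag, is what separates noise from a plausible attack sequence.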