Big Ticket Data Breaches
How do they go undetected for so long?
July 15, 2020 – PII Data of around 270 million Wattpad (a social storytelling website) users’ was leaked by an unknown hacker. The hacker released private data in public forums. According to researchers, the breach happened in June 2020.
March 30, 2021 – Data of 100 million Mobikwik mobile wallet and payment app users was published on the dark web for sale. This data was around 8.2TB in size, and it included KYC documents, Aadhar cards, CC details, etc. Though Mobikwik denied the data breach, many independent security researchers confirmed the attack.
April 26, 2021 – A hacker group allegedly leaked customer data of BigBasket, an Indian online supermarket website. Data was stolen in November 2020. They published PII data of around 20 million customers in public domains.
These three different stories from different lines of business from around the globe are examples of “big-ticket data breaches,” the worst nightmare for CEOs of any organization. The impact of such data breaches is not limited just to financial loss. They can erode customer trust, cause privacy issues and adversely affect the company’s brand image.
Information Security teams and law enforcement agencies spend countless hours locating and prosecuting the culprits of such attacks. Companies spend a disproportionate amount of money and other resources responding to lawsuits, settlements, and PR campaigns associated with these attacks. In some cases, companies might even go out of business.
Discussions related to data breach consequences and repercussions point us to three major questions:
- How do these massive data breaches go undetected for a long time?
- Who are the attackers? What is their modus operandi to avoid detections?
- What proactive controls can be taken to avoid such data breaches?
According to Wikipedia, “A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” A data breach is also termed as data leakage, data spill, information leakage, etc.
The target of data breaches can be financial data (such as credit card information, personally identifiable information, etc.), proprietary data like designs and formulas, or even state secrets like weapon codes.
There are different kinds of threat actors behind these breaches.
Few of these breaches were identified quickly. For example, in the Swedish Government’s mainframe data breach, the mainframe operators observed higher loads with Performance Monitor. They contacted authorities, and the hack was exposed. In the case of Sony Pictures, the breach was disclosed when, shortly after the breach, the hacker group published sensitive information about the company.
But in other cases, the detection happened late. As per IBM’s Cost of a Data Breach 2019 report, the average breach identification time was 206 days. There are various reasons behind the delay in detection or the inability to detect.
The following are some of the reasons that help attackers go undetected for long.
- 0-Days (Zero-day) Exploits: 0-days are non-public vulnerabilities that are exploited in the wild. 0-day vulnerabilities do not have patches or detection mechanisms. This delays the detection of data breaches. For instance, in the Swedish Mainframe Data Breach mentioned earlier, attackers found two 0-day vulnerabilities in IBM z/OS and used them for attacking mainframes. In another example, HAFNIUM, a notorious cyberespionage group, used 0-days in on-premises MS Exchange servers to compromise mailboxes.
- Insufficient Threat Detection and Monitoring: Lack of proactive threat monitoring and detection increase the chances of data breaches that go unnoticed. When detection and monitoring tools are not set up appropriately, critical alerts can be missed.
In the Marriot Starwood Data Breach case, investigators found Mimikatz (a famous post-exploitation tool) running on the network. Mimikatz, being a tool created for experimentation purposes, could have been detected easily using the YARA rules released by the developer for every new version.
The threat detection capabilities could also be hampered due to insufficient staff and tools.
- Relying too heavily on audits: “Compliance doesn’t mean security.” Company leaders often forget this golden rule in enterprise security and rely heavily on compliance audit reports. Organizations can ignore the ever-evolving threat ecosystem only at the peril of breaches going undetected.
- Stolen Credentials: Credentials exposed in online code repositories or unprotected website directories, when active, lead to breaches that can go undetected. The attackers successfully log in using these credentials, and the breach seems just like normal administrator behavior.
- Use of High Privilege Account: Attackers get hold of high privilege accounts such as domain admins, thereby accessing networks and infrastructure through legitimate modes but for illegal use.
- Weak Password: Threat actors can easily leverage the use of weak/guessable/default passwords by Bruteforce or Enumeration. This applies to both internal and external assets. When such passwords are cracked, the breach cannot be spotted easily.
- Passing information without proper access control: Accidently passing sensitive files to unauthorized persons may lead to breaches that can go undetected.
- Deliberate Data Stealing: Ex or current employees storing sensitive data on personal email or storage devices can lead to severe security compromises since the personal devices and accounts would not have the same protection as enterprise assets (both for preventing and detecting breaches).
- Stolen IT assets: Stolen laptops or mobiles of a high-ranking official can be used for data mining by attackers.
- Improper IT asset decommissioning: Scrapping HDD without degaussing or shredding may leak sensitive data and credentials. It’s easy for anyone to use these credentials for long-term access to any network.
- Malware: Attackers may use advanced malwares that are file-less (i.e., run only in memory) to exfiltrate or encrypt sensitive data. These kinds of malware can be latent and do not get detected and contained easily.
- Use of Low Beacon by attackers: Malwares use beaconing to communicate with C2 servers asking for instructions. Beaconing is communication between malware and the C&C server of malware. This communication can be used for the detection of malware. To avoid detection, attackers may use low (impersonating as legitimate traffic) and slow (low rate of message exchange) beaconing that cannot be spotted easily.
- Not learning from examples: Last but probably the most common mistake leading to repeated non-detection of breaches is not learning from previous mistakes. Even though there are abundant examples of data breaches and their repercussions, many organizations simply ignore them and do not put policies, processes, and people to detect intrusions.
No mechanism or tool can guarantee 100% security for any organization. However, there are multiple ways by which the probability of preventing data breaches can be increased and the time required to detect them reduced.
- Maintain Asset Inventory: Having a clear and dynamically updated visibility of software and hardware assets inside the organization can help prevent and detect breaches. When the organization doesn’t even know about the infrastructure within its domain, the possibility of breaches in such infrastructure being detected is extremely low. This is a bigger challenge in the current environment of cloud computing and IoT, where assets often lie outside the traditional organizational and data center perimeters.
- Proactive monitoring and detection: . Traditional security tools such as Intrusion Prevention Systems, Antivirus solutions identify threats based on signatures and known suspected behavior. Due to this, many modern attacks with 0-day exploits may go undetected for extended periods.
Organizations need to use techniques such as Threat Hunting to monitor and detect advanced, unknown threats proactively. New generation endpoint security solutions such as Managed Detection & Response (MDR), Endpoint Detection & Response (EDR) tools have become a necessity. Tools such as Network Intelligence’s BlueScope, a highly customizable Threat Hunting platform with MDR capabilities, can help eliminate the probability of breaches going undetected for long.
- Blue Team Setup: Organizations should set up Blue Teams, which actively identify new threats. This team should not be involved in other traditional activities such as vulnerability assessments but should be focused on identifying fresh, potential threats.
- Recurrent Red Team Assessment: Organizations should carry out Red Team Assessments at regular intervals. Red Team Assessment helps identify conventional and unconventional security loopholes through which attackers can breach an organization’s infrastructure.
- Keep IT assets (Software and Hardware) up to date: It is essential to maintain version updates, security updates, and patches to prevent IT assets from becoming vulnerable to breaches and detecting intrusions on time.
Awareness: It is vital to educate employees on the repercussions of social engineering and phishing. Organizations should train their staff to identify phishing attacks. Awareness training must be mandatory irrespective of function or level (Senior, middle, junior). A workforce educated in cybersecurity and aware of its responsibilities in protecting the organization is its first line of defense. A comprehensive security training program for employees, like those offered by the Institute of Information Security, the training arm of Network Intelligence, can help organizations build cyber-resilience.
Organizations can also run internal phishing campaigns to test the cyber-awareness of their workforce. Such practices can help in continuous learning for the entire organization.
- Establishing trust and communication between Cybersecurity Teams and Management: Lastly and most importantly, enabling trust and communication between Cybersecurity teams and Management is extremely critical. Firstly this helps in crucial aspects like budget planning and investment decisions about the cybersecurity workforce. Secondly, this helps address gaps in current cybersecurity programs, providing visibility on current security posture and risk. But most importantly, it helps maintain transparency within an organization, which is necessary for flagging off vulnerabilities, breaches, and intrusions on time.
Shashank Gosavi has started his career as a Security Analyst Intern in Network Intelligence (I) Pvt. Ltd., Mumbai. Also working on projects of Web application, Mobile Device and thick client security testing.