A CISO’s nightmare: Your engineering manager comes to you with a source code listing one of his engineers found on Git. It’s identical to your company’s proprietary SCADA code your clients rely on to ensure infrastructure availability, but missing the copyright statements you use as company policy.
Later in the day, a technical sales lead shows you a company presentation marked ‘Proprietary & Confidential’ that he found posted on a popular file-sharing site. Finally, the HR manager is very concerned because employees have been increasingly reporting that they are receiving suspicious emails at their company address containing details that should be private. Your data is leaking, and you are only finding out about it when it’s arrived at the open Internet. Where did this stuff come from? Who is responsible for the leaks? Where has the data traveled since its departure? LemonFish Technologies has unique capabilities and expertise to answer these questions – and more often than not, they point to the mesh of anonymized networks and protocols known as the “Dark Web.”
What is the “Dark Web” actually?
As with any controversial, frequently changing and non-standardized community, it is impossible to pin a persistently accurate definition on an entity like the Dark Web. Some sufficient conditions seem to be:
These characteristics of the Dark Web make it an ideal place to initiate a data breach’s public lifecycle. There are two broad, non-mutually-exclusive categories behind most breaches: monetary gain and notoriety. Both of these require the quality of “not getting caught,” which the Dark Web enables by its very nature.
Despite these bad actors, there are many uses of the Dark Web that have no nefarious component to them – it is an important community resource for marginalized populations such as dissidents of repressive governments. It is also a valuable platform for whistle-blowers to bring illegal activities to light with less fear of reprisals. Unlike many “all-or-nothing” cyber security providers, LemonFish appreciates this distinction and incorporates ethical behavior within the Dark ecosystem into our analysis.
Data Breach on the Dark Web
So how do data thieves use these Dark technologies, and how can this knowledge be employed to reduce the time to discovery of breaches? From detecting and observing examples of data breaches across diverse industries, LemonFish has come to some conclusions:
How Would I Get to the Dark Web?
The largest Dark network in the world is based on The Onion Router (Tor) technology. This network relies on passing communications across multiple ‘hops’ between requestors, relays and providers, just like the Internet. The key difference is that each hop in the communication is cryptographically protected from every other hop. Paths are negotiated and encrypted in a way that ensures each relay can decrypt and understand only enough of the message to pass it to the next point. The primary user-facing client on this network is the Tor Browser, a variant of Firefox that knows how to use this protocol and also has much stricter default privacy settings than vanilla Firefox.
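The layering described above, as an added illustration that is not code from the Tor project or from LemonFish: the client wraps a message in one encryption layer per relay, and each relay can strip only its own layer, learning the next hop but nothing about the payload or the final destination. It assumes the client already shares a symmetric key with every relay (in Tor that comes from the circuit-building handshake, which is omitted here) and uses a constructed keystream cipher built from SHA-256 and HMAC purely for demonstration, not the cipher Tor actually uses.

```python
import hashlib
import hmac
import os
import struct

# Constructed toy cipher for illustration only (NOT Tor's real cipher):
# SHA-256 in counter mode as a keystream, plus an HMAC tag so that a relay
# trying the wrong key gets a clean failure instead of garbage.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; raises ValueError if this key does not fit the layer."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered cell")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path, destination: str, message: bytes):
    """path: [(relay_name, shared_key), ...] ordered guard -> exit.
    Wraps innermost layer for the exit first, outermost for the guard last.
    Each layer is: 1-byte length || next-hop name || inner blob."""
    layer = message
    next_hop = destination
    for name, key in reversed(path):
        header = bytes([len(next_hop)]) + next_hop.encode()
        layer = seal(key, header + layer)
        next_hop = name
    return next_hop, layer  # (first relay to send to, fully wrapped cell)


def peel(key: bytes, cell: bytes):
    """What a relay does: strip its layer, read only the next hop."""
    plain = unseal(key, cell)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def route(path, destination: str, message: bytes):
    """Simulate the circuit; returns what each relay saw and the final payload."""
    keys = dict(path)
    hop, cell = build_onion(path, destination, message)
    trace = []
    while hop != destination:
        next_hop, cell = peel(keys[hop], cell)
        trace.append((hop, next_hop))  # a relay learns only its neighbours
        hop = next_hop
    return trace, cell


def can_read_payload(key: bytes, cell: bytes) -> bool:
    """True only if this key fits the outermost remaining layer."""
    try:
        unseal(key, cell)
        return True
    except ValueError:
        return False


# Constructed keys and route (hypothetical names, not real relays).
PATH = [("guard", b"g" * 32), ("middle", b"m" * 32), ("exit", b"x" * 32)]
DEST = "web.example"
MSG = b"GET / HTTP/1.1"

if __name__ == "__main__":
    trace, payload = route(PATH, DEST, MSG)
    for relay, nxt in trace:
        print(f"{relay} forwards to {nxt}")
    print("exit delivers:", payload)
    _, after_guard = peel(PATH[0][1], build_onion(PATH, DEST, MSG)[1])
    print("guard can read inner cell:", can_read_payload(PATH[0][1], after_guard))
```

The guard relay sees only that the next hop is the middle relay; after stripping its layer it holds a blob its own key cannot open, so neither the destination nor the payload is visible to it.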
Understanding the Dark Web’s role in the lifecycle of a data breach is key to taking the correct steps in early detection of a breach. This in turn allows the affected parties to coordinate appropriate security, legal and public relations responses well before the all-too-usual “caught unawares” situation. LemonFish Technologies is uniquely positioned to address Dark Web data breach detection with a combination of advanced technologies, analytic practices and domain knowledge. Talk to us about helping you build a better defense against data breach and creating a ready response to when it happens to you.
In the past few years, public releases of private data have become common. While a majority of these data breaches are caused by someone outside the company, or hackers worming their way past security measures, many breaches are caused by people within the enterprise. According to a security report issued by the Intel Security Group, “[i]nternal actors were responsible for 43% of data loss, half of which is intentional, half accidental”. With a single data breach in 2015 costing $3.79 million on average (a 23% increase since 2013), it is well worth the time to keep an eye on your data.
Given the number of breaches and their associated cost, it makes sense for companies to spend more to protect their most important data from both outside and inside threats – sadly, this is not the case. While “[c]ompanies deploying security intelligence systems, on average, experience a substantial cost savings of $1.9 million… companies deploying access governance tools experience cost savings of $1.8 million on average”, it is still reported that only 11% of companies consider themselves safe from insider threats. One can infer that 89% of companies are knowingly vulnerable to a data breach.
One of the most common insider threats is employees who leave the company. According to Gemalto, “[i]n more than 70% of [Intellectual Property] thefts, insiders stole the information within 30 days of announcing their resignation”, while reports indicate 60% of exiting employees take company data with them, either for personal gain or simply to use in their new job. This stolen information is typically uploaded to cloud storage, attached to emails, or copied to removable drives – the last of which accounts for 40% of breaches.
While recording every keystroke, mouse click, and file transfer is technically possible, fighting the insider threat takes much more than pervasive data collection. The hard part is knowing which of the millions of keystrokes, mouse clicks, and file transfers each day are malicious. To do their jobs, employees must transfer files, send email attachments, and insert removable storage, so stopping, or even delaying, such activity hurts the company’s bottom line as well as frustrating employees. Current SIEM platforms can detect potential data breaches by identifying obviously malicious activity, but activity that is malicious for one employee is benign for another. An insider exposed to monitoring for years also learns what the SIEM system deems “malicious”. Accounting may rarely move large files, while systems administrators and the research department may move large files routinely. DLP solutions therefore fail at the hard task of telling benign from malicious: separating people who require large file transfers from those who do not, and people who frequently work with company IP from those who do not. The problem is made harder still by the insider who avoids detection using years of daily experience with the DLP solution.
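The point that a single global threshold misfires because roles differ, shown as an added example that is not LemonFish’s product or code: a per-role baseline (median and median absolute deviation of transfer size) flags the accounting user who suddenly copies 850 MB to a removable drive, while leaving the systems administrators’ routine multi-gigabyte transfers alone. The log format, user names and sizes are constructed for the example and assume a DLP agent that records one line per file transfer.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log (not real data): one day of file-transfer events
# as a hypothetical DLP agent might record them.
SAMPLE_LOG = """\
ts,user,role,channel,bytes
2016-03-01T09:02,alice,accounting,email,120000
2016-03-01T09:40,bob,accounting,email,95000
2016-03-01T10:15,alice,accounting,cloud,140000
2016-03-01T11:05,bob,accounting,email,110000
2016-03-01T13:20,alice,accounting,email,130000
2016-03-01T14:02,bob,accounting,cloud,105000
2016-03-01T17:55,alice,accounting,removable,850000000
2016-03-01T08:30,carol,sysadmin,nfs,1800000000
2016-03-01T09:12,dave,sysadmin,nfs,2200000000
2016-03-01T10:48,carol,sysadmin,nfs,2000000000
2016-03-01T12:03,dave,sysadmin,removable,2500000000
2016-03-01T15:27,carol,sysadmin,nfs,1900000000
2016-03-01T16:41,dave,sysadmin,nfs,2100000000
2016-03-01T09:50,erin,research,cloud,400000000
2016-03-01T11:30,erin,research,cloud,550000000
2016-03-01T14:10,erin,research,cloud,450000000
2016-03-01T16:05,erin,research,cloud,500000000
"""


def parse_log(text: str):
    """CSV -> list of dicts with 'bytes' as int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        events.append(row)
    return events


def role_baselines(events):
    """Per-role (median, MAD) of transfer size. Median/MAD are used instead of
    mean/stddev so that the one anomalous event does not inflate its own baseline."""
    by_role = defaultdict(list)
    for e in events:
        by_role[e["role"]].append(e["bytes"])
    baselines = {}
    for role, sizes in by_role.items():
        med = statistics.median(sizes)
        mad = statistics.median([abs(s - med) for s in sizes])
        baselines[role] = (med, mad)
    return baselines


def robust_score(value, med, mad):
    """How many MADs above the role's typical transfer this event is."""
    return (value - med) / max(mad, 1)


def flag_by_role(events, baselines, k: float = 5.0):
    """Flag events far above what peers in the same role normally move."""
    flagged = []
    for e in events:
        med, mad = baselines[e["role"]]
        score = robust_score(e["bytes"], med, mad)
        if score > k:
            flagged.append((e["ts"], e["user"], e["channel"], round(score, 1)))
    return flagged


def flag_by_global_threshold(events, limit: int = 500_000_000):
    """The naive rule a one-size-fits-all policy would apply."""
    return [(e["ts"], e["user"]) for e in events if e["bytes"] > limit]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    base = role_baselines(evts)
    print("global threshold flags:", len(flag_by_global_threshold(evts)), "events")
    print("per-role baseline flags:", flag_by_role(evts, base))
```

On this sample the global 500 MB rule raises eight alerts, seven of them routine sysadmin and research transfers; the per-role baseline raises one, for the accounting user's removable-drive copy. The baseline is still only about size: a real deployment would add channel, destination and time-of-day dimensions, and the insider who stays within their role's norms remains invisible to it, which is the residual gap the text describes.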
So what can be done?
First, deploy a good DLP solution to identify obviously malicious activity, such as violations of enterprise security policy. At the very least, this helps keep the honest employee honest. Second, monitor the open, deep, and dark web for your sensitive data, so you are the first to know when your DLP solution fails. This allows you to mitigate the damage immediately. Third, focus on data behavior rather than user behavior. The data is your property, the people are not, so the law gives you greater latitude when you focus on your data, your property. Finally, watch this site for upcoming posts to help you understand how to apply Data Behavior Analytics to monitor the open, deep, and dark web with LemonFish Technologies’ unique solutions to this costly problem.