Look over Here! (While I Steal Your Data over There)

There’s an alarming trend in ransomware, and it’s not perpetrators requesting more bitcoin or hitting larger targets. What was once a disruptive but self-contained tactic is now being used as a mere smokescreen to mask the more sinister activity of stealing an organization’s sensitive information. The ransom payment is just a bonus. Perpetrators make the real money by selling identity information on the black market.

How Ransomware Attacks Happen

Ransomware events are triggered when the cyberthreat actor (hacker) gains a “beachhead” on an organization’s system. The entry method varies depending on the attack, but it is most often a phishing email that requests access information from an employee, an email carrying malicious code in a file or link, or direct access to a system through unpatched vulnerabilities or unprotected administrator accounts. More than 80 percent of breach incidents occurred through unpatched vulnerabilities for which a patch had existed for more than a year before the attack. In almost all cases, ransomware attacks don’t result from technological faults, but from human error.

Data Exfiltration

While the primary motivation of ransomware attacks remains the ransom payment, we’re beginning to see them used as a smokescreen to create chaos within the organization while the attackers silently harvest sensitive information. The chaos is easily caused.

Incident response (IR) protocols set in motion by an attack have clear-cut, rehearsed procedures that response team members follow. This begins with “classifying the incident.” Once an attack is classified as ransomware, procedures to handle it are invoked. The hackers are counting on it. While the IR team resolves the ransomware crisis by counting affected systems, classifying the type of malware in play and deciding whether to pay the ransom or restore from backups, the attackers are mapping the system, identifying personally identifiable information (PII), protected health information (PHI) and trade secrets and taking them. Any alarms set off by monitoring systems often are mistaken for additional fallout from the ransomware attack.

By the time the incident is resolved, the information has already been compromised through web-based email, internet upload to a storage site such as Dropbox or Google Drive or collected on a file transfer protocol service the attackers set up on your own systems, then transferred out through that protocol.
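As an added example (not code from the original post), the following Python script totals outbound bytes per host toward the channels named above, cloud-storage domains and FTP, from constructed proxy-log lines, so that such alerts raised during ransomware response can be triaged as possible exfiltration instead of being dismissed as fallout. It also covers the “data in motion” point made later on the page. The log format, the domain list and the 200 MiB threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample proxy/firewall log lines (not real data):
# timestamp  src_host  dst_host  dst_port  bytes_out
SAMPLE_LOGS = """\
2024-05-01T02:11:05 ws-017 update.vendor.example 443 40211
2024-05-01T02:14:31 ws-017 content.dropboxapi.com 443 524288000
2024-05-01T02:20:02 ws-017 content.dropboxapi.com 443 498073600
2024-05-01T02:22:47 fs-02 10.20.30.40 21 734003200
2024-05-01T02:25:10 ws-044 mail.google.com 443 120000
2024-05-01T02:30:55 ws-044 drive.google.com 443 2147483648
"""

# Assumed list of consumer cloud-storage domains worth watching during an incident.
CLOUD_STORAGE = ("dropboxapi.com", "dropbox.com", "drive.google.com",
                 "googleusercontent.com")
FTP_PORTS = {21, 990}          # plain FTP and FTPS control ports
VOLUME_THRESHOLD = 200 * 1024 * 1024   # assumed: 200 MiB per host per channel


def classify(dst_host, dst_port):
    """Label a connection as 'ftp', 'cloud-storage' or None (not of interest)."""
    if dst_port in FTP_PORTS:
        return "ftp"
    if any(dst_host == d or dst_host.endswith("." + d) for d in CLOUD_STORAGE):
        return "cloud-storage"
    return None


def flag_exfiltration(log_text, threshold=VOLUME_THRESHOLD):
    """Return {(src_host, channel): total_bytes} for pairs over the threshold.

    Aggregating per host and channel catches transfers split into several
    sessions, which a per-connection rule would miss.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        _ts, src, dst, port, nbytes = line.split()
        channel = classify(dst, int(port))
        if channel:
            totals[(src, channel)] += int(nbytes)
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    # During an active ransomware incident, review each flagged pair separately
    # from the ransomware cleanup rather than assuming it is part of the same event.
    for (host, channel), total in sorted(flag_exfiltration(SAMPLE_LOGS).items()):
        print(f"{host}: {total / 2**20:.0f} MiB outbound via {channel}")
```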

Mitigating Exfiltration

Mitigating data theft isn’t a cybersecurity function, but rather a data and information governance function. The process for protecting your data goes beyond a ransomware heist. Information governance also protects data from accidental disclosures, regulatory slips and blemishes, internal theft and other forms of external data breaches. Consider these steps:

  1. IT security audits that include cybersecurity risk assessments and penetration testing (pen testing) are critical, as is keeping them updated. Pen testing should be performed by professionals familiar with how hackers think and act. Many pen-testing services merely run vulnerability scans and look for obvious weaknesses. This isn’t how hackers work.
  2. Have a data and information governance plan. This includes quantifying your data “crown jewels” and protected information such as PII and PHI. Other important information includes confidential or proprietary documents, trade secrets, strategic plans and copyrighted or proprietary software code. Once information is quantified and mapped to its respective locations and handlers, a plan can be created to protect it.
  3. Taking a complex systems approach to risk helps anticipate “unknown unknowns” in data protection. Because control failures often are the result of a “cascading effect” of failures from multiple components, standard approaches to enterprise risk management (ERM) and cybersecurity that look at individual components in a vacuum aren’t sufficient.
  4. Identifying protected and important information goes far beyond simple searches and point-and-click software tools. Critical data can be hidden in unusual file types, document metadata or operating system artifacts beyond the reach of standard searches and search tools. A forensic-level search of your systems will help identify data in these areas. Forensic data analytics also can address other issues of concern outside of the data itself, such as risky computer activities, e.g., personal storage drives, removable media containing sensitive information and personal email accounts. Such activities affect your data’s overall safety.
  5. Understanding that your data doesn’t sit still all the time is critical. Many organizations are adept at protecting “data at rest,” only to find it can be lost or compromised when in motion. “In-motion” data includes information being transferred through upload or download or sent through email or other protocol. A data loss prevention plan should address data in all states.

Data loss prevention and information governance are little understood but powerful concepts in overall ERM. Successfully implementing them through a smart blend of controls, technologies and testing will result in a safer environment for your most valuable information.

Lanny Morrow

With 20 years of experience at BKD, Lanny is the senior data scientist and technical lead in advanced data mining and digital forensics for BKD’s Forensics & Valuation Services division. Lanny is a frequent speaker and writer on data mining and digital forensics, including contributions to university textbooks and the Association of Certified Fraud Examiners’ Fraud Magazine.
