While data breaches are invariably costly for organizations, the fallout from a data breach isn’t always the same. There are numerous motivations for threat actors and an even greater number of strategies that they employ to achieve their varied goals. As such, it falls to security professionals can continuously learn from the ongoing cyberattacks the best ways to predict and prevent cyber breaches in a constantly evolving threat landscape.

In this article, we take a look at 5 of the lessons that can be learnt from some of the biggest cyberattacks of 2020.

1. 3rd party integrations create new attack surfaces

The recent breach of SolarWinds allowed foreign agents to access and spread malware to numerous government agencies and high-value US targets. These threat actors knew they could likely never penetrate these targets directly, and instead discovered they all used the same software for network management - SolarWinds. 

The attack spread a malware which lay unnoticed in the system for months as the attackers are believed to have observed and gathered data on their targets.

The key take away from this hack is that no matter how excellent and strict your own system’s security is, if the 3rd party systems you use have a weakness, then so do you. This is especially important as systems become increasingly interconnected, with a myriad of moving parts provided by dozens of different vendors. 

While you can’t and shouldn’t simply wall of your systems with a trust no-one approach, organizations also mustn’t take third-party solution provider’s security for granted. Conduct rigorous, ongoing security audits of your systems to be sure there’s not a nasty surprise hiding around the corner.

2. You need clarity across your organization’s security

As an organization grows in size and complexity, often, as we mentioned above, integrating and employing 3rd party vendors, the number of attack surfaces grows too. Organizations need systems in place to maintain clarity over the entirety of their IT security.

In July, Garmin was locked out of its own systems by ransomware and ended up having to pay millions in ransom for the decryption key. 

Garmin faced an impossible situation. While law enforcement officials and cybersecurity experts repeatedly warn companies not to pay ransomware attackers as it encourages further ransomware attacks, companies like Garmin are often left with no other choice. 

As such, companies need to employ systems, security protocols, and training to prevent ransomware.

For businesses like this, it’s vital to have systems in place to maintain a vigilant security posture toward every possible vector for attack.

3. Humans are the weakest link

Social engineering tactics can range from rather obvious emails from Nigerian princes to complex multi-step and highly targeted spear-phishing campaigns. In late 2020 the latter is what happened to Twitter, with numerous employees targeted with a strikingly elaborate spear-phishing campaign. The strategy involved multiple steps including tricking an employees phone carrier, pretending to be a member of the I.T. team, and creating fake login pages.

Once they had an employees admin account login they hijacked multiple high profile Twitter accounts and launched a Bitcoin scam that saw them making off with over $100,000 in less than an hour before it was stopped. Though this attack certainly could have been worse, it shows how one of a companies biggest vulnerabilities is compromised employee credentials. 

There are a couple of things that can be done to protect against employee weakness in your security defences. These include restricting employee access to sensitive data. Ensuring you offboard, and remove access to systems for old employees, implementing strong authentication protocols such as multi-factor authentication, and regular security training sessions for staff 

4. Only store data vital to providing your service

In July of 2020 GEDMatch, a DNA genealogy site was hacked. The hackers changed the user’s privacy settings - opting everyone in to share their data with law enforcement. The hack exposed the data of around 1.4 million people.

Thankfully, GEDMatch later announced that no raw DNA files had been compromised as no raw data is stored on the site. Instead, the data is encoded when it’s uploaded and the raw file deleted immediately. The key lesson here is that GEDMatch followed good practice, not storing any sensitive raw data and thus eliminating a potentially serious attack vector meaning the failure of one control did not lead to the attackers progressing beyond their initial intrusion.

If you can avoid storing highly sensitive data — such as passwords, payment information, or biometric data — on your own servers, do so. Deleting raw DNA data helped minimize the damage to GEDMatch in this breach.

5. People aren’t going to stop reusing passwords

The majority of people on the internet don’t know the best online security practices and many reuse the same tired old password across numerous websites. This has lead to a rise in popularity of one of the most common attack strategies employed by threat actors, credential stuffing. This is when they buy large datasets of login details, eg. passwords and user names, and apply them to other sites. While the strike rate is generally quite low, this strategy of credential stuffing does work. This is what happened to several insurance companies in 2020 including Independence Blue Cross. 

Independence Blue Cross reported that their member portals had been improperly accessed by hackers reusing credentials stolen from MyFitnessPal in an attack from 2018.

People aren’t going to stop reusing passwords anytime soon, but businesses can still guard against credential stuffing. One crucial step is to implement strong authentication protocols such as multi-factor authentication or adaptive authentication, which asks users for more credentials if their behavior is suspicious. In this case, it could have noticed that members were logging in with new I.P. addresses or at an unusual time of day, and asked them to confirm their identity.

Final Words

Organizations are increasingly connected online, using a myriad of integrations and tools to create better, more user-friendly solutions. Additionally, as we all become more technologically literate and engage more and more online there is an increasing amount of users data stored on organizational systems.

This means that the number of attack surfaces that organizations have to be aware of is continuously growing, and so too are the opportunities for attackers to achieve their goals. Whether it’s foreign espionage, idealogical fanatacism, or for personal financial gain.

Ultimately, we’re all in this together, a data breach or successful attack on one company could easily have ramifications against your own organizations. As such, employing the right tools, such as an OSINT tool like Signal, to monitor, detect and better protect against potential threats in this growing threat landscape has never been more important. 

As threat actors continuously challenge the cyber defences of organizations, companies are increasingly forced to focus on improving cybersecurity practices. However, even the best cybersecurity teams with the largest budgets find it hard to stay ahead of the evolving threat landscape. And with more technology in use, a growing reliance on cloud storage and the Internet of Things (IoT), there is a growing potential for sensitive data to be exposed to threats. 

As such it’s unsurprising that data breaches, in spite of increased cybersecurity spending, are becoming more common and more expensive to deal with. Employees need intelligent security practices and cyber habits and companies need to be armed with the latest technology and tools for early data breach detection to gain the upper hand when combatting this ever-changing threat.

Data Breaches Need to be Caught Early

The average cost of a data breach in 2020 according to the IBM / Ponemon Institute report was $3.86 million. However, there are plenty of examples where the costs have vastly exceeded this average, escalating into the hundreds of millions or even billions. For example, the Equifax data breach in 2017 cost Equifax $1.7 billion in the end. Another high profile example, Facebook eventually settled on a fine of $5 billion after it’s ‘privacy misstep’ involving Cambridge Analytica. This bill doesn’t include the additional costs and expenses that Facebook has accrued in the development and expansion of their cybersecurity and privacy departments nor does it account for the reputational damage it suffered.

While costs of these extremes are rare, data breaches in general are not. The IBM report goes on to analyse particular subsets of the data noting that the worst impacted is healthcare with an average data breach cost exceeding $7 million. And that the average time taken for an organization to identify and contain a data breach, was an astonishing 280 days, over 9 months. This is in spite of significant evidence that the speed of containment has a significant impact on the overall data beach cost, which if left unchecked can linger for years after the incident. 

How to Prevent Data Breaches

As with many of these things prevention is often the best policy. 

Data Breach Prevention #1: Have Clear Security Protocols 

Every employee should know, understand and be able to abide by strict security protocols to keep company data secure and thwart social engineering tactics. Having protocols is one of the best ways to help prevent data theft by ensuring unauthorized personnel do not have access to data. 

Data Breach Prevention #2: Safeguard Against Human Error

Many data breaches are the result of an employee error. This could be anything from downloading a document off of an illegitimate website, social engineering tactics or even outright blackmail. Employees should only have access to the information that is vital to their particular roles within the company. Those with higher level access should accordingly have higher levels of cyber security training and understanding.

Data Breach Prevention #3: Improved Password Protection

Having strong unique passwords is the first line of defence against any cyberattack. However, nobody, whether they are a high level executive not, is going to be able to remember a dozen or more 12 character passwords that use special characters, letters and numbers. Make sure that 2FA is enabled on all logins, and use a password manager (with 2FA enabled) to auto generate and save complex passwords and ensure the highest levels of password security are enabled.

Data Breach Prevention #4: Update Security Software Regularly

Companies should utilize a high quality antivirus software, anti-spyware program and firewall. Additionally, these programs should be regularly updated to keep them free from vulnerabilities. 

Data Breach Prevention #5:OSINT for Dark Web Forums

By monitoring dark web forums and other chat rooms you can learn of planned attacks, potential exploits and even find exploit kits being sold online. This will give you a good indication of the access methods which have been discovered allowing you to implement a patch quickly to prevent it.

The Tools for Early Detection of Data Breaches: LERTR

Having the right tools is vital if an organization wants to prevent or mitigate the threat of data breaches. Using an OSINT platform like Signal allows security teams to efficiently monitor the surface, deep, and dark web for details or indications of potential and past data beaches. For example, you might find exploit kits targeting a vulnerability specific to your company. This would allow you to prepare a patch for this vulnerability before it was exploited. 

Additionally, hackers might discuss strategies or plans around an upcoming data breach attempt on a dark web forum. Forewarned, you have a better chance of catching and preventing the attempt. However, prevention isn’t always possible. For those scenarios where you do face a data breach you want to discover it as quickly as possible to mitigate the potential damage and limit the costs.

To this end we have integrated with Webhose to advance our early data breach detection capabilities. Additionally, we have launched LERTR, a cyber specific OSINT platform. aa

Final Words

Data breaches are increasingly common and expensive. Effective preventative measures need to be put in place and maintained to limit threats. However, even the best defences can fall to a determined threat actor. As such organizations needs to ensure they have all the tools to not only prevent, but also to detect early and contain data breaches quickly should one occur.

Signal is a powerful OSINT tool which allows users to create searches using boolean logic enhanced with NLP, with which security teams can efficiently monitor online activity to detect threats as or even before they emerge.