Patrick Martin, Senior Threat Intelligence Analyst at Skurio, explores how organisations can monitor for large volumes of data and know it belongs to them.
According to a 2019 DCMS report, around a third (32%) of UK businesses experienced a cyber attack or suffered a data breach in the last year. Many of these breaches originated via third parties in the increasingly expansive supply chains that have become the business norm.
Any organisation wanting to identify if, and how, its data has been breached when connected to hundreds, sometimes thousands, of third parties requires a very specific type of data monitoring.
Leaked and stolen data is compiled, shared and sold on the open and Dark Web every day. Before they can deal with any security incident, organisations must first find a way to clearly establish if any Dark Web data is theirs and whether it’s a new breach.
One technique is to use fake or synthetic identities to watermark information. This allows companies to determine if a specific data set belongs to them as well as when and where it came from. Armed with this knowledge the organisation can then take remedial steps.
These might include plugging security gaps or informing regulators and individuals affected as quickly as possible to minimise any damage.
Data outside the organisation
Our connected world increasingly requires organisations to share sensitive information beyond the security of their own networks. There are several reasons for this. Firstly, digital transformation has been the catalyst for a growing supply chain of products, apps and services to manage customer data through the sales cycle and service delivery.
It is commonplace for multiple third-party suppliers to be involved in the customer journey. For instance, order processing is often carried out by a third-party shopping cart plugin while fulfilment is provided by a separate delivery company. Each one adds to the level of risk.
The attack surface for threat actors increases and there’s a greater chance information may be mishandled in some way. The transition to the cloud, making data accessible from any device and from any location, also plays a part. Data in the cloud is no longer directly governed by the organisation.
Instead, responsibility for data security lies as much with the cloud service provider as with the client organisation. Yet the client remains responsible for the data and accountable for a breach, wherever it happens.
Finally, the growth of shadow IT – applications not reviewed or sanctioned by the IT security team – equally presents a risk. Shadow IT increases the number of places where sensitive company data is being stored and shared. It only takes one of these apps to be compromised for this information to be accessible to threat actors.
Detecting whether company data has been breached or misused is a major challenge for CISOs. There may be millions of data points to trawl through.
When threat actors succeed in stealing an organisation’s customer information, they will most likely try to share or sell it via a bin site or on the Dark Web. Tracing stolen information being sold on the Dark Web back to you is almost impossible to do without specialist help.
Often it involves gaining access to sites where other threat actors must vouch for you. This poses inherent risks for a legitimate organisation, risks it would want to avoid. If the threat actor is trying to sell the details on a bin site, they will advertise email addresses and passwords.
The issue is that such sites contain so much data – up to tens of millions of individual records. So, while it could be possible for an organisation to go through this information and cross-check it against their own database for a match, this is time consuming and far from conclusive.
Many of those customers will also be registered with other suppliers. As a result, the breach could have originated anywhere throughout the supply chain. A more effective and efficient technique is to use synthetic identities. These are fake credentials, including email addresses, created for this specific purpose and nothing else.
These are then mixed in with the real customer data to act as a marker. If later these bogus credentials appear on a bin site or elsewhere on the open or Dark Web, an organisation will be able to tell with complete certainty that their security has been breached – either by a threat actor or a malicious employee.
Where synthetic emails are used, they should only receive communications that relate solely to the database they are stored on. For instance, if the fake account is stored on a CRM database, only marketing emails from the organisation should end up in the inbox.
Anything else appearing in there indicates the data is compromised. When this happens, the system automatically alerts the security team that an unknown email has been received and needs immediate attention.
The system can be programmed, during the set-up stage, to ignore emails containing specific keywords, such as the organisation’s name, to reduce false positives. Any emails that do not contain the keywords will trigger an alert.
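The triage logic described above, written out as an added example (this is not Skurio's product code, and the organisation, domains, keywords and messages are all constructed for illustration). The canary address is assumed to have been seeded only into a CRM, so the sole legitimate traffic is the organisation's own marketing mail. Beyond the keyword rule the article describes, the example also checks the sender's domain, because a keyword such as the company name is trivially present in mail sent by anyone who has the leaked record, and a keyword-only filter would suppress exactly the messages the canary exists to catch.

```python
"""Triage mail arriving in a synthetic (canary) mailbox.

Added example, not the article's or Skurio's code. Assumes the canary
address lives only in the organisation's CRM, so the only expected mail is
the organisation's own marketing; anything else means the record that
holds this address has been copied.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical set-up values for a constructed organisation.
EXPECTED_SENDER_DOMAIN = "example-retail.test"
IGNORE_KEYWORDS = ("Example Retail", "unsubscribe from our newsletter")


def _sender_domain(msg) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def _searchable_text(msg) -> str:
    """Subject plus every text/plain body part, so keywords are found anywhere."""
    parts = [msg.get("Subject", "")]
    candidates = msg.walk() if msg.is_multipart() else [msg]
    for part in candidates:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def classify_message(raw: str) -> dict:
    """Verdict for one raw RFC 5322 message.

    'expected': sent from the owning organisation's domain AND carries one of
                the ignore keywords (the article's keyword rule).
    'alert'   : anything else; someone other than the data owner has this
                address, which should not be possible for a canary.
    """
    msg = message_from_string(raw)
    domain = _sender_domain(msg)
    text = _searchable_text(msg)
    keyword_hit = any(re.search(re.escape(k), text, re.IGNORECASE) for k in IGNORE_KEYWORDS)
    verdict = "expected" if (domain == EXPECTED_SENDER_DOMAIN and keyword_hit) else "alert"
    return {
        "verdict": verdict,
        "from": msg.get("From", ""),
        "subject": msg.get("Subject", ""),
        "sender_domain": domain,
        "keyword_hit": keyword_hit,
    }


def triage_mailbox(raw_messages) -> list:
    """Return the subset of messages that need the security team's attention."""
    return [v for v in map(classify_message, raw_messages) if v["verdict"] == "alert"]


# Constructed sample mailbox contents (not real messages).
MARKETING = (
    'From: "Example Retail" <news@example-retail.test>\n'
    "Subject: Your Example Retail weekly offers\n"
    "\n"
    "Hello, here are this week's offers. To stop receiving these, unsubscribe from our newsletter.\n"
)
UNKNOWN_SENDER = (
    "From: notices@parcel-tracking.test\n"
    "Subject: Your parcel is waiting\n"
    "\n"
    "A parcel addressed to you could not be delivered. Confirm your details to release it.\n"
)
SPOOFED_KEYWORD = (
    "From: promo@cheap-deals.test\n"
    "Subject: Example Retail customers: exclusive deal\n"
    "\n"
    "As a valued Example Retail customer you qualify for a special offer.\n"
)
SAMPLE_MAILBOX = [MARKETING, UNKNOWN_SENDER, SPOOFED_KEYWORD]

if __name__ == "__main__":
    for alert in triage_mailbox(SAMPLE_MAILBOX):
        print(f"ALERT canary mailbox received mail from {alert['from']!r}: {alert['subject']!r}")
```

The third sample message is the case a keyword-only rule gets wrong: it names the organisation, so the keyword test passes, but it comes from an unrelated domain and is therefore still evidence that the record has left the CRM.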
Synthetic identities can also serve as a timestamp. If the fake credentials are changed at regular intervals and the date each set was first entered on the system is recorded, the set that later appears in a leak can be correlated against those dates to build a picture of when the data was stolen.
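An added example, not code from the article or from Skurio, that puts the two preceding ideas together: matching a credential dump against a register of synthetic identities (the cross-check the article says is far from conclusive with real customer records, but is conclusive with canaries), and using the dates those canaries were entered to bound when the copy was taken. It also tags each canary with the dataset it was seeded into, which goes slightly beyond the text: seeding a different canary into each copy handed to a third party lets a hit point at the supplier whose copy leaked. The register, dump lines, addresses and dates are all constructed.

```python
"""Match a leaked dump against a register of synthetic identities and bound
when the copy was taken.

Added example, not the article's or Skurio's code. Assumes the organisation
keeps a register (here an in-memory list) recording, for every canary, the
dataset it was seeded into and the date it was entered, and that canaries
are rotated at intervals as the article describes.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Canary:
    email: str      # synthetic address used for nothing else
    dataset: str    # which database or supplier copy it was seeded into
    inserted: date  # when it was entered on that system


# Constructed register: canaries rotated quarterly in the CRM and in the
# copy shared with a (hypothetical) fulfilment partner.
REGISTER = [
    Canary("cn-a1@canary.example", "crm", date(2019, 1, 10)),
    Canary("cn-a2@canary.example", "crm", date(2019, 4, 10)),
    Canary("cn-a3@canary.example", "crm", date(2019, 7, 10)),
    Canary("cn-b1@canary.example", "fulfilment-partner", date(2019, 2, 1)),
    Canary("cn-b2@canary.example", "fulfilment-partner", date(2019, 5, 1)),
]


def normalise_email(addr: str) -> str:
    return addr.strip().lower()


def find_canaries(dump_lines, register=REGISTER) -> list:
    """Canaries present in a dump given as 'email:password' lines.

    Only the address is compared; the password column is never inspected.
    """
    seen = {normalise_email(line.split(":", 1)[0]) for line in dump_lines if line.strip()}
    return [c for c in register if c.email in seen]


def leaked_datasets(hits) -> list:
    """Which seeded copies the dump demonstrably came from."""
    return sorted({c.dataset for c in hits})


def breach_window(dataset: str, hits, register=REGISTER):
    """(earliest, latest) dates between which `dataset` must have been copied.

    Lower bound: the latest insertion date among the matched canaries; the
    copy cannot predate a record it contains. Upper bound: the earliest
    insertion date among this dataset's later canaries that are absent from
    the dump, or None if every later canary is present. The upper bound is
    weaker evidence than the lower one, because a canary can also be absent
    simply because the dump is partial.
    """
    matched = [c for c in hits if c.dataset == dataset]
    if not matched:
        return None
    lower = max(c.inserted for c in matched)
    later_missing = [
        c.inserted for c in register
        if c.dataset == dataset and c not in matched and c.inserted > lower
    ]
    upper = min(later_missing) if later_missing else None
    return lower, upper


# Constructed dump, in the 'email:password' layout bin sites commonly use.
DUMP = [
    "alice@example.test:Summer2019",
    "cn-a1@canary.example:hunter2",
    "  CN-A2@canary.example:hunter3  ",   # case and whitespace differ
    "bob@example.test:pa55word",
    "",
]

if __name__ == "__main__":
    hits = find_canaries(DUMP)
    print("datasets implicated:", leaked_datasets(hits))
    for ds in leaked_datasets(hits):
        print(ds, "copied within", breach_window(ds, hits))
```

With the constructed dump, both CRM canaries from January and April are present but the July one is not, so the CRM copy was taken between 10 April and 10 July 2019, and no canary from the fulfilment partner's copy appears, so that copy is not implicated by this dump.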
Protection for customer data should be a top priority in any organisation’s cyber security plan. Monitoring the Dark Web and using fake identities provides concrete evidence of whether or not valuable PII has been stolen, enabling enterprises to take swift and decisive remedial action.